Data leak

[The Imperium Collectives]

Apologies if this was asked or answered before, but like others are saying, what if a puppet has been leaked? I don't use puppets anymore, and the ones I keep track of are now currently destroyed. I have not created a new puppet in at least a month, so I'm fairly certain all puppets of mine are gone from the game. Would there be any security problems or anything notable?

[SalusaSecondus]

Well if a data leak happens like this again, will it be as major, or more affecting or less?

Well, if a dataleak happens like this again, it will be identical!

Snark aside, all events are unique. We're taking this as an opportunity to go over some of our code and tighten things up so the likelihood of things happening again is even lower than it was before.

[Greater Minsk]

*realizes that a different puppet of mine was affected*

[Themiclesia]

This is bad, because my hundreds of accounts scattered across the internet use the same password.

[[violet]]

Darn, I (or one of my puppets, can't tell) was leaked. Did they get TGs from everyone?

We actually don't know that "they" got anything; we just know the file was exposed to the internet, which means it could have been downloaded by anyone. I only have detailed access logs going back two weeks, which shows nobody downloaded it before the player who reported it to us.

As per the News post, the file exposed data on 3,325 nations, many of which were holding telegrams under the old TG system, where messages were written directly into nation files. This caused a further 3,460 nations to be affected in the sense that a TG they sent was exposed.

The Data Leak Checker tool will tell you if you are one of those people, and advise you to contact us so we can show you what the messages were. So far I haven't seen anything anyone will be embarrassed about; the great majority are recruitment TGs.

[[violet]]

This is bad, because my hundreds of accounts scattered across the internet use the same password.

Please note that only 0.08% of nations are affected, and Themiclesia isn't one of them.

But it is really bad practice to use the same email/password combination on everything. You shouldn't do that.

[[violet]]

Apologies if this was asked or answered before, but like others are saying, what if a puppet has been leaked? I don't use puppets anymore, and the ones I keep track of are now currently destroyed. I have not created a new puppet in at least a month, so I'm fairly certain all puppets of mine are gone from the game. Would there be any security problems or anything notable?

The Data Leak Checker tool will tell if you if any puppet that ever shared an email address with your main is part of the leak. If you have puppets with no email addresses, your exposure is a lot more limited, since there's no personal information and no possibility that someone could use the leaked data to find other accounts of yours across the internet with the same combination of email address and password. In this situation, your worst case is that someone (a) has obtained the data, (b) manages to decrypt the password hashes, then (c) revives your old dead puppet. This strikes me as an unlikely scenario, but you should be aware of it.

[Nanatsu no Tsuki]

My nation wasn't affected but I took the advice regardless and changed passwords here and in other websites. One can never be too careful.

Anyway, NS admins, thanks for the transparency in letting us know this happened.

[[violet]]

While we're talking security, can I recommend 2-factor authentication for sites you really care about, like your email account. Here is Google's version.

It means that even if someone discovers your username and password, they can't get into your account unless they have your phone as well.

It's not widely available (and we don't have it here), but for things like banking and email, if your provider has it, it's usually worth using.

[Lost heros]

Are old ex-nations also at risk for potential leakage?

[[violet]]

Are old ex-nations also at risk for potential leakage?

Yes, almost all of the exposed ones are ex-nations. Some ceased to exist more than a decade ago.

If your current nation has an email address set, though, then the Data Leak Checker will search for any exposed nation that had the same address. This way, you can tell whether your email address is involved in any way on any nation past or present.

[The Union of the West]

Only (encrypted) password hashes were exposed, not plaintext passwords. However, you should still change your password if it was exposed, because hashes aren't impervious to brute-force cracking by an attacker who has your data offline, especially if your password contains dictionary words.

Perhaps you should use salted hashes to encrypt the passwords. They provide better protection against dictionary attacks and rainbow table attacks.

[Gregoryisgodistan]

About ten years ago, my sister and I had NS accounts that have long since ceased to exist. Although I wound up creating a new nation about a year and a half ago and joined the forums, she never rejoined. Would it be possible for me to check on her behalf to see if her nation was affected since she has no NS account currently and no desire to create one?

[Reploid Productions]

About ten years ago, my sister and I had NS accounts that have long since ceased to exist. Although I wound up creating a new nation about a year and a half ago and joined the forums, she never rejoined. Would it be possible for me to check on her behalf to see if her nation was affected since she has no NS account currently and no desire to create one?

Sure, just file a GHR telling us the account name and we can check for you.

[Gregoryisgodistan]

About ten years ago, my sister and I had NS accounts that have long since ceased to exist. Although I wound up creating a new nation about a year and a half ago and joined the forums, she never rejoined. Would it be possible for me to check on her behalf to see if her nation was affected since she has no NS account currently and no desire to create one?

Sure, just file a GHR telling us the account name and we can check for you.

Ok, thanks.

[Yao]

Is there a way to check CTE'd nations?

[SalusaSecondus]

Only (encrypted) password hashes were exposed, not plaintext passwords. However, you should still change your password if it was exposed, because hashes aren't impervious to brute-force cracking by an attacker who has your data offline, especially if your password contains dictionary words.

Perhaps you should use salted hashes to encrypt the passwords. They provide better protection against dictionary attacks and rainbow table attacks.

"Encryption" isn't quite accurate. Everything is properly hashed with one-way cryptographic functions.

[Kaiserholt]

I checked, and my nation was not affected. But for some reason there are Chinese / Japanese characters next to my World Assembly / Dispatches toggle. Is this a game feature, or is something else wrong? I didn't put any such changes on my account.

Even though I am not affected, still changing my passwords

[Alyakia]

I checked, and my nation was not affected. But for some reason there are Chinese / Japanese characters next to my World Assembly / Dispatches toggle. Is this a game feature, or is something else wrong? I didn't put any such changes on my account.

Even though I am not affected, still changing my passwords

could you, uh, screenshot that

[[violet]]

I checked, and my nation was not affected. But for some reason there are Chinese / Japanese characters next to my World Assembly / Dispatches toggle.

This is an unrelated browser issue. Please start a new thread in Technical to report that, with a screenshot if you can.

[Kemintiri of Kemet]

About my friend---can I GHR on their behalfs about his two nations: DEATed and CTE'd?

(It's a bit of a pain to contact him IRL (but we both can) #exitcodes #timezones)

[[violet]]

About my friend---can I GHR on their behalfs about his two nations: DEATed and CTE'd?

(It's a bit of a pain to contact him IRL (but we both can) #exitcodes #timezones)

Yes, we can certainly say whether their nations were affected. On the slim chance they were, we would be limited in how much detail we can give you about it.

[Kemintiri of Kemet]

About my friend---can I GHR on their behalfs about his two nations: DEATed and CTE'd?

(It's a bit of a pain to contact him IRL (but we both can) #exitcodes #timezones)

Yes, we can certainly say whether their nations were affected. On the slim chance they were, we would be limited in how much detail we can give you about it.

Thank you very much: both his nations are unaffected.

[Alexanda]

For security reasons, I have deleted my E-Mail from the settings page, and resigned from the World Assembly. Does that ensure that, if my nation is involved in a future leak and information is released, my E-Mail shan't be made public?

[Kocahisar]

For security reasons, I have deleted my E-Mail from the settings page, and resigned from the World Assembly. Does that ensure that, if my nation is involved in a future leak and information is released, my E-Mail shan't be made public?

the email could still be in the server