Notification of Plutonium Forum Databreach - September 2021
-
Absolute embarassment, a year to realise this. Why did that staff member have access to so much personal data?
"During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and ASSUMED we had fixed the issue." - Utter negligence.
And the gall to mute every channel in the discord server...
-
Cigar said in Notification of Plutonium Forum Databreach - September 2021:
Embarrassing to say the least. It took you over a YEAR to acknowledge 1.3 million users data was stolen and most likely sold to the highest bidder.
We became aware 2 days ago and have worked to investigate and notify as soon as possible. Although we do accept that this is unfortunate.
-
Unluko
-
1 Year is a little long for this stuff to be going noticed. Gonna delete my account you should to
-
YouTube bouta be popping with this lmao
-
So you guys aren't even gonna give us instructions on how to negate the effects of the attackers having ONE AND A HALF MILLION IP ADDRESSES??
They can just sell where I live whenever they want and you guys aren't gonna post even like an option that we can do to help ourselves. -
Mr. Android said in Notification of Plutonium Forum Databreach - September 2021:
From here the attacker used our forum's API to scrape all registered users' profile data, and due to having access to a staff account, this data included IP address and Email Address history. Hence the stolen data includes more than the public facing profile information.
During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scThe real question here is why did a STAFF MEMBER even have access to that information, what happens if they were to go rogue. Completely unacceptable. Not to mention you muted everyone in the discord server to try and circumvent backlash. I think it might be time for everyone to switch to a different client.
-
@zombiepepega If you have a dynamic IP, you should be fine. However, anyone who doesn't I suggest deleting your account and or changing your information.
-
Everyone is giving the staff hell for not realizing the data breach when in reality. Everyone who owns a server and has access to the forums has most if not all scrapped data already available. None of the information is compromised. I appreciate the staff's transparency.
-
@zombiepepega if you don't have a static IP, there isn't much to really worry about. If you have a static IP, every other service you use also knows your city etc. :)))
-
Embarrassment. You guys should be ashamed of this delay in notification and oversight.
-
Mr. Android said in Notification of Plutonium Forum Databreach - September 2021:
What happens next:
The only thing we can do is to notify you all as soon as possible and offer our most sincere apologies for this situation. We deeply regret that it has happened and hope our community can forgive us. Our entire Staff Team take responsibility for this lapse in what is usually a very robust Security Posture.This didn't happen though... you were probably hoping nothing would have happened but I imagine as soon as it was noticed online you had to make an announcement.
You said you were aware of the data being exfiltrated, a more thorough investigation should have happened especially as a staff account was compromised?
Poor handling on multiple levels.
-
Mr. Android said in Notification of Plutonium Forum Databreach - September 2021:
September 23rd, 2021
Glad you have realized it, what has happend to the information of the accounts made before September 23rd, 2021?
-
They got lucky the hacker only stole trivial data. No one really cares about IP addresses anymore. HOW it happened is more than concerning though.
-
xFD said in Notification of Plutonium Forum Databreach - September 2021:
HOW it happened is more than concerning though.
True, this is what actually matters
-
xFD A lot of people still have static IP addresses. And it's not just a small niche group of peoples data, this is 1.3 million IPs, emails, and usernames.
-
@zombiepepega luckily i have a dynamic ip, otherwise i would have been scared all my life
-
Invenios I know this is nowhere near the level of Plutonium's scale but i've owned Minecraft servers before. I'm the only person who ever even had access to anything even remotely personal. I have never given my staff anything more than that. And the fact Plutonium has given Staff this access is extremely stupid. Imagine one of the staff just decided they don't like someone and leak their IP. I wouldn't be shocked if that has happened before.
-
Cigar Very true. This is awful and really embarrassing for something as big as Plutonium.
There's nothing we can really do besides complain or help repair though. -
Cigar I genuinely believe IP addresses won't matter, except for specific targets.
Email addresses though, will likely be sold for targeted marketing...
