Notification of Plutonium Forum Databreach - September 2021

  • Mr. Android wrote:

    Hello community,

    It is with deep regret that the Plutonium Staff Team need to give notice that in September 2021, data was stolen from our forum. This affected all 1.3 million registered users at the date of the breach. We became aware of this breach on September 20th, 2022, after being alerted that the data is being sold on cybercrime forums.

    The stolen data DOES NOT include:

    • Passwords
    • Server keys
    • Hardware information used for Anti-Cheat ban evasion detection
    • Information on any of the 2 million registered users who signed up after September 23rd, 2021

    The stolen data does include:

    • Usernames
    • User IDs
    • Email address history
    • IP addresses used to access the forum
    • Registration dates
    • Last login dates

    As such, no server keys or passwords have been reset.

    Our investigation:
    Upon being alerted, Plutonium Staff Administrators confirmed the legitimacy of the data in the breach and began investigating the root cause of the breach. This root cause is that a staff member's iCloud account was compromised; this iCloud account had an iPhone backup stored on it and the attacker restored this backup to a phone they controlled. This also restored the staff member's 2-Factor Authentication Secrets, which allowed the attacker to generate authentic 2FA codes and thus allowed them to log in to our forum as the compromised staff account.

    From here the attacker used our forum's API to scrape all registered users' profile data, and due to having access to a staff account, this data included IP address and Email Address history. Hence the stolen data includes more than the public facing profile information.

    During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and assumed we had fixed the issue. We did not report this scraping to the community due to our belief that the scraped information was public profile information, such as usernames, registration date and last login dates.

    The staff member that was compromised did not report the issue to Plutonium Staff Administrators due to the attacker attempting to access their bank accounts and other sensitive accounts, and as such the idea that they may have targeted the staff member's Plutonium account did not occur to them; however, they did reset their passwords and re-generate their 2 Factor Authentication secrets.

    Passwords and server keys were confirmed to not have been stolen. Server keys are stored in a different database and passwords are stored in a hashed fashion that even Plutonium Forum Administrators cannot access.

    What happens next:
    The only thing we can do is to notify you all as soon as possible and offer our most sincere apologies for this situation. We deeply regret that it has happened and hope our community can forgive us. Our entire Staff Team take responsibility for this lapse in what is usually a very robust Security Posture.

    We are unable to contact all affected users as we do not have the email abilities to send over 1 million emails, but by posting this message publicly we are hoping that the news will travel to most of them.

    We will also be in touch with the appropriate authorities.

    All our staff are required to have 2 Factor Authentication enabled on all Plutonium accounts, this has been in place since we started our forums in 2020, however we will now be doing periodic re-generation of 2FA secrets to avoid backed up Authenticator apps from being useful if they fall into the wrong hands.

    Timeline of events:
    September 2021: Data is stolen using a compromised staff account and compromised iCloud iPhone backup.
    September 2021: Exfiltration of data is spotted by Plutonium Staff and is mistakenly identified as public data; protections to stop the scraping are put in place.
    September 20th 2022: Plutonium Staff are notified of a potential breach.
    September 21st 2022: Plutonium Staff confirm breach is legit and begin investigation.
    September 22nd 2022: Investigation is completed, notification of breach is sent to the community.

    Context of Breach:
    As of September 2022, Plutonium has 3 million registered users, this breach affects 1.3 million users who registered before September 24th, 2021. From our understanding there has been 1 year from when the data was originally stolen to when it started to be publicly sold online.

    Once again, we would like to apologize for this isolated incident.
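
The announcement above attributes the login to 2FA secrets restored from a device backup and names periodic re-generation of those secrets as the mitigation. The following is an added example, not Plutonium's code: an RFC 6238 TOTP implementation showing why a copied secret produces accepted codes until the server rotates it. The `StaffAccount` class and the timestamp are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: a pure function of secret and clock."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(enrolled: bytes, submitted: str, unix_time: int, drift: int = 1) -> bool:
    """Server-side check that tolerates +/- `drift` time steps of clock skew."""
    return any(
        hmac.compare_digest(totp(enrolled, unix_time + d * STEP), submitted)
        for d in range(-drift, drift + 1)
    )


class StaffAccount:
    """Hypothetical server-side record holding the currently enrolled secret."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(20)

    def rotate(self) -> bytes:
        """Re-generate the secret; the owner must re-enrol their authenticator."""
        self.secret = secrets.token_bytes(20)
        return self.secret


def rotation_demo(now: int = 1_632_000_000) -> dict:
    """Compare a backed-up copy of the secret before and after rotation."""
    account = StaffAccount()
    owner_device = account.secret      # provisioned to the owner's app
    backup_copy = bytes(owner_device)  # identical bytes restored elsewhere
    copy_before = verify(account.secret, totp(backup_copy, now), now)
    owner_device = account.rotate()    # periodic re-generation
    return {
        "copy_valid_before_rotation": copy_before,
        "copy_valid_after_rotation": verify(account.secret, totp(backup_copy, now), now),
        "owner_valid_after_rotation": verify(account.secret, totp(owner_device, now), now),
    }


if __name__ == "__main__":
    print(rotation_demo())
```

Because the code depends only on the secret and the clock, the server cannot tell the owner's device from a restored copy; only replacing the enrolled secret separates them.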
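
The announcement also says the 2021 exfiltration was noticed but classed as public-profile scraping because nobody realised a staff account was in use. The following is an added example, not Plutonium's tooling: detection logic that grades bulk profile enumeration by which fields were returned. The log schema, session names, thresholds and records are constructed for illustration.

```python
from collections import Counter, defaultdict, deque

# Fields the announcement says were only visible through a staff account.
PRIVILEGED_FIELDS = {"email_history", "ip_history"}
PUBLIC_FIELDS = ["username", "registered", "last_login"]


def sample_log() -> list:
    """Constructed records in a hypothetical schema (not the forum's real logs)."""
    rows = []
    for uid in range(1, 401):  # anonymous crawler reading public profiles
        rows.append({"ts": 1000 + uid, "session": "guest-203.0.113.7",
                     "role": "guest", "profile": uid, "fields": PUBLIC_FIELDS})
    for uid in range(1, 401):  # staff session walking the same ID range
        rows.append({"ts": 5000 + uid, "session": "staff-A", "role": "staff",
                     "profile": uid,
                     "fields": PUBLIC_FIELDS + sorted(PRIVILEGED_FIELDS)})
    for i, uid in enumerate((12, 90, 344)):  # ordinary moderation lookups
        rows.append({"ts": 9000 + 900 * i, "session": "staff-B", "role": "staff",
                     "profile": uid,
                     "fields": PUBLIC_FIELDS + sorted(PRIVILEGED_FIELDS)})
    return rows


def peak_distinct_profiles(events: list, window_s: int) -> int:
    """Largest number of distinct profiles one session read in any window."""
    recent, seen, peak = deque(), Counter(), 0
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent.append(ev)
        seen[ev["profile"]] += 1
        while ev["ts"] - recent[0]["ts"] > window_s:
            old = recent.popleft()
            seen[old["profile"]] -= 1
            if seen[old["profile"]] == 0:
                del seen[old["profile"]]
        peak = max(peak, len(seen))
    return peak


def classify_scraping(rows: list, window_s: int = 600, threshold: int = 100) -> dict:
    """Flag bulk enumeration and grade it by the data actually returned."""
    by_session = defaultdict(list)
    for row in rows:
        by_session[row["session"]].append(row)
    findings = {}
    for session, events in by_session.items():
        peak = peak_distinct_profiles(events, window_s)
        if peak < threshold:
            continue
        exposed = {f for ev in events for f in ev["fields"]} & PRIVILEGED_FIELDS
        findings[session] = {
            "role": events[0]["role"],
            "peak_profiles": peak,
            "privileged_fields": sorted(exposed),
            "severity": "privileged-exfiltration" if exposed else "public-scrape",
        }
    return findings


if __name__ == "__main__":
    for name, finding in classify_scraping(sample_log()).items():
        print(name, finding)
```

Both bulk sessions trip the volume threshold, but only the staff session is graded as privileged exfiltration; the three ordinary moderation lookups are not flagged.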

    Bone Crusher wrote (#18):

    @Mr-Android said in Notification of Plutonium Forum Databreach - September 2021:

    September 23rd, 2021

    Glad you have realized it, what has happened to the information of the accounts made before September 23rd, 2021?

      xFD wrote (#19):

      They got lucky the hacker only stole trivial data. No one really cares about IP addresses anymore. HOW it happened is more than concerning though.

        isaiah666 wrote (#20):

        xFD said in Notification of Plutonium Forum Databreach - September 2021:

        HOW it happened is more than concerning though.

        True, this is what actually matters

          Cigar wrote (#21):

          xFD A lot of people still have static IP addresses. And it's not just a small niche group of people's data, this is 1.3 million IPs, emails, and usernames.

            In reply to A Former User:

            So you guys aren't even gonna give us instructions on how to negate the effects of the attackers having ONE AND A HALF MILLION IP ADDRESSES??
            They can just sell where I live whenever they want and you guys aren't gonna post even like an option that we can do to help ourselves.

            yogakumi wrote (#22):

            @zombiepepega luckily i have a dynamic ip, otherwise i would have been scared all my life

              In reply to Invenios:

              Everyone is giving the staff hell for not realizing the data breach when in reality, everyone who owns a server and has access to the forums has most if not all scraped data already available. None of the information is compromised. I appreciate the staff's transparency.

              imsarahh wrote (#23):

              Invenios I know this is nowhere near the level of Plutonium's scale but I've owned Minecraft servers before. I'm the only person who ever even had access to anything even remotely personal. I have never given my staff anything more than that. And the fact Plutonium has given Staff this access is extremely stupid. Imagine one of the staff just decided they don't like someone and leak their IP. I wouldn't be shocked if that has happened before.

                A Former User wrote (#24):

                Cigar Very true. This is awful and really embarrassing for something as big as Plutonium.
                There's nothing we can really do besides complain or help repair though.

                  Daltax wrote (#25):

                  Cigar I genuinely believe IP addresses won't matter, except for specific targets.
                  Email addresses though, will likely be sold for targeted marketing...

                    isaiah666 wrote (#26):

                    imsarahh said in Notification of Plutonium Forum Databreach - September 2021:

                    Invenios I know this is nowhere near the level of Plutonium's scale but I've owned Minecraft servers before. I'm the only person who ever even had access to anything even remotely personal. I have never given my staff anything more than that. And the fact Plutonium has given Staff this access is extremely stupid. Imagine one of the staff just decided they don't like someone and leak their IP. I wouldn't be shocked if that has happened before.

                    It really is odd for staff to have access to this information in such a manner, poor way of handling security.

                      TylerTT wrote (#27):

                      Condolences to anyone with a static IP. Absolute embarrassment with such poor handling.

                        xFD wrote (#28):

                        Cigar I don't know any provider that still hands out static IP addresses to the common folk, maybe on request. IF you have a static IP you should know the risks anyway.

                          imsarahh wrote (#29):

                          Cigar I have a static IP, I have been extremely careful about using a VPN and shit. But guess what? I trusted plutonium to not steal my information cause they are "trusted" and now my IP has finally been leaked. So that's fun. Anyone know any good Plutonium alternatives?

                            xFD wrote (#30):

                            imsarahh how can an IP be leaked? It's not like it's private information. I'm curious

                              Cigar wrote (#31):

                              imsarahh Condolences. At the moment, there isn't a Plutonium alternative that I am aware of. However, I would suggest contacting your provider and trying to inquire about dynamic IPs instead of your current static one. Also, changing your information and/or deleting your account on the forums would be wise as well if you don't support/trust Plutonium anymore. (Highly suggest doing so.)

                                MrAmos123 wrote (#32):

                                xFD Fixed, static addresses could be directly used to gather personal identification and/or information.
                                You can most certainly leak this, given knowledge.

                                It's absolutely not public information.

                                Either you're being genuine in question, or you're being sarcastic and baiting. I can't tell.

                                Don't make absolute statements whilst not knowing much about a given topic. It's called naivety.

                                  imsarahh wrote (#33):

                                  xFD An IP (if static) can be used to DDOS, leak city, and scare dumb people. Sure it's "public information" but it's not treated as such (unless you have a dynamic IP). I've been very careful about not letting sketchy websites have it (I have a browser VPN and a client VPN) and now that good streak is ruined due to Plutonium's stupidity. Also anyone wanna mention how there's at least 30 STAFF who have that information. 30.

                                    A Former User wrote (#34):

                                    Even though I am Dynamic, I normally don't give a damn. If something changes in the future, I might reconsider, but for now, I'm deleting my account. However, 1.3M IPs is a considerable number. Larger YouTubers are affected by this, as well as smaller users. I know you notice of this two days ago, but it still doesn't improve Plutonium's lack of security. I appreciate everyone who took the time to read this.

                                      imsarahh wrote (#35):

                                      Cigar I don't manage my internet. That's my step dad's thing. He has an old router and he's modded it a lot so I'm assuming he wants to keep it. Besides he doesn't care about "static IPs and dynamic IPs" or whatever.

                                        isaiah666 wrote (#36):

                                        xFD

                                        Yeah unfortunately static IPs can lead to people being de-anonymized.

                                        A general location, a little personal info gathered via social engineering or public domain and you can gather someone's info very easily. (Not super common but possible)

                                          yogakumi wrote (#37):

                                          imsarahh you can play mw2, ghosts and advanced warfare on x labs
