Skip to content
  • Recent
  • Tags
  • Popular
  • Users
  • Groups
  • Donate
Collapse

Plutonium

  1. Home
  2. Announcements
  3. Notification of Plutonium Forum Databreach - September 2021

Notification of Plutonium Forum Databreach - September 2021

Scheduled Pinned Locked Moved Announcements
133 Posts 67 Posters 26.1k Views 4 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • imsarahhundefined imsarahh

    Cigar I have a static IP, I have been extremely careful about using a VPN and shit. But guess what? I trusted plutonium to not steal my information cause they are "trusted" and now my IP has finally been leaked. So that's fun. Anyone know any good Plutonium alternatives?

    yogakumiundefined Offline
    yogakumiundefined Offline
    yogakumi
    wrote on last edited by
    #37

    imsarahh you can play mw2, ghosts and advanced warfare on x labs

    imsarahhundefined 1 Reply Last reply
    0
    • MrAmos123undefined MrAmos123

      xFD Fixed, static addresses could be directly used to gather personal identification and or information.
      You can most certainly leak this, given knowledge.

      It's absolutely not public information.

      Either you're being genuine in question, or you're being sarcastic and baiting. I can't tell.

      Don't make absolute statements whilst not knowing much about a given topic. It's called naivety.

      xFDundefined Offline
      xFDundefined Offline
      xFD
      wrote on last edited by xFD
      #38

      MrAmos123 Im baiting as you/they are using a free service provided by people doing it for no reward who have no obligation to value your privacy in any way. Using this service and expecting some sort of privacy or security is, sorry, stupid. if you have systems in place to hide your IP on the internet but disable it on plutonium, then congratulations, you created a vulnerability isaiah666 ImSarah

      isaiah666undefined imsarahhundefined MrAmos123undefined A Former User? 4 Replies Last reply
      0
      • yogakumiundefined yogakumi

        imsarahh you can play mw2, ghosts and advanced warfare on x labs

        imsarahhundefined Offline
        imsarahhundefined Offline
        imsarahh
        wrote on last edited by
        #39

        yogakumi Oh I love Ghosts. Thank you.

        1 Reply Last reply
        1
        • A Former User? Offline
          A Former User? Offline
          A Former User
          wrote on last edited by
          #40

          Also, if you don't know how to tell if you have a dynamic IP...
          Open up Command Prompt and type "ipconfig/all" and look under everything. If most areas that say "DHCP Enabled" say Yes, then it's dynamic. If they all say No, then your IP is static.

          Also, since no one wants to use plutonium, we can either find something else online, or go back to OG BLOPS2 servers! Right..? -_-

          OhTanoshiundefined Tori_cadundefined 2 Replies Last reply
          0
          • xFDundefined xFD

            MrAmos123 Im baiting as you/they are using a free service provided by people doing it for no reward who have no obligation to value your privacy in any way. Using this service and expecting some sort of privacy or security is, sorry, stupid. if you have systems in place to hide your IP on the internet but disable it on plutonium, then congratulations, you created a vulnerability isaiah666 ImSarah

            isaiah666undefined Offline
            isaiah666undefined Offline
            isaiah666
            wrote on last edited by
            #41

            xFD

            Yeah, unfortunate for those affected, still, at the end of the day what matters is that Plutonium failed to keep users information safe and also failed to inform users in a timely manner.

            1 Reply Last reply
            0
            • xFDundefined xFD

              MrAmos123 Im baiting as you/they are using a free service provided by people doing it for no reward who have no obligation to value your privacy in any way. Using this service and expecting some sort of privacy or security is, sorry, stupid. if you have systems in place to hide your IP on the internet but disable it on plutonium, then congratulations, you created a vulnerability isaiah666 ImSarah

              imsarahhundefined Offline
              imsarahhundefined Offline
              imsarahh
              wrote on last edited by
              #42

              xFD This has to be a staff's alt right LMAO

              xFDundefined 1 Reply Last reply
              1
              • OhTanoshiundefined Offline
                OhTanoshiundefined Offline
                OhTanoshi
                wrote on last edited by
                #43

                I never understood the whole if you have my ip you can find where I stay crap. Like wow they know you live in such in such city. In my case it's like over 50miles of the city. Cause it doesn't give my specific town and even if it did my town is still huge not to mention if they could find all that info how are they gonna find me even if they did get down to a 1-2 mile radius of they don't have any real info. Other then a ip. Sure they could contact my service provider but they won't give that info out.

                isaiah666undefined imsarahhundefined 2 Replies Last reply
                0
                • imsarahhundefined imsarahh

                  xFD This has to be a staff's alt right LMAO

                  xFDundefined Offline
                  xFDundefined Offline
                  xFD
                  wrote on last edited by
                  #44

                  imsarahh no, you can add me on discord if you really want to find out. lol

                  1 Reply Last reply
                  0
                  • OhTanoshiundefined OhTanoshi

                    I never understood the whole if you have my ip you can find where I stay crap. Like wow they know you live in such in such city. In my case it's like over 50miles of the city. Cause it doesn't give my specific town and even if it did my town is still huge not to mention if they could find all that info how are they gonna find me even if they did get down to a 1-2 mile radius of they don't have any real info. Other then a ip. Sure they could contact my service provider but they won't give that info out.

                    isaiah666undefined Offline
                    isaiah666undefined Offline
                    isaiah666
                    wrote on last edited by
                    #45

                    OhTanoshi

                    It's a case by case thing, most people will not be at risk from their IP being leaked, though there are some that will be.

                    1 Reply Last reply
                    0
                    • OhTanoshiundefined OhTanoshi

                      I never understood the whole if you have my ip you can find where I stay crap. Like wow they know you live in such in such city. In my case it's like over 50miles of the city. Cause it doesn't give my specific town and even if it did my town is still huge not to mention if they could find all that info how are they gonna find me even if they did get down to a 1-2 mile radius of they don't have any real info. Other then a ip. Sure they could contact my service provider but they won't give that info out.

                      imsarahhundefined Offline
                      imsarahhundefined Offline
                      imsarahh
                      wrote on last edited by
                      #46

                      OhTanoshi I live in a small city. And my IP is exactly in my city.

                      1 Reply Last reply
                      0
                      • xFDundefined xFD

                        MrAmos123 Im baiting as you/they are using a free service provided by people doing it for no reward who have no obligation to value your privacy in any way. Using this service and expecting some sort of privacy or security is, sorry, stupid. if you have systems in place to hide your IP on the internet but disable it on plutonium, then congratulations, you created a vulnerability isaiah666 ImSarah

                        MrAmos123undefined Offline
                        MrAmos123undefined Offline
                        MrAmos123
                        wrote on last edited by
                        #47

                        xFD If you were baiting, then that's fine... I guess... It's a little redundant since people like me waste their time correcting you.

                        I'm personally unaffected by this leak, so I couldn't care less. But falsely stating facts will only cause misinformation, which you're a party to.

                        xFDundefined 1 Reply Last reply
                        0
                        • CoinFlipperundefined Offline
                          CoinFlipperundefined Offline
                          CoinFlipper
                          wrote on last edited by
                          #48

                          Could someone explain to me why the average user should be worried about Email addresses and IP addresses being leaked? For the average user, i.e. not a public figure, there is no reason to be specifically targeted by any attack.

                          The other information is either already publicly available (Usernames, Registration dates, Last login dates) or only relevant to Plutonium services (User IDs). I'm not sure why anyone should care about these being leaked.

                          Not trying to discredit anyone worried about this leak, just trying to learn.

                          isaiah666undefined A Former User? 2 Replies Last reply
                          0
                          • MrAmos123undefined MrAmos123

                            xFD If you were baiting, then that's fine... I guess... It's a little redundant since people like me waste their time correcting you.

                            I'm personally unaffected by this leak, so I couldn't care less. But falsely stating facts will only cause misinformation, which you're a party to.

                            xFDundefined Offline
                            xFDundefined Offline
                            xFD
                            wrote on last edited by
                            #49

                            MrAmos123 What type of misinformation? Check the thread, it's filled with people not knowing what theyre talking about. Pluto got it right by just muting their discord until things have calmed

                            MrAmos123undefined 1 Reply Last reply
                            1
                            • xFDundefined xFD

                              MrAmos123 What type of misinformation? Check the thread, it's filled with people not knowing what theyre talking about. Pluto got it right by just muting their discord until things have calmed

                              MrAmos123undefined Offline
                              MrAmos123undefined Offline
                              MrAmos123
                              wrote on last edited by
                              #50

                              xFD
                              You say this.

                              It's not like its private information.

                              This is false.

                              xFDundefined 1 Reply Last reply
                              0
                              • CoinFlipperundefined CoinFlipper

                                Could someone explain to me why the average user should be worried about Email addresses and IP addresses being leaked? For the average user, i.e. not a public figure, there is no reason to be specifically targeted by any attack.

                                The other information is either already publicly available (Usernames, Registration dates, Last login dates) or only relevant to Plutonium services (User IDs). I'm not sure why anyone should care about these being leaked.

                                Not trying to discredit anyone worried about this leak, just trying to learn.

                                isaiah666undefined Offline
                                isaiah666undefined Offline
                                isaiah666
                                wrote on last edited by isaiah666
                                #51

                                CoinFlipper

                                You most likely don't have anything to worry about if you don't have a static IP.

                                If you do, still unlikely you have anything to worry about unless you use identifying information such as your full irl name on public domains like Discord or other social media that can be linked to your Plutonium account in some way.

                                Edit: You personally have a new account so aren't affected by the leak

                                1 Reply Last reply
                                0
                                • MrAmos123undefined MrAmos123

                                  xFD
                                  You say this.

                                  It's not like its private information.

                                  This is false.

                                  xFDundefined Offline
                                  xFDundefined Offline
                                  xFD
                                  wrote on last edited by
                                  #52

                                  MrAmos123 well, now it is šŸ˜›

                                  MrAmos123undefined 1 Reply Last reply
                                  0
                                  • xFDundefined xFD

                                    MrAmos123 Im baiting as you/they are using a free service provided by people doing it for no reward who have no obligation to value your privacy in any way. Using this service and expecting some sort of privacy or security is, sorry, stupid. if you have systems in place to hide your IP on the internet but disable it on plutonium, then congratulations, you created a vulnerability isaiah666 ImSarah

                                    A Former User? Offline
                                    A Former User? Offline
                                    A Former User
                                    wrote on last edited by
                                    #53

                                    This is kind of like saying "she was asking for it, look what she was wearing" type shit.

                                    If you provide a service, you are absolutely expected to value your users information and work your hardest to ensure issues like this don't occur.

                                    There are paid users/donators also involved in this breach.

                                    1 Reply Last reply
                                    4
                                    • yogakumiundefined Offline
                                      yogakumiundefined Offline
                                      yogakumi
                                      wrote on last edited by yogakumi
                                      #54

                                      guys if you are leaving plutonium i would recommend x labs because there you can play mw2, ghosts and advance warfare.

                                      iw4x = modern warfare 2
                                      iw6x = ghosts
                                      s1x = advance warfare

                                      and you dont need a account

                                      isaiah666undefined 1 Reply Last reply
                                      1
                                      • xFDundefined xFD

                                        MrAmos123 well, now it is šŸ˜›

                                        MrAmos123undefined Offline
                                        MrAmos123undefined Offline
                                        MrAmos123
                                        wrote on last edited by
                                        #55

                                        xFD Eh, you make a point.

                                        1 Reply Last reply
                                        0
                                        • Mr. Androidundefined Mr. Android

                                          Hello community,

                                          It is with deep regret that the Plutonium Staff Team need to give notice that in September 2021, data was stolen from our forum. This affected all 1.3 million registered users at the time at the date of the breach. We became aware of this breach on September 20th, 2022, after being alerted that the data is being sold on cybercrime forums.

                                          The stolen data DOES NOT include:

                                          • Passwords
                                          • Server keys
                                          • Hardware information used for Anti-Cheat ban evasion detection
                                          • Information on any of the 2 million registered users who signed up after September 23rd, 2021

                                          The stolen data does include:

                                          • Usernames
                                          • User IDs
                                          • Email address history
                                          • IP addresses used to access the forum
                                          • Registration dates
                                          • Last login dates

                                          As such, no server keys or passwords have been reset.

                                          Our investigation:
                                          Upon being alerted, Plutonium Staff Administrators confirmed the legitimacy of the data in the breach and began investigating the root cause of the breach. This root cause is that a staff members' iCloud account was compromised, this iCloud account had an iPhone backup stored on it and the attacker restored this backup to a phone they controlled. This also restored the staff members' 2-Factor Authentication Secrets which allowed the attacker to generate authentic 2FA codes and thus allowed them to login to our forum as the compromised staff account.

                                          From here the attacker used our forum's API to scrape all registered users' profile data, and due to having access to a staff account, this data included IP address and Email Address history. Hence the stolen data includes more than the public facing profile information.

                                          During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and assumed we had fixed the issue. We did not report this scraping to the community due to our belief that the scraped information was public profile information, such as usernames, registration date and last login dates.

                                          The staff member that was compromised did not report the issue to Plutonium Staff Administrators due to the attacker attempting to access their bank accounts and other sensitive accounts and as such the idea that they may have targeted the staff members' Plutonium account did not occur to them, however they did reset their passwords and re-generate their 2 Factor Authentication secrets.

                                          Passwords and server keys were confirmed to not have been stolen. Server keys are stored in a different database and passwords are stored in a hashed fashion that even Plutonium Forum Administrators cannot access.

                                          What happens next:
                                          The only thing we can do is to notify you all as soon as possible and offer our most sincere apologies for this situation. We deeply regret that it has happened and hope our community can forgive us. Our entire Staff Team take responsibility for this lapse in what is usually a very robust Security Posture.

                                          We are unable to contact all affected users as we do not have the email abilities to send over 1 million emails, but by posting this message publicly we are hoping that the news will travel to most of them.

                                          We will also be in touch with the appropriate authorities.

                                          All our staff are required to have 2 Factor Authentication enabled on all Plutonium accounts, this has been in place since we started our forums in 2020, however we will now be doing periodic re-generation of 2FA secrets to avoid backed up Authenticator apps from being useful if they fall into the wrong hands.

                                          Timeline of events:
                                          September 2021: Data is stolen using a compromised staff account and compromised iCloud iPhone backup.
                                          September 2021: Exfiltration of data is spotted by Plutonium Staff and is mistakenly identified as public data, protections to stop the scraping is put in place.
                                          September 20th 2022: Plutonium Staff are notified of a potential breach.
                                          September 21st 2022: Plutonium Staff confirm breach is legit and begin investigation.
                                          September 22nd 2022: Investigation is completed, notification of breach is sent to the community.

                                          Context of Breach:
                                          As of September 2022, Plutonium has 3 million registered users, this breach affects 1.3 million users who registered before September 24th, 2021. From our understanding there has been 1 year from when the data was originally stolen to when it started to be publicly sold online.

                                          Once again, we would like to apologize for this isolated incident.

                                          KrKd AxiZundefined Offline
                                          KrKd AxiZundefined Offline
                                          KrKd AxiZ
                                          wrote on last edited by
                                          #56

                                          @Mr-Android what’s even worse is that there are staff members on the team that are cheaters. Besides that, all the cheats that get to bypass plutonium. A staff member falsely said ā€œ98% of cheaters can’t even make it past the main menuā€. The idiot that wrote this is VERY incorrect. More than half the player base uses cheats in some way. Even staff members used cheats. If you guys can’t even detect a simple cheat then there’s no surprise it took over a YEAR for you guys to detect a data breach this serious but yet so easy to patch.

                                          xFDundefined 1 Reply Last reply
                                          0
                                          Reply
                                          • Reply as topic
                                          Log in to reply
                                          • Oldest to Newest
                                          • Newest to Oldest
                                          • Most Votes


                                          • 1
                                          • 2
                                          • 3
                                          • 4
                                          • 5
                                          • 6
                                          • 7
                                          • Login

                                          • Don't have an account? Register

                                          • Login or register to search.
                                          • First post
                                            Last post
                                          0
                                          • Recent
                                          • Tags
                                          • Popular
                                          • Users
                                          • Groups
                                          • Donate