Notification of Plutonium Forum Databreach - September 2021
-
MrAmos123 Im baiting as you/they are using a free service provided by people doing it for no reward who have no obligation to value your privacy in any way. Using this service and expecting some sort of privacy or security is, sorry, stupid. if you have systems in place to hide your IP on the internet but disable it on plutonium, then congratulations, you created a vulnerability isaiah666 ImSarah
This is kind of like saying "she was asking for it, look what she was wearing" type shit.
If you provide a service, you are absolutely expected to value your users information and work your hardest to ensure issues like this don't occur.
There are paid users/donators also involved in this breach.
-
guys if you are leaving plutonium i would recommend x labs because there you can play mw2, ghosts and advance warfare.
iw4x = modern warfare 2
iw6x = ghosts
s1x = advance warfareand you dont need a account
-
xFD Eh, you make a point.
-
Hello community,
It is with deep regret that the Plutonium Staff Team need to give notice that in September 2021, data was stolen from our forum. This affected all 1.3 million registered users at the time at the date of the breach. We became aware of this breach on September 20th, 2022, after being alerted that the data is being sold on cybercrime forums.
The stolen data DOES NOT include:
- Passwords
- Server keys
- Hardware information used for Anti-Cheat ban evasion detection
- Information on any of the 2 million registered users who signed up after September 23rd, 2021
The stolen data does include:
- Usernames
- User IDs
- Email address history
- IP addresses used to access the forum
- Registration dates
- Last login dates
As such, no server keys or passwords have been reset.
Our investigation:
Upon being alerted, Plutonium Staff Administrators confirmed the legitimacy of the data in the breach and began investigating the root cause of the breach. This root cause is that a staff members' iCloud account was compromised, this iCloud account had an iPhone backup stored on it and the attacker restored this backup to a phone they controlled. This also restored the staff members' 2-Factor Authentication Secrets which allowed the attacker to generate authentic 2FA codes and thus allowed them to login to our forum as the compromised staff account.From here the attacker used our forum's API to scrape all registered users' profile data, and due to having access to a staff account, this data included IP address and Email Address history. Hence the stolen data includes more than the public facing profile information.
During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and assumed we had fixed the issue. We did not report this scraping to the community due to our belief that the scraped information was public profile information, such as usernames, registration date and last login dates.
The staff member that was compromised did not report the issue to Plutonium Staff Administrators due to the attacker attempting to access their bank accounts and other sensitive accounts and as such the idea that they may have targeted the staff members' Plutonium account did not occur to them, however they did reset their passwords and re-generate their 2 Factor Authentication secrets.
Passwords and server keys were confirmed to not have been stolen. Server keys are stored in a different database and passwords are stored in a hashed fashion that even Plutonium Forum Administrators cannot access.
What happens next:
The only thing we can do is to notify you all as soon as possible and offer our most sincere apologies for this situation. We deeply regret that it has happened and hope our community can forgive us. Our entire Staff Team take responsibility for this lapse in what is usually a very robust Security Posture.We are unable to contact all affected users as we do not have the email abilities to send over 1 million emails, but by posting this message publicly we are hoping that the news will travel to most of them.
We will also be in touch with the appropriate authorities.
All our staff are required to have 2 Factor Authentication enabled on all Plutonium accounts, this has been in place since we started our forums in 2020, however we will now be doing periodic re-generation of 2FA secrets to avoid backed up Authenticator apps from being useful if they fall into the wrong hands.
Timeline of events:
September 2021: Data is stolen using a compromised staff account and compromised iCloud iPhone backup.
September 2021: Exfiltration of data is spotted by Plutonium Staff and is mistakenly identified as public data, protections to stop the scraping is put in place.
September 20th 2022: Plutonium Staff are notified of a potential breach.
September 21st 2022: Plutonium Staff confirm breach is legit and begin investigation.
September 22nd 2022: Investigation is completed, notification of breach is sent to the community.Context of Breach:
As of September 2022, Plutonium has 3 million registered users, this breach affects 1.3 million users who registered before September 24th, 2021. From our understanding there has been 1 year from when the data was originally stolen to when it started to be publicly sold online.Once again, we would like to apologize for this isolated incident.
@Mr-Android whatās even worse is that there are staff members on the team that are cheaters. Besides that, all the cheats that get to bypass plutonium. A staff member falsely said ā98% of cheaters canāt even make it past the main menuā. The idiot that wrote this is VERY incorrect. More than half the player base uses cheats in some way. Even staff members used cheats. If you guys canāt even detect a simple cheat then thereās no surprise it took over a YEAR for you guys to detect a data breach this serious but yet so easy to patch.
-
guys if you are leaving plutonium i would recommend x labs because there you can play mw2, ghosts and advance warfare.
iw4x = modern warfare 2
iw6x = ghosts
s1x = advance warfareand you dont need a account
I wouldn't say this will cause Plutonium to die but we the users have to be careful now.
They had the duty to inform the users and failed to protect them.
With such a breach, will we see it happen again? Staff members having files of information on users should not be a thing.
-
@Mr-Android whatās even worse is that there are staff members on the team that are cheaters. Besides that, all the cheats that get to bypass plutonium. A staff member falsely said ā98% of cheaters canāt even make it past the main menuā. The idiot that wrote this is VERY incorrect. More than half the player base uses cheats in some way. Even staff members used cheats. If you guys canāt even detect a simple cheat then thereās no surprise it took over a YEAR for you guys to detect a data breach this serious but yet so easy to patch.
KrKd AxiZ One of their admins is a doxxer
-
How do I delete my account? There's no option in the settings..
-
How do I delete my account? There's no option in the settings..
@zombiepepega
Click edit profile on your profile page, there's a delete button
Rip brother.
-
How do I delete my account? There's no option in the settings..
@zombiepepega Edit Profile > Delete Account
-
Also, if you don't know how to tell if you have a dynamic IP...
Open up Command Prompt and type "ipconfig/all" and look under everything. If most areas that say "DHCP Enabled" say Yes, then it's dynamic. If they all say No, then your IP is static.Also, since no one wants to use plutonium, we can either find something else online, or go back to OG BLOPS2 servers! Right..? -_-
@zombiepepega DHCP does not mean dynamic ips in the way your thinking. DHCP is just a form of protocols that your device uses to set the ip. Otherwise you would have to manually enter a ip and subnet to connect to anything.
Especially if you do have a dynamic ip. Because DHCP automatically reconfigures your network settings for that device every time it notices a change.
I'm all static. Even my local networks. But they all still use DHCP Incase I change local ips through my switch.
-
man, this really hit people in the shit box huh.
1 year to discover there had been a breach in the first place of information, more work should've been put in to look into this in the first place and looking into what staff has access to sensitive information such as IP's. which i understand people are pretty upset by especially those with static ip's.
this whole thing is more humiliating to plutonium's reputation than being caught practicing skat by the masses and i think they need to take a good look in the mirror, wipe the shit off their faces and vet their staff to properly keep their own and other shit secure. i'm not personally outraged since i have a dynamic ip and was probably reset since then but, yeah. do better lads.
-
Could someone explain to me why the average user should be worried about Email addresses and IP addresses being leaked? For the average user, i.e. not a public figure, there is no reason to be specifically targeted by any attack.
The other information is either already publicly available (Usernames, Registration dates, Last login dates) or only relevant to Plutonium services (User IDs). I'm not sure why anyone should care about these being leaked.
Not trying to discredit anyone worried about this leak, just trying to learn.
CoinFlipper Leaks like these are how people get added to mass spam lists, it isn't just this breach to worry about it's the linking of multiple data breaches together to form a profile of you as an individual.
Granted, being in a leak sucks and having the information at that time leaked may not seem like a big deal.
But, imagine malicious actors using multiple pieces of each data breach to build up a portfolio as you and then take your identity?
It's unlikely, but not impossible.
-
-
yogakumi maybe stop spamming this shit?
-
This post is deleted!
-
Cigar I have a static IP, I have been extremely careful about using a VPN and shit. But guess what? I trusted plutonium to not steal my information cause they are "trusted" and now my IP has finally been leaked. So that's fun. Anyone know any good Plutonium alternatives?
imsarahh Just call up your ISP and tell them you need a new IP. Think of some bullshit reason to let them change it and BOOM, you're done and set!
-
this is my last post. Cya guys its been fun
-
xFD okay sry
-
imsarahh Just call up your ISP and tell them you need a new IP. Think of some bullshit reason to let them change it and BOOM, you're done and set!
Most ISP's should be able to use your IP being leaked as a valid reason to change it.
-
Hello community,
It is with deep regret that the Plutonium Staff Team need to give notice that in September 2021, data was stolen from our forum. This affected all 1.3 million registered users at the time at the date of the breach. We became aware of this breach on September 20th, 2022, after being alerted that the data is being sold on cybercrime forums.
The stolen data DOES NOT include:
- Passwords
- Server keys
- Hardware information used for Anti-Cheat ban evasion detection
- Information on any of the 2 million registered users who signed up after September 23rd, 2021
The stolen data does include:
- Usernames
- User IDs
- Email address history
- IP addresses used to access the forum
- Registration dates
- Last login dates
As such, no server keys or passwords have been reset.
Our investigation:
Upon being alerted, Plutonium Staff Administrators confirmed the legitimacy of the data in the breach and began investigating the root cause of the breach. This root cause is that a staff members' iCloud account was compromised, this iCloud account had an iPhone backup stored on it and the attacker restored this backup to a phone they controlled. This also restored the staff members' 2-Factor Authentication Secrets which allowed the attacker to generate authentic 2FA codes and thus allowed them to login to our forum as the compromised staff account.From here the attacker used our forum's API to scrape all registered users' profile data, and due to having access to a staff account, this data included IP address and Email Address history. Hence the stolen data includes more than the public facing profile information.
During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and assumed we had fixed the issue. We did not report this scraping to the community due to our belief that the scraped information was public profile information, such as usernames, registration date and last login dates.
The staff member that was compromised did not report the issue to Plutonium Staff Administrators due to the attacker attempting to access their bank accounts and other sensitive accounts and as such the idea that they may have targeted the staff members' Plutonium account did not occur to them, however they did reset their passwords and re-generate their 2 Factor Authentication secrets.
Passwords and server keys were confirmed to not have been stolen. Server keys are stored in a different database and passwords are stored in a hashed fashion that even Plutonium Forum Administrators cannot access.
What happens next:
The only thing we can do is to notify you all as soon as possible and offer our most sincere apologies for this situation. We deeply regret that it has happened and hope our community can forgive us. Our entire Staff Team take responsibility for this lapse in what is usually a very robust Security Posture.We are unable to contact all affected users as we do not have the email abilities to send over 1 million emails, but by posting this message publicly we are hoping that the news will travel to most of them.
We will also be in touch with the appropriate authorities.
All our staff are required to have 2 Factor Authentication enabled on all Plutonium accounts, this has been in place since we started our forums in 2020, however we will now be doing periodic re-generation of 2FA secrets to avoid backed up Authenticator apps from being useful if they fall into the wrong hands.
Timeline of events:
September 2021: Data is stolen using a compromised staff account and compromised iCloud iPhone backup.
September 2021: Exfiltration of data is spotted by Plutonium Staff and is mistakenly identified as public data, protections to stop the scraping is put in place.
September 20th 2022: Plutonium Staff are notified of a potential breach.
September 21st 2022: Plutonium Staff confirm breach is legit and begin investigation.
September 22nd 2022: Investigation is completed, notification of breach is sent to the community.Context of Breach:
As of September 2022, Plutonium has 3 million registered users, this breach affects 1.3 million users who registered before September 24th, 2021. From our understanding there has been 1 year from when the data was originally stolen to when it started to be publicly sold online.Once again, we would like to apologize for this isolated incident.
It is sad to hear it took a whole year to notice this breach, but however it is good to hear it was a breach of a user and not the system itself with the breach only containing semi important PII but nothing that could ruin an individual. Hopefully this is the last and only data breach we hear of come from Plutonium.
