Skip to content
  • Recent
  • Tags
  • Popular
  • Users
  • Groups
  • Donate
Collapse

Plutonium

  1. Home
  2. Announcements
  3. Notification of Plutonium Forum Databreach - September 2021

Notification of Plutonium Forum Databreach - September 2021

Scheduled Pinned Locked Moved Announcements
133 Posts 67 Posters 26.1k Views 4 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • Lightshadow368undefined Lightshadow368

    Soliderror I wish I could say they learn, but they don't learn and they have proven it before. It's the reason I have left, and why many others have left plutonium as well. There is a wild lack of care to make a community or listen to it, and that is why the Discord server is left mostly dead. There is still a playerbase, but at this point, likely on a last limb after this information. They even locked down the discord server, simply because they didn't want backlash from a problem of their own making.

    Soliderrorundefined Offline
    Soliderrorundefined Offline
    Soliderror
    wrote on last edited by
    #91

    Lightshadow368 what haven't they learned from exactly?

    1 Reply Last reply
    0
    • A Former User? Offline
      A Former User? Offline
      A Former User
      wrote on last edited by A Former User
      #92

      The fact it took YOU AND YOUR TEAM a year to realise such events is f*cking embarrassing. So they have MY information and over 1 MILLION IP ADDRESSES? Embarrassing on your side honestly. Just so you know, i will be deleting my account and will no longer use Plutonium.

      1 Reply Last reply
      0
      • hindercanrunundefined Offline
        hindercanrunundefined Offline
        hindercanrun
        wrote on last edited by
        #93

        Deleting ur account won’t fix it

        1 Reply Last reply
        0
        • Bone Crusherundefined Bone Crusher

          @Mr-Android said in Notification of Plutonium Forum Databreach - September 2021:

          September 23rd, 2021

          Glad you have realized it, what has happend to the information of the accounts made before September 23rd, 2021?

          hindercanrunundefined Offline
          hindercanrunundefined Offline
          hindercanrun
          wrote on last edited by
          #94

          Bone Crusher who knows, they could be apart of it, or they could be safe

          1 Reply Last reply
          0
          • Lightshadow368undefined Lightshadow368

            Soliderror I wish I could say they learn, but they don't learn and they have proven it before. It's the reason I have left, and why many others have left plutonium as well. There is a wild lack of care to make a community or listen to it, and that is why the Discord server is left mostly dead. There is still a playerbase, but at this point, likely on a last limb after this information. They even locked down the discord server, simply because they didn't want backlash from a problem of their own making.

            hindercanrunundefined Offline
            hindercanrunundefined Offline
            hindercanrun
            wrote on last edited by
            #95

            Lightshadow368 you have to remember this is a community project, they don’t get paid for this
            you won’t have the best security

            1 Reply Last reply
            0
            • nor14undefined Offline
              nor14undefined Offline
              nor14
              wrote on last edited by nor14
              #96

              incredible how it was 1 year to notice about this so now some people from us or uk have information of me? the gmail account linked to this account is from my big brother... in the first point
              Staffs should not have ip information or have the cloud on another cloud not iCloud...
              second
              why 1 year to notice that u guys didnt fix the problem? double checking exists... anyway goodbye and good luck

              1 Reply Last reply
              0
              • Soliderrorundefined Soliderror

                For everyone that thinks deleteing your account and using a different client would be the best thing to do, It isn't. The best thing to do now is: Change your password, Make a new email to keep away from spam, call your isp and ask for a ip change. The Pluto team found the attack, and that's what matters, they will learn from this mistake and are putting new security measures in place, lots of other clients would not even try to add new security measures let alone let you know what happened. It took alot for them to even notify the community but it was the right thing to do.

                KrKd AxiZundefined Offline
                KrKd AxiZundefined Offline
                KrKd AxiZ
                wrote on last edited by
                #97

                Soliderror Plutonium isn’t going to learn when there are cheaters on their staff team and their anticheat is terrible.

                Crypticundefined Soliderrorundefined 2 Replies Last reply
                1
                • KrKd AxiZundefined KrKd AxiZ

                  Soliderror Plutonium isn’t going to learn when there are cheaters on their staff team and their anticheat is terrible.

                  Crypticundefined Offline
                  Crypticundefined Offline
                  Cryptic
                  wrote on last edited by
                  #98

                  KrKd AxiZ you do realize bots get names from staff right? >.<

                  KrKd AxiZundefined 1 Reply Last reply
                  0
                  • Crypticundefined Cryptic

                    KrKd AxiZ you do realize bots get names from staff right? >.<

                    KrKd AxiZundefined Offline
                    KrKd AxiZundefined Offline
                    KrKd AxiZ
                    wrote on last edited by
                    #99

                    @TheCryptic I don’t understand how this relates, unless you’re implying that plutonium staff act like bots. Then I get it.

                    Resxtundefined 1 Reply Last reply
                    0
                    • KrKd AxiZundefined KrKd AxiZ

                      @TheCryptic I don’t understand how this relates, unless you’re implying that plutonium staff act like bots. Then I get it.

                      Resxtundefined Offline
                      Resxtundefined Offline
                      Resxt
                      Plutonium Staff
                      wrote on last edited by
                      #100

                      KrKd AxiZ there's none.. it's just that you can set ANY name for bots and for some reason some servers set bots names to the Plutonium staff names

                      KrKd AxiZundefined 1 Reply Last reply
                      0
                      • Resxtundefined Resxt

                        KrKd AxiZ there's none.. it's just that you can set ANY name for bots and for some reason some servers set bots names to the Plutonium staff names

                        KrKd AxiZundefined Offline
                        KrKd AxiZundefined Offline
                        KrKd AxiZ
                        wrote on last edited by
                        #101

                        Resxt yes because plutonium staff act like bots lmao. Over a year of our data being leaked. Over a year of cheaters constantly running rampant with FREE cheats on this crap. Hell I know ROBLOX game makers in their teens with better security and anticheat than this. You people can’t use the excuse of “free client” either when it’s a whole team of developers working on an project that gets VIEWED and PLAYED by YouTubers with millions of subscribers and viewers, versus some 13 year old with better development and anticheat knowledge than you guys.

                        1 Reply Last reply
                        0
                        • Temp Noggerundefined Offline
                          Temp Noggerundefined Offline
                          Temp Nogger
                          wrote on last edited by
                          #102

                          So lately for the past few months there has been cheaters like crazy and now a data breach?! RIP PLUTONIUM 2022 might wanna find someone who knows how to make a proper anticheat.. just saying but wait i already know how you guys deal with cheaters… it’s always “Report it to the server owner” like what!!!! brilliant but lazy…

                          1 Reply Last reply
                          1
                          • ljave018undefined Offline
                            ljave018undefined Offline
                            ljave018
                            wrote on last edited by ljave018
                            #103

                            Most of the users probably have a dynamic IP, meaning IPs got changed (A LOT) for the past year.
                            If you feel paranoid, change email, password, username and change IP by calling up your ISP or by simply restarting router.
                            NEVER link your account data and authenticators to your iCloud account, or to any account that can store shit in cloud. That's the #1 thing you should never do in terms of security. You can avoid storing your data on the cloud, or use separate phone that has no access to any accounts (almost as it is airgaped).
                            As of the apology, I can forgive you, but next time, tell your staff to always report any breaching attempts and successions (and to preferably blur sensitive accounts).

                            1 Reply Last reply
                            0
                            • Mr. Androidundefined Mr. Android

                              Hello community,

                              It is with deep regret that the Plutonium Staff Team need to give notice that in September 2021, data was stolen from our forum. This affected all 1.3 million registered users at the time at the date of the breach. We became aware of this breach on September 20th, 2022, after being alerted that the data is being sold on cybercrime forums.

                              The stolen data DOES NOT include:

                              • Passwords
                              • Server keys
                              • Hardware information used for Anti-Cheat ban evasion detection
                              • Information on any of the 2 million registered users who signed up after September 23rd, 2021

                              The stolen data does include:

                              • Usernames
                              • User IDs
                              • Email address history
                              • IP addresses used to access the forum
                              • Registration dates
                              • Last login dates

                              As such, no server keys or passwords have been reset.

                              Our investigation:
                              Upon being alerted, Plutonium Staff Administrators confirmed the legitimacy of the data in the breach and began investigating the root cause of the breach. This root cause is that a staff members' iCloud account was compromised, this iCloud account had an iPhone backup stored on it and the attacker restored this backup to a phone they controlled. This also restored the staff members' 2-Factor Authentication Secrets which allowed the attacker to generate authentic 2FA codes and thus allowed them to login to our forum as the compromised staff account.

                              From here the attacker used our forum's API to scrape all registered users' profile data, and due to having access to a staff account, this data included IP address and Email Address history. Hence the stolen data includes more than the public facing profile information.

                              During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and assumed we had fixed the issue. We did not report this scraping to the community due to our belief that the scraped information was public profile information, such as usernames, registration date and last login dates.

                              The staff member that was compromised did not report the issue to Plutonium Staff Administrators due to the attacker attempting to access their bank accounts and other sensitive accounts and as such the idea that they may have targeted the staff members' Plutonium account did not occur to them, however they did reset their passwords and re-generate their 2 Factor Authentication secrets.

                              Passwords and server keys were confirmed to not have been stolen. Server keys are stored in a different database and passwords are stored in a hashed fashion that even Plutonium Forum Administrators cannot access.

                              What happens next:
                              The only thing we can do is to notify you all as soon as possible and offer our most sincere apologies for this situation. We deeply regret that it has happened and hope our community can forgive us. Our entire Staff Team take responsibility for this lapse in what is usually a very robust Security Posture.

                              We are unable to contact all affected users as we do not have the email abilities to send over 1 million emails, but by posting this message publicly we are hoping that the news will travel to most of them.

                              We will also be in touch with the appropriate authorities.

                              All our staff are required to have 2 Factor Authentication enabled on all Plutonium accounts, this has been in place since we started our forums in 2020, however we will now be doing periodic re-generation of 2FA secrets to avoid backed up Authenticator apps from being useful if they fall into the wrong hands.

                              Timeline of events:
                              September 2021: Data is stolen using a compromised staff account and compromised iCloud iPhone backup.
                              September 2021: Exfiltration of data is spotted by Plutonium Staff and is mistakenly identified as public data, protections to stop the scraping is put in place.
                              September 20th 2022: Plutonium Staff are notified of a potential breach.
                              September 21st 2022: Plutonium Staff confirm breach is legit and begin investigation.
                              September 22nd 2022: Investigation is completed, notification of breach is sent to the community.

                              Context of Breach:
                              As of September 2022, Plutonium has 3 million registered users, this breach affects 1.3 million users who registered before September 24th, 2021. From our understanding there has been 1 year from when the data was originally stolen to when it started to be publicly sold online.

                              Once again, we would like to apologize for this isolated incident.

                              wuywauydawUYDundefined Offline
                              wuywauydawUYDundefined Offline
                              wuywauydawUYD
                              wrote on last edited by
                              #104

                              @Mr-Android took yall a whole ass year to figure this out?

                              1 Reply Last reply
                              0
                              • A Former User? A Former User

                                A whole year to address this? Absolutely unacceptable.

                                MrDeathFoxundefined Offline
                                MrDeathFoxundefined Offline
                                MrDeathFox
                                wrote on last edited by
                                #105

                                @rawssh FR

                                1 Reply Last reply
                                0
                                • bonbon321undefined bonbon321

                                  Absolute embarassment, a year to realise this. Why did that staff member have access to so much personal data?

                                  "During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and ASSUMED we had fixed the issue." - Utter negligence.

                                  And the gall to mute every channel in the discord server...

                                  SFMPlayzundefined Offline
                                  SFMPlayzundefined Offline
                                  SFMPlayz
                                  wrote on last edited by
                                  #106

                                  bonbon321 Is that why no one can talk in the discord? Because all the channels are muted?

                                  Memeking254undefined 1 Reply Last reply
                                  1
                                  • SFMPlayzundefined SFMPlayz

                                    bonbon321 Is that why no one can talk in the discord? Because all the channels are muted?

                                    Memeking254undefined Offline
                                    Memeking254undefined Offline
                                    Memeking254
                                    wrote on last edited by
                                    #107

                                    SFMPlayz yep lol

                                    1 Reply Last reply
                                    0
                                    • Mr. Androidundefined Mr. Android

                                      Hello community,

                                      It is with deep regret that the Plutonium Staff Team need to give notice that in September 2021, data was stolen from our forum. This affected all 1.3 million registered users at the time at the date of the breach. We became aware of this breach on September 20th, 2022, after being alerted that the data is being sold on cybercrime forums.

                                      The stolen data DOES NOT include:

                                      • Passwords
                                      • Server keys
                                      • Hardware information used for Anti-Cheat ban evasion detection
                                      • Information on any of the 2 million registered users who signed up after September 23rd, 2021

                                      The stolen data does include:

                                      • Usernames
                                      • User IDs
                                      • Email address history
                                      • IP addresses used to access the forum
                                      • Registration dates
                                      • Last login dates

                                      As such, no server keys or passwords have been reset.

                                      Our investigation:
                                      Upon being alerted, Plutonium Staff Administrators confirmed the legitimacy of the data in the breach and began investigating the root cause of the breach. This root cause is that a staff members' iCloud account was compromised, this iCloud account had an iPhone backup stored on it and the attacker restored this backup to a phone they controlled. This also restored the staff members' 2-Factor Authentication Secrets which allowed the attacker to generate authentic 2FA codes and thus allowed them to login to our forum as the compromised staff account.

                                      From here the attacker used our forum's API to scrape all registered users' profile data, and due to having access to a staff account, this data included IP address and Email Address history. Hence the stolen data includes more than the public facing profile information.

                                      During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and assumed we had fixed the issue. We did not report this scraping to the community due to our belief that the scraped information was public profile information, such as usernames, registration date and last login dates.

                                      The staff member that was compromised did not report the issue to Plutonium Staff Administrators due to the attacker attempting to access their bank accounts and other sensitive accounts and as such the idea that they may have targeted the staff members' Plutonium account did not occur to them, however they did reset their passwords and re-generate their 2 Factor Authentication secrets.

                                      Passwords and server keys were confirmed to not have been stolen. Server keys are stored in a different database and passwords are stored in a hashed fashion that even Plutonium Forum Administrators cannot access.

                                      What happens next:
                                      The only thing we can do is to notify you all as soon as possible and offer our most sincere apologies for this situation. We deeply regret that it has happened and hope our community can forgive us. Our entire Staff Team take responsibility for this lapse in what is usually a very robust Security Posture.

                                      We are unable to contact all affected users as we do not have the email abilities to send over 1 million emails, but by posting this message publicly we are hoping that the news will travel to most of them.

                                      We will also be in touch with the appropriate authorities.

                                      All our staff are required to have 2 Factor Authentication enabled on all Plutonium accounts, this has been in place since we started our forums in 2020, however we will now be doing periodic re-generation of 2FA secrets to avoid backed up Authenticator apps from being useful if they fall into the wrong hands.

                                      Timeline of events:
                                      September 2021: Data is stolen using a compromised staff account and compromised iCloud iPhone backup.
                                      September 2021: Exfiltration of data is spotted by Plutonium Staff and is mistakenly identified as public data, protections to stop the scraping is put in place.
                                      September 20th 2022: Plutonium Staff are notified of a potential breach.
                                      September 21st 2022: Plutonium Staff confirm breach is legit and begin investigation.
                                      September 22nd 2022: Investigation is completed, notification of breach is sent to the community.

                                      Context of Breach:
                                      As of September 2022, Plutonium has 3 million registered users, this breach affects 1.3 million users who registered before September 24th, 2021. From our understanding there has been 1 year from when the data was originally stolen to when it started to be publicly sold online.

                                      Once again, we would like to apologize for this isolated incident.

                                      FaZe Flickundefined Offline
                                      FaZe Flickundefined Offline
                                      FaZe Flick
                                      wrote on last edited by
                                      #108

                                      @Mr-Android truly embarrassing that you guys didn't know this information. And wanna know the worst part besides this overall? We still have yet to get a fucking update for bo1 Pluto but I see that's gonna take longer now just cause of this situation that happened. Yall need to be more alert with personal information amongst yourself to keep your client application and your forums safe. Otherwise people would move to a different client if this gets robust and personally I wouldnt want to do that because I think that pluto itself is a but more funner than the steam versions of these games even tho the development of bo1 is still a bit rubbish. Don't let us down again.

                                      chasef7undefined 1 Reply Last reply
                                      1
                                      • RedxSkullundefined Offline
                                        RedxSkullundefined Offline
                                        RedxSkull
                                        wrote on last edited by
                                        #109

                                        The matter at hand is unfortunate, but I'm glad they decided to address the issue to the community. Rather, then keep it to themselves. I just hope this doesn't happen again and no staff member decides to make money for themselves with users information. Yes, you can make money selling IP addresses and emails to 3rd parties. Another project called Teknogods had staff members that were doing this and nothing was done about it. Plutonium addressing this issue shows they do care about the community. Security just needs to be better, and not only from outside of plutonium, but within as well.

                                        1 Reply Last reply
                                        1
                                        • Mr. Androidundefined Mr. Android

                                          Hello community,

                                          It is with deep regret that the Plutonium Staff Team need to give notice that in September 2021, data was stolen from our forum. This affected all 1.3 million registered users at the time at the date of the breach. We became aware of this breach on September 20th, 2022, after being alerted that the data is being sold on cybercrime forums.

                                          The stolen data DOES NOT include:

                                          • Passwords
                                          • Server keys
                                          • Hardware information used for Anti-Cheat ban evasion detection
                                          • Information on any of the 2 million registered users who signed up after September 23rd, 2021

                                          The stolen data does include:

                                          • Usernames
                                          • User IDs
                                          • Email address history
                                          • IP addresses used to access the forum
                                          • Registration dates
                                          • Last login dates

                                          As such, no server keys or passwords have been reset.

                                          Our investigation:
                                          Upon being alerted, Plutonium Staff Administrators confirmed the legitimacy of the data in the breach and began investigating the root cause of the breach. This root cause is that a staff members' iCloud account was compromised, this iCloud account had an iPhone backup stored on it and the attacker restored this backup to a phone they controlled. This also restored the staff members' 2-Factor Authentication Secrets which allowed the attacker to generate authentic 2FA codes and thus allowed them to login to our forum as the compromised staff account.

                                          From here the attacker used our forum's API to scrape all registered users' profile data, and due to having access to a staff account, this data included IP address and Email Address history. Hence the stolen data includes more than the public facing profile information.

                                          During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and assumed we had fixed the issue. We did not report this scraping to the community due to our belief that the scraped information was public profile information, such as usernames, registration date and last login dates.

                                          The staff member that was compromised did not report the issue to Plutonium Staff Administrators due to the attacker attempting to access their bank accounts and other sensitive accounts and as such the idea that they may have targeted the staff members' Plutonium account did not occur to them, however they did reset their passwords and re-generate their 2 Factor Authentication secrets.

                                          Passwords and server keys were confirmed to not have been stolen. Server keys are stored in a different database and passwords are stored in a hashed fashion that even Plutonium Forum Administrators cannot access.

                                          What happens next:
                                          The only thing we can do is to notify you all as soon as possible and offer our most sincere apologies for this situation. We deeply regret that it has happened and hope our community can forgive us. Our entire Staff Team take responsibility for this lapse in what is usually a very robust Security Posture.

                                          We are unable to contact all affected users as we do not have the email abilities to send over 1 million emails, but by posting this message publicly we are hoping that the news will travel to most of them.

                                          We will also be in touch with the appropriate authorities.

                                          All our staff are required to have 2 Factor Authentication enabled on all Plutonium accounts, this has been in place since we started our forums in 2020, however we will now be doing periodic re-generation of 2FA secrets to avoid backed up Authenticator apps from being useful if they fall into the wrong hands.

                                          Timeline of events:
                                          September 2021: Data is stolen using a compromised staff account and compromised iCloud iPhone backup.
                                          September 2021: Exfiltration of data is spotted by Plutonium Staff and is mistakenly identified as public data, protections to stop the scraping is put in place.
                                          September 20th 2022: Plutonium Staff are notified of a potential breach.
                                          September 21st 2022: Plutonium Staff confirm breach is legit and begin investigation.
                                          September 22nd 2022: Investigation is completed, notification of breach is sent to the community.

                                          Context of Breach:
                                          As of September 2022, Plutonium has 3 million registered users, this breach affects 1.3 million users who registered before September 24th, 2021. From our understanding there has been 1 year from when the data was originally stolen to when it started to be publicly sold online.

                                          Once again, we would like to apologize for this isolated incident.

                                          MystWickedundefined Offline
                                          MystWickedundefined Offline
                                          MystWicked
                                          wrote on last edited by
                                          #110

                                          oh well i guess its time for me to play bo2 on the 360 now

                                          Tori_cadundefined 1 Reply Last reply
                                          0
                                          Reply
                                          • Reply as topic
                                          Log in to reply
                                          • Oldest to Newest
                                          • Newest to Oldest
                                          • Most Votes


                                          • 1
                                          • 2
                                          • 3
                                          • 4
                                          • 5
                                          • 6
                                          • 7
                                          • Login

                                          • Don't have an account? Register

                                          • Login or register to search.
                                          • First post
                                            Last post
                                          0
                                          • Recent
                                          • Tags
                                          • Popular
                                          • Users
                                          • Groups
                                          • Donate