Notification of Plutonium Forum Databreach - September 2021
-
Hello community,
It is with deep regret that the Plutonium Staff Team need to give notice that in September 2021, data was stolen from our forum. This affected all 1.3 million registered users at the time at the date of the breach. We became aware of this breach on September 20th, 2022, after being alerted that the data is being sold on cybercrime forums.
The stolen data DOES NOT include:
- Passwords
- Server keys
- Hardware information used for Anti-Cheat ban evasion detection
- Information on any of the 2 million registered users who signed up after September 23rd, 2021
The stolen data does include:
- Usernames
- User IDs
- Email address history
- IP addresses used to access the forum
- Registration dates
- Last login dates
As such, no server keys or passwords have been reset.
Our investigation:
Upon being alerted, Plutonium Staff Administrators confirmed the legitimacy of the data in the breach and began investigating the root cause of the breach. This root cause is that a staff members' iCloud account was compromised, this iCloud account had an iPhone backup stored on it and the attacker restored this backup to a phone they controlled. This also restored the staff members' 2-Factor Authentication Secrets which allowed the attacker to generate authentic 2FA codes and thus allowed them to login to our forum as the compromised staff account.From here the attacker used our forum's API to scrape all registered users' profile data, and due to having access to a staff account, this data included IP address and Email Address history. Hence the stolen data includes more than the public facing profile information.
During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and assumed we had fixed the issue. We did not report this scraping to the community due to our belief that the scraped information was public profile information, such as usernames, registration date and last login dates.
The staff member that was compromised did not report the issue to Plutonium Staff Administrators due to the attacker attempting to access their bank accounts and other sensitive accounts and as such the idea that they may have targeted the staff members' Plutonium account did not occur to them, however they did reset their passwords and re-generate their 2 Factor Authentication secrets.
Passwords and server keys were confirmed to not have been stolen. Server keys are stored in a different database and passwords are stored in a hashed fashion that even Plutonium Forum Administrators cannot access.
What happens next:
The only thing we can do is to notify you all as soon as possible and offer our most sincere apologies for this situation. We deeply regret that it has happened and hope our community can forgive us. Our entire Staff Team take responsibility for this lapse in what is usually a very robust Security Posture.We are unable to contact all affected users as we do not have the email abilities to send over 1 million emails, but by posting this message publicly we are hoping that the news will travel to most of them.
We will also be in touch with the appropriate authorities.
All our staff are required to have 2 Factor Authentication enabled on all Plutonium accounts, this has been in place since we started our forums in 2020, however we will now be doing periodic re-generation of 2FA secrets to avoid backed up Authenticator apps from being useful if they fall into the wrong hands.
Timeline of events:
September 2021: Data is stolen using a compromised staff account and compromised iCloud iPhone backup.
September 2021: Exfiltration of data is spotted by Plutonium Staff and is mistakenly identified as public data, protections to stop the scraping is put in place.
September 20th 2022: Plutonium Staff are notified of a potential breach.
September 21st 2022: Plutonium Staff confirm breach is legit and begin investigation.
September 22nd 2022: Investigation is completed, notification of breach is sent to the community.Context of Breach:
As of September 2022, Plutonium has 3 million registered users, this breach affects 1.3 million users who registered before September 24th, 2021. From our understanding there has been 1 year from when the data was originally stolen to when it started to be publicly sold online.Once again, we would like to apologize for this isolated incident.
Data breaches happen all the time... what do you think happens when google gets their data breached and millions of user's info gets sold as a result? I get why people are freaking out but at the same time, if somebody really wanted to come hunt you down, they would have done it by now.... Besides, I don't think some random stranger would want to hunt down some random person that plays video games in their freetime.
Not only to top this reply off... but do none of you realize that phone books are still a thing and every person's address is listed in the phone book as well as somebody's email and phone number? I'm not undermining the seriousness of the situation, I'm just simply stating that overworrying doesn't help anyone and giving shit to the staff of Plutonium isn't fair. Anybody can get hacked, that's just the risk you take when you use the internet.
-
FaZe Flick said in Notification of Plutonium Forum Databreach - September 2021:
@Mr-Android truly embarrassing that you guys didn't know this information. And wanna know the worst part besides this overall? We still have yet to get a fucking update for bo1 Pluto but I see that's gonna take longer now just cause of this situation that happened. Yall need to be more alert with personal information amongst yourself to keep your client application and your forums safe. Otherwise people would move to a different client if this gets robust and personally I wouldnt want to do that because I think that pluto itself is a but more funner than the steam versions of these games even tho the development of bo1 is still a bit rubbish. Don't let us down again.
lil bro is asking for a lot from an unpaid staff team
chasef7 said in Notification of Plutonium Forum Databreach - September 2021:
FaZe Flick said in Notification of Plutonium Forum Databreach - September 2021:
@Mr-Android truly embarrassing that you guys didn't know this information. And wanna know the worst part besides this overall? We still have yet to get a fucking update for bo1 Pluto but I see that's gonna take longer now just cause of this situation that happened. Yall need to be more alert with personal information amongst yourself to keep your client application and your forums safe. Otherwise people would move to a different client if this gets robust and personally I wouldnt want to do that because I think that pluto itself is a but more funner than the steam versions of these games even tho the development of bo1 is still a bit rubbish. Don't let us down again.
lil bro is asking for a lot from an unpaid staff team
Your constant dickriding isn't helping, either. So shut the fuck up and sit down, kiddo.
-
Hello community,
It is with deep regret that the Plutonium Staff Team need to give notice that in September 2021, data was stolen from our forum. This affected all 1.3 million registered users at the time at the date of the breach. We became aware of this breach on September 20th, 2022, after being alerted that the data is being sold on cybercrime forums.
The stolen data DOES NOT include:
- Passwords
- Server keys
- Hardware information used for Anti-Cheat ban evasion detection
- Information on any of the 2 million registered users who signed up after September 23rd, 2021
The stolen data does include:
- Usernames
- User IDs
- Email address history
- IP addresses used to access the forum
- Registration dates
- Last login dates
As such, no server keys or passwords have been reset.
Our investigation:
Upon being alerted, Plutonium Staff Administrators confirmed the legitimacy of the data in the breach and began investigating the root cause of the breach. This root cause is that a staff members' iCloud account was compromised, this iCloud account had an iPhone backup stored on it and the attacker restored this backup to a phone they controlled. This also restored the staff members' 2-Factor Authentication Secrets which allowed the attacker to generate authentic 2FA codes and thus allowed them to login to our forum as the compromised staff account.From here the attacker used our forum's API to scrape all registered users' profile data, and due to having access to a staff account, this data included IP address and Email Address history. Hence the stolen data includes more than the public facing profile information.
During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and assumed we had fixed the issue. We did not report this scraping to the community due to our belief that the scraped information was public profile information, such as usernames, registration date and last login dates.
The staff member that was compromised did not report the issue to Plutonium Staff Administrators due to the attacker attempting to access their bank accounts and other sensitive accounts and as such the idea that they may have targeted the staff members' Plutonium account did not occur to them, however they did reset their passwords and re-generate their 2 Factor Authentication secrets.
Passwords and server keys were confirmed to not have been stolen. Server keys are stored in a different database and passwords are stored in a hashed fashion that even Plutonium Forum Administrators cannot access.
What happens next:
The only thing we can do is to notify you all as soon as possible and offer our most sincere apologies for this situation. We deeply regret that it has happened and hope our community can forgive us. Our entire Staff Team take responsibility for this lapse in what is usually a very robust Security Posture.We are unable to contact all affected users as we do not have the email abilities to send over 1 million emails, but by posting this message publicly we are hoping that the news will travel to most of them.
We will also be in touch with the appropriate authorities.
All our staff are required to have 2 Factor Authentication enabled on all Plutonium accounts, this has been in place since we started our forums in 2020, however we will now be doing periodic re-generation of 2FA secrets to avoid backed up Authenticator apps from being useful if they fall into the wrong hands.
Timeline of events:
September 2021: Data is stolen using a compromised staff account and compromised iCloud iPhone backup.
September 2021: Exfiltration of data is spotted by Plutonium Staff and is mistakenly identified as public data, protections to stop the scraping is put in place.
September 20th 2022: Plutonium Staff are notified of a potential breach.
September 21st 2022: Plutonium Staff confirm breach is legit and begin investigation.
September 22nd 2022: Investigation is completed, notification of breach is sent to the community.Context of Breach:
As of September 2022, Plutonium has 3 million registered users, this breach affects 1.3 million users who registered before September 24th, 2021. From our understanding there has been 1 year from when the data was originally stolen to when it started to be publicly sold online.Once again, we would like to apologize for this isolated incident.
Good project but
-
As a used-to-be supporter of Plutonium, hearing this is unsurprising. I disliked Plutonium staff as most of them tend to be complete jerks. This is also shown in the way you muted every channel leaving modding and support questions to be solved on their own and I bet you you'll pull a Pokimane and filter out specific words or mute people to let this die down instead of answering questions of what actually happens next when it comes to privacy and security. Maybe because you don't even know.
There is absolutely no way that the staff member noticed them trying to breach several sensitive accounts except for their Plutonium backup? How does that even work. You would think that if you are being targeted on not just one account but several, that maybe they'd also go for your Plutonium account. Most of all, how did you notice the exfiltration of the data the first time? I bet that staff member was specifically targeted and they most likely have spoken to their attacker some day. Why would a staff member even need access to so much information when you guys treat them like friends and not workers. Hopefully this is a learning lesson that shows just how little trust there is in business whether the wrongdoings were done on purpose or not. If you guys can't even create a simple filtering system, I wouldn't expect you to take less than half a year to figure this out. Hopefully one day a different client comes about so that a lot of us can switch.
I bet you one of your culty discord followers that loves admins is going to reply with something dumb too.
-
Everyone is giving the staff hell for not realizing the data breach when in reality. Everyone who owns a server and has access to the forums has most if not all scrapped data already available. None of the information is compromised. I appreciate the staff's transparency.
Invenios If an admin doesn't like someone, they can by all means DDoS attack them or leak it out to have anyone go at it.
-
chasef7 said in Notification of Plutonium Forum Databreach - September 2021:
FaZe Flick said in Notification of Plutonium Forum Databreach - September 2021:
@Mr-Android truly embarrassing that you guys didn't know this information. And wanna know the worst part besides this overall? We still have yet to get a fucking update for bo1 Pluto but I see that's gonna take longer now just cause of this situation that happened. Yall need to be more alert with personal information amongst yourself to keep your client application and your forums safe. Otherwise people would move to a different client if this gets robust and personally I wouldnt want to do that because I think that pluto itself is a but more funner than the steam versions of these games even tho the development of bo1 is still a bit rubbish. Don't let us down again.
lil bro is asking for a lot from an unpaid staff team
Your constant dickriding isn't helping, either. So shut the fuck up and sit down, kiddo.
FIamezKiIIer you talk real tough for a bitch boy
-
Cigar I genuinely believe IP addresses won't matter, except for specific targets.
Email addresses though, will likely be sold for targeted marketing...Daltax Yeah idk why people are only talking about the ip addresses being leaked like, oh no somebody on the internet knows somebody who uses my wifi plays cod on it
-
Sad to hear with the databreach, and i can understand some of the arguments of the people here. However, people going crazy about IP-Adresses. If you are really scared that your IP could be leaked, then you should play Singleplayer. Every Dedicated Server has your IP-Info. If you really beeing that paranoid you shouldn't installed Plutonium.
Thank you for your transparency, a lil late, but better than never.
And no, the Plutonium Dev's not going to DDoS someone, or leaking IP's just by not liking someone. Jesus, what a wild year
-
Data breaches happen all the time... what do you think happens when google gets their data breached and millions of user's info gets sold as a result? I get why people are freaking out but at the same time, if somebody really wanted to come hunt you down, they would have done it by now.... Besides, I don't think some random stranger would want to hunt down some random person that plays video games in their freetime.
Not only to top this reply off... but do none of you realize that phone books are still a thing and every person's address is listed in the phone book as well as somebody's email and phone number? I'm not undermining the seriousness of the situation, I'm just simply stating that overworrying doesn't help anyone and giving shit to the staff of Plutonium isn't fair. Anybody can get hacked, that's just the risk you take when you use the internet.
fiftysdeath said in Notification of Plutonium Forum Databreach - September 2021:
Data breaches happen all the time... what do you think happens when google gets their data breached and millions of user's info gets sold as a result? I get why people are freaking out but at the same time, if somebody really wanted to come hunt you down, they would have done it by now.... Besides, I don't think some random stranger would want to hunt down some random person that plays video games in their freetime.
Not only to top this reply off... but do none of you realize that phone books are still a thing and every person's address is listed in the phone book as well as somebody's email and phone number? I'm not undermining the seriousness of the situation, I'm just simply stating that overworrying doesn't help anyone and giving shit to the staff of Plutonium isn't fair. Anybody can get hacked, that's just the risk you take when you use the internet.
"I don't think some random stranger would want to hunt down some random person that plays video games in their freetime."
Allways was happen in the Scene. Black Ops 2 Booting/DDoS attacks, MW3 Server DDoS Attacks, all the things happen in past years.
Phone books are a thing, but in my Country its totally free of decision, you don't need to be in the phone book, so the argument is a bit lacking in comparison on databreaches
-
FIamezKiIIer you talk real tough for a bitch boy
chasef7 said in Notification of Plutonium Forum Databreach - September 2021:
FIamezKiIIer you talk real tough for a bitch boy
Correct, kid. I don't fear anyone.
You think you can just come here and try to insult others by defending people who should own up to their mistakes.
Let me tell you something son. You think you're bigger than me and bigger than everyone here because they're all concerned over a security risk that happened last year.
-
chasef7 said in Notification of Plutonium Forum Databreach - September 2021:
FaZe Flick said in Notification of Plutonium Forum Databreach - September 2021:
@Mr-Android truly embarrassing that you guys didn't know this information. And wanna know the worst part besides this overall? We still have yet to get a fucking update for bo1 Pluto but I see that's gonna take longer now just cause of this situation that happened. Yall need to be more alert with personal information amongst yourself to keep your client application and your forums safe. Otherwise people would move to a different client if this gets robust and personally I wouldnt want to do that because I think that pluto itself is a but more funner than the steam versions of these games even tho the development of bo1 is still a bit rubbish. Don't let us down again.
lil bro is asking for a lot from an unpaid staff team
Your constant dickriding isn't helping, either. So shut the fuck up and sit down, kiddo.
FIamezKiIIer Back off. I can rant to them if I want to; I have the right to do so. I've been doing it a lot anyway cause of how things have been with their development.
-
FIamezKiIIer Back off. I can rant to them if I want to; I have the right to do so. I've been doing it a lot anyway cause of how things have been with their development.
FaZe Flick Even well known and paid companies like google have been data breached many times. Netflix is notorious for data breaches. Need to give plutonium a break, because this isn't new to anyone and plutonium isn't getting paid for anything.
-
Also, if you don't know how to tell if you have a dynamic IP...
Open up Command Prompt and type "ipconfig/all" and look under everything. If most areas that say "DHCP Enabled" say Yes, then it's dynamic. If they all say No, then your IP is static.Also, since no one wants to use plutonium, we can either find something else online, or go back to OG BLOPS2 servers! Right..? -_-
A Former User said in Notification of Plutonium Forum Databreach - September 2021:
DHCP
God, are people really this dumb? Private IP addresses wouldn't be affected by an external IP address breach; and, even if they were, so what? You can not do anything with a public IP address unless you port forward, which is required in service hosting, so it's publicly available anyways.
Everyone is crying about the IP address leaks. It's PUBLIC INFORMATION. Anything you connect to on the internet has and logs your IP address. So people are really worried about an IP more than an email? Jesus Christ, stop talking about things you aren't educated in people.Plus, why would you not sign up using an email different from your main email? Any free service should be used by a separate email, now you guys blame plutonium who is giving out free games and hosting services, a small team, like nothing could go wrong with security?! Stop crying about things that don't matter and educate yourselves for Gods sake.
-
oh well i guess its time for me to play bo2 on the 360 now
@Squidzo1d
IF YOU KNOW NOTHING ABOUT NETWORKING, COPE. PRIVATE IP ADDRESSES ARE BEHIND NAT. IP LEAKS ARE HARMLESS UNLESS YOU PORT FORWARD WHICH IS VERY OBVIOUS YOU DON'T KNOW HOW TO DO.
Yeah, lmao, Microsoft has never been the victim of data breaches. Not to mention the endless mod menus on Xbox that allow anyone to see your Microsoft ID and IP addresses! YOU PEOPLE ARE DUMB. -
Soliderror Plutonium isnβt going to learn when there are cheaters on their staff team and their anticheat is terrible.
KrKd AxiZ I think the anticheat works very well, if the anticheat didnt work then why is there no cheaters? I have never once ran into any cheaters on Pluto, the only time you MIGHT find a cheater is when a server admin is a dick and has a gsc mod menu loaded into the server that only THEY can access. Other then that, you would have to do things to cheat that the anticheat detects and will ban you for..
:::
Spoiler Text
:::
-
Hello community,
It is with deep regret that the Plutonium Staff Team need to give notice that in September 2021, data was stolen from our forum. This affected all 1.3 million registered users at the time at the date of the breach. We became aware of this breach on September 20th, 2022, after being alerted that the data is being sold on cybercrime forums.
The stolen data DOES NOT include:
- Passwords
- Server keys
- Hardware information used for Anti-Cheat ban evasion detection
- Information on any of the 2 million registered users who signed up after September 23rd, 2021
The stolen data does include:
- Usernames
- User IDs
- Email address history
- IP addresses used to access the forum
- Registration dates
- Last login dates
As such, no server keys or passwords have been reset.
Our investigation:
Upon being alerted, Plutonium Staff Administrators confirmed the legitimacy of the data in the breach and began investigating the root cause of the breach. This root cause is that a staff members' iCloud account was compromised, this iCloud account had an iPhone backup stored on it and the attacker restored this backup to a phone they controlled. This also restored the staff members' 2-Factor Authentication Secrets which allowed the attacker to generate authentic 2FA codes and thus allowed them to login to our forum as the compromised staff account.From here the attacker used our forum's API to scrape all registered users' profile data, and due to having access to a staff account, this data included IP address and Email Address history. Hence the stolen data includes more than the public facing profile information.
During the attack in 2021 the Plutonium Staff team did detect the exfiltration of the data, however we mistakenly believed this to be somebody scraping the public information from profiles as we did not realise a staff account was being used. We put mitigations in place to stop the scraping of this information and assumed we had fixed the issue. We did not report this scraping to the community due to our belief that the scraped information was public profile information, such as usernames, registration date and last login dates.
The staff member that was compromised did not report the issue to Plutonium Staff Administrators due to the attacker attempting to access their bank accounts and other sensitive accounts and as such the idea that they may have targeted the staff members' Plutonium account did not occur to them, however they did reset their passwords and re-generate their 2 Factor Authentication secrets.
Passwords and server keys were confirmed to not have been stolen. Server keys are stored in a different database and passwords are stored in a hashed fashion that even Plutonium Forum Administrators cannot access.
What happens next:
The only thing we can do is to notify you all as soon as possible and offer our most sincere apologies for this situation. We deeply regret that it has happened and hope our community can forgive us. Our entire Staff Team take responsibility for this lapse in what is usually a very robust Security Posture.We are unable to contact all affected users as we do not have the email abilities to send over 1 million emails, but by posting this message publicly we are hoping that the news will travel to most of them.
We will also be in touch with the appropriate authorities.
All our staff are required to have 2 Factor Authentication enabled on all Plutonium accounts, this has been in place since we started our forums in 2020, however we will now be doing periodic re-generation of 2FA secrets to avoid backed up Authenticator apps from being useful if they fall into the wrong hands.
Timeline of events:
September 2021: Data is stolen using a compromised staff account and compromised iCloud iPhone backup.
September 2021: Exfiltration of data is spotted by Plutonium Staff and is mistakenly identified as public data, protections to stop the scraping is put in place.
September 20th 2022: Plutonium Staff are notified of a potential breach.
September 21st 2022: Plutonium Staff confirm breach is legit and begin investigation.
September 22nd 2022: Investigation is completed, notification of breach is sent to the community.Context of Breach:
As of September 2022, Plutonium has 3 million registered users, this breach affects 1.3 million users who registered before September 24th, 2021. From our understanding there has been 1 year from when the data was originally stolen to when it started to be publicly sold online.Once again, we would like to apologize for this isolated incident.
@Mr-Android Sad to hear that. But no problem, I know plutonium would investigate and will catch that hacker. I trust&support plutonium and it's developers.
-
leobipbop that has been an option for a long time. Just have to add -lan to your launch options when launching from the bootstrapper, instead of the launcher, for both the client and server.
INSANEMODE I don't understand, could you be more specific?
-
INSANEMODE I don't understand, could you be more specific?
SkratchZ u could play on lan for awhile
-
SkratchZ u could play on lan for awhile
-
hindercanrun hahahah cool
Amine213 wash a amine ana thani amine
