
annoying furry

[Announcement] Security Incident 2/10/24 - 2/11/24


Hello,

 

Last night I was made aware of an issue in which a large number of people had been banned by an individual who had obtained the GFLBans tokens for Hide and Seek and Rotation. We determined that a staff member's Pterodactyl account was compromised by the individual due to reused passwords, which they used to obtain the GFLBans tokens and vandalize the servers they had access to. We responded by deactivating the tokens and revoking the compromised staff member's panel account. As some servers were rendered inoperable, we are currently working on restoring backups and will have them up as soon as possible.

 

With the access the individual had, it is possible they would've been able to access the following potentially sensitive items:

  • User Steam account IDs and associated IP addresses of users who had connected to the affected servers.
  • In-game chat logs.
  • Source code for plugins on the affected game servers.

 

That said, based on the logs our system collects to monitor staff member activity on the panel, we have no evidence that the user attempted to access any of this information except for plugin source code. The activity logs suggest that the log files containing PII were deleted without being read by the individual during their wider effort to vandalize system resources. As such, we do not expect that any PII has actually been exposed but we publish this notice out of an abundance of caution.

 

We don't believe it is necessary for users to take any action at this time, but as always we caution against reusing passwords and recommend that everybody, players and staff members alike, utilize a password manager to aid in maintaining secure and unique passwords for all of the websites you use.

 



(signature made by @Kaylode)

Previously known as Xy.

 



8 minutes ago, Liloz01 said:

gfl sponsored by lastpass (you probably shouldn't use lastpass)

 

don't use lastpass




17 minutes ago, nathan22211 said:

I'd advise using Bitwarden and a 2FA app like google auth where possible. Bitwarden does have a 2FA option but you need to pay for it unless you self host it

 

if you want something simpler, you can use something like KeePassXC since it's a purely offline program (which could be a benefit or drawback depending on how you want to use it)


On 2/11/2024 at 5:20 PM, nathan22211 said:

I'd advise using Bitwarden and a 2FA app like google auth where possible. Bitwarden does have a 2FA option but you need to pay for it unless you self host it

 

Bitwarden is my personal favorite 👍. We do require MFA, but unfortunately there is a way around that I am aware of currently in certain instances.

 

On 2/11/2024 at 5:45 PM, The1337Gh0st said:

 

if you want something simpler, you can use something like KeePassXC since it's a purely offline program (which could be a benefit or drawback depending on how you want to use it)

I used to use this and it's still pretty good since you do not need to rely on a third party's security practices to guard your data, but I would make sure you have a good backup solution in place to guard against a corrupted database or your system dying. I find that KeePassXC is good when paired with something like Syncthing as you can keep the database file synced up on multiple devices, including on Android.

