60,000 passwords have been reset on July 8, 2019. If you cannot login, read this.

The 2016 Hack

Discussion in 'Latest Updates and News' started by Ralle, Jul 8, 2019.

  1. Ralle

    Owner

    Hey all,

    Today I was contacted by a good samaritan on Discord who had found that a list of usernames and passwords for The Hive Workshop had been leaked from the hack back in 2016. I did not reset people's passwords back then, so I have done it now.

    If you cannot login:
    Use the 'Forgot your password?' feature.

    If you don't have access to the email account or don't get an email:
    Use this 'Contact Us' link.

    Do not create a new account.

    I have deleted the passwords for around 60,000 accounts on the site because they were leaked. I am sorry if this is an inconvenience to you.

    If you used your password and email from 2016 on any other site, I highly recommend you change it. Go to this site to get a quick overview of the status of whether any of your emails or passwords are in the hands of someone else.

    I also recommend using LastPass for storing randomized passwords for each site instead of re-using the same old ones.
     
    Last edited: Jul 11, 2019
  2. YetAnotherYoutuber

    Video Producer

    a password reset, hmm, so upon trying to log-in next time, the affected will be prompted to select a new password?
    or is there something more elaborate that the affected will have to do
     
  3. Ralle

    Owner

    All users with old passwords will be instantly logged out and have to do password recovery, the 'I forgot my password' feature.
     
  4. Mister_Haudrauf

    Well I checked... I am apparently safe. Was not found in any way.
     
  5. Ralle

    Owner

    Try for fun searching for my old Gmail "ralleab at gmail .com" on haveibeenpwned and see what happens when you register on forums for 15 years.

    Progress:
    Code (Text):
    Processing (48346/61968) - 0 failed, 853 already changed
     
  6. LeP

    Yeah, I can't log in and I can't access the old email address.

    e: smooth operated.
     
    Last edited: Jul 8, 2019
  7. Ralle

    Owner

    You didn't read the thread. It said to use Contact Us, not create a new account, that's kinda against the rules man.
     
  8. Darklycan51

    hope the passwords aren't stored in plain text anymore :p at least bcrypt
     
  9. Mister_Haudrauf

    The Passwords should be encrypted so much, that the Hacker would need an entire day just to decrypt one password. It would be a Nightmare for him/her. That's for sure.
     
  10. The_Silent

    Got pwned apparently. First time I had to change password since joining, so was probably about time, haha.

    Either way,
    should probably send a notification to all affected parties just in case. If that is plausible. I was expecting a 'reset' mail, not that I had to generate it myself :p

    They could just 'pass-the-hash' it. The encryption is primarily to ensure that they wouldn't be able to use it on all other sites you use the same password on.
     
  11. Kyrbi0

    Woah dang
     
  12. map designer

    is my username on the list? :p
     
  13. Dr Super Good

    Spell Reviewer

    One cannot just move emails like that and should not need to. As long as you have unique passwords it should be fine.

    That site is also useless since it just mentions generic compromises. If it showed what passwords were associated with your email then you would know which sites to reset. For example my email had 3 matches from 2017 and 2018 but those could be either my THW password, my UPlay password or even my email password as all those were compromised by hacks (server hacks, not my fault) at some stage and forced to be changed.

    Password managers are just another way to mess you over. I know someone who used Apple's in built password manager and had to move computers due to a soldered GPU failure. I swapped the drives between the computers, both identical models and specs, and although the OS loaded perfectly all passwords were discarded and the password manager forgot everything. All passwords had to be recovered or retrieved from other less secure sources which fortunately existed.
     
  14. RED BARON

    Ah, figured there was a reason why my pass suddenly didn't work, got somewhat worried for a second. :grin:

    Comparing it with my own mail and it shows up with the exact same numbers :grin:

    Depends on the password managers, I personally would recommend something like KeePass. It's open source, works well and the highly encrypted datafile can be saved to external storage or backup location and isn't bound to a computer.
     
  15. Chaosy

    Been considering using LastPass for a while anyway as I have been running out of variations of my usual password.
    Better late than never I suppose.
     
  16. Ralle

    Owner

    I agree. But most of these accounts haven’t changed passwords since 2016 where we were running a version of forum software practically 10 years out of date. And you can’t re-hash passwords if a user hasn’t logged in. You need the plain text password to store it in a harder hashing mechanism.
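
An added example (not part of Ralle's post and not the forum's own code) of the upgrade-on-login pattern described above, and of why an account whose password predates the breach still needs the forced reset even if its stored hash was upgraded. Assumptions: salted MD5 stands in for the unnamed legacy scheme, PBKDF2 for the stronger one, and the user records, field names and breach cut-off date are constructed.

```python
import hashlib, hmac, os
from datetime import datetime

BREACH = datetime(2016, 12, 31)  # constructed cut-off; the thread only says "2016"

def legacy_hash(pw, salt):
    # Assumed legacy scheme (salted MD5); the thread does not name the old one.
    return "md5$" + hashlib.md5((salt + pw).encode()).hexdigest()

def strong_hash(pw, salt):
    # PBKDF2 stands in for a slow hash such as bcrypt (stdlib only).
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt.encode(), 200_000)
    return "pbkdf2$" + dk.hex()

def login(user, pw):
    """Verify pw; upgrade a legacy hash while the plaintext is in hand."""
    stored = user["hash"]
    if not stored:                      # blanked by force_reset: recovery only
        return False
    legacy = stored.startswith("md5$")
    calc = legacy_hash if legacy else strong_hash
    if not hmac.compare_digest(calc(pw, user["salt"]), stored):
        return False
    if legacy:                          # only possible at login time
        user["salt"] = os.urandom(16).hex()
        user["hash"] = strong_hash(pw, user["salt"])
    return True

def force_reset(users, leaked):
    """Blank leaked credentials unless the password changed after the breach."""
    stats = {"reset": 0, "already_changed": 0}
    for name in leaked:
        u = users[name]
        if u["changed"] > BREACH:
            stats["already_changed"] += 1
            continue
        u["hash"], u["sessions"] = None, []   # logged out, must use recovery
        stats["reset"] += 1
    return stats

def make_user(pw, changed):             # constructed sample record
    return {"salt": "s", "hash": legacy_hash(pw, "s"),
            "changed": changed, "sessions": ["sid"]}

def demo():
    users = {"dormant": make_user("pw1", datetime(2012, 1, 1)),
             "active": make_user("pw2", datetime(2014, 1, 1)),
             "rotated": make_user("pw3", datetime(2018, 1, 1))}
    login(users["active"], "pw2")       # upgraded hash, same leaked password
    schemes = {n: u["hash"].split("$")[0] for n, u in users.items()}
    return users, schemes, force_reset(users, list(users))
```

In `demo()` the dormant account is still on the legacy hash because nobody supplied its plaintext, and the active account is reset anyway because the 2016 dump still holds the old hash of its unchanged password.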
     
  17. Misha

    I.. seem to be okay? still logged in Ouo
     
  18. WhiteFang

    Still logged in, that means my weird profile pictures in 2016 terrified the hackers too much
     
    Last edited: Jul 9, 2019
  19. A Void

    I can still login *phew*
     
  20. Ralle

    Owner

    I'm helping people who can't. Typically if they were logged in yesterday, I can do an IP match with the Contact Us form mail and confirm identity.