The 2016 Hack

Ralle

Owner
Level 68
Joined
Oct 6, 2004
Messages
9,543
Hey all,

Today I was contacted by a good samaritan on Discord who had found that a list of usernames and passwords for The Hive Workshop had been leaked from the hack back in 2016. I did not reset people's passwords back then, so I have done it now.

If you cannot log in:
Use the 'Forgot your password?' feature.

If you don't have access to the email account or don't get an email:
Use this 'Contact Us' link.

Do not create a new account.

I have deleted the passwords for around 60,000 accounts on the site because they were leaked. I am sorry if this is an inconvenience to you.

If you used your password and email from 2016 on any other site, I highly recommend you change it. Go to this site to get a quick overview of the status of whether any of your emails or passwords are in the hands of someone else.

I also recommend using LastPass for storing randomized passwords for each site instead of re-using the same old ones.
 

LeP

Level 10
Joined
Feb 13, 2008
Messages
496
Yeah, I can't log in and I can't access the old email address.

e: smooth operated.
 
Got pwned apparently. First time I had to change password since joining, so was probably about time, haha.

Either way,
should probably send a notification to all affected parties just in case. If that is plausible. I was expecting a 'reset' mail, not that I had to generate it myself :p

The Passwords should be encrypted so much, that the Hacker would need an entire day just to decrypt one password. It would be a Nightmare for him/her. That's for sure.

They could just 'pass-the-hash' it. The encryption is primarily to ensure that they wouldn't be able to use it on all other sites you use the same password on.
 

Dr Super Good

Spell Reviewer
Level 58
Joined
Jan 18, 2005
Messages
26,537
If you used your password and email from 2016 on any other site, I highly recommend you change it. Go to this site to get a quick overview of the status of whether any of your emails or passwords are in the hands of someone else.

I also recommend using LastPass for storing randomized passwords for each site instead of re-using the same old ones.
One cannot just move emails like that and should not need to. As long as you have unique passwords it should be fine.

That site is also useless since it just mentions generic compromises. If it showed what passwords were associated with your email then you would know which sites to reset. For example my email had 3 matches from 2017 and 2018 but those could be either my THW password, my UPlay password or even my email password as all those were compromised by hacks (server hacks, not my fault) at some stage and forced to be changed.

Password managers are just another way to mess you over. I know someone who used Apple's in built password manager and had to move computers due to a soldered GPU failure. I swapped the drives between the computers, both identical models and specs, and although the OS loaded perfectly all passwords were discarded and the password manager forgot everything. All passwords had to be recovered or retrieved from other less secure sources which fortunately existed.
 
Level 35
Joined
Oct 9, 2006
Messages
6,374
Ah, figured there was a reason why my pass suddenly didn't work, got somewhat worried for a second. :grin:

Try for fun searching for my old Gmail "ralleab at gmail .com" on haveibeenpwned and see what happens when you register on forums for 15 years.
Comparing it with my own mail and it shows up with the exact same numbers :grin:

Password managers are just another way to mess you over. I know someone who used Apple's in built password manager and had to move computers due to a soldered GPU failure. I swapped the drives between the computers, both identical models and specs, and although the OS loaded perfectly all passwords were discarded and the password manager forgot everything. All passwords had to be recovered or retrieved from other less secure sources which fortunately existed.

Depends on the password manager, I personally would recommend something like KeePass. It's open source, works well and the highly encrypted datafile can be saved to external storage or a backup location and isn't bound to a computer.
 

Ralle

The Passwords should be encrypted so much, that the Hacker would need an entire day just to decrypt one password. It would be a Nightmare for him/her. That's for sure.
I agree. But most of these accounts haven’t changed passwords since 2016 where we were running a version of forum software practically 10 years out of date. And you can’t re-hash passwords if a user hasn’t logged in. You need the plain text password to store it in a harder hashing mechanism.
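
The constraint described in the post above, as an added example that is not part of the thread or the forum's own code: a stored hash can only be upgraded at the moment a user logs in and the plaintext is in hand, so accounts that never log in stay on the old scheme until they are force-reset. The legacy scheme (one round of salted MD5), the PBKDF2 replacement and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # work factor for the replacement scheme

def legacy_hash(password: str, salt: bytes) -> str:
    # Assumed legacy format for illustration: md5$<salt hex>$<digest>
    return "md5$" + salt.hex() + "$" + hashlib.md5(salt + password.encode()).hexdigest()

def strong_hash(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    scheme, *parts = stored.split("$")
    if scheme == "md5":
        salt_hex, digest = parts
        candidate = hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    elif scheme == "pbkdf2":
        iterations, salt_hex, digest = parts
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        ).hex()
    else:
        return False  # unknown scheme or a force-reset marker: nothing matches
    return hmac.compare_digest(candidate, digest)

def login(db: dict, user: str, password: str) -> bool:
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        # The plaintext exists only during this request, so upgrade now.
        db[user] = strong_hash(password)
    return True

def force_reset_dormant(db: dict) -> list:
    # Accounts still on the legacy scheme never logged in after the upgrade;
    # their hashes cannot be strengthened, only invalidated.
    affected = [user for user, stored in db.items() if stored.startswith("md5$")]
    for user in affected:
        db[user] = "reset$"
    return affected
```

After `force_reset_dormant`, the affected accounts can only regain access through the password-recovery flow, which is the situation the opening post describes.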
 

Dr Super Good

I had my password reset but the password I was using was much older than 2016. I probably set it around 2008 odd or even before. Never really bothered to update it since I cannot imagine THW passwords having any real value or use to them as it is a gaming site with as good as 0 interlinking. Of course all my other accounts use completely different passwords, especially ones with monetary value attached to them.
 

Deleted member 219079

I also recommend using LastPass for storing randomized passwords for each site instead of re-using the same old ones.
LastPass seems to be a browser extension. Seems inconvenient compared to KeePass. KeePass supports multiple databases, so you can have an additional one to share for reading, which is a 'premium' feature for LastPass. KeePass also supports auto-fill (highlight entry > Ctrl+V), another 'premium' feature for LastPass ('LastPass for Applications'). Also a 'premium' feature is '1GB encrypted file storage', have they not heard of Dropbox, OneDrive, Google Drive, etc.
 

Ralle

LastPass seems to be a browser extension. Seems inconvenient compared to KeePass. KeePass supports multiple databases, so you can have an additional one to share for reading, which is a 'premium' feature for LastPass. KeePass also supports auto-fill (highlight entry > Ctrl+V), another 'premium' feature for LastPass ('LastPass for Applications'). Also a 'premium' feature is '1GB encrypted file storage', have they not heard of Dropbox, OneDrive, Google Drive, etc.
I haven't looked into it but how do you sync your KeePass to your phone then? I have LastPass wherever I go and can even sign in on random computers by going to lastpass.com.
 

Deleted member 219079

I haven't looked into it but how do you sync your KeePass to your phone then? I have LastPass wherever I go and can even sign in on random computers by going to lastpass.com.
I have my .kdbx file in my Dropbox and use KeePass2Android to access it on my phone. For web, I've used KeeWeb to access the file in my Dropbox.
 

Retera

Tool Reviewer
Level 36
Joined
Apr 19, 2008
Messages
1,280
Good thing that after redwing.asingaurd got banned, he took out his vengeance on me by taking the Retera account password and email and changing them to something new for himself. This milestone meant that my password and email on this site both changed last year. Otherwise, I might still be using an old one from 2008
 
Level 35
Joined
Oct 9, 2006
Messages
6,374
Good thing that after redwing.asingaurd got banned, he took out his vengeance on me by taking the Retera account password and email and changing them to something new for himself. This milestone meant that my password and email on this site both changed last year. Otherwise, I might still be using an old one from 2008

Hehe, mine was from 2006 - actually thought I had changed it since, but well this made me notice I hadn't. Quite fun to discover one place where I didn't have like a 25+ digit pass.
 