To Our Player-Base

We want to inform you about a recent security breach that has affected our community. An attacker compromised a staff member’s account using a password that the staff member had reused and that had been exposed in a breach of a third-party company. With this stolen password, they gained unauthorized access to an in-game moderation panel. That access could be used to obtain users’ encrypted passwords (not the actual raw text passwords). While these details were not directly visible in the moderation panel, the attacker could have intercepted them by capturing packet data.

What Can Be Done with an Encrypted Password?
We want to reassure you that your actual passwords were not leaked. Additionally, the risk of these encrypted passwords being decrypted is extremely low. However, as a precaution, we are requiring all users to reset their passwords to ensure maximum security.

Encrypted passwords in our system are stored as “hashes,” which are created by passing your original password through a mathematical algorithm to generate a unique, irreversible string. This ensures that even if the hash is exposed, it cannot easily be reversed into your original password.

Our platform uses bcrypt, a highly secure password-hashing algorithm specifically designed to slow down cracking attempts. While bcrypt is one of the most reliable tools available, no system is entirely impervious to attack. With enough computational power, attackers could potentially crack weak or commonly used passwords.

To safeguard your account, we strongly recommend creating strong, unique passwords for every account you use. This simple step significantly increases your security, even in the event of an unlikely breach.

How a Password Manager Can Help

To simplify managing strong, unique passwords, we recommend using a password manager. These tools generate, store, and autofill complex passwords so you don’t have to remember them all.

Benefits of Password Managers:

  • Strong Passwords: Generate random, hard-to-crack passwords effortlessly.
  • Convenience: Store all your passwords securely in one place, accessible with a single master password.
  • Time-Saving: Autofill your login details instantly.

Popular password managers include Bitwarden, LastPass, Dashlane, and 1Password. Pairing a password manager with MFA adds a robust layer of security to your accounts.

What We’ve Done to Address the Issue

  • Password Resets: We are implementing a platform-wide password reset to ensure all accounts are protected. You will be required to create a new password upon your next login.
  • Improved Staff Security Practices: Moving forward, we will ensure our staff team adheres to better security practices, such as not reusing passwords and enabling Multi-Factor Authentication (MFA) on all accounts they manage.
  • Multi-Factor Authentication Coming to All Users Soon: We will soon be rolling out Multi-Factor Authentication (MFA) as an optional feature for all users. This additional security layer will enhance account protection and provide peace of mind.

We take full responsibility for this breach and recognize the need to do better. Your trust is invaluable to us, and we are committed to making significant improvements to ensure incidents like this do not happen again.

Taking Accountability

We sincerely apologize for this breach and the inconvenience it may have caused. Protecting your data has always been and remains our top priority. This incident has highlighted areas where we must improve, and we are fully committed to taking the necessary steps to safeguard your information.

If you notice any suspicious activity on your account or need assistance, please contact us via our ticketing system.

Thank you for your understanding and patience as we work to strengthen our security.

Sincerely,
The Club Penguin Journey Staff Team