First of all, I understand that multiple posts were already made on this subject; however, I wanted to do my best to include all of the relevant information related to this disaster in one post. Most of what I’ve had to rely on while gathering this information was private Discord servers, private messages, rumors, and the brief posts on the matter.
A few days ago, someone manipulated DSRPG by uploading code into the image upload section, which gave the attackers control over the game. A ton of chaos followed, and then order seemed to be restored not long after. It didn’t take long before users began to realize that the attackers had access to the entire database.
Meaning passwords as well…
But surely they’re encrypted?
The administration of Dragon Swords has assured us that passwords are indeed encrypted and that there is nothing to worry about. However, the original code writer (draven714 on Reddit) informed us that they are hashed via MD5. Any developer worth his salt would tell you MD5 is no longer considered secure and might as well be plain text.
Here’s a quote directly from draven714:
md5, no salt. So, please, change your passwords everywhere if you used the same password in DS on other sites!
To further reinforce this, I have a quote from Vysn, the owner of Avabur:
I cannot confirm, but there are rumors that DSRPG’s (it’s a different PBBG - if you don’t know what it is or never played it, you have nothing to worry about) database was compromised. If you made an account there and used the same password as you use here, consider changing your password here :shrug:
While he does say he cannot confirm, the fact that a game owner thinks the issue is dire enough to warrant a notice should be enough, but all of this was before what happened next…
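Why "md5, no salt" matters, and what moving off it looks like, as an added example that is not DSRPG's code: identical passwords produce identical unsalted MD5 values, while a salted PBKDF2 record differs per user, and legacy rows can be upgraded at the next successful login. The function names, the record format, the iteration count and the sample accounts are assumptions constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def md5_unsalted(password: str) -> str:
    """Legacy scheme as described in the post: MD5 with no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow replacement; a fresh random salt per record."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a login against either format; return (ok, record to store)."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, _ = stored.split("$")
        candidate = pbkdf2_record(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, stored), stored
    # Legacy row: accept the MD5 match once, then replace it with a salted record.
    if hmac.compare_digest(md5_unsalted(password), stored):
        return True, pbkdf2_record(password)
    return False, stored


def shared_digests(table: dict[str, str]) -> dict[str, list[str]]:
    """Group users by stored value; a group of two or more means a shared password."""
    groups: dict[str, list[str]] = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


# Constructed sample rows (not breach data): alice and bob chose the same password.
legacy = {u: md5_unsalted(p) for u, p in
          [("alice", "dragon123"), ("bob", "dragon123"), ("carol", "S!lverWyrm77")]}

if __name__ == "__main__":
    print("same unsalted MD5:", shared_digests(legacy))
    ok, upgraded = verify_and_upgrade("dragon123", legacy["alice"])
    print("login ok:", ok, "| new record:", upgraded[:40] + "...")
```

Rows whose owners never log in again stay as MD5 under this scheme, so those accounts still need a forced password reset.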
What Happened Next?
Not a day after all of the chaos, I was informed via reliable members of the community that DSRPG accounts are being taken over by the same person / people that were responsible for the earlier issues with DSRPG. Reputable guild owner euphone (pickupeuphone on Reddit) has claimed that his account was logged into and used to delete his guild. Additionally, a few users here and there have also claimed to not be able to log in anymore due to their passwords being changed without their knowledge.
Here’s a quote directly from euphone:
I can personally confirm that my account was stolen while I was asleep, the culprit was impersonating me on main chat, deleted the guild I had leadership of, and that I can no longer log in.
At this point, I am just waiting for HM to process the refund. Others that bought in have said that they have already received theirs over the last couple of days, so at least he is getting around to doing the right thing in that regard.
But Wait! There’s More!
So a few hours after I released this post there was yet another development, and following with my original idea of putting all of the information in one place I’m going to edit it in.
PotentiallyVital, a vital part of DSRPG’s development team, has left due to what we can assume is all of the chaos. From what we know, he was DSRPG’s primary developer and was going to be responsible for the upcoming rewrite. Dragon Swords’ future is beginning to look even more bleak.
So What Now?
Personally I would urge all users to ensure that they change their password anywhere that they used the same (or similar) password as they did on dsrpg. And if you want to keep your account on DS then change that one to a different password, unless you want a hacker to impersonate you in main chat.
Also, to anyone that donated money to Dragon Swords: I’ve heard secondhand that they will accept charge-backs instantly, though I don’t know how reliable that information is and won’t condone doing it.
Alright, that’s it for this post. I’m going to continue to write up more, so if you enjoyed it then be sure to read the next one! If you disliked it then please tell me why down in the comments, and I’ll consider your opinion.
Note that I’m not gaining anything from this post, so be sure to share it with your friends if you would like to reward me somehow.
This post was also released on Reddit.