Account security and compromised passwords

Hi,

By the looks of it, a new list of compromised passwords has surfaced somewhere, and people are trying to use them against accounts on Mycena Cave. So far, we’ve noticed a few successful logins to various accounts on Mycena Cave.

[redacted: the list of affected users]

If you use the same password on Mycena Cave as you do elsewhere, you are at risk.

I’ve locked the known-compromised accounts’ ability to trade or transfer for the time being, but if you have traded or transferred anything with these accounts within the last four hours or so, those trades / transfers will most likely be rolled back. Additionally, if you have participated in any cross-site trades with any of these accounts within that timeframe, please let me know so we can pass along the off-site receiving account identities to the respective site administrators.

As always, we recommend you practice good security hygiene to help keep your accounts protected. You can find some tips on how to do that in our Account Security Knowledgebase article and in our previous thread from a similar situation a few years ago.

Posted Feb 10, edited Feb 10
Oop… That’s very good to know. Thank you for being so quick on that, glitch!
Posted Feb 10
Uhh I feel like I picked a bad time to come back to the site. If there’s any need for confirmation that I am actually me, though, you can ask my spouse, Asher. xD
Posted Feb 10

Reiterating glitch’s edit for visibility:

To help mitigate the issue and result in less cleanup after the fact, we are temporarily disabling trades and transfers site-wide.

Trades and transfers have been reenabled!

Please let us know if you have any questions or concerns regarding this issue!

Posted Feb 10, edited Feb 10
Oh dang, thank you for the heads-up.  It’s a good reminder for a password change, so I changed mine out regardless, but I’m sorry there were folks impacted.  I hope you’re able to resolve everything smoothly. :(
Posted Feb 10
looks like it’s time to change mine again too
Posted Feb 10
Thank you for looking out for us. <3
Posted Feb 10
Update

To help mitigate these kinds of issues, we’ve implemented a “recognized browser” feature into trades, transfers, and account settings. When you go to one of those systems for the first time on a new device, it will ask you to verify a code sent to your email. Once you verify the code, you won’t need to verify it again on that device.

The idea here is that if someone does learn your password somehow and logs in as you, they won’t be able to trade, transfer, or change your account settings, unless they also have access to your email address.

From some minimal testing, I’ve noticed these emails like to get routed to spam (especially if you use Gmail). If you can’t find the confirmation email, please give it a few minutes and check your spam folder :)


With that out of the way, things should mostly be back to normal, and I can soon restore the ability to trade for all users except those named above. If you’re in the list above, I need to finish moving the illicitly traded items and pets back before I can re-enable you. Thank you for your patience!


Blanket trade-lock has been lifted — if you aren’t one of the accounts listed above, you can now trade again.

Posted Feb 10, edited Feb 10
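
The "recognized browser" check described in the update above, sketched as an added example (not part of the thread and not Mycena Cave's actual code). The class name, the `send_email` hook, the 10-minute expiry and the 5-guess cap are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600       # assumed: an emailed code is valid for 10 minutes
MAX_ATTEMPTS = 5     # assumed: guesses allowed per issued code

class RecognizedBrowsers:
    """Step-up gate for sensitive actions (trades, transfers, account settings)."""

    def __init__(self, send_email, now=time.time):
        self.send_email = send_email   # hypothetical mailer hook: callable(user, code)
        self.now = now
        self.pending = {}              # user -> [code digest, expires_at, attempts_left]
        self.trusted = {}              # user -> set of digests of recognized device tokens

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def is_recognized(self, user, device_token):
        # A valid password/session alone is not enough: the browser must also hold a token.
        return bool(device_token) and self._h(device_token) in self.trusted.get(user, set())

    def start_verification(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [self._h(code), self.now() + CODE_TTL, MAX_ATTEMPTS]
        self.send_email(user, code)

    def verify(self, user, code):
        """Return a new device token (to store as a long-lived cookie), or None."""
        entry = self.pending.get(user)
        if entry is None or self.now() > entry[1] or entry[2] <= 0:
            self.pending.pop(user, None)   # expired or guessed out: a new code is required
            return None
        entry[2] -= 1
        if not hmac.compare_digest(entry[0], self._h(code)):
            return None
        del self.pending[user]             # codes are single use
        token = secrets.token_urlsafe(32)
        self.trusted.setdefault(user, set()).add(self._h(token))
        return token

    def revoke_all(self, user):
        # Call on password change so every browser has to re-verify by email.
        self.trusted.pop(user, None)
```

The site would call `is_recognized` before any trade, transfer or settings change and fall back to `start_verification` when it returns false, so a reused password on its own cannot reach those actions.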
thank you glitch for being so prompt and communicative! i’m imagining this took up a lot of your day, it shows a lot of care how quickly this was fixed!
Posted Feb 10
Thanks for the update! To be safe I’ve changed my password.
Posted Feb 10
thanks for being on top of things glitch! [ok hand emoji]
Posted Feb 10, edited Feb 10
If I changed my password to a new, unique one within the past couple months, should I do so again? I always have trouble remembering new passwords, so I dislike changing too often, but will do so if I should.
Posted Feb 10

Final update — everything relevant has been rolled back, so I’m calling this incident closed :)


raus if the password you use on Mycena Cave is unique, you don’t use it anywhere else, and you haven’t told it to anybody else, then no need to change it :) What occurred today was not a result of someone gaining access to Mycena Cave passwords, but rather someone gaining access to several players’ passwords from elsewhere and finding that they worked on Mycena Cave too.

Posted Feb 10
glitch Awesome, thanks!
Posted Feb 10
At least now it wasn’t just me who got hit. But, ugh, why me?! Now I have to deal with password resets elsewhere Dx. Sorry. But thank you Glitch and staff for helping keep us safe!!
Posted Feb 10