At approximately 2:30PM GMT on Monday 6th March our Admin Control Panel was accessed by a user who had gained unauthorised access to an Admin account belonging to one of our members of staff. The unauthorised person logged in with the full username and password of this staff member which we currently believe has been obtained through another breach or security issue which is not related to ValveTime.net.
Once the unauthorised person gained access to the Admin CP, they attempted to lock out existing staff members, and delete content from the forum. After this, they started an automated process to send out emails to a number of our users.
Despite claims by the unauthorised person to the contrary, the user WAS NOT able to gain access to any passwords or create copies of our database. It is not possible to access the database directly from the Admin Control Panel or view user's passwords. All actions taken in the Admin Control Panel are logged and it is clear from reviewing these logs that the unauthorised person has not accessed any personal details, including email addresses and dates of birth.
Due to the low severity of this breach, we have decided that it is not necessary to reset any user passwords. However, if you would like to change your own password as a precaution, you may do so here: http://valvetime.net/account/security.
The following steps are being put in place to ensure the issue does not happen again in the future:
1) All staff passwords are being reset
2) All staff access is being reviewed and limited
3) The forum software is being updated and we are implementing 2FA (2 Factor Authentication) and making that mandatory for all staff members
4) The database is being rolled back to this morning's backup to reverse any content that may have been deleted
Due to the steps being taken above, the site will be down for a short period of time. Thank you for your understanding.
ValveTime.net Team
Once the unauthorised person gained access to the Admin CP, they attempted to lock out existing staff members, and delete content from the forum. After this, they started an automated process to send out emails to a number of our users.
Despite claims by the unauthorised person to the contrary, the user WAS NOT able to gain access to any passwords or create copies of our database. It is not possible to access the database directly from the Admin Control Panel or view user's passwords. All actions taken in the Admin Control Panel are logged and it is clear from reviewing these logs that the unauthorised person has not accessed any personal details, including email addresses and dates of birth.
Due to the low severity of this breach, we have decided that it is not necessary to reset any user passwords. However, if you would like to change your own password as a precaution, you may do so here: http://valvetime.net/account/security.
The following steps are being put in place to ensure the issue does not happen again in the future:
1) All staff passwords are being reset
2) All staff access is being reviewed and limited
3) The forum software is being updated and we are implementing 2FA (2 Factor Authentication) and making that mandatory for all staff members
4) The database is being rolled back to this morning's backup to reverse any content that may have been deleted
Due to the steps being taken above, the site will be down for a short period of time. Thank you for your understanding.
ValveTime.net Team
