The owners of the Nexus Mods site have posted an update following yesterday’s news that accounts on the popular site for Fallout 4, Skyrim and other mods had been compromised.
In the post, one of the site’s owners has proclaimed a great deal of confidence in the site’s security after obtaining access to the database dump that was posted online.
Part of the concern behind yesterday’s blog post was the lack of clarity surrounding the information that was made available. But after gaining access to the database dump that was posted online, site owner Robin Scott said that the information leaked was “old” and the most recent account exposed in the breach had registered on July 22, 2013.
“If you’re one of the 4.2 million users who registered on Nexus Mods after this date, your details are not included in this database dump and are therefore considered ‘safe’,” Scott wrote. “Second, the database dump isn’t a complete database rip. The dump contains user IDs, usernames, email addresses, hashes and salts, and that’s it. It does not contain cracked passwords i.e. anyone with access to the dump would need to attempt to crack the hashes and salts themselves in order to get any sort of use out of them on the site.”
HPE Security Research have been assisting Nexus Mods following the breach, and Scott says that anyone who registered an account prior to July 22, 2013, but updated their password should be fine as the hackers would “not have your new hashes/salts/password information”. There have also not been any suspicions of malware or other infected files within the Nexus Mods database.
Two-factor authentication is still a major priority for the site’s developers as a result of the breach, although Scott said that Nexus Mods would also be working to merge more of the site’s functions “away from our off-the-shelf Invision Board forums and into our own custom coded system”.
In the immediate term, the site has begun “logging the IP addresses you log in with and use when performing major actions” so admins can better analyse and track suspicious actions. “If someone who previously used a static IP address for years starts making wild changes to all their files using IP addresses traced back to TOR, it’s safe to say we’re going to find that suspicious and will react accordingly.”