Leak at Nexus Mods concerns a database dump from 2013
Nexus Mods administrator Dark0ne has revealed that, as suspected, a database dump of the website has been made, but that it is a dump from July 22, 2013, containing 4.2 million usernames, email addresses, and hashed and salted passwords.
Dark0ne writes on the Nexus Mods news page that he considers it relatively likely that the hacker no longer has access to the site’s database. His reasoning is that the hacker would otherwise have published a much more recent version of the database. He adds that security has improved significantly since then. Anyone who created a Nexus Mods account on or before July 22, 2013, and is therefore among the first 4.2 million users, would do well to change their password if they have not already done so.
While a forced reset of all passwords at Nexus Mods is a possibility, Dark0ne is hesitant to do so. According to him, many users of the site no longer have access to the email address in their profile; a complete password reset would then cost them their account.
To tighten security, the administrator promises to no longer handle account security through the forum, but through the site itself. This makes it possible to further strengthen the encryption of the data on the server. Two-step authentication is also being worked on. In addition, he wants to implement a more extensive logging system to make users' actions more transparent and thus make suspicious activity easier to detect. Finally, full-page notifications will soon be introduced on the website so that users can be notified of these kinds of situations more easily. Soon the site will show a test notification that will immediately be accompanied by the advice to everyone to change their password. “The idea is that, in the worst case scenario, we can saddle a hacker with a load of data that is a nightmare to crack.”
The suspicious .dll files he talked about on December 7 had indeed been uploaded to the site by the hacker. It turned out that the three mod makers whose mods included the file were using very weak passwords that “can be retrieved by a cracker in seconds,” despite the passwords being stored hashed and salted in the database. The mods in question are ‘BetterBuild’, ‘Rename Dogmeat’ and ‘Higher Settlement Budget’. Users of these mods would do well to check whether the suspicious file, dsound.dll, is on their computers. The Hewlett-Packard Enterprise Security Research Team has assisted Dark0ne in getting to grips with the situation and is now in possession of the suspicious file.
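One way to carry out the dsound.dll check described above, as an added example that is not from Nexus Mods or Dark0ne: it lists every copy of the file under the folders you give it and records its size and SHA-256 so a finding can be reported or compared later. It assumes that Windows keeps its own legitimate dsound.dll under System32, SysWOW64 and WinSxS, so only copies elsewhere (for instance in a game or mod folder) are marked for review; the article publishes no hash or install path for the suspicious file.

```python
import hashlib
import os
import sys
from pathlib import Path

TARGET_NAME = "dsound.dll"  # file name given in the article


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_copies(roots, system_dirs=()):
    """Return one record per dsound.dll under roots (name matched case-insensitively).

    system_dirs are folders where a copy is expected (assumption: the Windows
    system directories); copies anywhere else get in_system_dir=False.
    """
    expected = [Path(d).resolve() for d in system_dirs]
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != TARGET_NAME:
                    continue
                path = Path(dirpath, name).resolve()
                in_system = any(d == path.parent or d in path.parents for d in expected)
                try:
                    size, digest = path.stat().st_size, sha256_of(path)
                except OSError:  # unreadable file: still report where it is
                    size, digest = None, None
                findings.append({"path": str(path), "in_system_dir": in_system,
                                 "size": size, "sha256": digest})
    return findings


if __name__ == "__main__":
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    expected_dirs = [os.path.join(windir, d) for d in ("System32", "SysWOW64", "WinSxS")]
    for hit in find_copies(sys.argv[1:] or ["."], expected_dirs):
        label = "expected location" if hit["in_system_dir"] else "REVIEW"
        print(f'{label}\t{hit["path"]}\t{hit["size"]}\t{hit["sha256"]}')
```

Run it with the game and mod folders as arguments; a line marked REVIEW is a copy outside the Windows directories that deserves a closer look, not proof of infection.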
Nexus Mods is a website that hosts a large number of mods for games like The Elder Scrolls V: Skyrim and the Fallout games. In addition, the team has developed the Nexus Mod Manager, which makes installing mods significantly more accessible and simple. The site recently reached the milestone of ten million users.