Dear EMC Community,
It has come to our attention that one of our Staff Team member’s accounts was recently compromised. A banned player with malicious intentions utilized a Staff member’s account and accessed staff confidential information. Some of you may have already been aware of this, due to the player’s not-so-subtle temp and permabans of some players. After analysis and information gathered, we have determined the full extent of the breach and are sharing it with you, the community so that you are aware. Please note that this was a Moderator account and as such, certain details were not made accessible to them at all. Information such as player registration email, private chat, etc are only accessible to the Senior Staff and above and was not compromised. And even if it was a Senior Staff account, we made security improvements after the last incident to lock the admin panel down to an IP white-list to avoid future data deletion as had occurred.
We are initiating a Zero Tolerance policy with regards to this issue. Note that the inquiry into, or the sharing of, the private information as it was leaked, is grounds for an immediate and permanent in-game and site ban, as well as further legal action if deemed necessary.
The player that was involved has already been handled, but may be reaching out via Skype or other social media to share this information. Do not give them the recognition that they seek by continuing to share it or giving them credit by name.
Data that was accessed and downloaded includes the following:
Staff Google Drive:
- Contact Sheet
- Emails for all staff members
- Phone numbers for some staff members (Note: Harassment is a criminal offense and the police may be involved if this occurs)
- An Explanation and a REALLY Thorough Guide (The Staff Guide/Moderator Handbook)
- All Vote Appeal Polls
- Security Breach and Good Password Practices (Player had access for a little longer than we initially thought and saw the thread where we instructed staff to change their passwords)
- Multiple Stream Team Guide Threads
Staff Tool – Square:
- The Front page and Reports against tab in a static page – All Staff Members as well as some players. Players will be notified in a private conversation if their information was accessed.
- The Front page includes the most recent IP and Staff Notes for each player, time on the Empire, rupee balance, token balance, experience totals, and residences owned at the time of download.
- The Reports Against tab Includes all reports made against the account through the /report feature
- IP Ban List
- Derelict Protection Account List
- Watch List for the Moderator Account Accessed
- One page of recent Staff Events
- One page of recent Staff Notes
- One page of recent session logs (Players will be notified if their information was present on this page)
- The Square dashboard at the time of the access
Given when this player first started harassing us, we took the effort to get all staff to review their password policies, to choose stricter passwords, and to enable 2-factor authentication where they can. The issue was purely due to bad password policies (password re-used that was also used on another service that was compromised and their passwords published)
While 2-factor authentication would have helped some here, the proper course of action is to ensure staff has unique and complex passwords. We will explore 2-factor authentication on the entire forum login level, but given the complexity to add that, it might take some time. A good password is the best first step, and 2-factor is just a fail-safe.
If anyone has any further questions, please send a pm to pmss.emc.gs in order to discuss. One of our Senior Staff or Krysyy will respond.