Hello everyone, Quinn here.
We will NOT request any passwords, emails addresses, or other personal information via PM. If any information is requested via PM, please report it and do not respond. With that out of the way, on to the meat of the post:
Hacking Round 1
Sometime yesterday, some of the arcengames.com accounts of Chris Park (company founder/owner) were compromised. The person who compromised the accounts attempted to get sensitive data from Keith and myself. However, database searches do do not show record of him (or her) trying to get data from anyone else.
It was quite clever social engineering, but fortunately there were enough red flags that Keith and I were each able to pick up on the phishing attempt, and contacted Chris via external means to check if it was really him. Once we had confirmation it was not, we locked down the accounts. Chris was able to reset his passwords, we did a variety of security sweeps, and (after a few issues), Chris has full control of his accounts again.
Nothing seems to have been damaged in this — it was mainly a prelude to a second goal.
Hacking Round 2
Mid-morning today, Chris’ Steam account was abruptly compromised. It’s safe to say that this was the same individual as the first attempt, because it fits with the goals they originally had, and they again leaned heavily on particular infiltration tactics.
Today’s attack was much more concerning for a variety of reasons, including what they targeted and how they did it. We’re omitting that second part for hopefully obvious reasons. Valve worked with us to piece together what happened, and there’s pretty good odds that exact approach won’t work again.
As part of gaining access to his Steam account, the attacker triggered an instant notification to Chris, which led to a quick shutdown of his Steam account. After thorough review, we believe the attacker didn’t actually do anything once logged on as Chris. Build data and similar have detailed logs that show no activity, and the cosmetic areas that are not logged as stringently seem untouched.
We don’t know if the attacker made any posts on Steam as Chris, or if he sent any chat messages. If you did get a message, post, or anything else from Chris’ Steam account today, please do not hesitate to contact us to verify the identity of who sent it.
Mostly this was a case of very clever social engineering. There was a second prong that involved actual hacking, which enabled that to be particularly convincing. Chris does of course use 2 Factor Authentication, but that was circumvented via a particular obscure method. Fortunately, the fact that multiple accounts have 2FA on them enabled us to catch and correct it particularly quickly. The vagueness here is to not encourage copycats; it was not a case of password reuse between Arcen and Steam or something embarrassing like that.
At any rate, the initial method through which we believe the attacker got the password for Chris’s arcengames.com services was by exploiting a weakness in Mantis, which has now been patched to prevent further exploits.
We have not gotten reports of any other arcengames.com accounts being compromised. However, if any staff member sends you a PM and it seems out of place, please report it and do not answer it.
When in doubt, please send Arcen Games (arcengames AT gmail DOT com), the staff member who sent the PM, Chris Park (chrispark7 AT gmail DOT com), and myself (quinnbeltramo AT yahoo DOT com) an email regarding the matter. The reason behind sending everyone an email about it is to reduce the likelihood that the person will get away with the attempt. We can get in touch with each other by phone for any suspicious requests, as we did here.
We’ve spent most of the rest of the day combing through our databases and services, and Chris has spent that time scanning and examining his computers. We’ve found no other evidence of anything unusual.
We would like to remind everyone to stay safe on the Internet, and use different, strong passwords for each site you visit. That will reduce the damage that can occur should an account be compromised — although in cases such as this, that’s more of a helpful measure than an absolute barrier.
I was able to verify that there was no unauthorized access to the web server or the database, so any information that was contained there is still secure. Passwords on our site are hashed and salted, and are not stored in plain text for obvious security reasons. We do not keep any credit card, paypal, address, or other such information on our own servers.
Everything is fine, but if Chris or someone else from the staff said anything strange to you today or yesterday, please report it to us. We had a very clever individual spending a lot of time trying to gain access to our steam partner site for some reason, so we’ve circled the wagons quite a bit. The biggest negative result of this has been lost productivity today, near as we can tell.