On Saturday, March 23rd, 2019, multiple files were unfortunately released containing information on almost every Everybody Edits account created between July 9th, 2010 and January 5th, 2019. We wish to address this leak, explain who is and is not affected, and describe what has been done to avoid such incidents in future.
There are 4 types of Everybody Edits accounts:
- Main Site Accounts (SimpleIDs)
- Facebook Accounts
- Kongregate Accounts
- ArmorGames Accounts
Thankfully, all Kongregate and ArmorGames accounts are safe. The only information we ever stored for these accounts was the ID used to link Everybody Edits to the respective site. As far as we are aware, Kongregate has not suffered any similar breach, meaning no information has been released regarding any of these accounts. ArmorGames, however, recently released their own statement.
Sadly, some Facebook accounts have been affected. We store Facebook IDs, and the names (only the names, not emails) are taken from the associated Facebook profiles. As such, the information released included the real names of most of our Facebook users and, in some cases, the ability to view the Facebook profiles associated with those accounts.
This leaves us with the Simple Accounts. Here is the personal information we do not store:
- Dates of Birth
- National Insurance/Social Security Numbers
- Phone Numbers
- Any information connected to looks, appearance and behaviour
- Tax Information
- Student Numbers
- Political Alignment Information
- Medical History
- Genetic Data
- Any financial information, such as card details.
We did store:
- Email Addresses
- IP Addresses
- Date of Registration
Passwords are fully hashed/encrypted, and have not been leaked or dehashed/decrypted in these documents. However, this whole incident is a good reminder of how important it is that your password be different on every site where you have an account. Some individuals have searched leaks from other sites for the email addresses listed in these documents, found passwords there, and tried them on Everybody Edits accounts, only to find that they log in successfully. As such, we highly recommend updating your password on Everybody Edits now, and again every few weeks.
Most of the IP Addresses that were leaked are now outdated, as they were the last known login IP addresses as of 5th January, 2019. Nevertheless, we sincerely apologise that the IP Addresses were stored at all, and we have now disabled collection of IP addresses. We are now only able to access your IP address while you are logged on (which we rarely need to do anyway).
The IP Addresses (where available) were released for both the Email Addresses and the Facebook Accounts. As such, regrettably, the Facebook Accounts are the most at risk here, if your IP Address hasn’t changed since you last logged on prior to 5th January, 2019. As far as we are aware, there is no danger of anyone accessing your Facebook account, but someone who really wanted to track down your location could combine your real name and IP Address to find a good approximation of where you live, even though an IP Address rarely pinpoints an exact location within an area. We realize this is scary, and we’re sorry it ever got to this stage, but if this applies to you, we would advise using a Virtual Private Network to hide your IP address in future where possible.
The following is what we see when we view the stored account information. There is no way for us (or anyone) to access the IP Address or the Password.
Let’s move on to how this breach occurred. On 5th January, 2019, we believe a staff member at the time exported the entirety of this storage area from this link:
We do not know why the staff member in question chose to export this information, and we don’t believe this staff member was involved in any of the recent hacking. However, the export sends an email to the person logged in to Player.IO containing a link to download the exported file(s). It has been confirmed that anyone who knows how these links are formatted can run a program that steps through every ‘DateTime’ within a certain period and retrieve the file themselves, which is how we believe the hackers got hold of these files. We have been in contact with Player.IO, who have now updated their systems by adding long, completely random strings to the links, so these exports can no longer be found in this way. As such, we believe it is no longer possible to access this information in this manner. I am also now the sole individual able to export these files, and I have no intention, or need, to do so.
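The link weakness described above, as an added illustration that is not Everybody Edits’ or Player.IO’s own code: an export-download link issuer whose tokens come from a CSPRNG rather than a timestamp, expire, can be redeemed only once, and are stored only as hashes so that a database export does not reveal live links. The download host name and the one-hour lifetime are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Hypothetical download host; not a real Player.IO endpoint.
DOWNLOAD_BASE = "https://exports.example.invalid/download/"
TOKEN_BYTES = 32        # 256 bits of entropy: infeasible to enumerate, unlike a DateTime
DEFAULT_TTL = 60 * 60   # assumed lifetime: links stop working after one hour


@dataclass
class _Record:
    expires_at: float
    consumed: bool = False


class ExportLinkStore:
    """Issues and redeems one-time, expiring export download links."""

    def __init__(self, ttl=DEFAULT_TTL, now=time.time):
        self._ttl = ttl
        self._now = now          # injectable clock so expiry can be tested
        self._records = {}       # sha256(token) -> _Record

    @staticmethod
    def _key(token):
        # Only a hash of the token is kept, so a dump of this table
        # (for example an exported database) yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self):
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG, not a timestamp
        self._records[self._key(token)] = _Record(self._now() + self._ttl)
        return DOWNLOAD_BASE + token

    def redeem(self, url):
        """Return True exactly once for a valid, unexpired link; False otherwise."""
        if not url.startswith(DOWNLOAD_BASE):
            return False
        token = url[len(DOWNLOAD_BASE):]
        rec = self._records.get(self._key(token))
        if rec is None or rec.consumed or self._now() > rec.expires_at:
            return False
        rec.consumed = True      # single use: a replayed link is refused
        return True
```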
Separately, the hackers appear to have had access to what is known as the “BigDB”, where the “OnlineStatus” information is stored. Below is the information we hold; it was exported in a similar fashion to the above. As such, the hackers may have been able to obtain this export in the same manner if they did not have access themselves.
Previously, this information was kept alongside the IP Address for years, but this is no longer the case, so it is now only possible for us to see your IP Address while you’re logged in. I believe this also applies if you have “Remember Me” ticked so that you do not have to enter your details on every login.
We have taken every precaution to make sure such an incident can never happen again. Player.IO has co-operated fully and transferred the game to a new Player.IO account I created, and all current members of staff have brand new Player.IO accounts as well, in case one of us was somehow compromised. Our contact at Player.IO has confirmed that anyone who may previously have had access through a development server is now locked out, so whatever access the hackers once had is no longer possible.
Another possible way the hackers gained access was through ‘connections’, the systems we use to authorize people. For example, there was once a “Facebook” connection, which has now been deleted entirely, and we have rotated the access keys for all remaining connections, so only the current developers are able to use them to change information.
We appreciate your patience and support through this whole ordeal. Please contact email@example.com if you wish to have the email associated with your account changed to a new one, and I will work over the next few days to get as many of those updated as possible.
I am personally sorry any of this occurred, and we have done all we can to make sure this can never ever happen again.
Owner of Everybody Edits
~ Xenonetix ~
9 thoughts on “Everybody Edits Data Security Breach”
I was wondering if the passwords were hashed or encrypted, seeing as hashed passwords cannot currently be broken, but encrypted passwords are very easy to find
It sounds like they are hashed. (I think when they used the words “encrypted” and “decrypted” they were just trying to use layman terms.) I would also hope they are salted using an algorithm like bcrypt.
Thanks so much for the detailed report! From the looks of things it seems like this is mostly Player.IO’s fault. Correct me if I’m wrong; someone was essentially bruteforcing download URLs on Player.IO and out of sheer luck one of your employees happened to generate a download URL for all the players in the database. While exporting all that data is a bit scary, it sounds like even if the employee took every precaution in handling the file that this could not have been avoided because Player.IO generates easily guessable links. That sucks. Sorry guys. I hope you all recover from this, but thanks so much for all that transparency!
I lost my Facebook account 1 year ago. I tried to recover its password, but I can’t.
My username is Antonio123457.
So is Everybody Edits at risk or not of players’ emails and such being compromised?
I’ve been trying to get into my account with an old email I had on it, but it says the email doesn’t exist. My account name is Alezz.
Haven’t played on it much, but it still seems good that even these days the staff team are making an effort to make sure everything is back up and fine.