On Saturday, March 23rd, 2019, multiple files were unfortunately released containing information on almost every Everybody Edits account from July 9th, 2010 to January 5th, 2019. We wish to address this leak, explain who is and is not affected, and what has been done to avoid such incidents in future.
There are 4 types of Everybody Edits accounts:
- Main Site Accounts (SimpleIDs)
- Facebook Accounts
- Kongregate Accounts
- ArmorGames Accounts
Thankfully, all Kongregate and ArmorGames accounts are safe. The only information we ever stored from these accounts was the ID used to link Everybody Edits to the respective site. As far as we are aware, Kongregate has not suffered any similar breach, meaning no information has been released regarding any of these accounts. ArmorGames, however, recently released their own statement.
Sadly, some Facebook accounts have been affected. We store Facebook IDs, and the names (only the names, not emails) are taken from the associated Facebook profiles. As such, the information released included the real names of most of our Facebook users and, in some cases, the ability to view the Facebook profiles associated with the accounts.
This leaves us with the Simple Accounts. Here is the personal information we do not store:
- Dates of Birth
- National Insurance/Social Security Numbers
- Phone Numbers
- Any information connected to looks, appearance and behaviour
- Tax Information
- Student Numbers
- Political Alignment Information
- Medical History
- Genetic Data
- Any financial information, such as card details
We did store:
- Email Addresses
- IP Addresses
- Date of Registration
Passwords are fully hashed/encrypted, and have not been leaked or dehashed/decrypted in these documents. However, this whole ordeal is a good lesson in how important it is to use a different password on every site you have an account on. Some individuals have searched for leaks from other sites that list the email addresses in these documents, found passwords there, and tried them on Everybody Edits accounts, only to find that they log in successfully. As such, we highly recommend updating your password on Everybody Edits now, and again every few weeks afterwards.
Most of the IP Addresses that were leaked are now outdated, as they were the last known login IP addresses as of 5th January, 2019. Nevertheless, we sincerely apologise that the IP Addresses were stored at all, and we have now disabled collection of IP addresses. We are now only able to access your IP address while you are logged on (which we rarely need to do anyway).
The IP Addresses (where available) were released for both the Email Addresses and the Facebook Accounts. As such, regrettably, the Facebook Accounts are the most at risk here, if your IP Address has not changed since you last logged on prior to 5th January, 2019. As far as we are aware, there is no danger of anyone accessing your Facebook account, but if someone really wanted to track down your location, they may be able to find a good approximation of where you live via your real name and IP Address, even though an IP Address rarely pinpoints an exact location within an area. We realize this is scary, and we’re sorry it ever got to this stage, but if this does apply to you, we would advise using a Virtual Private Network to hide your IP address in future.
The following is what we see when we view the stored account information. There is no way for us (or anyone) to access the IP Address or the Password.
Let’s move on to how this breach occurred. On 5th January, 2019, we believe a staff member at the time exported the entirety of this storage area from this link:
We do not know why the staff member in question chose to export this information, and we don’t believe this staff member was involved in any of the recent hacking. However, the export sends an email to the person logged in to Player.IO containing a link to download the exported file(s). It has been confirmed that anyone who knows the format of these export links is able to run a program that goes through every ‘DateTime’ within a certain period and download the file themselves, which is how we believe the hackers got hold of these files. We have been in contact with Player.IO, who have now updated their systems so these exports can no longer be found as easily, by adding extra, completely random strings to the links. As such, we believe it is no longer possible to access this information in this manner. I am also the sole individual able to export these files now, and I have no intention, or need, to do so.
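The weakness described above is a download link whose only variable part is a DateTime. The following added Python example (not Everybody Edits’ or Player.IO’s code) compares the guess space of such a timestamp-keyed link with that of a random token, and shows a link store that binds each token to the requesting account and expires it; the `ExportStore` class, its parameters and the sample account names are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_DAY = 86_400


def timestamp_guess_space(days: int, resolution_seconds: int = 1) -> int:
    """Candidate links an enumerator must try when the only varying part of a
    download link is a DateTime at `resolution_seconds` granularity over `days`."""
    return days * SECONDS_PER_DAY // resolution_seconds


def token_guess_space(token_bytes: int) -> int:
    """Candidate links when the varying part is `token_bytes` of CSPRNG output."""
    return 2 ** (8 * token_bytes)


@dataclass
class ExportLink:
    token: str        # unguessable identifier carried in the download URL
    owner: str        # account that requested the export; only it may download
    expires_at: float # epoch seconds after which the link is dead


class ExportStore:
    """In-memory stand-in (constructed for this example) for the server side
    that hands out and redeems export download links."""

    def __init__(self, ttl_seconds: int = 3600, token_bytes: int = 32):
        self._links: dict[str, ExportLink] = {}
        self._ttl = ttl_seconds
        self._token_bytes = token_bytes

    def create(self, owner: str, now: Optional[float] = None) -> ExportLink:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(self._token_bytes)  # CSPRNG, not a timestamp
        link = ExportLink(token, owner, now + self._ttl)
        self._links[token] = link
        return link

    def redeem(self, token: str, requester: str,
               now: Optional[float] = None) -> Optional[ExportLink]:
        """Serve the export only for a known, unexpired token presented by the
        account that created it; every other request gets None."""
        now = time.time() if now is None else now
        link = self._links.get(token)
        if link is None or now >= link.expires_at:
            return None
        if not secrets.compare_digest(link.owner, requester):
            return None
        return link
```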
Separately, the hackers appear to have had access to what is known as the “BigDB”, where the “OnlineStatus” information is stored. Below is the information we have; it was exported in a similar fashion to the above, so the hackers may have been able to access this export in the same manner if they did not have access themselves.
Previously, this information was kept alongside the IP Address for years, but this is no longer the case, so it is now only possible for us to see your IP Address while you’re logged in. I believe this also applies if you have “Remember Me” ticked so that you do not have to input your details on every login.
We have taken every precaution to make sure such an incident can never happen again. Player.IO has successfully co-operated and transferred the game again to a new Player.IO account I created, and all current members of staff have brand new Player.IO accounts as well, just in case one of us was somehow compromised. Our contact at Player.IO has confirmed that anyone that may previously have had access through a development server is now locked out, so whatever access the hackers once had is no longer possible.
Another possibility for how the hackers gained access was through ‘connections’, which are the systems we use to authorize people. For example, there was once a “Facebook” connection, which has now been deleted entirely, and we have updated all of the access keys to all the connections, so only the current developers are able to use them to change information.
We appreciate your patience and support through this whole ordeal. Please contact firstname.lastname@example.org if you wish to have the email associated with your account changed to a new one, and I will work over the next few days to get as many of those updated as possible.
I am personally sorry any of this occurred, and we have done all we can to make sure this can never ever happen again.
Owner of Everybody Edits
~ Xenonetix ~