
Important Security Update - Please READ THIS.


Reg

Evening All,

In the world that we live in today, security is a major priority on all sites and this one is also included.

The T&C for the site says lots of things, but one of the most important is this.

If you attempt to sign up with what looks like a fake email address - the chances are - you will not be allowed in and your account will remain inactive or just outright banned.  Sometimes we reach out behind the scenes and at other times, we simply will not approve the registration and a second account will count as a duplicate account.

I am pretty happy with my catch ratio of these - but you could be the owner of an account that you currently use that has a throwaway email address.  This is going to potentially cause you a problem very soon.

Behind the scenes, I am constantly getting alerts saying this.

Allowing users to log in with a display name can represent a security weakness for your community because display names are public information and malicious users may attempt to login to multiple accounts with common passwords until they find an account for which the passwords work.  It is recommended that you only allow users to log in with their email addresses.

This means something has got to change.

We are constantly being hit by a barrage of failed login attempts, here is an example of what I look at when I check now.

This site is now big enough that we have the attention of people that want to use accounts that are not theirs, it may not also be FME related - there are plenty of other reasons such as social engineering, phishing attacks and such.

That is a credit to the success of this site that it's a worthy target, but now I need to address this.

[Image: screenshot of the failed login attempts list]

That is slightly edited as it's clear that the ones with a 2 were user errors.  Currently I have over one hundred and sixty pages of what you see above, it goes on and on and on.

This means that from this weekend, a change will be made to this site.

  • You will no longer be able to login with your username and must use your email address.

For anybody that has an email account that is a fake / throwaway / don't have access to, this is your time to fix this.

I will also be emailing everybody via the mass-mailer to notify them of this thread.

I also ask, please consider for additional security, please also use Two-Factor Authentication.

To access it you need to Edit Account Settings as shown below.

[Image: Edit Account Settings]

You can then go into the Account Security tab and enable it.

[Image: Account Security tab]

With it running it will ask you to verify a code.

[Image: verification code prompt]

This will make your account even more secure, with something you know ( your email and password ) along with something that you have ( an authentication app ).

Reg.


Just to add, in the very short time it took me to write this post above, here is an update of new entries on the list.

[Image: new entries on the failed login list]

This is all done via scripts against compromised passwords and logins which highlights why you should always have different passwords for all sites you use.

Once the account is compromised they will check the results and anything that is a pass is then confirmed by them and they could equally use the working details for other sites.

Be safe out there.

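The failed-login list described in the two posts above can be triaged by source, separating a member's mistyped password from scripted attempts across many accounts. This is an added example, not part of the original thread or the forum software; the record format, the threshold, and the sample data (documentation-range IPs, made-up identifiers) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of failed-login records: (source IP, identifier typed at login).
# An identifier without "@" stands for a public display name.
FAILED_LOGINS = [
    ("203.0.113.7", "member_a"), ("203.0.113.7", "member_b"),
    ("203.0.113.7", "member_c"), ("203.0.113.7", "member_d"),
    ("203.0.113.7", "member_e"),
    ("198.51.100.23", "a@example.com"), ("198.51.100.23", "b@example.com"),
    ("198.51.100.23", "c@example.com"), ("198.51.100.23", "d@example.com"),
    ("192.0.2.50", "member_f"), ("192.0.2.50", "member_f"),
]


def classify_sources(records, min_accounts=4):
    """Group failures by source and separate likely typos from scripted attempts.

    A source that fails against many distinct accounts is treated as automated
    (common or leaked passwords tried across accounts); a source that fails a
    couple of times against one account is treated as a user error.
    The threshold is an assumption and should be tuned to the site's traffic.
    """
    by_source = defaultdict(list)
    for ip, ident in records:
        by_source[ip].append(ident.strip().lower())

    report = {}
    for ip, idents in by_source.items():
        accounts = set(idents)
        report[ip] = {
            "attempts": len(idents),
            "distinct_accounts": len(accounts),
            "display_name_attempts": sum(1 for i in idents if "@" not in i),
            "verdict": "automated" if len(accounts) >= min_accounts else "user_error",
        }
    return report


def display_name_attempts(records):
    """Count failures that used a display name, the login path being switched off."""
    return sum(1 for _, ident in records if "@" not in ident)


if __name__ == "__main__":
    for ip, row in sorted(classify_sources(FAILED_LOGINS).items()):
        print(ip, row)
    print("display-name attempts:", display_name_attempts(FAILED_LOGINS))
```
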

Well I presume my gaming email on my account is still satisfactory? I assume it is or you would have told me by now, need this email just as much as my own personal one as it keeps an eye on arseholes (know what I mean;)) in my group on FB which continues to grow. If it is a problem for you or site security I can switch to my personal which is of no consequence to me.

Great work with securing things around here and use two step across my apps.

 

Zippy🤐

Zippy🤐 from Rainbosays "Head over to my thread for extra fun and frolics" https://www.desertislandfruits.com/forum/index.php?/topic/2941-emptiers/&tab=comments#comment-19855

 


36 minutes ago, mr x said:

I need to change my email address to my new one @Reg, how do I do it as I cannot find the option anywhere?

I thought we could change it but nope as I can't change mine.

I found this by clicking on the arrow next to your username at the top of the page and then click on 'Account Settings' and from there click 'overview'.

It'll show your current e-mail address there but can't change it, unless admins/mods have the ability to change it?


2 hours ago, mr x said:

I need to change my email address to my new one @Reg, how do I do it as I cannot find the option anywhere?

Ok - something may have changed with this - I can't find the option quickly at the moment - this might mean that I put back the change for a week to allow everybody to do this.

I need to investigate - keep an eye on this thread.


Noted, since enabled 2 step verification. 

Thanks for your hard unpaid work on this. 


About me: Arcade, Pinball & Fruit machine fan. 

At home: 7x Pinballs (90's to present day), Monopoly60th (£10), Indiana Jones (£8) & Sonic (£8).  

Looking for: Astra Bartops, Astra Reel Stampede, JPM Big50, Big Banker & Big Bucks.


11 minutes ago, fits said:

Afternoon Reg, just tried logging in with my email and keep getting wrong email, user, password. Is there something I’ve got to change?

Nope.  The switch is happening at the weekend, this is the notification for it.


I'm a bit lost here and sorry for being a pain - the email I use here is a Gmail account and I only use it for here and other FME sites. It's 'disposable' in that it's a Gmail account. 

Will these changes impact me?

Decal collection photography got sidetracked during my month without internet - will get caught up on it soon! :)


1 minute ago, slotsmagic said:

I'm a bit lost here and sorry for being a pain - the email I use here is a Gmail account and I only use it for here and other FME sites. It's 'disposable' in that it's a Gmail account. 

Will these changes impact me?

As long as you can recover that password and login should you need to do a password reset - then nope you are good.

If you have used a burner type email address to login ( one of the disposable ones such as Guerrilla Mail ) you will be screwed as that email literally only exists for usually about ten minutes or so.


Just now, Reg said:

As long as you can recover that password and login should you need to do a password reset - then nope you are good.

If you have used a burner type email address to login ( one of the disposable ones such as Guerrilla Mail ) you will be screwed as that email literally only exists for usually about ten minutes or so.

Oh that's fine then, I do use the email account regularly and have no intention of binning it, just like to keep my proper email account for business and family only and send forum things to different accounts :)

Thanks for the quick reply :)


This is actually a timely change to do this as well.  @Big J spotted this at Fruit-Emu.

[Image: screenshot of the post at Fruit-Emu]

That above was posted today.

The account details are these and this is very likely a compromised account.

[Image: account details]

Although that post I hope would be deleted over there and the account closed, the risk is the person that did this could also do all kinds of links to unsuspecting people via PM's.

This is why we do what we do here and will be making the changes as mentioned this weekend.


I didn't post it because you and others know how I feel about Fruit Emu, I did it for the exact reason you have said @Reg and what you are doing here. I sincerely hope that DadsFme and The Mecca will be secured against this type of threat/nonsense/bullshit. In all honesty I wish FE could be shaken up/improved and harbour no ill feelings towards its owner anymore as there is a tiny spark in me that still has love for the place believe it or not, but you never heard me say that.

Tbh it was Dads FB page where I blessed eyes on it originally thanks to Daryl aka Stardust.

I wonder if it is a good idea to attach some sort of alert in the new members area as one of them may get caught off guard?

Zippy🤐


We check every single Email and IP address at DADsFME and if they look even just a little bit dodgy they get binned!

I have to say I've rejected a lot more suspect accounts since the recent server move.
