For those who might need a bit of a refresher, the original announcement was back here.
As some of you may be aware, several hundred Nintendo Network IDs were recently compromised. The compromised NNIDs allegedly related to a 2016 hack of the Nugget Bridge forums, where people had used the same password for their NNID that they had for their forums account. We made two tweets about this a few days ago, which you can see here and here.
Without going into too much detail, the technique used by the attacker to obtain Nugget Bridge users' passwords was to intercept login form information. You can read more about that hack on Nugget Bridge from an update they made in December of last year, but the short version is that only those who actually manually logged into the forums via a login form in the period between the attacker inserting their code and it being removed would have had their credentials stolen. This is quite similar to what was done by the person who'd targeted our forums. Up until now, while we had some suspicion that these may be linked (particularly given the same attacker had allegedly been responsible for a similar attack on Pokémon Showdown as well) we had no evidence to firmly connect the two.
Earlier today however, a threatening tweet was sent to the Bulbagarden Twitter account in reply to our tweet on the compromised accounts. This tweet, which they have since deleted, stated that "you are not better... quite obvious i had compromised your database ill soon release." As of yet, we've not seen any such release, but personally we think it's better to be safe than sorry.
If the attacker did use the same technique on us in 2015 as they did on Nugget Bridge in 2016, then what they have is your (2015) forums username(s) and your (2015) password(s). Though I haven't confirmed this, it would seem plausible they may have also been able to obtain your email if you did a lost password reset. We have no firm evidence for any actual penetration of the forums database at this point in time, however if they did then they would have that email.
If you did not reset your Bulbagarden forums password after we moved to XenForo, you should change your password immediately. If your email is with one of the providers that has caused us problems (e.g. @aol.com, @comcast.com, @verizon.net), you should make sure you set up an email with an alternative provider such as @gmail.com first, even if you're only going to use that as an email specifically for your Bulbagarden account.
If you use the same combination of username and password on any other services, particularly those relating to Pokémon or Nintendo, I would urge you to change those passwords immediately. If you have the same combination of email and password on any other services, you might still be okay, but it's never a good idea to use the same password on multiple websites and you should really change those passwords anyway.
You can use tools such as the LastPass online password generator to help you in generating strong passwords. Secure Password Managers such as KeePass (which is free and open source) are also a good way to help you manage and create large sets of strong passwords.
We'll continue to give updates in this thread if any further information comes to light.