
Account Security

11,133 Views | 119 Replies

Response to Account Security 2023-12-30 16:10:18


I live...again!


Cheers all, should be back in more-secured business now: many thanks to Tom for helping me sort that out, and thanks to the messages from all. Hell of a holiday surprise!


Feel free to let me know if you see any other oddities from me besides love and peace: hopefully cleaned up the last of it.


Here's being back to reviewing the best of the month and spreading holiday cheer!

Response to Account Security 2023-12-30 16:21:57


Dang this post reminds me of some cartoons where enemies trap you and heroes are about to rescue you and defeat naughty enemies.


A member of Thumbnail Crew!, you should help as well!


AKA fe3l1ngsk1lled and Skilled!


Response to Account Security 2023-12-30 18:09:58 (edited 2023-12-30 18:10:48)


2FA is great, I wish all sites had at least some form of such functionality implemented, be it via app or email or what have you. As long as there's no way to bypass it; some alternative method that makes that extra layer of security all moot...


Good reminder.


The latest: Hexa #96 (Apr)


Response to Account Security 2023-12-30 19:21:19


done and done


Best regards


Response to Account Security 2023-12-30 21:00:07


any hacks so far? or are they dying down?


AlexToolStudio voicing acting since 2023

Response to Account Security 2023-12-30 21:02:36


At 12/30/23 09:00 PM, AlexToolStudio wrote: any hacks so far? or are they dying down?


I think they're still looking for any other accounts they have access to. However, they could also be hacking people on other websites or planning for their next attack. In the meantime I will keep you guys updated in case I find any other NG account that’s being hacked.

Response to Account Security 2023-12-30 21:17:44


Well I decided to activate 2FA after some consideration.


Honestly the only thing that surprises me is that this clown didn’t decide to change up the pattern and name hacked accounts “Water Crow” if we want to get fancy about how the guy was using their word play with the hacked accounts.


Inb4 Jim Melon reads this thread under a VPN and notices this post.

Response to Account Security 2023-12-31 00:00:33 (edited 2023-12-31 00:04:09)


@DongffTK is finally back. But one thing I noticed is that I can't follow/unfollow, comment or react to his stuff. I haven't interacted with his stuff much but I'm for sure I have never said shit worthy of blocking. My theory is that the hacker blocked ppl so they couldn't avoid the shock porn and gore via unfollowing. Since I couldn't unfollow DonkffTK when he was hacked.


Is this a thing others have? That you can't interact with hacked accounts.


proof:

iu_1138052_14510086.jpg

Response to Account Security 2023-12-31 00:14:26 (edited 2023-12-31 00:19:38)


At 12/29/23 09:52 AM, YendorNG wrote: and use a password manager.


more on this


I'm a heavy user of password managers, if anyone is interested. I have over 200 passwords in my database, which has a master password of around 60 characters, and it is synced between three personal devices: my home laptop, my smartphone and my internship workstation


I use KeePassXC. the password database used is de facto standardized, so KeePass2Android and other implementations can open and modify this database. I use SyncThing in order to synchronize the password database across devices.


the technology itself is strong and historically well established. there are strong guarantees provided by all hardware, operating system, underlying libraries and end-user software as well. at this point I just "trust it"


my choice of software was made by my supervisor at my first internship, I did not consider all implementations and possibilities for password managers. for instance, there are cloud-based solutions and managers built into browsers, however I stuck with the choices of my previous supervisor


never EVER save your password database in a device not TOTALLY controlled and owned by you, never EVER open your password manager in such an alien device. I have to use my university password in many public computers. it is a strong password, but it is manageable to type manually by looking at it from my smartphone. it is convenient, and if a keylogger captures my password, it is just one account compromised. if you go through the hassle of opening a password manager in an alien device, it is indefensible and then every account is compromised.


I have been sloppy about synchronizing my password database, and now I have divergent copies at every personal device. currently, it is a minor headache, thus I took no actions so far. unless there is a built-in solution, I will simply put all three versions in a thumb-drive and merge manually. it happens.


make backups of your password database. even if you keep in sync between many devices, replication and redundancy is not backup!!!! there is a negligible chance that a corrupt copy overwrites consistent copies while syncing. currently I did one backup so far, a year ago, to an external HDD. this is really bad, I need more backups.


beware old or broken systems. some systems refuse long passwords, or worse: silently accept a long password while truncating it, and then rejecting your login. some systems will go crazy when you add culture-specific characters like áàûïóíç or emojis. it is very possible for a system to keep track of character encoding, even if it has to be reencoded several times while in transit (did you know JavaScript uses UTF-16?), but some systems do it incorrectly and will lose information and break. if the system is robust and you use it a lot, you can try to set a very long password with several culture-specific characters, otherwise stick to standard ASCII special characters like *!&$%@#()[]{}. if the system does not inform limits and appears broken with long passwords, try lengths like 32, 20, 16, 12, 8 and 6. be especially wary when creating an account on a beautiful Web form, while you will have to log in later using an old-ass broken desktop game or app. some systems are so broken, they will keep multiple versions of passwords, in this case don't edit your password entries (which would overwrite the previous password), create a new one while keeping the original for a while


do not underestimate unimportant websites. maybe you are creating a one-time throw-away account, or else you had the problems described above. even then, settle for a strong password within the constraints of the system or lack of personal interest. I do not know anecdotes to share, but I follow this ideal. I think that if someone wants to destroy you, that one-time throw-away account with a weak password may bite back.


minimize the time you leave your password manager open. typing the master password might be boring and error-prone, but DO NOT let it open the entire day for convenient login at any time. beware the evil maid attack. and remember: "keep your friends close, and enemies closer" -- some gangster movie quote. your friends and family and coworkers are the more likely to stab you, especially if they were blackmailed into doing it


</braindump>


edit: don't lose your master password or password database, stupid! don't trust your brain memory.


The prudent man must be mute,

For it is better in this world, a sea of deceits,

To be mad with the rest than, alone, sober-minded
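The truncation and encoding failure described in the post above, as an added example that is not part of the original post. `LegacySite`, its 16-byte limit and the sample passwords are constructed for illustration; the model assumes a sign-up form that cuts the UTF-8 bytes while the login form does not.

```python
import hashlib
import hmac


def length_report(password: str) -> dict:
    """The three 'lengths' that different layers may count for one password."""
    return {
        "code_points": len(password),
        "utf16_units": len(password.encode("utf-16-le")) // 2,  # JavaScript .length
        "utf8_bytes": len(password.encode("utf-8")),  # what a byte limit counts
    }


def _digest(raw: bytes) -> bytes:
    # Fixed salt and a low iteration count keep the model fast;
    # this is not a password-storage recipe.
    return hashlib.pbkdf2_hmac("sha256", raw, b"constructed-salt", 1000)


class LegacySite:
    """Constructed model of the broken system in the post: sign-up silently keeps
    only the first max_bytes UTF-8 bytes, the login form hashes the full input."""

    def __init__(self, max_bytes: int):
        self.max_bytes = max_bytes
        self._stored = b""

    def register(self, password: str) -> None:
        self._stored = _digest(password.encode("utf-8")[: self.max_bytes])

    def login(self, password: str) -> bool:
        return hmac.compare_digest(_digest(password.encode("utf-8")), self._stored)


def longest_working_prefix(site: LegacySite, password: str):
    """Longest typed prefix (in characters) that logs in, or None if none does."""
    for n in range(len(password), 0, -1):
        if site.login(password[:n]):
            return n
    return None


if __name__ == "__main__":
    # One password, three different lengths depending on who counts.
    print(length_report("p\u00e1ssword\U0001F511"))

    ascii_pw = "correct-horse-battery-staple"  # constructed sample, 28 ASCII chars
    site = LegacySite(max_bytes=16)
    site.register(ascii_pw)
    # The full password is rejected; only its first 16 characters log in.
    print(site.login(ascii_pw), longest_working_prefix(site, ascii_pw))

    # The 16-byte cut lands inside the two-byte "ç": nothing typeable logs in.
    accented_pw = "a" * 15 + "\u00e7" + "tail"
    site.register(accented_pw)
    print(longest_working_prefix(site, accented_pw))
```

When the full password is rejected right after sign-up, walking down through shorter prefixes (the 32, 20, 16, 12, 8, 6 suggested in the post) finds the effective limit; a `None` result means the stored value was cut mid-character and the password has to be reset.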

Response to Account Security 2023-12-31 00:14:33


At 12/31/23 12:00 AM, Nebulate wrote: @DongffTK is finally back. But one thing I noticed is that I can't follow/unfollow, comment or react to his stuff. I haven't interacted with his stuff much but I'm for sure I have never said shit worthy of blocking. My theory is that the hacker blocked ppl so they couldn't avoid the shock porn and gore via unfollowing. Since I couldn't unfollow DonkffTK when he was hacked.

Is this a thing others have? That you can't interact with hacked accounts.

proof:


Ditto, I can observe this too when I visit his profile

Response to Account Security 2023-12-31 08:05:33


At 12/31/23 12:00 AM, Nebulate wrote: @DongffTK is finally back. But one thing I noticed is that I can't follow/unfollow, comment or react to his stuff. I haven't interacted with his stuff much but I'm for sure I have never said shit worthy of blocking. My theory is that the hacker blocked ppl so they couldn't avoid the shock porn and gore via unfollowing. Since I couldn't unfollow DonkffTK when he was hacked.

Is this a thing others have? That you can't interact with hacked accounts.

proof:


I think the hacker put the accounts' followers on a blocklist, I wasn't following that guy and can interact with his stuff just fine, but I was following princessninjato before she got hacked and now I'm blocked.


tries too hard to be edgy and is blocked by many because he acts rude towards others to feel better about himself.


Response to Account Security 2023-12-31 08:21:11


The new requirement of not being allowed to login using a VPN is way too harsh, lots of legitimate users use VPNs for privacy reasons. I really don't want to stop visiting Newgrounds because of this.

Response to Account Security 2023-12-31 08:26:18


At 12/31/23 08:21 AM, OneMagpie wrote: The new requirement of not being allowed to login using a VPN is way too harsh, lots of legitimate users use VPNs for privacy reasons. I really don't want to stop visiting Newgrounds because of this.


This is temporary while we work on some other updates.


Working on Nightmare Cops!


Response to Account Security 2023-12-31 08:59:12


i think they managed to block EVERY SINGLE USER IN EXISTENCE EVEN THE BOTS


At 12/31/23 08:05 AM, MetalSlayer69 wrote:
At 12/31/23 12:00 AM, Nebulate wrote: @DongffTK is finally back. But one thing I noticed is that I can't follow/unfollow, comment or react to his stuff. I haven't interacted with his stuff much but I'm for sure I have never said shit worthy of blocking. My theory is that the hacker blocked ppl so they couldn't avoid the shock porn and gore via unfollowing. Since I couldn't unfollow DonkffTK when he was hacked.

Is this a thing others have? That you can't interact with hacked accounts.

proof:
I think the hacker put the accounts' followers on a blocklist, I wasn't following that guy and can interact with his stuff just fine, but I was following princessninjato before she got hacked and now I'm blocked.



AlexToolStudio voicing acting since 2023

Response to Account Security 2023-12-31 09:11:22 (edited 2023-12-31 09:11:37)


At 12/31/23 08:59 AM, AlexToolStudio wrote: i think they managed to block EVERY SINGLE USER IN EXISTENCE EVEN THE BOTS

At 12/31/23 08:05 AM, MetalSlayer69 wrote:
At 12/31/23 12:00 AM, Nebulate wrote: @DongffTK is finally back. But one thing I noticed is that I can't follow/unfollow, comment or react to his stuff. I haven't interacted with his stuff much but I'm for sure I have never said shit worthy of blocking. My theory is that the hacker blocked ppl so they couldn't avoid the shock porn and gore via unfollowing. Since I couldn't unfollow DonkffTK when he was hacked.

Is this a thing others have? That you can't interact with hacked accounts.

proof:
I think the hacker put the accounts' followers on a blocklist, I wasn't following that guy and can interact with his stuff just fine, but I was following princessninjato before she got hacked and now I'm blocked.


Am not blocked by the account, I can still follow it and even send it messages. It seems to be just their past followers. If by any chance non-past followers got blocked by it, they likely started blocking people that talk to the account in the past so that their follow count stays at 0.

Response to Account Security 2023-12-31 09:12:53 (edited 2023-12-31 09:15:45)


oh boy having to wake up with 0 fans

Will be the most painful thing ever

At 12/31/23 09:11 AM, Tankcraft wrote:
At 12/31/23 08:59 AM, AlexToolStudio wrote: i think they managed to block EVERY SINGLE USER IN EXISTENCE EVEN THE BOTS

At 12/31/23 08:05 AM, MetalSlayer69 wrote:
At 12/31/23 12:00 AM, Nebulate wrote: @DongffTK is finally back. But one thing I noticed is that I can't follow/unfollow, comment or react to his stuff. I haven't interacted with his stuff much but I'm for sure I have never said shit worthy of blocking. My theory is that the hacker blocked ppl so they couldn't avoid the shock porn and gore via unfollowing. Since I couldn't unfollow DonkffTK when he was hacked.

Is this a thing others have? That you can't interact with hacked accounts.

proof:
I think the hacker put the accounts' followers on a blocklist, I wasn't following that guy and can interact with his stuff just fine, but I was following princessninjato before she got hacked and now I'm blocked.
Am not blocked by the account, I can still follow it and even send it messages. It seems to be just their past followers. If by any chance non-past followers got blocked by it, they likely started blocking people that talk to the account in the past so that their follow count stays at 0.

AlexToolStudio voicing acting since 2023

Response to Account Security 2023-12-31 10:27:29 (edited 2023-12-31 10:27:56)


Am just thinking they might have stopped for the rest of 2023, meaning they might return in 2024 when people least expect it, or maybe they're still planning something.

Response to Account Security 2023-12-31 14:48:26


At 12/31/23 08:26 AM, TomFulp wrote:
At 12/31/23 08:21 AM, OneMagpie wrote: The new requirement of not being allowed to login using a VPN is way too harsh, lots of legitimate users use VPNs for privacy reasons. I really don't want to stop visiting Newgrounds because of this.
This is temporary while we work on some other updates.


That's great to know, I was really worried!

Response to Account Security 2023-12-31 15:04:38


What's their purpose in hacking Newgrounds accounts? Is it to resell accounts or do a massive message spam?


Do we at least have any educated guesses on the person's motives?

Response to Account Security 2023-12-31 16:36:10


At 12/31/23 03:04 PM, BanoyAlbert wrote: What's their purpose in hacking Newgrounds accounts? Is it to resell accounts or do a massive message spam?

Do we at least have any educated guesses on the person's motives?


The hacked accounts have been spam posting gore and porn to the portals. Some also PM people.


I am the original GetterRocka

Response to Account Security 2023-12-31 17:26:44


Considering half the emails I get these days are "reset your password" links I didn't ask for, going 2FA on everything seems to be the only thing keeping me from losing just about everything.

Response to Account Security 2023-12-31 18:12:35


Sad people and their sad lives...


I like cats


Response to Account Security 2024-01-01 11:57:56


2 days and nothing happened


At 12/30/23 09:02 PM, Tankcraft wrote:
At 12/30/23 09:00 PM, AlexToolStudio wrote: any hacks so far? or are they dying down?
I think they're still looking for any other accounts they have access to. However, they could also be hacking people on other websites or planning for their next attack. In the meantime I will keep you guys updated in case I find any other NG account that’s being hacked.



AlexToolStudio voicing acting since 2023

Response to Account Security 2024-01-02 04:38:20


Thank you well noted


~X~


~X~ (FOLLOW-ME)

[] The Top Reviewer Since 2002 [] COMIC >> WAYNES WORLD


Response to Account Security 2024-01-03 09:14:03


At 12/29/23 08:57 AM, TomFulp wrote: Several accounts have been broken into this week, here are some tips / reminders of what you can do to keep your NG account more secure:

2FA is highly recommended, especially if you’re an artist account that will be a larger target.


Anyone reading this, a crash course in security best practices.


First, pick two: Something you know, something you have, something you are. Unless NG starts selling Tankman branded retinal scanners or blood analysis kits, you'll stick with the first two: Something you know (password) and something you have (e-mail account, phone) for 2FA. It's a good idea.


Also, I know everyone is terrible at this but STOP using the same password for everything. Servers across the internet get compromised constantly. I've racked up many years of free identity-theft protection as a result of class action lawsuits.


Equally important, I recommend you stop using your browser to store all your passwords. We've encountered problems with this in my job, and it wasn't pretty. There are good password management tools out there. Personally, I like Bitwarden. It's free, open source, and widely regarded as a best-of-class tool.


More tools for your safety and security can be found here for the interested.


It can be daunting to create new passwords for the dozens of logins most of us have gotten used to. Passphrases are a little easier to remember and tough for password crackers to beat. So a format like:

xxxx-XXXX-1234-xxxx-XXXX

can be pretty powerful.


new-GROUNDS-1234-tank-MAN is an example.


While I'm on my soapbox, open up a cmd line or powershell and run ipconfig /all. Look for your "default gateway" and copy/paste that IP address into your browser. It probably looks like 10.0.0.1


This will take you to the admin login portal for your router. If you can get in with "admin" and "password", it's time to change it. If you are using "password" or "password1" or "p455w0rd" or anything like that, it's going to be a problem for you. If you see any password cracking software in action, they automatically run through all these common passwords. You'd be amazed at the terrible passwords attached to critical systems and infrastructure.


Krash17's mental health secrets:

Drink more water, sleep well, and if you want friends, be a friend.
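The passphrase format and the common-password warning from the post above, as an added example that is not part of the original post. The 16-word list, the `COMMON` set and all function names are constructed for illustration, and the entropy figure assumes every word and digit is drawn uniformly at random rather than chosen by a person.

```python
import math
import re
import secrets

# Constructed 16-word list so the example runs offline. A real generator needs
# a large list; the EFF long list, for instance, has 7776 words.
SAMPLE_WORDS = ["tank", "ground", "portal", "pixel", "sketch", "robot", "castle",
                "madness", "pico", "flash", "audio", "render", "cursor", "vector",
                "shader", "sprite"]

# xxxx-XXXX-1234-xxxx-XXXX, the format given in the post.
FORMAT = re.compile(r"^[a-z]+-[A-Z]+-\d{4}-[a-z]+-[A-Z]+$")

# Character swaps that cracking wordlists undo first ("p455w0rd" -> "password").
LEET = str.maketrans("4@3105$7", "aaeiosst")
COMMON = {"password", "admin", "letmein", "qwerty"}  # constructed short list


def generate(words=SAMPLE_WORDS) -> str:
    """Build word-WORD-1234-word-WORD from a cryptographically secure RNG."""
    w = [secrets.choice(words) for _ in range(4)]
    number = f"{secrets.randbelow(10_000):04d}"
    return "-".join([w[0].lower(), w[1].upper(), number, w[2].lower(), w[3].upper()])


def entropy_bits(wordlist_size: int) -> float:
    """Entropy when all four words and the number are picked at random.
    The fixed lower/UPPER pattern and the dashes add nothing."""
    return 4 * math.log2(wordlist_size) + math.log2(10_000)


def is_common(password: str) -> bool:
    """True if the password reduces to a common one after dropping trailing
    digits and undoing leetspeak ("password1", "p455w0rd")."""
    base = password.lower().rstrip("0123456789").translate(LEET)
    return base in COMMON


if __name__ == "__main__":
    phrase = generate()
    print(phrase, bool(FORMAT.match(phrase)))
    print(f"16-word list:   {entropy_bits(16):.1f} bits")
    print(f"7776-word list: {entropy_bits(7776):.1f} bits")
    for candidate in ("password", "password1", "p455w0rd", phrase):
        print(candidate, "-> common" if is_common(candidate) else "-> not in list")
```

The strength comes from the size of the word list and the random choice, not from the capitalisation pattern, which is why the same format scores about 29 bits with the 16-word sample list and about 65 bits with a 7776-word list.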

Response to Account Security 2024-01-06 07:57:00


Also another tip, make sure to use password managers! Like KeePass, Bitwarden, DashLane, 1Password, RoboForm, etc.


I've listed free, paid, open source, proprietary, cloud, and local options. There are many other password managers out there, find one that works best for you.


Vestik

Response to Account Security 2024-01-06 08:54:51


what about Chrome built-in password manager


At 1/6/24 07:57 AM, vestik wrote: Also another tip, make sure to use password managers! Like KeePass, Bitwarden, DashLane, 1Password, RoboForm, etc.

I've listed free, paid, open source, proprietary, cloud, and local options. There are many other password managers out there, find one that works best for you.



AlexToolStudio voicing acting since 2023

Response to Account Security 2024-01-06 09:16:20


At 1/6/24 08:54 AM, AlexToolStudio wrote: what about Chrome built-in password manager

At 1/6/24 07:57 AM, vestik wrote: Also another tip, make sure to use password managers! Like KeePass, Bitwarden, DashLane, 1Password, RoboForm, etc.

I've listed free, paid, open source, proprietary, cloud, and local options. There are many other password managers out there, find one that works best for you.


Nope, anyone who has access to your computer automatically has access to all those stored passwords in the browser. I understand it can be quite inconvenient, but that's the sad truth. They can get access through remote control too, so it doesn't have to be physical. It is unlikely though, so not much to worry about, as long as you have a good general base of security. BeEF can sometimes be used for gaining access to one's computer.

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Vestik

Response to Account Security 2024-01-06 09:36:46


what if you have 2 step on or/and Windows hello


At 1/6/24 09:16 AM, vestik wrote:
At 1/6/24 08:54 AM, AlexToolStudio wrote: what about Chrome built-in password manager

At 1/6/24 07:57 AM, vestik wrote: Also another tip, make sure to use password managers! Like KeePass, Bitwarden, DashLane, 1Password, RoboForm, etc.

I've listed free, paid, open source, proprietary, cloud, and local options. There are many other password managers out there, find one that works best for you.
Nope, anyone who has access to your computer automatically has access to all those stored passwords in the browser. I understand it can be quite inconvenient, but that's the sad truth. They can get access through remote control too, so it doesn't have to be physical. It is unlikely though, so not much to worry about, as long as you have a good general base of security. BeEF can sometimes be used for gaining access to one's computer.



AlexToolStudio voicing acting since 2023

Response to Account Security 2024-01-06 09:47:09


At 1/6/24 09:36 AM, AlexToolStudio wrote: what if you have 2 step on or/and Windows hello

At 1/6/24 09:16 AM, vestik wrote:
At 1/6/24 08:54 AM, AlexToolStudio wrote: what about Chrome built-in password manager

At 1/6/24 07:57 AM, vestik wrote: Also another tip, make sure to use password managers! Like KeePass, Bitwarden, DashLane, 1Password, RoboForm, etc.

I've listed free, paid, open source, proprietary, cloud, and local options. There are many other password managers out there, find one that works best for you.
Nope, anyone who has access to your computer automatically has access to all those stored passwords in the browser. I understand it can be quite inconvenient, but that's the sad truth. They can get access through remote control too, so it doesn't have to be physical. It is unlikely though, so not much to worry about, as long as you have a good general base of security. BeEF can sometimes be used for gaining access to one's computer.


If someone grabs your password, but you have 2FA enabled you're most likely going to be safe. I've saved my passwords in my web browser all my life, recently though I was downloading some sketchy files and I probably installed a keylogger so now my accounts have been compromised so I have been taking my security to the absolute max, almost going insane.


So as long as you're smart about your general online browsing, security, have the basic security recommendations (2FA on all accounts with a strong password, ideally avoiding phone number due to SIM-swapping) then you'll be good. You can keep them saved, but make sure to not fuck up elsewhere.


Vestik