Nexus Mods had a possible security breach

Kilus

Nexus Mods is a popular mod hosting site for Fallout and other game series and has just released news of a possible security breach. Here is a truncated quote of their news post:

It is with a heavy heart that I must inform you of a potential database breach at Nexus Mods. I understand that sounds horrifically ambiguous at best, but the simple truth of the matter is that we have yet to fully confirm the database breach has occurred any time recently but, in light of recent events, I cannot in good conscience not warn you of the potential for such an eventuality.

While it seems clear cut that we've had a breach from that email, unfortunately, it's too ambiguous to draw any concrete conclusions. We indeed had a database breach several years ago when hackers gained entry to our systems by hacking our file server hosts (a horrible way to be hacked, when it's not even directly your fault), so this could potentially be a result of that previous leak, or it could be a result of recent database breaches at other major networks (like the PlayStation Network, eBay or otherwise) and hackers correlating information from reused passwords, or any number of things.

Things became more suspicious yesterday when three Fallout 4 mods from three separate authors had their files changed by the authors themselves, but the file change contained a .dll file that while it isn't being reported as a virus by our VirusTotal system (that scans files using 56 different virus scanners), it is still highly suspicious, and the authors have reported it wasn't them who did it. Indications suggest these author accounts were compromised. Which, once again, isn't conclusive proof of a total database breach, but is rather damning.

To clarify, we store all passwords in our database in a hashed and salted system (i.e. not plain text). This does not mean your passwords are completely safe, however. Because all encryption is a mathematical formula based around how complex it is to crack, given enough time and processing power almost all forms of encryption can be cracked eventually. The problem gets worse if your password is easily recognisable or very simple. If you've ever wondered why some sites ask you to have at least 1 number and one "special" character, this is why. It makes passwords a lot harder to crack (and yes, we'll implement these forced requirements soon, too). Because of this, it's possible this is a result of the database breach from a few years ago coming back to haunt users that haven't changed their passwords. The problem is, we're just not sure yet.

For any worried Premium Members, we do not store your credit card numbers, expiry dates or secure numbers at all. That's all handled by PayPal.

Update: Many people have asked about the three Fallout 4 files that were mentioned in this post. The three files affected were:

- Higher Settlement Budget (downloads from 5th December)
- Rename Dogmeat (downloads from 4th December)
- BetterBuild (downloads from 29th November)

The suspect file contained in the archives was called "dsound.dll".

http://www.nexusmods.com/games/news/12670/

The suggested course of action is to change your Nexus password to a new unique password and watch news from Nexus Mods. If your Nexus Mods password is shared with other sites you should change them to new unique passwords too.
 
It appears the security issues were from the old 2013 security breach:

I promised I'd update you all on the possibility of a database breach on Nexus Mods that I announced yesterday morning and I am here with relatively "good" news.

I am now in possession of the database dump, that was first reported on Reddit, via university security networks, and I can confirm several things. First, the database dump is "old", with the last member in the database having registered on July 22nd 2013. If you're one of the 4.2 million users who registered on Nexus Mods after this date, your details are not included in this database dump and are therefore considered "safe". Second, the database dump isn't a complete database rip. The dump contains user IDs, usernames, email addresses, hashes and salts, and that's it. It does not contain cracked passwords i.e. anyone with access to the dump would need to attempt to crack the hashes and salts themselves in order to get any sort of use out of them on the site.

http://www.nexusmods.com/fallout4/news/12675/?
 
Shouldn't they have emailed all their users?

This notification basically boils down to "We care just barely enough that if you happen to see this post, you'll be able to take proper actions. If you didn't happen to see the post, meh."

I already had various negative opinions of Nexus Mods but this is just irresponsible. If you're breached, you need to notify everyone. That's just basic respect for your users.
 