Password breach clarification
This post is intended to be a clarification of the previous password breach notifications. I'll go over the games one-by-one:
'Pixelio', 'Pixel Castle' or 'GTMS'
(75 accounts affected) - I've been able to confirm that these games contained a password logger, and I have enough suspicions that the developer attempted to sell these passwords for profit.
(5,900 accounts affected) - This game was made by the same developer as 'Pixelio'. I do not have conclusive proof that this game contained a password logger, but based on various sources and the history of the developer I find it likely that it did contain one.
The developer of the two games above is no longer welcome on GameMaker Server, and any games with his involvement will be banned.
(1,000 accounts affected) - This game has been storing passwords since May 19, 2018 up until August 3, when I became aware of this. I am currently of the belief that this was a misguided attempt at implementing a password recovery feature, and as such this game has not been removed from GameMaker Server. If you have proof of the contrary, you can mail it to firstname.lastname@example.org. However, do note that given recent events I want to be able to verify this proof independently.
'Cubic Planet' by Korean
(unknown accounts affected) - This game is one of the many derivatives of the original 'Cubic Planet'. When I received the source code from the developer at my request, I discovered a piece of code that could be used to secretly make you send your password to another user.
Update: I've worked with the developer, and have allowed a newer version of the game without password stealing code on GameMaker Server.
All other Cubic Planet derivatives
- I'll be banning any and all games derived from 'Cubic Planet', given the likelihood that these games may also contain a password logger. Under certain conditions, I'm willing to make an exception (send a mail to email@example.com).
If you are developing a game using GameMaker Server, you are to never store or transmit user passwords (or hashes, or encoded variations). Not remotely, nor locally. Any violation of this will get your game banned.
What you can do
- Use unique passwords for every service. This limits the damage when a password is leaked.
- Report suspicions of malicious activity like stealing passwords to firstname.lastname@example.org.
- Please refrain from publicly posting private messages and mails, or harassing the developers involved. This does not need to turn into a witch hunt.
Last message on 4 Aug 2018