The Continuing Committee Has Been Hacked

by Maggie Geppert, Vice Chairman

2nd March 2018

We regret to inform the TrekCC community that our website has been a target of a cyberattack. We first learned of a possible attack in a post in the buzz from user enusbaum on Wednesday, December 20th. At that time, I immediately asked Chris Lobban (Maelwys) and James Heaney (BCSWowbagger), our intrepid code monkeys, to look into this. Neither of them was able to find evidence that an attack had occurred, so we thought it was the end of the story.

Well, this past Tuesday evening, that all changed.  James informed me and Chris that he had just found that indeed one of his email addresses had made it onto a password dump on Pastebin.  This email address was a part of a dump from our database, which was presumably also sold on the Dark Web.  Now, there is some good news here.  First off, the table stolen only has usernames, passwords, birthdays and sig lines.  In the grand scheme of things, it could be worse.  No addresses or other personal information appear to have been stolen.  The Continuing Committee also does not store any financial information of our users.  Finally, all of the passwords they collected were encrypted.  However, a large number of the users here have very weak passwords, and, using only the data that was stolen, James was able to decrypt nearly a sixth of our users’ passwords in 2 minutes and 28 seconds. 

So where do we go from here? Chris will be sending out a global email to all of our users letting them know what’s happened, so that even inactive users can update their accounts. Additionally, he will be implementing a global password reset at 11:59 pm server time on Saturday, March 3rd. At that time, everyone will be forcibly logged out of the system. When you next log in, you will be asked to change your password. Please use a password that is strong. Here’s a pretty good article from Buffer on how to craft a secure password that is easy for you to remember but hard for hackers to crack.

If you use your TrekCC password on other websites, we strongly advise you to change it on those other sites as well. Hackers do not care at all about your Star Trek card decks (well, not most of them). They want access to your email, social media profiles, and, ultimately, your financial accounts. If you reuse your passwords, they could gain that access, especially if you do not use two-factor authentication or a password manager.

When you want to change your password in the future, you can do this via the User Control panel (Profile > Edit account settings). Chris and James have spent the last year or so making our site more secure. They believe that the holes in our security that allowed this breach have been patched, and they will continue to implement better safety protocols into the future. We are happy to answer any and all of your questions about the hack and the site reset in the forum thread associated with this article. Again, we deeply regret that this breach has happened and apologize to our members for any harm this may cause in the future.

Discuss this article in this thread.
