- Staff
- #1
- Oct 20, 2016
- 1,878
- 2,327
In an effort to be transparent, I am letting people know that we have had a leak of user login credentials for the Dragon Saga server. This is due to Paris taking unknown backups of an older database, binaries and source code without our knowledge and storing them on her Mega account when stepped down from our team, which was then compromised. We had known about the leak of binaries and source code, but were unaware that a backup containing credentials had also been leaked. I became aware of this when I was alerted that someone was claiming to have all of our user credentials, and that they could login to any of our user accounts.
While credentials have been leaked, they are fully encrypted, and the likelihood that they have actually accessed any accounts is low. The passwords that were shown to the person who alerted us to this were still in MD5 format, so it's likely that the people involved haven't or can't decrypt the passwords.
We have changed all passwords to a randomized encrypted 32-character password, which users can change through the account manager account manager. If you have used the same password elsewhere, I recommend changing it there as well.
This leak only affects Dragon Saga login credentials, and does not include anything relating to the website. This means that no actual personal information (such as email) or financial information has been leaked. We also do not personally hold or maintain any financial information (that is all handled by Xsolla or Paypal), and only maintain a record of purchases.
As far as how backups are actually handled, they are generated and immediately encrypted and password, then transferred to a physical server that only I have access to, and require a Yubikey to access data from.
EDIT: Clarifying that Paris did not leak the database, but her Mega account was compromised.
While credentials have been leaked, they are fully encrypted, and the likelihood that they have actually accessed any accounts is low. The passwords that were shown to the person who alerted us to this were still in MD5 format, so it's likely that the people involved haven't or can't decrypt the passwords.
We have changed all passwords to a randomized encrypted 32-character password, which users can change through the account manager account manager. If you have used the same password elsewhere, I recommend changing it there as well.
This leak only affects Dragon Saga login credentials, and does not include anything relating to the website. This means that no actual personal information (such as email) or financial information has been leaked. We also do not personally hold or maintain any financial information (that is all handled by Xsolla or Paypal), and only maintain a record of purchases.
As far as how backups are actually handled, they are generated and immediately encrypted and password, then transferred to a physical server that only I have access to, and require a Yubikey to access data from.
EDIT: Clarifying that Paris did not leak the database, but her Mega account was compromised.
Last edited:
