Forum and Support Update

We have a new forum running. It has two major issues:

  • It is empty. It is completely different forum software so we may not be able to recover old posts. We are looking at ways to make old posts available without opening the forum security hole that allowed all this in the first place.
  • We don’t have individual forums for leagues yet.

Up until tonight, there was a bug that prevented many (or most) people’s passwords from working on the forum. This is fixed.

Until we get league forums, please just post in the forum where your league belongs (Dynasty, Speed, Trial, etc.) and put the name of the league in the title of the thread. We’ll hopefully have league forums within a couple of days.

Support will no longer be handled via the forums; please keep using support.simdynasty.com for support.

Support is backing up because we are still finding issues with the rebuild. Most support tickets require code fixes, so tickets are in some cases taking hours to resolve. Please be patient as we work through the system. Thank you!


Newsletter

The following message was sent to all users, but unfortunately some users may have gotten it filtered out, or sent to spam. This is the official statement on the outage:


If you are an active owner, you undoubtedly noticed we have been offline since Thursday.

Summary

  • Our site suffered a security breach. Some or all of the user passwords may have been compromised.
  • All paying customers, past or present, will receive a $10 credit. In addition, anyone with more than 1 team will receive an additional $5 credit per team.
  • We expect the site will be back online Monday morning.
  • All user passwords have been reset. You’ll receive an email with a link to reset your password when you try to log in.
  • Games and other league events will resume on Tuesday.

What Happened?

Our site has suffered a security breach, similar to the ones that recently hit Equifax. Some or all of the user passwords may have been compromised. Through our analysis, our conclusion is that the third-party software we use to run the forums was the initial failure point; they were able to log into the forum as an Admin. The hackers also discovered the Admin password which is used by Admins on the game site to log into our administrative panel on the game site.

Once logged into the forums as an Admin, they used a built-in feature on the forums to email all the users with a blackmail email. We don’t know how many people received this email before we shut it down, but it was a good portion of you.

What information was compromised?

Using the administrative panel, they had access to all user names, email addresses, and passwords. Through our log analysis, it doesn’t appear they looked up more than a handful of accounts using this method. But to be safe, we are operating as if this information has been compromised and suggest you do as well. If you use the same email/password combination on other websites, we recommend you change your password on those websites.

What about my PayPal/Credit Card Info?

We do not store or have access to your credit card or PayPal information. PayPal “pushes” payments to us; we cannot “pull” payments from PayPal. This is why you have to manually cancel a subscription when you leave a league; we have no control over payments. This means that no matter what level of access the intruder has, your PayPal account is safe.

What have we done as a result of this attack?

We’ve been busy changing many things on the site to address the vulnerability. The result of this is that you will need to set a new user password; you will be prompted to do so when you first log in. An E-mail will be sent to your registered address with a link to change your password. Although we believe few passwords were compromised, we recommend you select a new one.

We have also taken the forums offline. We are currently evaluating other solutions for our message boards that are secure and frequently updated. We will be separating the support database from the forum; this will allow us to continue providing support while we bring the new forums online, and should allow us to provide you a more efficient support experience going forward.

We will try to either import the forum history into the new forums, or find another way to make all the forum posts accessible.

For the time being, all support requests should go through a support portal we set up at https://simdynasty.freshdesk.com/support/home.

What if I can’t remember which email address I have on file?

Open a support ticket at https://simdynasty.freshdesk.com/support/home and provide your username and the first and last name you registered at signup and we will work out a solution.

What about the intruder?

We recommend NOT responding to the intruder’s demand for money.  Naturally there is no indication that any payment would actually be respected by the intruder.

Credits for Outage

As a small measure to account for the outage and any inconvenience this may have caused, we will be placing $10 in credits in each paying customer’s account, past or present. In addition, we have added an additional $5 for each Speed League or Dynasty team you have beyond one. So if you have 4 teams, you will see a credit for $25.

Thank you to everyone for your support and understanding while we work through these issues.  

Thanks!
Chris, Tyson, and the Sim Dynasty Team


Play Ball

Baseball games are running! All scheduled processes are working. The Dynasty game that was missed on Thursday has been run, and the Trial missed games are running now. Other leagues will need to be caught up by hand.
 
A bug that was giving some people with mixed case usernames trouble logging on has been fixed. Some of you may be forced to log in again; you won’t have to change your password, just re-log in as the encryption on your cookie will be a bit different.
 
We are still working on getting the changes ported to football and getting new forums running. Thank you all again for your patience.

Doors Are Open

The doors are back open. Because it takes time for DNS changes to work through the Internet, you may still be getting redirected to the blog; depending on your ISP’s settings it may be a few minutes to a few hours before you can see the site again.

If your E-mail in our system is not current, you won’t be able to get in. If this is your situation, please go to https://simdynasty.freshdesk.com/support/home and click “New Ticket” in the upper right and give me your new address, your screen name, and your first and last name in our database. I may not get to these until morning as at this point I need some sleep.

-Chris


Re-Opening News

Thank you all for your support and patience!
 
We are working with our web hosts to get the blocks on our site released. We’ll let some testers in and make sure the attacks have not resumed, and then make a public announcement to re-open the baseball sim. I still have to port the changes to the football side.
 
Here is what you will find:
 
– The forums will not be available. We will likely have to start a new forum completely from scratch. Naturally, once both sims are back up this is our next priority.
 
– All passwords have been removed from the system. So the first time you connect, you will have to go through password recovery which will E-mail a password reset link to your registered E-mail.
 
– Once you are in, the game is essentially frozen. You will be able to make roster changes, complete trades, etc, but items dependent on the scheduler (drafts, games, offseasons, traded protests, etc) will not be moving forward.
 
– If all goes well, I will turn the scheduled processes on tonight so games will restart Monday.
 
– Many leagues will be behind schedule. I will be working to catch these up to where they should have been at the end of Thursday night. I will not try to run games that should have run Friday, Saturday or Sunday.
 
– We will be sending out an E-mail detailing what happened, what we’ve learned, what we’re doing in response, and how we will compensate owners for the missed time.
 
Since we have no forums, we will have to bring another support system online. Watch the site front page once the game is back up for more details.
 
Thank you again for all your support and patience. The biggest thing we have learned from this incident is what a fantastic community of owners we have.
 
-Chris and Tyson

Security Breach Update

SECURITY BREACH UPDATE:
 
We have been analyzing the site and forum logs, and have identified several attempted attack points starting about ten days ago. The site has an automatic hack detection system that logs the attack points (in this case one of the roster pages and a draft page). What we are seeing is that although the attacks on the site were turned away, they did find a few “soft spots” that we are in the process of patching now. If they had continued to probe those spots, they likely could not have gotten passwords but could have done some damage.
 
Interestingly, our investigation appears to show that rather than downloading the database as claimed, they seem to have looked up a few accounts to post to make it look like they had more than they did (and even those passwords weren’t all correct) as opposed to a systematic collection. Only a couple of the listed accounts are even active. So we doubt that very many people’s passwords were compromised. Nevertheless, we are proceeding assuming a worst case scenario and recommend that you do too, changing your passwords on sites where you may use the same username and password as Sim Dynasty.
 
We are working on the necessary changes to bring the site back up. Bringing the forums up may take longer. I am hoping to have the necessary changes into testing within a day or two.
 
We will be sending out an E-mail to all users with this information as well.