The following message was sent to all users, but unfortunately some users may have gotten it filtered out, or sent to spam. This is the official statement on the outage:
If you are an active owner, you undoubtedly noticed we have been offline since Thursday.
Our site suffered a security breach. Some or all of the user passwords may have been compromised.
All paying customers, past or present, will receive a $10 credit. In addition, anyone with more than 1 team will receive an additional $5 credit per team.
We expect the site will be back online Monday morning.
All user passwords have been reset. You’ll receive an email with a link to reset your password when you try to log in.
Games and other league events will resume on Tuesday.
Our site has suffered a security breach, similar to the ones that recently hit Equifax. Some or all of the user passwords may have been compromised. Through our analysis, our conclusion is that the third-party software we use to run the forums was the initial failure point; they were able to log into the forum as an Admin. The hackers also discovered the Admin password which is used by Admins on the game site to log into our administrative panel on the game site.
Once logged into the forums as an Admin, they used a built-in feature on the forums to email all the users with a blackmail email. We don’t know how many people received this email before we shut it down, but it was a good portion of you.
What information was compromised?
Using the administrative panel, they had access to all user names, email addresses, and passwords. Through our log analysis, it doesn’t appear they looked up more than a handful of accounts using this method. But to be safe, we are operating as if this information has been compromised and suggest you do as well. If you use the same email/password combination on other websites, we recommend you change your password on those websites.
What about my PayPal/Credit Card Info?
We do not store or have access to your credit card or PayPal information. PayPal “pushes” payments to us; we cannot “pull” payments from PayPal. This is why you have to manually cancel a subscription when you leave a league; we have no control over payments. This means that no matter what level of access the intruder has, your PayPal account is safe.
What have we done as a result of this attack?
We’ve been busy changing many things on the site to address the vulnerability. The result of this is that you will need to set a new user password; you will be prompted to do so when you first log in. An E-mail will be sent to your registered address with a link to change your password. Although we believe few passwords were compromised, we recommend you select a new one.
We have also taken the forums offline. We are currently evaluating other solutions for our message boards that are secure and frequently updated. We will be separating the support database from the forum; this will allow us to continue providing support while we bring the new forums online, and should allow us to provide you a more efficient support experience going forward.
We will try to either import the forum history into the new forums, or find another way to make all the forum posts accessible.
What if I can’t remember which email address I have on file?
What about the intruder?
We recommend NOT responding to the intruder’s demand for money. Naturally there is no indication that any payment would actually be respected by the intruder.
Credits for Outage
As a small measure to account for the outage and any inconvenience this may have caused, we will be placing $10 in credits in each paying customer's account, past or present. In addition, we have added an additional $5 for each Speed League or Dynasty team you have beyond one. So if you have 4 teams, you will see a credit for $25.
Thank you to everyone for your support and understanding while we work through these issues.
Chris, Tyson, and the Sim Dynasty Team