Update: I have released an update to this article with more information on the potential breach.
Original news post follows.
It is with a heavy heart that I must inform you of a potential database breach at Nexus Mods. I understand that sounds horrifically ambiguous at best, but the simple truth of the matter is that we have yet to fully confirm the database breach has occurred any time recently but, in light of recent events, I cannot in good conscience not warn you of the potential for such an eventuality.
I was first tipped off to a problem late on Friday night when a link to a Reddit post
was sent to me about a possible breach. The post explained that a security firm that looks after (or helps with the security for) several universities in America had contacted the IT departments who had then contacted the university network users about a database breach at Nexus Mods. The email wasn't particularly informative
I reached out to the security firm for more information but was required to jump through hoops to access sensitive information, finally succumbing to sleep around 3am on Saturday morning, and have yet to hear back from them, likely because this has happened over a weekend and they don't work weekends.
While it seems clear cut that we've had a breach from that email, unfortunately, it's too ambiguous to draw any concrete conclusions. We indeed had a database breach several years ago when hackers gained entry to our systems by hacking our file server hosts (a horrible way to be hacked, when it's not even directly your fault), so this could potentially be a result of that previous leak, or it could be a result of recent database breaches at other major networks (like the Playstation Network, EBay or otherwise) and hackers correlating information from reused passwords, or any number of things.
Things became more suspicious yesterday when three Fallout 4 mods from three separate authors had their files changed by the author's themselves, but the file change contained a .dll file that while it isn't being reported as a virus by our Virus Total system (that scans files using 56 different virus scanners), it is still highly suspicious, and the authors have reported it wasn't them who did it. Indications suggest these author accounts were compromised. Which, once again, isn't conclusive proof of a total database breach, but is rather damning.
It was at this point I decided that the possibility of a breach had increased enough that it couldn't wait for us to fully confirm it before informing the user base. Despite the fact there's still the potential there hasn't been a recent breach, the evidence is mounting up now and I invoked Occam's Razor in writing this news post.
To clarify, we store all passwords in our database in a hashed and salted system (i.e. not plain text). This does not mean
your passwords are completely safe, however. Because all encryption is a mathematical formula based around how complex it is to crack, given enough time and processing power almost all forms of encryption can be cracked eventually. The problem gets worse if your password is easily recognisable or very simple. If you've ever wondered why some sites ask you to have at least 1 number and one "special" character, this is why. It makes passwords a lot harder to crack (and yes, we'll implement these forced requirements soon, too). Because of this, it's possible this is a result of the database breach from a few years ago coming back to haunt users that haven't changed their passwords. The problem is, we're just not sure yet.
For any worried Premium Members, we do not store your credit card numbers, expiry dates or secure numbers at all. That's all handled by Pay Pal.
Because we haven't actually confirmed a recent breach it means we haven't plugged any holes related to such a breach. Unfortunately this isn't like someone breaking and entering into your home, where there are obvious signs of tampering; broken locks or windows and missing or damaged things. This is an extremely complex process where we look for the slightest of anomalies to try and work out whether anything bad has actually happened, and then try to work out how that bad thing actually happened so we can plug it. It's not easy, and we're really trying our hardest. And obviously, we'll keep you updated as and when we have any more information.
Right now, we wholeheartedly recommend changing your password here
and please ensure it's not a password you use anywhere else. Just in case it's not obvious; because we haven't found a breach yet, if there is a breach, it means they could access the database again, so just updating your password now won't make it completely secure. However, if you update it now and make sure it's a complex password (minimum 8 characters in length, including special characters and numbers) then you're ensuring that anyone who does have your hash and salt would take such a considerable time trying to crack it that it would largely be a waste of time for them to even try. On top of that, if you use your Nexus password anywhere else, especially on "high profile" accounts like Steam, XBox, Playstation or the like, change it immediately to be on the safe side.
Please respect and follow safe password practises. Complex passwords of a minimum length of 8 characters that you change regularly (ideally every couple of months) really are a must on any account you care about.
On the site security front, while not related to a database breach such as this, we have been actively working to get the entirety of our network under SSL/an encrypted connection rather than just our Premium Member payment pages for some time now. Unfortunately this isn't as simple as paying for an SSL cert and slapping it on the site. There are complications with the way we serve and transmit our files, especially in regards to our CDN, that make things complex.
In a similar vein, we've had two-factor authentication on our to-do list for a while now. Considering the ever increasing popularity of the network we'll bump the priority of this functionality right up the list and hopefully we'll get something out very soon in that regard. I'd highly recommend you ensure the email address tied to your Nexus account right now is the correct email address, as it's likely any such system will make use of a proper and valid email address in order to function properly.
While breaches often suggest the contrary, we take security extremely seriously and try our utmost hardest to ensure it. On a personal level, it's horrific for me to find out about these things. You guys trust me with your data and trust that I'll keep it secure, and sometimes I fail in that despite my best attempts. I'm very sorry about this. It leads to many sleepless nights and a toilet pan that utterly resents me. We spend about £40,000 ($60,000 USD) a year on professional mitigation and prevention systems trying to directly prevent malicious people from accessing or altogether destroying these sites. We prevent hundreds of malicious attacks on our network every day, sometimes even thousands. Often these come from automated bots constantly prodding away at our servers looking for weaknesses, sometimes from dedicated malicious individuals who want to gain access. We've prevented hundreds of thousands of attempted intrusions, but it only takes one to get through, despite our best efforts, for the failure to be complete.
I'm sorry for (potentially, at this point) breaking your trust in us. We'll continue working away at this to get a conclusive answer and, when we do, you'll be the first to know.Update:
Many people have asked about the three Fallout 4 files that were mentioned in this post. The three files affected were:
- Higher Settlement Budget (downloads from 5th December)
- Rename Dogmeat (downloads from 4th December)
- BetterBuild (downloads from 29th November)
The suspect file contained in the archives was called "dsound.dll".