
Potential Database Breach

Update: I have released an update to this article with more information on the potential breach.

Original news post follows.

It is with a heavy heart that I must inform you of a potential database breach at Nexus Mods. I understand that sounds horrifically ambiguous at best, but the simple truth of the matter is that we have yet to confirm whether a database breach has occurred recently. In light of recent events, though, I cannot in good conscience leave you unwarned of the possibility.

I was first tipped off to a problem late on Friday night, when someone sent me a link to a Reddit post about a possible breach. The post explained that a security firm that looks after (or helps with the security of) several universities in America had contacted the universities' IT departments, who had then emailed their network users about a database breach at Nexus Mods. The email wasn't particularly informative.

I reached out to the security firm for more information, but was required to jump through hoops to access the sensitive details. I finally succumbed to sleep around 3am on Saturday morning and have yet to hear back from them, most likely because this has happened over a weekend and they don't work weekends.

While the email states flatly that we've had a breach, it is unfortunately too vague to draw any concrete conclusions from. We did have a database breach several years ago, when hackers gained entry to our systems by compromising the hosts of our file servers (a horrible way to be hacked, when it isn't even directly your fault), so this could be fallout from that earlier leak. It could equally be the result of recent database breaches at other major networks (the PlayStation Network, eBay and so on) and attackers correlating reused passwords against our accounts, or any number of other things.

Things became more suspicious yesterday when three Fallout 4 mods from three separate authors had their files changed, apparently by the authors themselves. Each changed archive contained a .dll file that, while it isn't flagged as malicious by our VirusTotal scanning (which runs every upload through 56 different antivirus engines), is still highly suspicious; a clean scan only tells you that none of those engines recognised the file, not that it is safe. All three authors have reported that it wasn't them who made the change. Everything indicates these author accounts were compromised. Once again, that isn't conclusive proof of a total database breach, but it is rather damning.

It was at this point I decided that the likelihood of a breach had risen enough that it couldn't wait for full confirmation before I informed the user base. Despite the fact there's still a chance there hasn't been a recent breach, the evidence is mounting, and I invoked Occam's Razor in writing this news post.

To clarify, we store all passwords in our database hashed and salted (i.e. not in plain text). This does not mean your passwords are completely safe, however. A password hash cannot be reversed to recover the password, but anyone who obtains your hash and its salt can guess candidate passwords, hash each guess with your salt and compare the result; given enough time and processing power, they will eventually hit the right one. The problem gets far worse if your password is a common word or very simple, because those are the guesses tried first. If you've ever wondered why some sites ask you to have at least one number and one "special" character, this is why: it pushes your password out of the wordlists attackers try first and makes it a lot harder to crack.

For any worried Premium Members, we do not store your credit card numbers, expiry dates or security codes at all. That's all handled by PayPal.

Because we haven't actually confirmed a recent breach, we haven't yet been able to plug any hole related to such a breach. Unfortunately this isn't like someone breaking and entering into your home, where there are obvious signs of tampering: broken locks or windows, missing or damaged things. This is an extremely complex process in which we look for the slightest anomalies to work out whether anything bad has actually happened, and then try to work out how it happened so we can close it off. It's not easy, and we're really trying our hardest. Obviously, we'll keep you updated as and when we have more information.

Right now, we wholeheartedly recommend changing your password here, and please ensure it's not a password you use anywhere else. In case it's not obvious: because we haven't found a breach yet, if there is one the attackers could access the database again, so updating your password now won't make it completely secure. However, if you update it now and make sure it's a complex password (minimum 8 characters in length, including special characters and numbers), then anyone who does obtain your hash and salt would need so much time to crack it that it would largely be a waste of their effort to even try. On top of that, if you use your Nexus password anywhere else, especially on "high profile" accounts like Steam, Xbox, PlayStation or the like, change it there immediately to be on the safe side.

Please respect and follow safe password practices. Complex passwords of a minimum length of 8 characters that you change regularly (ideally every couple of months) really are a must on any account you care about.
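The following is an added example that illustrates the hashing explanation and the password advice above; it is not Nexus Mods' code, and the post does not say which hash function the site uses, so PBKDF2-HMAC-SHA256 with a random 16-byte salt and the work factor below are assumptions. It stores a password the way the post describes, verifies it, and then plays the attacker who has obtained the hash and salt: there is nothing to decrypt, so the attacker hashes guesses with the victim's own salt, and a password that appears in a common wordlist falls immediately while one that does not is never found.

```python
"""Salted password hashing, and why a leaked hash still falls to guessing.

Added example for this post; it is not Nexus Mods' code. The post does
not name the site's hash function, so PBKDF2-HMAC-SHA256 with a random
16-byte salt is an assumption made here.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Work factor (assumption). The real value should be as high as your login
# latency budget allows; demo() lowers it so the guessing loop runs in seconds.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack(record: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker holding the leaked record does: there is nothing to
    decrypt, so each guess is hashed with the victim's own salt and compared.
    The salt defeats precomputed tables, not this per-user guessing; only the
    work factor and the unpredictability of the password slow it down."""
    for guess in candidates:
        if verify_password(guess, record):
            return guess
    return None


def demo():
    """Constructed data: a tiny wordlist of the kind attackers try first,
    one password that is in it and one that is not."""
    wordlist = ["password", "123456", "dragon", "fallout4", "dragon123",
                "Dragon123", "letmein", "qwerty"]
    weak = hash_password("dragon123", iterations=2_000)           # in the list
    strong = hash_password("v9#Lq!x2Rt$7mZp", iterations=2_000)   # not in it
    return crack(weak, wordlist), crack(strong, wordlist)


if __name__ == "__main__":
    cracked_weak, cracked_strong = demo()
    print("weak password recovered as:", cracked_weak)
    print("strong password recovered as:", cracked_strong)
```

The record format carries its own iteration count so the work factor can be raised later without invalidating old hashes; `hmac.compare_digest` avoids leaking how many bytes of the digest matched through timing.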

On the site security front, and while not related to a database breach such as this, we have for some time been actively working to get the entirety of our network served over SSL/TLS (an encrypted connection) rather than just our Premium Member payment pages. Unfortunately this isn't as simple as paying for a certificate and slapping it on the site. There are complications with the way we serve and transmit our files, especially in regard to our CDN (every file download has to come over the encrypted connection too, or pages would mix secure and insecure content), that make things complex.

In a similar vein, two-factor authentication has been on our to-do list for a while now. Considering the ever-increasing popularity of the network, we'll bump the priority of this functionality right up the list and hopefully get something out very soon. I'd highly recommend you check right now that the email address tied to your Nexus account is correct and current, as any such system is likely to rely on a valid email address in order to function properly.

While breaches often suggest the contrary, we take security extremely seriously and try our utmost to ensure it. On a personal level, it's horrific for me to find out about these things. You guys trust me with your data and trust that I'll keep it secure, and sometimes I fail in that despite my best attempts. I'm very sorry about this. It leads to many sleepless nights and a toilet pan that utterly resents me. We spend about £40,000 ($60,000 USD) a year on professional mitigation and prevention systems to directly prevent malicious people from accessing or altogether destroying these sites. We block hundreds of malicious attacks on our network every day, sometimes even thousands. Often these come from automated bots constantly prodding at our servers looking for weaknesses, sometimes from dedicated malicious individuals who want to gain access. We've blocked hundreds of thousands of attempted intrusions, but it only takes one to get through, despite our best efforts, for the failure to be complete.

I'm sorry for (potentially, at this point) breaking your trust in us. We'll continue working away at this to get a conclusive answer and, when we do, you'll be the first to know.

Update: Many people have asked about the three Fallout 4 files that were mentioned in this post. The three files affected were:

- Higher Settlement Budget (downloads from 5th December)
- Rename Dogmeat (downloads from 4th December)
- BetterBuild (downloads from 29th November)

The suspect file contained in the archives was called "dsound.dll". Note that dsound.dll is also the name of the legitimate Windows DirectSound library, which lives in your Windows system directory (System32, plus SysWOW64 on 64-bit Windows). Those system copies are not the file in question and should not be removed. The suspect copy is the one that came out of the mod archives, so look for it wherever your mod manager extracted those mods' files and compare it against the archive you downloaded.

  1. Dark0ne • Site Owner • 2,885 kudos
    I have just released an update to this news post in a separate article.

    To prevent messages and questions being spread between both comment topics, I am now closing this older news article.

    If you have anything you'd like to say or share on this topic then please use the other new article's commenting system.

    Thank you.
  2. Dovahkiin567 • member • 0 kudos
    A few days ago, I noticed a pop-up saying that I may have a virus. This pop-up occurred while I was on the Nexus website. I called tech support and ended up getting patched through to some call centre in India, where the technician did some kind of scan on my computer through some remote control session, and the scan said that I had a virus called Koobface. I didn't know if this was a hoax or the real deal, but I installed anti-virus software nonetheless. Could this be related to this database breach? I would also like to point out that in the last month or so, I have been automatically sent to a seemingly fake webpage that wanted me to install something on my computer, which I immediately closed. Each of these incidents occurred while I was on the Nexus website, so someone might want to look into that as well.
    1. Roguer • premium • 8 kudos
      Umm, you've been scammed. And the "remote control" session they did most likely installed an actual virus right there and then.
  3. N3X15 • premium • 2 kudos
    If you're still getting attacked, I HIGHLY recommend putting the site into maintenance mode, chmod 000 the entire site, or redirecting it to a static page/blog until you've found how they're getting in and patched it. If the attackers are still putting up executable files, it's time to quarantine the site for the users' protection.
  4. VampZombie • member • 0 kudos
    I seem to have multiple dsound.dll files on my system: there are 4 dsound.dll files in C:/Windows and 1 dsound.dll in D:/Fallout4/data, and I do seem to recall downloading one of the listed mods, I just can't remember when. Would it be safe to delete dsound.dll in the Fallout folder?
  5. vepha • premium • 3 kudos
    If there was/is a breach and they manipulated some files, then most likely everyone who downloaded it once is infected; deleting files/reinstalling will not really help much, especially if the virus cannot be identified by security programs. Such breaches are not done by rookies.

    Luckily Nexus informed us so soon; most others would wait until it is 100% proven. So thanks.

    We can hope for the best of course, but I wouldn't count on that. I would do a few things to make sure I am safe no matter what.

    I would suggest 2 things: if Nexus has ever stored your very personal data like purchases, then go ahead and inform your Visa/credit card company and double the security with something like "no purchases without live approval from your private mobile device" (like SMS approval) as the first step.

    Change your passwords for ALL the sensitive accounts (emails, banks, online shops) on a DIFFERENT computer! And try not to use them on the machine where mods are installed. Just to make sure.

    just my opinion and suggestions, nothing more.

    One more thing: this happens all the time; it doesn't mean you are or you are not safe, if that made sense.

    Cheers
  6. GrnGbln • supporter • 0 kudos
    At the risk of coming across as a dunce, I did a system search for dsound.dll and found one instance in my System32 subfolder. Is this normal or should I remove it (no, I won't delete the System32 file so don't even try it)?
    1. Fo0 • premium • 0 kudos
      NO, do not remove it. Your system needs dsound.dll to run properly.
  7. literallybyronic • premium • 135 kudos
    I downloaded "BetterBuild" on Nov 27th and it still contains this dsound.dll, FYI.
  8. AmyrlynBlue • premium • 0 kudos
    I wanted to know if it would be a good idea to uninstall the mods I have been using for Fallout 4 until the security breach has been dealt with. They are the only mods I have installed (and I have been grateful for them), but if it is too risky to use them atm, I need to know. Thanks.
    1. Antroz59 • member • 0 kudos
      I think that the "unsafe" mods are the ones listed below. If you don't use any of these, you might be able to use your mods without any security issues.
  9. mallak75 • supporter • 0 kudos
    I downloaded BetterBuild on the 26th and it had the .dll file in it.
  10. bben46 • premium • 781 kudos
    DO NOT remove the System32 file. If you do, your entire Windows is borked and will have to be reinstalled. Just don't do that. Not even to test.
    1. GrnGbln • supporter • 0 kudos
      So, to be absolutely, 100% clear, I should NOT remove the dsound.dll from the system32 folder?
    2. Doxxy • supporter • 0 kudos
      Generally a bad idea to start randomly deleting files out of the Sys32 folder. I'm not saying you can't, I'm just saying it's a really bad idea, and you shouldn't.
    3. GrnGbln • supporter • 0 kudos
      I know this, but the file has the same name as the one we have just been warned about.
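Several commenters above (VampZombie, GrnGbln, bben46) ask which of the dsound.dll copies on their machine are the expected ones. The script below is an added example, not a comment from the thread and not Nexus Mods' advice: it walks the directories you give it, classifies every dsound.dll as either a copy under the Windows system directories (System32, SysWOW64, WinSxS, which is where the legitimate DirectSound library lives) or an application-local copy sitting beside a program, and records each file's SHA-256 so copies can be compared with one another and with the archives you downloaded. Windows searches a program's own directory before the system directory for DLLs that are not "known DLLs", which is why the application-local copies are the ones worth inspecting. The directory layout in `demo()` is a constructed temporary tree; nothing here identifies the malicious file, which the post characterises only by name.

```python
"""Triage every dsound.dll on a machine: expected Windows copies versus
copies that sit beside a program.

Added example for this thread, not Nexus Mods' code or advice. It assumes
the Windows layout (System32, SysWOW64, WinSxS hold the legitimate
DirectSound library); demo() builds a constructed temporary tree.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Union

# Windows looks in a program's own directory before the system directory for
# DLLs that are not "known DLLs", so a dsound.dll placed next to an executable
# is what that program loads. System copies are therefore not the concern;
# application-local copies are.
SYSTEM_SUBDIRS = ("System32", "SysWOW64", "WinSxS")

PathLike = Union[str, Path]


def sha256_of(path: Path) -> str:
    """Stream the file so large DLLs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_under(path: Path, root: Path) -> bool:
    """True when path resolves to somewhere inside root."""
    try:
        path.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def classify_dll(path: PathLike, windows_dir: PathLike) -> str:
    """'system' for copies under the Windows system directories,
    'app-local' for anything else (a game or mod folder, for instance)."""
    path, windows_dir = Path(path), Path(windows_dir)
    if any(is_under(path, windows_dir / sub) for sub in SYSTEM_SUBDIRS):
        return "system"
    return "app-local"


def find_copies(roots: Iterable[PathLike], windows_dir: PathLike,
                name: str = "dsound.dll") -> List[Dict[str, str]]:
    """Walk each root and report every file called `name` (case-insensitive)
    with its classification and SHA-256."""
    findings = []
    for root in roots:
        for p in Path(root).rglob("*"):
            if p.is_file() and p.name.lower() == name:
                findings.append({"path": str(p),
                                 "class": classify_dll(p, windows_dir),
                                 "sha256": sha256_of(p)})
    return findings


def app_local(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The copies to compare (by hash) against the mod archives you
    downloaded, rather than deleting anything from System32."""
    return [f for f in findings if f["class"] == "app-local"]


def demo():
    """Constructed sample: a fake Windows tree plus a game folder, each
    holding a dsound.dll with different contents."""
    with tempfile.TemporaryDirectory() as tmp:
        windows = Path(tmp) / "Windows"
        game = Path(tmp) / "Games" / "Fallout4"
        (windows / "System32").mkdir(parents=True)
        game.mkdir(parents=True)
        (windows / "System32" / "dsound.dll").write_bytes(b"stand-in for the real library")
        (game / "dsound.dll").write_bytes(b"stand-in for a file from a mod archive")
        findings = find_copies([tmp], windows)
        return findings, app_local(findings)


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding["class"], finding["sha256"][:16], finding["path"])
```

On a real machine, call `find_copies` with your drive roots and `Path(os.environ["SystemRoot"])` as `windows_dir`; two application-local copies with different hashes, or a copy whose hash does not match the file inside the archive you downloaded, is the thing to investigate.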