Just a quick heads up that we're currently testing out the implementation of SSL security across the Nexus site (not the forums, yet).
The switch has been flicked and you should be seeing a nice padlock in your URL bar while browsing the site. Some pages aren't showing a green padlock yet due to links to the non-SSL side of the forums.
While initial testing has been positive, we'd appreciate it if you could let us know if you notice any errors, issues or anomalies browsing the site today as we cannot extensively test every single last nook and cranny of these sites as effectively as a few hundred thousand of you folks today!
Thanks for your time.
We’re currently in the process of adding new features into Nexus Mod Manager, Robin covered it briefly in a previous news post, so I’ll try and expand a little more.
What we are aiming for with NMM is a piece of software that will make the installation, management and visibility of mods incredibly easy and open. You see a mod you like on our site, you click ‘Download with NMM’ and have it seamlessly downloaded, unpacked and placed in the right location with minimal fuss. Don’t like the file, then click to uninstall and NMM will go through and ensure that all remnants of that file are removed and your game functions exactly as it did previously. We’ve not really scratched the surface of advanced modding techniques yet, but we’ll get there once we’ve sussed out the simple stuff!
The thing is, with a bare-bones team behind the scenes here at the Nexus, testing and bug finding is a very long and tedious process, and we often miss things that an extended team might pick up on. So we are looking to find some current users of the NMM to join Robin, myself and the team in testing the future builds and helping us develop a concise and user-friendly bit of software.
You will be added to a closed focus group that will be dedicated to the NMM platform and be able to try out new test builds before we publish the new version to the masses. It’ll be your job to try and break the test builds and inform us of the problem so we can fix it.
If you fancy joining in then either drop me a PM through the site or an email email@example.com and I will send you an invite through a piece of software called ‘Slack’. We have once again had such a huge response that this group is now full... Thank you so much to everyone that has volunteered!
Here we will have a number of channels where you can discuss bugs you find for a particular build, ideas you have for improving the software or even just to chat about the weather. Within the group you will have direct access to Robin, Tom, Dave and myself along with the NMM developers and with all of us working together we’ll move the NMM platform onwards and upwards.
Our current tests involve the new ‘Profile backup and sharing’ functionality. Here a user can save their mod profile and have it backed up on the Nexus Mods site. This profile can either be kept as a personal backup, available only to yourself, or it can be shared with other users, allowing them to download any mods they’re missing from your profile and have it setup exactly how you have it (including scripted installer options, installation order and load order). The result being they can play their game with the exact same mods and options as yourself.
In addition, we'd like to invite those of you interested in directly helping us with the development of NMM to the new repo we've opened on Github. Though NMM has always been open-source, we're hoping that the well-known Github interface and functionality will inspire even more collaboration. We're always on the lookout for new and better ways of doing things as well as expanding NMM's feature-set. So, if you're familiar with modding and software development, your contributions will undoubtedly go a long way in helping us offer a better modding experience for everyone.
Thanks to everyone for their assistance.
Update: This issue should now be resolved.
We're aware of some issues with our download mechanism today which certain users are experiencing on certain files. The problem stems from our current work trying to get the sites switched over to a fully SSL secured system -- a complex and costly procedure we've been working on for some time now to better secure our sites and your user data.
Because of the way this is affecting the CDN, this issue is likely to get worse before it gets better as the CDN cache begins to empty out. We obviously hope to get it fixed as soon as possible, but it could take some time. Hopefully hours, rather than days!
To help us sort out our ad serving we’ve added a new “report this ad” feature underneath any ad placements on the site. This functionality will quickly let us know about the ad placement you’re reporting which we can then pass on to our ad supplier to help them quickly get to the root of the problem.
A bad ad that we would appreciate you reporting if you see it would be considered as:
- Any ads with auto-playing sound.
- Any ads that look like those crazy epilepsy inducing ads of the early 2000s with flashing colours.
- Any pop-ups. We do not use pop-up ads.
- Any ads that “break” the page layout as they’re larger than the space they’re supposed to fill.
- Any ads that automatically redirect the user away from the page. That’s a massive no-no.
- Obviously, any malicious ads (e.g. ones that your anti-virus program says are unsafe).
The ad spaces we use: a 728x90 pixel banner below the top navigation and above the site content, a 300x250 box ad either on right navs or next to the file stats on file pages, a 728x90 at the bottom of the page and a 300x250 at the bottom of the page. If you see anything else, it’s wrong, and we want to know about it!
Personally, I’ve been less than impressed with our ad provider of late. I’ve had many reports of issues that have been too numerous to ignore. I have been applying considerable pressure for them to sort out the issue but, without proper reporting, it’s hard to gauge just how endemic the issue is. It’s our hope that this new functionality will show us the extent of the problem so I can make a more informed decision about what to do next, whether it’s applying the right level of pressure backed up with statistics this new functionality will provide us, or looking for a new supplier altogether.
I understand that talking about ads is utterly undesirable. They are an unfortunately necessary scourge of the internet because there’s just no other way of paying for the servers and staff that keep resource intensive sites like this afloat. This year, Nexus Mods is projected to need £550,000 to keep running ($780,000). A figure that’s more than doubled in just under two years as we’ve continued to grow. We just can’t do it without ads on the site.
With this in mind, we have recently finished work on a slightly improved experience for users of this site who do not use Adblock. We are yet to release this functionality as I want to get a grasp of the current ad situation before I implement a system that incentivises turning off adblockers.
Because any talk of ads brings with it recommendations from certain users in the comments that everyone turn on their adblockers (something I find slightly rude, I won’t lie), I feel it necessary to talk about an upcoming feature we’ll be adding to the sites.
I understand and I get Adblock, and I understand and get why people use it. Whether it’s privacy, security, or just removing an annoyance. But unfortunately I have to sit on the other side of the argument simply because, if everyone used Adblock, then this site wouldn’t be able to afford paying the $780,000 bill this year. Indeed, the only reason why Adblock has “worked” up to this point is because there’s still enough users out there not using it to subsidise the people who are. As it stands, roughly 45% of Nexus users, who aren’t Premium or Supporters, use Adblock. That’s quite a high number. If that number gets much higher, we’re going to have serious issues. The same applies to many, many more of your favourite sites online.
There’s been a recent increase in sites not allowing users who use Adblockers on the site being spearheaded largely by the already dying newspaper industry’s websites online. A high-profile example is Forbes.com. I think we’re going to see more of this sort of stuff in the coming years. It’s a big deal on the internet right now as Adblock user numbers increase. However, I do not plan nor want to go that route at all. Instead, I want to thank those users who do not use an Adblocker by giving them a slightly better experience on the sites, without penalising Adblock users at all. Just to confirm, this new system will not change anything, at all for users who keep their adblockers on. For adblockers, the site will remain exactly the same as it is now and you won’t be locked out of anything you’re not already locked out of now (e.g. Supporter Image Share). Guaranteed.
The idea is to have a tiered system of membership with adblock users, non-adblock users, Supporters and Premium Members offering different levels of advantages. What you have right now, as a normal non-Supporter, non-Premium user of the site will be the adblock user level. So if you’re perfectly content right now, nothing is changing for you. Users who do not use adblockers will get a 50% download speed boost on the sites. Rising from 1MB/second to 1.5MB/second. A thank you from us, to you, for not using an adblocker. Supporter perks will remain the same, except for also gaining the 50% download speed boost, and Premium will remain unchanged as they already have uncapped download speeds among other perks.
The idea is not to punish people who use Adblockers. The idea is to incentivise turning off Adblockers and to thank those users who don’t use them on Nexus Mods. It’s an attempt at a positive reaction to Adblockers rather than the largely negative ones we’re seeing elsewhere online. With the raucous amount of abuse thrown out about advertising online, it’s only right that we thank users who willingly browse the sites with the ads turned on for helping to support the upkeep of the sites.
I’d like to remind users that Supporter membership on the site, which costs just £1.29 (roughly $2) and applies to your account forever (e.g. it’s not £1.29 a month, it’s just a one-off £1.29 to permanently be upgraded) removes all ads on the site for you. Similarly, if you become a Premium Member even for a single month (£2.99, roughly $4.25) you will never see ads on the site ever again, even after your Premium Membership expires. The idea being to make it as cheap as possible to remove the ads on the site, and to negate the often seen criticism elsewhere on the web that “there’s no cheap way to remove ads, so I use an adblocker”. I’m sorry, you can’t use that excuse here.
We’ll likely wait a month or two to release this new Adblocker incentive while we analyse the reports we get on our current ad setup with the new ad reporting system this news post was originally all about. I want to ensure the ads we’re serving are as tight and right as possible before suggesting to otherwise skeptical Adblock users that they help us out by turning them off.
It came to our attention last week, in a random forum post unrelated to the topic, that the unique file download stats have been broken for quite some time now. I honestly had no idea this was the case.
The unique download stat you see on file pages is supposed to tell you how many individual members have downloaded a file. Irrespective of how many times that user comes back to download that file (or multiple versions of a file on the same page) the unique download counter should only go up once per user who downloads from a file page. As an example, imagine a new user goes to the SkyUI file page for the first time. There are currently 14 files available for download for SkyUI. The first time the user downloads SkyUI the unique download counter will go up by 1. The second time the user downloads that file, or any other file on that page, the unique download counter should not increase by 1 again.
On top of that, each individual file uploaded to the file page (in SkyUI’s case, 14) has its own unique download counter as well. These are file specific. So if I download SkyUI 1.0 a total of 5 times, and SkyUI 2.0 a total of 5 times, then the unique download counter for SkyUI 1.0 will go up by only 1, the unique download counter for SkyUI 2.0 will go up by 1, and the unique download counter for the SkyUI file page as a whole will go up only by 1. In contrast, the total download counter for SkyUI 1.0 will go up by 5, the total download counter for SkyUI 2.0 will go up by 5, and the total download counter for the SkyUI file page as a whole will go up by 10.
As a result, you end up with two markedly different figures; unique downloads tells you how many individual members have downloaded the mod. Total downloads tells you how many times the file has been downloaded overall, unique or not. The disparity can go some way to showing you how many users like the mod enough to update it through multiple versions, among other things, though you take that with a pinch of salt, of course.
Users who download the file without being logged in (any files under 2MB can be downloaded without an account) do not count towards the unique download counter at any time, but will count towards the total downloads. This is because we cannot accurately track unique download statistics for non-logged in users due to the prevalence of dynamic IP addresses. As such, unique downloads are only based on registered members downloading files.
That is how it was supposed to work. That is how I actually thought it did work. However, that’s not how it was working up until today.
To explain how it was wrongly counting the figure before I’ll go back to the SkyUI example. Before, if I download SkyUI 1.0 a total of 5 times, and SkyUI 2.0 a total of 5 times, then the unique download counter for SkyUI 1.0 will go up by only 1, the unique download counter for SkyUI 2.0 will go up by 1, and the unique download counter for the SkyUI file page as a whole will go up by 2. As a result, if I were to download all 14 files on the SkyUI page then the unique download counter for the SkyUI file page as a whole would have gone up by 14.
This meant that up until now, the unique download counters for file pages were incorrect and not accurate. The unique download counters for the individual downloadable files themselves (e.g. SkyUI’s 14 individual files available from the “files” tab on the file page) were correct, just the overall total unique downloads for the file pages were wrong.
Over the past four days we’ve been running a script in the background to go through all 1.4 billion downloads we’ve logged to date in our file database and recalculate the correct unique download counters. We’ve also patched out the error in our calculations to ensure the correct counting method is used. The figures you now see on the site are the correct, fixed figures. Initial comparisons show a 30%-50% change downwards for most file pages’ unique download counters.
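The counting rules described above, worked through as an added example (this is not Nexus Mods' own code; the event tuple layout, the function name and the sample data are assumptions made for illustration). It computes the total and unique counters per file and per page, and also the old page-level figure that summed the per-file unique counts:

```python
from collections import Counter, defaultdict


def tally(events):
    """Compute download counters from a download log.

    events: iterable of (member_id, page, file_name). member_id is None for
    a download made without logging in (hypothetical layout for this example).
    """
    file_total, page_total = Counter(), Counter()
    file_members = defaultdict(set)   # (page, file) -> member ids seen
    page_members = defaultdict(set)   # page -> member ids seen

    for member_id, page, file_name in events:
        # Every download counts towards the totals, logged in or not.
        file_total[(page, file_name)] += 1
        page_total[page] += 1
        if member_id is None:
            continue  # anonymous downloads never count as unique
        file_members[(page, file_name)].add(member_id)
        page_members[page].add(member_id)

    file_unique = {key: len(ids) for key, ids in file_members.items()}
    # Correct page figure: distinct members across all files on the page.
    page_unique = {page: len(ids) for page, ids in page_members.items()}
    # Old, wrong page figure: the per-file unique counts added together,
    # so a member who downloads N files on a page is counted N times.
    page_unique_old = Counter()
    for (page, _file_name), count in file_unique.items():
        page_unique_old[page] += count

    return {
        "file_total": dict(file_total),
        "file_unique": file_unique,
        "page_total": dict(page_total),
        "page_unique": page_unique,
        "page_unique_old": dict(page_unique_old),
    }


# Constructed sample log: member 1 downloads two versions five times each,
# member 2 downloads one version once, and one download is anonymous.
SAMPLE_EVENTS = (
    [(1, "SkyUI", "SkyUI 1.0")] * 5
    + [(1, "SkyUI", "SkyUI 2.0")] * 5
    + [(2, "SkyUI", "SkyUI 2.0")]
    + [(None, "SkyUI", "SkyUI 2.0")]
)

if __name__ == "__main__":
    for name, values in tally(SAMPLE_EVENTS).items():
        print(name, values)
```
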
I understand that it can be disheartening to log on to your file pages today to find your unique download counts revised down, a lot. I’m sorry about that. However, I’m sure everyone would rather the correct, accurate figures were shown rather than sticking with the incorrect figures.
Well we've entered 2016 with a productivity bang, all hands are on deck and there is plenty going on behind the scenes here at the Nexus so I thought I'd give you all an insight into what's happening...
Firstly a quick recap - we began the redesign process in the second half of 2015 by first trying to work out what our users like and dislike about the site. We were overwhelmed with the response to our survey which provided us with a wealth of information, our community is definitely one of the best in the world and it was great to see how truly passionate you all are in regards to our site.
A lot of people commented as to how they cannot browse the site on anything other than their PC, others were more interested in trying to find mods quickly and easily, others just wanted the site to be made 'fresher' and 'inline with modern web standards'. We took the time and read through each and every response that we received, that in itself took several weeks.
We decided to aim towards specific goals that were brought up over and over again, the first is for us to create a cracking mobile / tablet / responsive experience so that the site can be enjoyed by any user on any device, but without this experience lessening the experience from our core crowd of users who still visit the Nexus via their desktops. Secondly, we want the site to be easy to navigate around with search deeply integrated with the main functions, and thirdly, we want it to look nice and be a pleasure to use. The list goes on and on, but you get the general gist.
We knew that we weren't going to be able to do this all ourselves and that we were going to need some help from a professional, so we advertised for a UX/UI designer and got a great response from a number of people. Each person brought something to the table but after a lot of deliberation we contracted Phill into the position. He immediately took it upon himself to read through the research we had already conducted (survey results, hot-spots, device statistics) and started producing diagrams and wireframes for us to check out based on his conclusions from the research.
Things were moving along swiftly, but we wanted input from the community and setup a focus group of 15 Nexus users to help. This group has been nothing but brilliant, right from the word go we have had a constant and thorough source of input from them. What has been great is that they come from such a diverse demographic that they represent a great cross section of the Nexus community, giving us an all around feel for what we are doing and whether it would or wouldn't work. I tip my hat to them for the time and effort they have expended on assisting us, it's not over yet though guys ;)
The focus group talks on behalf of the Nexus users. While we would love to include everyone in every stage of the design process, I hope you can appreciate that having 10 million people all chiming in on any sort of process is just completely untenable. I understand that some people are concerned that they’re not being more involved in the process, however, we believe we’ve done well by you these past 14 years and ask that you trust that we’ve got everyone’s best intentions in mind once again!
With the focus group onboard we went full steam ahead on the wireframes. These proved invaluable to begin placement of features on the site and begin to visualise the site routes that people would take to do things.
An example of one of the wireframes we used is below, please note that these are old wireframes and may not reflect the final layout / look of the site.
After the wireframe stage we worked on design mocks, which included things like fonts, icons, more placement tests and colour schemes. Again, please note that these are old designs and may not reflect the final layout / look of the site.
Our aim now is to get the site to a stage where we can open it up to run alongside the current site, at first simply as a shell to allow you to experience it and see if it breaks when you try and do things. But should this be successful it will then be attached to the live database and you will be able to use it alongside the existing site. Between us we’ll iron out any bugs that are discovered and hopefully come out the end with a product that is better, and that we are all proud of.
For those interested, I’ve created a small timeline of events since the beginning of the redesign process.
Any questions, please feel free to get in contact.
I still play XCOM: Enemy Unknown and despite its age, it still feels fresh to me thanks to thoughtful design and mechanics, classic sci-fi setting, white-knuckle tactical action, and of course mind blowing mods like XCOM: Long War.
2K has apparently done it again! XCOM 2 has been in the hands of reviewers and word on the street is nothing but praise. It seems they’ve taken the beloved formula of mixing global decisions with explosive tactical action to new heights that include procedural environments, stealth mechanics, and so much more.
This time around the folks at 2K really seem to have kept us modders in mind throughout the development process as the new title has been designed to be extremely moddable. This isn’t hyperbole, either. In fact, they’ve teamed up with our friends at Long War Studios (who, by the way, have begun work on their own game), to offer fully functional mods day-one. See their announcement here: https://xcom.com/news/en-long-war-studios-preparing-three-xcom-2-mods-for-launch
Needless to say, we’re super-excited! We’re prepping a new XCOM 2 Nexus Site to discuss and share your creations that will launch soon. Likely shortly after the game is released, Friday.
In other news...
=== ATTENTION MOD AUTHORS ===
This likely doesn’t affect many, but some of you may remember. Long ago, we relied on a webserver plugin to help manage large file uploads. We don't know exactly when this plugin stopped working on our servers, but we believe that it hasn't been functional for quite some time. As a result, several mod authors who've wanted to upload very large files have been struggling.
To put it bluntly, at the moment we cannot guarantee files that are ~2GB or larger in size will successfully complete the upload process. This can result in uploads never finishing or files not appearing after what seems like a successful upload. Even if the website does report that the file has been successfully transferred there is still a chance that the file is corrupt. You can usually confirm this if there is any discrepancy between file sizes.
I know. Annoying, right! So, we’ve started some research to resolve this issue in earnest. We hope to A) get a solution in place quickly, and B) provide more flexibility for large downloads. We’re not sure whether we’ll custom build a solution or implement an existing package, but know that we’re looking to fix this problem sooner rather than later. I’ll keep you updated.
For the time being, as a temporary work-around, Paul (our lovely Director of Content) has graciously offered to “hand-deliver” any large files (~2GB+) that need to be uploaded. There will be some logistics that’ll need to be worked out, such as delivery methods, descriptions, categories and such. However, by providing him with your file, he’ll be able to inject it into the site without issue. He can be reached as BlindJudge on the forums or firstname.lastname@example.org. Thanks, Paul!
Phew. Now that that’s out of the way, I can get back to preparing for XCOM 2 by authorizing the “interrogation” of a particularly pesky Muton in my latest ironman run in Long War. Wish me luck! ;)
CD PROJEKT RED just announced a modding contest for all of you designers out there. Create a holiday themed outfit for your favorite Witcher 3 character and you could win a real Witcher 3 sword! So awesome!
Head over to the official contest page for more details:
Be sure to fill out the form on the contest page and tag your creation with "Witcher Mod Contest" so that everyone can find it!
We can't wait to see your submissions. Good luck! (I'm already jealous of the winner...)
I promised I'd update you all on the possibility of a database breach on Nexus Mods that I announced yesterday morning and I am here with relatively "good" news.
I am now in possession of the database dump, that was first reported on Reddit, via university security networks, and I can confirm several things. First, the database dump is "old", with the last member in the database having registered on July 22nd 2013. If you're one of the 4.2 million users who registered on Nexus Mods after this date, your details are not included in this database dump and are therefore considered "safe". Second, the database dump isn't a complete database rip. The dump contains user IDs, usernames, email addresses, hashes and salts, and that's it. It does not contain cracked passwords i.e. anyone with access to the dump would need to attempt to crack the hashes and salts themselves in order to get any sort of use out of them on the site.
From this we can conclude a further two things. Firstly, that it's relatively safe to assume that whoever made this dump no longer has access to our database. Why? Because if they did, they'd have released a much more up-to-date dump of our member database. It would make sense they no longer have any access, considering we've patched up a lot of holes, applied countless security updates and switched to a far more secure database cluster system since July of 2013.
Second, if you've updated your password since July 2013, your account on the Nexus sites should be safe and secure, as they will not have your new hashes/salts/password information. If you have not updated your password recently, please do so now as I am now personally confident that there have been no recent breaches of our network or databases. Similarly, if you still use the password you were using in July 2013, or before that date, on any other sites or services you should update them immediately.
I would like to thank the HPE Security Research team who have personally helped me with this investigation and who securely provided me with the database dump as part of this investigation. Their help has been invaluable.
My previous news post also mentioned three compromised mod author accounts that had uploaded a suspicious file in place of legitimate mods on the site. I have been in contact with one of the owners of the compromised accounts personally, along with another individual who I know was compromised recently, and both were using extremely simple passwords. Passwords that would take a simple cracker mere seconds to crack. This helps to confirm that whoever is using this information is going for high-profile, but extremely easy accounts to crack.
To my knowledge, we have not seen any further suspicious activity in the file database at this time.
The malicious file that was uploaded, "dsound.dll", has been sent away to the malware research team at HPE Security Research to find out what it does and, hopefully, spread the word so it can be flagged by anti-virus software appropriately. Once again, a big thank you to the HPE Security Research team. They've provided an excellent service.
While we would like to force everyone to update their passwords so we can be completely in the clear when it comes to this breach, the only way we could force a password update is to make everyone's password invalid on the site and force you to do a password recovery via your email address. While that might be OK for our newer members (who this doesn't even affect), I imagine there are thousands, if not hundreds of thousands of users on this site who have signed up with email addresses they no longer have access to and would, instantly, become completely locked out of their accounts with no way of gaining entry back. So we have a bit of a conundrum in this respect, and I'm not entirely sure what to do.
In spite of the fact we think that we're "in the clear" on the possibility of a recent breach, we're not going to sit back and pretend like we couldn't be doing more. This scare has given us a real kick up the backside, so we're putting aside our work on the front-end for our NMM Profile Sharing at this time so we can focus on some improvements.
In the short-term, we've already begun work on more verbose logging of user actions on the site, especially in regards to logging the IP addresses you login with and use when performing major actions, such as uploading or removing files to the database. This should allow us to more easily analyse and spot suspicious activity on the sites when it occurs. If someone who previously used a static IP address for years starts making wild changes to all their files using IP addresses traced back to TOR, it's safe to say we're going to find that suspicious and will react accordingly.
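One way the logging described above could be reviewed, as an added example (this is not Nexus Mods' code; the log line format, action names, thresholds and addresses are assumptions, and the addresses are constructed from documentation ranges). It flags major actions that come from an address the account has not used on at least two separate days, or from an address on a supplied Tor exit list:

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical log format: "<ISO timestamp> user=<name> action=<name> ip=<addr>"
LINE = re.compile(
    r"^(?P<ts>(?P<day>\d{4}-\d{2}-\d{2})T\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) ip=(?P<ip>\S+)$"
)
MAJOR_ACTIONS = {"file_upload", "file_delete"}  # assumed action names


def review(lines, tor_exits, established_days=2):
    """Return (ts, user, action, ip, reasons) for suspicious major actions.

    An address is 'established' for a user once it has been seen on
    established_days distinct days. Flagged events and Tor addresses are
    never learned, so repeated use does not make them look normal.
    """
    tor = {ipaddress.ip_address(a) for a in tor_exits}
    days_seen = defaultdict(lambda: defaultdict(set))  # user -> ip -> days
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not a valid address
        user, action = m["user"], m["action"]
        history = days_seen[user]
        established = {
            a for a, days in history.items() if len(days) >= established_days
        }
        reasons = []
        if action in MAJOR_ACTIONS:
            # Only judge novelty when the account has a baseline to compare to.
            if established and ip not in established:
                reasons.append("new_ip")
            if ip in tor:
                reasons.append("tor_exit")
        if reasons:
            findings.append((m["ts"], user, action, str(ip), tuple(reasons)))
        elif ip not in tor:
            history[ip].add(m["day"])
    return findings


# Constructed sample data (documentation address ranges, not real hosts).
TOR_EXITS = {"198.51.100.23"}
SAMPLE_LOG = """
2015-11-01T09:00:00Z user=modauthor action=login ip=192.0.2.10
2015-11-08T09:00:00Z user=modauthor action=login ip=192.0.2.10
2015-11-15T09:05:00Z user=modauthor action=file_upload ip=192.0.2.10
2015-12-05T02:11:00Z user=modauthor action=login ip=198.51.100.23
2015-12-05T02:12:00Z user=modauthor action=file_upload ip=198.51.100.23
2015-12-05T02:13:00Z user=modauthor action=file_delete ip=198.51.100.23
2015-12-05T08:00:00Z user=newbie action=login ip=203.0.113.5
2015-12-05T08:01:00Z user=newbie action=file_upload ip=203.0.113.5
""".splitlines()

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, TOR_EXITS):
        print(finding)
```

Because flagged events are never learned, an account whose owner has really moved to a new address keeps producing findings until an analyst clears them.
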
We're also working on a system that will allow us to notify you, the users, when something as important as this comes up again. As it is, we have the functionality to send "full page notifications" to individual users when we want to make sure a user gets a message. Imagine a Private Message, but one you're forced to view and tick a box saying you've read the message, before you can browse the site again. While we can send these to individual users, we can't send this en-masse to every user of the sites, so we're going to modify this system so I can send out site-wide alerts and notifications for these important matters. You'll know when this system is finished because you will receive a notification (hopefully in the next few days) with information contained in these news posts and a reminder to change your password.
Following on from that, beginning next week we're going to bring forward work we had planned for the middle of next year in regards to our forum system. We aim to devolve more functionality away from our off-the-shelf Invision Board forums and into our own custom coded system that will allow us to have complete control over the member database and login security. Essentially, transitioning away from account security being controlled via the forums to account security being controlled via our own custom coded systems. Not only will this mean you no longer need to visit the forums to change your details, but it will also allow us to implement much stronger encryption of user data, Two-Factor authentication (no details as yet, but right now we're leaning towards Google Authenticator that will allow you to generate secure codes from your smart phones) and lots of our own custom touches that should make things a lot more secure in the backend. Idea being that even if the worst were to happen and another dump was released to the public, we'd make it absolute hell for anyone looking to crack the data.
And lastly, I'd like to thank you all for your response to this mini-crisis. Your words of understanding, support and encouragement, both publicly and via the outpour of private messages I've received have helped to stem the horrible feelings of disappointment in the announcement of this leak and provided me with added resolve to work my absolute hardest to get this sorted. I've said it plenty of times before, but I'll say it again; it really does make a massive difference when the people you're looking to do good by are as understanding and supportive as this community is.
Update: I have released an update to this article with more information on the potential breach.
Original news post follows.
It is with a heavy heart that I must inform you of a potential database breach at Nexus Mods. I understand that sounds horrifically ambiguous at best, but the simple truth of the matter is that we have yet to fully confirm the database breach has occurred any time recently but, in light of recent events, I cannot in good conscience not warn you of the potential for such an eventuality.
I was first tipped off to a problem late on Friday night when a link to a Reddit post was sent to me about a possible breach. The post explained that a security firm that looks after (or helps with the security for) several universities in America had contacted the IT departments who had then contacted the university network users about a database breach at Nexus Mods. The email wasn't particularly informative.
I reached out to the security firm for more information but was required to jump through hoops to access sensitive information, finally succumbing to sleep around 3am on Saturday morning, and have yet to hear back from them, likely because this has happened over a weekend and they don't work weekends.
While it seems clear cut that we've had a breach from that email, unfortunately, it's too ambiguous to draw any concrete conclusions. We indeed had a database breach several years ago when hackers gained entry to our systems by hacking our file server hosts (a horrible way to be hacked, when it's not even directly your fault), so this could potentially be a result of that previous leak, or it could be a result of recent database breaches at other major networks (like the PlayStation Network, eBay or otherwise) and hackers correlating information from reused passwords, or any number of things.
Things became more suspicious yesterday when three Fallout 4 mods from three separate authors had their files changed by the authors themselves, but the file change contained a .dll file that while it isn't being reported as a virus by our VirusTotal system (that scans files using 56 different virus scanners), it is still highly suspicious, and the authors have reported it wasn't them who did it. Indications suggest these author accounts were compromised. Which, once again, isn't conclusive proof of a total database breach, but is rather damning.
It was at this point I decided that the possibility of a breach had increased enough that it couldn't wait for us to fully confirm it before informing the user base. Despite the fact there's still the potential there hasn't been a recent breach, the evidence is mounting up now and I invoked Occam's Razor in writing this news post.
To clarify, we store all passwords in our database in a hashed and salted system (i.e. not plain text). This does not mean your passwords are completely safe, however. Because all encryption is a mathematical formula based around how complex it is to crack, given enough time and processing power almost all forms of encryption can be cracked eventually. The problem gets worse if your password is easily recognisable or very simple. If you've ever wondered why some sites ask you to have at least 1 number and one "special" character, this is why. It makes passwords a lot harder to crack (and yes, we'll implement these forced requirements soon, too). Because of this, it's possible this is a result of the database breach from a few years ago coming back to haunt users that haven't changed their passwords. The problem is, we're just not sure yet.
For any worried Premium Members, we do not store your credit card numbers, expiry dates or secure numbers at all. That's all handled by PayPal.
Because we haven't actually confirmed a recent breach it means we haven't plugged any holes related to such a breach. Unfortunately this isn't like someone breaking and entering into your home, where there are obvious signs of tampering; broken locks or windows and missing or damaged things. This is an extremely complex process where we look for the slightest of anomalies to try and work out whether anything bad has actually happened, and then try to work out how that bad thing actually happened so we can plug it. It's not easy, and we're really trying our hardest. And obviously, we'll keep you updated as and when we have any more information.
Right now, we wholeheartedly recommend changing your password here and please ensure it's not a password you use anywhere else. Just in case it's not obvious; because we haven't found a breach yet, if there is a breach, it means they could access the database again, so just updating your password now won't make it completely secure. However, if you update it now and make sure it's a complex password (minimum 8 characters in length, including special characters and numbers) then you're ensuring that anyone who does have your hash and salt would take such a considerable time trying to crack it that it would largely be a waste of time for them to even try. On top of that, if you use your Nexus password anywhere else, especially on "high profile" accounts like Steam, Xbox, PlayStation or the like, change it immediately to be on the safe side.
Please respect and follow safe password practices. Complex passwords of a minimum length of 8 characters that you change regularly (ideally every couple of months) really are a must on any account you care about.
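The points above about salted hashes and password complexity, shown as an added example that is not Nexus Mods' code: the post does not say which hashing scheme the site uses, so PBKDF2-HMAC-SHA256, the iteration count and all function names here are assumptions. It shows a per-user salt giving two identical passwords different stored hashes, and estimates how much the character mix widens the search space.

```python
import hashlib
import hmac
import math
import os
import string

# Assumed parameters for illustration; the post does not name the site's scheme.
ITERATIONS = 200_000
SALT_BYTES = 16
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest): PBKDF2-HMAC-SHA256 with a random per-user salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_password(password, salt, expected, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def alphabet_size(password):
    """Combined size of the character classes the password draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def search_space_bits(password):
    """Upper bound in bits, valid only if the characters were chosen at random.
    Dictionary words and reused passwords fall far sooner than this suggests."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real data.
    for pw in ("password", "Tr0ub4d&r"):
        salt, digest = hash_password(pw)
        print(pw, salt.hex(), digest.hex()[:16], round(search_space_bits(pw), 1))
```

The salt means one precomputed table cannot be reused across accounts, and the iteration count multiplies the cost of every single guess against a leaked hash.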
On the site security front, while not related to a database breach such as this, we have been actively working to get the entirety of our network under SSL/an encrypted connection rather than just our Premium Member payment pages for some time now. Unfortunately this isn't as simple as paying for an SSL cert and slapping it on the site. There are complications with the way we serve and transmit our files, especially in regards to our CDN, that make things complex.
In a similar vein, we've had two-factor authentication on our to-do list for a while now. Considering the ever increasing popularity of the network we'll bump the priority of this functionality right up the list and hopefully we'll get something out very soon in that regard. I'd highly recommend you ensure the email address tied to your Nexus account right now is the correct email address, as it's likely any such system will make use of a proper and valid email address in order to function properly.
While breaches often suggest the contrary, we take security extremely seriously and try our utmost hardest to ensure it. On a personal level, it's horrific for me to find out about these things. You guys trust me with your data and trust that I'll keep it secure, and sometimes I fail in that despite my best attempts. I'm very sorry about this. It leads to many sleepless nights and a toilet pan that utterly resents me. We spend about £40,000 ($60,000 USD) a year on professional mitigation and prevention systems trying to directly prevent malicious people from accessing or altogether destroying these sites. We prevent hundreds of malicious attacks on our network every day, sometimes even thousands. Often these come from automated bots constantly prodding away at our servers looking for weaknesses, sometimes from dedicated malicious individuals who want to gain access. We've prevented hundreds of thousands of attempted intrusions, but it only takes one to get through, despite our best efforts, for the failure to be complete.
I'm sorry for (potentially, at this point) breaking your trust in us. We'll continue working away at this to get a conclusive answer and, when we do, you'll be the first to know.
Update: Many people have asked about the three Fallout 4 files that were mentioned in this post. The three files affected were:
- Higher Settlement Budget (downloads from 5th December)
- Rename Dogmeat (downloads from 4th December)
- BetterBuild (downloads from 29th November)
The suspect file contained in the archives was called "dsound.dll".