Fallout 4

Important Security Notice

What has happened?

In the early hours of 8th November 2019 we noticed suspicious activity against our services by a potentially malicious third-party actor. Our logs confirm that, using an exploit against our legacy codebase, they accessed a small number of user records from the old user service.

We secured the affected endpoint as soon as we discovered the exploit. As a precaution we are nevertheless informing all of you, because we cannot rule out that further access to other user data, including email addresses, password hashes and password salts, has taken place.

We immediately worked to rectify the situation and, as part of that process, brought forward the release of our long-planned new user service so that no other potential exploit against the old user service could be used to obtain user data. Passwords stored by the new user service are better protected, and any password hashes that may have been obtained from the old user service become out of date once you have migrated and updated your password.

Further, as is required by law, we have informed the ICO (the UK Information Commissioner's Office) about this incident and we are in the process of fulfilling our obligations related to the matter.


What does this mean for you?

While we noticed the suspicious activity on 8th November 2019 and have no evidence of earlier activity in our logs, we cannot say for certain whether the exploit had been used before, and thus cannot ascertain how many - if any - email addresses, password hashes and salts were accessed.

Recognising our obligation to all of you, we are therefore strongly urging you to be vigilant against phishing and credential stuffing attacks. A password hash that is cracked offline yields the password itself, so if you reused your old Nexus password anywhere else, that other account is exposed to credential stuffing (automated login attempts with your email address and that password on other sites).


General Recommendations

  • If you haven't already, please log out and back in, in order to update your account and password and migrate to the new user service. If you've already used the new user service, there is no need to change your password again.
  • If you were using the same password you had on our old user service on other sites, please change your password on those other sites as soon as possible.
  • We strongly recommend using a password manager and not reusing passwords across sites.
  • Always use unique and strong passwords of at least 12 characters for each service you use.
  • Consider using two-factor authentication, especially if you are a mod author.
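
As an added illustration of why "log out and back in" migrates an account, and not code from Nexus Mods: the example below implements rehash-on-login, the usual way a service moves stored password hashes from a legacy scheme to a stronger one without ever handling a password outside a login. The legacy scheme used here (SHA-1 over a short salt and the password) is an assumption for the demo; the notice says only that the old service stored hashes and salts. The new scheme is PBKDF2-HMAC-SHA256 from the Python standard library, and the sample user store is constructed.

```python
"""Rehash-on-login: migrating legacy password hashes to PBKDF2-HMAC-SHA256.

Added illustration, not Nexus Mods code. The legacy scheme below is an
assumption for the demo; the notice does not say what the old service used,
only that it stored password hashes and salts.
"""
import hashlib
import hmac
import os


def legacy_hash(password: str, salt: bytes) -> str:
    """Assumed (hypothetical) legacy scheme: hex(sha1(salt || password)).

    One SHA-1 per guess is far too cheap: a single GPU tries billions of
    candidates per second against a leaked hash and salt.
    """
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


# Work factor for the new scheme. 600,000 is the OWASP (2023) recommendation
# for PBKDF2-HMAC-SHA256; tune it so one login costs tens to hundreds of ms.
PBKDF2_ITERATIONS = 600_000


def new_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Self-describing record: algorithm$iterations$salt_hex$dk_hex."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_new(password: str, stored: str) -> bool:
    """Recompute the record from its own parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, _ = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    recomputed = new_hash(password, bytes.fromhex(salt_hex), int(iterations))
    # never compare secrets with ==; compare_digest does not short-circuit
    return hmac.compare_digest(recomputed, stored)


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate; on a successful legacy login, upgrade the record in place."""
    rec = users.get(username)
    if rec is None:
        # Spend about the same time as a real check so an attacker cannot tell
        # valid usernames from invalid ones by response time.
        new_hash(password, b"\x00" * 16)
        return False
    if rec["scheme"] == "pbkdf2_sha256":
        return verify_new(password, rec["hash"])
    # Legacy record: the clear-text password is available only now, at login,
    # so this is the one moment the server can rehash it under the new scheme.
    if not hmac.compare_digest(legacy_hash(password, rec["salt"]), rec["hash"]):
        return False
    rec.update(scheme="pbkdf2_sha256", hash=new_hash(password, os.urandom(16)), salt=None)
    return True


def demo_users() -> dict:
    """Constructed sample store: 'alice' has not logged in since the migration."""
    salt = bytes.fromhex("a1b2c3d4")
    return {"alice": {"scheme": "legacy", "salt": salt, "hash": legacy_hash("hunter2", salt)}}


if __name__ == "__main__":
    users = demo_users()
    print("before:", users["alice"]["scheme"])
    print("wrong password:", login(users, "alice", "letmein"))
    print("right password:", login(users, "alice", "hunter2"))
    print("after:", users["alice"]["scheme"], users["alice"]["hash"][:40] + "...")
```

The shape of this migration also shows the limit of "old hashes become out of date": the server can only upgrade a record when the user presents the password, so an account that never logs in again keeps its legacy hash, and a legacy hash that is cracked offline still yields a password the user may have reused elsewhere. That is why changing the password, not merely logging in, is the step that actually helps.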

285 comments

  1. pufthemajicdragon
    • member
    • 377 posts
    • 43 kudos
    IT engineer here. You know what the absolute worst thing is for password security? Complex passwords. Counter-intuitive, I know, right? But longer and more complex passwords lead to people reusing more passwords and saving them in Word or Excel documents on their desktops. That's why Microsoft has minimal complexity requirements but encourages (and in some cases requires) MFA. And the cool thing about MFA? A 6 character simple password is no less secure (and arguably more secure) than a 12 character complex password as long as you use MFA.

    And what's funny is seeing supposed security people talk about brute forcing like it's still how accounts get cracked. "Gotta make the passwords harder to guess!" as if anybody's trying to guess it. Nah, legit hackers don't brute force anymore. If they want your password, they send you phishing e-mails, malware with keyloggers, malware that takes advantage of password manager vulnerabilities (and you thought that would keep you safe), or the real good ones take advantage of website vulnerabilities to steal hashes (oh, look, what happened to Nexus). I do still see brute force attacks, but only in business and they're pretty lazy attacks against outdated protocols where the attacker figures "if they're still using PPTP then they're probably using stupid simple passwords".

    But what this really boils down to is Nexus screwed up by having bad security and instead of fixing their $%^& they make their users jump through hoops that meet (outdated) "security best practices" but don't actually improve security.
    1. patchling
      • premium
      • 193 posts
      • 2 kudos
      I use really complicated passwords, long complicated passwords. Never two times either. Write them down? You bet I write them down, in pen and paper offline.

      MFA? started looking into that. But umm... where do I get the other piece from? My home phone? That is about all I have to get something else on.
    2. Kulze
      • member
      • 1 posts
      • 0 kudos
      Umh... like any other common application nowadays? Either use MFA via phone or e-mail? It's an extra layer of security after all, one which can very, very hardly be cracked in any way outside of mistakes on the user's side.

      Hardly, everything is possible... but that's stuff which should be common practice by now and luckily is for many companies handling sensitive data.
    3. lefttounge
      • supporter
      • 6,205 posts
      • 106 kudos
      I am also an IT major, with a cyber security concentration. I gotta say, a true hacker isn't even going to go for the small fry's "12 character long" password. They're just gonna go directly hack the admins, which would give them access to all of the users' passwords, even the 12 character long ones. The sad matter is that many of the vulnerabilities that are associated with these kinds of breaches don't have anything to do with the Nexus. It's Windows. Windows is extremely exploitable, perhaps one of the most exploitable pieces of software in history (even if it's just my opinion).
      In fact you could go into your Windows computer right now, and delete an important file you need in order to operate your computer, and completely destroy your software. If you can do this, a hacker can do the same thing.
      No, the real thing that needs to be protected is not just the data, but the actual database, where if software is compromised, it can easily affect the company. From what I'm seeing, Nexus Mods' website is still slightly old fashioned compared to what could be improved; this is just from a glance.

      In terms of constant mod manager updates, you gotta keep in mind that the actual files for the mods are also old fashioned (and if they aren't, trust me, they will be; I'd be shocked if they weren't), and so the way they're handled can be old fashioned as well.
      Not every user on the Nexus is computer savvy or wants to upgrade to Vortex; many are nervous they'll lose their mods, as even the slightest change can destroy their whole game. It's that finicky, and so it's very stressful for them to not only create a hard-to-remember password that usually doesn't stop hacking attempts, but upgrade to completely new managers while installing and uninstalling mods. Very stressful!
      This discourages new users, and makes old users wanna move on.

      Also, another vulnerability: there are many spam users that serve as bots. With hackers becoming more advanced in programming, not to mention desperate, they're finding new ways to get their software past the CAPTCHA; I think there are YouTube videos that show programs doing this. This, combined with a superfluity of bots, can further harm the confidentiality of the network.
      The bots are a huge portion of why the Nexus is being compromised in so many different ways. As time goes on, these new-gen bots capable of passing CAPTCHA (so, like, over 1,000 bots able to do this) are gonna butcher the entire site and be very difficult to keep up with, as I'm sure all the admins do all day is remove fake user accounts for spam.
      I can go on about what different improvements can be done.

      Another fun note for those who wanna keep reading: it talks about the utilization of demilitarized zones.

  2. ToxicSquirrel88
    • member
    • 2 posts
    • 0 kudos
    Is this related to that time many accounts were exposed in a data breach and passwords stolen, while the site admin, or whoever, failed to inform Nexus users of the breach until much later? Perhaps I'm wrong about action being taken to inform of the breach, but I cannot remember ever being informed unless it had been posted via Nexus site news back then. Fortunately for me, the password I used back then was only used on the Nexus. I received an email from a hacker trying to con me out of bitcoins by attempting to scare me by flashing an old Nexus password. I was able to trace the breach back to Nexus Mods via a "Have I been had" check, which is where I first found out about the Nexus breach.

    Regardless, I barely have any trust in this site anymore. Of course I still use Nexus, but I find it funny the site actually wants us to buy premium for faster downloads when I would not even trust this site with a phone number. LOL
  3. Regnier1919
    • supporter
    • 6 posts
    • 0 kudos
    My Avast told me it had safely aborted a connection to Skyrimgems.com because it was infected with HTML:script-inf(susp). Could someone clarify: have I downloaded an infected file from Nexus, or is this something else?
    1. bvanharjr
      • member
      • 14 posts
      • 0 kudos
      Get rid of Avast altogether (it's bad nowadays), and use something better - or, if you are on Windows 10 (and version 1903 or HIGHER), use the built-in protection.

      This comes from 5+ years of personally USING THEIR SOFTWARE. Their code is so filled with bugs that it's a miracle that my PC hasn't required me to reinstall Windows from scratch yet.

      (not listing every issue I have with Avast - the final straw I had with 'em was with their exclusion system not working AT ALL - quarantining files THAT I PUT ON THAT LIST as "malicious & dangerous" - EVEN THOUGH THOSE FILES WERE 100% CLEAN.)
    2. Dazner
      • member
      • 14 posts
      • 0 kudos
      Avast is actually pretty good. I use it and mod skyrim extensively. Not many complaints there.
    3. 1ae0bfb8
      • supporter
      • 2,621 posts
      • 33 kudos
      Avast you say? Pretty good you say?

      https://www.vice.com/en_us/article/3a8vjk/czech-data-protection-authority-investigation-avast-jumpshot
    4. marijn211
      • member
      • 37 posts
      • 1 kudos
      I used Avast for around 2 years and found myself reinstalling Windows 2 times because of false positives on system files, which had been removed as a result. Now I stick to Malwarebytes; it costs money for more protection than just weekly scans, but if you don't act dumb on the internet that should be enough.
    5. trishaxuk
      • member
      • 1 posts
      • 0 kudos
      Totally agree with this. I too was an avid user of Avast for 4+ years (and previous to that, used AVG for 3+ years at home). In both cases, I eventually stopped using them because of many false positives which could not be rectified through a controllable whitelisting system, and their reporting mechanism and remedies for these problems were ineffectual.

      Thankfully, Microsoft's previously poor AV products have much improved, so I use that for basic cover now. Malwarebytes is a solid product for all the stuff which gets through the cracks. Even the free/trial mode is a life saver. Sometimes I use Sophos too (as I get home licence coverage from work). It's always been very solid (due to good support, not just the client software), but it can be a bit hard on machine performance for gamer-type scenarios. It's best left on your 'work' machine.
    6. quadraphone
      • supporter
      • 143 posts
      • 1 kudos
      Systems Engineer here:

      Don't make suggestions if you don't know what you are talking about. Windows Defender isn't a bad anti-virus product in real-world scores, it's better than nothing, but it isn't better than Avast. Avast consistently scores better in real-world tests and has less performance impact.

      See for yourself:

      https://www.av-test.org/en/antivirus/home-windows/

      https://www.av-comparatives.org/consumer/
    7. quadraphone
      • supporter
      • 143 posts
      • 1 kudos
      Please limit recommendations to something you have expertise in. If you aren't a doctor or a nurse practitioner, don't hand out medical advice.
      If you aren't an IT professional, don't hand out anti-virus recommendations.
    8. quadraphone
      • supporter
      • 143 posts
      • 1 kudos
      Malwarebytes is a great tool for removing malware infections, but as an anti-virus platform it is below the middle of the pack in real-world tests. In short, the performance of its resident protection modules is unacceptable.
    9. quadraphone
      • supporter
      • 143 posts
      • 1 kudos
      This sounds like a malicious script stored in your browser cache.

      For future use, you can use a free tool called CCleaner from Piriform to clean the caches of multiple browsers at the same time, and the Windows system temp files:

      https://www.ccleaner.com/ccleaner/builds
    10. quadraphone
      • supporter
      • 143 posts
      • 1 kudos
      Following the Vice article, Avast stopped the harvesting and selling of browsing history, bought stock back in the company Jumpshot that was responsible, and closed the company down.

      https://www.vice.com/en_us/article/wxejbb/avast-antivirus-is-shutting-down-jumpshot-data-collection-arm-effective-immediately
  4. Thandal
    • Moderator
    • 22,948 posts
    • 174 kudos
    Avast, (and AVG, they are owned by the same outfit now) flags many games' and mods' executables as malware. For example, they keep any game using the Frostbite engine from starting.

    There are many alternatives, including free ones (e.g. "Windows Defender", which is built-in to Win10) that do a much better job.
    1. Saggaris
      • member
      • 668 posts
      • 16 kudos
      And what of the 'aborted connection to skygems.com' that MANY are concerned about? Is that safe? Should we just say "yeah, well, it's probably OK"?
    2. Pickysaurus
      • Community Manager
      • 11,855 posts
      • 255 kudos
      Most people can visit that page fine. I'd guess GEMS either doesn't use SSL or the certificate has expired. Really it's on the GEMS team to sort out whatever is triggering that warning.
    3. quadraphone
      • supporter
      • 143 posts
      • 1 kudos
      Systems Engineer here:

      Windows Defender scores in the middle of anti-virus products on the market in real-world AV tests. It's better than nothing, but it does not do a much better job than Avast or AVG, both of which consistently score near the top.
  5. amadeuskun
    • member
    • 46 posts
    • 0 kudos
    *uses the same password across every website* "I can't believe I got hacked" *blames The nexus for getting hacked*

    People who use one password for everything are playing with fire, just like people who use easy-to-guess passwords and PINs.

    Don't use any personally identifiable information in your passwords, bible verses, famous quotes, lucky numbers, easy-to-guess number combinations (12345, 77777, 6969, birthdays, SSNs, etc.) If someone can go on your social media page and write down everything they know about you and break the password, it wasn't a good password.
    1. Saggaris
      • member
      • 668 posts
      • 16 kudos
      What do you want, a badge?
      Yet another know-it-all that thinks everyone should have the same grasp as he; let me tell you something, people are different and MANY can't remember what they go to the toilet for... not everyone has the same outlook as you.
      Of the 20 million folks here a good number of them wouldn't understand what the hell you were talking about, they might not have spacebook, facetube or even read the bible.
      You're preaching to those that already understand and others that ain't listening and don't care.
      I've used the site for 15 years and I still know nothing.
    2. Ethreon
      • supporter
      • 13,903 posts
      • 474 kudos
      Sorry to break your bubble, but if you are on a modding site, you should be more knowledgeable than the average user. So yes, if you use the same password everywhere it's your own damn fault.
    3. Saggaris
      • member
      • 668 posts
      • 16 kudos
      Wrong...
      Working in the mental health industry for a decade gives you a different outlook on people's understanding and their desires; they are in many cases at very different levels.

      Now, I say if you have 20 million people's details, details that you demand when they join, it should be up to you to keep those safe, not each and every one that you enticed in.
    4. metaphorset
      • member
      • 220 posts
      • 1 kudos
      @Saggaris - the badge is yours. This stuff isn't exactly breaking news. In this day and age ignorance is a choice. You chose ignorance and you seem to carry it quite proudly.
    5. Saggaris
      • member
      • 668 posts
      • 16 kudos
      Nope, you're the ignorant one that wishes to assume a level ability playing field, you obviously don't mix with folks with different abilities, after all it's down to the hedgehog to learn when to cross the road isn't it?
    6. CommandantShepard
      • supporter
      • 4 posts
      • 0 kudos
      @Saggaris You are correct that it is on the website to protect their (your) data to the highest possible standard. However, ultimately it is a user's responsibility to manage their own personal online security. I don't expect everyone to understand this and am well aware they don't as I work in Software Support, however a user refusing or unwilling to learn more about this does not make it any less true. Not defending NexusMods or this breach in any way, just stating a general fact.

      I also think posting what you did and the way you did it is completely unnecessary, as @amadeuskun wasn't specifically bashing anyone but in fact was sharing information that could potentially help someone in a situation of having bad passwords.
    7. zlostnypopolnik
      • member
      • 1,150 posts
      • 24 kudos
      Remember the hack when a 100+ megabyte file was replaced with a few-kilobyte file (if I remember correctly)? How can a 100-digit password help you then? I am not saying that one should not use such passwords, I use combined and different passwords for each account myself, but you know what I am trying to say.
      I downloaded the file and ran it. Since then, penis extension offers have been sent to my (dummy) email address.
  6. MumblesMalarky
    • member
    • 25 posts
    • 0 kudos
    Are passwords encrypted server side?
  7. DaisukeNiwaKun
    • supporter
    • 925 posts
    • 51 kudos
    Geeez people, you are arguing about usernames, 12-letter passwords and god knows whatever else. I was mad too about my username, but it's only a username; it took me 5 min to understand this change. But one thing is really silly!

    Well, the site knows exactly which user is premium and who isn't. So why, when clicking download, does it take me to a sub-site to choose slow download or fast download? I think people here made bad decisions and users are gonna quit not only because of their usernames and passwords but also because of the psychological forcing to buy a premium subscription. Staff added only a button, but what will the future bring? 30 seconds timeout with ads for free users next?

    Dear Nexus, please stop where you are now because you chose the wrong side. The year 2020 should be better, not worse! Do not let this happen.
    P.S. The subscription lifetime plan is a little too expensive, make a promo.
    1. dragonagesusi
      • supporter
      • 112 posts
      • 2 kudos
      amen!
    2. crowsraven
      • member
      • 3 posts
      • 0 kudos
      I agree wholeheartedly with what you said about psychologically forcing premium, DaisukeNiwaKun. We all know how to opt for a premium account, and we all know that download speeds are capped unless you pay. So why do we need to be taken to a "choice" screen where we are shown - in the same way those tacky file share sites display it - how our choice to use the free version of Nexus is a bad one? The downloads don't take long even at slow speeds, many of them being small, and I have never downloaded anything for which I impatiently waited.

      I have paid in the past (under a different account, which is gone now hence the new one; I used to be under the user name "centime") for a premium account, but this hard sell guarantees that I never will again. And I also agree about the price of a lifetime subscription...49.00 UK exchanges to $64.74 US; too much for a game modding site (in my opinion, which counts for nothing to anyone but me). Perhaps if I were younger...

      Call me whatever you like, but there is no need for pushing our faces down into the idea of paying for a subscription. Again, we all know how to do it and what is at stake if we don't, but this new tactic will, I believe, turn off a lot of would-be financial contributors to Nexus. This has left such a bad taste I don't think I will be here for too long anyway. Greed is, to me, the most ugly of human attributes.
  8. tirtan1
    • member
    • 1 posts
    • 0 kudos
    As a premium lifetime member already, please explain why you are asking me to pay again.
    1. PCGirl
      • premium
      • 1,477 posts
      • 25 kudos
      I am confused by your comment. Where in this news post do you see anything about paying again?
    2. splitwires
      • member
      • 76 posts
      • 0 kudos
      they probably got sent to the page asking them to sign up for premium
    3. Pickysaurus
      • Community Manager
      • 11,855 posts
      • 255 kudos
      As you can see your account is not Premium. Perhaps you had another account with a different email address?

      Send a copy of your purchase invoice to [email protected] and we'll help you track it down.
  9. Demonlord091
    • member
    • 255 posts
    • 0 kudos
    My primary complaint is how slow the Nexus runs after its "upgrade". Why would we have any faith in the Premium version of downloads when the bloody website can barely load mod pages? It's like it's running on an old AMD cpu from 15 years ago with a dial-up or crappy satellite connection. (Slight exaggeration, but not by much)

    I had actually considered upgrading to the premium downloads before the absurd changes, but after seeing how slow the website is now and hearing about when this security breach happened and how long it took for them to notify people about it, I don't think putting money into the website is such a good idea anymore.
  10. aragas11
    • premium
    • 16 posts
    • 0 kudos
    "Always use unique and strong passwords of at least 12 characters for each service you use." Longer passwords don't guarantee security though.
    1. CommandantShepard
      • supporter
      • 4 posts
      • 0 kudos
      It's the unique and strong passwords part of this statement that really matters. Of course longer passwords will help, but ultimately having many complicated and unique passwords will potentially stop you from getting other accounts hacked. The best security guarantee is to not use any services, anything else is a compromise.
    2. splitwires
      • member
      • 76 posts
      • 0 kudos
      Nothing guarantees security, but your biggest security threat is bots mass-guessing a password. Those bots will be scrolling through all potential passwords, and as such a COMPLEX password won't make a notable difference, but each extra character in length will make it take exponentially longer for the bot to guess.
    3. PradaLoci
      • member
      • 34 posts
      • 1 kudos
      Gonna hop in as I did my dissertation on the ease of modern password cracking and I wanna flex.

      Things to note about passwords:
      1. Each real dictionary word is essentially one character, as dictionary lists are the first things we use.
      2. Anything shorter than 6 characters is not a password.
      3. Using l33t sp33k is useless, as rule lists try these with very little increase in effort.
      4. Using personal information in your password is a death sentence; this info can be phished/mined with ease.
      5. Don't use your good pwds on janky old websites; they probably use MD5 and that's pretty much raw text password storage.
      *PLEASE don't use those dice-roll sites; they're terribly insecure passwords with modern cracking techniques.

      The best passwords are, of course, randomly generated passwords from things like KeePass2, though you'll have no chance of remembering them. I think the best passwords would be a short sentence of words purposely spelt wrong with random 'special' chars thrown into the words;

      example: AS8/{00}dBl44ck\\othingNess#
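
Points 1, 3 and 5 of the comment above, as an added example that is not part of the original comment and not Nexus Mods code: a miniature rule-based dictionary attack against unsalted MD5. It mangles each wordlist entry through case forms, every combination of l33t substitutions and a few common suffixes, then hashes each candidate and checks it against the targets. The wordlist, the substitution table, the suffix list and the three target hashes are all constructed for the demo (MD5 of "P455w0rd!", of "dr4g0n2019" and of a random-looking string that no rule produces); real tools such as hashcat and John the Ripper do the same thing with far larger wordlists and rule files, and with unsalted MD5 every candidate is hashed once and checked against every leaked hash at the same time.

```python
"""Rule-based dictionary attack on unsalted MD5 hashes.

Added illustration, not Nexus Mods code. Wordlist, rules, suffixes and the
target hashes are constructed for the demo.
"""
import hashlib
import itertools
from typing import Dict, Iterable, Iterator, Set, Tuple

# Constructed substitution table: a tiny subset of what real rule files cover.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
# Constructed suffix list; the empty string keeps the unmodified variant.
SUFFIXES = ("", "!", "1", "123", "2019", "!1")


def leet_variants(word: str) -> Iterator[str]:
    """Yield every combination of substituting none, some or all l33t-able letters."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for swap, i in zip(mask, positions):
            if swap:
                chars[i] = LEET[chars[i].lower()]
        yield "".join(chars)


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """Mangle each base word: case forms x l33t substitutions x suffixes.

    For a 7-letter word with four l33t-able letters this is 3 * 16 * 6 = 288
    guesses, which is why point 1 above calls a dictionary word 'one character'.
    """
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(base):
                for suffix in SUFFIXES:
                    yield variant + suffix


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def crack(targets: Set[str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Return {hash: plaintext} for every target hit and the number of guesses made.

    Unsalted hashes mean one md5 per candidate tests it against ALL targets at
    once; a per-user salt would force the attacker to redo this per account.
    """
    found: Dict[str, str] = {}
    tried = 0
    for cand in candidates(wordlist):
        tried += 1
        h = md5_hex(cand)
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found, tried


# Constructed wordlist; real ones run to hundreds of millions of entries.
WORDLIST = ["password", "dragon", "nexus", "skyrim", "fallout", "welcome", "letmein"]


def run_demo() -> Tuple[Dict[str, str], int]:
    """Two 'clever' l33t passwords fall; the random string survives the whole run."""
    targets = {md5_hex("P455w0rd!"), md5_hex("dr4g0n2019"), md5_hex("x7Qk2Lp9vW")}
    return crack(targets, WORDLIST)


if __name__ == "__main__":
    found, tried = run_demo()
    print(f"{len(found)} of 3 recovered after {tried} guesses: {sorted(found.values())}")
```

The run exhausts the whole candidate space (1,080 guesses for this wordlist) because the third hash never matches; on a real leak that step costs microseconds per account for MD5, whereas a salted, iterated scheme makes the same search cost a separate slow computation per user per guess.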