Forced Password Resets
As time has gone by, we’ve placed a number of warnings on the site alerting everyone to this breach and urging everyone to change their passwords.
We’ve recently received multiple confirmations that a fully decrypted version of this data is now being sold and shared on the black market, so we’ve taken the only action left to us - we’ve forced a password change on any account that was created before August 2013 and that hasn’t logged on to the site in the whole of 2016.
Anyone who has logged in to the site since December 2015 will have seen a notification on the site telling them to change their password. You should have changed your password at that time. If you STILL haven't changed your password then you really, really, REALLY should now as we know for a fact that the passwords in the database leak have now been completely cracked. If you haven't changed your password yet, despite all these warnings, then you only have yourself to blame at this point.
We have been forced to automatically change users' passwords without warning to ensure that users' accounts remain safe, to prevent unauthorised logins and also to prevent "hackers" from gaining access to inactive mod author accounts and defacing or deleting mods from our database (or worse).
If you have had your password changed, you will need to use the password reset form on the login page to request a new password. This is the only way you can regain access to your account. All passwords were changed to a very long random string of characters that we have not saved on our end in any sort of plain-text, so even we cannot tell you what your password is.
I once again want to apologise for this database leak and the inconvenience it has caused to all of us.
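The forced reset described above, sketched as an added example (this is not the site's own code): it selects accounts by the two stated conditions and overwrites the stored hash with one derived from a random secret that is never kept. The record field names and the use of scrypt are assumptions; the announcement does not say how passwords are stored.

```python
import hashlib
import secrets
from datetime import datetime

CREATED_CUTOFF = datetime(2013, 8, 1)  # "created before August 2013"
LOGIN_CUTOFF = datetime(2016, 1, 1)    # no login "in the whole of 2016"

def needs_forced_reset(created, last_login):
    """True for accounts matching the announcement's two conditions."""
    idle = last_login is None or last_login < LOGIN_CUTOFF
    return created < CREATED_CUTOFF and idle

def scramble_password(account):
    """Replace the stored hash with one derived from a discarded secret."""
    throwaway = secrets.token_urlsafe(64)  # long random string, never stored
    salt = secrets.token_bytes(16)
    account["salt"] = salt
    account["pw_hash"] = hashlib.scrypt(
        throwaway.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    # `throwaway` is dropped here: only the reset form restores access.

def force_resets(accounts):
    """Scramble every matching account; return the affected user names."""
    hit = []
    for acc in accounts:
        if needs_forced_reset(acc["created"], acc["last_login"]):
            scramble_password(acc)
            hit.append(acc["user"])
    return hit

# Constructed sample records; field names are hypothetical.
SAMPLE = [
    {"user": "old_idle", "created": datetime(2012, 5, 1),
     "last_login": datetime(2015, 11, 3), "pw_hash": b"leaked", "salt": b""},
    {"user": "old_active", "created": datetime(2012, 5, 1),
     "last_login": datetime(2016, 6, 10), "pw_hash": b"leaked", "salt": b""},
    {"user": "new_idle", "created": datetime(2014, 1, 15),
     "last_login": datetime(2014, 2, 1), "pw_hash": b"leaked", "salt": b""},
]

if __name__ == "__main__":
    print(force_resets([dict(a) for a in SAMPLE]))
```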
181 comments
Each individual account stolen doesn't have to be worth tens of thousands of dollars, it just needs to be worth something because they're dealing in bulk. Something high value like a Humble Bundle account can easily be flipped by grabbing all the keys and throwing them onto G2A who quite famously don't give a fuck. The hacker would be using scripts to try all these accounts, comparing them to leaked emails from other sites to see who's been confirmed to be signed up where.
Or they might just use it for cheating. Log into someone else's Steam, hack in CS:GO or Overwatch and have fun, and when the banhammer comes down it's no skin off their nose.
Using a strong, unique password on each site is really the only way to stay safe nowadays, and that's just not going to be doable by human beings without the help of a password manager.
No credit card information is stored on NexusMods.
I have a very close friend who posted her telephone number on an open FB post to someone. She has been swamped with spam and scam phone calls on that number. As many as 7 and 8 a day. That phone number was likely harvested by a scraper that reads thousands of FB posts every second looking for data like phone numbers, email addresses, mailing addresses and any other valid personal information. The scraper then sold her verified phone number, along with hundreds of others, for about 5 cents per number. That doesn't sound like much, but they likely sold her number in a package that included around 10,000 already verified good numbers, making them $500 from each of a dozen or so scammers, making their total haul around $6 to 7k.
Change your password if you haven't already - AND do not post private info on any public forum.
I think a significant danger is the use of hijacked mods to distribute malware (i.e. to grow botnets). If I were a Nexus coder, I'd build some kind of tripwire into the Nexus that would be set on any account that had more than N downloads a day on it and post an email to moderators to check out uploads if they came from IP addresses that the account owner had never uploaded a mod from before, or something like that.
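The tripwire proposed in the comment above, as an added example (not part of the comment and not Nexus code): an upload is queued for moderator review when the account exceeds N downloads a day and the upload comes from an IP that account has never uploaded from. The record layout, names and sample events are constructed; IPs are from documentation ranges.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Upload:
    account: str
    ip: str
    mod_id: str

def check_uploads(uploads, known_ips, downloads_per_day, n):
    """Return the uploads a moderator should be emailed about.

    known_ips: account -> set of IPs it has uploaded from before.
    downloads_per_day: account -> downloads/day across all of its mods.
    n: the comment's "N" threshold.
    """
    flagged = []
    for up in uploads:
        seen = known_ips.setdefault(up.account, set())
        armed = downloads_per_day.get(up.account, 0) > n
        if armed and up.ip not in seen:
            # Do not learn the IP here: a hijacker's next upload must
            # trip the wire again until a moderator approves the address.
            flagged.append(up)
        else:
            seen.add(up.ip)
    return flagged

def alert_text(up):
    """Body of the moderator email for one flagged upload."""
    return (f"Review upload to {up.mod_id}: account {up.account} "
            f"uploaded from previously unseen IP {up.ip}")

# Constructed sample data.
KNOWN = {"popular_author": {"192.0.2.10"}, "small_author": {"198.51.100.7"}}
DOWNLOADS = {"popular_author": 12000, "small_author": 40}
EVENTS = [
    Upload("popular_author", "192.0.2.10", "mod-1"),    # usual IP
    Upload("popular_author", "203.0.113.99", "mod-1"),  # new IP, flagged
    Upload("popular_author", "203.0.113.99", "mod-2"),  # still unapproved
    Upload("small_author", "203.0.113.5", "mod-9"),     # below threshold
]

if __name__ == "__main__":
    history = {k: set(v) for k, v in KNOWN.items()}
    for hit in check_uploads(EVENTS, history, DOWNLOADS, n=1000):
        print(alert_text(hit))
```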
Ten years ago my WoW & Curse logins were the same so I can't help recalling, so obviously one day my dear Tauren Shaman got cleaned up and back then it clicked for me that we are going to see so much trouble from people using the same logins. I figured to just tier accounts so it's easy to manage and pointless to have my forum account, plus if a "C" tier game login gets stolen then I know to change them all. Simple password doesn't matter because nobody is going to really crack the password and it's you who is making the mistakes.
Very likely that most Nexus logins work everywhere and can be sold separately from game to game, then finally it ends up being a Twitter bot.
PS: I think that my same old forum account has been stolen from every single forum I have put it into and it's like my very own cancer-pet. Then it's also amusing to think of a site admin seasonally just selling the whole list like it's some ad revenue.
Short version: You only need one cancer-pet.
Why doesn't your friend change his other passwords, lol? It's not like changing his Nexus password will stop anyone who already has it from trying it for his other accounts on other sites.
About password recovery, can I get my old account back? I tried to change my password, the email is not sent to my email. Anyone, please help. //Sorry for my bad English.