Forced Password Resets

As you may be aware, we discovered a database breach in November 2015. The "good" news was that the data was very old: the last registration date in the database was July 22nd, 2013. This means anyone who registered on Nexus Mods after that date was not included in the breach, and anyone who registered before it was. The breach included email addresses, usernames and encrypted passwords.

As time has gone by, we’ve placed a number of warnings on the site alerting everyone of this breach, urging everyone to change their passwords.

We've recently received multiple confirmations that a fully decrypted version of this data is now being sold and shared on the black market, so we've taken the only action left to us: we've forced a password change on every account that was created before August 2013 and that has not logged in to the site at any point in 2016.

Anyone who has logged in to the site since December 2015 will have seen a notification on the site telling them to change their password. You should have changed your password at that time. If you STILL haven't changed your password then you really, really, REALLY should now as we know for a fact that the passwords in the database leak have now been completely cracked. If you haven't changed your password yet, despite all these warnings, then you only have yourself to blame at this point.

We have been forced to automatically change these users' passwords without warning to ensure that their accounts remain safe, to prevent unauthorised logins, and to prevent "hackers" from gaining access to inactive mod author accounts and defacing or deleting mods in our database (or worse).

If your password has been changed, you will need to use the password reset form on the login page to request a new one. This is the only way you can regain access to your account. Every affected password was replaced with a very long random string of characters that we have not saved on our end in any sort of plain text, so even we cannot tell you what your password is.

I once again want to apologise for this database leak and the inconvenience it has caused to all of us.
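The reset described above, written out as an added example; this is not Nexus Mods' own code. It assumes a users table with created_at, last_login and password_hash columns (an assumption about the schema), uses scrypt from Python's standard library as a stand-in for whatever hashing the site actually uses, and runs against a few constructed rows in an in-memory SQLite database. The point it demonstrates is the last paragraph of the post: the replacement password is generated, hashed and thrown away in the same step, so no plaintext ever exists to leak or to be asked for.

```python
import hashlib
import os
import secrets
import sqlite3
from typing import List, Optional

# Cut-offs taken from the post: created before August 2013, no login during 2016.
CREATED_BEFORE = "2013-08-01"
INACTIVE_SINCE = "2016-01-01"

# scrypt cost parameters: 2**14 * 8 * 128 bytes = 16 MiB, under hashlib's default maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash stored as 'salt$digest' in hex (assumed scheme, not the site's)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return secrets.compare_digest(digest.hex(), digest_hex)


def build_sample_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, created_at TEXT, "
        "last_login TEXT, password_hash TEXT, must_reset INTEGER NOT NULL DEFAULT 0)"
    )
    rows = [
        (1, "old_dormant", "2011-03-04", "2015-06-01", hash_password("hunter2")),      # in dump, idle in 2016
        (2, "old_active", "2012-11-20", "2016-05-09", hash_password("correcthorse")),  # in dump, logged in 2016
        (3, "never_logged_in", "2010-01-15", None, hash_password("letmein")),          # in dump, never came back
        (4, "new_user", "2014-02-14", "2015-01-01", hash_password("tr0ub4dor")),       # registered after the dump
    ]
    conn.executemany(
        "INSERT INTO users (id, username, created_at, last_login, password_hash) VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def force_reset_stale_accounts(conn: sqlite3.Connection) -> List[str]:
    """Overwrite the hash of every affected account with the hash of a random
    secret that is discarded immediately. Nobody, operator included, can log in
    with the new value; the only way back in is the password-reset flow."""
    cur = conn.execute(
        "SELECT id, username FROM users "
        "WHERE created_at < ? AND (last_login IS NULL OR last_login < ?)",
        (CREATED_BEFORE, INACTIVE_SINCE),
    )
    affected = []
    for uid, username in cur.fetchall():
        throwaway = secrets.token_urlsafe(48)  # 64 URL-safe characters, never logged or stored
        conn.execute(
            "UPDATE users SET password_hash = ?, must_reset = 1 WHERE id = ?",
            (hash_password(throwaway), uid),
        )
        affected.append(username)
    conn.commit()
    return sorted(affected)


if __name__ == "__main__":
    db = build_sample_db()
    print("reset:", force_reset_stale_accounts(db))
```

The selection deliberately treats a NULL last_login as "never logged in" rather than skipping the row; an account from the dump that was never used again is exactly the kind an attacker with the cracked list would try first. The must_reset flag is what the login page would check to send the user to the reset form instead of reporting a bad password.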

181 comments

Comments locked

A moderator has closed this comment topic for the time being
  1. GraVmaN
    GraVmaN
    • member
    • 0 kudos
    I think it's unlikely anyone will buy that list so they can hijack a user account to post in the forums or download some files. It's more likely the email addresses will be used to send spam to. Looks like I am among the affected as my account was made almost 6 years ago. As such, I have changed my password of course.
    1. PositiveGamer101
      PositiveGamer101
      • member
      • 1 kudos
      XD you also have to remember some of these accounts could have real information...critical information like a credit card or such
    2. Helmic
      Helmic
      • member
      • 5 kudos
      Password reuse is common for people that aren't already using a password manager. A username/email/password combination presents a habit. If [email protected] uses the password l@ad7ph1dz on one site, they likely use that same email and password on another site. You're also attaching that email to a likely demographic and interest - if someone has a Nexus Mods account, they likely also have, say, a Steam or Humble Bundle or Battle.net account or anything else gaming-related.

      Each individual account stolen doesn't have to be worth tens of thousands of dollars, it just needs to be worth something because they're dealing in bulk. Something high value like a Humble Bundle account can easily be flipped by grabbing all the keys and throwing them onto G2A who quite famously don't give a fuck. The hacker would be using scripts to try all these accounts, comparing them to leaked emails from other sites to see who's been confirmed to be signed up where.

      Or they might just use it for cheating. Log into someone else's Steam, hack in CS:GO or Overwatch and have fun, and when the banhammer comes down it's no skin off their nose.

      Using a strong, unique password on each site is really the only way to stay safe nowadays, and that's just not going to be doable by human beings without the help of a password manager.
  2. Zaldiir
    Zaldiir
    • Moderator
    • 488 kudos
    In response to post #42022505.

    GraVmaN wrote: I think it's unlikely anyone will buy that list so they can hijack a user account to post in the forums or download some files. It's more likely the email addresses will be used to send spam to. Looks like I am among the affected as my account was made almost 6 years ago. As such, I have changed my password of course.

    PositiveGamer101 wrote: XD you also have to remember some of these accounts could have real information...critical information like a credit card or such

    No credit card information is stored on NexusMods.
  3. PositiveGamer101
    PositiveGamer101
    • member
    • 1 kudos
    I wish there was a way I could help, but don't bother asking me to donate because after what happened I don't think putting in real info is going to help...no offense
  4. User_1076479
    User_1076479
    • account closed
    • 0 kudos
    Yeah well I got hacked, look at haveibeenpwned.com and my s#*! was up for sale on the deep web from a breach of this site. You fuckers downplay these breaches to save your own asses, yet you want me to donate cash to you to run the site but my s#*! gets stolen under your noses. Thank Jesus I never gave you any info into my PayPal or credit cards. Get your s#*! together. You find a fucking breach a year later?! Do you even check your fucking logs on a weekly basis? Daily?
  5. bben46
    bben46
    • premium
    • 781 kudos
    Ten years ago (some of our accounts go back much further than that) a simple password for a site like Nexus was sufficient. After all, there was no money to be had for the effort and the worst you could do was use a hijacked account to troll the site. Then the criminal scum discovered that many of the members were dumb enough to use the same password on other accounts where they could steal real money. Not many, as the majority of the users on a game site were young enough that they didn't have credit cards. But those kiddies grew up and many still didn't change their simple, easy-to-crack passwords. But now they had jobs, money, bank accounts and credit cards. Now cracking a password on Nexus still didn't get them any money directly, but it might get them access to other accounts where they could steal some money. And access to social media accounts where they could harvest a lot of personal info that scammers and spammers will pay for.

    I have a very close friend who posted her telephone number in an open FB post to someone. She has been swamped with spam and scam phone calls on that number, as many as 7 or 8 a day. That phone number was likely harvested by a scraper that reads thousands of FB posts every second looking for data like phone numbers, email addresses, mailing addresses and any other valid personal information. The scraper then sold her verified phone number, along with hundreds of others, for about 5 cents per number. That doesn't sound like much, but they likely sold her number in a package that included around 10,000 already verified good numbers, making them $500 from each of a dozen or so scammers and making their total haul around $6 to 7k.

    Change your password if you haven't already - AND do not post private info on any public forum.
    1. Gharuk
      Gharuk
      • member
      • 0 kudos
      > there was no money to be had for the effort

      I think a significant danger is the use of hijacked mods to distribute malware (i.e. to grow botnets). If I were a Nexus coder, I'd build some kind of tripwire into the Nexus that would be set on any account that had more than N downloads a day on it, and post an email to moderators to check out uploads if they came from IP addresses that the account owner had never uploaded a mod from before, or something like that.
    2. Roccondil
      Roccondil
      • supporter
      • 1 kudos
      That, or at least if an account has been inactive and then suddenly re-uploads/updates an old mod that hasn't been touched in years, it should be flagged.
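Gharuk's tripwire and Roccondil's dormant-account flag, combined into one detection routine as an added example. This is not code from Nexus Mods or from either commenter; the per-account history (earlier upload IPs and a daily download figure), the thresholds, and the upload events are all constructed here, and the event format is assumed. It shows the one design decision that matters for a tripwire like this: a flagged upload must not teach the system to trust the address it came from.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

DORMANT_AFTER = timedelta(days=365)  # assumed: a year without uploads counts as dormant
DOWNLOAD_THRESHOLD = 1000            # Gharuk's "N downloads a day"; the value is assumed

# Constructed per-account history: earlier upload (ip, timestamp) pairs and the
# average daily downloads of that author's files. Not real accounts or data.
SAMPLE_HISTORY = {
    "modder_a": {"uploads": [("203.0.113.5", "2013-05-01T10:00:00"),
                             ("203.0.113.5", "2013-06-10T12:00:00")], "daily_downloads": 5000},
    "modder_b": {"uploads": [("198.51.100.7", "2016-03-02T09:00:00")], "daily_downloads": 40},
    "modder_c": {"uploads": [("198.51.100.20", "2016-08-15T18:30:00")], "daily_downloads": 12000},
}

# Constructed upload events to run the tripwire over.
SAMPLE_EVENTS = [
    {"account": "modder_a", "ip": "192.0.2.44", "ts": "2016-09-01T03:12:00", "file": "bigmod-v2.zip"},
    {"account": "modder_b", "ip": "192.0.2.9", "ts": "2016-09-01T04:00:00", "file": "smallfix.zip"},
    {"account": "modder_c", "ip": "192.0.2.77", "ts": "2016-09-01T05:45:00", "file": "texturepack.7z"},
    {"account": "modder_c", "ip": "198.51.100.20", "ts": "2016-09-02T08:00:00", "file": "texturepack.7z"},
]


def flag_uploads(history: Dict[str, dict], events: List[dict],
                 download_threshold: int = DOWNLOAD_THRESHOLD,
                 dormant_after: timedelta = DORMANT_AFTER) -> List[Tuple[str, str, List[str]]]:
    """Return (account, file, reasons) for every upload a moderator should look at.

    Two triggers: a popular account uploading from an IP it has never uploaded
    from (Gharuk), and any account uploading after a long silence (Roccondil).
    """
    known_ips = {acct: {ip for ip, _ in h["uploads"]} for acct, h in history.items()}
    last_upload = {acct: max(datetime.fromisoformat(ts) for _, ts in h["uploads"])
                   for acct, h in history.items()}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, ip, ts = ev["account"], ev["ip"], datetime.fromisoformat(ev["ts"])
        reasons = []
        popular = history.get(acct, {}).get("daily_downloads", 0) >= download_threshold
        if popular and ip not in known_ips.get(acct, set()):
            reasons.append("new_ip_on_popular_account")
        if acct in last_upload and ts - last_upload[acct] > dormant_after:
            reasons.append("dormant_account_reactivated")
        if reasons:
            alerts.append((acct, ev["file"], reasons))
        else:
            # Only uploads that passed every check update the baseline. A flagged
            # upload must neither whitelist the attacker's IP nor clear the
            # dormancy condition; that is a moderator's decision, not the script's.
            known_ips.setdefault(acct, set()).add(ip)
            last_upload[acct] = ts
    return alerts


if __name__ == "__main__":
    for account, filename, why in flag_uploads(SAMPLE_HISTORY, SAMPLE_EVENTS):
        print(f"{account}: {filename} flagged ({', '.join(why)})")
```

With the constructed data, modder_a trips both conditions, modder_c trips the new-IP check on its first upload and then nothing on the second (same IP as its history), and modder_b's new IP is ignored because the account is below the download threshold, which is the trade-off Gharuk's "more than N downloads" condition implies: low-traffic accounts get less scrutiny in exchange for fewer moderator emails.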
    3. nurmi90
      nurmi90
      • supporter
      • 4 kudos
      Haven't thought before about somebody using ad tactics for stolen info. Curious puzzle.

      Ten years ago my WoW & Curse logins were the same, so I can't help recalling: obviously one day my dear Tauren Shaman got cleaned out, and back then it clicked for me that we are going to see so much trouble from people using the same logins. I figured to just tier accounts so it's easy to manage and pointless to have my forum account, plus if a "C" tier game login gets stolen then I know to change them all. A simple password doesn't matter because nobody is going to really crack the password; it's you who is making the mistakes.

      Very likely that most Nexus logins work everywhere and can be sold separately from game to game, then finally it ends up being a Twitter bot.

      PS: I think that my same old forum account has been stolen from every single forum I have put it into and it's like my very own cancer-pet. Then it's also amusing to think a site admin seasonally just selling the whole list like it's some ad revenue.

      Short version: You only need one cancer-pet.
    4. ragnaroklucifer
      ragnaroklucifer
      • premium
      • 28 kudos
      "Then, the criminal scum discovered that many of the members were dumb enough to use the same password on other accounts where they could steal real money." So my friend's banned account's password stolen from Nexus could be used to log in to his other accounts on other sites? Why not scrub the passwords of banned accounts? They can't log in anyway...
    5. Trafalgard
      Trafalgard
      • member
      • 0 kudos
      > So my friend's banned account's password stolen from Nexus could be used to log in to his other accounts on other sites? Why not scrub the passwords of banned accounts? They can't log in anyway...

      Why doesn't your friend change his other passwords, lol? It's not like changing his nexus password will stop anyone who already has it from trying it for his other accounts on other sites.
  6. gta0gagan
    gta0gagan
    • member
    • 0 kudos
    How to check when our account got created?
  7. Thandal
    Thandal
    • Moderator
    • 184 kudos
    @Onigamibr: Please submit a Support Ticket using the "Contact Us" link at the bottom of the page.
  8. Onigamibr
    Onigamibr
    • member
    • 28 kudos
    I've been away from Nexus a bit and it seems that I've lost my password too, and I think this account is connected to an old email which I don't use anymore and don't have access to anymore. How do I get my account back? Will I be forced to make a new account because of this?
  9. KenzakiJirou
    KenzakiJirou
    • member
    • 1 kudos
    Sup Guys!

    About password recovery, can I get my old account back? I tried to change my password, but the email is not sent to my email address. Anyone, please help. //Sorry for my bad English.
  10. Korodic
    Korodic
    • premium
    • 610 kudos
    This explains why some A'hole Russian tried to hijack my EA and Ubisoft accounts. Wasn't hard to take them back; I'll be more careful going forward. Plenty more breaches coming up -- too many websites to have a custom setup for anyone really. :/