• Home
  • Download FFR
  • Play in-browser
  • --- Info ---
  • New Player FAQ
  • Song List
  • Daily Stats
  • Credit Shop
  • Tokens
  • Wiki
• Leaderboards
• Community
  • Forums
  • Profile Search
  • Random Thoughts
  • Latest Photos
  • --- Contact Us ---
  • FFR Staff
  • Suggestions
  • Report a Bug
• Sign Up!

Information Breach

Hello everybody.

As some of you may have seen from the forums, the website https://haveibeenpwned.com/ is reporting that there was a breach of FFR in February of this year, resulting in the compromising of Usernames, Email Addresses and IP information, as well as Salted MD5 password hashes. Further, the Vigilante.pw twitter feed claims that as of July of this year, a large majority of those accounts had their passwords successfully cracked into plaintext.

What this means for you is a couple of things. If you use your FFR password for any other websites or services, you need to change those passwords right away. We actually have no evidence on our side of this breach, but there’s no reason to doubt muiltiple sources reporting it, so we need to treat it like it is fact.

What it means for FFR passwords is a little more complicated. Some levelling with you is going to happen now.

Due to various issues (Mostly the non-profit nature of the site and the absence of Synthlight) it is unlikely that we’ll be able to upgrade the security architecture in any especially meaningful way. As well, while in 2008, salted MD5 hashes were fairly secure, that has become less so as time passes. We are investigating ways to store passwords more securely that are still compatible with our existing systems, but in the near-term in today’s information security climate, we have to basically be frank that we lack any especially compelling ways to secure your password.

Out of the salted hashes compromised in the breach, nearly 400,000 of them remained uncracked. Those were users who had very strong passwords. Even with the comparative ease with which MD5 can be cracked, sufficiently strong passwords are at least some deterrant to these attacks. So for FFR, like any and every other service you have with a password, your best bet is to use a password manager like KeePass to generate you very strong passwords unique to each source. If you don’t want to use something like that, the usual suggestions for strong passwords apply: a mix of uppercase, lowercase, numbers and symbols, as long as possible, bearing no resemblence to any personally identifying words or phrases, and avoiding things like simple substitution (3 for e or 1 for i etc).

While we are definitely sympathetic to anybody who had passwords compromised that are used in any other places, please do understand that the first we heard about this breach was when it was posted in the forums, and investigation on our end needed to happen to try and confirm the reports, assess what happened, and try to figure out where we actually stood with regards to our options, and that we haven’t been trying to avoid, ignore or otherwise not address these issues by mostly remaining quiet up until now.

We apologise for the effort in changing passwords this is going to cause, and any alarm caused by our taking a few days to assess before saying something.

- Devonin and the FFR Team

This entry was posted on Thursday, September 8th, 2016 at 11:35 pm and is filed under Flash Flash Revolution. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

17 Responses to “Information Breach”

1. 1: rayword45
   Posted at 11:47pm on September 8th, 2016

   I haven’t used this password since I was 12.

   If you wanna hack this account and gain absolutely nothing be my guest.
2. 2: RenegadeLucien
   Posted at 12:48am on September 9th, 2016

   Dang it Tonic what have you done now
3. 3: _Zenith_
   Posted at 12:56am on September 9th, 2016

   I have been PWNED!
4. 4: IwasAsquidOnce
   Posted at 3:08pm on September 9th, 2016

   Youre telling me my neopets, battleon, and even RUNESCAPE passwords are at stake here?! WTF!
5. 5: Dinglesberry
   Posted at 3:15pm on September 9th, 2016

   I hope someone logs into my account and Aaas some songs :p
6. 6: ricky54326
   Posted at 1:39am on September 10th, 2016

   Hey FFR team, maybe you’ll see this, maybe you won’t.

   I’m a software engineer, and I’d be happy to work with you all to add some more robust-ness to the security. Out of the kindness of my heart and the fact that I’ve enjoyed FFR since I was in middle school.

   Shoot me a PM if you guys would like some help, I’d hate to see the site go to shit just because you guys don’t have the manpower to deal with this.

   Ricky
7. 7: devonin
   Posted at 9:53am on September 10th, 2016

   It’s honestly less of a manpower issue and more of a “The versions of everything we’re running are years out of date, and we don’t have any way to move them to newer versions” issue.
8. 8: ricky54326
   Posted at 11:47am on September 10th, 2016

   For compatibility reasons? I’d definitely be happy to help, if it’s something you all want. I don’t want to see FFR die, it’s definitely been my go-to rhythm game for a decade now lol
9. 9: JojoII
   Posted at 1:21pm on September 10th, 2016

   Let him help. Id offer my help, im fluent in C, learning asm, wrote an mmorpg, script engine and did a wide variety of shit that i just never got finished due to drugs being more fun.

   it totally is a manpower issue if the issue is that no one feels like re-writing crap.

   i can understand that though and i can understand that these types of hackers are just scumbags who have nothing better to do. i used to find this kind of shit funny but really all it does is piss me off now a days

   it’s like witchcraft but instead it’s niggercraft
10. 10: Dinglesberry
    Posted at 5:51pm on September 10th, 2016

    Lol man the hell does that mean fluent in C? You mean you understand memory management and pointer manipulation?

    The issue is everything is a tangled Web of links and dependencies, if you ever looked at the source codes that are available, you would realize this. Like for example, the engine for the game is hard coded to the site, so if they wanted to move the site forward, they would need a complete engine rewrite.

    The scope is alot larger than you think unfortunately, the first thing is rewriting the engine, but to do that you need to rewrite the site, but to do that you need to rewrite the engine, but to do…
11. 11: ricky54326
    Posted at 9:18pm on September 10th, 2016

    Sure, but switching over to better authentication, possibly 2FA and a better solution to storing passwords is something I can definitely help with. Did InfoSec at Visa for awhile, and engineering at tons of other places. If it’s something I can help with, PM me, otherwise if not nbd.
12. 12: HeZe
    Posted at 10:48am on September 11th, 2016

    Lol, the saddest thing to hack FFR!
13. 13: Felyx
    Posted at 8:28pm on September 11th, 2016

    If you need security help I’m around. I’ve got 7 years experience in database management and security (both MSSQL and MySQL)
14. 14: Skullbac
    Posted at 10:29pm on September 12th, 2016

    Im gonna be hated for this but im one of the few lucky ones who hasnt got their stuff compromised. Phew
15. 15: pedolad
    Posted at 1:33pm on September 14th, 2016

    lol my pettalad account was compromised… boo
16. 16: Dinglesberry
    Posted at 3:02pm on July 28th, 2017

    jokes on ya’ll i still havent changed my password since, hack me bruh i dare you

Leave a Reply

You must be logged in or registered to post a comment.