The short answer is NO, absolutely it was not. An individual used emails and passwords found on the internet and used a brute force attack to log into peoples accounts that have used the same emails and passwords for multiple online services. Though none of Uplands servers were compromised the event has given the Upland team an opportunity to evaluate ways they can help protect users who may re-use passwords. Please see the announcement made on the Upland Official Discord Server today.
Compromised accounts via scripted access using publicly available account database , Jul 21st 2020
On July 21st, an Upland player has committed a malicious abuse of Upland’s authentication API. This method involved taking publicly available combinations of emails and passwords from accounts (outside of Upland) who have been compromised in the past and trying to log into Upland with those combinations. Out of millions of attempts made, the perpetrator seems to have gained access to about 293 Upland accounts, out of which 58 were active Upland players (as opposed to visitor accounts that have been recycled). It is possible that there are more accounts on those public lists that have matching accounts in Upland.
It is extremely important to note that at no point were Upland’s servers ‘hacked’. Upland does not store passwords on its backend (but only stores hashes of passwords that are impossible to hack or reverse engineer)
Following the brute force action, the perpetrator then proceeded to login with 6 compromised accounts, and managed to steal a total of 83 properties out of these accounts into two separate Upland account that he seems to have been using. Following this action the perpetrator’s account was then jailed in Alcatraz.
In the aftermath of the event, the perpetrator posted different lists and api data (that is only accessible with a known password) in different social channels. Although we assumed from the start that his claims were fake, we took the time to investigate and validate beyond our doubt that a) The lists posted were the same lists that are available today publicly on the Internet b) Most of the accounts listed there were either non-existing in Upland, or existed but did not enable access to the account c) The supposed API returns (shown in the screenshots) were manipulated to seem as though they carry the password in them which is an absolutely impossible scenario
It is important to state loud and clear that what the perpetrator did is considered criminal activity. We have numerous identifying details of that person and have begun working with law enforcement.
What we did in the short term:
These are the actions we took immediately as a response:
1. Locking out of those 58 identified accounts, so they can only log in back after they’ve changed their passwords
2. Implemented a mechanic that locks out player accounts that have failed to login with correct credentials for 3 consecutive attempts
3. Added increased security rules for our authentication API that will help disrupt similar attempts in the future
It’s important to note that part of the reasons why we didn’t have stricter rules to help prevent this type of activity had to do with our tendency to support legit 3rd party tools that wanted to make use of our APIs. We are going to reevaluate this policy in order to find the best middle ground to still allow api usage while also providing stronger protection against attacks. At the end of the day, it is impossible for us to ultimately protect against an account who’s password was compromised.
What we are doing in the longer term:
Uplander’s digital assets accumulated in the game all have an extra layer of security by virtue of being stored on a public blockchain network. Access to these assets is only possible with the knowledge of the player’s private password, which is used to decipher the player’s private keys and is never stored deciphered on Upland’s servers. Nevertheless, we have seen how disruptive any form of account compromise can be for the community, and here are some of the things we will be working on in order to improve transparency and trust: 1. We will start working with an external security auditing party and will publicly post findings 2. We will evaluate integrating more methods for 2FA as suggested by the community 3. We will work on offering a proactive authentication via 2FA, so players aren’t set back with authentication with time-sensitive features such as treasure hunts
How can players protect themselves in the future:
We urge everyone to make sure that they use a unique and strong password for their Upland account. This will prevent any chances of having the account compromised using these types of penetration methods. On top of that, we strongly encourage enabling 2FA with your own real phone number. Phone based 2FA is extremely difficult to get past without access to the physical phone, and provides yet another layer of protection. Upland will never call you or send a message via phone other than for authentication and we will never share your phone number with a 3rd party.
Please, if you re-use passwords, don't do it somewhere with real world value. Or even better, don't re-use passwords. Get a password manager and use strong passwords. Whenever possible use 2FA. Stay careful out there everyone.
I hope you find my posts informative, helpful, or amusing. Whatever the case thanks for your time.
Please comment with your thoughts.
You can follow me on the following platforms:
To learn more about me or support my blogging efforts check me out here:
If referrals are your thing then you can check those out here:
Uplandme, Inc. is not responsible for any content or any other public communication by me on this or any other medium.