Concerning database breach on the Two Plus Two forums

01-11-2017 , 08:36 PM
On January 8, 2017, users informed us that information from our database (including username, email, encrypted password, birthdate and IP address) was for sale. We believe this came from a vulnerability that our security monitoring service had alerted us to six weeks earlier which was fixed, immediately, upon discovery. But as we are now aware, information was stolen, and once we became aware, we began the process of notifying users and forced password resets were initiated.

It is also our opinion that this was not a problem with the software which runs our forums. We and the vendor (vBulletin) are of the belief that it is safe and secure. Rather it was an issue with some auxiliary software on our servers which are located at Rackspace, Inc. Steps have been taken, believed successful, to ensure as much as possible such problems do not reoccur.

As a reminder, please, do not use your (new) forum password (or similar) on any other site. If you used your old forum password elsewhere, do not neglect to change those passwords as well. Finally, do not rely on a user's 2+2 identity, alone, when conducting any transactions which matter to you.
01-11-2017 , 08:44 PM
Does this mean someone can hax my zynga account?
01-11-2017 , 08:55 PM
ty for update, don't understand why these people have been hacking forums lately when every time they try to sell the info or hold it for ransom the sites just say w.e we aren't paying anything and just get everyone to reset their passwords etc.

Dec 26 a popular gaming forum for Counter-Strike got hacked (esea.net) in presumably the same way and the people were trying to hold the info ransom for $100k before giving up in days and releasing it all publicly lol.

Worst thing that probably happens is everyone's emails getting put/sold on spam lists so we get Nigerian princes contacting us more often
01-11-2017 , 10:51 PM
Is it only the current password that has been hacked or all the past passwords?
01-11-2017 , 11:21 PM
To our knowledge, only the password that existed on approximately November 20 is vulnerable.
01-12-2017 , 02:33 AM
FFS, how many times is this going to happen?
01-12-2017 , 04:22 AM
Who was the hacker?
01-12-2017 , 09:20 AM
Tuma has a good point.
Why would anyone hide the hacker's identity?
2+2 should publish everything they know abt the hacker, email address, IP address, everything.
01-12-2017 , 09:51 AM
Quote:
Originally Posted by kb5zcr
Tuma has a good point.
Why would anyone hide the hacker's identity?
2+2 should publish everything they know abt the hacker, email address, IP address, everything.
Maybe to play devil's advocate, or to just state the obvious, if someone is hijacking large forum databases passwords / info etc they probably know how to use a proxy and hide their identity / IP / email etc.
01-12-2017 , 10:36 AM
kb5zcr & Tuma,

It might be illegal to make public allegations of criminality.

Just as it might be illegal in many jurisdictions to say the operator of a vehicle with registration ABC-123 is a wife beater (without, of course, a guilty verdict) it might be illegal to say the operator of IP address 123.456.789.012 is a hacker. This is even more likely when there's a good chance that the true operator/owner of that IP address is innocent (after all, if the FBI or NSA can't even conclusively attribute hacks in a definitive manner, how can 2p2 possibly be expected to do so?).

I'd be interested in what an expert lawyer might say on such an issue.
01-12-2017 , 10:45 AM
I am a noob.... What does this mean for your average Joe?

Should we change anything else other than our passwords? IE is it feasible for someone to have my bank details now?
01-13-2017 , 12:53 AM
I understand the point, but I still think that some info could be released, i.e. the IP address was in Florida, or China, or wherever. It just seems like there should be more info than "We were hacked, about this date, change your password"
01-13-2017 , 03:14 AM
Quote:
Originally Posted by kb5zcr
Tuma has a good point.
Why would anyone hide the hacker's identity?
2+2 should publish everything they know abt the hacker, email address, IP address, everything.
Besides the liability concerns already mentioned: Assume your house is broken into. Your stuff is stolen, maybe some things you borrowed from various friends. Is your first move to tell all your friends the evidence or to tell the authorities? Especially if your friends in this case are tens of thousands of people and telling them required you to tell the public at large.
01-13-2017 , 03:16 AM
Quote:
Originally Posted by kb5zcr
I understand the point, but I still think that some info could be released, i.e. the IP address was in Florida, or China, or wherever. It just seems like there should be more info than "We were hacked, about this date, change your password"
This happens to much larger companies than twoplustwo, some of the largest companies and governments have had much more sensitive data than usernames, emails and IPs released. They don't release identities or location info this early in the game.

Don't forget the Skype IP leak where you can gain user IPs just by using Skype. That's a major Microsoft product. That's been going on for a long time and the "solution" is to open a Microsoft Live account. If you give MS enough info they will protect you.
01-13-2017 , 04:23 PM
Quote:
Originally Posted by ChicagoRy
Don't forget the Skype IP leak where you can gain user IPs just by using Skype. That's a major Microsoft product. That's been going on for a long time and the "solution" is to open a Microsoft Live account. If you give MS enough info they will protect you.
Microsoft patched the Skype IP vulnerability more than a year ago.
01-13-2017 , 11:21 PM
Quote:
Originally Posted by ronl2k
Microsoft patched the Skype IP vulnerability more than a year ago.
Thanks for the correction. It was found in 2011, so only took them five years!

There's still the issue with spam accounts (those links that end in =username), that's been going on a while too.
01-14-2017 , 01:00 AM
Would be good to know how info is stored
01-14-2017 , 01:19 AM
Quote:
Originally Posted by kb5zcr
I understand the point, but I still think that some info could be released, i.e. the IP address was in Florida, or China, or wherever. It just seems like there should be more info than "We were hacked, about this date, change your password"
As someone in the information security industry, releasing this information would provide no value (if it's even available, the originating IP may not have been logged or if it was logged the log may have been deleted.) Any low level hacker will be utilizing someone else's already compromised PC - it could very well be yours and you wouldn't know it. At a minimum they won't "attack" from "out in the open" via their home.

Investigations take a long time and for breaches like this the cost of an in-depth one isn't worth it. Not saying that no investigation is being done, just basing it off of my experience. The only thing likely known at this point is that there was a breach and as stated, you should change your password. Also, change your passwords on other sites if you used the same username/password combo.

For critics of this being another breach, you severely (and I really mean severely) underestimate the number of breaches you don't hear about. Ignorance can be bliss.

Assume the person/people that were successful in this attack are reading these posts and are looking to leverage your account for more monetary gains (i.e. using your 2p2 username/password to login to your online banking.)

Quote:
Originally Posted by OFA
I am a noob.... What does this mean for your average Joe?

Should we change anything else other than our passwords? IE is it feasible for someone to have my bank details now?
If you were using the same password (especially username/password combo) you should go ahead and change your online banking password. Never reuse passwords for sites that have any $$$. If your bank offers two-factor authentication, use it.

As for the average Joe, this probably doesn't mean much. Data breaches happen daily. Just don't reuse your credentials across websites, email services, etc. Companies overall are just really behind the ball when it comes to security and oftentimes something small goes overlooked which allows a breach to happen.

(I'm in no way affiliated with 2+2, just wanted to chime in here)

Last edited by Chuckled; 01-14-2017 at 01:30 AM.