Update on the Unity Forum Hack.

Hi all,

On April 30, our public forum website was attacked and successfully compromised due to poorly implemented password routines; our investigations show no theft of passwords in this attack, nor impact to any other Unity service.

However, the attack did result in defacement of the site (which has since been fixed) and subsequent messaging to all of our registered forum users.

We’re actively working to improve the authentication options in our services, and to help protect your data we’ll be rolling out the following in the next few weeks:

2FA Authentication

2FA will enable you to use one time passwords tied to the Unity Authentication platform. This will also be enforced in forums.

Device Identification

Device Identification will alert and/or prompt you if a new PC or Mobile device tries to connect to a Unity service, with your credentials.

Password Policy

Enable a per organization password reset, rotation and strength policy.

We’re sorry. We know you put your trust in us. We will learn from our mistakes.

Andreas Haugsnes

Director of Security

—–

Update: May 2

Thanks to all of you for waiting patiently. In Security, we’ve been looking at every question that you’ve submitted and are making our best effort to answer them. Below is a list of the most frequently asked questions, and we hope this addresses a few of your concerns.

Q: What steps are you taking to help prevent this attack from happening again?

A: As posted in the original blog entry, we’re rolling out three key features for authentication and password management. With these features, each registered user and organization will over time have more control over their security features at Unity. These controls will give us new insights into unauthorized access attempts, helping us better detect and combat such attempts.

Q: Are the forums safe to use now?

A: There’s no such thing as perfect or complete security, especially for high risk targets like public forums. In this case, we’ve identified the entry point for the unauthorized access and have since closed it. The forums have been restored from backups to the state prior to the incident, to remove any data the unauthorized access may have left behind.

Q: Was my e-mail address exposed?

A: There was unauthorized access to servers and an unauthorized email blast. This means that email addresses were exposed. However, this does not necessarily mean that any or all of those email addresses were separately collected and stored. This is part of the ongoing investigation.

Q: How did Unity store the passwords on the forum?

A: No passwords were stored in the forum database.

Q: Is my password at risk?

A: Our investigations have determined that no passwords were stolen in this incident. No one can ever guarantee the safety of your passwords, so reasonable measures should always be taken to protect them. For instance, subscribing to user and password compromise notification services, while protecting your accounts with unique passwords in a password manager, can help reduce your exposure considerably. The combination of having a unique password per site, and changing them frequently, also assists in increasing your security.

Q: Is Unity taking any additional actions to help protect my passwords?

A: Yes. The first phases of “Device Identification” as mentioned in the original blog post have started to roll out. If we detect that your registered account has been brute forced or flagged in a compromised account list (“known hashes”), your account will be prompted to reset the password on next login.

Q: What should I do to protect myself?

A: While we can’t give advice in individual cases, here are some general recommendations and best practices:

  1. If you received the e-mail sent by “ourmine” via Unity’s systems, discard it.

  2. Check if your address has been a part of a prior breach.

  3. If your information was leaked on other sites, make sure to change your passwords.

  4. Use a password manager to reduce your exposure.

Translated from: https://blogs.unity3d.com/2017/05/01/unity-forum-hack-update/
