Regarding Password Change Email

[JoeW]

Hey all, 

I am forcing password resets on accounts, so I figured I would let people know what was up. 

Earlier today we found a long time forum user post a spam link. When checking into a case of an apparent compromised account I noticed several others. At that point as a in an abundance of caution I forced password resets for most users while I investigated the cause. 

We didn't see anything else unusual and it appears to just be the regular old badguy fishing for weak accounts. 

I did make a change to require stronger passwords, not TOO strong because that's super annoying. But strong enough to avoid super weak passwords. (which I believe is what this badguy is doing)

Also, please make sure to use a unique password with a mix of letters and numbers. 

If you run into any issues, just hit us up on our support site at https://support.klei.com and we'll be happy to help you out. 

[JeMiChi]

Thank you for taking care of this and letting us know!

My friend that's no longer active here asked me if I knew what was up with a password reset request they received. Now I can let them know.

[Jacq]

Thanks for the explanation also. It had been so long since I was here last I thought the request form itself might have been fishing haha.

[1337bignose]

how should i opt-out the klei account? at least want to delete klei forum account but there's no option for get out of here.

if this reset are for anti spambot purpose, hope to give some choice to users long time not active on Klei's game and forum.

(as far as i've known, keep saving not-activated customer account info on server more then 5 years or reject on dismiss account and force it to maintaining is illegal in most of OECD countries)

also there's no explanation of this event to user email.. considering send one more mail to customer's not shock or nervous about email.

Thx.

[rek]

I was about to ask if there was a data breach, haven't been here in years and thought it was out of the blue, good to know there is no major incident

[TheKingDedede]

If I'm able to log into my Klei Account just fine (I was unaware of a malicious phishing link going around) does that mean I have to reset my password the next time I log off of my account?

[patokaakotap]

same here. made the account close to a decade ago and never did anything with it, didnt even remember i had it. cant find way to delete it either, which is sth i always do to my old accounts. havent even not-starved in over 8 years...

[Dracconis69]

As others have mentioned above, the process in which this was done was in a manner not becoming of a great company. For future reference, when requesting a password reset, the email needs a more detailed explanation giving the reason for the request. Because in this day and age of sp(c)am mail that inboxes are inundated with on a daily basis can seriously be overlooked and deleted due to suspicion, especially to those, like myself and the ones mentioned above, who have not been to the forums in a sufficient amount of time to have forgotten they had an account. An out of the blue "For security reasons, the administrator of Klei Entertainment Forums has required you to reset your password." email is very suspicious and most will delete it.

[mulholland]

I haven't been here for years. Sorry for that!  

Anyways, just wanted to say that because of the password reset I noticed that I really missed being able to activate any multi factor authentication methods. Please add the option to do so. It makes it feel safer. Thanks!

[JustGeorgie]

i was worried something big happened and came here to find this, but i'm glad it was a minor case. unfortunatly i agree that the way the email is written may make people wary of it and i dont expect everyone to come here and see whats going on like i did.

all in all thank you for looking out for us

[CameoAppearance]

Personally I was wondering if you were checking account info against something like Have I Been Pwned, since not everyone was getting the emails. I examined the sender address very closely and it sure looked legit, but I was still suspicious that it could have been spoofed, so instead I opened up the "forgot your password?" form and had it send me a reset email from there. (It came from the exact same email address, but I wasn't sure, and years of internet safety training taught me not to open links in emails that asked me to input or reset my password if I didn't request them.)

[Sinister_Fang]

Ah, I was wondering what was going on. The email looked very suspicious due to how short and vague it was. Had it been anything else I would have just deleted it and moved on, but a Klei forum account seemed like a weird thing for a phishing attempt so I came to investigate.

[JoeW]

Yeah, I'm sorry it was such a pain for you all. 

Unfortunately I wasn't aware the forum was going to automatically send out the emails, I was going to send those out separately. In the 11 years we have operated these forums, this is the first time we had to reset passwords. 

I certainly would have sent a more clear message out. Sorry for the scare. 

[Duck986]

I suppose they were reset only for "pure" accounts (created using an email)? Because I used Steam to register a Klei account, and I don't see any changes.

[minespatch]

I was scared for a second. Thank god I checked my notifications.

[JoeW]

2 hours ago, Duck986 said:

I suppose they were reset only for "pure" accounts (created using an email)? Because I used Steam to register a Klei account, and I don't see any changes.

I didn't reset all passwords. And if you login with steam the forums won't have a password for you to reset. (Usually)

[isam2k]

I have never received a legit email like that and thought for sure it was a phishing attempt. The link was also http instead of https which set off alarm bells for me.

But now I'm curious and maybe we can figure this out. My mail requires a hardware token to log into and I get alerts for every login on my phone. I have not seen any suspicious activity on my mail or on any other accounts my mail is linked to except for these forums (which doesn't mean much because not everyone informs their users when stuff like this happens).

However that's still a hell of a coincidence for all of this to happen here, with multiple users of these forums affected. I'm not 100% sure but I think my old password was a generated one and I used a vault to log in. I'll continue to check on my end for any weak points but I suggest people at klei take another close look at their security.

[JoeW]

14 minutes ago, isam2k said:

I have never received a legit email like that and thought for sure it was a phishing attempt. The link was also http instead of https which set off alarm bells for me.

But now I'm curious and maybe we can figure this out. My mail requires a hardware token to log into and I get alerts for every login on my phone. I have not seen any suspicious activity on my mail or on any other accounts my mail is linked to except for these forums (which doesn't mean much because not everyone informs their users when stuff like this happens).

However that's still a hell of a coincidence for all of this to happen here, with multiple users of these forums affected. I'm not 100% sure but I think my old password was a generated one and I used a vault to log in. I'll continue to check on my end for any weak points but I suggest people at klei take another close look at their security.

I reset passwords across the board, not just accounts with suspicious activity. Basically, I hit the nuke button a bit too early. 

Normally, I think most of us are used to getting an email after the situation has fully been investigated. Generally, so they can avoid having to make a mess if they don't need too. At the time, I thought it was better to be safe than sorry. 

This definitely inconvenienced some people and I am sorry for that, but it was done to minimize any sort of damage. 

It's actually not abnormal to reset passwords for various reasons and it's a generally good thing to do anyway - however, the email that went out freaked a lot of people out (for obvious reasons). And as noted previously, I was unaware the forum was going to do that. I am going to be sending out a ticket to Invision about that. 

[isam2k]

Quote

I reset passwords across the board, not just accounts with suspicious activity.

 

I completely misread what you've written and I thought my account was among the spammers. Sorry for that.

[minespatch]

7 hours ago, JoeW said:

Basically, I hit the nuke button a bit too early. 

I would've sent a email to prepare people. Thanks for explaining.

[patokaakotap]

sorry to be a party pooper, but so is there a way to delete my data? been lookin for a while and havent been successful. dont starve was great for the semester that i wasted, but thinking about it mostly makes me sad these days, so i'd like to finally end that chapter for me

ps: great forum function btw, remembered this whole ash comment eventhough i closed the browser, navigated away and almost a week later it's still here.