sign in security (2fa)

[sirenni]

I just witnessed an entire thread getting locked because a hacker had gotten into a users account and made a very detabaitable ‘site suggestion’. This has gotten to be more than trading, hackers are impersonating users and posting/commenting things against cs’s rules. not only this but this was a user who had been active (adopting and such) throughout 2023 but was still hacked - they aren’t targeting older accounts anymore ! This has been serious the moment it started but this has gone to far - we shouldn’t have to worry about a hacker getting into our accounts and causing irrachangable chaos/damage right under our noses.

I think it’s obvious by now but they (hackers) are trying to cause chaos throughout cs - saying things against cs rules, causing unnecessary drama and discouraging people from trading from fear it will be reversed. They are trying to outsmart the cs staff but creating topics about the hacking which they are causing. I don’t know what everyone else are thinking but I know what I am - this is crazy.

I’ve already given my support but I truly believe this should be implemented ! I agree with this suggestion above all because this is giving the users a choice in their accounts safety ! sure not everyone will choose this option but the point is it will be available!

I need something protecting my account - we need something protecting our accounts

[lyney]

I just witnessed an entire thread getting locked because a hacker had gotten into a users account and made a very detabaitable ‘site suggestion’. This has gotten to be more than trading, hackers are impersonating users and posting/commenting things against cs’s rules. not only this but this was a user who had been active (adopting and such) throughout 2023 but was still hacked - they aren’t targeting older accounts anymore ! This has been serious the moment it started but this has gone to far - we shouldn’t have to worry about a hacker getting into our accounts and causing irrachangable chaos/damage right under our noses.

I think it’s obvious by now but they (hackers) are trying to cause chaos throughout cs - saying things against cs rules, causing unnecessary drama and discouraging people from trading from fear it will be reversed. They are trying to outsmart the cs staff but creating topics about the hacking which they are causing. I don’t know what everyone else are thinking but I know what I am - this is crazy.

I’ve already given my support but I truly believe this should be implemented ! I agree with this suggestion above all because this is giving the users a choice in their accounts safety ! sure not everyone will choose this option but the point is it will be available!

I need something protecting my account - we need something protecting our accounts

this is a bizarre pattern ive noticed with the second hacker in this website. they are oddly supportive of threads involving changes in the site's security? i even had them go on my safety post with a compromised account and try to compliment it. it's just.. so weird? like, you want to support the site's protection, yet youre the one causing it?? i don't get it. make up your mind.

but yeah, i cant believe they went under our nose like that, and a part of me is even annoyed. the compromised user from last night seemed to be involved in different breached websites, so please use this as a reminder to make a unique password only for chicken smoothie and chicken smoothie alone. the hacker is obviously seeking for attention through all of this, so the best you can do is just keep yourself and your account safe.

(edit: by annoyed, i don't mean the compromised user!! it's not your fault. i'm irritated with the hacker going on 2fa threads and supporting them despite being the root of the problem, AND starting the controversial thread. crosses my arms.)

i already said i supported, but bumping for others to see this thread. nick's implementations seemed to have slowed the hacker, but not fully.

[sapphipop]

god this is an even messier situation than before, it makes me want to be inactive until the issue is completely resolved but i'm absolutely terrified of ending up in a situation where i'm hacked and impersonated as well. we really need more security measures, and fast. i know the staff is taking their time and trying to figure everything out, but this needs to end.

[Lacuna]

I don't know if it was said on this thread, but CS's security was not compromised. User data was breached from another site in the past, which allowed bad actors to get into some CS accounts where users had not updated their passwords or used unique passwords. If you follow proper password protocol you are likely not in danger (can't say never, because some CS "hacks" come from literally inside your house, for example) and there is no reason to take a break from the site or anything similar. Please do not spread misinformation about data from CS being compromised, as this is not true.

Nick posted this (prior to the current front page announcement, but as stated there will be more):

I'm working on several security improvements right now, and I've deployed some already, there will be a news post soon with the announcement.

In the meantime, all it takes to keep your account secure is to have a unique good password for your CS account that you don't also use on other websites. The issues have been due to leaked passwords from sites like NeoPets being re-used here.

Additionally, I think some recent posts here are quite astute: people who used this data to compromise accounts did seem to want to sow discontent. They are likely responsible for some of the current rumors that are being repeated about CS data being breached, or that a much larger number of accounts were affected than reality. If there actually had been a data breach I'm sure there would have been a sitewide announcement that shared that, but that was not the case. The security being worked on now is to help protect users from other sites having poor security.

I understand that when I come into threads like this it can seem like I'm downplaying the situation, but I'm just trying to bring clarity and shut down misinformation that is making people afraid. Many have asked for staff to say something, and I am doing the best I can with what I know. Your feelings are valid but they may have been incited by bad information and I hope knowing the truth and seeing a calm post will help alleviate some of it.

[50blessingzz!]

thank you for clearing that up! i saw someone talking about a data breach in another thread and got really confused since it doesn't show up on the site i use to check if any of my emails are connected to compromised accounts, and they keep it updated daily.
also very important to remind everyone to use unique, *strong* passwords on every site they're on! if anyone doesn't do this out of concern of forgetting them, there's lots of free password managers! the ones built into your browsers are good enough, but there's more secure ones too that are offline and stored in an encrypted file on your computer

[macintalk]

like i said in one of my last replies in this thread, just because the amount of actual accounts that were compromised was low, does not mean a large number of accounts were NOT affected by this. there are hundreds of users who had reversed trades with hackers that they had no idea were even hackers, these people count as affected too. just because they weren't hacked themselves, does not mean the hacking did not affect them. also i think a large part of the misinformation is most likely because no staff (even still, excluding nick's post, which still doesn't give much information into what actually was happening) is giving information where EVERYONE can see it. people should not have to look 10+ pages into random threads to find information on what is going on from staff, that's just really unfair, and that's the main reason misinformation is still spreading - a large part of the player base probably has no idea of what staff has even said on the matter because they don't know to specifically go look for it. all of what you've said on this thread should be easily accessible to the rest of the users on site /gen - i don't think it should be buried in here, especially not the message about ways people can get out of C$ debt. the rumors that are being spread are being spread solely because we did not get information sooner, leading to much of the users thinking of conspiracy theories and posting wondering what was even going on. as the days went by continuing to be ignored by staff (at least, that's what it seemed to most people) people continued to spread more rumors because we were all trying to figure out what was going on. if we were told what was happening, something as simple as "hey, there was an exploit, and some accounts are compromised, we're working on fixing it right now," would have saved a lot of people conspiring and spreading rumors about what's going on.

[bubbaberriboo]

maybe if the staff was communicating with us better we wouldn’t be spreading misinformation.

posting important updates and whatnot on random threads is not the way to do it. there are still plenty of users completely unaware of all of this because nothing has been said on the actual announcements section. being vague about it and hiding real information in the forums where it’s difficult to find is exactly why misinformation is spreading in the first place. the lack of proper communication is making the userbase uneasy and on edge because they don’t know who or what to believe.

[Lacuna]

Just to be clear, I have no power to make sitewide announcements. I just wanted to put that info here as a PSA as the thread was getting off-topic. I have been posting where I can to the best of my abilities since I have been available (I personally was away at a work conference when this started). I apologize, I should have requested the thread to get back on topic in my post, but I am doing so now.

[lovely!]

10000% support

[Darni]

I don't know if it was said on this thread, but CS's security was not compromised. User data was breached from another site in the past, which allowed bad actors to get into some CS accounts where users had not updated their passwords or used unique passwords. If you follow proper password protocol you are likely not in danger (can't say never, because some CS "hacks" come from literally inside your house, for example) and there is no reason to take a break from the site or anything similar. Please do not spread misinformation about data from CS being compromised, as this is not true.

Gonna snip this little part because when this first started happening I was told ChickenSmoothie's security was breached and then told it was other sites like Neopets / other that got breached and the hackers were trying accounts here with same names using same password as the other site and getting in. I know you can't answer everything so I'm not expecting a long answer, but were all the users hacked so far sharing the password with other forum games/ pet collected / same type of sites? Again if you can't confirm or answer that's totally okay too!