CHANGE THE CS SECURITY SYSTEM

Suggest new features or changes to Chicken Smoothie.

Re: CHANGE THE CS SECURITY SYSTEM

Postby Lex. » Wed Jul 05, 2023 2:23 pm

pandaa wrote:
made these using EPIC!’s template!! (full creds 2 them!) figured id post some i made on here just in case anyone wanted to use them :)

These are AWESOME!

Animall wrote:This has been happening for around a week and I am only finding out now? Why hasn't there been an official announcement beyond a generic 'change your password' message?
This issue hasn't damaged my account at all thankfully, but I put zero care into the message that we did receive. My password is saved in my computer, it's randomized from when I forgot my password years ago, and I still don't know it, lol. However, had I known this is a serious issue, I would've changed my password immediately. Why isn't CS taking accountability for this security issue and owning up to it via the announcements? Why did I have to find out so late, and by other players -- not staff/admin? Am I missing something? Are they looking for more info before announcing? I would understand if that's the case, but at the same time, that allows the victim count to add up as each day passes. You shouldn't have to be an avid forum browser to know about this massive security breach.

Perhaps I am late to the party here, and please don't take my concern as aggression... but I'm really aghast here.


Yeah, that's exactly why SO many of us are upset. Well, at least one reason.

Re: CHANGE THE CS SECURITY SYSTEM

Postby Seasonal » Wed Jul 05, 2023 3:04 pm

Animall wrote:This has been happening for around a week and I am only finding out now? Why hasn't there been an official announcement beyond a generic 'change your password' message?
This issue hasn't damaged my account at all thankfully, but I put zero care into the message that we did receive. My password is saved in my computer, it's randomized from when I forgot my password years ago, and I still don't know it, lol. However, had I known this is a serious issue, I would've changed my password immediately. Why isn't CS taking accountability for this security issue and owning up to it via the announcements? Why did I have to find out so late, and by other players -- not staff/admin? Am I missing something? Are they looking for more info before announcing? I would understand if that's the case, but at the same time, that allows the victim count to add up as each day passes. You shouldn't have to be an avid forum browser to know about this massive security breach.

Perhaps I am late to the party here, and please don't take my concern as aggression... but I'm really aghast here.

Chicken Smoothie's security was not compromised. Other sites similar to CS have had their security breached in the past, and people tend to recycle their login info on websites that are similar to each other. This means that if you are using a password on CS that has been compromised elsewhere, then your account (and any account using that password anywhere) is at risk of also being compromised. It is very unfortunate for those who have been affected by this, but it is also a reminder of why using a unique password everywhere is so important - not just on pet sites, but across the Internet.
Seasonal
Admin Assistant
 

Re: CHANGE THE CS SECURITY SYSTEM

Postby onion » Wed Jul 05, 2023 3:28 pm

im gonna be honest.... seasonal that felt like a slap on the wrist to us. basically a "well YOU should have better security!" im kinda disappointed and hurt.

Re: CHANGE THE CS SECURITY SYSTEM

Postby daybreak. » Wed Jul 05, 2023 4:09 pm

onion wrote:im gonna be honest.... seasonal that felt like a slap on the wrist to us. basically a "well YOU should have better security!" im kinda disappointed and hurt.

It is well known among cybersecurity experts (not one myself, but I have two friends in the field professionally) that human error (e.g. reusing passwords or accidentally downloading malware) is the most common cause for security breaches (citation), so I don't think Seasonal's advice is unwarranted.

That said, since human error is known to be responsible for so many of these, there are measures in place that a site like CS could use to mitigate it, many of which are floating around as suggestions in this topic. I would like to see a more robust security system implemented in CS: it's not uncommon for other adoptable sites nowadays. Take for example Flight Rising's response to a similar situation:

In most cases, account compromises are the result of using a weak password, or re-using the same password on a third-party site which experiences a breach. While no method is entirely watertight in today's digital landscape, we feel [implementing the new security measures] will be another good step in the right direction.

The new measures aim to more precisely detect suspicious login activity, and add an extra layer of authentication to the login process if an anomaly is found.


I also understand CS is a much tinier team than FR, but I still think this should be a priority for site development. A periodical reminder to change your password is not a bad place to start. I'm eager to find out what additional improvements are planned c:

Re: CHANGE THE CS SECURITY SYSTEM

Postby Animall » Wed Jul 05, 2023 4:48 pm

Seasonal wrote:Chicken Smoothie's security was not compromised. Other sites similar to CS have had their security breached in the past, and people tend to recycle their login info on websites that are similar to each other. This means that if you are using a password on CS that has been compromised elsewhere, then your account (and any account using that password anywhere) is at risk of also being compromised. It is very unfortunate for those who have been affected by this, but it is also a reminder of why using a unique password everywhere is so important - not just on pet sites, but across the Internet.


With this issue being so broadly problematic... Even if CS refuses to admit fault, there is *definitely* fault in withholding information, and that fault grows larger each day. It's been a week without an announcement. At this point, it's hard to not feel as if CS is complicit. If it isn't a cs-specific security breach, and cs isn't at fault, then why is there an obvious hesitancy to mention it via announcements? Do we know what website are you implying had a breach? Why are there more victims every day? Why didn't you answer any of my other questions? Why are all the mods/admins here in defense, and quiet via announcements, if cs isn't to blame? Please forgive my brashness, I just don't think the staff/website response thus far has been adequate, and as a lifetime player, I'm really disappointed.

In general, I would argue that if another site has a breach, and it directly causes hacking on cs to this extent, then it's basically a low-level non-threatening 'breach' with an easy solution... transparency. The silence has honestly made me feel like cs is to blame. I really don't want to feel that way. An hour before I found out about this (today), I was telling my fiance that CS is the safest place on the internet that I've experienced and is really good at protecting its players. I immediately had to rescind that appreciation and I've been here since 09. Weird how that works. Weird timing. Lol.

I'm so sorry if my concerns are redundant, but considering I just found out about this, as well as the lack of an official announcement of this problematic trend (that has caused this much damage)... I just don't have the time to search the forums of all the different threads about this and read 20-40+ pages of discussion between players and staff. This is rares list level drama that I don't have time for anymore lol, I just want to be kept up to date to happenings and know that you guys are doing your best. I cannot believe that to be true unless it's posted on the home page announcements with emails sent out.

And @Onion, I agree. Ty.

@daybreak.
I don't think anyone is really butthurt about the reminder to change/make strong passwords. The hurt stems from the defensiveness of the cs team and lack of transparency for a considerably simple scenario. FR has a larger team but it takes 2 seconds and $0 to let us know what's going on. Staff are all up in these threads but still no announcement.

Edit: I guess this is all off-topic, which is valid, so I'm content without a reply here. Fully support an overhaul of the security system but ultimately I don't think it's the biggest concern to me. I'll switch over to the transparency thread (I found that way afterwards).
Last edited by Animall on Wed Jul 05, 2023 5:45 pm, edited 1 time in total.

Re: CHANGE THE CS SECURITY SYSTEM

Postby jesse.faden » Wed Jul 05, 2023 4:54 pm

jeeeez, reading all this.... im really not up to date on much. i only log in every so often for pet collecting. im not an avid player like i used to be.
what the heck is up with cs not taking accountability? i get the password notif, but everything else? they could have at least made an announcement. they need more staff and mods for this kinda thing. cant believe theyre JUST now implementing this kinda thing too. cs has been around more than a decade now, and it just now put in a "you haven't changed your password in a while!" thing?
edit: like one person here said, yes, these people are all humans with faults and flaws. but just bc they put a bare-bones statement for "change your password!" doesn't mean im gonna praise them. they did the bare minimum, if that, and have yet to put a REAL announcement. at this point, it's kind of ridiculous.
edit 2: nick codes this by himself?????? omg. yeah they should definitely hire some coders. the site itself runs fine, but nick doing this by himself isnt fair to him or users.
Last edited by jesse.faden on Wed Jul 05, 2023 5:29 pm, edited 2 times in total.

Re: CHANGE THE CS SECURITY SYSTEM

Postby daybreak. » Wed Jul 05, 2023 5:02 pm

Animall wrote:@daybreak.
I don't think anyone is really butthurt about the reminder to change/make strong passwords. The hurt stems from the defensiveness of the cs team and lack of transparency for a considerably simple scenario. FR has a larger team but it takes 2 seconds and $0 to let us know what's going on. Staff are all up in these threads but still no announcement.

That's what I read in onion's post; if that's not what was meant, then I apologize. I absolutely agree that there needed to be an official announcement about the situation and that it would've mitigated a lot of the initial confusion and disappointment over reversed trades, and the following chaos over the compromised accounts. I'm in full agreement there

Re: CHANGE THE CS SECURITY SYSTEM

Postby ActualWoodelf » Wed Jul 05, 2023 5:08 pm

daybreak. wrote:That said, since human error is known to be responsible for so many of these, there are measures in place that a site like CS could use to mitigate it, many of which are floating around as suggestions in this topic. I would like to see a more robust security system implemented in CS: it's not uncommon for other adoptable sites nowadays. Take for example Flight Rising's response to a similar situation:


Thanks Daybreak for linking to that response from 2021 by FR, that is helpful! One thing I think DEFINITELY could make a difference that Chicken Smoothie needs, in my opinion, to implement is that when a user changes their email address, the verification email confirming the change NEEDS to go to the old email, NOT the new one. Or at least to both and require both to verify. Because of the recent hacks, I went to change my email address to one that doesn't have my IRL name in it :) and when I did that, it had me verify I wanted to make the change by: sending to the new email. Hackers who have already gotten in by use of a breached password can easily change the email address on the account and lock the original user out in this way?? :what:
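The email-change weakness raised in the post above, sketched as an added example (not Chicken Smoothie's code and not part of any post in this thread): the change takes effect only after links sent to both the old and the new address are confirmed. The class, its method names, the in-memory storage and the one-hour expiry are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed value)

def _digest(token: str) -> str:
    # Store only a hash so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode()).hexdigest()

class EmailChangeFlow:
    """Hypothetical service; names and storage are illustrative only."""
    def __init__(self, accounts, send_mail, now=time.time):
        self.accounts = accounts    # user_id -> current email
        self.send_mail = send_mail  # callable(address, token)
        self.now = now
        self.pending = {}           # user_id -> pending change record

    def request_change(self, user_id, new_email):
        old_email = self.accounts[user_id]
        tokens = {"old": secrets.token_urlsafe(32),
                  "new": secrets.token_urlsafe(32)}
        self.pending[user_id] = {
            "new_email": new_email,
            "expires": self.now() + TOKEN_TTL,
            "hashes": {side: _digest(t) for side, t in tokens.items()},
            "confirmed": set(),
        }
        # The old address is told about the change even when the session
        # asking for it belongs to someone holding a reused password.
        self.send_mail(old_email, tokens["old"])
        self.send_mail(new_email, tokens["new"])

    def confirm(self, user_id, token):
        """Return True only when this call completes the change."""
        rec = self.pending.get(user_id)
        if rec is None or self.now() > rec["expires"]:
            self.pending.pop(user_id, None)
            return False
        for side, stored in rec["hashes"].items():
            if hmac.compare_digest(stored, _digest(token)):
                rec["confirmed"].add(side)
        if rec["confirmed"] == {"old", "new"}:
            self.accounts[user_id] = rec["new_email"]
            del self.pending[user_id]
            return True
        return False
```

With this flow, someone who logs in with a breached password and requests a new address cannot finish the change without also controlling the owner's existing mailbox.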

Re: CHANGE THE CS SECURITY SYSTEM

Postby onion » Wed Jul 05, 2023 5:18 pm

im not butthurt that seasonal recommended more secure passwords, im upset that theres been no transparency and that the blame seems to be shifted onto the users for this. thats all. u_u

Re: CHANGE THE CS SECURITY SYSTEM

Postby jesse.faden » Wed Jul 05, 2023 5:20 pm

onion wrote:im not butthurt that seasonal recommended more secure passwords, im upset that theres been no transparency and that the blame seems to be shifted onto the users for this. thats all. u_u

gonna agree with ya here. i kinda read it as "breaches happen all the time so you should've updated your passwords anyway".
like yes, but also no lmao
