Transparency

[☼ morgana]

posting to support.

my two cents is this:

I mean the following as constructive criticism, not to be mean:

the reason that people are comparing this to flight rising is that, while CS may not have been under an attack like FR was, FR was instantly transparent and kept people up to date AS things were happening.

From my own experience on another site that tried to sweep something under the rug, as we here on CS are perceiving the staff is doing, it does not work out for staff. Trust is lost, and even more is lost when we find that up until recently, majority of the security based things that are in place now, weren't. There might've only been a handful of users that were effected and hacked, but in the long run, the lack of security effects everyone.

I agree with others stating that people are continuing conversations from other threads due to a lack of understanding. Draft up a site wide ping or email that goes into detail on what happened and a FAQ. For me, posting on threads across site is not transparency. I am not an avid forum reader outside of my usual corner of CS. I wasn't aware of this until someone else told me about it. Something should have been said the minute staff became aware of the issue.


It's for the reasons above I urge staff to make an announcement and give as much detail as they can, what WE can do to be safer, and what THEYRE doing to aid in keeping us safe.

[ActualWoodelf]

posting to support.

my two cents is this:

I mean the following as constructive criticism, not to be mean:

the reason that people are comparing this to flight rising is that, while CS may not have been under an attack like FR was, FR was instantly transparent and kept people up to date AS things were happening.

Thanks very much for adding your two cents as to the comparison I brought up regarding FR, that is exactly what I was getting at with it. The incident isn't the point. The way it was immediately openly shared was my point. Communication and collaboration with the community is vital, or that community doesn't feel safe.

[CousinEnby]

on the note of FR in regards to transparency... we felt SO taken care of when they shut down the site for emergency maintenance recently. (sourcing their tweets about it) was it a huge pain for the site to be down for a long time while they sorted out the issue? yes, it was a bummer to be without FR, especially during an event (i believe?) but as soon as they noticed that accounts could be compromised, they took action, informed the public, and made statements to reassure players/. immediately.

what we would like to see from CS in the future is an immediate notice to players if more than one account is hacked in the same way. even if it's "just" reused passwords. players on CS had their accounts directly affected and yet we sat in fear of being impacted while we had no statement from the staff. it doesn't have to be the fault of CS security. it just needs to be about making sure players are at the heart of safety concerns.

importantly, it didn't take account information being taken for FR to take new security measures. they saw the possibility of it and took action right away and communicated as much as they could. we felt safer at that time than ever before, which is the opposite of what we experienced—and are still experiencing— on CS after this hacking event.

the hacking isn't the problem. it's the lack of transparency when things were happening. a tiny front-page announcement that trade reversals were happening as the result of compromised accounts would've flattened the curve of panic so much. just to know that staff cared how we felt would've gone a long way.

please, in the future, let players know in an easily accessible way that you care about how scary security breaches can be. it's like that old saying, an ounce of prevention is worth a pound of cure.

[*Icarus*]

on the note of FR in regards to transparency... we felt SO taken care of when they shut down the site for emergency maintenance recently. (sourcing their tweets about it) was it a huge pain for the site to be down for a long time while they sorted out the issue? yes, it was a bummer to be without FR, especially during an event (i believe?) but as soon as they noticed that accounts could be compromised, they took action, informed the public, and made statements to reassure players/. immediately.

what we would like to see from CS in the future is an immediate notice to players if more than one account is hacked in the same way. even if it's "just" reused passwords. players on CS had their accounts directly affected and yet we sat in fear of being impacted while we had no statement from the staff. it doesn't have to be the fault of CS security. it just needs to be about making sure players are at the heart of safety concerns.

importantly, it didn't take account information being taken for FR to take new security measures. they saw the possibility of it and took action right away and communicated as much as they could. we felt safer at that time than ever before, which is the opposite of what we experienced—and are still experiencing— on CS after this hacking event.

the hacking isn't the problem. it's the lack of transparency when things were happening. a tiny front-page announcement that trade reversals were happening as the result of compromised accounts would've flattened the curve of panic so much. just to know that staff cared how we felt would've gone a long way.

please, in the future, let players know in an easily accessible way that you care about how scary security breaches can be. it's like that old saying, an ounce of prevention is worth a pound of cure.

there was no breach on cs tho the breach happened somewhere else were the same login was used, it also seemed to only affect a small percent of people on cs, most of the people on this thread have stated they werent affected by it, what does cs need to "be transparent" about. one of the first rules of internet safety when it comes to making an account is not to reuse passwords,its unfortunate that their accounts were comprimised but its not cs's fault, they probably werent even aware of it till recently. security breaches arent scary, theyre common and happen literally all the time. dont fear them, instead do your best to learn about them and how to protect yourself effectively

[answrs]

on the note of FR in regards to transparency... we felt SO taken care of when they shut down the site for emergency maintenance recently. (sourcing their tweets about it) was it a huge pain for the site to be down for a long time while they sorted out the issue? yes, it was a bummer to be without FR, especially during an event (i believe?) but as soon as they noticed that accounts could be compromised, they took action, informed the public, and made statements to reassure players/. immediately.

what we would like to see from CS in the future is an immediate notice to players if more than one account is hacked in the same way. even if it's "just" reused passwords. players on CS had their accounts directly affected and yet we sat in fear of being impacted while we had no statement from the staff. it doesn't have to be the fault of CS security. it just needs to be about making sure players are at the heart of safety concerns.

importantly, it didn't take account information being taken for FR to take new security measures. they saw the possibility of it and took action right away and communicated as much as they could. we felt safer at that time than ever before, which is the opposite of what we experienced—and are still experiencing— on CS after this hacking event.

the hacking isn't the problem. it's the lack of transparency when things were happening. a tiny front-page announcement that trade reversals were happening as the result of compromised accounts would've flattened the curve of panic so much. just to know that staff cared how we felt would've gone a long way.

please, in the future, let players know in an easily accessible way that you care about how scary security breaches can be. it's like that old saying, an ounce of prevention is worth a pound of cure.

there was no breach on cs tho the breach happened somewhere else were the same login was used, it also seemed to only affect a small percent of people on cs, most of the people on this thread have stated they werent affected by it, what does cs need to "be transparent" about. one of the first rules of internet safety when it comes to making an account is not to reuse passwords,its unfortunate that their accounts were comprimised but its not cs's fault, they probably werent even aware of it till recently. security breaches arent scary, theyre common and happen literally all the time. dont fear them, instead do your best to learn about them and how to protect yourself effectively

I don't mean to be rude, Icarus, but it seems you may have read CousinEnby's point wrong. You're tunneling on the idea that "CS didn't get hacked" but the point is that it didn't have to be hacked, user accounts were actively being compromised, the staff knew this, and nothing was said to the users about any of it. not even a dang "y'all change your passwords please, a different site was compromised and users with similar passwords here are being affected." Also a lot of CS users are literal children or joined as such, let's please not blame users for not always knowing the best security measures for existing online. If CS doesn't even tell them what happened, how are they suppose to learn how to avoid it in the future?

bolding mine:

what we would like to see from CS in the future is an immediate notice to players if more than one account is hacked in the same way. even if it's "just" reused passwords. players on CS had their accounts directly affected and yet we sat in fear of being impacted while we had no statement from the staff. it doesn't have to be the fault of CS security. it just needs to be about making sure players are at the heart of safety concerns.
[...]
the hacking isn't the problem. it's the lack of transparency when things were happening. a tiny front-page announcement that trade reversals were happening as the result of compromised accounts would've flattened the curve of panic so much. just to know that staff cared how we felt would've gone a long way.

[Darni]

-snip-

I want to add a situation that was basically deleted that I know a lot of people don't know about- A user had their account compromised and was not told or emailed. They logged in to find their pets were being traded and whoever had taken over their account made a thread/suggestion that was very malicious and actively had this person impersonating them and fighting/arguing with people in the thread. They said something along the lines of "I logged on and messaged staff and was basically old 'oh yeah you got hacked twice lol'". This also didn't effect a small group of people... a small amount of accounts were hacked, but the accounts that were effected by all the trades they were doing because they were very very fast- they would gift multiple people or post "QUITTING- FREE PETS" and then start trading as soon as they posted. The people who were hacking into accounts were definitely CS users because they knew how to quickly and effectively hit people with trades so fast no one could catch up. Once reverse trades started rolling in people went into debt, people were losing pets, and people started to just quit. Someone went thousands of C$ into debt and others were slandered by the hackers talking as if they were them to fight with people. Some were traded a ton of C$ or pets and then did more trades with what they got from the hackers then those got reversed and every trade involving the stolen pets or C$ were reversed.

[Lex.]

Dropping my support here again!

[vicasterology]

-snip-

I want to add a situation that was basically deleted that I know a lot of people don't know about- A user had their account compromised and was not told or emailed. They logged in to find their pets were being traded and whoever had taken over their account made a thread/suggestion that was very malicious and actively had this person impersonating them and fighting/arguing with people in the thread. They said something along the lines of "I logged on and messaged staff and was basically old 'oh yeah you got hacked twice lol'". This also didn't effect a small group of people... a small amount of accounts were hacked, but the accounts that were effected by all the trades they were doing because they were very very fast- they would gift multiple people or post "QUITTING- FREE PETS" and then start trading as soon as they posted. The people who were hacking into accounts were definitely CS users because they knew how to quickly and effectively hit people with trades so fast no one could catch up. Once reverse trades started rolling in people went into debt, people were losing pets, and people started to just quit. Someone went thousands of C$ into debt and others were slandered by the hackers talking as if they were them to fight with people. Some were traded a ton of C$ or pets and then did more trades with what they got from the hackers then those got reversed and every trade involving the stolen pets or C$ were reversed.

yup lol i was the person who got impersonated and it was not fun

i keep cs in my bookmarks bar at the top of chrome and thankfully the night after was hacked (after nearly a year of forums inactivity, and after not logging onto the site for at least a week) i decided to just check in on my cs account. had i not done that and seen that i was logged out and unable to log back in using my current password, i would have had absolutely zero idea i had been hacked. even though the posts made had already been deleted by staff before i logged in (as well as the trades that had been reversed by this time as well) i still was not notified by cs that i had been hacked despite staff clearly being aware of it. if a general message to all users is supposedly too much to ask, you'd think they'd at least attempt to inform the users who WERE hacked. talking to other users after i had calmed down was what brought me back to the site and is why i'm semi-active now, but if i hadn't clicked on that bookmark out of boredom on that night, i could have gone days or weeks without even knowing i was hacked. that's my issue. (and correct me if i'm wrong but someone said the hackers seemed to target inactive accounts, so i couldn't have been the only one in this situation.)

here's the post where i talked more about it if anyone was curious lmao. i'm assuming the person went on my account seeing it was ~9 years old looking to cause chaos with my pets, then realized my account is worth next to nothing since i tend to just give pets away more often than not because trading confuses me. so their next best bet must have been to just wreak havoc on the forums as me lol idek

[*Icarus*]

I you'd think they'd at least attempt to inform the users who WERE hacked. talking to other users after i had calmed down was what brought me back to the site and is why i'm semi-active now, but if i hadn't clicked on that bookmark out of boredom on that night, i could have gone days or weeks without even knowing i was hacked. that's my issue. (and correct me if i'm wrong but someone said the hackers seemed to target inactive accounts, so i couldn't have been the only one in this situation.)

howre staff supposed to know your hacked before you do, bro had your literal login information

[CHINARIZING]

I you'd think they'd at least attempt to inform the users who WERE hacked. talking to other users after i had calmed down was what brought me back to the site and is why i'm semi-active now, but if i hadn't clicked on that bookmark out of boredom on that night, i could have gone days or weeks without even knowing i was hacked. that's my issue. (and correct me if i'm wrong but someone said the hackers seemed to target inactive accounts, so i couldn't have been the only one in this situation.)

howre staff supposed to know your hacked before you do, bro had your literal login information

You misunderstood or misinterpreted it. Vicasterology said staff knew and "fixed" it e.g. deleting all posts the hacker made when they were in the account, etc. but never once informed the actual owner of the account.