Pirates Forums Briefing

I would like to start by stating that this is a public service announcement made to raise community awareness, and a harsh critique of the highly questionable decisions made by the members of the Pirates Forums team.

Internet security is of the utmost importance, thus it is regrettable that this situation has occurred. In what can only be described as a clear lapse in judgement, a Pirates Forums moderator was found to be using the same password across multiple platforms. Unfortunately, both their username and password were included in an old database leak and they had not changed them prior to the events that took place on March 16th.

I have obtained circumstantial evidence that nullifies Davy Darkrage’s unsubstantiated claims regarding the March 16th breach. The forums staff, consisting of long-time POTCO members and notable members of the TLOPO team, has decided to share false information with the community – either due to sheer ignorance of the fact, or with selfish and iniquitous intent.

“We have reviewed server access logs, and there is no indication that sensitive information (such as IP address logs) was obtained during the breach.”

The quote above is an excerpt from a forums post, written by what appears to be Pirates Forums’ lead administrator. This is completely false, as when the hacker(s) gained access to the moderator’s forums account they had immediate access to an IP-retrieve button. It is extremely reckless of them to assume that nothing had happened, even if they supposedly have systems in place to identify whether or not their monitoring tools had been used.

Additionally, it has come to my knowledge that the hacker(s) in question are yet to target any individuals and are weary of exposing the fact that they hold the IPs of multiple players, mainly to prevent the community from knowing their IPs were compromised and to give themselves more time to plan any malignant activities.

I also have reason to believe that the individual(s) are in hold of IPs and personal information belonging to important members of the community such as Stephen Teague, John Foulroberts, and Kat Five Knives. Fortunately, they are only yet to act on this information, as far as I’m aware.

The decision to withhold this information is nothing short of a betrayal of trust of the users of the forums site, and is unethical to say the least. With this PSA, I hope to have shined some light on the incompetence of the team behind the forums that we’ve trusted with our information.	They have either decided to act in their own self-interest or displayed the true extent of their lack of diligence, by failing to highlight that this breach of IPs had occurred. Another explanation for why this information has not come to the limelight is that they were concerned about how their incapacity to prevent this would have come to be viewed.

TL;DR:

To summarize, a Pirates Forums moderator made terrible security decisions when it came to his passwords. I learned that this moderator shared the same password on his forums account as he did with the “other” remake. By accessing this account, a certain user now has access to the IPs of multiple members within our Forums community. It has been confirmed to me (both publicly and in private) that they also hold IPs of various (current and ex) Pirates Forums and TLOPO staff. Our community’s privacy was jeopardized, and the Forums Team decided to act with their best interest in mind or they are simply unequipped and generally oblivious when it comes to the monitoring of their moderation tools.


Sources:

1 - Account security thread [https://piratesforums.co/threads/account-security-reminder.28222/]
2 - Proof of PF breach [https://pasteboard.co/IcaV55B.png]

Disclaimer: I have more sources and proof, but a few individuals who shared sensitive information wish to remain unnamed.