Speedrun.com moderator accounts hit by password reuse attack

A popular gaming website has forced a password reset for all users and rolled back its database to a previous state following a security breach earlier this month.

Speedrun.com, a forum and hall of fame for amp-video game speedrunners – reported last week that a handful of its moderator accounts had been compromised after they used the same logon passwords across other sites.

While only a few moderator accounts are said to have been affected, they were associated with prominent leaderboards for major games such as The Legend of Zelda and Super Mario World, according to amp-video games blog, Kotaku.

Speedrun.com immediately reset all user passwords and rolled back its database to March, 30 in order to get the site back up and running securely. This means that individuals who have inputted scores after this date will have to resubmit.

Passwords used on previously compromised sites are thought to be the cause of the breach, a Speedrun.com administrator said in a forum post on April 3.

“If your password was a password that was not previously used on a compromised website, your account was never at risk,” the post reads. “We’re acutely aware that resetting passwords and rolling back the database is a disappointing approach.”

It added: “We have every intention to implement further safeguards against this method of account compromise.”

Speedrun.com says it plans to implement two-factor authentication (2FA), and will also utilize the Pwned Passwords API from Have I Been Pwned’s Troy Hunt in order to stop compromised passwords from being used from the get-go.

“It is our current understanding that every compromised password was gained from that list,” Speedrun.com said.

The speedrunning site said that the recent security issue was similar to an incident that occurred in November last year, which again prompted a mandatory password reset after unauthorized access was gained to several moderator accounts.

“The site’s leaderboards as a whole are only as secure as the least secure user, and we’re very aware this is a problem,” Speedrun.com said.

The Daily Swig has reached out to Speedrun.com for comment.


RELATED Gamasutra user privacy fragged following IP leak discovery