Upland - Was it hacked?



The short answer is NO, absolutely it was not.  An individual used emails and passwords found on the internet and used a brute force attack to log into peoples accounts that have used the same emails and passwords for multiple online services.  Though none of Uplands servers were compromised the event has given the Upland team an opportunity to evaluate ways they can help protect users who may re-use passwords.  Please see the announcement made on the Upland Official Discord Server today.

 

Compromised accounts via scripted access using publicly available account database , Jul 21st 2020

What happened:
On July 21st, an Upland player has committed a malicious abuse of Upland’s authentication API. This method involved taking publicly available combinations of emails and passwords from accounts (outside of Upland) who have been compromised in the past and trying to log into Upland with those combinations. Out of millions of attempts made, the perpetrator seems to have gained access to about 293 Upland accounts, out of which 58 were active Upland players (as opposed to visitor accounts that have been recycled). It is possible that there are more accounts on those public lists that have matching accounts in Upland.

It is extremely important to note that at no point were Upland’s servers ‘hacked’. Upland does not store passwords on its backend (but only stores hashes of passwords that are impossible to hack or reverse engineer)

Following the brute force action, the perpetrator then proceeded to login with 6 compromised accounts, and managed to steal a total of 83 properties out of these accounts into two separate Upland account that he seems to have been using. Following this action the perpetrator’s account was then jailed in Alcatraz.

In the aftermath of the event, the perpetrator posted different lists and api data (that is only accessible with a known password) in different social channels. Although we assumed from the start that his claims were fake, we took the time to investigate and validate beyond our doubt that a) The lists posted were the same lists that are available today publicly on the Internet b) Most of the accounts listed there were either non-existing in Upland, or existed but did not enable access to the account c) The supposed API returns (shown in the screenshots) were manipulated to seem as though they carry the password in them which is an absolutely impossible scenario

It is important to state loud and clear that what the perpetrator did is considered criminal activity. We have numerous identifying details of that person and have begun working with law enforcement.  

What we did in the short term:
These are the actions we took immediately as a response:
1. Locking out of those 58 identified accounts, so they can only log in back after they’ve changed their passwords
2. Implemented a mechanic that locks out player accounts that have failed to login with correct credentials for 3 consecutive attempts
3. Added increased security rules for our authentication API that will help disrupt similar attempts in the future

It’s important to note that part of the reasons why we didn’t have stricter rules to help prevent this type of activity had to do with our tendency to support legit 3rd party tools that wanted to make use of our APIs. We are going to reevaluate this policy in order to find the best middle ground to still allow api usage while also providing stronger protection against attacks. At the end of the day, it is impossible for us to ultimately protect against an account who’s password was compromised.  

What we are doing in the longer term:
Uplander’s digital assets accumulated in the game all have an extra layer of security by virtue of being stored on a public blockchain network. Access to these assets is only possible with the knowledge of the player’s private password, which is used to decipher the player’s private keys and is never stored deciphered on Upland’s servers. Nevertheless, we have seen how disruptive any form of account compromise can be for the community, and here are some of the things we will be working on in order to improve transparency and trust: 1. We will start working with an external security auditing party and will publicly post findings 2. We will evaluate integrating more methods for 2FA as suggested by the community 3. We will work on offering a proactive authentication via 2FA, so players aren’t set back with authentication with time-sensitive features such as treasure hunts  

How can players protect themselves in the future:
We urge everyone to make sure that they use a unique and strong password for their Upland account. This will prevent any chances of having the account compromised using these types of penetration methods. On top of that, we strongly encourage enabling 2FA with your own real phone number. Phone based 2FA is extremely difficult to get past without access to the physical phone, and provides yet another layer of protection. Upland will never call you or send a message via phone other than for authentication and we will never share your phone number with a 3rd party.

 

 

Please, if you re-use passwords, don't do it somewhere with real world value.  Or even better, don't re-use passwords.  Get a password manager and use strong passwords.  Whenever possible use 2FA.  Stay careful out there everyone.    

I hope you find my posts informative, helpful, or amusing.  Whatever the case thanks for your time.

Please comment with your thoughts.

 

You can follow me on the following platforms:

Publish0x: https://www.publish0x.com/recourierhttps://www.publish0x.com/upland-uncovered

Blogger: https://www.recouriercrypto.com/ & http://www.uplanduncovered.com/

Twitter:  https://twitter.com/recourier 

 

To learn more about me or support my blogging efforts check me out here:

https://www.recouriercrypto.com/p/about.html

 

If referrals are your thing then you can check those out here:

https://www.recouriercrypto.com/p/referrals.html

 

Uplandme, Inc. is not responsible for any content or any other public communication by me on this or any other medium.

 

Comments

Post a Comment

Popular posts from this blog

The four best Upland San Francisco neighborhoods you should invest in

Image
Finding the right property in San Francisco can be tricky, you have to really pay attention to what people are doing and most importantly to make the most money you need to be in it for the long haul. These properties are all in entirely sold out neighborhoods, and yet they are still undervalued. Don’t believe me? Hop on the Upland Fans Discord and check for yourself. https://discord.gg/zWFbVGcyjN Dogpatch Photograph: Courtesy Nichirin Total Properties : 223 Properties for sale (At time of writing): 26 Cheapest property: 67,480 UPX With an organized road map for success and an active channel in the Upland Fans Discord (#dogpatch) this small community has brought up a lot of buzz within San Francisco. There’s no question many people have seen the value of Dogpatch already, nothing in the neighborhood sells for under 50,000 UPX, but don’t let the high cost of entry scare you, this small city within a city has some of the most well-known and active Uplanders around, which includes its uno
Read more

Upland NFT Mining

Image
What is Upland NFT Mining? Upland Comics & Collectibles  is excited to partner with CryptomonKeys and MetaForce Comics to bring NFT mining to Upland.  But what exactly does that mean?  Is this a game mechanic produced by the Upland team?  No, this is not provided by Upland, but you do need to be in the Upland game to participate.  Upland has not at any time promised NFT giveaways or direct peer to peer gifting in app and it doesn't appear anywhere on their roadmap.  As they have an exciting and ever growing set of future mechanics available though, it very well may be a possibility.  But, until such time that they do, Upland Comics has decided to go for it themselves. The idea initially has been tested by the Cryptomon K eys team in Alien Worlds .  Though Alien Worlds does have a plan to provide in game NFT distribution by individual land owners, that function isn't just ready.  So Cryptomon K eys has been doing it manually, check out their monKeymining page for more det
Read more

Highlights of Spud and the Minting Challenge

Image
I saw a lot of people confused by the recent minting challenge, so I decided to pick out some highlights from the recent Upland Medium article . All points are from the Medium article unless otherwise noted.  Note: We still don't know all of the details. I'll update as more is released.  Spud Property development will be driven by Spark (which is a token). However, the sandbox (which will allow players to play with the property development interface) will use a temporary resource we’re calling “Spud”. During the sandbox competitions, Spud will be used to build properties. All players of Uplander status and above will receive Spud when it is distributed. Spud will have no direct utility beyond these sandbox competitions.
Read more