*goes to look* ... well seems like my MTSversary is just days away .. I'll have been here 18 years

I would never think to go anywhere else.

Thank You for maintaining and keeping MTS alive; it's greatly appreciated!

Just posted THIS at EA Answers:

-
ModTheSims - is SAFE. Here is the Truth

Site News - No, MTS is not "compromised" and it's safe to download from here!

https://modthesims.info/showthread.php?t=687747

-

https://answers.ea.com/t5/Mods-CC-I...14249966#M70051

TM wrote 'to download MY mods' and not mods in general. This is a tiny difference.

Randomly blacklisting mods does doesn't make MTS a nice place for mod authors to keep their mods updated.
I keep my mods updated on GitHub after spending days to fix my mods to comply with the mod guidelines and since then waiting forever for feedback or to get it approved.

The reason why it can take a while to get mods approved is because the number of moderators is waaay smaller than the number of users on the site - and those uploading to the site. (I can't determine the exact number of mods there are in total and how many of them are actually responsible for the vetting process). Plus, people have lives outside of MTS... Some are grown people with jobs, and kids, and pets, and houseplants to take care of. On top of that, the moderators tend to be very thorough in reviewing uploads, as I'm sure you are aware of by the rigorous upload process. (So shout out to the moderators/admin! )

The process is not meant to deter or intimidate you from uploading. It's meant to keep everyone fully informed of what you have to offer and, hopefully, prevent any sort of damage to your save/game/PC.

Kind of ironic when you think about it. "MTS is not a safe place to download." and "It takes ages to get my mods approved due to the thorough review process.".

No one notice the conflict here?

I'd argue the fact there is a stricter review process makes it safer than some random tumblr.

Besides, I kind of prefer the organisation of MTS since it makes it easy to find things in general instead of googling "Sims 2 <wanted mod>" and having to filter through all the sims 4 stuff. (Pet peeve of mine, trying to find something for Sims 2 and getting lots of Sims 4 results.)

Well done @Tashiketh for dealing with this so promptly! People tend to use the same passwords for different sites, which could be how the accounts were compromised perhaps.

My mistake, sorry. That does make a difference.



If you have enough uploads though, you can bypass the queue, so you only have to wait for ages until you have a good enough reputation to be considered trustworthy. Also, I thought they just recently hired a bunch of new moderators?



I only have one email. XD

Silly simsample- I totally meant passwords, but typed email instead! Sorry for confusion. Of course, have different passwords for each site!

I may have recycled passwords on some sites. XD I only have so many pets. j/k But I make sure that my bank passwords etc. are unique.



Unfortunately they already responded to you.

@WvMISKAvW Please see my explanation here for why I'm not reporting MTS-only mods. It's about ongoing trust and my (volunteered) time.

I'll note that other mod-news services (non-AHQ) have made the same decision. I'm sorry I can't provide more explanation about our distrust due to most discussion having been in private.

Players are welcome to track what modders do on their own, without relying on update news services, the way we all did, for all Sims games, before I started this list in 2015.

It sounds like they have ongoing problems with MTS, but won't say what they are. And the boycotting is already spreading. DX

Thanks for putting out a statement where most simmers can see!

I just took a look at their signature; looks like they're a part of the EA MLM Creator Network...



So, I'm not surprised by their response... Still p!sses me off! Like why is there no transparency?!

Might I chime in that I'm one of those creators who hasn't been able to get anything approved on MTS but a malicious user was able to log into two popular creator accounts and compromise multiple popular mods.

Your statement isn't the home run you think is it. I'm just saying.

My "random Tumblr" is run by me. I'm also this person: https://new.reddit.com/r/Sims4/comments/1akzieh/

Anyway, I'm gone. Bye!

Let's talk Opsec for a moment then.

A few things come to mind for the accounts that were compromised:
- Did you and your fellow authors follow good opsec on your own computers to ensure you yourselves had no malicious software on your own computer (Like a keylogger, for example)? Is your computer up to date? Do you have anti-virus software? Do you avoid shady websites? Do you use a secure non-browser and non-cloud based password manager?
- Are you absolutely certain your computer isn't compromised? Some modern malicious software can hide in your UEFI and your OS will never be able to detect it, even during a virus scan. It can be significant too, where even a format and reinstall of the OS would not be enough to clear it.
- Do you ensure every single password on each of your accounts is unique with no two passwords the same and are at least to the minimum length of 16-characters (preferably much longer)?
- Do you enable 2FA where available?
- Have you ensured your email accounts are not compromised in anyway and follow the same high level of security?
- All of the above applies to mobile device stuff too, if you share any accounts between your mobile device and your computer.
- And remember, most hacking occurs from social engineering as opposed to a security failure, causing someone to compromise themselves unintentionally.

It's easy to blame a website for an opsec failure, while ignoring your own. Typically a total website compromise will involve much more than one or two accounts, usually when it is an account or two it is a failure of the account holder where the account holder themselves are responsible by failing to keep to one of the above.

An attacker who compromised the website itself would have aimed for actively updated mods and the most popular mods. They also could have forged the updated date to hide that it was updated in the first place, avoiding detection. After all, if you have compromised the website to a high level of access, you could simply edit the database entry directly avoiding the date being updated, or even just swap the file out directly.

It's no different to how people who have their steam accounts 'hacked' blame Steam and once you dig deeper you find out it was the user who failed their own security (For example: enabling API keys to their account to try to trade, etc.).

With that said, it is possible to target a specific account and break into it if it has a weak password to begin with by brute forcing it. Though, in theory the website should lock accounts with too many password failures. (If it doesn't, that's an opsec failure on the websites behalf.)

To be clear, I'm talking strictly from a computer security point of view, not a personal one. It'll be interesting to see exactly where the failure was in these instances, because as it stands there is not nearly enough information to correctly point the finger.

I've finished work on a first version of a TS4Script upload and checker tool. It can be accessed here: https://packagedb.modthesims.info/ts4scripts.php

I've gone ahead and added all the unique TS4Scripts I found here on MTS (inside the attachments). So far there is 909 results, but you can all add more if you want, including from other sites.

What ongoing problems? 2 creator accounts got logged into, and the persons responsible uploaded malicious files. This could happen to ANY website, not just MTS. (And in fact, has happened... a LOT... on curseforge, especially with Minecraft mods). There's only so much I can do to prevent people from re-using passwords...

The same person who hacked into those 2 accounts also DID try and hack into multiple other accounts (at least 3 others), but wasn't able to, presumably because the passwords where changed since the hackers got the passwords from wherever they where leaked from (which wasn't MTS!).

If you don't mind my asking - I'm genuinely curious.

I'm guessing you went over the server logs and found the attacker logged into multiple accounts with the same IP address (Probably a VPN or TOR), which is how you were able to identify this? (They always do this. )

Were you able to verify whether brute forcing took place or not? This should be evident from the logs.

If no brute force took place, and they got into the account within 1 to 3 tries it would almost certainly point to someone having re-used a password, and that their password was previously compromised. Thus the website itself is technically not at fault (user error). This is a common problem with old abandoned accounts and re-used old passwords.

Though, the changes you've implemented of locking old accounts and notifying users upon a new login should suffice to resolve this, if that was the case.

Yes, the attacker used a VPN. They also tried brute force (multiple attempts per account) for the other accounts, however, with TwistedMexi and moxiemason, it was a first-time login. No brute forcing.

We store both logins and login attempts for, well, ever (I have records going back to 2011 on my own account), including email and password changes too. So we have a good track of what people do.

this. it's not just mts, any website without two factor authentication is vulnerable to the clever and devious attack known as "knowing the password and typing it in", and even 2fa probably won't save you if someone reeeeally wants to get into your account. wherever they're hosting their mods can be "compromised" in exactly the same way
then again, people like this also download smooth patch (a mod that changes another program. by definition. it's in the name) and write terrified comments when it gets flagged by windows defender. rest in peace basic technical literacy

I'm not seeing what the relation between the sign-in process and moderation for uploads is. There are myriad parts of the rubric that are clearly explained as you go through the upload wizard that I can only assume you must not have corrected once pointed out. I have to say that between this comment and your profile bio you sound a little bitter toward MTS. You shouldn't be letting that compromise the integrity of your website that's used by a large number of players that trust your judgement.

Ugh...I don't wish to respond to that attitude and I have no interest engaging with anyone having private discussions with 'who knows who' and then blasting false/opinionated statements (arrived at in said private discussions) across the Internet. That person is lucky they are not getting Sued for Libel.

The responsible thing for that person to have done would be to contact MTS and find out what is going on instead of hauling off and posting false statements. Furthermore, the fact that 'private discussions' were mentioned without any insight on who was actually involved sounds fishy.

Just my .02

In this instance then it really doesn't seem MTS was at fault. It sucks how people always jump to fear mongering over understanding how things work.

Though, if you haven't already it may be worth adding a feature to lock accounts after X number of failed logins (3 to 5 attempts is typical) requiring the user to take further action to get into their account again. (such as requesting them to click a confirmation link sent by email before granting access, even if the password is now correct.)


2FA works fine in most cases, it usually fails when someone puts the code into a fake site setup by the attacker, again social engineering. If the attacker is ready and waiting they could simply have a script that immediately logs into the legitimate service using the details you just gave it (2FA included!), which now gives them access to the account.

MTS does have a lock out if you try too many times to guess a password. Me and my dumbass brain tried it out extensively when I was trying to log in on another computer and couldn't remember my password.



I'm not blaming you in any way! I was just commenting on the people I quoted's remarks about 'ongoing trust' making it sound as if they had more problems than they were willing to talk about. Which honestly just makes them look suspicious if they have these problems, but they are secret!

I'm impressed by all the steps you've taken to make things more secure!

Correct, although this lock does only last till midnight. I might actually switch this to lock the account completely, similar to the 3 month inactivity login.



Apologies if I was a bit peturbed. It did feel like an attack on MTS. People have always had issues with MTS, for decades. That isn't going to change. The amount of times I've heard "Well I'm going to go make my own site! It'll be better! It'll have beer, and hookers!"... and then make it on Wordpress, or a Forum.... Not exactly great for download searching or filtering.