Warrior Gryphon
site owner
Original Poster
#1 Old 2nd Mar 2026 at 12:28 PM
New login security measures
Hi all,

To combat unauthorised logins due to lots of password leaks lately (none from MTS, just other larger hacks elsewhere), I have added an IP address check to the login process. If a login attempt is made and does not match the last few IP addresses you have used, then your account will be locked and you will have to unlock it via email.

This should help prevent (along with the 3 month inactivity timer) unauthorised logins on accounts from hackers who stole credentials from elsewhere.

Remember folks - always try and use unique passwords on sites (using a password manager or so) to prevent one leak compromising your accounts!

Regards

PS No, MTS is not compromised... and no we have not been hacked.

Story books are full of fairy tales, of Kings and Queens, and the bluest skies.
27 users say thanks for this.
Scholar
#2 Old 4th Mar 2026 at 6:50 AM Last edited by Ladysimplayer8 : 4th Mar 2026 at 8:01 AM.
Quote: Originally posted by Tashiketh
Hi all,

To combat unauthorised logins due to lots of password leaks lately (none from MTS, just other larger hacks elsewhere), I have added an IP address check to the login process. If a login attempt is made and does not match the last few IP addresses you have used, then your account will be locked and you will have to unlock it via email.

This should help prevent (along with the 3 month inactivity timer) unauthorised logins on accounts from hackers who stole credentials from elsewhere.

Remember folks - always try and use unique passwords on sites (using a password manager or so) to prevent one leak compromising your accounts!

Regards

PS No, MTS is not compromised... and no we have not been hacked.

Re the IP address check to the login process - I don't think it is working properly as I was locked out this morning.
I spend my time at 2 locations but the IP addresses should be constant over the last two years (prior to that did change the internet provider for one of the locations).
Please look into it.
Thank you

Update: one of my locations uses a mobile internet device and therefore generates a new IP address every time the computer and/or internet is switched on, although it is physically in the same place. This is a nightmare constantly having to reactivate my account. I am sure there are other members with mobile internet devices.
Warrior Gryphon
site owner
Original Poster
#3 Old 4th Mar 2026 at 2:35 PM
Quote: Originally posted by Ladysimplayer8
Re the IP address check to the login process - I don't think it is working properly as I was locked out this morning.
I spend my time at 2 locations but the IP addresses should be constant over the last two years (prior to that did change the internet provider for one of the locations).
Please look into it.
Thank you

Update: one of my locations uses a mobile internet device and therefore generates a new IP address every time the computer and/or internet is switched on, although it is physically in the same place. This is a nightmare constantly having to reactivate my account. I am sure there are other members with mobile internet devices.


Thanks for the feedback, and I totally understand the pain points. I've done some further revisions so that you can now "Remember device" for 30 days, when activating that device. In addition, it now remembers which ASN (ISP) you use, so even if your IP address changes a lot (as in the case of your mobile device) it should not trigger the re-activation all the time.

Let me know if it's working better for you now!

Scholar
#4 Old 5th Mar 2026 at 8:34 AM
Quote: Originally posted by Tashiketh
Thanks for the feedback, and I totally understand the pain points. I've done some further revisions so that you can now "Remember device" for 30 days, when activating that device. In addition, it now remembers which ASN (ISP) you use, so even if your IP address changes a lot (as in the case of your mobile device) it should not trigger the re-activation all the time.

Let me know if it's working better for you now!

Hello Tashiketh
Thank you for sorting this; once a month is okay to reactivate my account.
A slight problem that I did have to reactivate twice but will monitor - it could be a one-off.

Thank you again.
Test Subject
#5 Old 5th Mar 2026 at 4:50 PM
So how will that work for anyone that normally logs in over a proxy/VPN with a non-static IP? Is the account going to be automatically locked each time?
Lab Assistant
#6 Old 6th Mar 2026 at 2:28 PM
I figured when this was posted on reddit, that they had weak passwords.
Warrior Gryphon
site owner
Original Poster
#7 Old 7th Mar 2026 at 6:40 PM
Quote: Originally posted by Glimmer
So how will that work for anyone that normally logs in over a proxy/VPN with a non-static IP? Is the account going to be automatically locked each time?


Not if you use the same VPN since that'll be caught by the "Same ISP" check. But then that opens you up to someone else using the same VPN if your password ever gets leaked in a data leak.

Test Subject
#8 Old 7th Mar 2026 at 7:07 PM
Quote: Originally posted by Tashiketh
Not if you use the same VPN since that'll be caught by the "Same ISP" check. But then that opens you up to someone else using the same VPN if your password ever gets leaked in a data leak.

I use a password manager and a unique password on every site/service, so I'm not worried about a password leaked elsewhere leading to login attempts on my account here. I'm currently logged in over Tor though, and I'm guessing that's not going to qualify under the "Same ISP" check, so presumably my account will be locked the next time I need to log in.
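
The checks the site owner describes across this thread (recent-IP match, same-ASN match, a 30-day "Remember device" cookie, unlock via email), sketched as an added Python example. This is not MTS code: the history size, the field names, the order of the checks and the caller-supplied ASN lookup are all assumptions.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RECENT_IPS = 5                      # "last few" IPs: the exact count is an assumption
REMEMBER_FOR = timedelta(days=30)   # "Remember device" lifetime stated in the thread

@dataclass
class Account:
    recent_ips: list = field(default_factory=list)
    known_asns: set = field(default_factory=set)
    devices: dict = field(default_factory=dict)   # cookie token -> expiry time
    locked: bool = False

def _remember_network(acct, ip, asn):
    # Assumption: every allowed login refreshes the IP history and ASN set.
    if ip in acct.recent_ips:
        acct.recent_ips.remove(ip)
    acct.recent_ips = ([ip] + acct.recent_ips)[:RECENT_IPS]
    acct.known_asns.add(asn)

def check_login(acct, ip, asn, device_token, now: datetime):
    """Decide a login whose password already verified. Returns (allowed, reason).

    asn is assumed to come from an IP-to-ASN lookup done by the caller.
    """
    if acct.locked:
        return False, "locked"
    expiry = acct.devices.get(device_token)
    if expiry is not None and now < expiry:
        reason = "remembered_device"
    elif ip in acct.recent_ips:
        reason = "known_ip"
    elif asn in acct.known_asns:
        reason = "known_asn"   # also true for anyone else on that ISP or VPN
    else:
        acct.locked = True     # unknown network and no valid device cookie
        return False, "locked_unknown_network"
    _remember_network(acct, ip, asn)
    return True, reason

def unlock_via_email(acct, ip, asn, now: datetime, remember_device=False):
    """Run once the emailed unlock link is confirmed; returns a cookie token or None."""
    acct.locked = False
    _remember_network(acct, ip, asn)
    if not remember_device:
        return None
    token = secrets.token_urlsafe(32)
    acct.devices[token] = now + REMEMBER_FOR
    return token
```

A browser that discards cookies and arrives from a previously unseen ASN, as in the Tor case raised above, always reaches the final lock branch, because neither the device token nor the network history can vouch for it.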
Field Researcher
#9 Old 9th Mar 2026 at 11:13 PM
Quote: Originally posted by Tashiketh
Remember folks - always try and use unique passwords on sites (using a password manager or so) to prevent one leak compromising your accounts!

Regards

PS No, MTS is not compromised... and no we have not been hacked.


This is extremely misleading at best, and outright false at worst. This has happened multiple times now when it should not have been possible to happen even once.

I know hindsight is 20/20 but as an extremely popular site (and therefore a very tempting target for hackers) MTS has a responsibility to do what it can to ensure its users are not downloading malicious files from this site. Requiring 2FA and requiring extra authentication for inactive accounts or logins from unusual locations are pretty basic security measures these days and should have been implemented years ago.

MTS can't stop users from reusing their passwords. That means MTS needed to assume users will re-use their passwords and implement what mitigation measures they can to combat this (like 2FA). Someone at MTS should take some responsibility for the fact that this did not happen instead of blaming users for re-using passwords when they may not know any better.

So yes, I suppose technically MTS wasn't "hacked" in the traditional sense (meaning this wasn't a vulnerability of the MTS software that was exploited), but it was compromised. MTS was handing out malicious files. That is the definition of a compromised site. MTS refusing to acknowledge this or take any responsibility is why many users are swearing off MTS altogether. It's a trust issue at this point.

TLDR, this would be like a bank (MTS) who let someone access a safe deposit box (MTS creator account) because they had the key (password), but failing to check their ID first (require 2FA). Then saying they aren't responsible for the contents getting stolen (a malicious file getting uploaded/downloaded) because "well they had a key!" when it turned out they got the key out of the owner's car somewhere offsite (they got a leaked password from another website).

Common sense is one of nature's great ironies... It turns out common sense isn't so common.

Please see my new journal for news on my mods as well as requests.
Warrior Gryphon
site owner
Original Poster
#10 Old 10th Mar 2026 at 8:59 AM Last edited by Tashiketh : 10th Mar 2026 at 12:25 PM.
You could say the same thing about Tumblr, Loverslab, or any other site that people's accounts get hacked on and then malicious files are uploaded to. Yes, it's a trust issue, but other than implement security measures there really isn't much more I can do to stop this other than removing files after the fact - which we did, within hours of them being uploaded, and then implement additional measures to stop it in future. If somebody deliberately decided to upload malware and we removed it, we'd still get blamed either way.

I do acknowledge that we should have had these measures in place before, and I accept the hit to the site's credibility. The only thing I can do is to move forward and try to make it more secure the next time.

Lab Assistant
#11 Old 18th Mar 2026 at 11:44 PM
Why not just implement 2FA, at a minimum for uploaders, if not for all users? I agree with @Chicken0895 that MTS could clearly be taking more steps to prevent this. You're not responsible for hacks on other sites, but you're absolutely responsible for what goes on your site and when your site's main purpose is providing downloadable content security is extremely important so that people's computers and data are not compromised from what they download here. 2FA is not difficult to implement so there's no reason not to make it a requirement for anyone uploading stuff or just for everyone.
Test Subject
#12 Old 23rd Mar 2026 at 3:53 AM
I have problems to access my account
Quote: Originally posted by Tashiketh
Hi all,

To combat unauthorised logins due to lots of password leaks lately (none from MTS, just other larger hacks elsewhere), I have added an IP address check to the login process. If a login attempt is made and does not match the last few IP addresses you have used, then your account will be locked and you will have to unlock it via email.

This should help prevent (along with the 3 month inactivity timer) unauthorised logins on accounts from hackers who stole credentials from elsewhere.

Remember folks - always try and use unique passwords on sites (using a password manager or so) to prevent one leak compromising your accounts!

Regards

PS No, MTS is not compromised... and no we have not been hacked.


Hello. I tried to log in after quite a few years, and as expected I couldn't. My problem is I followed the steps to get access to my account again by asking for a reset of my password. I received the email with the new password and was allowed to enter, but everything after that is a mess. If I close the page, I get kicked out and my new password (the one I received in the email) is taken as fake. I try to change the password and I get kicked out again. To access my account I need to keep clicking on "forgot my password" to get a new email with a new one. I can't even open a new account because the site recognizes my email address as already registered.
Could you please help me?
Thank you
Test Subject
#13 Old 23rd Mar 2026 at 4:50 PM
Hello.
I just checked and still have the same problem when I try to change my password. It says "You do not have access to this content, due it to either being removed, deleted, or otherwise hidden, or you are not logged in and it is members only."
It doesn't say my account is locked, so I'm not sure if it's the same thing. If I have to send an email somewhere to solve this problem, could somebody tell me what the email address is?
Thank you.
the rising summer sun
retired moderator
#14 Old 23rd Mar 2026 at 4:55 PM
that chaos-loving 'bre
staff: trainee moderator
#15 Old 26th Mar 2026 at 1:40 PM
I'm thirding the call for 2FA. If a website offers it, I use it, no questions asked. It gives me peace of mind.

I'm against forcing people to use it, however - no website I know makes 2FA mandatory. But it should at the very least be offered and advertised/recommended. It would definitely help reduce the numbers of cases.
Warrior Gryphon
site owner
Original Poster
#16 Old 26th Mar 2026 at 2:46 PM Last edited by Tashiketh : 26th Mar 2026 at 3:12 PM.
2FA isn't something that's "easy to add" - especially not for MTS. One of the things I have to deal with is the fact that the core codebase is now 20+ years old, and, unfortunately, cannot be upgraded without an entire rewrite of everything on the site. (Downloads, Download Browsing, Forums, moderation, uploads, everything...). This is, as you can imagine, a massive undertaking. I've implemented a lot of security patches and features over the years, but there's still a lot of old school stuff.

This is also why just bolting on existing 2FA libraries doesn't work. What I am looking into, though, is a way to hook into the existing logon sequence to add an authenticator, but this takes a bit of time.

Right now, there is semi-2FA in that you need to verify via email, but obviously using an authenticator would be a more secure step. I'm looking into it.

Test Subject
#17 Old 30th Mar 2026 at 10:37 AM
Quote: Originally posted by Tashiketh
Hi all,

To combat unauthorised logins due to lots of password leaks lately (none from MTS, just other larger hacks elsewhere), I have added an IP address check to the login process. If a login attempt is made and does not match the last few IP addresses you have used, then your account will be locked and you will have to unlock it via email.

This should help prevent (along with the 3 month inactivity timer) unauthorised logins on accounts from hackers who stole credentials from elsewhere.

Remember folks - always try and use unique passwords on sites (using a password manager or so) to prevent one leak compromising your accounts!

Regards

PS No, MTS is not compromised... and no we have not been hacked.


Hi! This is very sad news ((( We in our country are exhausted by blocking everything, and such a decision will only add to our problems. The only way for me to access this site right now is to use a VPN or Tor browser. Which, as far as I understand, implies IP substitution.
Warrior Gryphon
site owner
Original Poster
#18 Old 1st Apr 2026 at 12:10 PM
Quote: Originally posted by Lo2ta
Hi! This is very sad news ((( We in our country are exhausted by blocking everything, and such a decision will only add to our problems. The only way for me to access this site right now is to use a VPN or Tor browser. Which, as far as I understand, implies IP substitution.


That's why you can Remember your device for 30 days so it won't keep asking you. This should persist on a VPN. TOR, as I understand it, clears all cookies, so that's unfortunately a side effect.
