Velogames Fantasy Cycling
Dear Velogamers,

LATEST UPDATE - 7TH MARCH 2019

For those of you on the site ahead of the start of the 2019 fantasy cycling season, I advise you learn about the issue below, especially if you set up your Velogames before July 2015.

As an update on latest developments, the new user login system mentioned below is now fully live, with passwords encrypted using modern bcrypt technology and options to alternatively connect and set up a user account using your existing social media accounts.

All accounts held within the previous login system, including associated email addresses and password hashes, have been fully decommissioned.

All users will need to set up a new account ahead of entering their first team in 2019.

As always, if you have any questions or need advice on any subject, please do feel free to contact me using the details shown on the Contact Velogames page.



IMPORTANT SECURITY NOTICE - 24TH FEBRUARY 2019

Some bad news ahead of the 2019 season that definitely deserves your attention.

This morning, Sunday 24th February, I concluded an investigation arising from recent strong anecdotal evidence that at least some email addresses and passwords associated with Velogames accounts might have been compromised.

There is no particularly pleasant way to deliver this news, so here follow the headline conclusions drawn as a result of this investigation, which has provided strong indication of a historic incident that saw user accounts compromised in the Summer of 2015.

THE CORE ISSUE

If you set up a user account on the website prior to August 2015, there is a strong possibility that your user account data (being usernames, email addresses and hash-encrypted passwords) could have been obtained by an unauthorised third-party around that time, and at least some passwords within the compromised accounts have been unencrypted back into plain text.

I strongly suggest you change any password details for other internet accounts that share the same password you have been using on Velogames.

For those of you who set up a user account after August 2015, I have not found any evidence of your details entered into Velogames being compromised, but I would certainly recommend you take this opportunity to similarly ensure that you do not duplicate the use of a single password across multiple websites.


SUMMARY OF INVESTIGATION

I was alerted to this potential issue after receiving notice from two Velogames users concerning “ransomware” emails received into their inbox.

These emails contained an extortion threat for Bitcoin payments and, of most concern, included each user’s plain text password.

Importantly, both users asserted that their email address and/or passwords were used exclusively on the Velogames platform and not shared with any other accounts.

While I initially supposed that the presence of these recent emails suggested a recent compromise of the database, as I investigated further it became apparent that this breach was an historical event.

I was able to identify 289 accounts in the user database that were likely to have been created exclusively for use on the Velogames platform, in that these accounts included an email address containing the word “velogames” in the first part of the email address.

I reviewed all these email accounts using tools available at information security website Have I Been Pwned, which is an invaluable resource that allows internet users to check if their personal data has been included in any known data breaches.

The key results of this investigation are:

- 45% of these user accounts created exclusively for use on Velogames, which were created BEFORE 31st July 2015, are flagged by Have I Been Pwned as having been included in a previous data breach, due to their presence in one or more known “combination lists” containing email address and password pairs, which intermittently appear on hacker forums or elsewhere on the “dark web”.

- 0% of these user accounts created exclusively for use on Velogames, which were created AFTER 31st July 2015, are flagged by Have I Been Pwned as having been included in a previous data breach.

The first evidence of any of the above accounts being compromised was the inclusion of several within a huge “combination list” of 458 million unique email address and password pairs, apparently obtained from many different online sources, that appeared on the dark web in December 2016.

Further analysis of data available on Have I Been Pwned, in addition to the two emails forwarded to me, suggests that some of these compromised email addresses have been recirculated in other “combination lists” in 2017, 2018 and, most recently, in January 2019, when a large collection of lists containing almost 2.7 billion records, including 773 million unique email addresses alongside passwords, apparently obtained from many different online sources, was published on a popular hacking forum.
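The method described above (select addresses whose local part contains “velogames”, split them at the 31st July 2015 cut-off, and compare the proportion flagged by Have I Been Pwned in each group) can be reproduced offline. The following is an added example, not code from Velogames or from Have I Been Pwned; the account records and the “flagged” set are constructed here to stand in for the real database and for the breach-lookup results, and the `is_site_only_address`, `breach_rates` and `run_sample` names are this example's own.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Iterable

# Cut-off used on the page: accounts created on or before this date count as "before".
CUTOFF = date(2015, 7, 31)


@dataclass(frozen=True)
class Account:
    email: str
    created: date


def is_site_only_address(email: str, marker: str = "velogames") -> bool:
    """True when the local part (the text before '@') contains the marker.

    Such an address was most likely created solely for this site, so a breach
    flag on it cannot be explained by reuse on another service.  The marker is
    only searched for in the local part, not in the domain.
    """
    local, sep, _domain = email.partition("@")
    return bool(sep) and marker in local.lower()


def breach_rates(accounts: Iterable[Account], flagged: Callable[[str], bool],
                 cutoff: date = CUTOFF) -> Dict[str, float]:
    """Percentage of accounts flagged as breached, before and after the cut-off.

    `flagged` is any lookup that answers "is this address in a known breach?";
    in production that would be a Have I Been Pwned breached-account query.
    """
    accounts = list(accounts)
    before = [a for a in accounts if a.created <= cutoff]
    after = [a for a in accounts if a.created > cutoff]

    def rate(group):
        if not group:
            return 0.0
        return 100.0 * sum(1 for a in group if flagged(a.email)) / len(group)

    return {
        "n_before": len(before), "before_pct": rate(before),
        "n_after": len(after), "after_pct": rate(after),
    }


# Constructed sample data (hypothetical addresses, not real Velogames records).
SAMPLE_ACCOUNTS = [
    Account("velogames.alice@example.com", date(2014, 5, 1)),
    Account("bob.velogames@example.net", date(2015, 3, 10)),
    Account("carol+velogames@example.org", date(2015, 6, 20)),
    Account("dave.velogames@example.com", date(2015, 9, 2)),
    Account("erin-velogames@example.net", date(2018, 1, 15)),
    Account("frank@velogames-fan.example", date(2014, 1, 1)),  # marker in domain only: excluded
    Account("grace@example.com", date(2015, 1, 1)),            # no marker: excluded
]

# Constructed stand-in for the breach lookup: addresses a real check would flag.
FLAGGED_SAMPLE = {"velogames.alice@example.com", "carol+velogames@example.org"}


def sample_flagged(email: str) -> bool:
    return email in FLAGGED_SAMPLE


def run_sample() -> Dict[str, float]:
    site_only = [a for a in SAMPLE_ACCOUNTS if is_site_only_address(a.email)]
    return breach_rates(site_only, sample_flagged)


if __name__ == "__main__":
    print(run_sample())
```

The point of restricting the check to site-only addresses is that a flag on a reused address proves nothing about this site, whereas a flag on an address that exists nowhere else points at this database; the sharp before/after split is what turns the flag counts into evidence about when the copy was taken.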

MORE INFORMATION ABOUT PASSWORD SECURITY

All user passwords are encrypted in the Velogames database. However, the encryption algorithm used in the user login module of the site is several years old now, and is unlikely to stop a determined hacker who gains access to the list of passwords from cracking the hash encryption of a simple-format text-based password, and reversing it back to plain text.

As explained further below, this existing user database has now had all usernames, email addresses and hashed passwords removed, and a new system using the modern bcrypt encryption function will go live in advance of the main 2019 Velogames season.

I strongly suggest you change any password details for other internet accounts that share the same password you have been using on Velogames.

Going forward, I also advise you look into using a password manager. With a password manager, you can generate a unique and strong password for every website you sign up to, without having to remember each password individually. This means that, in the event that an account is compromised, the damage is limited to just that one account on that single website. Password managers can be free or paid software, and examples to check out are LastPass, Dashlane and 1Password.

ACTIONS TAKEN TO MITIGATE ONGOING RISKS

Out of an abundance of caution, I immediately deactivated the user login functionality on the website when initial suspicions arose, and deleted all records of existing usernames, email addresses and password hashes.

The user database is now completely empty of valid user accounts, so unauthorised visitors will no longer be able to access any account information online.

This version of the user database will never come back online - the user system is basically now decommissioned for good and will shortly be replaced with a new system.

All users will need to create a new account within the new user system the first time they select a team in 2019.

The new user system (which ironically was an already planned upgrade ahead of the 2019 season) utilises modern bcrypt encryption technology and is future-proofed to update itself to use more secure encryption algorithms as technology progresses.

This means that, even if any snoopers manage to gain access to user records from now on, they will have a much, much harder job to retrieve a usable password record.
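The two properties described here and under “More information about password security” (a slow, salted hash in place of the old weak one, and a store that can move itself to a stronger algorithm later) come from one design: each stored record names the scheme it was made with, and a successful login transparently re-hashes any record that is below current policy. The following is an added illustration of that pattern, not Velogames' code. bcrypt itself is not in the Python standard library, so this example uses PBKDF2-SHA256 as the older scheme (“v1”) and scrypt as the newer one (“v2”) purely to show the upgrade mechanism; the scheme names, cost settings, record format and function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Newest scheme the site's policy currently requires (example's own identifier).
CURRENT_SCHEME = "v2"


def _derive(scheme: str, password: bytes, salt: bytes) -> bytes:
    """Key-derivation step for each supported scheme (costs chosen for this example)."""
    if scheme == "v1":
        # Older, cheaper scheme that a future policy change leaves behind.
        return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    if scheme == "v2":
        # Memory-hard scheme: 128 * n * r = 16 MiB per guess, which is what makes
        # bulk cracking of a stolen table expensive.
        return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    raise ValueError(f"unknown password scheme {scheme!r}")


def hash_password(password: str, scheme: str = CURRENT_SCHEME) -> str:
    """Return a self-describing record 'scheme$salt_hex$digest_hex' with a fresh random salt."""
    salt = os.urandom(16)
    digest = _derive(scheme, password.encode("utf-8"), salt)
    return f"{scheme}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a password against a record of any supported scheme, in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    expected = bytes.fromhex(digest_hex)
    actual = _derive(scheme, password.encode("utf-8"), bytes.fromhex(salt_hex))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was made with anything other than the current scheme."""
    return record.split("$", 1)[0] != CURRENT_SCHEME


def login(username: str, password: str, store: Dict[str, str]) -> Tuple[bool, str]:
    """Verify a login; on success, silently upgrade a legacy record to the current scheme.

    The plaintext is only available at login time, so that is the only moment
    a stronger hash can be computed without asking the user to reset anything.
    Returns (accepted, record now held in the store).
    """
    record = store[username]
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        store[username] = hash_password(password)
    return True, store[username]


if __name__ == "__main__":
    # Constructed demonstration: one account still on the old scheme.
    users = {"rider": hash_password("correct horse battery staple", scheme="v1")}
    print("legacy record needs upgrade:", needs_rehash(users["rider"]))
    ok, _ = login("rider", "correct horse battery staple", users)
    print("login ok:", ok, "| upgraded:", not needs_rehash(users["rider"]))
```

Two details carry the security weight: the per-record scheme tag means old and new hashes coexist without a flag day, and `hmac.compare_digest` keeps verification time independent of how many bytes match. A failed login must never trigger the re-hash, since the password that was offered is not known to be correct.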

The new user system also provides additional options to sign up and log into the site using your existing social media (Facebook and Twitter) accounts, so if you do not want to set up a password directly on the site, you will not need to.

All of the above will be live within an updated Velogames website early next month, in advance of the main 2019 season, which will start on the usual schedule with the spring stage race contests and Fantasy Spring Classics game starting early next month.

CONCLUSION

I realise all the above might come as a bit of a shock.

On a personal note, I am both upset and embarrassed that some accounts could have been compromised in this way.

I hope the fact that this is a historic event, with no evidence of ongoing account security concerns since 2015, will provide you with some confidence, as will the steps I have taken to decommission the current user system and replace it with a new system which utilises the most modern encryption technologies.

But I fully respect that it might take some of you some time to process all this information, and you may have doubts using the Velogames platform in the future.

If so, please be assured that your data privacy will remain top of my concerns from now on, and that I remain committed to making the 2019 Velogames season a memorable one for all the right reasons.

Yours in fantasy cycling,

George

George Chapman

Velogames Fantasy Cycling