haloman30

New Donation Store


Alright, so apparently not too long ago the website that hosted our donation store, MinecraftMarket, got hacked. After doing some research, it's guaranteed that it will never recover.

 

If you're not overly interested in what the details on the matter are, all you need to know is that we have hand-rebuilt our entire donation store with a new host - CraftingStore. They offer custom domain names (using your own subdomain as the store URL) and other key features without charge, unlike BuyCraft which requires a monthly fee for these features. Things may not be fully ironed out yet, but everything should be more or less good to go. If you are concerned about any leaking of personal details, know that MinecraftMarket only stored your Minecraft username and other basic details of the transactions (date, item purchased, and so on). Additionally, PayPal emails were leaked, so consider that as you will - no passwords were leaked however.

 

If you were a customer of MinecraftMarket itself (you had your own store on the site), we strongly encourage you to change your password on any sites where you used the same password.

 

If you are more interested in what actually happened, keep reading.

 

MinecraftMarket has had a history of being insecure. It was apparently hacked on a very minor level in 2015, something most folk never even knew about until recently. On June 21, the website was hacked and the only thing visible was the following message from "XrtGroup":

 

Hacked by XrtGroup, all users accounts and MinecraftMarket source code have been leaked! Enjoy 😅

 

Along with the website, the Twitter, GitHub, and Discord were all deleted as well. These "hackers" left nothing alone (except the Facebook page which hasn't been updated in 3 years).

 

As of now, the old website link goes nowhere. Users of MinecraftMarket who had their own stores had their email, username, and hashed password leaked in pbkdf2_sha256 format. For all the security holes in MinecraftMarket, it appears that nobody is able to decrypt the encrypted passwords at this point (though that may change one day, who knows). The leaked source code of MinecraftMarket itself is a Docker container (missing the actual image, it seems) and the website sources themselves are created in Python and Django. Also in the leaked source was the Cloudflare email and API keys used for the MinecraftMarket website. All of this was in the official GitHub repository for the work-in-progress self-hosted option for MinecraftMarket's upcoming Enterprise plan. Later on, BuckinghamIO - the owner of MinecraftMarket - stopped the radio silence and a few screenshots were posted to a forum topic on SpigotMC:

[Spoiler: three screenshots]


He essentially gave up and his general stance was "oh well shit happens". He never made an official statement, he simply quit and walked away. All the details of what was leaked (check this post on the SpigotMC thread) were provided by a user named R4G3_BABY. After this fact and lists of what information was compromised to the over 40,000 people who had stores on MinecraftMarket, BuckinghamIO sent the following message to R4G3_BABY:

[Spoiler: screenshot of the message]

 

The owner effectively pulled a killerteddy after this, and simply disappeared. For those unaware what "pulling a killerteddy" means, it basically refers to an owner/leader of something running away with any profits before the ship sinks, never to be seen again. There are other details scattered around that suggest the possibility of BuckinghamIO leaking all of this himself in order to run off with the cash. All of these are theories and aren't able to be proven (though a very strong case can be made).

 

That's just about all the info that exists for now, though. In the future we are going to likely move to a self-hosted solution later down the road, perhaps developing our own if the resources are available.

 

Lastly, some of the pricing on anything that isn't a rank may be different as we don't have any sort of backup or other copy of the pricing structure for those anymore. Along with that, we lost the original NuclearDistrict donation store - also hosted with MinecraftMarket - as well as any donation history from that. It honestly sucks and it hurts for a small piece of CU/ND history to be lost like this (you know me, obsessive over history xd). Hell, the CU donation store dates back to the Chaotic District days - which, for those unaware, was the original name of my server that eventually became the reboot of CU - before Aly and the others were even here, it was just me and a couple of Xbox LIVE friends making a server. Thank the lord we have an in-game history of all our donors.

 

That's all we have for now, folks! I've attached a few links for anyone who wants to read more into the whole thing. It's kind of interesting and also amazing how MinecraftMarket survived as long as it did with all the security issues it had.

 

SpigotMC Thread: https://www.spigotmc.org/threads/the-end-of-minecraftmarket.325070

CU Donation Store on Wayback Machine: https://web.archive.org/web/20171119204320/http://donate.chaoticunited.net:80/
New donation store: http://donate.chaoticunited.net/

MinecraftMarket Website on Wayback Machine: https://web.archive.org/web/20180614135628/https://minecraftmarket.com/
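
Added example, not part of the original post and not MinecraftMarket's code: a sketch of how a Django-style `pbkdf2_sha256` record is laid out and checked, showing why a reused password stays at risk even though the stored value is never reversed. It assumes the leaked records used Django's standard `algorithm$iterations$salt$hash` layout; the password, salt and iteration count below are constructed sample values.

```python
import base64
import hashlib
import hmac

ALGORITHM = "pbkdf2_sha256"

def encode(password: str, salt: str, iterations: int) -> str:
    """Build a record in the algorithm$iterations$salt$base64(hash) layout."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(dk).decode()}"

def parse(encoded: str):
    """Split a record into (iterations, salt, digest); ValueError if malformed."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("not a pbkdf2_sha256 record")
    iterations = int(parts[1])
    digest = base64.b64decode(parts[3], validate=True)
    if iterations < 1 or not parts[2] or not digest:
        raise ValueError("empty or invalid field")
    return iterations, parts[2], digest

def verify(password: str, encoded: str) -> bool:
    """Re-derive the hash from a candidate password; nothing is decrypted."""
    iterations, salt, expected = parse(encoded)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), iterations, dklen=len(expected)
    )
    # Constant-time comparison, as a login check should do.
    return hmac.compare_digest(candidate, expected)

def needs_rehash(encoded: str, minimum_iterations: int) -> bool:
    """Flag records whose work factor is below the site's current minimum."""
    iterations, _, _ = parse(encoded)
    return iterations < minimum_iterations

# Constructed sample record (not taken from the leak).
SAMPLE = encode("correct horse battery staple", "Xk3pQ9aLm2Zt", 20000)

if __name__ == "__main__":
    print(SAMPLE)
    print("right password:", verify("correct horse battery staple", SAMPLE))
    print("wrong password:", verify("hunter2", SAMPLE))
    print("below 100000 iterations:", needs_rehash(SAMPLE, 100000))
```

The salt and iteration count sit in the record in clear text, so anyone holding the leak can test guesses against it; that is why the advice above to change a reused password applies even when the hashes have not been recovered.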
