My Slack Account was Compromised. Please Secure Your Accounts

I have some personal news to announce that isn’t so good for me. Last Friday, I was contacted by a person claiming to be a white hat and to be in control of the account I use on Slack for communicating about NEM, which they claimed to have brute forced. Said white hat provided proof, among which was a database dump from the former forum that had been stored in the “my files” section of Slack. This database dump had, among other things, login names, login emails, and IPs associated with account logins, but fortunately not passwords. To be clear, this is the database dump from the old “ournem” forum and not the current one. Additionally, the security breach was limited to my Slack account.

We at NEM value security, and if there is a problem, we like to know. Because the white hat sent me a message personally to inform me of the incident and didn’t try to cause any malicious problems, the NEM team has agreed to voluntarily give him a bounty. Furthermore, we are setting up an account to pay additional bounties to anybody else who can find security problems.

None of my other accounts were, to my knowledge, compromised, as I usually use a password manager and 2-factor, although the one account in question did have a weak password (8 characters, all lowercase letters, and no 2-factor). This was my fault and I take responsibility for it. Furthermore, and more importantly, at no point have any NEM funds been hacked, nor are they in any danger. We have a strict policy of holding funds in multisig accounts, which has proven to be quite safe.

NEM has a growing presence in the media and a growing market capitalization. This positive attention will come with some negative attention too, and not all of it will be as nice as the most recent white hat. We encourage anybody who was on the old forum to change their passwords, and all Nemsters to use a password manager with strong passwords and 2-factor authentication where possible.

This post was delayed as we had an unrelated problem with updating servers.