As you may have heard, Town of Salem, another game also inspired by the games Mafia and Werewolf, recently got hacked. For a while I have been wanting to join Throne of Lies, but this recent event has made me think about the security. What security does Throne of Lies use? How do they hash passwords, do they store payment information, and so on? Basically my question is, how vulnerable is it to being hacked, and if it were hacked, what would be the extent of the damage?
Everything is done through steam, including in-game logins. It’s as secure as steam is secure.
Plus it is $10 an account, which seems hefty at first, but it guarantees little to no bots and gamethrowers.
Better for player experience as well.
The ToS passwords in particular being hacked isn’t a big deal either as long as you’re using even semi-decent passwords. The hackers only got the hashed passwords, which means that unless you’re extremely unlucky you have enough time to change your password on your account. As long as you aren’t using the same one in more than one place you’ll be all set on that front.
I’d say that’s a bit of an over-politeness to them however. The passwords were “encrypted” with MD5, which in short is a very obsolete, extremely vulnerable method of encryption that technically isn’t even considered encryption by modern standards. Security experts started advising people not to use it in 1996: https://en.wikipedia.org/wiki/MD5
In 1996, a flaw was found in the design of MD5. While it was not deemed a fatal weakness at the time, cryptographers began recommending the use of other algorithms, such as SHA-1, which has since been found to be vulnerable as well.[25] In 2004 it was shown that MD5 is not collision-resistant.[26] As such, MD5 is not suitable for applications like SSL certificates or digital signatures that rely on this property for digital security. Also in 2004 more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable; specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum.[6][27] Further advances were made in breaking MD5 in 2005, 2006, and 2007.[28] In December 2008, a group of researchers used this technique to fake SSL certificate validity.[23][29]
As of 2010, the CMU Software Engineering Institute considers MD5 “cryptographically broken and unsuitable for further use”,[30] and most U.S. government applications now require the SHA-2 family of hash functions.[31] In 2012, the Flame malware exploited the weaknesses in MD5 to fake a Microsoft digital signature.
All that being said, orange’s advice is very good. Don’t re-use the same password, as security breaches are going to happen in something you use, unless you just never use or play anything. Use different passwords for everything. Personally I’d recommend you check out keepass as a password manager. It’s open source and saves the password on YOUR computer (so no risk of any other service getting compromised). I’d suggest doing both a keyfile and a password on it (basically you can copy the key file to all the devices you want to use it with; there are android, mac, windows, linux and ios clients), then you can save your actual database in a dropbox, google drive, nextcloud, whatever you want to access it from everywhere (the database is completely useless without having both the keyfile and the password). Then you can use it to generate lots of long complex passwords to use unique ones on every page.
Actually the funny thing is it turns out BMG was hacked due to an admin not using unique passwords.
So uh, yeah, do that and you’ll be fine in the end.
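To make the MD5 point above concrete, here is an added example (not code from the thread or from either game): it stores the same constructed passwords once with unsalted MD5, as in the breach, and once with salted, iterated PBKDF2-HMAC-SHA256, and shows why the MD5 table is so much cheaper to crack: identical passwords produce identical hashes, so precomputed tables work and one cracked entry reveals every account using it. User names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample (hypothetical users): two accounts that chose the same password.
USERS: Dict[str, str] = {"alice": "correct horse", "bob": "correct horse"}
PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster

def md5_store(password: str) -> str:
    """The scheme from the breach: one unsalted, very fast MD5 per password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'iterations$salt$hash'."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def shared_hash_count(store: Dict[str, str]) -> int:
    """Number of distinct stored values shared by more than one user.
    With unsalted MD5 every shared password shows up as a shared hash, so one
    cracked entry unlocks every account using it; with per-user salts it is 0."""
    seen: Dict[str, int] = {}
    for value in store.values():
        seen[value] = seen.get(value, 0) + 1
    return sum(1 for n in seen.values() if n > 1)

if __name__ == "__main__":
    md5_db = {u: md5_store(p) for u, p in USERS.items()}
    kdf_db = {u: pbkdf2_store(p) for u, p in USERS.items()}
    print("MD5 duplicate groups:   ", shared_hash_count(md5_db))   # 1
    print("PBKDF2 duplicate groups:", shared_hash_count(kdf_db))   # 0
    print("verify alice:", pbkdf2_verify("correct horse", kdf_db["alice"]))
```

The other half of the cost gap is the work factor: MD5 is a single fast compression pass, while each PBKDF2 guess costs `iterations` HMAC calls, which is what turns "a bit over a quarter cracked in a couple of weeks" into an infeasible job.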
Also if you haven’t changed your password by now, then yes I agree it’s safe to assume it’s cracked. But even though MD5 isn’t super safe it still takes time, and with almost eight million hashes to crack you probably had enough time to change your password before they were done.
yeah, just rough time expectancy, a bit over 1/4th of them were cracked as of Jan 5th according to bleepingcomputer
*edit, that’s just what the good guys have done after being informed of the breach… bad guys would have had a huge head start as, if I recall, BMG was too busy on christmas vacation to announce it for a week or so
Does Throne of Lies store payment info?
No, payment for the game AND for GP is all done through steam.
We store no passwords nor any payment info at all! 100% secure
Well more accurately, steam is the only thing that could be hacked to give more than say your in game chat logs/friends list etc…
If you use steam… you are equally vulnerable or safe with or without playing ToL. (Just saying ignoring that steam itself in theory could be a risk in and of itself, while having both a good budget, and a far better track record than most online companies, I still say the possibilities should always be pointed out, and 100% statements are dangerous to make)
Also worth noting
ToS wasn’t hacked
Their forums were hacked
If you have an account on the forums here you’re already as vulnerable as you were on ToS lol