The most popular speedrunning website, Speedrun.com, has reverted all its rankings to their April 1 state after a security breach left many leaderboards at risk of tampering. After a similar issue in November 2018, the site’s owner is considering strengthened security measures to prevent future breaches.
Speedrun.com is the place to go for a game’s latest world record or tips on how to break into its speedrunning scene. Speedrunning, the act of trying to beat a video game as quickly as possible under set conditions, relies on well-maintained records to track the best times and allow runners to catalog their personal bests. Users can create their own accounts to upload videos of their runs, which are then verified by moderators who add them to an overall leaderboard.
In a forum statement this week, a member of the site’s moderation team announced that key moderation accounts had been compromised. Leaderboards for major games like The Legend of Zelda and Super Mario World were vandalized and altered, forcing the site to revert all their records back to April 1, the last known uncompromised state of the website. Speedrunners who have achieved personal best and new records will need to submit their times again.
“A few game moderator accounts were compromised on April 1, in a very similar manner to what happened back in November,” staff member kirkq said in a forum post. “About 3 to 5 accounts moderating prominent boards World were compromised. The cause is still understood to be a few users using or reusing passwords that were compromised from other sites years ago.”
Speedrun.com dealt with a similar breach in November 2018. The staff concluded that the passwords for numerous accounts were stolen as part of a massive 2015 database dump of emails and passwords for the Xsplit Broadcaster, a customizable live-streaming program popular with speedrunners and Twitch streamers. These databases are often used for “credential stuffing,” a process where the password is attempted on as many sites as possible in an effort to gain access to accounts. After that breach, the staff rolled back the site’s data by multiple days. Users were asked to use passwords that they hadn’t used on the breached sites, but it seems some people didn’t follow that advice.
“It is our understanding that every compromised account reused a password that was previously used on a compromised website,” site owner Peter Chase told Kotaku via email. “We recognize that the site needs to do more to protect against this form of account compromise, so we’re working on implementing additional protections for the small number of users vulnerable to this form of compromise.”
The site’s moderators and staff are now actively looking into implementing two-factor authorization to the site. It is possible that this extra security measure will be mandatory for all moderators.
“The data on the 15,000 boards is only as protected as the least protected user, so the site needs to do more to protect the least protected user,” Chase said.