The most popular speedrunning website, Speedrun.com, has reverted all its rankings to their April 1 state after a security breach left many leaderboards at risk of tampering. After a similar issue in November 2018, the site's owner is considering strengthened security measures to prevent future breaches.
Speedrun.com is the place to go for a game's latest world record or tips on how to break into its speedrunning scene. Speedrunning, the act of trying to beat a video game as quickly as possible under set conditions, relies on well-maintained records to track the best times and allow runners to catalog their personal bests. Users can create their own accounts to upload videos of their runs, which are then verified by moderators who add them to an overall leaderboard.
In a forum statement this week, a member of the site's moderation team announced that key moderation accounts had been compromised. Leaderboards for major games like The Legend of Zelda and Super Mario World were vandalized and altered, forcing the site to revert all of its records to April 1, the last known uncompromised state of the website. Speedrunners who have achieved personal bests and new records since then will need to submit their times again.
"A few game moderator accounts were compromised on April 1, in a very similar manner to what happened back in November," staff member kirkq said in a forum post. "About 3 to 5 accounts moderating prominent boards World were compromised. The cause is still understood to be a few users using or reusing passwords that were compromised from other sites years ago."
Speedrun.com dealt with a similar breach in November 2018. The staff concluded that the passwords for numerous accounts were stolen as part of a massive 2015 database dump of emails and passwords for the Xsplit Broadcaster, a customizable live-streaming program popular with speedrunners and Twitch streamers. These databases are often used for "credential stuffing," a process in which each leaked password is tried on as many other sites as possible in an effort to gain access to accounts. After that breach, the staff rolled back the site's data by multiple days. Users were asked to use passwords that they hadn't used on the breached sites, but it seems some people didn't follow that advice.
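One way a site can enforce that advice instead of relying on users to follow it, shown as an added example that is not from the article or from Speedrun.com: screen the password at login against a breached-password corpus and treat moderator accounts more strictly. The sample dump, account names and action labels are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample standing in for a leaked password dump (not real breach data).
CONSTRUCTED_DUMP = ["hunter2", "speedrun123", "qwerty2015", "letmein"]

# Hashes are bucketed by a short prefix, the shape of a k-anonymity range
# lookup: a remote corpus would only ever see the prefix, never the full hash.
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    # SHA-1 is used only as the lookup key format, never for password storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Map hash prefix -> set of hash suffixes seen in the breach corpus."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])
    return index


def is_breached(password: str, index) -> bool:
    digest = sha1_hex(password)
    return digest[PREFIX_LEN:] in index.get(digest[:PREFIX_LEN], set())


def screen_login(user: str, password: str, index, moderators) -> str:
    """Run after the password has already verified correctly.

    A correct password that appears in a breach corpus is exactly what a
    credential-stuffing attempt would present, so it is not trusted as-is.
    """
    if not is_breached(password, index):
        return "allow"
    if user in moderators:
        # Moderators can alter leaderboards, so their tools stay locked
        # until the password is changed.
        return "force_reset_and_lock_mod_tools"
    return "force_reset"
```

The check runs on the plaintext password at the moment of login or password change, since the stored hash cannot be compared against a breach corpus afterwards.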
"It is our understanding that every compromised account reused a password that was previously used on a compromised website," site owner Peter Chase told Kotaku via email. "We recognize that the site needs to do more to protect against this form of account compromise, so we're working on implementing additional protections for the small number of users vulnerable to this form of compromise."
The site's moderators and staff are now actively looking into implementing two-factor authentication on the site. It is possible that this extra security measure will be mandatory for all moderators.
"The data on the 15,000 boards is only as protected as the least protected user, so the site needs to do more to protect the least protected user," Chase said.