TMX Security Breach

Greetings TrackMania Exchange users,

We regret to inform you that security was compromised on united.tm-exchange.com

We can also assume that security may have been compromised on these sites:

• original.tm-exchange.com
• sunrise.tm-exchange.com
• nations.tm-exchange.com
• tmnforever.tm-exchange.com

The attackers may have accessed:

• All email addresses
• Salted hashes of passwords
• IP addresses
• Private Messages
• PayPal donation amounts (2010 to 2016)
• PayPal transaction ids (2010 to 2016)

No PayPal emails though.

If you have an account on one or more of these TrackMania Exchange sites, make sure you're not using the same password on other sites. If you do, change your password immediately.

We'll also evaluate additional ways to inform users about the breach, including through a direct email.

The TMX sites mentioned above use code first introduced in 2004 and were then built up over the years as new sites were introduced. Unfortunately, there's only so much we can do to secure these old sites while continuing to use the old codebase. They were already being held together with bailing wire and chewing gum, as it were.

Why not put the sites online again?

We simply can't in good conscience put the sites online again when we can't be sure of additional vulnerabilities.

Therefore, we've decided to take the time and properly create new websites for the old exchanges.

Data from the old sites (tracks, replays, awards, comments, etc.) will be imported to the new sites.

What about using the codebase from the newer ManiaExchange sites for the old sites?

We considered this, but the databases are structured very differently.

Making new sites will also allow us to introduce modern security features like two-factor authentication, which will lower the risk of a moderators account being compromised if their password is. It'll also allow us to tighten what data individual staff members have access to.

However, creating new sites will not happen overnight. So you can expect an extended outage. This most likely means weeks before minimal site functionality is back. It may even be read-only at first. It will probably be months before we reach some level of normality again.

We thank you for your patience during this transitional period.

If you use our newer sites for ShootMania, TrackMania 2, and Trackmania (2020) at mania.exchange we recommend enabling Two Factor Authentication (2FA) for your account. You can do that through the account portal at account.mania.exchange under the section "Two-Step Auth".