Author Topic: Computermix, Ipquarx, and Cca - CBM being hacked into to steal keys [chat+pics]  (Read 43493 times)

Can we just pass by this? I found out about this more than a month ago. Nothing has happened. Let's just stop.

Anybody saying that only the last three digits of the keys were cracked obviously doesn't understand something very important:
There is no secret formula to solving the sections of a real authentication, however, the first five digits are systematically obtained based on your BL_ID and the rest of the digits are randomly generated.

I am getting a major facepalm every time I see people say that they are fine because they only have the last three digits. No they don't. They have your full key.
Someone decrypted the key.dats because they already knew an authentication that was inside one of them, and obtained the keys. It's not a hard concept to understand.

I can easily say that computermix and his posse have the capability to decrypt keys, and so do other people that are script kiddies.
Probably not MoR. He was only known for DDoS attacks. (as far as I know)

> ...and so do other people that are script kiddies.
ouch lol

> they already knew an authentication that was inside one of them, and obtained the keys. It's not a hard concept to understand.
and you know this how? this sounds like total speculation to me.

> and you know this how? this sounds like total speculation to me.
When you are decrypting, there is a technique that allows it to work.
Not entirely sure how it works, I've never seen someone do it, but basically knowing a portion or what's inside one of the key.dats can allow you to solve what's inside of another.
I think you can actually find a webpage about it somewhere online. I was told this by Trinick or Slicksilver555.

Oh, yeah. You can decrypt a key file on a computer that you have access to. That's not quite the same thing as being able to "decrypt any key" though.

Oh dear.

Well, if something happens, I do have an alt. :/

Double post; so from my understanding, it is still unclear as to whether or not the full keys have been stolen (some say yes, some say no)?

I'm going to guess in the chance they haven't been, removing myself from CBM's service isn't going to do me any good.  It'd be too late for that, cause they already have my key.dat?

> Double post; so from my understanding, it is still unclear as to whether or not the full keys have been stolen (some say yes, some say no)?
>
> I'm going to guess in the chance they haven't been, removing myself from CBM's service isn't going to do me any good.  It'd be too late for that, cause they already have my key.dat?
They don't have the full keys.

> They don't have the full keys.
I've come to believe this, since it's been a full month since the hackers revealed the picture in OP, and possibly even longer since the actual hacking event, they would have done something with the full keys if they had them. Literally anything, sell them, troll with them, blackmail the owners of the keys, etc. But absolutely nothing has happened. They're just trying to fearmonger everyone and it worked.

For those "confused":

Background knowledge required:

Key.dat files are the result of a formula that takes your key and several computer specs (including network properties I believe) of the machine it is generated on. This is an intentional security measure implemented by Badspot so a malicious user cannot simply copy and paste your key.dat file into their own Blockland folder to authenticate as you.

It is possible to find out how your computer's specs influenced the formula if you have both a key and its respective key.dat file. This was proven by Trinick and used to aid several users on the Help board in recovering an old key they still had the key.dat file of, as well as a known key and corresponding key.dat file generated on the same computer as the other key.dat file.

The characters ".." (two periods/full stops) represent "up a directory" in file path syntax.

Conclusions you can draw:

The directory traversal attack or whatever mentioned in the quoted post below was most likely a simple use of a relative file path to access other Blockland folders on the single FTP server CBM host uses. Obviously, this is a security flaw, as you should not be able to access other users' files, but it is what it is.
> My server was hacked and exploited with a directory traversal attack according to my source (which has since been fixed) and they got the key.dat files,

Now, you'll note I only quoted part of his post. He then goes on to say "but they were unable to get the full keys." You can ignore this, because the situation is that they either got none of the key or they got the whole key, and clearly they have a part of it as proven by several users who actually own the keys posting confirmation in this thread.

And, if you made note of the part I bolded earlier in this post, it is entirely possible for them to have the whole key. I mentioned you need three criteria to extract a key from a key.dat file:

1) The target key.dat file -- Obtained through the poor security Cowboy6 mentioned
2) A known key
3) A key.dat generated from the known key on the same machine as the target key.dat file

To fulfill #2 and #3, the malicious user simply signed up for CBM host. Of course, they know their own key. Upon authenticating their Blockland install on CBM, they can also access the key.dat file that was generated in the folder of their server.

 :nes: I've said "malicious user" because I haven't read the replies in detail and don't care to, so if you know conclusively who owns the image in the OP then you can just substitute in their name and consider them guilty. It is not by some hacking miracle that this was possible, which apparently a lot of people were having trouble believing. Anyone passing off the event as a non-issue is most likely involved, whether directly or just not wanting their friends who were involved to be punished.

Probable question:

If the criteria to reverse a key.dat file are so easy to fulfill, why hasn't this been exploited before? The big one is #3. You need the same computer as your target. Not same model, same computer. Like they'd have to come to your house and play Blockland, at which point the security of a single file on your computer is the least of your problems. Or, as was shown in this instance, share a (remote) computer without any guaranteed trust between the users.

tl;dr read the line that starts with the :nes:
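
Added example (not part of the post above, and not CBM's or Blockland's code): a server-side check that would stop the relative-path access described in that post, by resolving every requested path and refusing anything that lands outside the requesting user's own folder. The folder layout, the user names `alice` and `bob`, and all function names are assumptions made for illustration.

```python
import os
import tempfile

class PathEscapeError(Exception):
    """Raised when a requested path resolves outside the user's own folder."""

def resolve_in_home(hosting_root, user, requested):
    """Return the real path for `requested`, confined to hosting_root/user."""
    home = os.path.realpath(os.path.join(hosting_root, user))
    # Treat client paths as relative to the user's folder, even if they start with "/".
    candidate = os.path.realpath(os.path.join(home, requested.lstrip("/\\")))
    # realpath collapses ".." and follows symlinks, so compare only resolved paths.
    if os.path.commonpath([home, candidate]) != home:
        raise PathEscapeError(f"{user!r} requested {requested!r} outside their folder")
    return candidate

def build_demo_tree():
    """Constructed layout: one folder per customer, each holding a key.dat."""
    root = tempfile.mkdtemp(prefix="hosting_")
    for user in ("alice", "bob"):
        os.makedirs(os.path.join(root, user, "config"))
        with open(os.path.join(root, user, "key.dat"), "wb") as fh:
            fh.write(b"constructed placeholder, not a real key file")
    return root

def check_requests(root):
    """Run sample requests as user 'alice'; return {request: allowed?}."""
    results = {}
    for req in ("key.dat", "config/../key.dat", "../bob/key.dat",
                "config/../../bob/key.dat", "/../bob/key.dat"):
        try:
            resolve_in_home(root, "alice", req)
            results[req] = True
        except PathEscapeError:
            results[req] = False
    return results

if __name__ == "__main__":
    for req, ok in check_requests(build_demo_tree()).items():
        print(f"{'ALLOW' if ok else 'DENY '}  {req}")
```

A check like this belongs alongside operating-system isolation (separate accounts or a chroot per customer), so that a missed code path does not expose another customer's files.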

Why weren't user directories on Cowboy's server set up properly? They should never have been able to access other users' files.


> Because it's free?
being a free service has no relation to what greek was saying

Well, considering it's a no-benefit service, there are obviously parts of it you skimp on and because of that, security holes that get overlooked. That and paid services are the things that last long enough to patch all of the security holes like this one. That being said, I am glad that Cowboy seems to be receiving enough donations to stick around.

Not exactly implying that it's impossible for a non-beneficial service to become fool-proof (in the IT area) but that is a rare sight.
Maybe someone can make sense of my loopy rambling.