High Tail Hall data breach revealed; owners say new site "MUCH more advanced"

Edited as of 17:00
The BBC reports the theft of user data relating to decade-old furry adult game High Tail Hall and its successors.

HaveIBeenPwned lists the disclosure of 411,755 HTH Studios accounts from August 24, including data such as:

Browser user agent details, dates of birth, email addresses, IP addresses, names, phone numbers, physical addresses, purchases, usernames

Passwords were stored as "salted" SHA-1 and MD5 hashes, which may decrease the impact of their being compromised - however, such protections are no longer considered sufficient to protect original passwords, due to the speed at which these types of hashes may be computed.
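The speed problem described above, and one way an operator can harden already-stored hashes without waiting for each user to log in, shown as an added example (not HTH Studios' code). The legacy construction `sha1(salt || password)`, the record layout and all function names are assumptions; PBKDF2-HMAC-SHA256 at 600,000 iterations stands in for whichever slow password hash a site chooses.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

def legacy_hash(password: str, salt: bytes) -> bytes:
    # Assumed legacy scheme: one SHA-1 pass over salt || password.
    return hashlib.sha1(salt + password.encode()).digest()

def wrap(legacy_digest: bytes, wrap_salt: bytes) -> bytes:
    # Slow KDF applied on top of the stored digest; no password needed.
    return hashlib.pbkdf2_hmac("sha256", legacy_digest, wrap_salt, ITERATIONS)

def migrate(record: dict) -> dict:
    # Offline upgrade of a stored row: the fast digest is replaced, not kept.
    wrap_salt = os.urandom(16)
    return {"scheme": "pbkdf2-sha1", "salt": record["salt"],
            "wrap_salt": wrap_salt, "hash": wrap(record["hash"], wrap_salt)}

def verify(password: str, record: dict) -> bool:
    # Recompute the stored value for this scheme and compare in constant time.
    candidate = legacy_hash(password, record["salt"])
    if record["scheme"] == "pbkdf2-sha1":
        candidate = wrap(candidate, record["wrap_salt"])
    return hmac.compare_digest(candidate, record["hash"])

def cost_ratio(samples: int = 20_000) -> float:
    # Time per guess: wrapped scheme divided by bare salted SHA-1.
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        legacy_hash(f"guess{i}", salt)
    fast = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    wrap(legacy_hash("guess", salt), salt)
    return (time.perf_counter() - start) / fast

if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample row, not real data
    old = {"scheme": "sha1", "salt": salt, "hash": legacy_hash("hunter2", salt)}
    new = migrate(old)
    print(verify("hunter2", new), verify("wrong", new))
    print(f"one guess costs about {cost_ratio():,.0f}x more after wrapping")
```

Wrapping only protects copies of the database taken after the migration; hashes that have already leaked remain fast to test, which is why the password change recommended below still matters.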

High Tail Hall, originally released on Newgrounds in July 2004, is described by its creators as:

a puzzle game where you can have erotic encounters with the surrounding characters, and work out your frustrations if you come across a particularly complex puzzle.

Trouble was reported with the payment processor on September 23. Staff member Tyvara Panther posted to the HTH blog on October 3 regarding a "temporary store downtime", stating that "no sensitive data has been compromised". Today, founder Crowchild posted to admit the prior data leak:

As of the overhaul in Oct of 2018 we are using a MUCH more advanced and stable security system. We were contacted today by Twitter user @troyhunt via @haveibeenpwned claiming we had a data breach sometime in August 2018 and that files have appeared on a popular hacking forum and included 411k unique email addresses along with physical and IP addresses, names, orders, salted SHA-1 and salted MD5 hashes. Both our internal security and web team security assure us that no financial data was compromised. I have been in contact with security, developers, legal counsel and law enforcement. The security and comfort of our users is the highest priority.

At this time we recommend ALL of our users update your account passwords (Just to be safe)

Flayrah also recommends changing such passwords if they have been reused elsewhere, to a version which is unique per-site.

A mid-September post gave replacement of the store and content-management system as the reason for the website and store withdrawal:

We realize it’s been two weeks since we started the website relaunch and playable games are still unavailable. Here’s what’s going on and what we’re trying to do.

Our web team is working on integrating the store and the website data so that everyone who has a Gold Subscription maintains that subscription. We’re also doing away with the key system and replacing it with a coupon system. The reason we have to change is because our web team did not create the key system and half of it was written in Dutch, so even with a translator, it’s been a nightmare to deal with for them and the best they could offer was to transfer the system to a new one created from scratch.

In addition to the subscription system problems, we are still waiting on verification from our payment processor to activate our store. We can’t turn on the store without a way to process payments. The reason it’s taking so long is the first payment processor we were trying to go with has been jerking us around for over 3 weeks, so we decided to go to a different processor one we used with the old store, so we already know the approval process. We were forced to switch processors, because one of our previous processors isn’t compatible with our updated store and the current processor we’re going with can’t transfer accounts, so we had to start a new one to go with the new store.

What we’re attempting to do for now is activate the log in for Gold members which is connected to the store information.
The reason we had to make the switch when we did, is our old system, written in Joomla, was getting an update that would have broken our website’s functionality, so our web team advised beginning the switch now.

HTH's Twitter account was also reported to have been "hacked" October 5 by someone "trying to show Crow that he needed to change his passwords".

HTH Studios LLC sells $5/month subscriptions and also has 565 Patreons, providing additional income of $4,959/month, as well as a Cafepress store. Its wiki reports the Flash version of its game was discontinued in August 2017, with the first Unity-based build of "New Cyana" released this February.


I must admit to being curious as to exactly when they knew about the data breach. The timing of the surprise website revamp (which caused inconvenience to customers) is awfully suspicious; and it takes time to contact the law, legal, developers, etc.

Interestingly, Colorado (which appears to be where HTH is based) has a new Data Protection law aimed at such breaches requiring 30-day user notification; however it's unclear whether this applies since a) the breach occurred prior to September 1, when the law came into force, and b) the data released may not constitute "personal information" as defined within the law.

They knew something had happened but were investigating the extent of the leak. Subscribers and free users had been notified before. There was also a Gmail/Twitter security breach about a month ago they were dealing with. Additionally the site overhaul has been in the works for a few years before all this happened.

The post that talks about the temporary store downtime is referring to an email that was accidentally sent out by our web team after we had already made the switch to the updated website. It had nothing to do with the hack, which we didn't find out about until yesterday. If the twitter breach is connected we don't know, and we were not made aware of the location of the hacked information until yesterday.

High Tail Hall a puzzle game?

I mean, that was kind of what made it stand out in 2004 to even nonfurries. You just kind of clicked a character and ducked them. I didn't think picking which orifice to use counted as a puzzle.

Ducked them. Sure, auto-correct, let's go with that.

I guess they might have upped the difficulty level a little later on? Still, it's no Monster Mind.

There were hidden puzzles and zones in the flash version. There was (and still should be) a hidden portal to HTH Classic (the Newgrounds version) in the last Flash version.

Granted, over the last few years Flash has been losing significant functionality, some of the puzzles might not be completable at this time, however that will be repaired for the Unity version.

Those were incomplete Easter Eggs in a game about fucking things where to fuck things you had to click on the thing you wanted to fuck.

Guys, you really don't understand how not being a puzzle game was (besides the furry) the defining feature of this flash.

"Wait, it's just fucking porn? I really don't have to solve shitty, half-assed puzzles or do some god-awful date sim shit and I can just skip to the porn? AND IT'S FUCKING FURRY?"

All the anime games on Newgrounds which made you play an unsolvable puzzle or slog through some interminable "storyline" (or both!) just to get some non-animated artwork were just kind of superfluous to needs after that. The original High Tail Hall flash may in fact be the greatest cultural impact furry has ever made, and that is all down to just being unashamedly porn (Green Reaper, is the High Tail Hall WikiFur article still the most visited, or did some other porn finally beat it?)

Shout out to Tail Underground, which I think actually did do it first, but it never made as big an impact because it was exclusively gay and the creator didn't have the balls to just plunk down on Newgrounds like Crowechilde did.

Also, now that we've lost Fred, this is what furry history discussion looks like, so happy fucking Thanksgiving!

It's been Babysitting Cream for a long time now, but e621's started to push past. Sergal is also very popular, as is Furry Beach Club, and, for some reason, YouTube Furry War (the "War" bit may be irrelevant). If you want more details, have a look at its Google Analytics statistics (Behaviour/Site Content, date filters at the top right.)

Why? Well, one reason could be that pornographic sites don't show up on Google with a default level of SafeSearch. People also seem to think it's a good place to put guides, since readers are often looking for an introduction anyway.

Oh, wow.

I am so sorry I asked now.

Some were incomplete Easter eggs, but there was access to HTH Classic before Flash went abandonware. But all puzzles are optional. That's always been the plan.

Well if any story was going to get the dust out of your mohawk, I suspected it was going to be this one.

Hi, I just came here to make a "hacker voice I'm in" joke, and then I forgot it because I went ape shit over seeing that the fucking BBC reported on this before we did

It was spoken about on Twitter about 2 days ago? It was on my list.

Which the last two weeks have been like... ffs fandom, at this point I'll probably record like a video for every week day over the extended weekend just to set things back to a zero point.

If things keep going this way, we'll have a "We didn't start the fire" parody by the end of the month.

I been busy, I don't see every furry twitter post, looking forward to all the videos though

I remember playing and seeing individual scenes from HTH over the years. Never realised it was such a big thing or that it was still going. It must've been when I first joined the fandom that I saw the first HTH bits. I didn't really care for them that much.

