|Warning:||This article is only intended to give examples and educate users about hacking. Please do not attempt anything in this article, as it could lead to alerts or a ban.|
Hacking in computer science terminology is tampering of another individual or company's (or one's own) software, computers, or databases. Scratch currently has no history of any hacking in this context.
However, its mainstream use on Scratch usually refers to when a Scratcher's account information (i.e. their username and password) is obtained by a "hacker" and gains unauthorized access to that account. This can become problematic, as the hacker can delete projects and do inappropriate behavior to get the account banned. Such instances are often easily prevented.
|Note:||The term hacking from here on will refer to the methods used to exploit account information.|
- Main article: Phishing
Sometimes others trick users into giving their private information away (such as a password) — this is called phishing.
UserA is on Scratch and they made a project which links to a website which requests the visitor's Scratch password for followers. UserB is new and does not know much about hacking and gives away their Scratch password to UserA. UserA can use this information to gain unauthorized access to UserB's account.
Although hacking is used as a broad term, there are often cases of alleged hacking that aren't considered so:
- Main article: kaj
- See also: List of Misconceptions about Scratch#kaj
There have been rumors that kaj once hacked or stole another account. kaj is sometimes used to symbolize hacking. People have also made fake accounts claiming to be kaj; such accounts get banned. However, kaj never hacked or stole accounts; they only claimed to destroy Scratch due to wanting more views.
- Main article: JSON Tutorial
Some users refer to modifying the JSON code of a project as "hacking", however, it is not a method of exploiting personal information. This is editing a project without using the online or offline editors.
In this context, hacking refers to unauthorized modifications made to the Scratch code — modifying the JSON in order to implement features never possible in the normal editor, such as placing variables inside of dropdowns.
The Scratch Team partially discourages doing so because it could confuse new users.
Hacking Cloud Variables
Hacking of cloud variables often happens when a popular project has a highscore. This is usually done by connecting to the cloud server with other programming languages like Python, because Cloud Data shuts down when the editor is opened by someone other than the creator of the project. There are multiple methods for this, but not all are hacking.
Leaving Accounts Logged In
A common mistake users make is to accidentally leave their Scratch account logged in on a public computer, such as in a school or library computer. Other people will then find that there is an account logged in and use it inappropriately, resulting in a ban. While this often is dubbed as "hacking", such an instance is generally not considered so since it is easily preventable by the user, as logging into an account will log it out everywhere else not on the same network.
Stealing account information requires exploiting passwords and other information through an encrypted database. This would be considered hacking.
If an account is hacked
If in the case that an account is hacked, the Scratcher in question should use the Contact Us link in the footer of the website. They then should get in contact with the Scratch Team and tell them what has happened, and the Scratch Team will do their best to keep the hacked account safe. When sending a message, the following should be included:
- The username of the hacked account
- The user who hacked the account (if known and fully certain)
- Ways the Scratch Team can contact the owner of the hacked account
- If the password has already been changed (if possible)
- Any other information the Scratch Team needs to know
If the user with the hacked account can still log in, it is advisable to change the password so the account is no longer accessible to the hacker.
Account Security Tips
While some cases of account theft are not preventable by the user themselves, Scratch offers many different ways to protect accounts.
- Log out when you're finished using Scratch, especially when using a public or shared device.
- Use a strong password, and do not share it with anyone else. For tips on how to create a strong password, see Password#Ways to Make a Strong Password. Make sure that the password is not too long, but not too short. Do not make passwords easy to guess, such as setting it "password", the username or even a birthday. Change passwords every few months for maximum protection. Write down passwords and keep it in a safe place to prevent getting locked out.
- Be careful when entering sensitive information on the site. If something sounds too good to be true, it probably is. Scratch will never ask for your username or password, unless logging in, emptying trash, changing the studio host, or deleting your account.
- If a user trying to hack an account is found, report it to the Scratch Team immediately.
- Be sure that you have a parent or guardian's email linked to your account. Having an email linked to your account will make it much more easy to retrieve a stolen account.
- Lightnin. (13/9/2012). "Some people create websites / software just to steal passwords - this is called “Phishing”." projects:2778121
- Lightnin. (4/2/2013). "[When anyone who doesn't know what you've done (or how you've done it) tries to view your project, they won't be able to understand your scripts" post:10418
- If you look at the cloud data of any of griffpatch's projects you might see that there is some suspicious data in the cloud. This is a result of cloud variable hacking.
- The other methods are known, but are not mentioned as they are considered cheating.