f13.net

f13.net General Forums => RIFT => Topic started by: Cadaverine on December 22, 2011, 06:16:14 PM



Title: Trion Worlds account database hacked
Post by: Cadaverine on December 22, 2011, 06:16:14 PM
Just got this in my email.

Quote
Dear Xxxxxx,

We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards.

There is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way. We have already taken further action to strengthen our systems, even as we, with external security experts, continue to research the extent of the unauthorized access.

You will notice on your next log in to our website that you will be required to change your password, and existing Mobile Authenticator users will also need to reconnect their Authenticator. When you log in, you will be prompted to provide a new password, security questions and answers, and be given the option to connect your account to our Mobile Authenticator to enhance your account’s security.

If you have used your username and password for other accounts, especially financial accounts or accounts with personal information, we suggest you change your passwords on those accounts as well. We recommend that you carefully review your statements, account activity, and credit reports to help protect the security of those accounts. If you need information on how to obtain your credit report or believe any such accounts have been breached, please visit www.trionworlds.com/AccountNotification for more information.

You should have continued, uninterrupted access to RIFT, and we do not anticipate any disruptions to your playing time.

Nevertheless, if you own the RIFT game, you will be granted three (3) days of complimentary RIFT game time once you update your password and security questions.

Additionally, once you update your account and set a new password, your account will be granted a Moneybags’ Purse, which increases your looted coin by 10%, even if you have not yet purchased RIFT.

Please log in to https://rift.trionworlds.com (and we recommend that you copy and paste this link into your browser to access the site) to update your password, security questions and Authenticator.

We apologize for any inconvenience this may have caused you. If you have further questions, please visit our website, www.trionworlds.com/AccountNotificationFAQ.

– The Trion Worlds Team


I know security is hard, and whatnot, but jesus.
 
Edit:  My favorite bit is where they say it's all good, cause they only got the first, and last, four digits of my credit card.


Title: Re: Trion Worlds account database hacked
Post by: Malakili on December 22, 2011, 08:08:24 PM
Noticed this as well.  Seems like this is happening more and more often these days.  Bleh.  On the plus side, I don't think they have any of my credit card info on file.


Title: Re: Trion Worlds account database hacked
Post by: Hawkbit on December 22, 2011, 08:19:23 PM
I was hoping to get a few days free as a non-subscriber.  I've never once received a "we've missed you, here's 7 free days to see what has changed" email from them.  

I had hopes that Trion would be a decent company, but I've been met with nothing but trouble by them.

EDIT:  Appears to have given me the three days regardless.


Title: Re: Gripes, complaints and irritations.
Post by: bhodi on December 23, 2011, 08:51:51 AM
Trion, your "Enhanced Security" password change page is a fucking checklist of WHAT NOT TO DO. Did you have some intern write this garbage?

Are you unfamiliar with security concepts that mean what you have done here is going to make people frustrated and simply either ignore the page (bad), call your customer service (bad), or make some shit up and then write it down because no one is going to remember this (bad)?

Here are the things you have done wrong:
* Getting hacked in the first place. All that shit should be hashed. I hope you get raped by ravenous PCI wolves.
* Failing to code a more modern page instead of values that are checked when you hit submit (thus clearing the page every time)
* Absolutely retarded restrictions on passwords. (I had to EDIT MY KEEPASS GENERATED PASSWORD TO COMPLY!)
* Made the captcha so restrictive you have to get it 100% accurate, thus ensuring multiple tries
* Not allowing the same answer to multiple secret questions
* Having a fixed number of "Secret questions" and make you unable to write your own
* Forcing you to change your "Secret questions" to something you haven't used before, thus running out of your easily remembered / applicable questions


Edit: If it wasn't an actual security risk, I'd have junked this email and saved myself the 10 minutes of effort.


Title: Re: Trion Worlds account database hacked
Post by: Severian on December 23, 2011, 09:57:54 AM
Q: What did the hackers get? How much of my personal information / payment information do they have?

A: We recently discovered that unauthorized intruders gained access to a Trion Worlds account database containing information including user names, encrypted passwords, first and last names, dates of birth, email addresses, billing addresses, as well as the first and last four digits and expiration dates of customer credit cards. Importantly, there is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way.

Credit card information provided to Trion is always fully encrypted with high levels of encryption. We also do not store plain text passwords. As a precaution, we are requiring customers to change their passwords on our website and encouraging them to keep an eye on their account. For the inconvenience, we’re extending customers’ subscriptions by three days and granting them a Moneybags’ Purse, which increases looted coin by 10%.

Source: http://www.trionworlds.com/en/games/account-notification-faq



Title: Re: Gripes, complaints and irritations.
Post by: dd0029 on December 23, 2011, 10:17:27 AM
What I liked is the unlisted note that your new password cannot be a recognizable variation on your previous password. That took about 6 tries and a guess to figure out.


Title: Re: Trion Worlds account database hacked
Post by: Fabricated on December 23, 2011, 10:50:09 AM
This is really becoming a problem anymore.


Title: Re: Trion Worlds account database hacked
Post by: bhodi on December 23, 2011, 10:56:59 AM
Just merged these two threads. Moved my own bitchy post in for bonus fun.


Title: Re: Trion Worlds account database hacked
Post by: rattran on December 24, 2011, 01:00:46 AM
What Bhodi said. I only did the trial after beta ended (was out of intarwebs for 2 months, by the time I got back everyone was done) and had used a random generated password, no cc info. So I gave up resetting everything after 10 minutes and said fuck it. They have no cc info from me, the hackers can keep my account.


Title: Re: Gripes, complaints and irritations.
Post by: Sky on December 27, 2011, 07:29:01 AM
Quote
All that shit should be hashed.
Don't forget to pass the salt.

Though allowing the same answer to multiple secret questions is a security risk.
Quote
We recently discovered that unauthorized intruders gained access to a Trion Worlds account database containing information including user names, encrypted passwords, first and last names, dates of birth, email addresses, billing addresses, as well as the first and last four digits and expiration dates of customer credit cards. Importantly, there is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way.
Redundant info is redundant.

On the other hand, there's really not much you can do to thwart a dedicated hack attempt. But people hate best practices. My current security gripe is that I had to cut my password in half to fit in TOR. I'm using 20-28 characters for the most part. I also base my secret questions on a friend's info, so even if you know my mom's stripper name you won't get past.

Other than actually trying to be secure, just keep an eye on your credit accounts at least every week. My cc info got stolen after buying minecraft and had a replacement card the next day, smooth transition.
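The "hash it, and pass the salt" point bhodi and Sky make above, worked through as an added example that is not part of the thread and not Trion's code. It contrasts an unsalted, fast SHA-256 digest (crackable from a dump by guessing a wordlist) with a per-user salted, iterated PBKDF2-HMAC-SHA256 record that a dump alone does not reveal. The algorithm choice, the 600,000-iteration default, the 16-byte salt, the record format and the wordlist are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters for the example (not from the thread): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per user, and a work factor of 600k iterations.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """What 'hashing' without salt or stretching looks like: one fast digest,
    identical for every user with the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(digest_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline attack on a leaked unsalted digest: hash each candidate once and
    compare. With a real wordlist this runs at millions of guesses per second."""
    for candidate in wordlist:
        if unsalted_sha256(candidate) == digest_hex:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Store a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<hash>'.
    The salt is generated fresh for every call, so two users with the same
    password get unrelated records and one guess only ever tests one user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time; the record never needs to be decrypted, because
    nothing reversible was stored in the first place."""
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def salt_separates_users(password: str, iterations: int = ITERATIONS) -> bool:
    """The salt's job in one check: the same password enrolled twice yields two
    different records, and each record still verifies on its own."""
    r1 = hash_password(password, iterations=iterations)
    r2 = hash_password(password, iterations=iterations)
    return r1 != r2 and verify_password(password, r1) and verify_password(password, r2)


if __name__ == "__main__":
    # Constructed wordlist and sample password, for illustration only.
    leaked = unsalted_sha256("hunter2")
    print("unsalted digest cracked as:", crack_unsalted(leaked, ["password", "hunter2"]))
    record = hash_password("hunter2")
    print("salted record:", record)
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
    print("salt separates users:", salt_separates_users("hunter2"))
```

The iteration count is what makes a dumped table expensive to attack even after the salt is known; it should be set to whatever your login path can afford, and raised over time. The record carries its own parameters so old entries can be re-hashed on next successful login when you raise them.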