Welcome, Guest. Please login or register.
March 27, 2017, 01:29:00 PM

Login with username, password and session length

Search:     Advanced search
Donate! | Subscribe! | Shop: Amazon

***DONATION DRIVE 2 HAS BEGUN:
CLICK HERE TO BURN MONEY***
*
Home Help Search Login Register
f13.net  |  f13.net General Forums  |  The Gaming Graveyard  |  RIFT  |  Topic: Trion Worlds account database hacked 0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: Trion Worlds account database hacked  (Read 2927 times)
Cadaverine
Terracotta Army
Posts: 1545


on: December 22, 2011, 07:16:14 PM

Just got this in my email.

Quote
Dear Xxxxxx,

We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards.

There is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way. We have already taken further action to strengthen our systems, even as we, with external security experts, continue to research the extent of the unauthorized access.

You will notice on your next log in to our website that you will be required to change your password, and existing Mobile Authenticator users will also need to reconnect their Authenticator. When you log in, you will be prompted to provide a new password, security questions and answers, and be given the option to connect your account to our Mobile Authenticator to enhance your account’s security.

If you have used your username and password for other accounts, especially financial accounts or accounts with personal information, we suggest you change your passwords on those accounts as well. We recommend that you carefully review your statements, account activity, and credit reports to help protect the security of those accounts. If you need information on how to obtain your credit report or believe any such accounts have been breached, please visit www.trionworlds.com/AccountNotification for more information.

You should have continued, uninterrupted access to RIFT, and we do not anticipate any disruptions to your playing time.

Nevertheless, if you own the RIFT game, you will be granted three (3) days of complimentary RIFT game time once you update your password and security questions.

Additionally, once you update your account and set a new password, your account will be granted a Moneybags’ Purse, which increases your looted coin by 10%, even if you have not yet purchased RIFT.

Please log in to https://rift.trionworlds.com (and we recommend that you copy and paste this link into your browser to access the site) to update your password, security questions and Authenticator.

We apologize for any inconvenience this may have caused you. If you have further questions, please visit our website, www.trionworlds.com/AccountNotificationFAQ.

– The Trion Worlds Team


I know security is hard, and whatnot, but jesus.
 
Edit:  My favorite bit is where they say it's all good, cause they only got the first, and last, four digits of my credit card.
« Last Edit: December 22, 2011, 07:19:08 PM by Cadaverine »

Every normal man must be tempted at times to spit on his hands, hoist the black flag, and begin to slit throats.
Malakili
Terracotta Army
Posts: 10496


Reply #1 on: December 22, 2011, 09:08:24 PM

Noticed this as well.  Seems like this is happening more and more often these days.  Bleh.  On the plus side, I don't think they have any of my credit card info on file.
Hawkbit
Terracotta Army
Posts: 4688

Like a Klansman in the ghetto.


Reply #2 on: December 22, 2011, 09:19:23 PM

I was hoping to get a few days free as a non-subscriber.  I've never once received a "we've missed you, here's 7 free days to see what has changed" email from them.  

I had hopes that Trion would be a decent company, but I've been met with nothing but trouble by them.

EDIT:  Appears to have given me the three days regardless.
« Last Edit: December 22, 2011, 09:57:33 PM by Hawkbit »
bhodi
Moderator
Posts: 6817

No lie.


Reply #3 on: December 23, 2011, 09:51:51 AM

Trion, your "Enhanced Security" password change page is a fucking checklist of WHAT NOT TO DO. Did you have some intern write this garbage?

Are you unfamiliar with security concepts that mean what you have done here is going to make people frustrated and simply either ignore the page (bad), call your customer service, (bad), or make some shit up and then write it down because no one is going to remember this (bad)?

Here are the things you have done wrong:
* Getting hacked in the first place. All that shit should be hashed. I hope you get raped by ravenous PCI wolves.
* Failing to code a more modern page instead of values that are checked when you hit submit (thus clearing the page every time)
* Absolutely retarded restrictions on passwords. (I had to EDIT MY KEEPASS GENERATED PASSWORD TO COMPLY!)
* Made the captcha so restrictive you have to get it 100% accurate, thus ensuring multiple tries
* Not allowing the same answer to multiple secret questions
* Having a fixed number of "Secret questions" and make you unable to write your own
* Forcing you to change your "Secret questions" to something you haven't used before, thus running out of your easily remembered / applicable questions


Edit: If it wasn't an actual security risk, I'd have junked this email and saved myself the 10 minutes of effort.
« Last Edit: December 23, 2011, 10:04:52 AM by bhodi »
Severian
Terracotta Army
Posts: 391


Reply #4 on: December 23, 2011, 10:57:54 AM

Q: What did the hackers get? How much of my personal information / payment information do they have?

A: We recently discovered that unauthorized intruders gained access to a Trion Worlds account database containing information including user names, encrypted passwords, first and last names, dates of birth, email addresses, billing addresses, as well as the first and last four digits and expiration dates of customer credit cards. Importantly, there is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way.

Credit card information provided to Trion is always fully encrypted with high levels of encryption. We also do not store plain text passwords. As a precaution, we are requiring customers to change their passwords on our website and encouraging them to keep an eye on their account. For the inconvenience, we’re extending customers’ subscriptions by three days and granting them a Moneybags’ Purse, which increases looted coin by 10%.

Source: http://www.trionworlds.com/en/games/account-notification-faq

« Last Edit: December 23, 2011, 11:02:58 AM by Severian »
dd0029
Terracotta Army
Posts: 888


Reply #5 on: December 23, 2011, 11:17:27 AM

What I liked is the unlisted note that your new password cannot be a recognizable variation on your previous password. That took about 6 tries and a guess to figure out.
Fabricated
Moderator
Posts: 8704

~Living the Dream~


WWW
Reply #6 on: December 23, 2011, 11:50:09 AM

This is really becoming a problem anymore.

"The world is populated in the main by people who should not exist." - George Bernard Shaw
bhodi
Moderator
Posts: 6817

No lie.


Reply #7 on: December 23, 2011, 11:56:59 AM

Just merged these two threads. Moved my own bitchy post in for bonus fun.
rattran
Moderator
Posts: 3686

Unreasonable


Reply #8 on: December 24, 2011, 02:00:46 AM

What Bhodi said. I only did the trial after beta ended (was out of intarwebs for 2 months, by the time I got back everyone was done) and had used a random generated password, no cc info. SO I gave up resetting everything after 10 minutes and said fuck it. They have no cc info from me, the hackers can keep my account.
Sky
Terracotta Army
Posts: 28838

I love my TV an' hug my TV an' call it 'George'.


WWW
Reply #9 on: December 27, 2011, 08:29:01 AM

All that shit should be hashed.
Don't forget to pass the salt.

Though allowing the same answer to multiple secret questions is a security risk.
Quote
We recently discovered that unauthorized intruders gained access to a Trion Worlds account database containing information including user names, encrypted passwords, first and last names, dates of birth, email addresses, billing addresses, as well as the first and last four digits and expiration dates of customer credit cards. Importantly, there is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way.
Redundant info is redundant.

On the other hand, there's really not much you can do to thwart a dedicated hack attempt. But people hate best practices. My current security gripe is that I had to cut my password in half to fit in TOR. I'm using 20-28 characters for the most part. I also base my secret questions on a friend's info, so even if you know my mom's stripper name you won't get past.

Other than actually trying to be secure, just keep an eye on your credit accounts at least every week. My cc info got stolen after buying minecraft and had a replacement card the next day, smooth transition.

Pages: [1] Go Up Print 
f13.net  |  f13.net General Forums  |  The Gaming Graveyard  |  RIFT  |  Topic: Trion Worlds account database hacked  
Jump to:  

Powered by SMF 1.1.10 | SMF © 2006-2009, Simple Machines LLC