Tag: security

Ubisoft Compromised, Change Your Passwords


TheDivision

This is one of those “if you’ve been affected then you likely already know about it” sort of articles. Those of you who have accounts with Ubisoft were no doubt delighted to see the following email in your inbox:

We recently found that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems. During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

If you have an Ubisoft account, either through uPlay or their other services, and you haven’t received an email, make sure to check your spam folder. Some users are reporting that the email was shelved as a suspected phishing attempt by Gmail and a couple other services. You can find out more at the link below.

(Source: FAQ)

Recent Structural Changes To MMO Fallout


stupid mouth

Hello everyone,

You may or may not be aware of MMO Fallout’s recent downtime, stemming from a concentrated attempt at breaking into our WordPress database. The attack was unsuccessful, however it brought the website down for most of the day. In response, we are making some back end changes to beef up security. The most notable change on your end is that our URLs have been drastically altered down to a simple p=[numbers] formula. With that knowledge that doing so would result in killing MMO Fallout’s ranking with search engines, we made the decision because shorter URLs will benefit our security in the long run.

I like to talk about security here every once in a while because it gives our viewers a behind the scenes look at how vile and destructive the internet can be. Now consider that MMO Fallout has no financial incentive: We sell nothing so breaching our walls would accomplish absolutely nothing. We have no customers, and as such no customer databases to break into. We have no advertisers apart from that Google Ads bit you see at the top. And still, the attempts to break into this website continue to rise every month, almost doubling with each month’s passing. These are mostly random drive-by hackings by bots that have no one at the controls and have no idea who we are.

I’ll say that again: Most of our breach attempts are almost by happenstance. I was amazed when I checked our logs one month after I installed a new security apparatus and found that there were just short of seven thousand bad login attempts between mid-April and mid-May, and well over twenty thousand 404 intrusions (this apparently indicates that someone is phishing for holes). Over thirty one thousand events logged for that one month, on a website that is famous by almost nobody’s standard, and one which admittedly just got a lot less popular since a good 75% of our traffic is based in Google/Bing/Yahoo and that was just reset.

The URL change isn’t the only thing we’ve done, and was necessary because another system we put into place actively prevents us from using long URLs for our links (long links sink ships, I hear) but I really don’t want to go into what those systems are for the sake of security. As I said in a previous post, MMO Fallout may occasionally break while we test out new systems, and I want to thank all of you for sticking with us.

With the summer on us, I am continuing work on some higher quality entertainment to bring you all.

The War Z Shutdown Following Security Breach


WarZ

OP Productions has issued a warning to its customers via email that the game and forums have been shut down temporarily following a security breach being discovered. Hackers allegedly got ahold of email addresses, encyrpted passwords, however payment information was not exposed as all payments are processed through a third party.

We have engaged outside experts and investigators to assist in our investigation of this incident and committed substantial resources to that effort. We have identified number of ways access was obtained and have enhanced our security to improve game and forum safety. We are undertaking a full review and update of our servers and the services we use and adding additional security mechanisms. In addition to this post, we are emailing all of our players just to make certain that everyone is informed and has been advised to change their passwords.

You can find the full security alert at the link below.

(Source: The War Z)

ProSiebenSat.1 Suspends Some Planetside 2 Accounts Following Server Breach


planetside2image2

ProSiebenSat.1 has posted a notice on the Planetside 2 Europe website to notify customers that an unauthorized party gained access to one of their systems. While it is unknown if data containing usernames and passwords (which are encrypted) was stolen, the publisher has taken steps to prevent unauthorized access by suspending accounts suspected of being affected by the breach.

All accounts that may have been subject to unauthorized access have received an e-mail in which we have requested the user to change their password. If you are not able to log into your game, this means that your account has been suspended for security reasons. You can reactivate your account by following the link below and creating a new password. http://www.planetside2.eu/en/forgot_password

You can read the entire post at the link below, as well as an addition email address to contact in case your account has been deactivated and you are unable to retrieve it.

(Source: Planetside 2)

Blizzard Servers Breached


Grab your authenticators and rev up the conspiracy machine. With all the server breaches that have happened over the past year or so, it seemed inevitable that Blizzard would eventually be the victim of such an attack. A security notice on Battle.net has been posting warning users that a security breach has resulted in delicate information being released.

According to the notice, encrypted passwords, security questions, email addresses, and mobile authenticator information was stolen in the breach. Mike Mohaime points out that the information leaked is not enough to recover an account, however users over the next few days will be forced to change their secret questions and mobile authenticator users will be required to update to a new version of the software.

All in all the breach was bad, but as several sites are pointing out, it could have been much worse.

(source: WoW Insider)

Blizzard Investigating Account Theft, Denied Authenticator Hacking


I know what you’re thinking: Sure, denial is exactly what someone would do when they have something to hide. Well take a moment to remember that denial is also something a person will do when they are truly innocent of the charges, so let’s not get ahead of ourselves. Coming off of the release of Diablo III was the well-expected surge in accounts being stolen and stripped clean. Some of those people also happen to have authenticators, raising suspicion as to whether or not the security method has been successfully cracked. I have good news:

Blizzard wants you to know that you are a liar, if you claim to have been hacked with an authenticator already on the account. According to Blizzard, not a single case has been filed where an authenticator was already on the account.

While the authenticator isn’t a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.

On the other hand, you can rest assured that the Blizzard servers have not been breached. And once again to the paranoid conspiracy theorists who think Blizzard compromises/sells accounts to scam/scare users into buying authenticators, you are still wrong.

(Source: Blizzard Forums)

Mortal Online Wasn't Hacked


Here at MMO Fallout, I’ve developed a pet peeve over the distinct difference between being hacked and having an account breached. Hacking requires some amount of technical prowess to accomplish, such as exploiting a vulnerability in an sql database to retrieve a list of passwords, or in the case of NCSoft back a couple of years, using an exploit in the client to log into a random person’s character and steal their items. When someone breaches an account by way of keylogger, guessing the password, or having access to an account with higher privileges, the account was compromised, not hacked.

In the case of Mortal Online, yesterday a player obtained access to a GM account and went wild on the server, deleting structures and altering some player’s accounts. It’s important to note that the person was not able to access payment details, and apparently the extent of the damage was destroyed assets, some players had their passwords changed, and some players were banned.

So Star Vault, as they announced, had a “security breach,” but the company was not hacked as some outlets are reporting. I just want to reinforce this difference because with the recent hacking at Steam, Square, Sony, etc, the announcement that a company has been hacked is just another fear of one’s credit details being stolen.

The more you know.

(Source: Star Vault)

Mortal Online Wasn’t Hacked


Here at MMO Fallout, I’ve developed a pet peeve over the distinct difference between being hacked and having an account breached. Hacking requires some amount of technical prowess to accomplish, such as exploiting a vulnerability in an sql database to retrieve a list of passwords, or in the case of NCSoft back a couple of years, using an exploit in the client to log into a random person’s character and steal their items. When someone breaches an account by way of keylogger, guessing the password, or having access to an account with higher privileges, the account was compromised, not hacked.

In the case of Mortal Online, yesterday a player obtained access to a GM account and went wild on the server, deleting structures and altering some player’s accounts. It’s important to note that the person was not able to access payment details, and apparently the extent of the damage was destroyed assets, some players had their passwords changed, and some players were banned.

So Star Vault, as they announced, had a “security breach,” but the company was not hacked as some outlets are reporting. I just want to reinforce this difference because with the recent hacking at Steam, Square, Sony, etc, the announcement that a company has been hacked is just another fear of one’s credit details being stolen.

The more you know.

(Source: Star Vault)

Community Concerns: How Should Security Be Rated?


In case you hadn’t noticed, Week in Review (much like Month in Review before it) is going the way of the dodo. I’d rather utilize my Sundays to discuss more meaningful topics to MMO Fallout than the metaphorical digging from the trash bin I did in past months. I always have something in the works to make MMO Fallout less of a news source and more of an information database, to make my articles less time-based (less likely to be outdated) while at the same time staying relevant and interesting.

My current project is to discuss and rate the security on a company by company basis, which I will be doing hopefully in each Sunday’s editorial. I can guarantee an editorial every Sunday, but not that it will be on security, because some of the questions I will be asking need direct information from customer support, and we all know how fast they generally respond.

If I don’t bring this up now, someone will point it out: Yes, I am including actual security breaches in the analysis.

1. Prevention

How well do publishers prevent an account from being broken into in the first place?

  • Authenticators (either dongle or app form)
  • On-screen PIN (clicked with mouse, sends encrypted message, not through keyboard)
  • Computer recognition (Only recognized computers may log in)
  • IP recognition (If an account suddenly logs in from another country, it is locked)

2. Recovery

Once the account is stolen, how is the process?

  • How long does it take an account to lock down?
  • What damage can be done while the active account is moving about?
  • Can the thief plant information to later use to steal back the account?
  • etc.

3. Cleanup

Once the account is returned to its rightful owner.

  • Compensation (does the company return lost items/characters)

This isn’t the entire list of questions I’ll be taking into account, but it is rather comprehensive. Hopefully I can get some of these developers to get on board and help me out.

Rift: Authenticator Now Available for iOS


Rift has been at the top of my security hitlist for a couple weeks now, ever since Trion announced the release of Coin Lock, a security feature that, by their own admission, did little to improve security. Rather, in my own suggestions, I have always praised the mobile authenticators, noting that although they are not foolproof, they subscribe to the most pressing issue in account security: distancing the account from the computer, and when dealing with account theft, nothing accessible through the computer should be used. This means nothing sent to emails, dynamic codes, and more.

The Rift authenticator has been available on the Android devices for a while now, with promise that the app would come to iTunes in some fashion. Today, Trion announced that the security app is now available. The Rift Authenticator goes for a whole $0.00 (USD) and works on the iPhone, iPod Touch, and iPad, and requires OS 3.0 or higher to install.

The authenticator is easy to set up. Simply install it, head over to riftgame.com, log in, enter the authenticator code you are given, and voila. You are required to answer a secret question to add the authenticator, which will hopefully work to stop account theives from adding their own authenticator to an unprotected account (as was an issue with World of Warcraft).

As for the app itself, you are given a handy meter showing how much time is left before the code is no longer useful. The code changes every 30 seconds, and is 8 numbers long.

Posted from my iPad. For the sake of not-very-funny humor.