Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ragnarok Online Hacked, User Data Leaked

Posted by simoniker on from the more-mmorpg-hacking-pain dept.

Thanks to GameSpot for their article indicating a major hacking incident on the PC MMORPG Ragnarok Online. According to the piece, developers Gravity initially "..reacted by rolling back the game's data a day, as a number of users had created items with game-master privileges", but then the problem worsened and revealed an apparent server-side hack, as opposed to the client-side hacking of Shadowbane, as "...a full list of user IDs and passwords was leaked to the general public... allowing anybody to gain access to any user account." There's also a very informative post on the GameFAQs messageboards detailing the spread of the 'user.txt' file around messageboards and P2P networks. The official Ragnarok site currently only has a form for players to reconfirm their identities via email, and has offered no official statement.

11 of 28 comments (clear)

  1. eh? by The+J+Kid · · Score: 3, Funny

    What no link to the user.txt?

    Is this the same Slashdot that linked to the DoomIII Alpha, that we know and love?

    =P

    --
    Moderation: +4. Modded 70% Funny and 30% Overrated. 100% Saturated.
    1. Re:eh? by syukton · · Score: 2, Funny

      Oh, don't be silly.

      It should be a link to a .torrent file; duh. ;)

      --
      Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
  2. wtf? why?! by Lord+Bitman · · Score: 4, Insightful

    Uhm.. excuse me, but why would the passwords be storedin plain text? Is there something I'm missing here, or are MD5 and crypt's weaknesses so completely crippling that it's better to just store passwords as they are typed in?

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
    1. Re:wtf? why?! by ErnieD · · Score: 2

      That's the first thing I wondered myself. How could they be so completely amateur as to store plaintext passwords in a database that was apparently not secured from outside access. A database like this should have NO REASON for any kind of outside world contact, ESPECIALLY with the sensitive content stored within. And the fact that they AREN'T SURE whether credit card info was compromised or not is even more amazing. Sounds like someone needs to teach these guys what log files are. Don't think I'd ever trust anything with this company from now on, especially personal information.

    2. Re:wtf? why?! by lightspawn · · Score: 2, Funny

      ? Is there something I'm missing here, or are MD5 and crypt's weaknesses so completely crippling that it's better to just store passwords as they are typed in?

      Dude, MD5 is, like, so 90's.

      All the cool kids use SHA.

  3. so you can email them back on request by DrSkwid · · Score: 3, Insightful

    why would the passwords be storedin plain text?

    because paging a sysop to give you a new password is too much trouble

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    1. Re:so you can email them back on request by LordLucless · · Score: 3, Insightful

      Who needs to page a sysop?

      Automated password generation ain't hard. I stick it on every website I do that uses a password-based login system.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  4. Ha! by Schezar · · Score: 3, Interesting

    I used to play this back when they first put up an English server. The game is absolutely beautiful, both graphically and musically.

    Playing the game, however, was worthless. You know most MMORPGs, where you hit the rats with your little stick until you get enough XP to use the bigger stick to hit the bigger rats until you get enough XP to get the...

    Rag is just like that, only with -nothing- else to do. The chat interface was practically useless, and party system didn't work so well. The only reason I played it as long as I did (about two weeks) was the fact that the game itself is pretty enough to distract you from the fact that the gameplay is.. well, useless. Not fun.

    On another note, I have a few friends who still play the game off and on. Funny how I remember their usernames... If -only- I knew their passwords....

    --
    GeekNights!
    Late Night Radio for Geeks!
  5. Actually by dr+ttol · · Score: 3, Interesting

    The RO server is 31MB. I know this because I know someone that got into their system using the SQL exploit (this was a month before Slammer used the same technique). He retrieved the actual server software and released this on the net so that anyone could emulate the server (if you had 1GB+ ram). He has done a lot to the RO folks, and I wouldn't be surprised if it was him that did it.

  6. Re:Online game companies will learn from this exam by Schezar · · Score: 2, Interesting

    The US isn't their market: Korea is. RO was a flash-in-the-pan money grab in the US. Korea is where their long-term income originates.

    --
    GeekNights!
    Late Night Radio for Geeks!
  7. Re:Glad to see it happen by Tyrdium · · Score: 3, Interesting

    Yeah, I played ROi for a month or so and loved the game itself, and was planning on paying for it. I was about to send in my money, but decided otherwise. They've done tons of stuff to piss people off, and they don't seem to care at all about actually keeping customers. They've had tons of lag issues, they had a big problem with the payment system, they rolled back the characters right after issuing a statement that they wouldn't roll them back, ad nauseum. The forums (before they put this thing up) were awful. Everybody was constantly in an outrage about ROi. Not to mention the fact that it takes 6 months for a feature currently in one of the Asian ones to get put in ROi. Did I mention the fact that the English translation utterly, utterly sucks? Think even worse than Zero Wing. Yeah.