Slashdot Mirror


BioWare's Neverwinter Nights Forum Server Hacked

garatheus writes "The folks at EA/BioWare sent out an email this morning (GMT +2) outlining that their older Neverwinter Nights forums had been hacked, with a fair amount of user information stolen from the database — the likes of user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates. They do go on to say that 'no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers.' There's no pointing of fingers as to who might have done the compromising, though."

12 of 111 comments

  1. Re:CD Keys? by byner · · Score: 2

    Forum access and titles (NWN Owner, etc.) that showed up required the entry of CD keys to add to your list of owned games.

  2. Re:CD Keys? by kav2k · · Score: 5, Informative

    On old BioWare forums you had "registered owner" status for accounts. At the same time, this served as a backup for cd-keys of sorts: they were retrievable by the user.

  3. I got this e-mail... by MoldySpore · · Score: 3, Interesting

    ...strange thing I have never played Neverwinter Nights, nor have I ever signed up on those forums. I believe everyone with an EA account for any game must have received this e-mail. Nice to at least see a company do a full disclosure quickly after a breach, rather than sitting on the info for a few weeks while they "assess the damage".

    --

    "I hope you know how very lucky you are to know me, because I am so incredibly incredible."

    1. Re:I got this e-mail... by delinear · · Score: 2

      Well annoyingly for me I never had an account with NWN but I did create one for Dragon Age (required for DLC) and I still received the email. I'm not sure where that leaves me - if it was the NWN servers that were hacked does that mean my data is safe, or is this an admission that the hack is more widespread, or do they have no way to distinguish who signed up for what, or is it just cheaper and easier for them to spam everyone? Way to add a bucket load of ambiguity to the situation.

  4. I don't get it... by Anonymous Coward · · Score: 2, Interesting

    I got the email this morning but for the life of me don't know why. I'd never played nor heard of Neverwinter before I got the email.

    Email below...

    "We recently learned that hackers gained unauthorized access to the decade-old BioWare server system supporting the Neverwinter Nights forums. We immediately took appropriate steps to protect our consumers’ data and launched a thorough ongoing evaluation of the breach. We have determined that no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers. Our investigation shows that information such as user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates from these forum accounts on the system may have been compromised, as well as other information (if any) that you may have associated with your EA Account. In an abundance of caution, we have changed your password to ensure account security. Please visit this (link deleted) to reset your password immediately.

    If your link has expired, click here to generate a new email.

    We take the security of your information very seriously and regret any inconvenience this may have caused you. If your username, email address and/or password on your EA account are similar to those you use on other sites, we recommend changing the password at those sites as well. We advise all of our fans to always be aware of any suspicious emails or account activity and report any suspicious emails and account activity to Customer Support at 1-877-357-6007.

    If you have questions, please visit our FAQ at http://support.ea.com/app/answers/detail/a_id/5367/ or contact Customer Support at the phone number above.

    Aaryn Flynn
    Studio GM, BioWare Edmonton
    VP, Electronic Arts"

    1. Re:I don't get it... by delinear · · Score: 3, Informative

      More likely it was some related game or game forum he signed up to. I got the email but my account was set up for DA:O and Dead Space 2, I've never played NWN. Seems like they're emailing everyone who has signed up for anything to do with their games, I don't know if that's just being cautious or if it's indicative that the leak might be wider than NWN players.

  5. Happened a while ago by dusanv · · Score: 4, Interesting

    I generated a unique e-mail address for Bioware forums way back when NWN first came out. I started getting spam on that address in the last couple of weeks. So it's likely this didn't happen in the last couple of days.

    I got the e-mail from Bioware about the breach only yesterday.

  6. Of all the games... by mlts · · Score: 2

    NWN1 is one of the few games that actually didn't suck. Bioware yanked all DRM except the CD key needed to get to use the multiplayer servers (which is perfectly acceptable), and supported the game for a very long time with not just fixes, but additional content.

    It is sad to see this hacked -- one could easily get thousands of hours of entertainment with NWN1 just due to well written player made modules.

    I wish the hackers could have nailed some game company that puts out crap instead of a game which has aged quite well and is actually still worth playing.

  7. Re:Wasn't that forum shut down? by Nemesisghost · · Score: 2

    The forum was technically shut down, but remained available for archival purposes. Over the years there was a lot of information gathered and made available on that site. You could still find most of your answers to NWN there. But you are correct, some, if not all, of the information should have been scrubbed from the site.

  8. Vindication! by chill · · Score: 5, Interesting

    NWN was one of my favorite games, and one of the few I bothered to register on forums for. There was a lot of high-quality user generated content that was available. I was in their system, with CD keys, name, partial address, phone, (fake) DOB, etc.

    About two months ago I decided to "clean up" my presence on the internet. Among other efforts, I went thru my mail archives for the last 7 years looking for references to anywhere I had created an account, posted messages, or had an identifiable presence.

    Next, I created an anonymous, free Hushmail account. Just for paranoia's sake, I used a random proxy whenever I logged in there. I then logged in to every site that I had record of having an account on, recovering passwords if necessary. This included NWN forums.

    Once back in, I changed all the login information to bogus info. Incorrect addresses, phony phone number, wrong dates of birth, random passwords and the disposable Hushmail e-mail address. Most sites needed confirmation on e-mail, so you just can't make something up.

    The few sites that allowed it, I then deleted or disabled the account. Those that didn't are forever beyond my reach with false info and not tied to my e-mail address.

    Only three remain, including Slashdot and GMail. I'm working on replacing GMail, and Slashdot I'll keep since it never had any valid personal info other than my e-mail (GMail) address.

    Checking Hushmail shows I got a copy of the letter from EA, proving my efforts paid off. All the info is bogus. After July, waiting just to make sure I didn't miss anything, I'll let the Hushmail account expire and be purged.

    My identifiable presence on the Internet will be only what I want it to be. With a little effort, privacy *can* be maintained regardless of what Messrs. Zuckerberg and Brin say.

    --
    Learning HOW to think is more important than learning WHAT to think.

    1. Re:Vindication! by Cow+Jones · · Score: 2

      Most sites needed confirmation on e-mail, so you just can't make something up.

      There's always Mailinator for quick disposable e-mail addresses.

      --

      Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari

  9. Re:This seems to be happening everywhere by delinear · · Score: 2

    Secret questions are one of my biggest bugbears - especially when so many sites use them as a way to, for instance, reset your account email address. 99% of the questions seem to be the same across multiple sites. On a very few occasions I've seen the option to create your own challenge and response; this seems to be a much more sane option as you can literally create a unique question (or set of questions) for every site, and you can tailor them to be far more difficult to guess (mother's maiden name must be relatively trivial to track down for most folks these days).