Slashdot Mirror


Trion Worlds' Rift Account Database Compromised

New submitter Etrahkad writes "Trion Worlds, publisher of MMORPG Rift, has announced that somebody broke into one of their databases and gained access to user information. First Sony and now Rift... my identity has probably been stolen several times over, now. From the e-mail: 'We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards. ... there is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way." Are game companies not concerned with preventing these attacks?"


  1. Yay by dlb · · Score: 4, Insightful

    To the cloud...

  2. Prevention by grommit · · Score: 5, Insightful

    Granted, it could be a simple ROT13 but the mere fact that the passwords were "encrypted" and that the data didn't contain the entire credit card number indicates that the company or somebody inside the company at least put a little bit of effort into securing the data. Unfortunately, securing data is hard and it only takes one oversight to make it vulnerable. The true test will be what the company does now that the breach has occurred.

    1. Re:Prevention by tguyton · · Score: 5, Informative

      The entire email from Trion:

      We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards.

      There is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way. We have already taken further action to strengthen our systems, even as we, with external security experts, continue to research the extent of the unauthorized access.

      You will notice on your next log in to our website that you will be required to change your password, and existing Mobile Authenticator users will also need to reconnect their Authenticator. When you log in, you will be prompted to provide a new password, security questions and answers, and be given the option to connect your account to our Mobile Authenticator to enhance your account’s security.

      If you have used your username and password for other accounts, especially financial accounts or accounts with personal information, we suggest you change your passwords on those accounts as well. We recommend that you carefully review your statements, account activity, and credit reports to help protect the security of those accounts. If you need information on how to obtain your credit report or believe any such accounts have been breached, please visit www.trionworlds.com/AccountNotification for more information.

      You should have continued, uninterrupted access to RIFT, and we do not anticipate any disruptions to your playing time.

      Nevertheless, if you own the RIFT game, you will be granted three (3) days of complimentary RIFT game time once you update your password and security questions.

      Additionally, once you update your account and set a new password, your account will be granted a Moneybags’ Purse, which increases your looted coin by 10%, even if you have not yet purchased RIFT.

      Please log in to https://rift.trionworlds.com/ (and we recommend that you copy and paste this link into your browser to access the site) to update your password, security questions and Authenticator.

      We apologize for any inconvenience this may have caused you. If you have further questions, please visit our website, www.trionworlds.com/AccountNotificationFAQ.

      – The Trion Worlds Team

      Trion's been pretty good about security from what I've seen, and I definitely appreciate them being upfront about the breach. Giving people a few days of game play and shinies will probably generate some good will as well.

    2. Re:Prevention by Derekloffin · · Score: 2, Insightful

      Passwords should actually be hashed and preferably hashed and salted, not encrypted, but points for at least trying.

    3. Re:Prevention by mariasama16 · · Score: 2

      I got an email last night talking about this breach with links to reset my password, and part of that involved setting up their Mobile Authenticator. They also gave everyone a bag of goodies in-game and 3 days of play time (supposed to be for active subscribers, but it appears it has activated my account for 3 days). Much better than the Sony breach, where a lot of the affected people first learned of it from the news before they got their notifications.

    4. Re:Prevention by mlts · · Score: 2

      I can't remember the standard for this, but passwords shouldn't just be hashed and salted, but run through a number of rounds to slow down brute forcing.

      Even better, why can't there be dedicated appliances like hardware HSMs for public/private key encryption that companies can use to store account password hashes there? This way, an intruder would have to have physical access to the box in order to extract the hashes.
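Derekloffin's and mlts's points above (hash the password, salt it per user, and run it through many rounds so brute forcing is slow) as an added worked example. This is not code posted in the thread and says nothing about how Trion actually stored passwords; the iteration count, the record layout and the hypothetical helper names are assumptions made here. It uses PBKDF2-HMAC-SHA256 from Python's standard library and puts a deliberately weak unsalted hash beside it for contrast.

```python
import hashlib
import hmac
import os

# Work factor: number of PBKDF2 rounds. Chosen as an assumption for this
# example; a real deployment tunes it to its hardware so that a login stays
# cheap for the server while an offline cracker pays the cost per guess.
ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST = "sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$rounds$salt$hash (hex fields).

    A fresh random salt per user means two users with the same password get
    different records, and a table precomputed for one salt is useless
    against every other record in the database.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{DIGEST}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and round count and compare.

    hmac.compare_digest is used so that comparison time does not depend on
    how many leading bytes matched. Malformed records verify as False.
    """
    try:
        algo, rounds, salt_hex, hash_hex = record.split("$")
        if algo != f"pbkdf2_{DIGEST}":
            return False
        iterations = int(rounds)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """The weak 'before' for contrast: one fast, deterministic hash.

    Every user who picked the same password gets the same value, and one
    precomputed table cracks all of them at once. Shown only to illustrate
    what salting and stretching fix; do not store passwords this way.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample inputs.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("wrong password", record))                 # False
    # Same password, plain hash: identical for every user who chose it.
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))  # True
    # Same password, salted and stretched: a different record each time.
    print(hash_password("hunter2") == hash_password("hunter2"))      # False
```

Storing the round count inside the record is what lets the work factor be raised later: old records keep verifying with their recorded rounds, and each user's hash is rewritten at the higher setting the next time they log in successfully.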

    5. Re:Prevention by Anonymous Coward · · Score: 2, Insightful

      My guess is that the passwords were probably hashed, but the general public has no clue whatsoever what a hash is, while they have at least *heard* of encryption before. The email is meant to reassure customers that their password is "safe," rather than being some kind of engineering document on computer security.

    6. Re:Prevention by MBGMorden · · Score: 2

      The general public has no idea what hashed and salted even means. In layman's terms, that IS encryption. My bet is that they were indeed hash values, NOT actually encrypted passwords, but sometimes you have to dumb-down the press releases a bit.

      --
      "People who think they know everything are very annoying to those of us who do."-Mark Twain

  3. Jokes on them! by Kenja · · Score: 5, Funny

    That credit card was already stolen and canceled thanks to Sony!

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"

  4. They're gaming companies not banks... by mindmaster064 · · Score: 2

    They do not have to adhere to the information standards that financial companies do... And, it's probably good.. because some of the smaller gaming companies could never afford it.

    My handy reference guide for online gaming:

    1) Change all your information to complete and utter BS. Store your BS information somewhere so you can parrot it back if you have to call support.
    2) Pay with game cards. If you can pick them up at Walmart even better. But, you can buy codes online.
    3) Nothing to lose now... So you don't care if they are hacked.

    Just my 2 cents.

    1. Re:They're gaming companies not banks... by AJH16 · · Score: 2

      I have to call bullshit on this. I've worked on a number of corporate networks and can safely say that trying to bring some of the systems I've seen up to PCI compliance would be virtually impossible without simply using an external service to track the information and then writing some other interface to relay the necessary authorizations to the rest of the system, which in many cases runs into performance issues and/or won't work smoothly (or at all) with existing systems. Perhaps many companies can do it easily, but for many it is a very difficult and expensive process, necessarily, due to how their systems operate.

      That said, I see it as less of an excuse for a software developer as they can write their own systems.

      --
      AJ Henderson

  5. assuming virtual world identity by circletimessquare · · Score: 2

    leads to losing real world identity

    literally and figuratively

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it

  6. Re:I like how they handle this stuff... by lgw · · Score: 2

    They stored unencrypted customer information. That's the opposite of doing it right. Their reaction after the fact was classy, but they failed on the technical side.

    --
    Socialism: a lie told by totalitarians and believed by fools.