Trion Worlds' Rift Account Database Compromised
New submitter Etrahkad writes "Trion Worlds, publisher of MMORPG Rift, has announced that somebody broke into one of their databases and gained access to user information. First Sony and now Rift... my identity has probably been stolen several times over, now. From the e-mail: 'We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards. ... there is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way." Are game companies not concerned with preventing these attacks?"
Yay (Score:5, Insightful)
To the cloud...
Re: (Score:2)
I'm pretty sure it should.
Re: (Score:1)
It's implied by "To the cloud..." being marked as "Insightful"
Prevention (Score:5, Insightful)
Re:Prevention (Score:5, Informative)
We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards.
There is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way. We have already taken further action to strengthen our systems, even as we, with external security experts, continue to research the extent of the unauthorized access.
You will notice on your next log in to our website that you will be required to change your password, and existing Mobile Authenticator users will also need to reconnect their Authenticator. When you log in, you will be prompted to provide a new password, security questions and answers, and be given the option to connect your account to our Mobile Authenticator to enhance your account’s security.
If you have used your username and password for other accounts, especially financial accounts or accounts with personal information, we suggest you change your passwords on those accounts as well. We recommend that you carefully review your statements, account activity, and credit reports to help protect the security of those accounts. If you need information on how to obtain your credit report or believe any such accounts have been breached, please visit www.trionworlds.com/AccountNotification for more information.
You should have continued, uninterrupted access to RIFT, and we do not anticipate any disruptions to your playing time.
Nevertheless, if you own the RIFT game, you will be granted three (3) days of complimentary RIFT game time once you update your password and security questions.
Additionally, once you update your account and set a new password, your account will be granted a Moneybags’ Purse, which increases your looted coin by 10%, even if you have not yet purchased RIFT.
Please log in to https://rift.trionworlds.com/ (and we recommend that you copy and paste this link into your browser to access the site) to update your password, security questions and Authenticator.
We apologize for any inconvenience this may have caused you. If you have further questions, please visit our website, www.trionworlds.com/AccountNotificationFAQ.
– The Trion Worlds Team
Trion's been pretty good about security from what I've seen, and I definitely appreciate them being upfront about the breach. Giving people a few days of game play and shinies will probably generate some good will as well.
Re: (Score:3, Insightful)
Re: (Score:3)
I can't remember the standard for this, but passwords shouldn't just be hashed and salted, but run through a number of rounds to slow down brute forcing.
Even better, why can't there be dedicated appliances like hardware HSMs for public/private key encryption that companies can use to store account password hashes there? This way, an intruder would have to have physical access to the box in order to extract the hashes.
Re: (Score:2)
Yes, there are quite a few things to keep in mind for password hashing. When it comes to cryptography and hashing, it's always best to go with solutions which have been thought up by people who are properly familiar with the subject. Only fools try to think up their own scheme and don't get it critically reviewed by peers first.
I use this for my PHP projects:
http://www.openwall.com/phpass/
I'm not clever enough to know for sure it's sound, but I am fairly confident it is based on the technical explanation on th
Re: (Score:2)
You don't seem to understand what you are talking about here. Extra passes of hashing wouldn't do anything that a good salt wouldn't. Running multiple encryptions to slow brute forcing is an idea where one side is not known and so having more than one pass prevents a single decode attempt from resulting in a recognizable plain text. The convention is to do it three times so that you can't simply look for a meet in the middle of a bunch of passwords encrypted once and a bunch of encrypted passwords decryp
Re: (Score:2)
Extra passes of hashing seem to help. The venerable UNIX crypt(3) did a number of rounds to make for one CPU second of calculations for each password check. TrueCrypt performs a number of rounds when hashing. Same with OS X and iOS. Of course, due to CPU power doubling as per Moore's law, using number of rounds/extra passes is a losing battle. Instead, just as mentioned above, a good salt needs to be part of the hash algorithm.
The last part is what would be snazzy if designed -- a hardened physical box
Re: (Score:2)
Yeah, I guess I shouldn't say that it won't do anything to run multiple hashes, but you are only increasing your brute force time by the same factor as you are increasing your individual run time. That isn't a very effective security mechanism since you are only lengthening the process by O(1). It would prevent the use of rainbow tables that had been run for a single pass, but again, a good salt would do the same. The core issue is that brute forcing a hash is simply run hash on A, does result match? If
Re: (Score:2)
Yeah, I guess I was just saying all the same things can be done with the DB server and signed certs and encrypted DBs directly. You can make it so that it counts only wrong attempts and resets at the end of the day. You could even set a duration to lock it out for. You're still at a lower point in the stack since the web server is still having to call out to the DB server. Effectively, from a security stand point, if you were to put the schema on a different DB server, it would be doing the exact same t
Re: (Score:2)
No, it is O(1) because if you run it twice, it multiplies an O(x) process by O(1) leaving you still with an O(x) process. You were close to correct, but forgot that your brute force started as O(x) so there is no order of computational difficulty gained.
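The salt-versus-rounds argument in the replies above is easiest to see in code. Here is an added example, not from this thread, of a salted, iterated password hash (PBKDF2-HMAC-SHA256 from Python's standard library) that stores its iteration count with each record so the work factor can be raised later; the record format, iteration count and salt length are assumptions of mine, not anything Trion used.

```python
"""Salted, iterated password hashing with a self-describing stored record."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed example parameters; a real deployment tunes the iteration
# count to its own hardware and raises it over time.
DEFAULT_ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a record of the form algorithm$iterations$salt_hex$digest_hex.

    The per-user random salt means two users with the same password get
    different records, so a table precomputed for one salt is useless for
    every other record. The iteration count is stored next to the digest so
    it can be increased later without breaking existing logins.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest using the record's own salt and iteration count."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
        # Constant-time comparison: a plain == stops at the first differing byte.
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, bad hex or integer
        return False


def needs_rehash(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored work factor is below current policy.

    Call this right after a successful login, while the plaintext is still in
    hand, and store hash_password(plaintext) again; that is how the iteration
    count keeps pace with faster hardware instead of being a one-time choice.
    """
    try:
        algorithm, iterations, _salt_hex, _digest_hex = record.split("$")
        return algorithm != ALGORITHM or int(iterations) < target_iterations
    except ValueError:
        return True
```

Each extra iteration multiplies the attacker's cost per guess, and each distinct salt forces that cost to be paid again per record rather than once for a shared table.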
Re: (Score:2, Insightful)
My guess is that the passwords were probably hashed, but the general public has no clue whatsoever what a hash is, while they have at least *heard* of encryption before. The email is meant to reassure customers that their password is "safe," rather than being some kind of engineering document on computer security.
Re: (Score:1)
Re: (Score:3)
The general public has no idea what hashed and salted even means. In layman's terms, that IS encryption. My bet is that they were indeed hash values, NOT actually encrypted passwords, but sometimes you have to dumb-down the press releases a bit.
Re: (Score:2)
Re: (Score:2)
I also liked that they warned users to change passwords elsewhere. It tells me they are concerned for their users.
Re: (Score:2)
Why have any customer information in an unencrypted database ever? Why do people still do this? Every bulk store of data of any significance to your business should be encrypted, full stop (and the data not of significance to your business should be deleted as rapidly as practical).
The trouble is... (Score:2)
I wouldn't say that (Score:1)
I wouldn't say they're not concerned with security, but rather, they're probably the most targeted.
Re: (Score:1)
Re: (Score:2)
To be honest I don't even think this is the first time for them, which would make this more of a story, but afaik their original leak was never admitted/publicised.
The reason I have my suspicions this wasn't the first time is that I signed up to Rift after I'd just created a new e-mail account. I gave up playing after my month's trial and hadn't used the e-mail for anything else after either. About 4 months later I started getting spam on that address, and not just any spam, but phishing e-mails aimed at gamers l
Jokes on them! (Score:5, Funny)
They're gaming companies not banks... (Score:2)
My handy reference guide for online gaming:
1) Change all your information to complete and utter BS. Store your BS information somewhere so you can parrot it back if you have to call support.
2) Pay with game cards. If you can pick them up at Walmart even better. But, you can buy codes online.
3) Nothing to lose now... So you
Re: (Score:1)
Re: (Score:2)
It's also worth it to point out that many of the systems everyone assumes are perfectly secure have already been breached. The attackers were just better at the task and no one is aware that it happened yet.
Re: (Score:2)
If you encrypt all data at rest, you make it significantly harder for an attacker to get anything you'll have to care about.
And any sort of client-server game, especially an MMO, must care about security or it won't survive the waves of client hacks (witness APB, shortest-lived MMO ever). If you're already paying someone to think about security, it's pretty sad not to do the basics for your backend too.
Re: (Score:3)
I have to call bullshit on this. I've worked on a number of corporate networks and can safely say that trying to integrate some of the systems I've seen up to PCI compliance would be virtually impossible without simply using an external service to track the information and then writing some other interface to relay the necessary authorizations to the rest of the system, which in many cases runs into performance issues and/or won't work smoothly (or at all) with existing systems. Perhaps many companies ca
Re: (Score:2)
Re: (Score:2)
Could you point to an example, anywhere in the world, of a "robust and secure" customer information database such that no breach is possible?
Seems to me that if such a thing were possible, surely we'd have heard of it by now.
Re: (Score:1)
Re: (Score:2)
2) Pay with game cards. If you can pick them up at Walmart even better. But, you can buy codes online.
I generally pay with Paypal (commence Paypal is evil etc etc) to avoid having my cc# floating around the interwebs. With Paypal they are not authorized to re-bill (unless you tell Paypal to setup a subscription), and if the servers are compromised, identity thefts can't do all that much with just your email address (assuming you keep your email account secure).
Granted, not as secure as game cards, but just as convenient as entering your cc#, and 100x as secure as THAT.
Re: (Score:2)
"1) Change all your information to complete and utter BS."
+2. I wish companies would give up asking me about my first girlfriend, where I was born and crap like that.
First, if they store these answers, well guess what, when next database gets cracked means bad guys have this info. Of course anyone who knows me or can use google can probably figure this out anyway.
Would be better if each company just asked for secret answers 1, 2 and 3 instead of personal information I can't change when it gets loose in the world.
Re: (Score:2)
Yeah, I always use fake data for these. Why do they need my real data? I wish game cards came bundled as discounts to be cheaper.
Steam (Score:4, Informative)
Finally installed a random password generator (Score:2)
I used to use a "throwaway" password for most sites, that I used for a lot of things. Over the past 10 years I realized that a single password was leaving me vulnerable, so I just started using a password gen plugin in chrome and that seems easy enough to use. I don't even bother writing down the password, I figure if I need it again, I'll just use the password recovery down the road.
Re: (Score:1)
Obligatory xkcd:
https://www.xkcd.com/936/
Re: (Score:2)
I'm less interested in remembering a password than I am using the same one for each site. It's been proven that it's far easier to hack a database than it is to crack a password. The less connection there is between my password on cnn.com (that I never use) and my bank password (that I use weekly), the better.
assuming virtual world identity (Score:3)
leads to losing real world identity
literally and figuratively
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
...meanwhile at a board of directors meeting at the Cheesecake Factory...
"Can we change the color of our logo?"
"Absolutely. And we've already hired a consulting company at $700/hour to determine the best possible shade of fuchsia. They estimate it'll take them about 3 weeks."
Re: (Score:2)
Really, that's literally the fifth time this year. (Score:2)
That is now the fifth time I've had someone manage to fubar and let a DB with my information get out there in the last 6 months or so. I'm literally running out of ways to manipulate my passwords to maintain a unique and secure, but memorable password. If you just lost my previous password, do you really think I want to have to invalidate the entire approach to passwords I was using and then use one of my more secure techniques with your system (thanks to the even more absurd password requirements) and
Re: (Score:2)
This is why I use software to generate and store passwords. It's a risk, but it's a smaller risk than I would be taking otherwise.
And... TOR's a great game, doubtless, but are you seriously telling us you think EA is going to be more secure?
Re: (Score:2)
Yes, if only because they have written their authentication system as part of a much larger system to be shared with both a) a store and b) multiple development shops. The amount of effort that in theory should have gone in to their authentication system is much higher, so I would hope it is more securely held as a result.
Re: (Score:2)
Re: (Score:2)
Why exactly should I be changing my password every six months? Does it somehow magically become a pumpkin or mysteriously leak itself? I use a series of several different systems to generate passwords (with different security levels for each system of use) that would not be easily guessed unless you knew the underlying system. This both ensures that passwords are not shared and that it is not easy to compromise other passwords if one is compromised. The main reasons for changing a password every six mont
Re: (Score:2)
1) From your statements its obvious you're assuming the threat is only external, or only code based, or only protocol driven, etc. A "software developer and security
Re: (Score:2)
My bank account is successfully protected by a 4-digit PIN that never changes. If you write a system which requires more from your users than remembering a 4-digit unchanging password, you're doing it wrong.
On the backend, encrypt all data at rest, and do your best to detect intrusions, and you'll be doing quite well by today's standards. So few businesses even take those simple steps - it's pathetic, really.
Re: (Score:2)
I will add two things to that. The system needs to limit unauthorized attempts before locking out, such that it is immune to brute force, and the data needs to be internally isolated such that it can only be accessed internally (if absolutely necessary) by two or more individuals both mutually authorizing the access. Take your root of trust, make it as simple as possible, defend it as much as possible and build everything off of that root of trust in as simple and straightforward a way as humanly possi
Re: (Score:2)
Ok, well I can see you clearly are not a security professional (or not a good one) as your risk assessment doesn't even make sense. I shall respond to each point directly.
1) I did not say anything that would indicate that I do not believe internal threats exist. They account for something like 80% of breaches. For passwords, changing them every six months doesn't help against internal attacks unless the person has left the company and the company failed to notice or notify about the breach. As for my su
I like how they handle this stuff... (Score:2)
Disclaimer: I'm a pretty big RIFT fan. (I post there as the_real_seebs.)
Database compromises happen, and Trion's a newish company that has a lot of customers, and is thus a very good target.
This is the second security problem Trion has ever had, and the only one that made it possible to leak any personal information. (The first was an authentication hole that let you log in to game servers on arbitrary accounts without name or password -- but did not disclose the account name to you.) In each case, they
Re: (Score:3)
They stored unencrypted customer information. That's the opposite of doing it right. Their reaction after the fact was classy, but they failed on the technical side.
Re: (Score:2)
Do we actually know that they *stored* unencrypted information, or only that attackers were able to extract it in some way?
Except for passwords, customer information *must* be at least temporarily in a decrypted form to be used. That means that there exists a way to decrypt it. So if that were compromised, you could get decrypted data even though the *storage* was encrypted.
Not saying the storage was encrypted, just pointing out that the extraction of unencrypted data doesn't prove that it
Re: (Score:2)
You're right of course, but the bar is lower than you think. Most companies don't even bother to encrypt all data at rest. If they did, then as you point out there'd be a different kind of attack that was common - but that attack is a lot harder, as you need to actually understand the target, not merely get root on one server somewhere in their datacenter.
Punitive damages (Score:2)
Re: (Score:2)
Sure, they can fund the game for a subscription fee of $15/month.
But the fee to use credit card transactions for the subscription is $40/month.
Re: (Score:2)
If you believe that "secure" means "a breach cannot happen", you fail to understand security. Companies should be held to the standard of having taken measures to secure customer data that a typical security geek would recommend - the same standard that's used for holding companies responsible for physical security and safety.
Re: (Score:2)
Re: (Score:2)
Oh, I think high profile class action lawsuits are exactly the way to fix the problem. Companies need to see info security as the same level of risk as an unlit parking lot or a safety hazard in the work environment - it's cheaper to have someone whose job it is to prevent such things than it is to pay the lawsuits.
Re: (Score:2)
first and last four digits ? (Score:1)
Why the first and last four ?
On the web site, the payment methods only display the last four. Are you telling me they kept the first four "just in case" ?
One could hope they store the last four digits separately, and the full number in a place that can only be written and not read by the web site systems. But then, one could hope the one(s) responsible for this understand the basics of security.
And then again ... first and last four ? How so ?
A) 1234-XXXX-XXXX-5678 ? Waste of space ? Really ?
B) 12345678 ? T
Re: (Score:2)
Best guess - probably for Customer Service. If you can hack the account website, you can see the last-four (which is there for the customer to know which card is attached to the account). When someone calls in to get an account changed in some fashion, CS can ask for the first-four to verify your identity. They shouldn't have access to password (presumably one-way hashed and salted) or secret question answers (which can be changed via the website anyway), so that won't work for easy ID verification. Dro