Trion Worlds' Rift Account Database Compromised

Posted by Soulskill
from the level-up-your-firewall-skill dept.
New submitter Etrahkad writes "Trion Worlds, publisher of MMORPG Rift, has announced that somebody broke into one of their databases and gained access to user information. First Sony and now Rift... my identity has probably been stolen several times over, now. From the e-mail: 'We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards. ... there is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way.' Are game companies not concerned with preventing these attacks?"
  • Yay (Score:5, Insightful)

    by dlb (17444) on Friday December 23, 2011 @02:11PM (#38473528)

    To the cloud...

    • by jhoegl (638955)
      Shouldn't this be modded hilarious?
      I'm pretty sure it should.
      • by Anonymous Coward

        It's implied by "To the cloud..." being marked as "Insightful"

  • Prevention (Score:5, Insightful)

    by grommit (97148) on Friday December 23, 2011 @02:13PM (#38473546)
    Granted, it could be a simple ROT13 but the mere fact that the passwords were "encrypted" and that the data didn't contain the entire credit card number indicates that the company or somebody inside the company at least put a little bit of effort into securing the data. Unfortunately, securing data is hard and it only takes one oversight to make it vulnerable. The true test will be what the company does now that the breach has occurred.
    • Re:Prevention (Score:5, Informative)

      by tguyton (1001081) on Friday December 23, 2011 @02:20PM (#38473670)
      The entire email from Trion:

      We recently discovered that unauthorized intruders gained access to a Trion Worlds account database. The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards.

      There is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way. We have already taken further action to strengthen our systems, even as we, with external security experts, continue to research the extent of the unauthorized access.

      You will notice on your next log in to our website that you will be required to change your password, and existing Mobile Authenticator users will also need to reconnect their Authenticator. When you log in, you will be prompted to provide a new password, security questions and answers, and be given the option to connect your account to our Mobile Authenticator to enhance your account’s security.

      If you have used your username and password for other accounts, especially financial accounts or accounts with personal information, we suggest you change your passwords on those accounts as well. We recommend that you carefully review your statements, account activity, and credit reports to help protect the security of those accounts. If you need information on how to obtain your credit report or believe any such accounts have been breached, please visit www.trionworlds.com/AccountNotification for more information.

      You should have continued, uninterrupted access to RIFT, and we do not anticipate any disruptions to your playing time.

      Nevertheless, if you own the RIFT game, you will be granted three (3) days of complimentary RIFT game time once you update your password and security questions.

      Additionally, once you update your account and set a new password, your account will be granted a Moneybags’ Purse, which increases your looted coin by 10%, even if you have not yet purchased RIFT.

      Please log in to https://rift.trionworlds.com/ (and we recommend that you copy and paste this link into your browser to access the site) to update your password, security questions and Authenticator.

      We apologize for any inconvenience this may have caused you. If you have further questions, please visit our website, www.trionworlds.com/AccountNotificationFAQ.

      – The Trion Worlds Team

      Trion's been pretty good about security from what I've seen, and I definitely appreciate them being upfront about the breach. Giving people a few days of game play and shinies will probably generate some good will as well.

    • Re: (Score:3, Insightful)

      by Derekloffin (741455)
      Passwords should actually be hashed and preferably hashed and salted, not encrypted, but points for at least trying.
      • by mlts (1038732) *

        I can't remember the standard for this, but passwords shouldn't just be hashed and salted, but run through a number of rounds to slow down brute forcing.

        Even better, why can't there be dedicated appliances like hardware HSMs for public/private key encryption that companies can use to store account password hashes there? This way, an intruder would have to have physical access to the box in order to extract the hashes.

        • Yes, there are quite a few things to keep in mind for password hashing. When it comes to cryptography and hashing, it's always best to go with solutions which have been thought up by people who are properly familiar with the subject. Only fools try to think up their own scheme and don't get it critically reviewed by peers first.

          I use this for my PHP projects:
          http://www.openwall.com/phpass/

          I'm not clever enough to know for sure it's sound, but I am fairly confident it is based on the technical explanation on th

        • by AJH16 (940784)

          You don't seem to understand what you are talking about here. Extra passes of hashing wouldn't do anything that a good salt wouldn't. Running multiple encryptions to slow brute forcing is an idea where one side is not known and so having more than one pass prevents a single decode attempt from resulting in a recognizable plain text. The convention is to do it three times so that you can't simply look for a meet in the middle of a bunch of passwords encrypted once and a bunch of encrypted passwords decryp

          • by mlts (1038732) *

            Extra passes of hashing seem to help. The venerable UNIX crypt(3) did a number of rounds to make for one CPU second of calculations for each password check. TrueCrypt performs a number of rounds when hashing. Same with OS X and iOS. Of course, due to CPU power doubling as per Moore's law, using number of rounds/extra passes is a losing battle. Instead, just as mentioned above, a good salt needs to be part of the hash algorithm.

            The last part is what would be snazzy if designed -- a hardened physical box

            • by AJH16 (940784)

              Yeah, I guess I shouldn't say that it won't do anything to run multiple hashes, but you are only increasing your brute force time by the same factor as you are increasing your individual run time. That isn't a very effective security mechanism since you are only lengthening the process by O(1). It would prevent the use of rainbow tables that had been run for a single pass, but again, a good salt would do the same. The core issue is that brute forcing a hash is simply run hash on A, does result match? If
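An added example from the editor, not code posted by anyone in this thread, contrasting the unsalted single-pass hash with a salted, iterated store (PBKDF2-HMAC-SHA256): the per-account salt defeats the shared precomputed table both commenters mention, and the iteration count is the per-guess work multiplier they argue about. The iteration count, user names and passwords are constructed values.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed cost factor for illustration; a real deployment tunes it to
# the slowest login latency it can afford on its own hardware.
ITERATIONS = 100_000


def weak_hash(password: str) -> str:
    """Unsalted, single-pass SHA-256: identical passwords give identical
    hashes, so one precomputed table serves every account in the dump."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash via PBKDF2-HMAC-SHA256. The record is
    self-describing so the salt and cost can be read back at login time
    and the cost can be raised later without rehashing everyone at once."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(iterations: int, samples: int = 10) -> float:
    """Single-core guess throughput at a given cost factor. The defender
    pays this once per login; an attacker pays it once per guess per
    salt, which is exactly what the iteration count buys."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, salt, iterations)
    return samples / (time.perf_counter() - start)


def demo() -> None:
    # Constructed sample accounts; two users happen to share a password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    weak = {u: weak_hash(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    print("unsalted collide:", weak["alice"] == weak["bob"])      # True
    print("salted collide:  ", strong["alice"] == strong["bob"])  # False
    print("login ok:        ", verify_password("hunter2", strong["alice"]))
    print("login bad:       ", verify_password("hunter3", strong["alice"]))
    for cost in (1, 1_000, ITERATIONS):
        rate = guesses_per_second(cost)
        print(f"iterations={cost:>7}: ~{rate:,.0f} guesses/s on this core")


if __name__ == "__main__":
    demo()
```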

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        My guess is that the passwords were probably hashed, but the general public has no clue whatsoever what a hash is, while they have at least *heard* of encryption before. The email is meant to reassure customers that their password is "safe," rather than being some kind of engineering document on computer security.

      • "Encrypted passwords" is just a layman's term for hashing and salting. I don't think anyone would be silly enough to use encryption for this.
      • by MBGMorden (803437)

        The general public has no idea what hashed and salted even means. In layman's terms, that IS encryption. My bet is that they were indeed hash values, NOT actually encrypted passwords, but sometimes you have to dumb-down the press releases a bit.

    • I got an email last night talking about this breach with links to reset my password and part of that involved setting up their Mobile Authenticator. They also gave everyone a bag of goodies in-game and 3 days of play time (supposed to be for active subscribers, but it appears to have activated my account for 3 days). Much better than the Sony breach where a lot of the affected people were first learning it from the news before they got their notifications.
      • by jhoegl (638955)
        Agreed, I too was surprised by their accountability and resolution process.
        I also liked that they warned users to change passwords elsewhere. It tells me they are concerned for their users.
    • by lgw (121541)

      Why have any customer information in an unencrypted database ever? Why do people still do this? Every bulk store of data of any significance to your business should be encrypted, full stop (and the data not of significance to your business should be deleted as rapidly as practical).

    • It was ROT26.
  • I wouldn't say they're not concerned with security.. but rather, they're probably the most targeted.

    • All companies are concerned with preventing attacks, but often the business is not interested in investing in security. In my experience, it's always hard to internally "sell" risk, until it becomes a reality and the brand is damaged.
    • by Xest (935314)

      To be honest I don't even think this is the first time for them, which would make this more of a story, but afaik their original leak was never admitted/publicised.

      The reason I have my suspicions this wasn't the first time is I signed up to Rift after I'd just created a new e-mail account, I gave up playing after my months trial and hadn't used the e-mail for anything else after either, about 4 months later I started getting spam on that address, and not just any spam, but phishing e-mails aimed at gamers l

  • by Kenja (541830) on Friday December 23, 2011 @02:15PM (#38473596)
    That credit card was already stolen and canceled thanks to Sony!
  • They do not have to adhere to the information standards that financial companies do... And, it's probably good.. because some of the smaller gaming companies could never afford it.

    My handy reference guide for online gaming:

    1) Change all your information to complete and utter BS. Store your BS information somewhere so you can parrot it back if you have to call support.
    2) Pay with game cards. If you can pick them up at Walmart even better. But, you can buy codes online.
    3) Nothing to lose now... So you
    • If they can't afford a robust and secure customer information database then they have no business taking people's credit cards.
      • by seebs (15766)

        Could you point to an example, anywhere of the world, of a "robust and secure" customer information database such that no breach is possible?

        Seems to me that if such a thing were possible, surely we'd have heard of it by now.

        • Fuck you and your use of the absolute 'no breach'. A large part of security is loss mitigation, and as such even if there are breaches they are anticipated and contained. There is no such thing as an impenetrable skin, it's how you handle the pricks that really counts.
    • by Galestar (1473827)

      2) Pay with game cards. If you can pick them up at Walmart even better. But, you can buy codes online.

      I generally pay with Paypal (commence Paypal is evil etc etc) to avoid having my cc# floating around the interwebs. With Paypal they are not authorized to re-bill (unless you tell Paypal to setup a subscription), and if the servers are compromised, identity thefts can't do all that much with just your email address (assuming you keep your email account secure).

      Granted, not as secure as game cards, but just as convenient as entering your cc#, and 100x as secure as THAT.

    • "1) Change all your information to complete and utter BS."

      +2. I wish companies would give up asking me about my first girlfriend, where I was born and crap like that.

      First, if they store these answers, well guess what, when next database gets cracked means bad guys have this info. Of course anyone who knows me or can use google can probably figure this out anyway.

      Would be better if each company just asked secret answer 1, 2 and 3 instead of personal information I can't change when it gets loose in the world.

    • by antdude (79039)

      Yeah, I always use fake data for these. Why do they need my real data? I wished game cards came bundled as discounts to be cheaper.

  • I used to use a "throwaway" password for most sites, that I used for a lot of things. Over the past 10 years I realized that a single password was leaving me vulnerable, so I just started using a password gen plugin in chrome and that seems easy enough to use. I don't even bother writing down the password, I figure if I need it again, I'll just use the password recovery down the road.

    • Obligatory xkcd:

      https://www.xkcd.com/936/

      • by Hadlock (143607)

        I'm less interested in remembering a password than I am using the same one for each site. It's been proven that it's far easier to hack a database than it is to crack a password. The less connection there is between my password on cnn.com (that I never use) and my bank password (that I use weekly), the better.

  • leads to losing real world identity

    literally and figuratively

    • by Feyshtey (1523799)
      They didn't breach the database that contains your Rift character's credit card info and billing address...
  • That is now the fifth time I've had someone manage to fubar and let a DB with my information get out there in the last 6 months or so. I'm literally running out of ways to manipulate my passwords to maintain a unique and secure, but rememberable password. If you just lost my previous password, do you really think I want to have to invalidate the entire approach to passwords I was using and then use one of my more secure techniques with your system (thanks to the even more absurd password requirements) and

    • by seebs (15766)

      This is why I use software to generate and store passwords. It's a risk, but it's a smaller risk than I would be taking otherwise.

      And... TOR's a great game, doubtless, but are you seriously telling us you think EA is going to be more secure?

      • by AJH16 (940784)

        Yes, if only because they have written their authentication system as part of a much larger system to be shared with both a) a store and b) multiple development shops. The amount of effort that in theory should have gone in to their authentication system is much higher, so I would hope it is more securely held as a result.

    • by Feyshtey (1523799)
      If your biggest worry is coming up with a new password and remembering it then frankly, suck it up. You should be changing it every 6 months at a minimum anyway. You shouldn't even be using the same password for everything either. They should all be unique. There are a number of free applications that will encrypt and store passwords. You can put them in the notes of your smartphone. You can write a bs note to your girlfriend that contains hints to yourself to remind you what the password is and stick it in yo
      • by AJH16 (940784)

        Why exactly should I be changing my password every six months? Does it somehow magically become a pumpkin or mysteriously leak itself? I use a series of several different systems to generate passwords (with different security levels for each system of use) that would not be easily guessed unless you knew the underlying system. This both ensures that passwords are not shared and that it is not easy to compromise other passwords if one is compromised. The main reasons for changing a password every six mont

        • by Feyshtey (1523799)
          If you are indeed a "software developer and security professional", I truly hope that I am not a consumer of the products you build. Many of your statements show a very cavalier (or ignorant) attitude about systems security that borders on negligent. Of course, that kind of attitude might well be at the root of these types of penetrations...

          1) From your statements it's obvious you're assuming the threat is only external, or only code based, or only protocol driven, etc. A "software developer and security
          • by lgw (121541)

            My bank account is successfully protected by a 4-digit PIN that never changes. If you write a system which requires more from your users than remembering a 4-digit unchanging password, you're doing it wrong.

            On the backend, encrypt all data at rest, and do your best to detect intrusions, and you'll be doing quite well by today's standards. So few businesses even take those simple steps - it's pathetic, really.

            • by AJH16 (940784)

              I will add two things to that. The system needs to limit unauthorized attempts before locking out, such that it is immune to brute force and the data needs to be internally isolated such that it can only be accessed internally (if absolutely necessary) by two or more individuals both mutually authorizing the access. Take your root of trust, make it as simple as possible, defend it as much as possible and build everything off of that root of trust in as simple and straight forward of a way as humanly possi

          • by AJH16 (940784)

            Ok, well I can see you clearly are not a security professional (or not a good one) as your risk assessment doesn't even make sense. I shall respond to each point directly.

            1) I did not say anything that would indicate that I do not believe internal threats exist. They account for something like 80% of breaches. For passwords, changing them every six months doesn't help against internal attacks unless the person has left the company and the company failed to notice or notify about the breach. As for my su

  • Disclaimer: I'm a pretty big RIFT fan. (I post there as the_real_seebs.)

    Database compromises happen, and Trion's a newish company that has a lot of customers, and is thus a very good target.

    This is the second security problem Trion has ever had, and the only one that made it possible to leak any personal information. (The first was an authentication hole that let you log in to game servers on arbitrary accounts without name or password -- but did not disclose the account name to you.) In each case, they

    • by lgw (121541)

      They stored unencrypted customer information. That's the opposite of doing it right. Their reaction after the fact was classy, but they failed on the technical side.

      • by seebs (15766)

        Do we actually know that they *stored* unencrypted information, or only that attackers were able to extract it in some way?

        Except for passwords, customer information *must* be at least temporarily in a decrypted form to be used. That means that there exists a way to decrypt it. So if that were compromised, you could get decrypted data even though the *storage* was encrypted.

        Not saying the storage was encrypted, just pointing out that the extraction of unencrypted data doesn't prove that it

        • by lgw (121541)

          You're right of course, but the bar is lower than you think. Most companies don't even bother to encrypt all data at rest. If they did, then as you point out there'd be a different kind of attack that was common - but that attack is a lot harder, as you need to actually understand the target, not merely get root on one server somewhere in their datacenter.

  • I'd like to see a law firm launch a class action suit against a company that has failed to take reasonable measures to protect customers' data. Hell, I'd go so far as to say that it's the best use of a class action lawsuit ever. AFAIK there is no effective legislation that is doing the job. All it takes is one lawsuit to set a precedent, right? Hell, lawyers are supposed to be good at identifying this kind of opportunity so what's the deal? Are they too busy chasing ambulances?
    • by Feyshtey (1523799)
      I'd like to see the cost of any service that can guarantee that a breach is not possible.

      Sure, they can fund the game for a subscription fee of $15/month.
      But the fee to use credit card transactions for the subscription is $40/month.
      • by lgw (121541)

        If you believe that "secure" means "a breach cannot happen", you fail to understand security. Companies should be held to the standard of having taken measures to secure customer data that a typical security geek would recommend - the same standard that's used for holding companies responsible for physical security and safety.

        • I don't believe anyone here expects customer information to be 100% breach free. Rather I was commenting on how some companies that are entrusted with customer information don't do enough to protect it and are not punished appropriately when a breach occurs. I see a culture of lax security in this country which (in recent years) has resulted in some spectacular data thefts. I am not in the security business so from a consumer standpoint there does not seem to be enough punitive action to correct this. It is m
          • by lgw (121541)

            Oh, I think high profile class action lawsuits are exactly the way to fix the problem. Companies need to see info security as the same level of risk as an unlit parking lot or a safety hazard in the work environment - it's cheaper to have someone whose job it is to prevent such things than it is to pay the lawsuits.

  • I still want to play it, I just need a computer with more horsepower. I use a disposable, reloadable credit card for all online purchases. The thing functions just like an ATM card, you can't charge more than what's on it.

    I think the positive thing they could do moving forward is explain what steps, in general terms, they've taken to make sure this doesn't happen again. Further, there's no amount of in-game compensation they can give that would mean anything significant.

    It sucks, but at least it's been d

  • Why the first and last four ?

    On the web site, the payment methods only display the last four. Are you telling me they kept the first four "just in case" ?

    One could hope they store the last 4 four digits separately, and the full one in a place that can only be written and not read by the web site systems. But then, one could hope the one(s) responsible for this understand the basics of security.

    And then again ... first and last four ? How so ?

    A) 1234-XXXX-XXXX-5678 ? Waste of space ? Really ?
    B) 12345678 ? T

    • by Anguirel (58085)

      Best guess - probably for Customer Service. If you can hack the account website, you can see the last-four (which is there for the customer to know which card is attached to the account). When someone calls in to get an account changed in some fashion, CS can ask for the first-four to verify your identity. They shouldn't have access to password (presumably one-way hashed and salted) or secret question answers (which can be changed via the website anyway), so that won't work for easy ID verification. Dro
