921 replies to this topic

[Valandir]

according to "freundlich": Since migration.
But I/we don't know, if that is true.

[Rarehero]

Weeeell, the guy who found out about the leak said, that this problem has been around since the migration, which makes me wonder, if he tried to hack the Codemasters-servers as well (or how does he know, that this leak appeared with the migration?).

[freundlich]

Rarehero, on 12 October 2011 - 18:33, said:

if he tried to hack the Codemasters-servers as well (or how does he know, that this leak appeared with the migration?).

no

after the migration turbine needs to expanding the forum with other languages (german, france).
and there was the flaw.

[Moderate Peril]

Even if this is all blown out of proportion and nothing too bad has happened (although I'm not disposed to think that), shouldn't dear old Turbine not move heaven and earth to deal with this and to publicly allay customers fears?

Haven't they had enough PR disasters in the last 18 months?

It would be nice to blog about something different for a change:

Forum Maintenance?

[Arkenstone]

Turbine has the most downtime on their forums of any company I've ever seen on the internet. They should just give it up. There is incompetence somewhere. Not sure if it's just the forums or if it's a deliberate take down to cover up some other issues. Im glad that when I bought a TP bundle I used a temporary credit card number. I didn't trust them then and I'm glad I didn't!

[Ingaras]

Quote

We have identified a potential issue in the forum system.  As a precautionary measure we have disabled our forums while we investigate.  We will bring the forums back online when we complete our work.  We thank you for your patience.

Please follow us on Twitter @LOTRO or like us on Facebook to receive updates during the maintenance.

That's a different message than this morning isn't it?

[Trinsec]

Jup, it just updated.

[1813]

Spheric, on 12 October 2011 - 17:04, said:

You know, the fact that Turbine has ignored this danger since they first tied the forums to actual game accounts despite repeated warnings over and over again from their players is bad enough. But, then to find out that their data has been open for public access all this time on top of it all is absolutely stunning. It's almost unbelievable that they would be this careless with their customers' data. It goes well beyond incompetence. Well beyond.

Comparisons to the carelessness of Sony in how they handled their customers' sensitive information is appropriate, in my humble opinion. This ranks right up there with that.

When I read your post I (for some strange reason) thought of a quote from the Black Adder goes Forth series - Private Plane episode.

Melchett: If nothing else works, a total pig-headed unwillingness to look facts in the face will see us through.

[Darmokk]

If a password leak (encrypted or not) has occurred they might be obligated by law to disclose this to affected customers.

While the laws around this are in development Massachusetts is quite a bit jumpier about consumer protection. They might be in hot water if they skip that.

[cossieuk]

I like how they claim to have found a potential issue

[Darmokk]

cossieuk, on 12 October 2011 - 20:01, said:

I like how they claim to have found a potential issue

Yeah and the issue is the guy who "hacked" them

[LordVorontur]

I've changed all passwords related to lotro, be it accounts or forum logins, by using the myaccount website.

[Dalthalion]

Here's a question about that, though.  Since Turbine hasn't resolved the matter, how can we be certain that it's safe to change your passwords?

[Pepys]

TBH I find it rather unfair to rant against Turbine in these cases.

First: I am completely convinced that they do what they can to solve the issue. Second: if we aren't informed the way you all want to have it, please consider if this may be for security reasons. The less informations WE get, the less informations get through to those who may do harm.

And last not least: as long as Turbine/Codemasters give free stuffies and goodies and what not, I read lots of *thanks* and *hugs* and *luv ya*'s for the devs. But the moment any problem occurs, the community turns bad immediately calling them incompetent, and what not.

*scolds all*

[Dalthalion]

Pepys, on 12 October 2011 - 20:58, said:

TBH I find it rather unfair to rant against Turbine in these cases.

First: I am completely convinced that they do what they can to solve the issue. Second: if we aren't informed the way you all want to have it, please consider if this may be for security reasons. The less informations WE get, the less informations get through to those who may do harm.

And last not least: as long as Turbine/Codemasters give free stuffies and goodies and what not, I read lots of *thanks* and *hugs* and *luv ya*'s for the devs. But the moment any problem occurs, the community turns bad immediately calling them incompetent, and what not.

*scolds all*

Scold yourself, rather.  Just because forum topics and posts on the official site have been hidden from public view doesn't mean that Turbine has not been consistently warned of their vulnerabilities by the player base.  Our reaction is largely a "told you so" sort of reaction.

[Arkenstone]

@Pepys

I'm sorry but it is their responsibility to have a secure system. I don't care whose feelings are hurt if my personal financial information are exposed because they have a buggy system (seems like ALL their systems are buggy). At some point they need to release information on what possible security impacts may have occurred. The ONLY legitimate reason they haven't yet is because they are still trying to assess what the impact was. Any other reason is just them covering their ass. This is not singling them out, this is many companies have had security breaches recently. Some have kept quiet deliberately putting other people at risk just so they can cover it up. That is unacceptable.

Ultimately everyone is responsible for their own security so I do hope others update their passwords and personal information that turbine holds. Unfortunately there doesn't seem to be a way to remove your credit card info from Turbine's website (probably calling them will help?). Thank fully the temporary card I used already expired but they have my address. I can't remove it or even put a fake address because it won't match the billing address on my expired card therefore won't' update. The only way for me to change my address is to provide another credit card # that matches that address....

[Ingaras]

Pepys, on 12 October 2011 - 20:58, said:

TBH I find it rather unfair to rant against Turbine in these cases.

First: I am completely convinced that they do what they can to solve the issue. Second: if we aren't informed the way you all want to have it, please consider if this may be for security reasons. The less informations WE get, the less informations get through to those who may do harm.

If the leak is indeed as described here, it's a mistake along the lines of not only leaving the back door open, but having removed all the locks on the door and then being surprised someone could walk in. If an MMO company (who know they're often targets for hacks) makes a mistake like that I believe it's quite fair to tell them that they screwed up big time. Especially if they've been told repeatedly that there's room for improvement of security (NOT the same pw for game/forum accounts, 2-factor auth options). As for communication I can quite understand that they're not willing to provide details, but the least they could do is either firmly deny that there is an issue or if there is make known that you're aware of it and working on it (and what you expect your customers to do, as they're keen on telling that account security is our problem). Although if they're really doing all they can the first they'd have done is remove all possible ways to use the leak, so information about it coming out wouldn't do too much harm anyway. To be fair: the updated statement is a good start.

[Spheric]

Pepys, on 12 October 2011 - 20:58, said:

TBH I find it rather unfair to rant against Turbine in these cases.

First: I am completely convinced that they do what they can to solve the issue. Second: if we aren't informed the way you all want to have it, please consider if this may be for security reasons. The less informations WE get, the less informations get through to those who may do harm.

And last not least: as long as Turbine/Codemasters give free stuffies and goodies and what not, I read lots of *thanks* and *hugs* and *luv ya*'s for the devs. But the moment any problem occurs, the community turns bad immediately calling them incompetent, and what not.

*scolds all*

First, let me say that keeping silent at this point does nothing whatsoever to increase security on their forums. What is more likely happening is that they understand the PR nightmare they may have on their hands and have ordered silence on the matter from all personnel until they can cobble together an official statement.

But, since no official statements have been forthcoming after more than twenty-four hours, I believe they are completely blowing it. Any fool can understand that this is the type of situation that requires PR management from the outset. Just like the security issues themselves, this will not go away just because they refuse to discuss it. In fact, it is likely to become worse because of that.

Sure, they are probably reticent to discuss it since what has happened here is highly likely to be unconscionable. If it's bad enough, they may even be hanging out there liability-wise, which is generally a very good reason to keep one's mouth shut. But, they have a duty both morally and legally to inform their customers if there is a danger that their personal information has been compromised.

Is it possible that they believe they can just issue a single statement once the forums are back online and call it a day? If so, I believe they may be in for a very rude awakening.

[Valandir]

the screenshots and stuff provided to me...
they all lead to one conclusion
(and I still canNOT believe that it is true):

Turbine's databases allowed ANONYMOUS access - read-only, but still.... WTF?

(Disclaimer: I don't know that for sure. I have not tested it myself. It's just what I believe right now... reasonable suspicion - kinda.)

[Mockingbird]

Pepys, on 12 October 2011 - 20:58, said:

TBH I find it rather unfair to rant against Turbine in these cases.

First: I am completely convinced that they do what they can to solve the issue. Second: if we aren't informed the way you all want to have it, please consider if this may be for security reasons. The less informations WE get, the less informations get through to those who may do harm.

And last not least: as long as Turbine/Codemasters give free stuffies and goodies and what not, I read lots of *thanks* and *hugs* and *luv ya*'s for the devs. But the moment any problem occurs, the community turns bad immediately calling them incompetent, and what not.

*scolds all*

*If* the forums are down due to security issues then it is unfair of *them* to put their customers information at risk in this way. I will not pretend to be familiar with security issues, however it is Turbine's responsibility to put necessary resources into protecting the data they hold about each and every customer.

Furthermore, I would question why the original poster who expressed these security issues directly to Turbine did not trigger any immediate investigation. Telling customers that they are closing a potential security breach that has been discovered may not be great for instilling confidence but it would not be sufficient information to get through to 'those who would do harm' - they don't need to give customers specific details. If they did want to instill confidence perhaps they should respond more proactively to customers who express concerns about potential security issues...

I doubt the majority of people here are the the same players cosying up regarding goodies and free stuff... are you sure you are scolding the right people?