
FAQ on Lotro forums with regard to breach

18 posts in this topic

Posted

Released half an hour ago (apologies for the loss of formatting)

Security FAQ

What happened?

Recently, we became aware of a compromise of the LOTRO forum database.

Were my payment details or credit card number exposed?

No payment information was contained within the forum DB.

How did it happen?

A bug in our forum code allowed unauthorized access to the forum database.

What did you do about it?

We turned off the forums and conducted a full analysis of the issue. As part of our review we brought in experts to help address any findings. We were able to find and fix the bug and took specific additional actions to further strengthen the security of our web applications.

Why didn't I hear about this sooner?

Rather than speculating, we wanted to fully understand the situation before communicating details to our players.

I received an email regarding LOTRO from BlueHornet with links to the MyAccount page instructing me to change my password. Is this email legitimate?

We have sent emails to all players informing them of the security issue and suggesting appropriate action for their particular accounts. If you ever have concerns about whether any communications are not legitimate, you should contact customer support.

My email didn't say to change my password; it said it had been changed. Why?

Out of an abundance of caution we've reset the passwords of a small number of players. These players have received an email notifying them of this change and how to recover their accounts.

Why were there two emails?

Emails were tailored to each account situation. The most important message from both communications was to change your password to one that is strong, unique, and hard to guess.

How do I pick a strong password?

DO:

Use a pass phrase instead of a password. Example: England won the World Cup in 1966!

Use the first letter of each word in a phrase you can remember, then mix in some numbers and symbols. Example: EwthWCi66!

Write down a clue that will help you remember your password, but won't help someone else guess it. Example: Major sporting event

DON'T:

Use your name, birthday, or other personal information. Example: Heather2

Use sequential or repeating combinations. Example: 123456, qqqqqq

Use a password that is a complete word in any language because some hackers search for every word in the dictionary. Example: LOTRO1

Replace letters in a common word with other characters. Hackers know this trick! Example: Passw0rd

Use the same password for all accounts.

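The DON'T rules in the FAQ above, turned into a checker, as an added example that is not part of the FAQ or of anyone's post in this thread. The wordlist and the personal-data list are constructed stand-ins for a real cracking dictionary and for an account holder's details, and the 10-character minimum is an assumption (the FAQ gives examples but no length). The "same password everywhere" rule cannot be checked by a single site and is left out.

```python
"""Check a candidate password against the FAQ's DON'T rules.
Added example; wordlist, name list and minimum length are assumptions."""
import re

# Constructed stand-in for a cracking dictionary (real ones have millions of entries).
DICTIONARY = {"password", "lotro", "dragon", "welcome", "letmein", "hobbit", "england"}

# Common character-for-letter substitutions, applied in reverse the way crackers do.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 10  # assumption: the FAQ sets no minimum length


def is_sequential(s):
    """'123456' or 'fedcba': an ascending or descending run of 4+ characters."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def is_repeating(s):
    """'qqqqqq': a single character repeated."""
    return len(s) >= 4 and len(set(s)) == 1


def strip_padding(pw):
    """Drop leading/trailing digits and symbols (the 'LOTRO1' pattern), lowercase."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def check_password(pw, personal=()):
    """Return the list of rules the password breaks; an empty list means it passed."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    low = pw.lower()
    for item in personal:  # name, birthday, etc. supplied by the caller
        if item.lower() in low:
            problems.append(f"contains personal information: {item!r}")
    if is_sequential(pw):
        problems.append("sequential characters")
    if is_repeating(pw):
        problems.append("repeated single character")
    core = strip_padding(pw)
    if core in DICTIONARY:
        problems.append(f"dictionary word {core!r}")
    elif core.translate(LEET) in DICTIONARY:
        problems.append(f"dictionary word {core.translate(LEET)!r} with character substitutions")
    return problems


if __name__ == "__main__":
    # The FAQ's own examples; "Heather" is the constructed personal datum.
    for candidate in ["England won the World Cup in 1966!", "EwthWCi66!",
                      "Heather2", "123456", "qqqqqq", "LOTRO1", "Passw0rd"]:
        print(f"{candidate!r}: {check_password(candidate, personal=['Heather']) or 'ok'}")
```

Reversing leet substitutions before the dictionary lookup is what makes "Passw0rd" fail; a checker that only looks for the literal word would pass it, which is exactly the trick the FAQ says crackers already know.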
Posted

Ridiculous. A bug in the forum code?

Fortunately, I don't believe one word of that spin.

Posted

It sounds to me like they are trying to 'appear' to be taking the right steps while not actually doing so.

Another 'Déception de la Turbine' (Turbine deception).

The basic question remains - could hackers see our account information?

I haven't actually seen the screenshots of the account and forum information being accessible. Can anyone point me to them?

Posted

I haven't actually seen the screenshots of the account and forum information being accessible. Can anyone point me to them?

http://apload.de/bild/143944/unbenannt378T5V.png

http://ic.tweakimg.n.../1318413012.png

http://ic.tweakimg.n.../1318414425.png

There are no more valid screenshots.

Posted

I can't see where those screenshots show the potential for the viewing of account information, admittedly my German is poor at best.

Posted

It's been blacked out.

Posted

I'd like to point out that a bug (well, flaw or vulnerability I suppose) in the forum code (and/or backend DB permissions or stored procedures) is the most likely culprit, given the screenshots. You'll see that the guy is using Havij, which is an SQL injection tool. If the MySQL port were open on the firewall (as suggested elsewhere), you'd not be using Havij, and you wouldn't see an HTTP URL at the top of the tool (since the connection would not be over HTTP).

I'm actually (slightly) impressed that it appears the attack was only partially successful - I've read that the user had read-only access, which is good because many web app accounts have too many permissions. Give a hacker a web app account with sa access and many times they will have shell.

Posted

Give a hacker a web app account with sa access and many times they will have shell.

Create any web app that uses the sa account for db access and frankly you should reconsider your career!

Posted

Create any web app that uses the sa account for db access and frankly you should reconsider your career!

Absolutely true :) but you might be surprised at how often it's actually done. Many admins don't have the time or experience in troubleshooting permissions issues in convoluted apps. Giving all access is a time saver, and they do not often think of the security implications.

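The two points made in the posts above, an injection through the forum's own code of the kind Havij automates, and why the database account a web app uses should be able to do as little as possible, as an added example. This is not code from the forum software, from Turbine, or from anyone in the thread: it uses Python's sqlite3 with a constructed schema, constructed rows and placeholder hash strings, and SQLite's query_only pragma stands in for a read-only database account.

```python
"""Toy forum-search endpoint on an in-memory SQLite database.
Added example; schema, rows and 'hashes' are constructed for illustration."""
import sqlite3


def make_db():
    """Build the constructed forum DB: a posts table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            password_hash TEXT, email TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO users VALUES (1, 'gandalf', 'hash_of_g_pw', 'g@example.invalid');
        INSERT INTO users VALUES (2, 'frodo',   'hash_of_f_pw', 'f@example.invalid');
        INSERT INTO posts VALUES (1, 'Patch notes', 'Update 4 is live');
        INSERT INTO posts VALUES (2, 'Raid signup', 'Friday night');
        """
    )
    return conn


def search_posts_vulnerable(conn, term):
    """Vulnerable: the search term is spliced into the SQL text, so a crafted
    term rewrites the statement. This is the bug class Havij looks for."""
    sql = "SELECT title, body FROM posts WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_posts_safe(conn, term):
    """Fixed: the term is a bound parameter and can only ever be data."""
    sql = "SELECT title, body FROM posts WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# UNION-based payload: closes the LIKE string, appends a SELECT against the
# users table with the same column count, and comments out the trailing "%'".
UNION_PAYLOAD = "zzz%' UNION SELECT username, password_hash FROM users -- "


def as_read_only(conn):
    """Emulate a least-privilege DB account: this connection may only read.
    (In a real deployment the web app's DB user would be granted SELECT only.)"""
    conn.execute("PRAGMA query_only = ON")
    return conn


def attempt_write(conn):
    """What an attacker who reaches the DB tries next; returns the outcome."""
    try:
        conn.execute("UPDATE users SET password_hash = 'owned' WHERE id = 1")
        return "write succeeded"
    except sqlite3.OperationalError as exc:
        return "write blocked: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable search:", search_posts_vulnerable(db, UNION_PAYLOAD))
    print("parameterized:    ", search_posts_safe(db, UNION_PAYLOAD))
    print("write as app user:", attempt_write(make_db()))
    print("write, read-only: ", attempt_write(as_read_only(db)))
```

The vulnerable search returns the whole users table (usernames and hashes) for the payload, the parameterized one returns nothing because the payload is just an unmatched pattern, and the UPDATE fails on the read-only connection with "attempt to write a readonly database". sqlite3 refuses stacked statements in one execute() call, which is why the demo uses UNION; drivers that allow multiple statements per call turn the same bug into a write path, and an over-privileged account turns it into more than that. The MySQL equivalent of the read-only account is a grant such as GRANT SELECT ON forum.* TO 'forum_app'@'localhost'; on SQL Server a connection as sa can additionally reach xp_cmdshell, which is the shell the earlier post refers to.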
Posted

Were my payment details or credit card number exposed?

No payment information was contained within the forum DB.

I just don't like this line. It's too ambiguous. The forum database contained ID and password for the forum. Since that's the same as the game account, it allows access to the credit card information, or am I being stupid? And it seems likely that all the data was contained in one database, which is why we only have the one key. Because if there really are two databases, then why make us use one key, they could actually give us back separate keys for both, and have that little bit of extra security. They are kind of catching themselves up in their own spin, because either there's one database, or there isn't. Having two databases accessed by one key isn't what I call secure, particularly since the nature of information contained in one database (game account) is far more volatile than the other (forum).

It's tempting to try and access my own information using one of these tools, just to see if I can see that. After all, I can't be accused of hacking my own information. Turbine doesn't own my name, email, or payment data, I do.

Posted

What happened?

Recently, we became aware of a compromise of the LOTRO forum database.

Were my payment details or credit card number exposed?

No payment information was contained within the forum DB.

Not trying to defend Turbine's actions here at all, but when you put the whole FAQ in context (as above) it actually looks a lot less ambiguous than you are suggesting.

Posted

The whole point about customer security doesn't hinge on forum security. I don't care what happens to that. I'm more concerned about the payment details and my credit rating. Telling me that payment details are not included on the forum database does NOT clearly state that my credit data was not available using the forum data.

I think that's why it's said like that. It sounds like an answer, but really isn't one. More like legal spin to me.

I'll be more specific.

Payment details not being in the forum data doesn't mean the payment data wasn't exposed if the forum data was used to get it. That's what they aren't addressing.

Posted

Telling me that payment details are not included on the forum database does NOT clearly state that my credit data was not available using the forum data.

I agree with this, but the question above that one does say that it was the forum database that was compromised, and then the second question says the forum database doesn't contain payment information. You're right, it isn't the absolute answer; it does still leave the question as to whether the forum database was the only one compromised. As I said, I'm not defending them and the FAQ is far from perfect, but it is important to look at it as a whole rather than take bits out of context.

DON'T

...

Use the same password for all accounts

This bit is quite funny as this is exactly what they force us to do with our forum and game accounts.

Posted

This post won't clear anything up specific to the breach, since we do not have any more specific information, but for those who may be interested, here goes:

Regarding payment data, it depends on their payment gateway and payment application. I have quite a bit of experience assessing companies against PCI DSS, Mass 201 CMR 17.00, Nevada NRS 603a and other data security/privacy standards and regulations. An increasing number of e-commerce and similar entities are not storing any cardholder data (remembering that the truncated first 6/last 4 numbers are not considered cardholder data). Now, there is no evidence that Turbine does NOT store this, but it IS possible that Turbine isn't actually storing the full PAN --- their payment gateway may provide Turbine with a token representing the PAN to process recurring transactions, and even single (LOTRO store) transactions.

Who knows the actual system in place, though - all we can do is speculate, and assume (or hope) that Turbine is not breaking the 47 or so state breach notification laws and 2 state laws that specifically address cardholder data. There are still plenty of merchants that store the full PAN (AND unfortunately the sensitive authentication data like the CVV/CVC code, which they are not allowed to do) when processing recurring payments, I just don't know if Turbine is one of them.

This bit is quite funny as this is exactly what they force us to do with our forum and game accounts.

I know they were sync'd at one point, but I changed my password @ myaccount.turbine and it changed my game password. My forum password is still what it used to be (until I pressed the "Change forum password" link).

I don't know when it changed, but it appears you can de-link the passwords from each other. Now I have one password for game, and one for forums.

Posted

I know they were sync'd at one point, but I changed my password @ myaccount.turbine and it changed my game password. My forum password is still what it used to be (until I pressed the "Change forum password" link).

I don't know when it changed, but it appears you can de-link the passwords from each other. Now I have one password for game, and one for forums.

You can "de-link" the forum login from the game/account login. I posted on this yesterday with a workaround that is only slightly different than what was posted over on CSTM by a player named "Joe". Post referencing the CSTM post ~and~ my version of workaround

As I mentioned in the first post, I highly doubt that it's WAI but at least it's a way to de-couple the forum login from the game until such time that Turbine fixes it.

Posted

Ridiculous. A bug in the forum code?

Fortunately, I don't believe one word of that spin.

??? Not a bug ?

How else do you think that a clearly unintended feature of their coding allowing this hack should be described ?

Posted

Well the data might not display in the clear, but obviously they do have the data there, and if so, was it accessible using the same infiltration technique. Remember the main account site was down for some time along with the forum as well, and no explanation as yet as to why.

Posted

Something that I have not seen elsewhere, is the mention by Turbine that passwords changed after October 11th are safe:

Turbine is concerned that a third-party recently may have attempted to access forum account information. There is no indication at this time that your account was modified or compromised. For your protection we suggest you change the password to a unique, hard to guess password not associated with any other sites or services. If you changed your password after October 11th, then you can disregard this message.

October 11th is when the forum went down.
