


FAQ on Lotro forums with regard to breach


17 replies to this topic

#1 Wicked

Wicked

    Member

  • Members
  • PipPipPip
  • 32 posts

Posted 19 October 2011 - 02:39

Released half an hour ago (apologies for the loss of formatting)

Security FAQ

What happened?
Recently, we became aware of a compromise of the LOTRO forum database

Were my payment details or credit card number exposed?
No payment information was contained within the forum DB

How did it happen?
A bug in our forum code allowed unauthorized access to the forum database.

What did you do about it?
We turned off the forums and conducted a full analysis of the issue. As part of our review we brought in experts to help address any findings. We were able to find and fix the bug and took specific additional actions to further strengthen the security of our web applications.

Why didn't I hear about this sooner?
Rather than speculating, we wanted to fully understand the situation before communicating details to our players.

I received an email regarding LOTRO from BlueHornet with links to the MyAccount page instructing me to change my password. Is this email legitimate?

We have sent emails to all players informing them of the security issue and suggesting appropriate action for their particular accounts. If you ever have concerns about whether any communications are not legitimate, you should contact customer support.

My email didn't say to change my password; it said it had been changed. Why?

Out of an abundance of caution we've reset the passwords of a small number of players. These players have received an email notifying them of this change and how to recover their accounts.

Why were there two emails?

Emails were tailored to each account situation. The most important message from both communications was to change your password to one that is strong, unique, and hard to guess.

How do I pick a strong password?

DO:
  • Use a pass phrase instead of a password. Example: England won the World Cup in 1966!
  • Use the first letter of each word in a phrase you can remember, then mix in some numbers and symbols. Example: EwthWCi66!
  • Write down a clue that will help you remember your password, but won't help someone else guess it. Example: Major sporting event

DON'T:
  • Use your name, birthday, or other personal information. Example: Heather2
  • Use sequential or repeating combinations. Example: 123456, qqqqqq
  • Use a password that is a complete word in any language because some hackers search for every word in the dictionary. Example: LOTRO1
  • Replace letters in a common word with other characters. Hackers know this trick! Example: Passw0rd
  • Use the same password for all accounts


  • 0
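The DO/DON'T rules in the FAQ above, turned into a small password-policy check. This is added example code, not from the FAQ or Turbine; the word list and the leetspeak table are constructed stand-ins for a real dictionary and a real substitution table.

```python
import re

# Constructed stand-in for a real dictionary; "lotro" is in it because the FAQ
# treats it as a guessable word (its DON'T example is LOTRO1).
WORDLIST = {"password", "lotro", "england", "world", "cup", "secret"}

# The substitutions the FAQ warns about ("Passw0rd"): undo them before checking.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def is_sequential(s):
    """True for runs such as 123456 or abcdef, ascending or descending."""
    codes = [ord(c) for c in s.lower()]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return len(s) >= 4 and diffs in ({1}, {-1})

def is_repeating(s):
    """True for one character repeated, such as qqqqqq."""
    return len(s) >= 4 and len(set(s.lower())) == 1

def core_word(s):
    """Strip the trailing digits/symbols people tack on (LOTRO1, Heather2),
    undo leetspeak, and keep only letters, so the guessable word shows."""
    s = re.sub(r"[^A-Za-z]+$", "", s)
    return re.sub(r"[^a-z]", "", s.translate(LEET).lower())

def check_password(candidate, personal_info=()):
    """Return the FAQ rules the candidate breaks; an empty list means it passes.
    personal_info holds strings such as the user's name or birth year."""
    problems = []
    if is_sequential(candidate) or is_repeating(candidate):
        problems.append("sequential or repeating combination")
    core = core_word(candidate)
    if core in WORDLIST:
        problems.append("dictionary word, even with characters swapped")
    if any(core_word(p) and core_word(p) in core for p in personal_info):
        problems.append("contains personal information")
    return problems

if __name__ == "__main__":
    for pw in ("England won the World Cup in 1966!", "EwthWCi66!",
               "123456", "qqqqqq", "LOTRO1", "Passw0rd"):
        print(pw, "->", check_password(pw) or "ok")
    print("Heather2 ->", check_password("Heather2", personal_info=("Heather",)))
```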

#2 LordVorontur

LordVorontur

    Banned

  • Members
  • PipPipPipPipPipPipPipPipPipPip
  • 4,357 posts
  • Server:Snowbourn
  • Kinship:Elves of Imladris

Posted 19 October 2011 - 08:44

Ridiculous. A bug in the forum code?
Fortunately, I don't believe one word of that spin.
  • 0

Hir i Meigol Bruinen
High Council Member of the EoI

Of the Exiles of the Hidden City

Meigol Bruinen, Uncle Seregnin's Misguided Children

Curse the name of Maeglin, the Treacherous Villain, forever, may he rot in the Halls of Mandos for all time...

 

http://www.swtor.com/r/XWNQXP


#3 Mockingbird

Mockingbird

    Not to be killed

  • Members
  • PipPipPipPipPipPip
  • 278 posts
  • Server:Gilrain

Posted 19 October 2011 - 09:29

It sounds to me like they are trying to 'appear' to be taking the right steps while not actually doing so.

Another 'Déception de la Turbine'

The basic question remains - could hackers see our account information?

I haven't actually seen the screenshots of the account and forum information being accessible. Can anyone point me to them?
  • 0

#4 Agra

Agra

    Experienced Spammer

  • Moderators
  • 784 posts
  • Twitter:@lux_lotro
  • Location:Myrthenhof 6, Weinhall, Auenland
  • Server:Morthond
  • Kinship:Lux aeterna

Posted 19 October 2011 - 10:38

I haven't actually seen the screenshots of the account and forum information being accessible. Can anyone point me to them?

http://apload.de/bil...nannt378T5V.png
http://ic.tweakimg.n.../1318413012.png
http://ic.tweakimg.n.../1318414425.png
There are no more valid screenshots.
  • 0
LotRO server status widget for your website: http://lux-hdro.de/serverstatus.php
LotRO server status sidebar gadget: http://lux-hdro.de/download.php
LotRO server status RSS: http://lux-hdro.de/s...rstatus-rss.php
LotRO MP signature generator: http://lux-hdro.de/mp-signatur.php
LotRO online signature generator: http://lux-hdro.de/signatur.php

#5 Laurinaohtar

Laurinaohtar

    Forum Furniture

  • Members
  • PipPipPipPipPipPipPipPipPip
  • 2,199 posts
  • Location:here
  • Server:Snowbourn
  • Kinship:Council Of The West

Posted 19 October 2011 - 10:52

I can't see where those screenshots show the potential for the viewing of account information, admittedly my German is poor at best.
  • 0

This is a serious discussion




#6 LordVorontur

LordVorontur

    Banned

  • Members
  • PipPipPipPipPipPipPipPipPipPip
  • 4,357 posts
  • Server:Snowbourn
  • Kinship:Elves of Imladris

Posted 19 October 2011 - 11:04

It's been blacked out.
  • 0

Hir i Meigol Bruinen
High Council Member of the EoI

Of the Exiles of the Hidden City

Meigol Bruinen, Uncle Seregnin's Misguided Children

Curse the name of Maeglin, the Treacherous Villain, forever, may he rot in the Halls of Mandos for all time...

 

http://www.swtor.com/r/XWNQXP


#7 blahblahblahblah

blahblahblahblah

    New member

  • Members
  • Pip
  • 4 posts

Posted 19 October 2011 - 14:24

I'd like to point out that a bug (well, flaw or vulnerability I suppose) in the forum code (and/or backend DB permissions or stored procedures) is the most likely culprit, given the screenshots. You'll see that the guy is using Havij, which is an SQL injection tool. If the MySQL port were open on the firewall (as suggested elsewhere), you'd not be using Havij, and you wouldn't see an HTTP URL at the top of the tool (since the connection would not be over HTTP).

I'm actually (slightly) impressed that it appears the attack was only partially successful - I've read that the user had read-only access, which is good because many web app accounts have too many permissions. Give a hacker a web app account with sa access and many times they will have shell.
  • 0
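The two points in the post above, a forum-code bug that lets user input reach the database as SQL and a read-only database account that limits what such a bug can do, as an added example. This is illustration code, not the thread's or Turbine's forum software; the posts table and its rows are constructed, and SQLite's read-only open mode stands in for a restricted database account.

```python
import sqlite3

# Constructed sample forum table for illustration only; not Turbine's schema.
def build_forum_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT);
        DELETE FROM posts;
        INSERT INTO posts (author, body) VALUES
            ('Wicked', 'Security FAQ released'),
            ('O''Brien', 'Is the BlueHornet email legitimate?');
    """)
    conn.commit()
    return conn

def search_posts_vulnerable(conn, author):
    # The bug class: user input is glued into the SQL text, so a quote in the
    # input changes the query's grammar instead of being part of the value.
    sql = "SELECT body FROM posts WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]

def search_posts_safe(conn, author):
    # Parameter binding: the driver passes the value separately, so it is only
    # ever data and never SQL, whatever characters it contains.
    rows = conn.execute("SELECT body FROM posts WHERE author = ?", (author,))
    return [row[0] for row in rows]

def input_breaks_query(fn, conn, author):
    """True when fn raises a SQL error on this input; a query that breaks on a
    stray quote is the tell-tale that input is reaching the parser."""
    try:
        fn(conn, author)
        return False
    except sqlite3.OperationalError:
        return True

def connect_read_only(path):
    # Least privilege, the read-only account point from the thread: a handle
    # that can only SELECT cannot be turned into a write even if input is injected.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def write_succeeds(conn):
    """Attempt a write; return False when the connection refuses it."""
    try:
        conn.execute("DELETE FROM posts")
        conn.commit()
        return True
    except sqlite3.OperationalError:
        conn.rollback()
        return False
```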

#8 Laurinaohtar

Laurinaohtar

    Forum Furniture

  • Members
  • PipPipPipPipPipPipPipPipPip
  • 2,199 posts
  • Location:here
  • Server:Snowbourn
  • Kinship:Council Of The West

Posted 19 October 2011 - 14:30

Give a hacker a web app account with sa access and many times they will have shell.


Create any web app that uses the sa account for db access and frankly you should reconsider your career!
  • 0

This is a serious discussion




#9 blahblahblahblah

blahblahblahblah

    New member

  • Members
  • Pip
  • 4 posts

Posted 19 October 2011 - 14:32

Create any web app that uses the sa account for db access and frankly you should reconsider your career!



absolutely true :) but you might be surprised at how often it's actually done. Many admins don't have the time or experience in troubleshooting permissions issues in convoluted apps. Giving all access is a time saver, and they do not often think of the security implications.
  • 0

#10 Jackalope

Jackalope

    Junior Forum Furniture

  • Members
  • PipPipPipPipPipPipPipPip
  • 1,442 posts

Posted 19 October 2011 - 15:30

Were my payment details or credit card number exposed?
No payment information was contained within the forum DB

I just don't like this line. It's too ambiguous. The forum database contained ID and password for the forum. Since that's the same as the game account, it allows access to the credit card information, or am I being stupid? And it seems likely that all the data was contained in one database, which is why we only have the one key. Because if there really are two databases, then why make us use one key, they could actually give us back separate keys for both, and have that little bit of extra security. They are kind of catching themselves up in their own spin, because either there's one database, or there isn't. Having two databases accessed by one key isn't what I call secure, particularly since the nature of information contained in one database (game account) is far more volatile than the other (forum).

It's tempting to try and access my own information using one of these tools, just to see if I can see that. After all, I can't be accused of hacking my own information. Turbine doesn't own my name, email, or payment data, I do.
  • 0
How did buying a lifetime account become a free ride, and an example of not supporting Turbine? That money left my pocket and they took it. Free it was not.

#11 Laurinaohtar

Laurinaohtar

    Forum Furniture

  • Members
  • PipPipPipPipPipPipPipPipPip
  • 2,199 posts
  • Location:here
  • Server:Snowbourn
  • Kinship:Council Of The West

Posted 19 October 2011 - 15:41

What happened?
Recently, we became aware of a compromise of the LOTRO forum database

Were my payment details or credit card number exposed?
No payment information was contained within the forum DB


Not trying to defend Turbine's actions here at all, but when you put the whole FAQ in context (as above) it actually looks a lot less ambiguous than you are suggesting.
  • 0

This is a serious discussion




#12 Jackalope

Jackalope

    Junior Forum Furniture

  • Members
  • PipPipPipPipPipPipPipPip
  • 1,442 posts

Posted 19 October 2011 - 15:44

The whole point about customer security doesn't hinge on forum security. I don't care what happens to that. I'm more concerned about the payment details and my credit rating. Telling me that payment details are not included on the forum database does NOT clearly state that my credit data was not available using the forum data.

I think that's why it's said like that. It sounds like an answer, but really isn't one. More like legal spin to me.

I'll be more specific.

Payment details not being in the forum data doesn't mean the payment data wasn't exposed if the forum data was used to get it. That's what they aren't addressing.
  • 0
How did buying a lifetime account become a free ride, and an example of not supporting Turbine? That money left my pocket and they took it. Free it was not.

#13 Laurinaohtar

Laurinaohtar

    Forum Furniture

  • Members
  • PipPipPipPipPipPipPipPipPip
  • 2,199 posts
  • Location:here
  • Server:Snowbourn
  • Kinship:Council Of The West

Posted 19 October 2011 - 15:57

Telling me that payment details are not included on the forum database does NOT clearly state that my credit data was not available using the forum data.


I agree with this, but the question above that one does say that it was the forum database that was compromised, and then the second question says the forum database doesn't contain payment information. You're right, it isn't the absolute answer; it does still leave the question as to whether the forum database was the only one compromised. As I said, I'm not defending them and the FAQ is far from perfect, but it is important to look at it as a whole rather than take bits out of context.

DON'T
...
Use the same password for all accounts


This bit is quite funny as this is exactly what they force us to do with our forum and game accounts.
  • 0

This is a serious discussion




#14 blahblahblahblah

blahblahblahblah

    New member

  • Members
  • Pip
  • 4 posts

Posted 19 October 2011 - 16:12

This post won't clear anything up specific to the breach, since we do not have any more specific information, but for those who may be interested, here goes:

Regarding payment data, it depends on their payment gateway and payment application. I have quite a bit of experience assessing companies against PCI DSS, Mass 201 CMR 17.00, Nevada NRS 603a and other data security/privacy standards and regulations. An increasing number of e-commerce and similar entities are not storing any cardholder data (remembering that the truncated first 6/last 4 numbers are not considered cardholder data). Now, there is no evidence that Turbine does NOT store this, but it IS possible that Turbine isn't actually storing the full PAN: their payment gateway may provide Turbine with a token representing the PAN to process recurring transactions, and even single (LOTRO store) transactions.

Who knows the actual system in place, though - all we can do is speculate, and assume (or hope) that Turbine is not breaking the 47 or so state breach notification laws and 2 state laws that specifically address cardholder data. There are still plenty of merchants that store the full PAN (AND unfortunately the sensitive authentication data like the CVV/CVC code, which they are not allowed to do) when processing recurring payments, I just don't know if Turbine is one of them.

This bit is quite funny as this is exactly what they force us to do with our forum and game accounts.



I know they were sync'd at one point, but I changed my password @ myaccount.turbine and it changed my game password. My forum password is still what it used to be (until I pressed the "Change forum password" link).

I don't know when it changed, but it appears you can de-link the passwords from each other. Now I have one password for game, and one for forums.
  • 0

#15 The_One_Pie

The_One_Pie

    Advanced member

  • Members
  • PipPipPipPip
  • 92 posts
  • Location:Middle Earth

Posted 19 October 2011 - 21:28

I know they were sync'd at one point, but I changed my password @ myaccount.turbine and it changed my game password. My forum password is still what it used to be (until I pressed the "Change forum password" link).

I don't know when it changed, but it appears you can de-link the passwords from each other. Now I have one password for game, and one for forums.


You can "de-link" the forum login from the game/account login. I posted on this yesterday with a workaround that is only slightly different than what was posted over on CSTM by a player named "Joe". Post referencing the CSTM post ~and~ my version of workaround

As I mentioned in the first post, I highly doubt that it's WAI, but at least it's a way to de-couple the forum login from the game until such time that Turbine fixes it.
  • 0

#16 Natashaelle de Scourmont

Natashaelle de Scourmont

    Advanced member

  • Members
  • PipPipPipPip
  • 68 posts

Posted 20 October 2011 - 11:03

Ridiculous. A bug in the forum code?
Fortunately, I don't believe one word of that spin.


??? Not a bug?

How else do you think that a clearly unintended feature of their coding allowing this hack should be described?
  • 0

#17 Jackalope

Jackalope

    Junior Forum Furniture

  • Members
  • PipPipPipPipPipPipPipPip
  • 1,442 posts

Posted 20 October 2011 - 18:43

Well the data might not display in the clear, but obviously they do have the data there, and if so, was it accessible using the same infiltration technique. Remember the main account site was down for some time along with the forum as well, and no explanation as yet as to why.
  • 0
How did buying a lifetime account become a free ride, and an example of not supporting Turbine? That money left my pocket and they took it. Free it was not.

#18 Maelendil

Maelendil

    Advanced member

  • Members
  • PipPipPipPip
  • 86 posts

Posted 21 October 2011 - 15:38

Something that I have not seen elsewhere, is the mention by Turbine that passwords changed after October 11th are safe:

Turbine is concerned that a third-party recently may have attempted to access forum account information. There is no indication at this time that your account was modified or compromised. For your protection we suggest you change the password to a unique, hard to guess password not associated with any other sites or services. If you changed your password after October 11th, then you can disregard this message.


October 11th is when the forum went down.
  • 0



