LOTROCommunity

Official forums down


Rosiebelle

Edit: And now they've added a flash lottery too so maybe they are trying to drown out the noise.

Eventually they could not fix the issue soon, because they are not hosting a vBulletin out of the box.

Link to comment
Share on other sites

Looks like Turbine is finally paying the price for rushing a new community site, launching it half-working and then never polishing it up. Deserved^3.

Who wants to take a bet whether the encrypted passwords were salted or not?

And you know what the best part is?

Best part, or "best" part? I think "best" part is that we suffer from their failures. Best part would be jobs lost and new people hired as well as new modus operandi. Wishful thinking of course.

Link to comment
Share on other sites

Unsalted passwords? I guess I shouldn't be surprised, the fact that this hole exists in the first place is informative of their security practices in general. Tell me they were in md5 too? - I guess they were, if someone's been able to figure that they're unsalted.

If I made an unsalted password storage, my boss no doubt would come around and slap me around with my keyboard. But since we use Cake framework, salting comes built in already...

Link to comment
Share on other sites

Weeeell, the guy who found out about the leak said that this problem has been around since the migration, which makes me wonder if he tried to hack the Codemasters-servers as well (or how does he know that this leak appeared with the migration?).

Link to comment
Share on other sites

Even if this is all blown out of proportion and nothing too bad has happened (although I'm not disposed to think that), shouldn't dear old Turbine not move heaven and earth to deal with this and to publicly allay customers' fears?

Haven't they had enough PR disasters in the last 18 months?

It would be nice to blog about something different for a change:

Forum Maintenance?

Link to comment
Share on other sites

Turbine has the most downtime on their forums of any company I've ever seen on the internet. They should just give it up. There is incompetence somewhere. Not sure if it's just the forums or if it's a deliberate take down to cover up some other issues. I'm glad that when I bought a TP bundle I used a temporary credit card number. I didn't trust them then and I'm glad I didn't!

Link to comment
Share on other sites

We have identified a potential issue in the forum system. As a precautionary measure we have disabled our forums while we investigate. We will bring the forums back online when we complete our work. We thank you for your patience.

Please follow us on Twitter @LOTRO or like us on Facebook to receive updates during the maintenance.

That's a different message than this morning, isn't it?

Link to comment
Share on other sites

You know, the fact that Turbine has ignored this danger since they first tied the forums to actual game accounts despite repeated warnings over and over again from their players is bad enough. But, then to find out that their data has been open for public access all this time on top of it all is absolutely stunning. It's almost unbelievable that they would be this careless with their customers' data. It goes well beyond incompetence. Well beyond.

Comparisons to the carelessness of Sony in how they handled their customers' sensitive information are appropriate, in my humble opinion. This ranks right up there with that.

When I read your post I (for some strange reason) thought of a quote from the Blackadder Goes Forth series - Private Plane episode.

Melchett: If nothing else works, a total pig-headed unwillingness to look facts in the face will see us through.

Link to comment
Share on other sites

If a password leak (encrypted or not) has occurred they might be obligated by law to disclose this to affected customers.

While the laws around this are in development, Massachusetts is quite a bit jumpier about consumer protection. They might be in hot water if they skip that.

Link to comment
Share on other sites

TBH I find it rather unfair to rant against Turbine in these cases.

First: I am completely convinced that they do what they can to solve the issue. Second: if we aren't informed the way you all want to have it, please consider if this may be for security reasons. The less information WE get, the less information gets through to those who may do harm.

And last but not least: as long as Turbine/Codemasters give free stuffies and goodies and what not, I read lots of *thanks* and *hugs* and *luv ya*'s for the devs. But the moment any problem occurs, the community turns bad immediately calling them incompetent, and what not.

*scolds all*

Link to comment
Share on other sites

TBH I find it rather unfair to rant against Turbine in these cases.

First: I am completely convinced that they do what they can to solve the issue. Second: if we aren't informed the way you all want to have it, please consider if this may be for security reasons. The less information WE get, the less information gets through to those who may do harm.

And last but not least: as long as Turbine/Codemasters give free stuffies and goodies and what not, I read lots of *thanks* and *hugs* and *luv ya*'s for the devs. But the moment any problem occurs, the community turns bad immediately calling them incompetent, and what not.

*scolds all*

Scold yourself, rather. Just because forum topics and posts on the official site have been hidden from public view doesn't mean that Turbine has not been consistently warned of their vulnerabilities by the player base. Our reaction is largely a "told you so" sort of reaction.

Link to comment
Share on other sites

@Pepys

I'm sorry but it is their responsibility to have a secure system. I don't care whose feelings are hurt if my personal financial information is exposed because they have a buggy system (seems like ALL their systems are buggy). At some point they need to release information on what possible security impacts may have occurred. The ONLY legitimate reason they haven't yet is because they are still trying to assess what the impact was. Any other reason is just them covering their ass. This is not singling them out; many companies have had security breaches recently. Some have kept quiet deliberately putting other people at risk just so they can cover it up. That is unacceptable.

Ultimately everyone is responsible for their own security so I do hope others update their passwords and personal information that Turbine holds. Unfortunately there doesn't seem to be a way to remove your credit card info from Turbine's website (probably calling them will help?). Thankfully the temporary card I used already expired but they have my address. I can't remove it or even put a fake address because it won't match the billing address on my expired card therefore won't update. The only way for me to change my address is to provide another credit card # that matches that address....

Link to comment
Share on other sites

TBH I find it rather unfair to rant against Turbine in these cases.

First: I am completely convinced that they do what they can to solve the issue. Second: if we aren't informed the way you all want to have it, please consider if this may be for security reasons. The less information WE get, the less information gets through to those who may do harm.

If the leak is indeed as described here, it's a mistake along the lines of not only leaving the back door open, but having removed all the locks on the door and then being surprised someone could walk in. If an MMO company (who know they're often targets for hacks) makes a mistake like that I believe it's quite fair to tell them that they screwed up big time. Especially if they've been told repeatedly that there's room for improvement of security (NOT the same pw for game/forum accounts, 2-factor auth options). As for communication I can quite understand that they're not willing to provide details, but the least they could do is either firmly deny that there is an issue or if there is make known that you're aware of it and working on it (and what you expect your customers to do, as they're keen on telling that account security is our problem). Although if they're really doing all they can the first they'd have done is remove all possible ways to use the leak, so information about it coming out wouldn't do too much harm anyway. To be fair: the updated statement is a good start.

Link to comment
Share on other sites

TBH I find it rather unfair to rant against Turbine in these cases.

First: I am completely convinced that they do what they can to solve the issue. Second: if we aren't informed the way you all want to have it, please consider if this may be for security reasons. The less information WE get, the less information gets through to those who may do harm.

And last but not least: as long as Turbine/Codemasters give free stuffies and goodies and what not, I read lots of *thanks* and *hugs* and *luv ya*'s for the devs. But the moment any problem occurs, the community turns bad immediately calling them incompetent, and what not.

*scolds all*

First, let me say that keeping silent at this point does nothing whatsoever to increase security on their forums. What is more likely happening is that they understand the PR nightmare they may have on their hands and have ordered silence on the matter from all personnel until they can cobble together an official statement.

But, since no official statements have been forthcoming after more than twenty-four hours, I believe they are completely blowing it. Any fool can understand that this is the type of situation that requires PR management from the outset. Just like the security issues themselves, this will not go away just because they refuse to discuss it. In fact, it is likely to become worse because of that.

Sure, they are probably reticent to discuss it since what has happened here is highly likely to be unconscionable. If it's bad enough, they may even be hanging out there liability-wise, which is generally a very good reason to keep one's mouth shut. But, they have a duty both morally and legally to inform their customers if there is a danger that their personal information has been compromised.

Is it possible that they believe they can just issue a single statement once the forums are back online and call it a day? If so, I believe they may be in for a very rude awakening.

Link to comment
Share on other sites

the screenshots and stuff provided to me...

they all lead to one conclusion

(and I still canNOT believe that it is true):

Turbine's databases allowed ANONYMOUS access - read-only, but still.... WTF?

(Disclaimer: I don't know that for sure. I have not tested it myself. It's just what I believe right now... reasonable suspicion - kinda.)

Link to comment
Share on other sites

TBH I find it rather unfair to rant against Turbine in these cases.

First: I am completely convinced that they do what they can to solve the issue. Second: if we aren't informed the way you all want to have it, please consider if this may be for security reasons. The less information WE get, the less information gets through to those who may do harm.

And last but not least: as long as Turbine/Codemasters give free stuffies and goodies and what not, I read lots of *thanks* and *hugs* and *luv ya*'s for the devs. But the moment any problem occurs, the community turns bad immediately calling them incompetent, and what not.

*scolds all*

*If* the forums are down due to security issues then it is unfair of *them* to put their customers' information at risk in this way. I will not pretend to be familiar with security issues, however it is Turbine's responsibility to put necessary resources into protecting the data they hold about each and every customer.

Furthermore, I would question why the original poster who expressed these security issues directly to Turbine did not trigger any immediate investigation. Telling customers that they are closing a potential security breach that has been discovered may not be great for instilling confidence but it would not be sufficient information to get through to 'those who would do harm' - they don't need to give customers specific details. If they did want to instill confidence perhaps they should respond more proactively to customers who express concerns about potential security issues...

I doubt the majority of people here are the same players cosying up regarding goodies and free stuff... are you sure you are scolding the right people?

Link to comment
Share on other sites
