Thread: Official Thread: Community Site Issues Discussion

I am in the IT Security industry. So I know that #### happens.
What counts is too keep your customers happy.

To keep worried customers in the dark is the WORST possible way to handle it!
Your only chance is to keep your customers informed. Show them that you are able to react professional.
I am really worried now that I had to realize you aren't able to deal with such a situation in a professional way.
What of my data did get disclosed? And I am not asking politely. I DEMAND an answer!

(Where does this stupid 'AUTO-SAVED' come from? I certainly didn't activate it.)

Originally Posted by Arbalister

Huh...good question...lemme see...

Nope - you're right. I never actually counted the characters in the myaccount/launcher before. It only takes 16.

Which means that howsafeismypassword.nets number isn't as good as I thought. Now it's only 193 trillion years...

A completely random password of 16 characters chosen from the set Turbine allows represents just over 100 bits of entropy.

However, 100 bits of entropy won't protect you much if your random password generator picks the following 16 completely random characters: f-e-e-b-l-e-m-i-n-d-e-d-n-e-s-s

The odds of any specific 16 character combination (including that one) appearing randomly are very slim. My point is that when protecting against an offline attack, it's still important to review random passwords for human preferences and weaknesses.

I'd really like to see a simple statement from Turbine-is everyone getting these emails or no? Do we need to deal with credit/debit card number changes, etc.? Sorry, but "If they don't say, you're fine" won't cut it. And claiming that using the same username/password for the forums and game was safe is of course now patently ridiculous.

Originally Posted by Arbalister

I don't think there's any fear of having your cc numbers exposed - you can't pull it up yourself from the myaccount.turbine.com site. All it shows is the last 4 digits.

Which doesn't necessarily mean the whole string isn't in their DB. I mean, they manage to charge the cards somehow.

Originally Posted by Hrodberht

I'd really like to see a simple statement from Turbine-is everyone getting these emails or no? Do we need to deal with credit/debit card number changes, etc.? Sorry, but "If they don't say, you're fine" won't cut it. And claiming that using the same username/password for the forums and game was safe is of course now patently ridiculous.

I don't think there's any fear of having your cc numbers exposed - you can't pull it up yourself from the myaccount.turbine.com site. All it shows is the last 4 digits.

Given this security.... debacle....

Can we FINALLY get authenticators for our accounts?

Even if it gives whoever's hacking a serious speed bump, I'd rather have the ability to throw an obstacle in front of them than not.

Originally Posted by Arbalister

I don't think there's any fear of having your cc numbers exposed

Well, that depends on how they're stored (and of course, whether that data was exposed at all). vB forum passwords are stored with a one-way hashing algorithm, hopefully with a custom "salt" applied so it's quite a bit harder to crack. Turbine has it's own "unified login", so they might store it differently, but that general approach is sound.

CC info has at least the potential to be easier to crack than any decent passwords because the range of possible values for a given length are much smaller. It all depends on what sort of encryption they use, what additional algorithms are layered in, etc. This is why they need to let people know if that sort of data was lost. Heaven help them if players start taking it in the shorts with their CC companies and they didn't warn anyone. That could easily turn a mess into a full-blown disaster, and they obviously don't want that sort of event to happen at any time. (But especially not just before the largest MMO in the past 7 years is getting ready to ship...)

Now that things are supposed to be closed up tight, the best policy is full disclosure IMO.

Khafar

Originally Posted by Khafar

Well, that depends on how they're stored (and of course, whether that data was exposed at all). Forum passwords are stored with a one-way hashing algorithm, hopefully with a custom "salt" applied so it's quite a bit harder to crack.

CC info has at least the potential to be easier to crack than any decent passwords because the range of possible values for a given length are much smaller. It all depends on what sort of encryption they use, what additional algorithms are layered in, etc. This is why they need to let people know if that sort of data was lost. Heaven help them if players start taking it in the shorts with their CC companies and they didn't warn anyone. That could easily turn a mess into a full-blown disaster, and they obviously want that sort of event to happen at any time. (But especially not just before the largest MMO in the past 7 years is getting ready to ship...)

Khafar

Exactly ^

A standard MD5 one-way hash of 8 character/numbers can be calculated by brute force on a modern GPU in 10 minutes.

Originally Posted by Bob

I just got an email through about account security. The email said my password had been reset and I needed to follow instructions to create a new one. However, my password hasn't been reset. I can still log into myaccount.turbine.com and ingame with my current password, which was changed a few days ago, the day before the reccomended password change announcement when someone notified me of the issues with security.




None of my stuff has been stolen, as of yet.
I followed the instructions, not via the email links but via the launcher link. So here's hoping everything is ok. But just to let you know, Turbine, you hadn't reset any passwords if this email was legit.

Same thing happened to me. And when I looked at the message headers, the message had not originated at Turbine. The email had links to click on. That left me wondering about a phishing attack.

I have had no such email sent to my account.

Originally Posted by Rugli

Same thing happened to me. And when I looked at the message headers, the message had not originated at Turbine. The email had links to click on. That left me wondering about a phishing attack.

If the email message originated from a host at parature.com, bluehornet.com, or playspan.com, it's probably authentic.

• Turbine uses a web-based solution from Parature for its all of its support operations.
• Turbine uses BlueHornet (from Digital River) for managing its email marketing cammpaigns and customer contact preferences.
• Turbine contacts with PlaySpan (now owned by VISA) to operate the LOTRO Store.

Edit: I do agree, however, that Turbine's failure to use a single domain under their direct control for email can be disconcerting.

Not sure if they are busy or not but I followed the instructions about changing the password and have waited quite awhile for the confirmation email and still have not received it. I can still log in to the game and forums using my old password.

I received the Reset Your Password email but I don't think its from Turbine.

... click on "Forgot your password?" You may also click this in the game launcher.
Follow the instructions on how to recover your password. A new password will be sent to this e-mail address.

Well I have not forgotten my password and it still works and I would never Click A Link to recover a password from an email...

I think someone is still poaching stuff... sort of like the constant emails I get about my Battle.net account being compromised - I have never had a Battle.net account and never played WOW....

I will change my PW but only if I initiate the connection to the account page.

Greetings!

I would suggest to everyone here... If you used the same password, with which you logged into LOTRO on other games and/or forums, that you also chang those passwords. Most people who play MMOs or post in forums get "known" around the Internet. If there is a digital-trail of your past postings / game playing, then the stolen password from Turbine WILL be tried on those other sites for access. This is just a word of caution!

I always check any email that purports to come from official sites/games. If they are genuine, then I follow their instructions.

So far, I've recieved about 100 phishing emails from Blizzard, Citibank, Jagex, NCSoft, etc. Out of the 100, only one could have been genuine...I do have an NCSoft account...but none of the others.

To check the email from "Turbine":

• Checked the full header of the email.
• From the full header, I found: Received-SPF: pass (domain of returnpath.bluehornet.com designates 216.54.194.103 as permitted sender)
• I directed my browser to http://www.networksolutions.com/whois to look up the domain of bluehornet.com
• I found the following ownership:
===> Registrant:
Digital River, Inc.
10380 Bren Road West
Minnetonka, MN 55344
US

Domain Name: BLUEHORNET.COM


Administrative Contact , Technical Contact :
Digital River, Inc.
hostmaster@digitalriver.com
10380 Bren Road West
Minnetonka, MN 55344
US
Phone: 952-253-1234
Fax: 952-253-8497

Record expires on 27-Feb-2014
Record created on 02-Mar-2005
Database last updated on 15-Oct-2006

• Digital River, Inc. are used by Turbine to download & verify the Isengard Expansion...so they are a trusted site.
• Redirected the browser to https://myaccount.turbine.com
• Followed the email instructions and clicked the "I forgot my password" to initiate the resetting of the password.
• Noticed that it only asked for my Account Name...not any email address. This is vital since phishing sites would ask for the email but Turbine is relying on the one that the account was registered with...which is stored seperate from Account Name & Password data.
• Clicked on the link to reset the password in the email received.
• Came here to the Forums to see if the password was changed. It takes a few minutes to update Turbine's servers...so the first entry didn't work. But the second try worked fine.


Hope this helps and isn't just another "Wall of Blah"!

TQQdles™,

Dolnor Numbwit
Eternal Newbie
Satine's Web Browser

Originally Posted by Victiswolf

A few of my Lotro kin and friends have been looking online for information on the security issue. There are forum posts and blog/news sites saying that the hole in security has been there ever since EU migration or possibly longer. Has the security hole been there since EU migration or could it have been there longer? (ie vbulletin security issue)

According to them same posts it was said that the person who pointed out the security flaw had access to 1 million accounts. Is this true? and if so will everyone be contacted by email?

Other people on lotro facebook mentioned that your suppose to inform everyone if their information could of been accessed without our or your knowledge. Will you be contacting everyone who could of had their private information stolen or just the people who had their accounts raided by hackers?

What exact information was accessed? and are you certain you know how many accounts or which accounts had their information stolen?

If i have credit card information saved on my account do i need to cancel my card? Did the breach give them access to credit card information?

Is there any chance we can get extra security on our accounts such as coin lock or a authentication system that could be accessed by phone?

Are the players who got hacked going to have their gear restored?

In light of this issue are we going to see are forum accounts removed from a lotro accounts so we can better protect our player account information with different passwords? (as other posters have pointed out shared passwords between forum and game accounts is not wise as forums are far easyier to hack)

Many of us would like better security on our accounts. Will Turbine be having a open discussion with the community as to what security measues can be implemented?

There are posts that say vbullintin is not fully secure from hackers. Is this true and if so will this be addressed?

This really sums up all questions I have about this incident, thank you Victiswolf for this.

Now the only thing we need is to get ANSWERS from the Turbine staff - is there anybody from Turbine present who is monitoring this thread and can give answers to the questions asked above?

I hardly think this subject needed more confusion. but we now have at least two different emails being sent to some, but not all, players. FWIW, my email came from newsletter.turbine.com.

If this post can make it through my TARDIS and onto the thread I hope this helps. I know I haven't been playing LotRO for very long, bout a year now, but I still think I have a relationship with Turbine. They lured me in to one of the most addictive games I have ever played then stole my life away. I have given them far more money than I care to admit, and for that I feel like I deserve something. I understand there are security concerns, but I can't fully buy that. The perpetrators of this attack clearly know what they did, and when they saw the forums down they must have realized it was in response to the attack. One of the most annoying aspects for me was that right when the forums went down Turbine fed us some bogus story about maintenance. Telling us that there had been an attack couldn't have hurt, clearly they weren't going to scare the attackers away. The internet is a unique place where it is much easier to get closer to true anonymity, and for that reason I believe that those we put our trust in, in this case Turbine, need to put forth extra effort into transparency. I am not expecting Turbine to tell us everything, especially not what they plan to do for extra security or to find the attackers, but they can tell us what has already happened, what has been possibly exposed so as to let us, the consumer, make educated decisions about what to do about our own private information.
Thank you for listening to all that,
Hang

The launcher needs to be more clear that the issue doesn't only affect 'forum users' (ie people who actively use the forum) but that everyone who has a turbine account should be changing their password.

A couple of things.

1. I haven't seen one post by a blue name in this thread. I'm wondering if they are just letting us blow steam and forget about it.

2. This forum is still in beta.

3. It's still the same damn forum in spite of all that happened.

4. Information from Turbine has been nil.

5. Issue number one deserves to be read again. It just seems to me that they are just letting us rant about the forum and not responding just like they have done for the last 13 months. It really disgusts me. Very poor customer service. Right now with what happened I cannot recommend this game to anyone. I never thought I would hear myself say that.

Originally Posted by 0rdinary0wl

I have had no such email sent to my account.

Who, what? Bah! Nope they haven't sent me an e-mail, to my ONly account (yet?) either...
/Disappointed.
But PBS would like me to donate.

Originally Posted by Nymphonic

A couple of things.

1. I haven't seen one post by a blue name in this thread. I'm wondering if they are just letting us blow steam and forget about it.

4. Information from Turbine has been nil.

5. Issue number one deserves to be read again. It just seems to me that they are just letting us rant about the forum and not responding just like they have done for the last 13 months. It really disgusts me. Very poor customer service. Right now with what happened I cannot recommend this game to anyone. I never thought I would hear myself say that.

This.

...............

Saying that turbine didn't contact individuals via mail is simply not true.

I haven't been aware of this whole incident until I received an email by turbine that they locked my account since it might have been abused due this issue.
The help desk has been friendly. Yet it had been already to late. My Chars had been stolen and the house was sold (and retaken :-( ).

I cant say that turbine isn't helping me. No it seams they are friendly and trying to solve the issue. even so i dont think i will get the same house again since someone else moved in...
But lets not forget .. this is only a game..

I would just like to advice people not only to change there passwords at turbine but at other sites as well.

As for turbine i would love to see something they use over at blizzard (wow). There your account is secured with a 3rd party token.Its like a one-time password that changes every 2 min.

Just a couple of minutes ago I finally got an email advising me to change my password, this being the one from newsletter.turbine.com. Since I had changed my password after the 11th, I'm not worried about it anymore, but this does show Turbine is rolling out emails now, probably to everyone with a LOTRO account. It is simply taking time to get all of them sent.

Originally Posted by Nymphonic

A couple of things.

1. I haven't seen one post by a blue name in this thread. I'm wondering if they are just letting us blow steam and forget about it.

I'd cut them some slack on that- after all, this thread was started last night, and its still early EST. Let them at least wake up

Originally Posted by Nymphonic

2. This forum is still in beta.

Been that way for quite awhile now.. Hmmmm- hope they change that, soon.

Originally Posted by Des1

I'd cut them some slack on that- after all, this thread was started last night, and its still early EST. Let them at least wake up



.

Ooooh ok, if you insist!

Originally Posted by Arbalister

I don't think there's any fear of having your cc numbers exposed - you can't pull it up yourself from the myaccount.turbine.com site. All it shows is the last 4 digits.

Turbine is not allowed to display your full credit card number anywhere (semi-)public for security reasons. Nor is any other website really. Simply displaying the full info would make it accessible to any individual who just might happen to glance at your screen while you've gone to get coffee or something. You can be sure that if someone indeed got into their database with credit card data, they have the full info.

The only reason I know what's going on is that I'm a member of "that other site". I've warned my kinnies who don't use this forum that they should change their passwords but a lot are sceptical about my info as they've heard nothing off Turbine and don't use these forums often. I don't think that simply emailing those who Turbine *think* have been affected is enough: an email should be going out to *all* users.

As for keeping us updated during the days the forums were down, all I saw on Twitter were ads for competitions :S Not ideal when you're wondering if your password and account is safe...

I find it very bad customer service for Turbine not to have immediatly advised all players to change their passwords as soon as they were made aware of unauthorized access to the accounts database.

I would hope that in light of this issue as you are liking to call it, then you will revert back to having different passwords for the forums and game logins. This has been requested numerous times. The events of the past week have proved that your forums are not safe as you have stated in reply to these requests.

Lets also hope that you have done full checks on the forums to ensure that you did not leave any other doors open. If you are planning on sending me one of those emails regarding this be sure to include in it a list of all my details that have been compromised. Will save you some work in the long run

I must say this is the most amateurish and inept forum handling and coding I have seen in quite some time. Beta after HOW many years? GTC VIP upgrades just working recently.. From the underhanded censorship through turning posts "invisible" but for the original poster, to the abysmal handling of vital information and outright dangers of identity theft to the users. I´m glad this catastrophe led me to the "other" Lotro forum. This will be the last time I have logged in here.

Well, I got an email this morning from Turbine Support advising me to change my password. How many of you are getting the same?

I'm assuming they have added something to the launcher advising people to change there passwords for those that don't visit the forums (I haven't logged in this morning so it may already be there!)

Originally Posted by GV-Tanith

Well, I got an email this morning from Turbine Support advising me to change my password. How many of you are getting the same?

I haven't yet, although I had already changed my password after being advised of the issues on "other site" (is that the official name for it now?)

Originally Posted by Runesi_EU

I'm assuming they have added something to the launcher advising people to change there passwords for those that don't visit the forums (I haven't logged in this morning so it may already be there!)

The only text on the launcher is an advice to click a link regarding forum updates. I know lots of people in my kin don't read these forums and don't care about reading up on forum updates either. They all missed the important information contained in that message simply because they did not think it was anything that concerned them.
The advice to change passwords would reach many more players if it was directly stated in the launcher in stead of referred to via a link regarding forum issues. Most* players don't even know their forum accounts are linked to their game passwords.

*where "most" is a number of 9:1 players in my kinship.

Originally Posted by Sapience

We ask our players to please direct all comments and discussion related to the recent community site issues to this thread.

From your statement about this:

We take all potential issues seriously

So, how seriously do you consider it?

As I understand it, Turbine were told, privately, under the "responsible reporting" principle about a huge security flaw ..and you did NOTHING until the person who discovered it despaired of your taking any action and posted publicly about it, at which time you took the forums down.

Is that taking is 'seriously'?

Not to me it isn't, it's taking notice only when it becomes a PR embarrassment.

Received an email from newsletter@turbine.com.
Some of the grammar is a bit dodgy and anyway all my passwords have been changed so no reason to click any links.

Just wanted to know, if this is a legitimate email or a Phishing email.

Originally Posted by Boraxxe

...I used my old password.
Guess what? Here I am.

Hey Lotro Forums site maintenance/security folks... there is a problem here.

*waves to the forum maintenance/security hobbits in charge*


I changed my passwords 3 days ago when the forums went down.

I have a new password and I have been using it for the game for the past 3 days.

The forums were back up during my night.

This morning I was able to log in on the Forums with my old password( the one I changed a few days ago)

Is this working as intended?

Thanks in advance for the support

Still running the old and new password. lol

http://www.youtube.com/watch?v=COSeM...eature=related

Originally Posted by Boraxxe

I have TWO passwords that work for the forums and only one of those will work with the game.

Some stuff still needs fixing.

*Little Update*

Same here. Both passwords old and new do work on the forums

Surely this can't be as intended...right?

Got the email recommending I change my password (which I had already done a couple of days ago).

The entire situation is a disgrace. It's not exactly a secret that kids all over the world have been showing off their hacking abilities in a very public manner lately, attacking banks, corporations, etc. to prove how inept some of the people handling security seem to be these days. Not only has Turbine revealed itself to be vulnerable to hacks, but they have handled the matter poorly, revealing no solid information to their customers. They deserve to get bad publicity for this, and I sincerely hope they do.

For those interested, got the email as well, and the old password no longer works (changed it yesterday...before I got the email). So I guess that's something. But honestly, it's getting a little ridiculous. You can't keep people in the dark like this. I realize Turbine's trying to dampen a potential PR disaster, but in doing so they're fueling another potential PR disaster.

Your customers deserve an answer to very legitimate concerns. They trusted you with their private information, and deserve to know if that information was compromised.

And really, I don't think anybody's asking too much.

*Little Update # 2*

I was timed out (?) of the Forums after I posted my previous comment in this thread.

I had to log in the forums again.

I did try the OLD password which does not work anymore.

I used the NEW password and here I am, so thank you for fixing my issue , that was really fast

*hands a cookie to the technical maintenance hobbit in charge of passwords*