-
Oct 18 2011 04:03 PM #241
Re: Official Thread: Community Site Issues Discussion
-
Oct 18 2011 04:03 PM #242
Re: Official Thread: Community Site Issues Discussion
I just hope officials start responding to this thread with more info. This is a very serious issue and silence shouldn't be an option for Turbine.
Last edited by MoonwalkIntoMordor; Oct 18 2011 at 04:21 PM.
Yalras
Eldar
-
Oct 18 2011 04:07 PM #243
Re: Official Thread: Community Site Issues Discussion
This^^^
The hacker contacted Turbine about their security hole by Email and the forums. They ignored him just as they ignored everyone else saying that linking forum to game accounts is unsafe.
If it wasn't for him we would still be stuck with an unsecure system where anyone could get their information stolen at any time. It was only when the "white hat" hacker posted screenshots of Turbine's databases that Turbine took the forums offline. He posted images that showed he had access to over a million accounts across 2 databases. He stated it was to do with a door left open since migration. Would you be happy if that door was still open?
I don't think it's any coincidence that some news sites/blogs and forums have made posts regarding a large increase in the amount of lotro accounts that have been compromised by hackers. I do not believe in coincidences or that games companies tell end users when their information has been left unsecure. Every time you read about it in the news the games companies admit nothing till a hacker uploads their database. That doesn't inspire confidence at all.
Last edited by Victiswolf; Oct 18 2011 at 04:12 PM.
Victuswolf - Rank 7 Warg
VaeVictis - Rank 7 Weaver
Server Snowbourn - Member of the Blackpact
-
Oct 18 2011 04:14 PM #244
Re: Official Thread: Community Site Issues Discussion
He did not expose the vulnerability beyond some very general descriptions and did not give any information to the public on how to exploit it. He apparently did share those details with Turbine. As far as I'm concerned he did keep it private enough to ensure no additional damage was done, but public enough to make sure Turbine would do something. He did it right as far as I'm concerned and all of our information is safer now because of his actions.

-
Oct 18 2011 04:15 PM #245
-
Oct 18 2011 04:51 PM #246
Re: Official Thread: Community Site Issues Discussion
And yet, all they took down was the forums.
They didn't take down the game, or the myaccount pages.
Remember when Sony was hacked? PSN was *gone* totally.
Posting screenshots of an exploit does *nothing* productive except a) let every hacker that sees the post know that there's a potential for mayhem, and b) force the company - whatever company - to take action before they have a chance to actually analyse the threat.
It's not *noble* to post it in public. It's akin to throwing a temper tantrum, because they didn't instantly cave to your will. Period.
If the guy *truly* had noble intention, he would have presented his evidence, explained the exploit, suggested a fix...and then kept it to himself.
There *are* white hat hackers out there. Someone that posts it all publicly does not fit that definition.
-
Oct 18 2011 05:08 PM #247
Re: Official Thread: Community Site Issues Discussion
The forums are obviously the weak link in the chain that leads to the account database. They should have taken the forums offline as soon as the hacker had emailed them. There is no good reason to leave a security hole open. Leaving the forums up to make it look like there's no security hole in the forums and putting the entire Lotro community at risk is wrong, period.
In every single case where a games company's security has been flawed they have done nothing till a hacker provided proof of a security breach. Both Sony and Trion "Rift" didn't fix their security issues till weeks or months after people had already been hacked. The same goes for Turbine.
The community has been telling Turbine to increase security for over a year. The Lotro community has been telling Turbine to separate forum and game accounts for over a year. This led to many threads locked and posts deleted. Nothing done at all. The hacker contacted Turbine directly and heard nothing back from them about the issue. We always hear nothing and get told everything's fine. That our information is safe. Well our information wasn't safe and we have every reason to believe that it's not been safe since the end of May.
It was ONLY when proof was provided on the interwebs that any games company has taken action or admitted that personal information had been compromised. First Sony then Trion and Now Turbine despite all the best efforts of this community to highlight the need for added security measures.
Why should we trust any games company at this point to take action in private when they only ever take action when a hacker uploads proof that customer information is not secure?
Last edited by Victiswolf; Oct 18 2011 at 05:17 PM.
Victuswolf - Rank 7 Warg
VaeVictis - Rank 7 Weaver
Server Snowbourn - Member of the Blackpact
-
Oct 18 2011 05:16 PM #248
Re: Official Thread: Community Site Issues Discussion
It makes a difference, because as soon as the forums went down, they could not get in using the back door anymore. If the forums are hacked, that doesn't mean all other apps, like game-login and lottery software are hacked too. So it is completely normal to shut down forums while keeping other services online. It is just like real life: if you own something, it means that someone can steal it. If you live in a house, you can be burgled. It's not only the landlord's responsibility to secure your home, but also the tenant's.
After everybody changed passwords, the hackers cannot get in anymore. I changed my password again, less than a week after changing it like I always do on a regular basis. I have never been hacked in my life, just because I have a unique password/username combo for every service (1password is your friend) and my game profiles for my characters are anonymous, so you can't see which account those characters belong to. I never give my credit card information to companies, I either use paypal or I use a prepaid debit/credit card.
Yes, it sucks to be hacked, but like I said, it can happen to anybody, no matter how secure your site is. If people want to hack your site, they will eventually succeed in doing so. It's not fair to 100% blame one party. I would have liked more info, too, because some personal information is at stake. But I also see why they cannot give all the information I like to hear, because that would compromise security and encourage hackers to try to find more holes.
I am interested to see what the aftermath will be. Of course I lost my trust in Turbine and won't be buying Turbine Points or get a subscription using a credit card any time soon and I'm assuming I am not the only one. This is going to hurt them financially, they know that. Therefore I'm sure they will do whatever they can to make things better, not only in the player's interest but also in their own business interest.
-
Oct 18 2011 05:18 PM #249
-
Oct 18 2011 05:20 PM #250
-
Oct 18 2011 05:24 PM #251
-
Oct 18 2011 05:24 PM #252
Re: Official Thread: Community Site Issues Discussion
Sorry, you don't know that. You have no idea how many security threats they've been notified about, and responded to, and corrected. And I don't just mean Turbine, I mean any company with an online presence. You have no idea what they do in the background. Neither do I - I only know from personal experience with the servers we maintain. One of them has been under near constant attack for the last 4 years - with one breach that was something we had to notify customers about. I personally have reconfigured, rewritten, or updated security measures on that machine on a near weekly basis, in response to changing attack vectors - as well as monitoring several automated system defenses.
We know about this one, because someone chose to splash stuff around. Is he a white hat? Or someone who's been working to get in just to prove his position that the servers aren't secure enough? I can bet that one of the things Turbine's lawyers are looking at right now is whether or not the "white hat" should be brought up on charges - most countries have laws against the misuse of computer systems.
-
Oct 18 2011 05:27 PM #253
Re: Official Thread: Community Site Issues Discussion
Yes, this was what I had in my mind when I asked that. My kin's forums (which are part of a larger gaming site) recently started using XenForo, and I love it.
I understand these things are not simply changed out like one's purse, but in light of this I'm hoping Turbine is at least considering it.
-
Oct 18 2011 05:28 PM #254
Re: Official Thread: Community Site Issues Discussion
I don't think people are necessarily blaming Turbine for being hacked (although if the claims about them leaving the door open are true, then they are to blame). What most people are angry about is the lack of communication from Turbine (as usual). It took several days of the forums being down before they told people to change their passwords, and even then it was only on the forum and with a link to the forum on twitter/facebook. From the email we got today, this was several days after they'd closed the hole. It's now a week after they closed it, and they're only just sending out emails to people to change their passwords. Look at the message in the launcher, it could mean anything, most people won't give it a second glance.
After all this, we still haven't had any confirmation on whether or not they took credit card etc. details or not. Sapience has opened this thread 24 hours ago, and there's been no response since. It's not good enough. They have the legal responsibility to protect the information they give us, and if something happens to that information, to tell us. So far they've failed on both counts. As people say so often, a little more communication would go a long way.
-
Oct 18 2011 05:37 PM #255
Re: Official Thread: Community Site Issues Discussion
Actually there was a reason, customer requests. Before if one wished to submit an ingame ticket, one had to log on to the forum when the pop-up window appeared and people complained about it. People complained about needing a separate log-in to access the Lorebook ingame. If Turbine went back to separate logins, I suspect there would be complaints about the "inconvenience."
-
Oct 18 2011 05:38 PM #256
Re: Official Thread: Community Site Issues Discussion
Hir i Meigol Bruinen/High Council Member of the EoI/Of the Exiles of the Hidden City/Meigol Bruinen, Uncle Seregnin's Misguided Children, Curse the name of Maeglin, the Treacherous Villain, forever, may he rot in the Halls of Mandos for all time....
-
Oct 18 2011 05:45 PM #257
-
Oct 18 2011 05:47 PM #258
Re: Official Thread: Community Site Issues Discussion
They need to be educated on why this is important. If you're going to convenience them and say, a database gets hacked with potential access to their credit card data and other important stuff, they'll also get an education, but is a "practical approach" really the best option?
edit-
dang it turbine, sync those servers with an NTP server or something. This time difference is driving me bloody crazy. This has nothing to do with "wonky servers", they're just not time synced.
Last edited by Rhyaehar; Oct 18 2011 at 05:54 PM.
lotrocommunity.com
-
Oct 18 2011 05:48 PM #259
Re: Official Thread: Community Site Issues Discussion
Still no blue names in this thread? I know at least one has read it...
Even if it's just to say that you're investigating, the sensible response would be to post *something*. Anything. All you have right now are extremely annoyed customers. You can't tell me that's good business sense!
Blaize, Ellorien, Melica, Rhedyn, Finriel, Aerynna, Merywen, Faelarth, and Tathriel, wandering the shores of Middle Earth.
-
Oct 18 2011 05:50 PM #260
Re: Official Thread: Community Site Issues Discussion
People can be weird about convenience. I remember working at a medical facility with two trash containers side by side, one marked "Trash" and the other "Biohazard waste only". I watched an RN that I knew had a Bachelor's toss some printouts, basic office trash, into the biohazard bin. When I asked her why, she replied, "It's closer."
Point is, I am not too sure that many customers would accept inconvenience for security - those posting here of course, but what about the majority of customers that don't frequent the forums?
-
Oct 18 2011 05:53 PM #261
Re: Official Thread: Community Site Issues Discussion
-
Oct 18 2011 05:55 PM #262
-
Oct 18 2011 05:57 PM #263
Re: Official Thread: Community Site Issues Discussion
I changed my password after the forums were taken down. I use KeePass to generate complex high bit-depth passwords. Little good that did since I'm logging into the forums with my old password.
I don't know what to say without coming off as rude, but I'm not a happy camper at all. I find this inexcusable.
I was hoping the old forum software would have been scrapped. I don't need fancy forum software and the myLotRO site is still sluggish compared to other gaming sites. Please just scrap the social network you were trying to create and make a lean clean website that is responsive and delivers information. I don't care if we have a unified login or not. Most of my other gaming sites use unified login, but they also have better security features.
Please provide a way for us to remove our payment information without calling you.
The Bees have chosen.
Order Through Chaos
-
Oct 18 2011 06:03 PM #264
Re: Official Thread: Community Site Issues Discussion
-
Oct 18 2011 06:07 PM #265
-
Oct 18 2011 06:08 PM #266
Re: Official Thread: Community Site Issues Discussion
In this case we do know a few important details. We know that players have been asking for better account security for a year. We know players have been asking for forums to be separated from game accounts. If we take the hacker at his word that he emailed them and posted on the forums telling them all about the security hole. We know that Turbine didn't decide to take the forums offline after the hacker contacted them by email and on the forums.
They could have at least emailed him back, right? Or taken the forums offline as a precaution to check this security issue out? They didn't. As a result a day or 2 later the hacker posted proof of the security hole as he believed Turbine was going to do nothing about it. Why? Maybe due to the fact every hour the forum was left up was another hour that any hacker could gain access to our information.
It doesn't matter what his motives were at the time. What matters is the hole was there in the first place for months (since EU migration if you believe the hacker) and the forums were left up AFTER someone contacted them with information about the security hole. That's what matters.
Everyone should think themselves lucky that this guy wasn't a hacker looking to sell the information although how many hackers have already found this security hole and already done that? After all anyone saying they have been hacked automatically gets blamed and referred to customer support. Turbine has always told us that our information was secure.
A few posters have pointed out that companies or government organisations have to promptly inform their clients if their information was left unsecure or compromised by a third party. It's been a week and Turbine hasn't told us what information was compromised. (that's if you want to get into the legal side of the issue) More importantly we still don't know if credit card information was compromised.
I will stick to the original point as this is going off track. The most important thing right now is for clients to be informed as to exactly what personal data was compromised due to the breach and for how long. Everyone needs to be contacted with that information so they can protect themselves from fraud, raided accounts and third party credit card bills.
Last edited by Victiswolf; Oct 18 2011 at 06:21 PM.
Victuswolf - Rank 7 Warg
VaeVictis - Rank 7 Weaver
Server Snowbourn - Member of the Blackpact
-
Oct 18 2011 06:10 PM #267
Re: Official Thread: Community Site Issues Discussion
It's incredibly difficult to try to debate this here with you arbalister as to point out the actual technical details here would obviously go against this forum's rules. Perhaps you should consider setting up an account at the lotrocommunity.com for further more detailed discussion.

-
Oct 18 2011 06:10 PM #268
-
Oct 18 2011 06:15 PM #269
Re: Official Thread: Community Site Issues Discussion
While we are all wondering about our security can someone tell me why we don't have those keychain fobs? They can't really be that expensive/hard to implement can they? My husband has one for work, some other games use them...
-
Oct 18 2011 06:20 PM #270
Re: Official Thread: Community Site Issues Discussion
This I believe 100%. People are asking why there hasn't been any input for the last week but the truth is that in regards to the forums there really hasn't been much input since the forums changed 13 months ago, other than one of the blue names saying, "The forums isn't going anywhere." I remember that quote to this day.
I was hoping Turbine would wake up after this but I feel it's not gonna happen. I really honestly hate their style just letting complaints about the forums die down without saying a word. This time it's really biting them in the rear.
Life is not a journey to the grave with the intention of arriving safely in a well preserved body, but rather to skid in broadside, totally worn out & proclaiming "WOW, what a ride!"
Civ II rules after all these years......

-
Oct 18 2011 06:23 PM #271
-
Oct 18 2011 06:23 PM #272
Re: Official Thread: Community Site Issues Discussion
>outdated<
Last edited by NepherDaan; Oct 19 2011 at 04:49 AM.

-
Oct 18 2011 06:26 PM #273
-
Oct 18 2011 06:30 PM #274
Re: Official Thread: Community Site Issues Discussion
Well maybe attracting the attention of a mod isn't such a bad thing. I mean this thread has been up a day now, they must be realizing how people are feeling; still no response from anyone from Turbine. I just wish they could pretend to care. They obviously made this thread so people could voice their opinions, but it does very little if they aren't listening, and that's what it feels like right now.

-
Oct 18 2011 06:31 PM #275
Re: Official Thread: Community Site Issues Discussion
Try posting on the general forums about any of this. Better yet, look at how many threads have been closed and redirected to here.
This is the official thread so it does not have to follow those rules because Turbine knows many people are very upset and will vent. If they don't allow people 1 thread to vent in, they know it will result in a mass exodus. I've seen it before. The moment there was a hint that Asheron's Call 2 might be shut down, people fled in droves. Sure it did eventually end, but by the time the servers were finally pulled offline, the player base was so small we all fit on 1 server.
Achiever 26.67%
Explorer 86.67%
Killer 6.67%
Socializer 80.00%
-
Oct 18 2011 06:37 PM #276
Re: Official Thread: Community Site Issues Discussion
What's the penalty for attracting a mod's attention on the forums? If you get banned here does it also ban you in game? I could say a few swears in hopes that a mod would be forced to respond, but I don't want to not be able to play. ;p
Here goes....
Jimminy Crickets, it is a load of fudge that nobody has responded to our legitimate concerns. Turbine being so mum on this issue is a bunch of crabapples.
-
Oct 18 2011 06:37 PM #277
-
Oct 18 2011 06:41 PM #278
Re: Official Thread: Community Site Issues Discussion
More like "an anonymous person on the Internet claiming to be a white hat hacker, and posting a heavily edited screenshot purporting to be a legitimate screenshot of a successful hack, but which actually shows very little of interest, and certainly doesn't show access to encrypted passwords or credit card info."
Oh, and this too:
-
Oct 18 2011 06:44 PM #279
Re: Official Thread: Community Site Issues Discussion
So it was all just a coincidence that Turbine's forums were taken offline AFTER he posted the images and that Turbine hasn't denied that credit card or other personal information hasn't been compromised. right......
If he provided them with the same screen shots and detailed information that he published online about the security hole then the only reason they kept the forums up was because it wasn't public knowledge. Turbine should take ANY and ALL measures to protect our private information when they are provided with proof or reasonable cause of a security issue. It would indicate that they knew about the issue or they wouldn't have taken the forums offline after the images were posted. It is logical.
If someone else had informed them about the security hole then we would have to assume that Turbine kept the forums up despite knowing about it. That's not exactly a good idea....
Last edited by Victiswolf; Oct 18 2011 at 07:06 PM.
Victuswolf - Rank 7 Warg
VaeVictis - Rank 7 Weaver
Server Snowbourn - Member of the Blackpact
-
Oct 18 2011 06:46 PM #280
Re: Official Thread: Community Site Issues Discussion
Look, it's commendable that they are allowing us a thread where we can discuss, vent, ask questions and debate this issue in.
It's commendable, it truly is.
What is the issue now, for a lot of us, is that we're not being informed about the severity of the breach. That we are having to rely on information from a third party site isn't good enough.
Valid questions have been asked about exactly what has been compromised, information we are all entitled to know, since it's our information to start with.
The simple fact that there is only one Community Rep post in this thread, the opening post, is not good enough.
This has no bearing on how I feel about the game, its quality or lack thereof. But this is a 2-way street, Turbine.
We need some answers. Please, provide us with those.
I said before that the ball has been dropped. It's right there in your court, Turbine. Please pick it up. This is a great game (imho), but you can and must improve on your handling of this situation.
Hir i Meigol Bruinen/High Council Member of the EoI/Of the Exiles of the Hidden City/Meigol Bruinen, Uncle Seregnin's Misguided Children, Curse the name of Maeglin, the Treacherous Villain, forever, may he rot in the Halls of Mandos for all time....











