I'm noticing a distinct pattern of the Devs ignoring the question we're all asking, why the heck did it take a year and a half for you to notice this?? We put faith in you providing security, this incident clearly undermines that faith.
:mad: just tried to log in, got unable to verify account so headed to the forums, got told I have to reset my password by the forgot password link (ok?)
first way took me to the PWE account, which I don't have, so went the other way to the Cryptic account and followed the links and got put straight back to the web site?
what gives, is everything broken now
if you want me to reset my password by the forgot password link then let me do it and not keep sending me back to the STO main website page
Not that anyone will read this, but the info IS on the "front page." Not of the GAME site - but of CRYPTIC's site. Just click on the link Brandon provided in the very first post of this thread. It will take you to the news release from last evening. If you see Cryptic's site, in big red letters (and boxed) there's a warning about the breach. This was there last night and was the same release that Massively used to report from last night.
Oh, and the CC info that was stored - does not appear to be "complete" numbers as per the announcement.
I hate hackers with the fire of a gazillion burning suns.
That is exactly what I'm experiencing. When I click the "forgot password" link it takes me to the PWE page, which of course doesn't recognize my email so it won't send me a new password.
I'm noticing a distinct pattern of the Devs ignoring the question we're all asking, why the heck did it take a year and a half for you to notice this?? We put faith in you providing security, you already store CCV numbers which is illegal to do so, but we ignore that because we have said faith in your security, this incident clearly undermines that faith.
Oooh, this is not something I had known!
After a bit of digging, I found some internet lawyers who say, it's not illegal in the local/state/federal sense but it is a violation of the merchant agreements of MC and Visa, and probably AmEx. The problem is that everyone and their brother on the net with a virtual storefront (probably) stores CCVs. And the credit card companies may or may not pursue that; it's pretty much up to them.
I realize this incident is a major headache for Cryptic, but I've been learning all SORTS of cool stuff about credit card numbers!
Not that anyone will read this, but the info IS on the "front page." Not of the GAME site - but of CRYPTIC's site. Just click on the link Brandon provided in the very first post of this thread. It will take you to the news release from last evening. If you see Cryptic's site, in big red letters (and boxed) there's a warning about the breach. This was there last night and was the same release that Massively used to report from last night.
Oh, and the CC info that was stored - does not appear to be "complete" numbers as per the announcement.
I hate hackers with the fire of a gazillion burning suns.
No, but they stored enough numbers that anyone with a little bit of patience and an understanding of the anatomy of credit card numbers (which is as easy as doing a Google search) could easily fill in the blanks. Leaving only 6 digits out of a card number is not a hard challenge for anyone with a half decent computer. And you DON'T need the verification number off the back of the card to still use it in many settings.
V-Mink someone should dress like your avatar and do the tongue face at Cryptic's Headquarters to scare them to provide better support to us and the game!
Stupid Cryptic you make look bad! Boga Boga Boooga! As Courage the Cowardly Dog's owner did
After a bit of digging, I found some internet lawyers who say, it's not illegal in the local/state/federal sense but it is a violation of the merchant agreements of MC and Visa, and probably AmEx. The problem is that everyone and their brother on the net with a virtual storefront (probably) stores CCVs. And the credit card companies may or may not pursue that; it's pretty much up to them.
I realize this incident is a major headache for Cryptic, but I've been learning all SORTS of cool stuff about credit card numbers!
Actually, storing and being able to regurgitate complete CCN numbers IS a breach of US Federal law under laws similar to HIPAA, but note the word "complete"; it's why when you get a receipt from ANYone - the number isn't printed on the receipt any more, and if it does contain a number, it's only a partial.
No, but they stored enough numbers that anyone with a little bit of patience and an understanding of the anatomy of credit card numbers (which is as easy as doing a Google search) could easily fill in the blanks. Leaving only 6 digits out of a card number is not a hard challenge for anyone with a half decent computer. And you DON'T need the verification number off the back of the card to still use it in many settings.
True!
It's why it's SO DANG IMPORTANT to assure your passwords for your CC acct are changed and are different from PWs used for anything else.
In the Cryptic game launcher my password didn't work so I went to the help pages. You have to log in there but I couldn't so I selected 'forgot password' and then entered my email. After that an email was already in my inbox by the time I'd logged in there and I followed the link and successfully added the new password. After that the launcher accepted it and I'm back in the game.
I thought Cryptic was owned by a China-based maker of crappy games and Internet spam now? The California AG can go after them?
Cryptic is a US company even though they are owned by a Chinese company, so yes..
But why would someone report Cryptic to the CA AG?
Last I checked getting TRIBBLE was not a criminal offence for the victim. Nor is lack of patching, unintentionally allowing an exploit, not even just plain bad IT. So I do not know why the AG would get involved against Cryptic considering they have done nothing intentionally criminal and were a victim of this breach as well.
I am still very disappointed in Cryptic. But not "report one of the victims to the cops to try and get them in trouble" kind of disappointed.
A lot of assumptions being made in this thread, but for the people equating this announcement with "stolen" in-game items (fleet banks and the like), all I can say is:
If that was really the goal of this breach then you should be thanking your local deity. Losing make-believe pixels in a virtual environment sucks, but I'm worried about real-world issues like my name and CC info falling into the wrong hands.
I had been trying to log into STO for a day or so but couldn't due to the sudden maintenance and then my password had been reset. Checking the forums, I found out why.
Anyway I did the password reset request from the main Cryptic page like a lot of people, but it wouldn't work for me. The reason was because I also happen to have a Perfect World account for another game, and it never seemed like any good reason to combine them (I still don't think so). And by happenstance, of the 2-3 email addresses I use, they happened to use the same one. So the Password Change Request kept thinking I wanted to change my Perfect World account.
However ... by using the link posted on the first message of this thread, it worked. So anyone still having that issue - use the OP's link!
PS. Well, it got me logged into here ... I haven't actually tried it in-game yet.
It's why it's SO DANG IMPORTANT to assure your passwords for your CC acct are changed and are different from PWs used for anything else.
It's the nature of eCommerce now - sadly.
Passwords, certainly, change those. But, only partial CC information would have been obtained. They are and were required by US law to obscure most of the number - and have. If you want to change it, go ahead. The likelihood, however, that it was exploited is significantly lower than the likelihood your password was.
If your information was to have been exploited, it almost certainly would have been before today as it was acquired 16 months ago. Vigilance is one thing. Rampant paranoia is another. Be mindful of the line.
This is EXTREMELY disturbing... Please give us full details and especially since some of our credit information was possibly accessed. Thank you!!! :eek:
As I've mentioned in the thread:
We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user. It is possible that the intruder was able to access additional account information, but we have no evidence of this. If they did so, the first and last name, e-mail address, date of birth (if provided to Cryptic Studios), billing address, and the first six digits and the last four digits of credit cards registered on the site may have been accessed.
Just a bit of information for those who live in the state of California, you can file an AG complaint against them about this. As of the time I checked the site for data breaches, Cryptic had not filed a report.
I'm not a happy camper, not in the least, and I'm not happy with how little information we have on this. Why is this NOT on the front page? why is the title of this thread so misleading?
Answers I'd like to see.
As I've mentioned in this thread:
All affected accounts have been password reset. Only the legitimate owner of the email account used to register a Cryptic account will be able to reset the password. Emails to all affected users are being sent out over the coming hours, and if you do not receive one within 48 hours, your account was not affected. Cryptic treats your privacy and account security seriously, and is taking proactive steps to ensure that all accounts are secure.
While we appreciate that Cryptic acted the second it discovered this hacking, I think the question many of us have is how it took a year and a half to find that the hacking had happened (and ceased). I.T. security, these days, is paramount. This action suggests that there were inadequate I.T. security protocols for at least a year and a half before it was detected and dealt with. Up to a month is believable, but a year and a half? That's a real big problem in the I.T. security systems reliability and data access integrity. Users could have had the most airtight password and from what it sounds the hackers would have had access to it.
What is Cryptic going to do to increase its data systems integrity and speed up its ability to detect and deal with a failure that compromises its I.T. security?
As I've mentioned in this thread:
Increased security checks and vigilant customer service revealed a pattern of account hacking that suggested an unauthorized access, which upon further investigation and analysis, apparently occurred in December 2010. As soon as this pattern became clear, Cryptic reset passwords on all affected accounts.
Cryptic has much to answer for about this. But hate on Cryptic for the RIGHT reasons.
(hate) and (right reasoning) --> OXYMORONIC
The simple fact is there is no excuse...none. Management's actions and decisions are inexcusable and deplorable. They made a risk call and failed. Now they (and all the stakeholders) must pay the price.
I'm noticing a distinct pattern of the Devs ignoring the question we're all asking, why the heck did it take a year and a half for you to notice this?? We put faith in you providing security, you already store CCV numbers which is illegal to do so, but we ignore that because we have said faith in your security, this incident clearly undermines that faith.
NEVER TRUST. Never trust anyone.
Never trust anyone on the internet.
Never trust anyone on the internet...EVER.
1. Never use a REAL credit card. (SafePay, CreditSafe, ShopSafe, PreCred, etc).
2. Use disposable (pre-pay) credit cards.
3. Use Play Time cards you can buy in brick-n-mortar stores.
4. Buy LifeTime memberships (pay with 1 or 2 above).
Cryptic is a US company even though they are owned by a Chinese company, so yes..
But why would someone report Cryptic to the CA AG?
Last I checked getting TRIBBLE was not a criminal offence for the victim. Nor is lack of patching, unintentionally allowing an exploit, not even just plain bad IT. So I do not know why the AG would get involved against Cryptic considering they have done nothing intentionally criminal and were a victim of this breach as well.
I am still very disappointed in Cryptic. But not "report one of the victims to the cops to try and get them in trouble" kind of disappointed.
actually they've possibly violated some standards and practices of industry, and if they don't report the issue to the CA AG, as required by (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a)) then they will indeed be in violation of the law.
And as for why report them? Because quite simply, due to the length of time it took them to detect this, and how little and how poorly they've notified those affected. A singular poorly worded email that many have had sent to a spam box due to its similarity to a phishing attempt. The lack of any information on the main page, or the launcher as well.
It has nothing to do with the "victim" and everything to do with how little and how poorly they've handled it.
As a trained ethical hacker, the answer is actually quite simple: once a hacker gets in they try to avoid detection. The simple fact is hackers often don't brute force their way in; they hit up sites like Archive.org and look at the site history, dumpster dive, and basically social engineer so they can walk into an office convincing enough to make people believe they're an employee, plant their hack and walk out. You never knew you were TRIBBLE for a year because it was an "inside job" 99% of the time.
You don't ever HAVE to link your Cryptic acct with a PWE account...who told you you did? They lied...
Mine is still just a Cryptic account. No problems...
they will require it eventually. they already made that pretty clear
If you want to be mad at someone, be mad at Atari for treating Cryptic like a piece of Targ excrement while they owned them. Don't be mad at Cryptic. Heck
what? this incident involved cryptic not atari. there is no reason whatsoever why this should have been allowed to go unnoticed for as long as it did. do you know what would have happened if cryptic had been running a bank instead of an mmo and that happened?
be thankful to Perfect World for once, since the only reason it was probably discovered this recently was PWE increasing their funding to have a proper security team.
i've seen no evidence of that.
Just a bit of information for those who live in the state of California, you can file an AG complaint against them about this. As of the time I checked the site for data breaches, Cryptic had not filed a report.
I'm not a happy camper, not in the least, and I'm not happy with how little information we have on this. Why is this NOT on the front page? why is the title of this thread so misleading?
Answers I'd like to see.
this. and anyone can file such a report, not just those living in California, as it's a California based company. last time I checked Cryptic was required by law to report the hacking incident to the state attorney general. I've seen no evidence anywhere that they have done so, and that concerns me
I thought Cryptic was owned by a China-based maker of crappy games and Internet spam now? The California AG can go after them?
PWE is a china based company. cryptic is a subsidiary based in california. the attorney general can go after any business based in the state they are in. PWE may be the parent company but cryptic is still a company
But why would someone report Cryptic to the CA AG?
Last I checked getting TRIBBLE was not a criminal offence for the victim
correct. being TRIBBLE is not a criminal offense for the victim. however, a company not reporting it is. whether they do that remains to be seen. I would hope they're smart enough to be aware of that
actually they've possibly violated some standards and practices of industry, and if they don't report the issue to the CA AG, as required by (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a)) then they will indeed be in violation of the law.
And as for why report them? Because quite simply, due to the length of time it took them to detect this, and how little and how poorly they've notified those affected. A singular poorly worded email that many have had sent to a spam box due to its similarity to a phishing attempt. The lack of any information on the main page, or the launcher as well.
It has nothing to do with the "victim" and everything to do with how little and how poorly they've handled it.
this. and the email was sent to my spam folder as well. frankly I assumed it was a phishing attempt and only realized it wasn't when I checked the posts here.
The simple fact is there is no excuse...none. Management's actions and decisions are inexcusable and deplorable. They made a risk call and failed. Now they (and all the stakeholders) must pay the price.
NEVER TRUST. Never trust anyone.
Never trust anyone on the internet.
Never trust anyone on the internet...EVER.
1. Never use a REAL credit card. (SafePay, CreditSafe, ShopSafe, PreCred, etc).
2. Use disposable (pre-pay) credit cards.
3. Use Play Time cards you can buy in brick-n-mortar stores.
4. Buy LifeTime memberships (pay with 1 or 2 above).
Safe-play.
Everyone is infected, vile, corrupt.
Never Trust.
You're right, you can't defend the indefensible. BranFlakes, thanks for telling us, better late than never, but what about those who signed up after 2010 like me! There have been several breaches according to your self quote, so what's the whole story? And tell us without citing the OP you posted; quite frankly that's a sign it's far worse than what you're telling us, because the OP was very vague. With all the years past and yet not telling the community, you OWE us that at least.
Originally Posted by Kyuui
Just a bit of information for those who live in the state of California, you can file an AG complaint against them about this. As of the time I checked the site for data breaches, Cryptic had not filed a report.
I'm not a happy camper, not in the least, and I'm not happy with how little information we have on this. Why is this NOT on the front page? why is the title of this thread so misleading?
I've read that, and it still doesn't answer my questions. A singular poorly worded email, is that all you're going to do?
are you going to comply with California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a) as required by law?
Why is this NOT on the front page?
why is the title of this thread so misleading? and it HAS been stated at least once in the thread that someone thought it was for routine issues, not the result of a hacking.
These are things we should have answers for, and you should be doing. Bad things can happen to folks because of this, and to be honest, you're treating it like it's a ho hum event, at least to this customer.
Damn you Cryptic! I almost got a heart attack when I saw that email! At least you could have sent an email explaining that, not that someone tried to log in with my password and my account was compromised.
Apart from the obvious sixteen month delay between incident and disclosure, this shambolic affair raises plenty of concerns.
Were all the recently TRIBBLE accounts registered before December 2010? If some compromised accounts were registered after this date, then there may be a second vulnerability - either at Cryptic or on third-party sites as originally assumed.
How did the audit proceed? On a day by day basis moving forward from 2008? Or backward from 2012? If the former, then there may still be future undiscovered incidents affecting newer accounts.
When was the exploit closed? Has it been left open until now (potentially compromising more accounts), or was it closed off via other means? (Patching a vulnerability as part of regular server maintenance, for example.)
The incident happened either around the time of or just before the big merge with Atari's backend system. This means everyone who played in the first half of 2011 has a mirrored account at www.atari.com and www.testdriveunlimited2.com. These will also be compromised unless passwords were changed on the Atari sites after the demerger.
Is the incident related to the spreadsheet leak that Atari experienced in December 2011?
My real first and last name.
My birthdate.
My full credit card number.
My login name.
My password.
I am extremely disappointed in Cryptic. :mad:
Only ten digits of your credit card may have been compromised. If that data is compromised then so is your billing address. Given your previously documented experience with the community; I can sympathise with the concern that 'bad people' have access to personal information they have no right to. Were I in your position, I'd be more than disappointed.
It's a lot easier to get a new credit card than it is a new name, address and date of birth.
No, but they stored enough numbers that anyone with a little bit of patience and an understanding of the anatomy of credit card numbers (which is as easy as doing a Google search) could easily fill in the blanks. Leaving only 6 digits out of a card number is not a hard challenge for anyone with a half decent computer. And you DON'T need the verification number off the back of the card to still use it in many settings.
That's a 1 in 1,000,000 chance of guessing the right set of digits. Slightly worse odds than pulling a D'Kora.
However, the final digit of the number is a checksum. This means only the guesses that work out correctly need to be tried. I'm not familiar with the algorithm; nor do I recommend anyone go looking; but this information would substantially reduce the possible matches.
Derived CC numbers are usually tested by small charitable donations. It wouldn't hurt to check to see if a dollar or two has gone out that way. Charities are targeted as they are under less scrutiny than the bigger players, as well as being staffed by volunteers who don't have the financial training to question where the money's coming from. And who really complains about a surprise donation to a worthy cause?
Until we hear further; we can only hope this partial CC information has not been compromised, despite the official warning to the contrary.
according to the AG web site, yes. I believe its a state law requirement.
Although others may have gotten one, I didn't (from the auto-send). Something else to look into.
As I've mentioned in this thread:
There is a post here you may have missed: http://www.crypticstudios.com/securitynotice
Cheers,
Brandon =/\=
Just a word of warning to anyone who has clicked the 'reset password' link and doesn't appear to receive a reset password email:
CHECK YOUR SPAM FOLDER.
For some reason the original email went into my google inbox, but the reset password emails went into my spam folder instead, which is hidden.
I've spent the better part of 10 hours waiting for my reset password email, before I realised what was happening.
Well at least, everything is ok.
Don't do it again!
Nevertheless...
I wonder if that's what Dan's Free-Lobi-Crystal event is all about?