any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f))
that is where.
And instead of "lawyering up" as you put it, I attempted to ask the person I thought would help me, i.e. the CM, the Community Manager, because I want to know, without causing undue hassle for them. Trust me, if I wanted to "lawyer up" I wouldn't have bothered with asking here first; that would be pointless.
So, once again, I ask, have they complied with the requirement? You claim knowledge of them doing so, I'm asking you, since you claim to know, can you please provide a link? The only source I have indicates they have not, but that source may not be up to date. You appear to have knowledge that I do not, so please do share that knowledge.
Thank you.
So you're assuming 500 California residents had their account breached?
Just a word of warning to anyone who has clicked the 'reset password' link and doesn't appear to receive a reset password email:
CHECK YOUR SPAM FOLDER.
For some reason the original email went into my google inbox, but the reset password emails went into my spam folder instead, which is hidden.
I've spent the better part of 10 hours waiting for my reset password email, before I realised what was happening.
This also happened to me. I happened to have noticed that my spam count went up by 1 when I was expecting the email and checked right away, but it's definitely an issue.
Oh and for the record, I'm not 100% sure this applies but it MAY and if it does, they're in violation
(3) Substitute notice, if the person or business demonstrates that
the cost of providing notice would exceed two hundred fifty thousand
dollars ($250,000), or that the affected class of subject persons to
be notified exceeds 500,000, or the person or business does not have
sufficient contact information. Substitute notice shall consist of
all of the following:
(A) E-mail notice when the person or business has an e-mail
address for the subject persons.
(B) Conspicuous posting of the notice on the Internet Web site
page of the person or business, if the person or business maintains
one.
At this point, you're grasping for anything that will make your demands reasonable. They were originally reasonable but not in this media or context. If you want to discuss legal matters, you do so with legal counsel and representatives. Forums are not acceptable notice in a court of law. Lawyers, however, are.
No forum representative is qualified to answer any legal questions. You're barking up the wrong tree and trying to justify it desperately. I agree with your intention, but your actions toward that end are badly handled. Sound familiar?
So you're assuming 500 California residents had their account breached?
I assume nothing, I am inquiring to find out if they had to comply with that requirement, which would imply that happened. Also consider this, I know of 5 folks who have received the email. It is entirely possible that 495 other California residents have as well. Also consider this, it is entirely possible that any of the staff from launch who played the game during that time has suffered this as well, and they are, or were, California residents. 500 isn't a hard number to reach. Rent a Center had to publish a notice, due to a singular store being vandalized, so it is possible.
If the link sends you to the main page, you need to log out of the forums. It will then send you to a page where you enter your e-mail. It will send you a mail with a new link and then you can enter your new password.
Increased security checks and vigilant customer service revealed a pattern of account hacking that suggested an unauthorized access, which upon further investigation and analysis, apparently occurred in December 2010. As soon as this pattern became clear, Cryptic reset passwords on all affected accounts.
A few problems with this:
Why weren't your computer security protocols updated more than once every 18 months?
Second you're not particularly vigilant if it took over a year and a half to find a breach. Also, a pattern? A pattern occurs over time, that would suggest that you saw hacking (being vigilant means you noticed it quickly) and allowed it to continue without making an effort to stop it until you saw a pattern.
I know you're copy/pasting what they tell you to Bran (because Stormshade is doing the same on CO forums) could you relay to them that we want more details about what was stolen and how and why it took so long. Saying that you just noticed it while upgrading doesn't explain why you never upgraded security before now and also doesn't explain why this JUST HAPPENS to coincide with a large-scale public notification of an account being TRIBBLE (STOked) along with months of threads here and there with people saying their accounts were TRIBBLE.
Because to some of us it sounds like your security personnel were asleep until a public community figure pointed out that his account had been TRIBBLE and you went to the effort to look in-depth into it. Which doesn't say a lot for all the other people that got TRIBBLE if it wasn't until a public community figure that someone looked beyond the surface on this issue.
At this point, you're grasping for anything that will make your demands reasonable. They were originally reasonable but not in this media or context. If you want to discuss legal matters, you do so with legal counsel and representatives. Forums are not acceptable notice in a court of law. Lawyers, however, are.
No forum representative is qualified to answer any legal questions. You're barking up the wrong tree and trying to justify it desperately. I agree with your intention, but your actions toward that end are badly handled. Sound familiar?
Sorry but I'm not barking up anything, I'm posting a legal requirement, which they may or may not be subject to.
Complying with the law, is reasonable in any media or context.
my actions have been 2 things, asking a question, then defending myself with the legal reasoning why I have asked them about the matter. I've only quoted the civil code to show WHY I am asking.
For all I know I'm helping them avoid legal issues, which if I am, wonderful, for all the problems I have with them, I don't wish them legal issues, when they can be avoided.
Why weren't your computer security protocols updated more than once every 18 months?
Security protocols, in the context you are describing them, are not necessarily upgraded. A protocol is an agreed upon (by interested stakeholders) set of rules to follow. It is not software - though software can follow established protocols. It is procedural rather than technical. The distinction is significant. But I'm going to go a bit further here.
Second you're not particularly vigilant if it took over a year and a half to find a breach. Also, a pattern? A pattern occurs over time, that would suggest that you saw hacking (being vigilant means you noticed it quickly) and allowed it to continue without making an effort to stop it until you saw a pattern.
You are making a lot of inferences that neither have been stated nor implied in their notice. I'm not saying they didn't drop the ball here, but you're making a lot of unfounded and incorrect assumptions and then holding them responsible for it. That's not fair, correct, or valid.
Because to some of us it sounds like your security personnel were asleep until a public community figure pointed out that his account had been TRIBBLE and you went to the effort to look in-depth into it. Which doesn't say a lot for all the other people that got TRIBBLE if it wasn't until a public community figure that someone looked beyond the surface on this issue.
Actually, knowing something of the technicals of this type of situation (since I deal with a wide variety of databases - DB2, Oracle, MySQL, MSSQL, etc), I can tell you that your assumptions are invalid. None of the vendors, and I mean none of them, follow the same methods of logging. Worse still, none of them have a standard way between them of detecting an intruder and alerting appropriate personnel.
What does this mean? Each admin has to either dig through a lot of logs, correlate that with firewall logs, and then do a significant amount of debugging. It isn't something that is practical to do frequently, often, or until suspicious activity is detected. This is why the best ROI on dealing with the potential is to separate off the database onto a different network layer and apply appropriate ACLs/firewalls to block it off on an application vs database layer. They almost certainly discovered this during the upgrade process due to either something unusual in the upgrade process or a notification during said upgrade of software that pointed out the issue.
Sure, as with a lot of things Cryptic has done lately, the communication and messaging could have been handled better. But your assumptions regarding what happened, what should have happened, and what will happen are invalid.
Wonder if those of us who signed up by Steam are unaffected? I didn't have to change my password, and I use Steam wallet so my credit info is safe as well.
This thread was provided to provide resources on how to get help if you are having trouble logging in, that's why the title is what it is. As I have posted in this thread, all affected users have been/are being notified by email, and we have a post up here: http://www.crypticstudios.com/ and http://www.crypticstudios.com/securitynotice
Hey, Cryptic, Gmail decided your password reset emails were phishy and spam-foldered them for me, too. Seems to be happening to a lot of people. Maybe there's some way you can let Google know they're real, or something?
Hey thanks, I was wondering why I wasn't getting the password reset emails. I always forget to look in my spam file, but I reset my password last night with no problem. I guess Google must be getting a lot of Cryptic reset password emails thru their system, so it starts to think it is spam.
For all I know I'm helping them avoid legal issues, which if I am, wonderful, for all the problems I have with them, I don't wish them legal issues, when they can be avoided.
I did a bit of searching (took me about 60 seconds, I think) and found some legal counsel apparently representing Perfect World.
There is contact information on there. If they have division specific legal counsel, you may be referred to them. Either way, Cryptic almost certainly will not discuss legal matters on the forums. They're also not required to by law - no matter how it is demanded to do otherwise.
Perhaps your legal counsel can contact theirs now.
I need no counsel, I am not the one who may or may not be in compliance with the law, they are. I will await the resolution via the channels I've chosen to use. My question was a valid one, and remains so. While they don't have to legally answer it, in this case given the incident, I would think it would be good customer service to reassure your customers that you are indeed in full compliance with the law.
But as you and I have agreed before, they do not always perform well, when it comes to customer service.
Time will tell what happens, meanwhile, for their sake, I do hope they've complied with the law, the CA AG has decided to make ID theft and information security one of her bigger concerns.
I would think that would be nice to know ahead of time to start the process then oops pull plug your account is screwed for days no duty event for or finish off the chains hmm
I am on 3 colonial chains on on part 6 just dawned on me why can't I start 7 hmmm
wait why I remember I can't get into game great jobs how can I keep the ball rolling when can't get it
I need no counsel, I am not the one who may or may not be in compliance with the law, they are. I will await the resolution via the channels I've chosen to use. My question was a valid one, and remains so. While they don't have to legally answer it, in this case given the incident, I would think it would be good customer service to reassure your customers that you are indeed in full compliance with the law.
But as you and I have agreed before, they do not always perform well, when it comes to customer service.
Time will tell what happens, meanwhile, for their sake, I do hope they've complied with the law, the CA AG has decided to make ID theft and information security one of her bigger concerns.
It's not a question as to the validity of your curiosity - merely as to the fact that you keep asking the same questions over and over and over in a forum where you will NEVER get an answer.
You've been told how to go find those answers. Please just go find them and put your mind to rest.
It's really only the fact that this first appeared on the radar in 2010 that bothers me and wasn't made public to those at risk until now. It kinda makes me wonder why the long time between the concern and the reaction. Did they not wish to scare off the customer base?
Secondly, what measures are being taken to ensure this does not happen or go so long between being warned of it again?
Frankly, that's my money under attack, since my credit info was in the system, and I value such info highly and find fault with Cryptic for not making this whole debacle known earlier so I could have taken my own measures to secure myself before now.
In-game concerns about KDF, fed, PvP aside... this event concerns me most as we players put a certain level of trust in Cryptic when it comes to such matters as security of our important info.
It's not a question as to the validity of your curiosity - merely as to the fact that you keep asking the same questions over and over and over in a forum where you will NEVER get an answer.
You've been told how to go find those answers. Please just go find them and put your mind to rest.
I only repeated the question, when someone implied they had proof they had complied with the law, if they are required to do so. That, would have also answered my question, however so far, that hasn't proven to be the case.
I knew how to find my answer, I have already started the process to do so, but I also wanted to ask here, which I am able to do.
I do find it interesting how many folks will react to this however and how they chose to do so.
It's really only the fact that this first appeared on the radar in 2010 that bothers me and wasn't made public to those at risk until now. It kinda makes me wonder why the long time between the concern and the reaction. Did they not wish to scare off the customer base?
Secondly, what measures are being taken to ensure this does not happen or go so long between being warned of it again?
Frankly, that's my money under attack, since my credit info was in the system, and I value such info highly and find fault with Cryptic for not making this whole debacle known earlier so I could have taken my own measures to secure myself before now.
In-game concerns about KDF, fed, PvP aside... this event concerns me most as we players put a certain level of trust in Cryptic when it comes to such matters as security of our important info.
While I also have concerns, they allegedly just confirmed the breach recently. Why there was a delay in *detecting* the breach is a concern, they have told us in the notice at Cryptic's site (which was posted yesterday - the same day the emails were sent) they themselves didn't know about it until recently. It was detected, and when it was detected, the notifications were sent.
It sucks they didn't know - but that's what hackers do - they try to keep from getting caught.
I only repeated the question, when someone implied they had proof they had complied with the law, if they are required to do so. That, would have also answered my question, however so far, that hasn't proven to be the case.
I knew how to find my answer, I have already started the process to do so, but I also wanted to ask here, which I am able to do.
I do find it interesting how many folks will react to this however and how they chose to do so.
I just thought it was strange that you decided to ask a bunch of people who wouldn't be able to answer you, especially since you apparently knew how to find the answers to begin with.
Try logging in; when that fails, hit the forgot password (or do that first) and it will ask for an email. Put the email you have the game on and they will send a link where you can then change that password.
I tried that already through the e-mail notification Cryptic sent me. It went straight to the STO homepage. I'll try what you've suggested, but I've already submitted a ticket on the issue to PWE so if it doesn't work I'll have an answer in 3-4 business days.
Comments
So you're assuming 500 California residents had their account breached?
This also happened to me. I happened to have noticed that my spam count went up by 1 when I was expecting the email and checked right away, but it's definitely an issue.
(3) Substitute notice, if the person or business demonstrates that
the cost of providing notice would exceed two hundred fifty thousand
dollars ($250,000), or that the affected class of subject persons to
be notified exceeds 500,000, or the person or business does not have
sufficient contact information. Substitute notice shall consist of
all of the following:
(A) E-mail notice when the person or business has an e-mail
address for the subject persons.
(B) Conspicuous posting of the notice on the Internet Web site
page of the person or business, if the person or business maintains
one.
At this point, you're grasping for anything that will make your demands reasonable. They were originally reasonable but not in this media or context. If you want to discuss legal matters, you do so with legal counsel and representatives. Forums are not acceptable notice in a court of law. Lawyers, however, are.
No forum representative is qualified to answer any legal questions. You're barking up the wrong tree and trying to justify it desperately. I agree with your intention, but your actions toward that end are badly handled. Sound familiar?
http://forums.startrekonline.com/showpost.php?p=4184423&postcount=509
Cheers,
Brandon =/\=
You have to sign out of your account to change your password
OK, this forum merging was confusing, our posts separated for some reason
I assume nothing, I am inquiring to find out if they had to comply with that requirement, which would imply that happened. Also consider this, I know of 5 folks who have received the email. It is entirely possible that 495 other California residents have as well. Also consider this, it is entirely possible that any of the staff from launch who played the game during that time has suffered this as well, and they are, or were, California residents. 500 isn't a hard number to reach. Rent a Center had to publish a notice, due to a singular store being vandalized, so it is possible.
http://forums.startrekonline.com/showthread.php?t=268025
If the link sends you to the main page, you need to log out of the forums. It will then send you to a page where you enter your e-mail. It will send you a mail with a new link and then you can enter your new password.
A few problems with this:
Why weren't your computer security protocols updated more than once every 18 months?
Second you're not particularly vigilant if it took over a year and a half to find a breach. Also, a pattern? A pattern occurs over time, that would suggest that you saw hacking (being vigilant means you noticed it quickly) and allowed it to continue without making an effort to stop it until you saw a pattern.
I know you're copy/pasting what they tell you to Bran (because Stormshade is doing the same on CO forums) could you relay to them that we want more details about what was stolen and how and why it took so long. Saying that you just noticed it while upgrading doesn't explain why you never upgraded security before now and also doesn't explain why this JUST HAPPENS to coincide with a large-scale public notification of an account being TRIBBLE (STOked) along with months of threads here and there with people saying their accounts were TRIBBLE.
Because to some of us it sounds like your security personnel were asleep until a public community figure pointed out that his account had been TRIBBLE and you went to the effort to look in-depth into it. Which doesn't say a lot for all the other people that got TRIBBLE if it wasn't until a public community figure that someone looked beyond the surface on this issue.
Thanks Brandon,
I sent the link to them
Sorry but I'm not barking up anything, I'm posting a legal requirement, which they may or may not be subject to.
Complying with the law, is reasonable in any media or context.
my actions have been 2 things, asking a question, then defending myself with the legal reasoning why I have asked them about the matter. I've only quoted the civil code to show WHY I am asking.
For all I know I'm helping them avoid legal issues, which if I am, wonderful, for all the problems I have with them, I don't wish them legal issues, when they can be avoided.
Security protocols, in the context you are describing them, are not necessarily upgraded. A protocol is an agreed upon (by interested stakeholders) set of rules to follow. It is not software - though software can follow established protocols. It is procedural rather than technical. The distinction is significant. But I'm going to go a bit further here.
You are making a lot of inferences that neither have been stated nor implied in their notice. I'm not saying they didn't drop the ball here, but you're making a lot of unfounded and incorrect assumptions and then holding them responsible for it. That's not fair, correct, or valid.
Actually, knowing something of the technicals of this type of situation (since I deal with a wide variety of databases - DB2, Oracle, MySQL, MSSQL, etc), I can tell you that your assumptions are invalid. None of the vendors, and I mean none of them, follow the same methods of logging. Worse still, none of them have a standard way between them of detecting an intruder and alerting appropriate personnel.
What does this mean? Each admin has to either dig through a lot of logs, correlate that with firewall logs, and then do a significant amount of debugging. It isn't something that is practical to do frequently, often, or until suspicious activity is detected. This is why the best ROI on dealing with the potential is to separate off the database onto a different network layer and apply appropriate ACLs/firewalls to block it off on an application vs database layer. They almost certainly discovered this during the upgrade process due to either something unusual in the upgrade process or a notification during said upgrade of software that pointed out the issue.
Sure, as with a lot of things Cryptic has done lately, the communication and messaging could have been handled better. But your assumptions regarding what happened, what should have happened, and what will happen are invalid.
The same thing happened to me, until I logged out of the forums. As soon as I logged out the link took me to the correct page instead of the homepage.
Again, the title and content of the first post completely gloss over the very reason WHY we're having our passwords reset.
Hey thanks, I was wondering why I wasn't getting the password reset emails. I always forget to look in my spam file, but I reset my password last night with no problem. I guess Google must be getting a lot of Cryptic reset password emails thru their system, so it starts to think it is spam.
Again thanks
I did a bit of searching (took me about 60 seconds, I think) and found some legal counsel apparently representing Perfect World.
http://m.reedsmith.com/video-games--interactive-entertainment-practices/
There is contact information on there. If they have division specific legal counsel, you may be referred to them. Either way, Cryptic almost certainly will not discuss legal matters on the forums. They're also not required to by law - no matter how it is demanded to do otherwise.
Perhaps your legal counsel can contact theirs now.
I need no counsel, I am not the one who may or may not be in compliance with the law, they are. I will await the resolution via the channels I've chosen to use. My question was a valid one, and remains so. While they don't have to legally answer it, in this case given the incident, I would think it would be good customer service to reassure your customers that you are indeed in full compliance with the law.
But as you and I have agreed before, they do not always perform well, when it comes to customer service.
Time will tell what happens, meanwhile, for their sake, I do hope they've complied with the law, the CA AG has decided to make ID theft and information security one of her bigger concerns.
I am on 3 colonial chains on on part 6 just dawned on me why can't I start 7 hmmm
wait why I remember I can't get into game great jobs how can I keep the ball rolling when can't get it
you guys are the developers you tell me
It's not a question as to the validity of your curiosity - merely as to the fact that you keep asking the same questions over and over and over in a forum where you will NEVER get an answer.
You've been told how to go find those answers. Please just go find them and put your mind to rest.
Secondly, what measures are being taken to ensure this does not happen or go so long between being warned of it again?
Frankly, that's my money under attack, since my credit info was in the system, and I value such info highly and find fault with Cryptic for not making this whole debacle known earlier so I could have taken my own measures to secure myself before now.
In-game concerns about KDF, fed, PvP aside... this event concerns me most as we players put a certain level of trust in Cryptic when it comes to such matters as security of our important info.
I only repeated the question, when someone implied they had proof they had complied with the law, if they are required to do so. That, would have also answered my question, however so far, that hasn't proven to be the case.
I knew how to find my answer, I have already started the process to do so, but I also wanted to ask here, which I am able to do.
I do find it interesting how many folks will react to this however and how they chose to do so.
While I also have concerns, they allegedly just confirmed the breach recently. Why there was a delay in *detecting* the breach is a concern, they have told us in the notice at Cryptic's site (which was posted yesterday - the same day the emails were sent) they themselves didn't know about it until recently. It was detected, and when it was detected, the notifications were sent.
It sucks they didn't know - but that's what hackers do - they try to keep from getting caught.
I just thought it was strange that you decided to ask a bunch of people who wouldn't be able to answer you, especially since you apparently knew how to find the answers to begin with.
That makes me a sad panda...
Have you tried logging out and clicking on them?
try this
https://support.crypticstudios.com/user/login
Try logging in; when that fails, hit the forgot password (or do that first) and it will ask for an email. Put the email you have the game on and they will send a link where you can then change that password.
I tried that already through the e-mail notification Cryptic sent me. It went straight to the STO homepage. I'll try what you've suggested, but I've already submitted a ticket on the issue to PWE so if it doesn't work I'll have an answer in 3-4 business days.