I tried that already through the e-mail notification Cryptic sent me. It went straight to the STO homepage. I'll try what you've suggested, but I've already submitted a ticket on the issue to PWE so if it doesn't work I'll have an answer in 3-4 business days.
If you went straight to the STO page, this means you are still logged in to the forums and their site. Log out. Close pages. Click link in email. Tada.
Failing that, at the login screen for your account, you can select which type of account you have after clicking on the "Forgot Password" link. Also with the TADA!
Sorted now. Now I have to close the ticket I sent. Oh the bureaucracy of it! :rolleyes:
OK...I have to create a PWE account to close the ticket?! This is getting ridiculous! *hits himself over the head with a cricket bat*
I don't have too much of a problem with the hacking thing, beyond that it happens and expecting a company to take appropriate steps afterwards; no system is infallible.
However, I am dismayed at Cryptic's response. After taking a year and a half, they announced it on the Cryptic Studios website. Sent an email not even stating the real problem, and it is still not yet a news report up on the STO site... brushing under the carpet much? We all know what happened, now make amends for it, be honest, improve your security and most of all be honest with all customers!
The response has just been unacceptable to such a serious breach of data.
If you are having trouble logging into your account, your account's password may have been locked during our account server maintenance today. You can recover your password via the forgot password link on the official Star Trek Online or Champion Online websites:
For full details on why accounts were locked today, please read the notification here.
Apologies for the inconvenience.
Customer Service
Cryptic Studios
The Data Protection Directive (officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is a European Union directive which regulates the processing of personal data within the European Union. It is an important component of EU privacy and human rights law. On 25 January 2012, the European Commission unveiled a draft European Data Protection Regulation that will supersede the Data Protection Directive.
Third countries is the term used in EU legislation to designate countries outside the European Union. Personal data may only be transferred to third countries if that country provides an adequate level of protection. Some exceptions to this rule are provided, for instance when the controller himself can guarantee that the recipient will comply with the data protection rules.
US-EU Safe Harbor is a streamlined process for US companies to comply with the EU Directive 95/46/EC on the protection of personal data.
Intended for organizations within the EU or US that store customer data, the Safe Harbor Principles are designed to prevent accidental information disclosure or loss. US companies can opt into the program as long as they adhere to the 7 principles outlined in the Directive.
The process was developed by the US Department of Commerce in consultation with the EU.
Notice - Individuals must be informed that their data is being collected and about how it will be used.
Choice - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
Onward Transfer - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
Security - Reasonable efforts must be made to prevent loss of collected information.
Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
Enforcement - There must be effective means of enforcing these rules.
Given that Cryptic has EU customers, I would like to know what Cryptic is doing to take reasonable efforts to prevent loss of information.
Because I am very dismayed that it has taken 18 months to find such a breach.
I think this has been covered several times over and over in this topic. 18 months to find it is embarrassing, yes, but who's to say there isn't a company out there who has had a problem for long and not yet found it? It depends on the skill of the person infiltrating and various other issues.
The unauthorized access included user account names, handles, and encrypted passwords for those accounts. Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database. All accounts that we believe were present in the database have had the passwords reset, and customers registered to these accounts have been notified via e-mail of this incident.
Encryption: Protect data. Original data can be obtained if we know the key and encryption algorithm used.
Hashing: Protect data. Nearly impossible to crack/hack to the original data.
Big difference.
I'm not sure where you are getting your definitions but everywhere I have looked says hashing is a form of encryption. When someone says they encrypt passwords, they are usually talking about a hashed password.
A weak hashed password can be cracked with relative ease, unless it's salted and the salt isn't known.
What you are doing is making an assumption that the word encrypted implies a form of encryption other than hashing. In plain English, the average person isn't going to have an idea of what hashing means but they understand encryption.
Continue to speculate for me, what form of encryption do you think was used? What would you recommend?
Encryption does not mean hashing. And as far as what the heck they're doing, ask them. I've already done that and only have crickets to show for it.
I could go on with other sources that describe hashing as a form of encryption, which is probably the way it has been used in the notice because as I said before, the average person wouldn't know what "hashed password" means but would know what "encrypted password" means.
Companies generally write things in a way the majority of their consumers understand.
Do you have proof that they were hashing? Encryption does not mean hashing, I repeat, it does not mean hashing. After what has happened, and if one is going to assume anything, it should be on the side of caution.
Can you prove that they didn't hash the passwords? I doubt it.
There's no point guessing what happened, what's done is done.
It's really only the fact that this first appeared on the radar in 2010 that bothers me and wasn't made public to those at risk until now.
It's because they didn't realize it had occurred until now. There's no magic piece of software they ran like Hijack This or Malware Bytes that suddenly popped up a message "Your database has been TRIBBLE..."; they used forensic security procedures (probably had a few independent people analyzing various logs and other data) - and as soon as they saw a pattern that indicated they had a breach, they took action as they saw fit. It didn't appear on the radar in 2010 - they just discovered it yesterday - and then using what they found, determined when the breach occurred.
There's no one piece of software that will just point this out as the hackers that do this type of thing take great care to make what they've done hard to discover; as once it is discovered, the data they recovered is useless to them.
For every instance like this that is discovered there are probably a high number that have still happened and gone unnoticed; across ANY online service you can name regardless of who is running it. Most hacking is discovered AFTER the fact, IE - a user logs in and finds things not as he left them; and notifies the provider, etc; and action is taken.
Again, there were probably a number of accounts that were TRIBBLE due to this breach; but there are also OTHER accounts that were TRIBBLE due to the trojan/keylogger ad that was running (without their knowledge) on the STO Wiki site - and even after this incident; there will be other Cryptic/PWE accounts TRIBBLE by a variety of methods. -- Welcome to this internet.
That doesn't absolve Cryptic of their responsibility in all this, but to somehow think EVERY incident of STO account hacking since December 2010 is because of this breach is naive. As long as there is money to be made (via the outside selling of EC, etc.) - hackers will continue to target STO as well as ANY MMO that has a community willing to pay outside groups real cash for virtual items.
Today:
STO accounts will be TRIBBLE
CO accounts will be TRIBBLE
SWToR accounts will be TRIBBLE
WoW accounts will be TRIBBLE
EVE Online accounts will be TRIBBLE...etc.
BOTH the company who develops and manages the game; and the player who plays said game have a responsibility to do what they can to safeguard account access. The players need to choose more secure passwords (and something NOT related to you in any way is best - EG don't use some variation of the name of a pet you own, your birthday, etc; OR use the same password across multiple accounts); and the game developer is responsible for employing measures such as encrypting and hashing important information and using secure protocols, and keeping them updated/patched, etc.
BUT - even with all this; a good hacker will still:
- Find a way to get the data they want.
- Do all they can to hide/bury the fact they obtained said data.
That's why there are entire companies whose sole business is to create new and better security protocols and update and change them as the hackers find ways past them (which they unfortunately always will.)
There is no such thing as a 100% hack proof system - once it is online and available via a VLAN or the internet. It just doesn't exist. So far, no matter what is developed as a defense, it is eventually 'TRIBBLE'; and it's been that way ever since computers were first networked together.
This thread was provided to provide resources on how to get help if you are having trouble logging in, that's why the title is what it is
Except you're closing any and all threads remotely related to this security breach and the community's reaction to it, to this thread. Which is ambiguously titled, and less than useful as a means to get help, since ALL community commentary is being funneled here and drowning out anything help-focused.
And I will reiterate what other people keep saying; This is serious news, and should be broadcasted to the community in venues other than a misleading thread and a spam-folder e-mail to a fraction of the community.
Front-page it. Put out a community-wide e-mail.
Stop trying to brush it under the rug; it's not going to work, and is only making your image problem worse by continuing to try.
This thread was provided to provide resources on how to get help if you are having trouble logging in, that's why the title is what it is. As I have posted in this thread, all affected users have been/are being notified by email, and we have a post up here: http://www.crypticstudios.com/ and http://www.crypticstudios.com/securitynotice
The only reason I know something happened is that I tried to log in to game and then came to the website to check on my password. I only happened to see this thread in the forum. I never received an email, as far as I am aware.
and the recover password is not working :mad:
As I've mentioned in this thread:
All affected accounts have been password reset. Only the legitimate owner of the email account used to register a Cryptic account will be able to reset the password. Emails to all affected users are being sent out over the coming hours, and if you do not receive one within 48 hours, your account was not affected. Cryptic treats your privacy and account security seriously, and is taking proactive steps to ensure that all accounts are secure.
That didn't answer my question. The question is, why did it take a year and a half to detect this hack, and then correct it? That's an eternity in I.T. life.
Comments
Etc. Or something.
It keeps me employed helping to catch them.
Go Get 'em !!!!!! Rawr!
So are you saying Cryptic should post a notice? Because that's what they already did and they sent an email out. They did this when they found out.
If it's not a notice you want them to post then I don't understand what you are talking about.
http://support.crypticstudios.com/startrekonline#tickets try this and then click on the "my account" button just under Cryptic Support
Hmm, better get the engineering team working on the universal translators again!
One would not say that is reasonable steps!
Please remember Cryptic. YOU HAVE EU CUSTOMERS.
It would be best to just assume that none of your information is secure or ever will be. They don't seem to be hashing passwords even so...
We don't know what they have or haven't done.
*sigh* http://www.crypticstudios.com/securitynotice
/sigh
Hashing is a form of encryption...:rolleyes:
Maybe you'll have better luck.
http://computer.howstuffworks.com/encryption5.htm
Hashing appears under How Encryption Works
2010 ... you have to be kidding me.
As I've mentioned in this thread:
Make sure you are logged out, and then use the link. Also, see what I just posted above
Cheers,
Brandon =/\=
Also, when you do get back in game, watch out: the BAN hammer is being swung around like crazy lately.
It is out there already.