Comments

  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Zakaara wrote: »
    Better late than never. Unfortunately, as a result of this security breach one of my fleet member's accounts was illegally accessed and our fleet bank was wiped clean. Thankfully his account was restored, but Cryptic was unwilling to restore our fleet bank. We're a small fleet, so it hit us all pretty hard. Almost two years of effort in building up our fleet bank and it was all gone in less than 30 minutes through no fault of our own. :(

    When did that happen? And Cryptic should give it back, plus 10% more, but they'd probably give you 100 lock boxes without keys instead.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Nice to know I am not the only one that can't log in. Come on Cryptic please fix our accounts.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    This happened in 2010 and I changed my password THIS LAST WEEKEND!!!!! Why my account password was reset????

    The link does not work (just sends me to the homepage) and the only reason I can post here is because I checked the "remember me" box last time I logged on.

    That ***** me off.
    :mad:
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    What the TRIBBLE? This stuff happened in 2010 and you are JUST NOW TELLING US? What the hell?

    It happened in 2010 but apparently they were not aware of it until recently:
    The unauthorized access occurred in December 2010, and evidence of this has just been uncovered due to increased security analysis.

    So yeah, someone got some splainin' ta do...
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    seriously, i had to cover my account being TRIBBLE on stoked to really bring this to light? what a joke. Dec of 2010 and it takes almost 2 years to let customers know.... really filling me with confidence.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    hip63 wrote: »
    so you didn't encrypt our passwords?

    lovely :mad:

    please do so, like, I don't know, maybe NOW!

    hip63 :p

    Please read...

    http://www.crypticstudios.com/securitynotice
    The unauthorized access included user account names, handles, and encrypted passwords for those accounts. Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database.
    We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user.

    The passwords were and are encrypted.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    2010? And you're just now getting around to informing us? Great CS, Cryptic.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Well, I got the email about 30 mins ago. I was worried I'd log on and find all my stuff gone. Anyhow, I ignored the link in the email and did a password reset directly on the STO website. All appears to be well.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Asmick wrote: »
    seriously, i had to cover my account being TRIBBLE on stoked to really bring this to light? what a joke. Dec of 2010 and it takes almost 2 years to let customers know.... really filling me with confidence.

    You know it's bad when even the STOked guys are upset.....
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    I'm having the same problem, all the "Forgot my password" links just go to the homepage and I can't change it in the account settings because when I try to get into that, it needs my non-existent password to verify the session. I don't usually complain, but I really hope they extend today's Cure event, because I'm missing out on an opportunity to collect the EDCs I need to finish my MACO set.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Two years to fix a security flaw? You think security would be at the top of the priority list? Cryptic needs to do more, especially how bad PW's system is.


    As for this password resetting...........this is me grumbling. :mad:
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Authenticators are only provided by gaming companies that genuinely care more about their customers than just the bottom line on their profit and loss reports. As such, Cryptic has stated several times that making our accounts more secure simply costs too much. Apparently their accounting team needs to speak to their customer relations team.

    Oh well, when in doubt, just blame it on STOwiki.

    Here's to hoping they change that attitude and can crank out an app for that. I don't need an actual key fob just an app would be fine.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Well this is just lovely. 16 months. That is completely inexcusable considering the fiasco that was Sony you should have stepped up the security a long time ago. I am astounded that you took that long to notice, what else has happened since then? And we're supposed to trust you now with our credit card information? I don't think so.

    you guys really can't afford things like this to happen, it's taken you to a level that i doubt anyone can get below.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    ElChup47 wrote:
    Well, I got the email about 30 mins ago. I was worried I'd log on and find all my stuff gone. Anyhow, I ignored the link in the email and did a password reset directly on the STO website. All appears to be well.

    How did you do that? :confused:
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    According to the e-mail I received my password has been changed but i've just come to the STO website and i'm still logged in.....
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    ok, good news, the Champions link Branflakes gave us seems to be working.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Tuskin wrote:
    They did encrypt the password, read the 'more info' link.

    Indeed. I suspect that this could have been done one of two ways, depending on the database. They could have simply used PASSWORD('yourrealpasswordhere') and it would have used a database routine to encrypt the password (but could be decrypted).

    Or they could have used a function to do it (i.e. MD5 RSA, SHA128, SHA256, Blowfish, DSA, etc.). In any event, however, the password is not guaranteed to be safe even if it is encrypted. This is because anything that can be encrypted, using non-proprietary methods, can be decrypted. All it takes is time, patience, and a cracking program designed to do it. (You learn this doing system and network administration as I have.)

    I suspect that it is for this reason alone that the email, even if hastily and poorly written, was sent out. They're not saying anyone has been definitely compromised. They're saying that a chance exists and it is simply best to change the password now.
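Added example, not part of the original thread and not Cryptic's code (the thread does not say which scheme was used): one way a site can store passwords as salted, deliberately slow one-way hashes, next to a fast unsalted digest for contrast. The record format, function names and iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware


def md5_unsalted(password: str) -> str:
    """Fast, unsalted digest, shown only for contrast with the scheme below."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' with a per-user salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record predates the current scheme or work factor."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    users = {"alice": "correct horse", "bob": "correct horse"}
    print("distinct md5 digests:   ", len({md5_unsalted(p) for p in users.values()}))
    print("distinct pbkdf2 records:", len({hash_password(p) for p in users.values()}))
```

With the unsalted digest both constructed users end up with the same stored value, so one recovered password exposes every account that shares it; the salted records differ and each has to be attacked separately at the full work factor.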
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Cerender wrote: »
    Here's to hoping they change that attitude and can crank out an app for that. I don't need an actual key fob just an app would be fine.

    They made me reset my password yesterday...

    and now again today...

    Somthin' sure is fishy 'round here.

    :eek:
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Yeah thats like almost a year and a half ago.
    I find this extremely disturbing.

    If it takes them a year and a half to find out someone has TRIBBLE their system and gotten their hands on com players account info, how can we ever expect to trust them with anything?

    I have to agree with this. frankly, its absurd to think that it took a year and a half for someone to notice that their databases were wide open. a week is a mistake, even a month could be excused - but 16 months?? thats just showing that whoever is in charge of database security is incompetent. i'm sorry but thats what it is. there are no excuses whatsoever for something like that to be allowed to go undiscovered for such a long period of time.

    all I can say is thank god cryptic doesn't run a bank

    and gee, I wonder what all that bs about stowiki was a few months back. i'd say they were made the scapegoat on that one.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Dec 2010, and only now you're finding out? :o Authenticator please.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    StarTuxia wrote: »
    When did that happen? And Cryptic should give it back, plus 10% more, but they'd probably give you 100 lock boxes without keys instead.

    His account was illegally accessed about two weeks ago. We spent about 4 hours of our free time going through his computer to make sure that there wasn't a keylogger hidden somewhere in his system and we couldn't find a single thing. We were clueless as to how it could have happened ... until now.

    This is just beyond screwed up.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    I remember all the accounts being compromised a month or so back. And everyone swearing up and down it was all STOwiki's fault.

    Except for the fact that there were plenty of people affected who didn't use STOwiki.

    But no, I got shouted down, and everyone swore there was no problem at all with Cryptic's security.

    Except, apparently, that they'd been wide-open for a year and a half, and never noticed.

    So glad I have lifetime access to having my info stolen, but not, y'know, game content. That all costs extra.

    If I recall, there were Cryptic representatives in that topic swearing up and down that it was a Curse Gaming Network issue and not something on their end. Despite people pointing out that they had never been to any of the Curse affiliated sites, and they had done many scans of their computer and found no evidence of a keylogger or other malicious software.

    That is really infuriating.

    It also convinced me to remove the credit card info I have with my accounts. Not going to do business with a company that can't keep their ducks in order. The timing of it, with them swearing the breaches were external and not internal, along with the many other concerning issues that have taken place lately, is just the final nail in a very well sealed coffin.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    AuntKathy wrote:
    Indeed. I suspect that this could have been done one of two ways, depending on the database. They could have simply used PASSWORD('yourrealpasswordhere') and it would have used a database routine to encrypt the password (but could be decrypted).

    Or they could have used a function to do it (i.e. MD5 RSA, SHA128, SHA256, Blowfish, DSA, etc.). In any event, however, the password is not guaranteed to be safe even if it is encrypted. This is because anything that can be encrypted, using non-proprietary methods, can be decrypted. All it takes is time, patience, and a cracking program designed to do it. (You learn this doing system and network administration as I have.)

    I suspect that it is for this reason alone that the email, even if hastily and poorly written, was sent out. They're not saying anyone has been definitely compromised. They're saying that a chance exists and it is simply best to change the password now.

    I think we can safely assume that some folks accounts have been compromised...

    Just read a few of last months Fleet Bank Thievery Threads.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    It happened in 2010 but apparently they were not aware of it until recently:



    So yeah, someone got some splainin' ta do...

    Indeed. Discovering a security breach this long after the fact is... atypical, a bit longer than normal, but not too far off the mark. I'm glad Cryptic responded as soon as they could. I also anticipate that Cryptic will be quite forthcoming if payment information has been compromised as well; it is, after all, a legal requirement in the US and they can face severe penalties if they do not disclose that. So they are likely looking into that possibility as we speak.

    I do find it troubling that the perpetrator was able to break the encryption, though without knowing what kind of encryption was used on the passwords, it's hard to tell if it's worth a sigh, an eyeroll, or pitchforks and torches.

    Keeping in mind that this took place at the end of 2010, before the content drought and before the kitchen was lacking cups, I don't think there's much raeg-fuel to be had here. It's disappointing, to be certain, but any disappointment the players have is eclipsed by the embarrassment Cryptic feels. Taken on the surface, this sounds even worse than the Sony hack -- the password encryption was actually cracked by the bad guys. This sort of thing can haunt a company.

    Also, it will be interesting to see what, if anything, Cryptic does for the people who have said that accounts were TRIBBLE and fleet banks wiped out.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Ok, I'm getting stuck in a loop -- I can't reset my password, the links from the email and in this thread just shoot me to the frontpage.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    Neal wrote:
    According to the e-mail I received my password has been changed but i've just come to the STO website and i'm still logged in.....

    You have to log out manually in order for the startrekonline.com reset password link to work.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    My account was created after December 2010, so I am unsure why it was disabled. In any case, this is a good reminder as to why to use strong passwords. If the passwords were encrypted, then a strong password should still be pretty safe even if it were stolen.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    I got an email saying my passwords were reset, but nothing has changed, so I assume it's a scam email.
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    At Cryptic Studios, your privacy and security is important. As part of our ongoing efforts to monitor and enhance security, we recently detected evidence of an unauthorized access to one of our user databases. The unauthorized access occurred in December 2010, and evidence of this has just been uncovered due to increased security analysis.


    2010?? Isn't it a little late to be telling us of the 'unauthorized access'?? LOL

    It's almost as bad as the doctor saying to you "We recently detected you had leukemia on your blood work done in December 2010. We only discovered it during our 'routine' review of your records today. We're sorry if this is causing you any inconvenience since you are probably already dead.."
  • Archived PostArchived Post Member Posts: 2,264,498 Arc User
    edited April 2012
    ACES_HIGH wrote: »
    ok, good news, the Champions link Branflakes gave us seems to be working.

    That worked for me. Reset my password on CO and already reflected on STO launcher. :)
This discussion has been closed.