Account Security Discussion

[HomeFry]

Well, Trion's done right by me, I figure the least I can do is try to be helpful.

Here here, to be honest this is the first MMO company I've seen thats been on the bar about everything.

[ManWitDaPlan]

Well, servers are back up MWTP. Please tell us the hole is sealed!

Got word back from Steve Chamberlin, the development lead for Rift. This hole is sealed.

They have to proverbially play their proverbial cards close to the chest for a while to ensure that there aren't other lurking issues this one was hiding, but the issue I found is no more.

[Linus]

I just wanted to say thanks to MWDP. You could have done many disreputable things with what you skillfully discovered. You, instead, chose the high road. I commend you for that. I know that doesn't mean much from an anonymous person on the internet, but I promise you I don't offer praise lightly.

If you ever find yourself in Austin, TX, PM me. I will definitely buy you dinner or at least a beer. You deserve much more, but it's what I can offer.

Also thanks to seebs, HomeFry, and Scoo as well. The beer offer is open for you three as well.

[Agronas]

Seriously... you guys saved them an enormous amount of lost business, you should each get at least one or more free accounts for the life of the game (at a minimum)

[Zilvermoon]

Got word back from Steve Chamberlin, the development lead for Rift. This hole is sealed.

They have to proverbially play their proverbial cards close to the chest for a while to ensure that there aren't other lurking issues this one was hiding, but the issue I found is no more.

Really really good news.

Zilvermoon

[TheScoo]

This is the main advantage of a Pay-To-Play vs free, the community actually cares, they are paying for it so they want it right, and the developers want it right for them. Trion truly cares about our gaming and social experiences, and we should have faith that anytime an issue comes up, the commnity and trion will work together diligently to correct it!

[ManWitDaPlan]

I dunno, man, I don't think I woulda gotten it. I'm not very good at the fiddly bits of security stuff.

But yeah. Trion's response to this? Perfect.

1. Fix the bug RIGHT NOW. No delay, no "let's roll this in".
2. No attempt to deny or play blame games.
3. Fix goes live IMMEDIATELY once it's available.
4. Explain what the fix was AFTER it is fixed, not before.

The decision to coin lock everyone is a reasonably good one when you consider that they have solid evidence that a whole lot of accounts were at least partially compromised... but that the attackers did not know the email addresses or passwords. Coin lock is perfect for that.

Yep, they did what you do. You fix it. No whining, no games, no finger pointing, you fix it, you fix it hard, you fix it so it's fixed and fixed but good. Then you can do whatever.

[HomeFry]

Yep, they did what you do. You fix it. No whining, no games, no finger pointing, you fix it, you fix it hard, you fix it so it's fixed and fixed but good. Then you can do whatever.

I'm tempted to walk in the other room and slap you for making me read this.... ;p

[Lisnpuppy]

Thanks everyone that figured this out and worked to get it fixed.

For those *****ing about being occasionally coin-locked....well it took less than 2 min for me to get the email and unlock the account. It took me longer than that to figure out where I had left my WoW authenticator every time.

Get some patience people. It does wonders for your blood pressure.

[TheScoo]

I'm tempted to walk in the other room and slap you for making me read this.... ;p

I join in on monday!

[Letendeth]

Thank you MWDP + Trion.

I feel like there should be some memorial rectified. I'll cook up something.

[derek7527]

account got hacked last Sunday now its Friday and still don't have my stuff customer service is crap

[TheScoo]

account got hacked last Sunday now its Friday and still don't have my stuff customer service is crap

Give them some time dude, The massive security bug had to be squashed first, then they can start the cleanup process! Patience is a virtue!

[Letendeth]

Give them some time dude, The massive security bug had to be squashed first, then they can start the cleanup process! Patience is a virtue!

Gotta be honest, this is easy to say when your not the one that is hacked. I've been waiting since Monday to get anywhere... The CS, up until the last call I've had has been very helpful. Granted I have made no progress, but they said some nice things and empty promises to keep me calm

[ManWitDaPlan]

More replies!

I guess the process is something like: authenticate with one user, and then use the email from another user to login into the game, without needing to use his password. So a hacker would need only his own account and a list of valid emails to access other accounts.

I'm wildly guessing based on my knowledge of token based systems because I really dont know how the hole works.

I've asked Trion about whether to do a postmortem analysis of the exploit. If they approve of this I'll work something up over this weekend that will explain the situation in more detail. I'm sure you can understand that it's up to them to decide whether and to what extent to reveal such details... ;)

I'll be a guinea pig. I'm skeptical about this, and I'd like to see you hack into my account. My character is on Sunrest and one of my alts has this name. You can log in to my highest level character and move him to another zone if you'd like to show me.

I am one of the naysayers, so please prove me wrong and I'll rescind what I said. Trion's first post in this thread already covered what I knew was happening with the hacks.

If all went well the exploit is no longer exploitable, so hopefully I can no longer do so. I would need one specific piece of info (neither username nor password) to target a specific account - the hacks were likely random in nature since that one key piece of data was unavailable.

So, feel free to remain skeptical. I know better, as do some others on the forums and, well, pretty much all of Trion at this point.

You expect a company like Trion, that wants the best possible scenario to win customers over to try to keep this hush hush? I'll wait till I see an official release that this was a supposed bug.

I'd imagine that will be forthcoming. Look for mention of an authentication fix in the patch notes.