
Updated June 23: Important Information for BioWare & EA Account Holders


333 replies to this topic

#151
flexxdk
  • Members
  • 1,791 posts
This news is really old to me.

Last week I got a message about this on my social network and had already taken the necessary steps.

Way to go EA! This news is a week old to me.

#152
Mr Heatsink
  • Members
  • 108 posts
I got it at 2 this morning and upon reading about the hack thought the hackers were impersonating a mod, so I checked here and had some trouble getting on. I feel a lot better knowing that it's real, but it looked very dodgy to me. Anyways, danger's past, I'm off to get yet another new password.

#153
Guest_frudi_*
  • Guests

Python Jones wrote...
There is no point in having a long password when hackers just hack the site and steal them.

Well, the passwords aren't stored in readable (clear-text) form, but are stored encrypted. Hackers therefore steal the encrypted passwords and have to 'crack' them before they're able to use them.
How fast encrypted passwords can be cracked depends on:
- the length of the password
- the number of possible different characters a password can contain
- the method used to encrypt the password

EA, in all their stupidity, put unacceptable limits on both the length of your password (it maxes out at between 16 and 18 characters) and the characters you can use (just letters and numbers).
Since anyone with $1000 can build a computer that can test billions or even tens of billions of passwords per second, such limitations are completely unacceptable.

#154
PsychoMoggieBagpuss
  • Members
  • 1 post
This would be the decade-old BioWare server that had all the old forums and that on it? Which we don't actually have access to anymore (well, unless we're hackers, apparently?).
Good work fellas...

#155
Halfdan The Menace
  • Members
  • 2,294 posts
[image]

#156
tomaltach
  • Members
  • 46 posts

Dreammosaic wrote...
Have to agree with you. I tried to use / ! # $ in my password, along with a mix of upper and lower case letters.
Told me it wasn't accepted.

Really? Like that guy said, you were just hacked and you are still limiting the amount of variety a password can be?

Amazing work, EA/Bioware. Just brilliant.

Quickly making a change and putting it into production after an attack is a sure way to either another breach or even more angry customers. That being said, reducing the charset available for passwords to prevent, say, SQL injection attacks, is the wrong way of doing things.

Python Jones wrote...
There is no point in having a long password when hackers just hack the site and steal them.

Got the email this morning; the most annoying thing for me was I just changed my password a few days ago :| With stuff like EA Accounts and Steam we should have a chip and PIN card, but then that requires them to actually spend money on security. :whistle:


Length of password still matters. What they got were encrypted passwords. Any site that stores its passwords in plaintext should be avoided like an ebola-infested leper. What a long, complex password does is buy you time. It makes it less likely that your password is in a dictionary of pre-encrypted passwords, and it makes it harder to find it via brute force.

Two-factor authentication has its own problems. Recently, RSA was attacked and their SecurID token system was compromised, allegedly leading to the breach of some defense contractors. Also, your cost argument is silly. It would just get passed directly to customers. Blizzard has the option of using fobs for their battle.net accounts, and last I checked, they didn't give the fobs away for free.

#157
Nekator
  • Members
  • 361 posts
Wow... way to go Bio... I posted here when this was made public. Now, over a week later, I get the damned email (which looks like a bad phishing try)??

#158
OBakaSama
  • Members
  • 3,112 posts
I got an email too. Though I have to admit it seemed odd to me in a sense in that...I don't think I had any real info at the old site. Still a concern though of course.

#159
K K Slider
  • Members
  • 144 posts
Received the email during the early hours of this morning. Thought it was a phishing attempt. Good job I checked here. :mellow:

Not sure what the "decade-old BioWare server system supporting the Neverwinter Nights forums" means though; I've never registered there.

#160
Python Jones
  • Members
  • 6 posts

tomaltach wrote...
Length of password still matters. What they got were encrypted passwords. Any site that stores its passwords in plaintext should be avoided like an ebola-infested leper. What a long, complex password does is buy you time. It makes it less likely that your password is in a dictionary of pre-encrypted passwords, and it makes it harder to find it via brute force.


Fair enough point, but I don't see the point of having a 20+ one; surely the more unique it is the better.

tomaltach wrote...
Two-factor authentication has its own problems. Recently, RSA was attacked and their SecurID token system was compromised, allegedly leading to the breach of some defense contractors. Also, your cost argument is silly. It would just get passed directly to customers. Blizzard has the option of using fobs for their battle.net accounts, and last I checked, they didn't give the fobs away for free.


That's because ActiBlizzard chose to make a profit from it; they're not doing it out of the kindness of their hearts. If EA are gonna link all their games to one account system (especially with it now being your Origin account) I would prefer at least some sort of security enhancement.

Edited by Python Jones, 24 June 2011 - 10:21.


#161
Vmode
  • Members
  • 40 posts

Nekator wrote...

Wow... way to go Bio... I posted here when this was made public. Now, over a week later, I get the damned email (which looks like a bad phishing try)??


Yeah, I thought the same thing. Even though I'd read about the breach on Kotaku when it first happened, I still thought the email looked way too "fishy", so I just did a regular password reset on the BioWare social site (instead of clicking the link in the email).

#162
tomaltach
  • Members
  • 46 posts

frudi wrote...
Well, the passwords aren't stored in readable (clear-text) form, but are stored encrypted. Hackers therefore steal the encrypted passwords and have to 'crack' them before they're able to use them.
How fast encrypted passwords can be cracked depends on:
- the length of the password
- the number of possible different characters a password can contain
- the method used to encrypt the password

EA, in all their stupidity, put unacceptable limits on both the length of your password (it maxes out at between 16 and 18 characters) and the characters you can use (just letters and numbers).
Since anyone with $1000 can build a computer that can test billions or even tens of billions of passwords per second, such limitations are completely unacceptable.


While there are certainly unnecessary restrictions on the character set, it's more than just numbers and letters. I'm not especially fond of the restrictions either, but one should keep things in perspective. Even with just upper and lower case letters and numbers, guessing 10 billion passwords/sec would take over two years to exhaust the password space for a 10-character password. Add a single character, and that becomes almost 165 years.

The encryption method can also affect the speed of password discovery. I use a password storage system configured to perform enough transformations on the master password that it takes about 5 seconds to open the database. That 10 billion/sec becomes maybe a few thousand/sec assuming a more modern system and cracking software taking advantage of CPU and GPU cores.

In any case, no matter how long your password is or how long it would take to crack it, if the encrypted password is stolen, it should be changed. Password strength isn't about making you secure. It's about buying you time before your next (un)scheduled password change.

#163
tomaltach
  • Members
  • 46 posts

Python Jones wrote...

tomaltach wrote...
Two-factor authentication has its own problems. Recently, RSA was attacked and their SecurID token system was compromised, allegedly leading to the breach of some defense contractors. Also, your cost argument is silly. It would just get passed directly to customers. Blizzard has the option of using fobs for their battle.net accounts, and last I checked, they didn't give the fobs away for free.


That's because ActiBlizzard chose to make a profit from it; they're not doing it out of the kindness of their hearts. If EA are gonna link all their games to one account system (especially with it now being your Origin account) I would prefer at least some sort of security enhancement.


Well, my point was that I don't see EA doing it out of the kindness of their hearts either :)

Edit: fixed broken quoting

Edited by tomaltach, 24 June 2011 - 11:07.


#164
tomaltach
  • Members
  • 46 posts
Edit: Brain fail

Edited by tomaltach, 24 June 2011 - 11:07.


#165
nightscrawl
  • Members
  • 7,457 posts
I dislike complaining to companies, because I know you all try your best. But this response is shameful. You all have known about this issue for over a week, but I received an email only 12 hours ago. The very first step when something like this happens should be damage control. If that means you send a scripted email to every Bioware account telling them to change their passwords, well then you just do that. Not only should there have been a huge red message in that spiffy flash banner you have displaying your major current games on the user home page, there should be a sticky in the news forum of every game.

I had to hunt around the forums before I clicked on the link in the email because I was afraid of a phishing attempt. I certainly was not going to go on the advice of other forum goers for my own security and deemed it necessary that I had to see an official post about this issue. Once I found that I felt safe in clicking the password reset link. Since I know it will be stated by some, I could NOT reset it manually on this site because it had already been flagged as invalid. I should not have had to scroll all the way down to the special social.bioware.com Site Help section, when I didn't even know there was a problem in the first place, until I read the email I was sent a week after the incident.

This isn't really about legacy NWN account, since I think you all will get that straightened out eventually, but I do use (or had used before I changed it) this same information for my Dragon Age account, as well as another game. I also don't entirely fault you guys for the hack, especially when there are people out there purposely targeting companies. It's not something you had control over. However, you did have control over your response to the issue, and that is where I find fault.

To be honest, these entire forums are unworthy of such a large company like Bioware, and your parent EA. I've thought this for a while now, but I certainly wasn't going to make a pissy forum post about it. Please use this as an opportunity to change things for the better and not just put a band-aid on the issue.


K K Slider wrote...

Not sure what the "decade-old BioWare server system supporting the Neverwinter Nights forums" means though; I've never registered there.


The old Neverwinter Nights website (nwn.bioware.com - now just redirecting to the main BioWare page) and forum were organized differently as well as probably built on different software. Also, I assume that the statement about servers is a literal one: they were over 10 years old. Who knows how long it's been since they did security patches and so forth. "This is an older game, we don't need to do as much to manage it." So, the servers just sit there, and as long as nothing breaks on the forums, or with the game registration process, there is really no need to maintain them as much. Since NWN is so much older, there will be less traffic to the site and forums, which also decreases the need for maintenance.

As I said above, hopefully this will be a learning experience.

Edited by nightscrawl, 24 June 2011 - 11:53.


#166
Y2Kevin
  • Members
  • 190 posts

K K Slider wrote...

Received the email during the early hours of this morning. Thought it was a phishing attempt. Good job I checked here. :mellow:

Not sure what the "decade-old BioWare server system supporting the Neverwinter Nights forums" means though; I've never registered there.


I'm in the same exact situation. I too never registered for the Neverwinter Nights forum that was hacked, yet still received the e-mail... and that e-mail looks rather phishy (pardon the pun), especially considering this is the e-mail address it came from: "support-bwfbb2bbgwmbfsau65qw3rakctc6rf@em.ea.com"

I do believe more could have been done to make users aware of the breach, as well as make users feel more comfortable with the legitimacy of the password reset e-mail.

Edited by Y2Kevin, 24 June 2011 - 12:17.


#167
SillyJerry
  • Members
  • 35 posts
Well... if they have names and email addresses and whatnot, isn't there a way for them to change newly made passwords anyway? I can't remember if BioWare and/or EA have secret questions and nonsense like that.

I changed my password again today just to be sure, but still, it's annoying as hell.

#168
Skarren
  • Members
  • 1 post
I too found the e-mail rather... dodgy, so I went to the bioware.com page to try and log in. The password was disabled as I expected, so I pressed the lost password button there. Now here is where it really got fishy for me.

This of course took me to the ea.com support pages, and I got the e-mail to reset my password sent to me.

Now Hotmail didn't actually like this e-mail a whole lot, but I suspect it's because there seems to be a bit of a bug with it. It is from the @em.ea.com line of e-mails I get from all EA stuff, Sims etc. (yes I play, sue me :P)

But for some reason the e-mail uses @@em.ea.com, so I suspect it got flagged for that reason.


Suspicious part number two: the e-mail mixed German and Norwegian. I'm Norwegian; the first paragraph was in German, then it went on to talk about Origin in Norwegian. Seems really, really suspect to me, but then again this is what I got from just using BioWare's lost password on the main BioWare page, and not through the initial e-mail received.

Anyone else got anything like this in their lost password e-mail?

Just to note, the whole page to type in the e-mail for the password reset on the EA page was also in Norwegian, no German mixed in here.

#169
ecto69
  • Members
  • 152 posts
In case anyone is interested, here is an FAQ on the breach:

support.ea.com/app/answers/detail/a_id/5367/showhome/true

When I got the email I questioned it right away and searched for info, and found the above and other sites talking about it.

#170
Guest_Heed_*
  • Guests
For those of you who are unaware, if you played NWN then you created a forum account when you logged into the online features of the game. The account creation process was the creation of a forum account -- it's the same thing. Even if you never went to the site or signed up on the site, if you accessed multiplayer features, then you created a forum account. The master server authentication etc. used that forum account info.

#171
nightscrawl
  • Members
  • 7,457 posts
So I'm curious: I had been thinking of installing Neverwinter Nights since I haven't played it in years. Would I still be able to patch the game fully up to 1.69, or was all of that taken down too?

#172
OBakaSama
  • Members
  • 3,112 posts
There is a NWN board here at the current forums. I don't visit there but I'm sure the info and stuff is there.

#173
Herethos
  • Members
  • 378 posts
Just what I feared would happen when tying and linking accounts together to get preorder stuff, DLCs and such working together with the game, and displayed on a social forum that you've bought the game, to a more serious EA account where you have credit card, personal information and such with the EA Store, all linking to and from the BioWare social account. I changed the passwords, but what does it matter if they already have the information?

#174
ForumHelper
  • Members
  • 364 posts
Ok, so... I made an old legacy account, there I've learned I needed to make a BSN account and link it to EA account. My question is: what's the connection between new and old accounts? I don't remember linking them in any way.
That being said, I had different passwords for both accounts. Does this mean that both were compromised?

IF it is only the legacy account that's been hacked, why reset EA account passwords? Just for security (better safe than sorry?)?

Edited by SarKter, 24 June 2011 - 02:14.


#175
Sweetz
  • Members
  • 89 posts
I just got the email this morning at my work e-mail address - which is rather shocking.

It's not the security break that's shocking - read about that a week ago on gaming blogs. Rather, for the life of me, I can't remember ever using my work email to register on ANY EA or Bioware associated forums, so I'm a bit spooked by the fact that I received the warning email there.