OFFICIAL NEWS


IMPORTANT – Please change your Ryzom password

Tamarea,

It would be normal to send an e-mail to the associated e-mail address for the compromised accounts, informing them of the same. If a person is not active in Ryzom, they would need to know nonetheless that there has been a security breach.

Other points I want to see addressed:

- I have multiple accounts (storage alts, etc.) and ALL of them have been compromised. A lot of the active guildmates have all confirmed they have been hit too. This is too much of a coincidence.

Given this data, I do not believe in the slightest that only 1% of the accounts were hit; it is statistically improbable that everyone I know has been hit. How many accounts of active players have been compromised?

- Several old encryption mechanisms have been proven weak over time; we need to know what encryption you are / were using. My fear is that you are still using a hashing algorithm that was "standard" at the game launch in 2004, i.e. md5 or sha1, which means the lost passwords were cracked almost immediately.

This is a very justified fear considering players have had to notify you in public that the server software was severely outdated.

- Related: were the passwords salted too, or just hashed?

- As others have already pointed out, please allow more complex passwords ASAP.

- Take this opportunity to implement extra security measures, for instance the usage of a PIN code to change characters (create/delete).

Time is of the essence. Answer fast.
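The hashing and salting questions raised in the post above, as an added example that is not Ryzom's code and makes no claim about what Ryzom actually stores: a constructed unsalted-MD5 account store of the kind the poster fears, beside a salted and iterated PBKDF2 store, with a login path that upgrades a legacy record the first time its owner signs in successfully. The iteration count and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample store in the legacy shape the post fears: an unsalted MD5 of
# each password. Two users with the same password get the same digest, so one
# precomputed lookup cracks both at once and reveals shared passwords for free.
LEGACY_USERS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"correct horse").hexdigest(),
}

PBKDF2_ITERATIONS = 600_000  # assumption: a current cost factor; tune per deployment

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iters$salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def login_and_migrate(user: str, password: str, legacy: dict, modern: dict) -> bool:
    """Check either store; a successful legacy login rehashes the record in place."""
    if user in modern:
        return verify_password(password, modern[user])
    if user in legacy:
        ok = hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), legacy[user])
        if ok:  # the plaintext is only available now, so this is the moment to upgrade
            modern[user] = hash_password(password)
            del legacy[user]
        return ok
    return False

def migration_demo() -> tuple:
    """Walk one user through wrong login, correct login (migrates), and a second login."""
    legacy, modern = dict(LEGACY_USERS), {}
    wrong = login_and_migrate("alice", "wrong", legacy, modern)
    right = login_and_migrate("alice", "correct horse", legacy, modern)
    again = login_and_migrate("alice", "correct horse", legacy, modern)
    return wrong, right, again, "alice" in legacy, "alice" in modern
```

Rehash-on-login only reaches users who still sign in; accounts that stay dormant keep the weak record, which is why the post's point about notifying inactive players by e-mail matters.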
