IMPORTANT – Please change your Ryzom password - OFFICIAL NEWS - Ryzom Community Forum

OFFICIAL NEWS



#1
Hello,

Recently, we discovered a cyberattack on our login system. This attack compromised less than 1% of Ryzom accounts.

What’s important for you to know:
- The hacker only got the login and the *encrypted* version of your password.
- We never store any financial information in our database. All financial information is stored by our providers WorldPay and PlaySpan. This means that no financial information was accessed or compromised.

We decided to block compromised accounts, so if you try to log in to the game and see error number 4444 asking you to change your password, please change it and you'll be able to play after that.

The best way to change your password is to go to this page (https://secure.ryzom.com/payment_profile/lost_secure_password.php?language=en) and follow the instructions. It will send a link to your email (the email you entered in your Ryzom profile).

We understand that changing your password may be inconvenient. We are doing everything we can to protect your data.

If you have more than one Ryzom account, you should change the password for each account. If you used the same password on any other site, we encourage you to change it on those sites too.

If you have any issues, please contact us: support@ryzom.com

We apologize for any inconvenience or concern this situation may cause.

Ryzom Team

Edited 6 times | Last edited by Tamarea (3 years ago)

---

Tamarea
Ryzom Teams and Communications Manager - (FR / EN / ES)

tamarea@ryzom.com



Join Ryzom Forge IRC
Ryzom Forge Wiki

#2

Thank you for letting us know.

Can you please change the way these passwords need to look? 5-8 characters aren't that complex. Please consider allowing longer passwords.

Thank you :-)
Mikira

---


________________________

High Officer of Syndicate
________________________

#3

+999 to Mikira

---

Adaptation from "I have a dream" by "Martin Luther King"
I have a dream that one day this world will rise up and live out the true meaning of its creed: "We hold these truths to be self-evident: that all homin are created equal." I have a dream that one day on the hills of Fairhaven the sons of former homins left behind and the sons of former homins that were lucky enough to be rescued will be able to sit down together at a campfire of brotherhood. I have a dream that one day even the Matis, a state, sweltering with the heat of injustice and sweltering with the heat of oppression, will be transformed into an oasis of freedom and justice. I have a dream that my 64 little guildies will one day live in a nation where they will not be judged by the color of their skin or the religion they follow but by the content of their character. I have a dream today.

#4

hmm, up to 12, special and non-alphanumeric also...

---

Remickla (atys)
Other games - they give you a cookie whether you succeed or not, in fact you don't even have to participate. Ryzom takes your cookie, eats it in front of you, and slaps you 2 or 3 times for bringing a cookie in the first place.
What Cookies is about ---- Contact Cookies ---- Cookies at Events ---- For Cookies Diggers and Crafters
Useful Links:
all in one IRC link for web based IRC chat --- cookies approved referance data, guides, and more. --- ryztools web version --- talkIRC forum post table of contents

#5

Tamarea,

It would be normal to send an e-mail to the associated e-mail address for the compromised accounts, informing them of the same. If a person is not active in Ryzom, they would need to know nonetheless that there has been a security breach.

Other points I want to see addressed:

- I have multiple accounts (storage alts, etc.) and ALL of them have been compromised. A lot of the active guildmates have confirmed they have been hit too. This is too much of a coincidence.

Given this data, I do not believe in the slightest that only 1% of the accounts were hit; it is statistically improbable that everyone I know has been hit. How many accounts of active players have been compromised?

- Several old encryption mechanisms have been proven weak over time; we need to know what encryption you are / were using. My fear is that you are still using a hashing algorithm that was "standard" at the game launch in 2004, i.e. MD5 or SHA-1, which means the lost passwords were cracked almost immediately.

This is a very justified fear considering players have had to notify you in public that the server software was severely outdated.

- related: were the passwords salted too, or just hashed?

- As others have already pointed out, please allow more complex passwords ASAP.

- Take this opportunity to implement extra security measures, for instance the usage of a PIN code to change characters (create/delete).

Time is of the essence. Answer fast.

Edited 2 times | Last edited by Mjollren (3 years ago)

---

#6

Mjollren (atys)
- Several old encryption mechanisms have been proven weak in time; we need to know what encryption you are / were using. My fear is that you are still using a hashing algorithm that was "standard" at the game launch in 2004, i.e. md5 or sha1, and which means the lost passwords were cracked almost immediately.
Passwords are encrypted with 'crypt'; it uses DES, I think, and it's salted.

---

Hello!

#7

Mjollren (atys)
Tamarea,
- I have multiple accounts (storage alts, etc) and ALL of them have been compromised. A lot of the active guildmates have all confirmed they have been hit too. This is too much of a coincidence.

Given this data, I do not believe in the slightest that only 1% of the accounts were hit; it is statistically improbable that everyone I know has been hit. How many accounts of active players have been compromised?

Agreed. There are 3 accounts in my household alone that have been compromised, and one of the few guildies I saw the other night also had the same issue. If at least 3 of the 4 players I talked to recently had a problem, the odds are that it wasn't 1%.

---

#8

Mjollren --

I don't know for sure of course, but if I had a significant number of accounts compromised, I'd put in a block on *all* accounts to make them change their passwords. The rest of your comments are good, but would involve there being coding time to do it. Changing security systems is not a simple matter. Karu undoubtedly knows more and might be able to comment.

-- Bitty -- (not a dev or a csr)

Last edited by Bitttymacod (3 years ago)

---


Remembering Tyneetryk
Phaedreas Tears - 12 years old and first(*) of true neutral guilds in Atys.
(*) This statement is contested, but we are certainly the longest lasting.
<clowns | me & you | jokers>

#9

We can implement an in-game password change option and complex passwords. We should also make a rule that you cannot reuse the last password used on your account. One more thing: one more rule that players must change their password after a certain time (as most of us don't bother to change our password once we've made the account. We are lazy, at least I am, hehehe).

---

I am the one in ten. Even though I don't exist. Nobody Knows me.
Even though I'm always there. A statistical reminder of a world that doesn't care.


#10

I for one am glad that this attack was detected and dealt with so quickly and efficiently. Yes, things could be made more secure, but nothing online is ever totally secure.

---

It's bad luck to be superstitious . . .



Palta e decata, nan nec ilne matala.

When one goes on a journey it is not the scenery that changes, but the traveller

#11

Gidget (atys)
If at least 3 of the 4 players I talked to recently had a problem, the odds are that it wasn't 1%.

They didn't say 1% of active accounts.

SELECT * from nel WHERE SubDate > '2014-08-14'

---

Kaetemi

#12

Arfur (atys)
I for one am glad that this attack was detected and dealt with so quickly and efficiently. Yes, things could be made more secure, but nothing online is ever totally secure.
+1 and bank details are safe - so we are good to go

---

Binarabi
This idea of "I'm offended". Well I've got news for you. I'm offended by a lot of things too. Where do I send my list? Life is offensive. You know what I mean? Just get in touch with your outer adult. (Bill Hicks)

#13

Why is it actually not possible to set passwords longer than 8 characters or with special characters? Although it at least seems to be possible to have longer passwords, because my original password when I first registered with Ryzom was definitely longer than 8 characters.

Edit:
There is already a discussion about this and other security features in the English forum. Unfortunately there is no statement from the official side yet.

Last edited by Khalaoden (3 years ago)

---

#14

Karu (atys)
passwords are encrypted with 'crypt', it uses DES i think and it's salted.

Yep, the traditional DES-based scheme of crypt(3) uses a very small salt (12 bits, represented by 2 characters). Fun fact: Ryzom's code includes implementations of crypt(3) and MD5 (MD5 isn't used for game passwords).

Just a note for all the people who thought it's hard to retrieve a password hashed in such a way: https://twitter.com/hashcat/status/160488271267364864

Edited 2 times | Last edited by Markanjio (3 years ago)

---

Markanjio di Segafredo
Noble Gardien des Matis - Noble Matis Guardian
Fléau de l'Empire - Scourge of the Empire
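Post #14 describes the limits of the traditional DES-based crypt(3): a 12-bit salt and an 8-character cap, which is also what lies behind the 5-8 character password policy complained about in posts #2, #4 and #13. The following is an added example in Python, not code from Ryzom or from anyone in this thread: legacy records are recognised by their 13-character shape so they can be re-hashed at the next successful login, and new records use a 16-byte random salt with PBKDF2-HMAC-SHA256 (the iteration count is an assumption) so that the whole password counts, not only its first 8 characters.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Traditional DES crypt(3) record: 2 salt chars + 11 hash chars from [./0-9A-Za-z]; 4096 salts, 8-char cap.
LEGACY_CRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor: an assumption for this example, tune to your hardware
SALT_BYTES = 16        # 128-bit random salt per account instead of 12 bits

def is_legacy_des_crypt(stored: str) -> bool:
    """True when a stored value has the shape of a traditional DES crypt(3) hash."""
    return LEGACY_CRYPT_RE.fullmatch(stored) is not None

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 record in the form scheme$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"

def _parse(stored: str):
    """Split a record into (iterations, salt, digest); None if it is not one of ours."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None

def verify_password(password: str, stored: str) -> bool:
    """Constant-time check; the whole password is used, so an 8-char prefix no longer matches."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def needs_rehash(stored: str) -> bool:
    """Flag legacy DES records, unknown formats and under-iterated records for re-hashing at login."""
    if is_legacy_des_crypt(stored):
        return True
    parsed = _parse(stored)
    return parsed is None or parsed[0] < ITERATIONS
```

A legacy record can only be checked against the old crypt(3) routine, so the migration path is: verify with the old scheme once, and on success store `hash_password(password)` in its place.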

#15

For those of us who are somewhat computer literate but not uber-coders, what did that screenshot say?

---


Remembering Tyneetryk
Phaedreas Tears - 12 years old and first(*) of true neutral guilds in Atys.
(*) This statement is contested, but we are certainly the longest lasting.
<clowns | me & you | jokers>