OFFICIAL NEWS



#1 Report | Quote[Multilingual]

Hello,

Recently we discovered that there was a cyberattack on our login system. The attack affected less than 1% of Ryzom accounts.

What is important for you:
- The hackers only obtained the login and the encrypted version of your password.
- We have never stored financial information in our database. All financial information is stored with our providers WorldPay and PlaySpan. This means that no financial information was accessed or compromised.

We decided to block the compromised accounts, so that error message 4444 is shown at login and a password change is requested. Please change it, and afterwards you will be able to play again as usual.

The best way to change the password is to go to this page ( https://secure.ryzom.com/payment_profile/lost_secure_password.php?language=de ) and follow the instructions. It will send a link to your registered e-mail (the e-mail address stored in your account).

We understand that changing your password may be inconvenient. We are doing everything we can to protect your data.

If you own more than one Ryzom account, you should change the password there as well. If you also use these passwords on other sites, we recommend changing them there too.

If any problems occur, please write to us: support@ryzom.com

We apologise for any inconvenience this situation brings with it.

Ryzom Team

Edited 6 times | Last edited by Tamarea (9 years ago)

---

Tamarea
Ryzom Team Manager
(FR / EN / ES)

tamarea@ryzom.com

#2 Report | Quote[en] 

Thank you for letting us know.

Can you please change the way these passwords need to look? 5-8 characters aren't that complex. Please consider allowing longer passwords.

Thank you :-)
Mikira

---


________________________

High Officer of Syndicate
________________________

#3 Report | Quote[en] 

+999 to Mikira

---

#4 Report | Quote[en] 

hmm, up to 12, special and non-alphanumeric also...

---

Remickla (atys)
Other games - they give you a cookie whether you succeed or not, in fact you don't even have to participate. Ryzom takes your cookie, eats it in front of you, and slaps you 2 or 3 times for bringing a cookie in the first place.
What Cookies is about ---- Contact Cookies ---- Cookies at Events ---- For Cookies Diggers and Crafters
Useful Links:
cookies approved referance data, guides, and more. --- ryztools web version --- talkIRC forum post table of contents

#5 Report | Quote[en] 

Tamarea,

It would be normal to send an e-mail to the associated e-mail address for the compromised accounts, informing them of the same. If a person is not active in Ryzom, they would need to know nonetheless that there has been a security breach.

Other points I want to see addressed:

- I have multiple accounts (storage alts, etc) and ALL of them have been compromised. A lot of the active guildmates have all confirmed they have been hit too. This is too much of a coincidence.

Given this data, I do not believe in the slightest that only 1% of the accounts were hit; it is statistically improbable that everyone I know has been hit. How many accounts of active players have been compromised?

- Several old encryption mechanisms have been proven weak in time; we need to know what encryption you are / were using. My fear is that you are still using a hashing algorithm that was "standard" at the game launch in 2004, i.e. md5 or sha1, and which means the lost passwords were cracked almost immediately.

This is a very justified fear considering players have had to notify you in public that the server software was severely outdated.

- related: were the passwords salted too, or just hashed?

- As others have already pointed out, please allow more complex passwords ASAP.

- Take this opportunity to implement extra security measures, for instance the usage of a PIN code to change characters (create/delete).

Time is of the essence. Answer fast.

Edited 2 times | Last edited by Mjollren (10 years ago)

---

#6 Report | Quote[en] 

Mjollren (atys)
- Several old encryption mechanisms have been proven weak in time; we need to know what encryption you are / were using. My fear is that you are still using a hashing algorithm that was "standard" at the game launch in 2004, i.e. md5 or sha1, and which means the lost passwords were cracked almost immediately.
Passwords are encrypted with 'crypt'; it uses DES, I think, and it's salted.

---

Hello!

#7 Report | Quote[en] 

Mjollren (atys)
Tamarea,
- I have multiple accounts (storage alts, etc) and ALL of them have been compromised. A lot of the active guildmates have all confirmed they have been hit too. This is too much of a coincidence.

Given this data, I do not believe in the slightest that only 1% of the accounts were hit; it is statistically improbable that everyone I know has been hit. How many accounts of active players have been compromised?

Agreed. There are 3 accounts in my household alone that have been compromised, and one of the few guildies I saw the other night also had the same issue. If at least 3 of the 4 players I talked to recently had a problem, the odds are that it wasn't 1%.

---

Do not assume that you speak for all just because you are the loudest voice; there are many who disagree that simply have no desire to waste words on you.

#8 Report | Quote[en] 

Mjollren --

I don't know for sure of course, but if I had a significant number of accounts compromised, I'd put in a block on *all* accounts to make them change their passwords. The rest of your comments are good, but would involve there being coding time to do it. Changing security systems is not a simple matter. Karu undoubtedly knows more and might be able to comment.

-- Bitty -- (not a dev or a csr)

Last edited by Bitttymacod (10 years ago)

---


Remembering Tyneetryk
Phaedreas Tears - 15 years old and first(*) of true neutral guilds in Atys.
(*) This statement is contested, but we are certainly the longest lasting.
<clowns | me & you | jokers>

#9 Report | Quote[fr] 

We can implement an in-game password change option and complex passwords. We should also make a rule that you cannot reuse the last password used on your account. One more rule: players must change their password after a certain time (as most of us don't bother to change our password once we've made the account. We are lazy, at least I am, hehehe).

---

I am the one in ten. Even though I don't exist. Nobody Knows me.
Even though I'm always there. A statistical reminder of a world that doesn't care.


#10 Report | Quote[en] 

I for one am glad that this attack was detected and dealt with so quickly and efficiently. Yes, things could be made more secure, but nothing online is ever totally secure.

---

It's bad luck to be superstitious . . .



Palta e decata, nan nec ilne matala.

When one goes on a journey it is not the scenery that changes, but the traveller

#11 Report | Quote[en] 

Gidget (atys)
If at least 3 of the 4 players I talked to recently had a problem, the odds are that it wasn't 1%.

They didn't say 1% of active accounts.

SELECT * from nel WHERE SubDate > '2014-08-14'

---

Kaetemi

#12 Report | Quote[en] 

Arfur (atys)
I for one am glad that this attack was detected and dealt with so quickly and efficiently. Yes, things could be made more secure, but nothing online is ever totally secure.
+1 and bank details are safe - so we are good to go

---

Binarabi
This idea of "I'm offended". Well I've got news for you. I'm offended by a lot of things too. Where do I send my list? Life is offensive. You know what I mean? Just get in touch with your outer adult. (Bill Hicks)

#13 Report | Quote[de] 

Why is it actually not possible to set passwords longer than 8 characters, or ones with special characters? Although it at least seems to be possible to have longer passwords, because my original password when I first registered with Ryzom was definitely longer than 8 characters.

Edit:
There is already a discussion about this and other security features in the English forum. Unfortunately there is no statement from the official side yet.

Last edited by Khalaoden (10 years ago)

---

#14 Report | Quote[en] 

Karu (atys)
passwords are encrypted with 'crypt', it uses DES i think and it's salted.

Yep, the traditional DES-based scheme of crypt(3) uses a very small salt (12 bits, represented by 2 characters). Fun fact: Ryzom's code includes implementations of crypt(3) and MD5 (MD5 isn't used for game passwords).

Just a note for all the people who thought it's hard to retrieve a password hashed in such a way: https://twitter.com/hashcat/status/160488271267364864

Edited 2 times | Last edited by Markanjio (10 years ago)

---

Markanjio di Segafredo
Alkiane
Noble Gardien des Matis - Noble Matis Guardian
Fléau de l'Empire - Scourge of the Empire

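As an added example (this is not Ryzom's code and not code from anyone in the thread), the Python below does what a practitioner would want after reading the exchange above: it classifies a stored crypt(3)-style hash by its prefix and shape, reports the salt size and the password-length limit of the scheme, and puts the legacy DES scheme next to a salted, iterated replacement. Two properties of traditional DES crypt are relevant to the requests for longer passwords in this thread: the salt is 12 bits (2 characters from [./0-9A-Za-z]), and only the first 8 characters of the password enter the DES key, so characters beyond the eighth change nothing. The sample hash strings are constructed to show each format's syntax and are not claimed to verify any particular password; the PBKDF2 iteration count and the `$pbkdf2-sha256$` record layout are assumptions for illustration, not a Ryzom format.

```python
"""Classify crypt(3)-style hashes and contrast DES crypt with a modern KDF.

Added example, not Ryzom code. Sample hashes below are constructed to show
syntax only; none of them is a real leaked hash.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional

# Characters allowed in a traditional crypt(3) salt and in DES crypt output.
_CRYPT_ALPHABET = r"[./0-9A-Za-z]"
# Traditional DES crypt: 2 salt chars + 11 output chars, no '$' prefix.
_DES_RE = re.compile(rf"^{_CRYPT_ALPHABET}{{13}}$")


@dataclass
class HashInfo:
    scheme: str                        # e.g. "des-crypt", "sha512-crypt"
    salt_bits: int                     # entropy of the salt field
    max_password_chars: Optional[int]  # None means nothing is truncated
    work_factor: str                   # iterations / cost, human readable


def identify_hash(h: str) -> HashInfo:
    """Classify a crypt(3)-style hash by its prefix and shape."""
    if _DES_RE.match(h):
        # 2 salt chars x 6 bits = 12-bit salt (4096 values); only the first
        # 8 password bytes, 7 bits each, form the 56-bit DES key.
        return HashInfo("des-crypt", 12, 8, "25 DES iterations, fixed")
    if h.startswith("$1$"):
        salt = h.split("$")[2]
        return HashInfo("md5-crypt", 6 * len(salt), None, "1000 MD5 rounds, fixed")
    if h.startswith(("$5$", "$6$")):
        parts = h.split("$")
        name = "sha256-crypt" if parts[1] == "5" else "sha512-crypt"
        rounds, salt = 5000, parts[2]          # 5000 is the sha-crypt default
        if parts[2].startswith("rounds="):
            rounds, salt = int(parts[2][len("rounds="):]), parts[3]
        return HashInfo(name, 6 * len(salt), None, f"{rounds} rounds")
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        cost = int(h.split("$")[2])
        # bcrypt: 16-byte (128-bit) salt, password used up to 72 bytes.
        return HashInfo("bcrypt", 128, 72, f"2^{cost} Blowfish key setups")
    raise ValueError("unrecognised hash format")


def des_crypt_keyspace(alphabet_size: int = 95, password_len: int = 12) -> int:
    """Candidates an attacker must try against one DES crypt hash.

    Characters after the eighth are silently ignored, so a 12-character
    password costs exactly as much to crack as its first 8 characters.
    """
    return alphabet_size ** min(password_len, 8)


# Assumption: iteration count chosen for illustration (PBKDF2-HMAC-SHA256
# guidance in 2023 was in the hundreds of thousands); tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash with no length cap; record layout is illustrative."""
    salt = salt if salt is not None else os.urandom(16)  # 128-bit random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"$pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; constant-time compare."""
    _, scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed samples: syntactically valid, not hashes of any known password.
SAMPLE_HASHES = [
    "abJnggxhB/yWI",                                   # traditional DES crypt
    "$1$saltsalt$qjXMvbEw8oaL.CzflDtaK/",              # md5-crypt
    "$6$rounds=10000$abcdefgh$Ur9ZyCtc0gn7UTl.lR7Cc1",  # sha512-crypt, explicit rounds
    "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KI",  # bcrypt, cost 12
]

if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        print(f"{h[:14]:<16} {identify_hash(h)}")
    print("DES crypt keyspace, 12-char vs 8-char password:",
          des_crypt_keyspace(95, 12) == des_crypt_keyspace(95, 8))
    rec = hash_password("correct horse")
    print("verify ok:", verify_password("correct horse", rec),
          "| 8-char prefix accepted:", verify_password("correct ", rec))
```

Running it on a dump of the `nel` user table would tell you in one pass which scheme each row uses, which is the first thing to know before estimating how fast hashcat gets through it: with DES crypt the attacker faces at most 95^8 candidates per hash regardless of how long the user's password really was, and a 12-bit salt means a 4096-way rainbow table covers every account.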
#15 Report | Quote[en] 

For those of us who are somewhat computer literate but not uber-coders, what did that screenshot say?

---


Remembering Tyneetryk
Phaedreas Tears - 15 years old and first(*) of true neutral guilds in Atys.
(*) This statement is contested, but we are certainly the longest lasting.
<clowns | me & you | jokers>