OFFICIAL NEWS



#1 [Multilingual]
We recently discovered a cyber-attack against our login system. This attack compromised fewer than 1% of Ryzom accounts.

What you need to know:
- The attacker only retrieved the login and the *encrypted* version of your password.
- We never store banking information in our database. All banking information is stored with our providers, WorldPay and PlaySpan. This means that no access to banking information was possible, so it has not been compromised.

We have decided to block all compromised accounts, so if you log into the game and see error 4444 asking you to change your password, please change it and you will then be able to play.

The best way to change your password is to go to this page (https://secure.ryzom.com/payment_profile/lost_secure_password.php?language=fr) and follow the instructions. This will send a link to your email address (the one you entered in your Ryzom profile).

We are well aware that changing your password can be inconvenient. We are doing everything we can to protect your data.

If you have more than one Ryzom account, you should change the password on each of them. If you have used the same password on other sites, in particular for your email address, we encourage you to change it on those other sites as well.

If you have any problem, please contact us at support@ryzom.com

We apologise for the inconvenience and worry this situation may cause.

The Ryzom Team

Edited 6 times | Last edited by Tamarea (9 years ago)

---

Tamarea
Ryzom Team Manager
(FR / EN / ES)

tamarea@ryzom.com

#2 [en]

Thank you for letting us know.

Can you please change the way these passwords need to look? 5-8 characters aren't that complex. Please consider allowing longer passwords.

Thank you :-)
Mikira

---


________________________

High Officer of Syndicate
________________________

#3 [en]

+999 to Mikira

---

#4 [en]

hmm, up to 12, special and non-alphanumeric also...

---

Remickla (atys)
Other games - they give you a cookie whether you succeed or not, in fact you don't even have to participate. Ryzom takes your cookie, eats it in front of you, and slaps you 2 or 3 times for bringing a cookie in the first place.
What Cookies is about ---- Contact Cookies ---- Cookies at Events ---- For Cookies Diggers and Crafters
Useful Links:
cookies approved reference data, guides, and more. --- ryztools web version --- talkIRC forum post table of contents

#5 [en]

Tamarea,

It would be normal to send an e-mail to the associated e-mail address for the compromised accounts, informing them of the same. If a person is not active in Ryzom, they would need to know nonetheless that there has been a security breach.

Other points I want to see addressed:

- I have multiple accounts (storage alts, etc) and ALL of them have been compromised. A lot of the active guildmates have all confirmed they have been hit too. This is too much of a coincidence.

Given this data, I do not believe in the slightest that only 1% of the accounts were hit; it is statistically improbable that everyone I know has been hit. How many accounts of active players have been compromised?

- Several old encryption mechanisms have been proven weak in time; we need to know what encryption you are / were using. My fear is that you are still using a hashing algorithm that was "standard" at the game launch in 2004, i.e. md5 or sha1, and which means the lost passwords were cracked almost immediately.

This is a very justified fear considering players have had to notify you in public that the server software was severely outdated.

- related: were the passwords salted too, or just hashed?

- As others have already pointed out, please allow more complex passwords ASAP.

- Take this opportunity to implement extra security measures, for instance the usage of a PIN code to change characters (create/delete).

Time is of the essence. Answer fast.

Edited 2 times | Last edited by Mjollren (10 years ago)

---

#6 [en]

Mjollren (atys)
- Several old encryption mechanisms have been proven weak in time; we need to know what encryption you are / were using. My fear is that you are still using a hashing algorithm that was "standard" at the game launch in 2004, i.e. md5 or sha1, and which means the lost passwords were cracked almost immediately.
Passwords are encrypted with 'crypt'; it uses DES, I think, and it's salted.

---

Hello!

#7 [en]

Mjollren (atys)
Tamarea,
- I have multiple accounts (storage alts, etc) and ALL of them have been compromised. A lot of the active guildmates have all confirmed they have been hit too. This is too much of a coincidence.

Given this data, I do not believe in the slightest that only 1% of the accounts were hit; it is statistically improbable that everyone I know has been hit. How many accounts of active players have been compromised?

Agreed. There are 3 accounts in my household alone that have been compromised, and one of the few guildies I saw the other night also had the same issue. If at least 3 of the 4 players I talked to recently had a problem, the odds are that it wasn't 1%.

---

Do not assume that you speak for all just because you are the loudest voice; there are many who disagree that simply have no desire to waste words on you.

#8 [en]

Mjollren --

I don't know for sure of course, but if I had a significant number of accounts compromised, I'd put in a block on *all* accounts to make them change their passwords. The rest of your comments are good, but would involve there being coding time to do it. Changing security systems is not a simple matter. Karu undoubtedly knows more and might be able to comment.

-- Bitty -- (not a dev or a csr)

Last edited by Bitttymacod (10 years ago)

---


Remembering Tyneetryk
Phaedreas Tears - 15 years old and first(*) of true neutral guilds in Atys.
(*) This statement is contested, but we are certainly the longest lasting.
<clowns | me & you | jokers>

#9 [fr]

We can implement an in-game password change option and complex passwords. We should make a rule that you cannot reuse the last password used on your account, too. One more thing is one more rule that players must change their password after a certain time (as most of us don't bother to change our password once we have made the account. We are lazy, at least I am, hehehe).

---

I am the one in ten. Even though I don't exist. Nobody Knows me.
Even though I'm always there. A statistical reminder of a world that doesn't care.


#10 [en]

I for one am glad that this attack was detected and dealt with so quickly and efficiently. Yes, things could be made more secure, but nothing online is ever totally secure.

---

It's bad luck to be superstitious . . .



Palta e decata, nan nec ilne matala.

When one goes on a journey it is not the scenery that changes, but the traveller

#11 [en]

Gidget (atys)
If at least 3 of the 4 players I talked to recently had a problem, the odds are that it wasn't 1%.

They didn't say 1% of active accounts.

SELECT * from nel WHERE SubDate > '2014-08-14'

---

Kaetemi

#12 [en]

Arfur (atys)
I for one am glad that this attack was detected and dealt with so quickly and efficiently. Yes, things could be made more secure, but nothing online is ever totally secure.
+1 and bank details are safe - so we are good to go

---

Binarabi
This idea of "I'm offended". Well I've got news for you. I'm offended by a lot of things too. Where do I send my list? Life is offensive. You know what I mean? Just get in touch with your outer adult. (Bill Hicks)

#13 [de]

Why is it actually not possible to set passwords longer than 8 characters or containing special characters? Although it at least seems to be possible to have longer passwords, because my original password when I first registered with Ryzom was definitely longer than 8 characters.

Edit:
There is already a discussion about this and other security features in the English forum. Unfortunately, there is no statement from the official side yet.

Last edited by Khalaoden (10 years ago)

---

#14 [en]

Karu (atys)
passwords are encrypted with 'crypt', it uses DES i think and it's salted.

Yep, the traditional DES-based scheme of crypt(3) uses a very small salt (12 bits, represented by 2 characters). Fun fact: Ryzom's code includes implementations of crypt(3) and MD5 (MD5 isn't used for game passwords).

Just a note for all the people who thought it's hard to retrieve a password hashed in such a way: https://twitter.com/hashcat/status/160488271267364864

Edited 2 times | Last edited by Markanjio (10 years ago)

---

Markanjio di Segafredo
Alkiane
Noble Gardien des Matis - Noble Matis Guardian
Fléau de l'Empire - Scourge of the Empire
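
Karu's and Markanjio's posts above identify the scheme as salted DES crypt(3) with a 12-bit salt; the following is an added example, not code from this thread or from the Ryzom project, that audits constructed sample password rows for that scheme (and other crypt-style formats) and shows a hypothetical PBKDF2 replacement that keeps the whole password instead of the first 8 characters. The sample rows, the `$pbkdf2-sha256$` storage format and the function names are assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed sample rows (login, stored hash) in crypt(3)-style formats.
# These are format examples only, not real Ryzom data or real hashes.
SAMPLE_ROWS = [
    ("alice", "abJnggxhB/yWI"),                        # traditional DES crypt
    ("bob", "$1$saltsalt$qjXMvbEw8oaJNBL1hqRcd1"),     # md5crypt
    ("carol", "$6$" + "s" * 16 + "$" + "h" * 86),       # sha512crypt
    ("dave", "$2b$12$" + "s" * 22 + "h" * 31),          # bcrypt
]

# Traditional DES crypt(3): 13 chars from a 64-symbol alphabet, salt = first 2.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify(stored):
    """Return (scheme, salt_bits, max_password_chars) for a stored hash."""
    if DES_CRYPT.match(stored):
        return ("des-crypt", 12, 8)      # 2 salt chars * 6 bits; 8-char truncation
    if stored.startswith("$1$"):
        return ("md5crypt", 48, None)    # up to 8 salt chars
    if stored.startswith(("$5$", "$6$")):
        return ("sha-crypt", 96, None)   # up to 16 salt chars
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return ("bcrypt", 128, 72)       # 128-bit salt; bcrypt caps input at 72 bytes
    return ("unknown", 0, None)

def audit(rows):
    """Logins whose stored hash should be rehashed at next login (< 64 salt bits)."""
    return [login for login, stored in rows if classify(stored)[1] < 64]

def rehash(password, salt=None, iterations=600_000):
    """Hypothetical replacement format: PBKDF2-HMAC-SHA256, 16-byte random salt,
    whole password used (no 8-character truncation)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    """Constant-time check of a password against a rehash() string."""
    _, _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

classify() recognises formats by prefix and length only; it does not validate the hash body, so an "unknown" result is itself a finding worth checking by hand.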

#15 [en]

For those of us who are somewhat computer literate but not uber-coders, what did that screenshot say?

---