OFFICIAL NEWS



#1 [Multilingual post; English version shown]

Hello,

Recently, we discovered a cyberattack on our login system. This attack compromised less than 1% of Ryzom accounts.

What’s important for you to know:
- The hacker only got the login and the *encrypted* version of your password.
- We never store any financial information in our database. All financial information is stored by our providers WorldPay and PlaySpan. This means that no financial information was accessed or compromised.

We decided to block compromised accounts, so if you try to log in to the game and see error number 4444 asking you to change your password, please change it and you'll be able to play after that.

The best way to change your password is to go to this page (https://secure.ryzom.com/payment_profile/lost_secure_password.php?language=en) and follow the instructions. It will send a link to your email (the email you entered on your Ryzom profile).

We understand that changing your password may be inconvenient. We are doing everything we can to protect your data.

If you have more than one Ryzom account, you should change the password for each account. If you used the same password on any other site, we encourage you to change it on those sites too.

If you have any issues, please contact us: support@ryzom.com

We apologize for any inconvenience or concern this situation may cause.

Ryzom Team

Edited 6 times | Last edited by Tamarea (9 years ago)

---

Tamarea
Ryzom Team Manager
(FR / EN / ES)

tamarea@ryzom.com

#2 [en]

Thank you for letting us know.

Can you please change the way these passwords need to look? 5-8 characters aren't that complex. Please consider allowing longer passwords.

Thank you :-)
Mikira

---


________________________

High Officer of Syndicate
________________________

#3 [en]

+999 to Mikira

---

#4 [en]

hmm, up to 12, special and non-alphanumeric also...

---

Remickla (atys)
Other games - they give you a cookie whether you succeed or not, in fact you don't even have to participate. Ryzom takes your cookie, eats it in front of you, and slaps you 2 or 3 times for bringing a cookie in the first place.
What Cookies is about ---- Contact Cookies ---- Cookies at Events ---- For Cookies Diggers and Crafters
Useful Links:
cookies approved reference data, guides, and more. --- ryztools web version --- talkIRC forum post table of contents

#5 [en]

Tamarea,

It would be normal to send an e-mail to the associated e-mail address for the compromised accounts, informing them of the same. If a person is not active in Ryzom, they would need to know nonetheless that there has been a security breach.

Other points I want to see addressed:

- I have multiple accounts (storage alts, etc) and ALL of them have been compromised. A lot of the active guildmates have all confirmed they have been hit too. This is too much of a coincidence.

Given this data, I do not believe in the slightest that only 1% of the accounts were hit; it is statistically improbable that everyone I know has been hit. How many accounts of active players have been compromised?

- Several old encryption mechanisms have been proven weak in time; we need to know what encryption you are / were using. My fear is that you are still using a hashing algorithm that was "standard" at the game launch in 2004, i.e. md5 or sha1, and which means the lost passwords were cracked almost immediately.

This is a very justified fear considering players have had to notify you in public that the server software was severely outdated.

- related: were the passwords salted too, or just hashed?

- As others have already pointed out, please allow more complex passwords ASAP.

- Take this opportunity to implement extra security measures, for instance the usage of a PIN code to change characters (create/delete).

Time is of the essence. Answer fast.

Edited 2 times | Last edited by Mjollren (10 years ago)

---

#6 [en]

Mjollren (atys)
- Several old encryption mechanisms have been proven weak in time; we need to know what encryption you are / were using. My fear is that you are still using a hashing algorithm that was "standard" at the game launch in 2004, i.e. md5 or sha1, and which means the lost passwords were cracked almost immediately.
Passwords are encrypted with 'crypt'; it uses DES, I think, and it's salted.

---

Hello!

#7 [en]

Mjollren (atys)
Tamarea,
- I have multiple accounts (storage alts, etc) and ALL of them have been compromised. A lot of the active guildmates have all confirmed they have been hit too. This is too much of a coincidence.

Given this data, I do not believe in the slightest that only 1% of the accounts were hit; it is statistically improbable that everyone I know has been hit. How many accounts of active players have been compromised?

Agreed. There are 3 accounts in my household alone that have been compromised, and one of the few guildies I saw the other night also had the same issue. If at least 3 of the 4 players I talked to recently had a problem, the odds are that it wasn't 1%.

---

Do not assume that you speak for all just because you are the loudest voice; there are many who disagree that simply have no desire to waste words on you.

#8 [en]

Mjollren --

I don't know for sure of course, but if I had a significant number of accounts compromised, I'd put in a block on *all* accounts to make them change their passwords. The rest of your comments are good, but would involve there being coding time to do it. Changing security systems is not a simple matter. Karu undoubtedly knows more and might be able to comment.

-- Bitty -- (not a dev or a csr)

Last edited by Bitttymacod (10 years ago)

---


Remembering Tyneetryk
Phaedreas Tears - 15 years old and first(*) of true neutral guilds in Atys.
(*) This statement is contested, but we are certainly the longest lasting.
<clowns | me & you | jokers>

#9 [fr]

We can implement an in-game password change option and complex passwords. We should also make a rule that you cannot reuse the last password used on your account. One more thing: a rule that players must change their password after a certain time (as most of us don't bother to change our password once we have made the account. We are lazy, at least I am, hehehe).

---

I am the one in ten. Even though I don't exist. Nobody Knows me.
Even though I'm always there. A statistical reminder of a world that doesn't care.


#10 [en]

I for one am glad that this attack was detected and dealt with so quickly and efficiently. Yes, things could be made more secure, but nothing online is ever totally secure.

---

It's bad luck to be superstitious . . .



Palta e decata, nan nec ilne matala.

When one goes on a journey it is not the scenery that changes, but the traveller

#11 [en]

Gidget (atys)
If at least 3 of the 4 players I talked to recently had a problem, the odds are that it wasn't 1%.

They didn't say 1% of active accounts.

SELECT * from nel WHERE SubDate > '2014-08-14'

---

Kaetemi

#12 [en]

Arfur (atys)
I for one am glad that this attack was detected and dealt with so quickly and efficiently. Yes, things could be made more secure, but nothing online is ever totally secure.
+1 and bank details are safe - so we are good to go

---

Binarabi
This idea of "I'm offended". Well I've got news for you. I'm offended by a lot of things too. Where do I send my list? Life is offensive. You know what I mean? Just get in touch with your outer adult. (Bill Hicks)

#13 [de]

Why is it actually not possible to set passwords longer than 8 characters or containing special characters? It does at least seem to be possible to have longer passwords, because the original password I chose when I first registered with Ryzom was definitely longer than 8 characters.

Edit:
There is already a discussion about this and other security features in the English forum. Unfortunately, there is still no statement from the official side.

Last edited by Khalaoden (10 years ago)

---

#14 [en]

Karu (atys)
Passwords are encrypted with 'crypt'; it uses DES, I think, and it's salted.

Yep, the traditional DES-based scheme of crypt(3) uses a very small salt (12 bits, represented by 2 characters). Fun fact: Ryzom's code includes implementations of crypt(3) and MD5 (MD5 isn't used for game passwords).

Just a note for all the people who thought it's hard to retrieve a password hashed in such a way: https://twitter.com/hashcat/status/160488271267364864

Edited 2 times | Last edited by Markanjio (10 years ago)

---

Markanjio di Segafredo
Alkiane
Noble Gardien des Matis - Noble Matis Guardian
Fléau de l'Empire - Scourge of the Empire
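An added example, not code from Ryzom or from anyone in this thread, that shows the two properties of traditional DES crypt(3) the posts above keep returning to (the 2-character, 12-bit salt and the 8-character password limit) next to the kind of scheme a defender would migrate to. The salt alphabet and the 8-character/7-bit key rule are those of classic crypt(3); the PBKDF2 record format, `hash_password` and `verify_password` are assumptions of this example, not anything the game actually uses.

```python
# Added example (not Ryzom code): properties of traditional DES crypt(3)
# discussed in this thread, plus a modern verifier for comparison.
import hashlib
import hmac
import os
from typing import Optional

# crypt(3) salt alphabet: each character carries 6 bits, two characters = 12 bits.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
LEGACY_SALT_SPACE = len(CRYPT_ALPHABET) ** 2   # only 4096 distinct salts exist


def legacy_salt_value(salt: str) -> int:
    """Decode a two-character traditional crypt(3) salt into its 12-bit integer."""
    if len(salt) != 2 or any(c not in CRYPT_ALPHABET for c in salt):
        raise ValueError("traditional crypt(3) salt is exactly two chars of [./0-9A-Za-z]")
    return (CRYPT_ALPHABET.index(salt[0]) << 6) | CRYPT_ALPHABET.index(salt[1])


def legacy_effective_password(password: str) -> str:
    """DES crypt builds its 56-bit key from the first 8 characters only, 7 bits each.
    Everything after character 8 is silently ignored: the 8-character limit above."""
    return "".join(chr(ord(c) & 0x7F) for c in password[:8])


# Modern scheme (hypothetical record format): PBKDF2-HMAC-SHA256 with a random 128-bit salt.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing record: algorithm$rounds$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Constant-time comparison against a stored record; unknown formats never verify."""
    try:
        algo, rounds, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Because the legacy function discards everything past the eighth character, two passwords that share a prefix of 8 characters are indistinguishable to it, which is why a longer password offered no extra protection under that scheme.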

#15 [en]

For those of us who are somewhat computer literate but not uber-coders, what did that screenshot say?

---


Remembering Tyneetryk
Phaedreas Tears - 15 years old and first(*) of true neutral guilds in Atys.
(*) This statement is contested, but we are certainly the longest lasting.
<clowns | me & you | jokers>