IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

All you need to know about the happenings of TrueWoW can be found here.
paroliak
Posts: 104
Joined: 01 Jan 2014 17:01

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#16 » Post by paroliak » 09 Oct 2018 17:59

Thanks for the transparency, password changed!

P.S. Tip for people: use passphrases rather than a word, easier to remember.

Gadoschi
Donor
Posts: 222
Joined: 27 Feb 2015 19:44
Location: Croatia

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#17 » Post by Gadoschi » 09 Oct 2018 19:48

Roel wrote:
08 Oct 2018 21:44
Last Wednesday night.
So, October 3?

I'm just double checking because I changed all my passwords not knowing about this last weekend (Oct 7).

I guess I'm good then?
PC
MB: Asus M5A97 R2.0 (AM3+); CPU: AMD FX 8300 (@4,2GHz); GPU: Gigabyte R9 380 4GB GDDR5 (@1,15GHz); RAM: Kingston HyperX Fury 1866MHz (2x4GB Kit); PSU: Coolermaster V550 (80+ Gold); CPU Cooler: LC-CC-120; Case: Antec GX505; Fans: Antec TrueQuiet 120mm x5; Monitor: AOC G2460PF (24'', 1ms, 144Hz, Freesync); Keyboard: Corsair Strafe RGB (Cherry MX Red); Mouse: Logitech G302; Surface: Roccat Taito Mid 5mm

Bloodshade
Posts: 149
Joined: 07 Aug 2014 23:19

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#18 » Post by Bloodshade » 09 Oct 2018 19:55

Gadoschi wrote:
09 Oct 2018 19:48

I'm just double checking because I changed all my passwords not knowing about this last weekend (Oct 7).

I guess I'm good then?
Don't worry, the accounts you bought won't be stolen
- - -Wrathful chiken - - - - - Salty chiken - - -

Gadoschi
Donor
Posts: 222
Joined: 27 Feb 2015 19:44
Location: Croatia

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#19 » Post by Gadoschi » 09 Oct 2018 23:14

Bloodshade wrote:
09 Oct 2018 19:55
Don't worry, the accounts you bought won't be stolen
What do you mean?

Jiranthos
Admin
Posts: 1978
Joined: 23 Jun 2015 03:43
Location: Not on your bad side, hopefully

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#20 » Post by Jiranthos » 10 Oct 2018 08:42

Bloodshade and Gadoschi, may I ask you to please not turn this announcement into a Who Did What attack series? Let's keep it civil and on topic so people can quickly find relevant information about an announcement this serious.

Everybody knows that the best way to describe the ocean to a blind man is to push him in

Gadoschi
Donor
Posts: 222
Joined: 27 Feb 2015 19:44
Location: Croatia

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#21 » Post by Gadoschi » 10 Oct 2018 11:16

I am keeping it civil.
I just have no idea what he's talking about.
Don't even know who that is.

NoblestHeart
Donor
Posts: 64
Joined: 15 Aug 2015 11:27

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#22 » Post by NoblestHeart » 10 Oct 2018 14:32

Ravenseeker wrote:
09 Oct 2018 15:19
NoblestHeart wrote:
09 Oct 2018 14:18
I got hacked, put in a ticket to get a piece of gear back and got told "CAN'T DO ANYTHING, GOOD BYE" (This was on Primal 2 - 3 days ago now after coming back). Not the first time either. I had a DK on the True WoW realm and that disappeared after me being away for a long while, I didn't delete. That was a few years back. Got told same response "CAN'T DO ANYTHING, GOODBYE".
That was actually a week ago, before this breach. And the actual response was
We are sincerely sorry for your loss, but there isn't anything we can do about it. Always remember to secure your account.
I was unable to find any logs showing that you had indeed lost this item, possibly due to the age of the issue, and thus I am unable to help in your case.
Freakin great, some luck I have. Thank-you anyway. I'm mad at myself not you.

Fastor
Posts: 4031
Joined: 16 Dec 2012 17:38

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#23 » Post by Fastor » 11 Oct 2018 21:34

Error occured when changing password!
Oh well.
At least several people have birthdays today.

Congratulations to: Swundead, ElderJames, Kevinprogs (38), trjohnson (26), bloodsugar (23), Weveriss (23)

Also, you kinda confused me so please clarify, " We know that e-mail addresses and password hashes were accessed and it is possible that they may have been leaked." by this you mean that since now they have our e-mails, they may log into them since passwords might be same?

Nuko
Former Staff
Posts: 540
Joined: 27 Aug 2010 21:47
Location: United Kingdom

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#24 » Post by Nuko » 12 Oct 2018 01:56

Fastor wrote:
11 Oct 2018 21:34
...
Also, you kinda confused me so please clarify, " We know that e-mail addresses and password hashes were accessed and it is possible that they may have been leaked." by this you mean that since now they have our e-mails, they may log into them since passwords might be same?
E-mail addresses were indeed acquired, but the passwords themselves were not. Instead "hashes" of passwords were acquired. I'll explain what is meant by that in a bit more detail for those who are interested.

In general, when you have some sort of system for verifying who someone is by use of a password, the seemingly most straightforward way of doing this is to just store the passwords themselves in a database and check what the user enters matches the stored password. However, this is not a very sensible thing to do in case of a breach such as this one.

Therefore, what happens is the passwords are passed through an algorithm that turns them into an unintelligible string of letters and numbers called a "hash". This algorithm is designed in such a way that you can't create an algorithm to reverse it to retrieve the original password, but given the same input it will always output the same hash. Therefore, if you store the hashes of everyone's passwords instead, you can then just put the password they enter on the login page through the same algorithm and see if the output of it matches the stored hash in the database.

This way you can validate someone's password without ever having to store the password itself in the database. It was these hashes that were acquired, not any passwords themselves (since we don't actually store any passwords).

The worry with this breach comes from the fact that more recent advances in computing power mean that some hashing algorithms can be "broken" by brute force. That is, by putting a multitude of different potential passwords through the hashing algorithm and seeing which give the same output as any stored in the database. This way, the more simple passwords may have been acquired in plain-text.

The algorithm that phpBB (our forum software) uses is one of these algorithms that has the potential to be brute forced, hence the message to change your passwords. We are looking at how to make phpBB use a more secure hashing algorithm currently.

Our password hashes had an extra layer of security in the form of a "salt"; this is a string of characters unique to each user that gets mixed into your password before being hashed. This prevents two people who have the same password from having the same password hash, thus preventing the use of statistical techniques to try and decipher people's passwords. However, this also can be overcome with enough brute-forcing, as can anything. It simply comes down to a question of how much computing power is available and how much time they're willing to spend on trying to crack them.

So yes, there's a risk that if your password hash was cracked and you use that same password somewhere else (such as your e-mail account), they could use it to log in there.
Nuko - In the event of malfunction, please insert tea.
"In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move."
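
The salted-hash scheme described in the post above, as an added example that is not part of the original thread and is not phpBB's own code. Salted SHA-256 stands in for a fast hash and PBKDF2 for a slower one; the user names, passwords and word list are constructed.

```python
import hashlib
import hmac
import os

def fast_hash(password, salt):
    # Assumption: one round of salted SHA-256 stands in for a fast hash.
    return hashlib.sha256(salt + password.encode()).digest()

def slow_hash(password, salt, iterations=50_000):
    # PBKDF2 repeats the hash, so every single guess costs `iterations` rounds.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def register(password, hasher=fast_hash):
    # Only the salt and the hash are stored, never the password itself.
    salt = os.urandom(16)  # unique per user
    return salt, hasher(password, salt)

def verify(password, record, hasher=fast_hash):
    # Re-hash the login attempt with the stored salt and compare.
    salt, stored = record
    return hmac.compare_digest(hasher(password, salt), stored)

def audit_common_passwords(db, wordlist, hasher=fast_hash):
    """Return the users whose stored hash matches a common-password list.

    The salt does not stop this check; it only forces the work to be
    repeated for every user instead of once for the whole table.
    """
    return sorted(user for user, record in db.items()
                  if any(verify(word, record, hasher) for word in wordlist))

# Constructed sample data: two users share a weak password, one uses a passphrase.
SAMPLE_DB = {
    "alice": register("dragon"),
    "bob": register("dragon"),
    "carol": register("correct horse battery staple"),
}
COMMON = ["123456", "password", "dragon", "qwerty"]

if __name__ == "__main__":
    same = SAMPLE_DB["alice"][1] == SAMPLE_DB["bob"][1]
    print("alice and bob share a hash:", same)
    print("users to force-reset:", audit_common_passwords(SAMPLE_DB, COMMON))
```
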

Fastor
Posts: 4031
Joined: 16 Dec 2012 17:38

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#25 » Post by Fastor » 13 Oct 2018 22:18

Would be better to send everybody an email about this. It's not good for the server but would keep people safe.

Thexelez
Posts: 43
Joined: 26 Feb 2014 11:27
Location: Estonia

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#26 » Post by Thexelez » 16 Oct 2018 16:01

So arnis finally did it... amaze
Ambaal / Tyrael
Divinity
EU : Tolbajoob - Draenor
xelez#2396 -diskörd

Punkikid
Posts: 4
Joined: 21 Jun 2016 16:36

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#27 » Post by Punkikid » 18 Oct 2018 22:45

All of my toons have been deleted from primalwow. Is there any way I can get them back?

Bigjeffrey
Posts: 8
Joined: 09 Nov 2014 20:15

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#28 » Post by Bigjeffrey » 21 Oct 2018 12:26

Since the TW server is located in France, I guess the GDPR needs to be followed as well, since my e-mail address and my name are personally identifiable information about my person.

According to Art. 33 (https://gdpr-info.eu/art-33-gdpr/)
This breach has to be reported to a supervisory authority.
Was this done already?

According to Art. 34 (https://gdpr-info.eu/art-34-gdpr/)
You (the administrator) have to contact each and every natural person about this issue (not just by a thread on the website).
I did not get any e-mail information about this breach; I just got the info by randomly visiting the website.


Be aware, breaking this law can end with a prison sentence of 5 years and more.

Bloodshade
Posts: 149
Joined: 07 Aug 2014 23:19

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#29 » Post by Bloodshade » 21 Oct 2018 12:49

Considering private WoW servers are kind-of illegal I doubt they reported it to anyone lmao

Jiranthos
Admin
Posts: 1978
Joined: 23 Jun 2015 03:43
Location: Not on your bad side, hopefully

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

#30 » Post by Jiranthos » 21 Oct 2018 15:33

We are doing our best to contain the damages and inform the players but we are not a business and not a legal entity.


Locked
