
Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 09 Oct 2018 17:59
by paroliak
Thanks for the transparency, password changed!

P.S. Tip for people: use passphrases rather than a word, easier to remember.

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 09 Oct 2018 19:48
by Gadoschi
Roel wrote:
08 Oct 2018 21:44
Last Wednesday night.
So, October 3?

I'm just double checking because I changed all my passwords not knowing about this last weekend (Oct 7).

I guess I'm good then?

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 09 Oct 2018 19:55
by Bloodshade
Gadoschi wrote:
09 Oct 2018 19:48

I'm just double checking because I changed all my passwords not knowing about this last weekend (Oct 7).

I guess I'm good then?
Don't worry, the accounts you bought won't be stolen

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 09 Oct 2018 23:14
by Gadoschi
Bloodshade wrote:
09 Oct 2018 19:55
Don't worry, the accounts you bought won't be stolen
What do you mean?

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 10 Oct 2018 08:42
by Jiranthos
Bloodshade and Gadoschi, may I ask you to please not turn this announcement into a Who Did What attack series? Let's keep it civil and on topic so people can quickly find relevant information about an announcement this serious.

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 10 Oct 2018 11:16
by Gadoschi
I am keeping it civil.
I just have no idea what he's talking about.
Don't even know who that is.

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 10 Oct 2018 14:32
by NoblestHeart
Ravenseeker wrote:
09 Oct 2018 15:19
NoblestHeart wrote:
09 Oct 2018 14:18
I got hacked, put in a ticket to get a piece of gear back and got told "CAN'T DO ANYTHING, GOOD BYE" (This was on Primal 2 - 3 days ago now after coming back) Not the first time either. I had a DK on the True WoW realm and that disappeared after me being away for a long while, I didn't delete. That was a few years back. Got told same response "CAN'T DO ANYTHING, GOODBYE".
That was actually a week ago, before this breach. And the actual response was
We are sincerely sorry for your loss, but there isn't anything we can do about it. Always remember to secure your account.
I was unable to find any logs showing that you had indeed lost this item, possibly due to the age of the issue, and thus I am unable to help in your case.
Freakin great, some luck I have. Thank you anyway. I'm mad at myself not you.

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 11 Oct 2018 21:34
by Fastor
Error occured when changing password!
Oh well.
At least several people have birthdays today.

Congratulations to: Swundead, ElderJames, Kevinprogs (38), trjohnson (26), bloodsugar (23), Weveriss (23)

Also, you kinda confused me so please clarify, "We know that e-mail addresses and password hashes were accessed and it is possible that they may have been leaked." By this you mean that since now they have our e-mails, they may log into them since passwords might be same?

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 12 Oct 2018 01:56
by Nuko
Fastor wrote:
11 Oct 2018 21:34
...
Also, you kinda confused me so please clarify, "We know that e-mail addresses and password hashes were accessed and it is possible that they may have been leaked." By this you mean that since now they have our e-mails, they may log into them since passwords might be same?
E-mail addresses were indeed acquired, but the passwords themselves were not. Instead "hashes" of passwords were acquired. I'll explain what is meant by that in a bit more detail for those who are interested.

In general, when you have some sort of system for verifying who someone is by use of a password, the seemingly most straightforward way of doing this is to just store the passwords themselves in a database and check that what the user enters matches the stored password. However, this is not a very sensible thing to do in case of a breach such as this one.

Therefore, what happens is the passwords are passed through an algorithm that turns them into an unintelligible string of letters and numbers called a "hash". This algorithm is designed in such a way that you can't create an algorithm to reverse it to retrieve the original password, but given the same input it will always output the same hash. Therefore, if you store the hashes of everyone's passwords instead, you can then just put the password they enter on the login page through the same algorithm and see if the output of it matches the stored hash in the database.

This way you can validate someone's password without ever having to store the password itself in the database. It was these hashes that were acquired, not any passwords themselves (since we don't actually store any passwords).

The worry with this breach comes from the fact that more recent advances in computing power mean that some hashing algorithms can be "broken" by brute force. That is, by putting a multitude of different potential passwords through the hashing algorithm and seeing which give the same output as any stored in the database. This way, the more simple passwords may have been acquired in plain-text.

The algorithm that phpBB (our forum software) uses is one of these algorithms that has the potential to be brute forced, hence the message to change your passwords. We are looking at how to make phpBB use a more secure hashing algorithm currently.

Our password hashes had an extra layer of security in the form of a "salt". This is a string of characters unique to each user that gets mixed into your password before being hashed. This prevents two people who have the same password from having the same password hash, thus preventing the use of statistical techniques to try and decipher people's passwords. However, this also can be overcome with enough brute-forcing, as can anything. It simply comes down to a question of how much computing power is available and how much time they're willing to spend on trying to crack them.

So yes, there's a risk that if your password hash was cracked and you use that same password somewhere else (such as your e-mail account), they could use it to log in there.
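
The storage and check described in the post above, as an added example that is not part of the original thread or the forum's own code. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in (not phpBB's algorithm); the account names, passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor (demo value): each guess costs this many HMAC rounds


def make_record(password, salt=None, iterations=ITERATIONS):
    """Return what the database stores: salt, work factor and hash, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password, record):
    """Re-hash the login attempt with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def audit_guessable(db, wordlist):
    """Defender's audit: which accounts fall to a list of common passwords?
    The salt forces one hash per (account, guess) pair but does not stop guessing."""
    return {
        user: guess
        for user, record in db.items()
        for guess in wordlist
        if verify(guess, record)
    }


# Constructed sample accounts; names and passwords are made up.
DB = {
    "alice": make_record("dragon"),
    "bob": make_record("dragon"),  # same password as alice
    "carol": make_record("correct horse battery staple"),
}
COMMON = ["123456", "password", "dragon", "qwerty"]  # constructed wordlist

if __name__ == "__main__":
    print("same password, same hash?", DB["alice"]["hash"] == DB["bob"]["hash"])
    print("guessable accounts:", audit_guessable(DB, COMMON))
```

The two accounts sharing a password get different hashes because of the salt, yet both are flagged by the audit, while the passphrase account is not.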

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 13 Oct 2018 22:18
by Fastor
Would be better to send everybody an email about this. It's not good for server but would keep people safe.

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 16 Oct 2018 16:01
by Thexelez
So arnis finally did it... amaze

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 18 Oct 2018 22:45
by Punkikid
All of my toons have been deleted from primalwow. Is there any way I can get them back?

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 21 Oct 2018 12:26
by Bigjeffrey
Since the TW server is located in France, I guess the GDPR needs to be followed as well, since my e-mail address and my name are personally identifiable information about my person.

According to Art. 33 (https://gdpr-info.eu/art-33-gdpr/)
This breach has to be reported to a supervisory authority.
Was this done already?

According to Art. 34 (https://gdpr-info.eu/art-34-gdpr/)
You (the administrator) have to contact each and every natural person about this issue (not just by a thread on the website).
I did not get any e-mail information about this breach; I just got the info by randomly visiting the website.


Be aware, breaking this law can end with a prison sentence of 5 years and more.

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 21 Oct 2018 12:49
by Bloodshade
Considering private WoW servers are kind-of illegal I doubt they reported it to anyone lmao

Re: IMPORTANT ANNOUNCEMENT: BREACH OF SECURITY

Posted: 21 Oct 2018 15:33
by Jiranthos
We are doing our best to contain the damages and inform the players but we are not a business and not a legal entity.