Gaming studio Cryptic, the company behind Star Trek Online, Champions Online and City of Heroes, has admitted that its players' details were lifted in an unauthorised database access two years ago. Cryptic said in a canned statement yesterday that it had only just discovered evidence of a data breach in December 2010, during …
>>The studio said it had reset passwords and sent emails out to all affected online role-players.<<
For a data breach that happened 2 years ago! I think they might as well not have bothered, any compromises will have taken place ages ago.
Talk about closing the stable door... the horse has bolted, found a new owner, and sired three foals by now...
If they've just found out about it like the article says then I'd rather be informed about it than not, even if it was 2 years ago.
What the hell? You mean that email I received a few hours ago, which asked me to reset a password by clicking on links that pointed to a different domain than the one shown in the link text - was actually genuine?
It's been a long time since I played Champions, I didn't know that Cryptic was bought by Perfect World, and I had never heard of Perfect World before reading this article: the email itself only talks about Cryptic. I looked at the URLs declaring themselves to be champions-online.com, saw they were actually "perfectworld.com" followed by a whole lot of crap, and deleted the email.
Is it so hard to understand that if a link reads "www.whatever.com" it needs to point to www.whatever.com or at least something on that domain, or me and millions of other people are just going to assume it's a phishing attempt?
I thought it was fake too, mine had a spelling error in it.
So that was actually a genuine email? Damn, that makes 5 times in the last 18 months that a website has lost my details. I only found out about the last time after someone tried to charge a hotel room in Paris to my credit card.
Was it at the Paris Hilton?
@Flippo RE: "was actually genuine?" It does make you wonder, does it not?
The e-mail I received a few hours ago purported to come from PayPal and asked me to "click here" and thereafter (when one had arrived at the "home page" if one were so transcendentally stupid as to click on the link) re-enter your account details. A standard phishing attempt of course, immediately recognizable to any techie with more than two neurones firing at the same time. Seeing a legitimate company sending a genuine e-mail that is the very twin of the one I have just described leaves me utterly convinced that I would never under any circumstances trust any confidential details to a bunch of tools like that.
what filippo said...
was about to post roughly the same..
Looked only slightly more believable than the multiple 'enjoy wow beta' ones which arrive.. The incorrect URL was the most dodgy part..
Still, I logged in and changed the password... Using a typed in url of course...
Soooo change passwords... does that mean they were storing them in plain text or a reversible encryption??
I think the article said encrypted passwords..... reversible? maybe
Anything that is encrypted can be brute-forced.... if given long enough
Yes, the email was genuine. I was playing Star Trek Online last night when they took the login servers down for emergency maintenance, then sent out those emails and the canned statement. It will be interesting to see if they offer the affected accounts anything more than the current "we're sorry" statement. I doubt it though, Cryptic isn't exactly well known for their generosity or for compensating people when things happen or stuff they promised gets U-turned. For instance, when the game went Free-2-Play a bunch of races you had to unlock with Cryptic Points (and therefore may have paid real money for) became available to everyone, and anyone who had actually bought those races was not compensated in the slightest. It's in their TOS that they can basically do whatever they want.
That would be...
Direct people to the main website.
Personally I feel security warning emails should never encourage bad practices like asking people to click a link to log into their account.
Instead of a link they should instruct and encourage people to log in normally, and maybe enter a code from the email when prompted.
Otherwise you are simply training people to fall for email phishing scams.
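The flow suggested in the last three comments (no link in the email; the user logs in at the address they normally type and is then prompted for a code that arrived by email) is shown below as an added example. It is not code from the original thread or from Cryptic/Perfect World, and it assumes an in-memory store standing in for the account database and an injectable clock so the expiry can be tested. The code is generated from a CSPRNG, stored only as a hash bound to the account, expires after 15 minutes, is single-use, and is limited to five guesses; the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # assumption: 15-minute validity window
MAX_ATTEMPTS = 5             # assumption: five wrong guesses invalidates the code
CODE_DIGITS = 8              # 10^8 codes; with five guesses, chance of success is 5e-8


class ResetCodeStore:
    """In-memory stand-in for the account table (a real site would persist this)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # account -> {"digest", "expires", "attempts"}

    def issue(self, account):
        """Create a fresh code for the account and return it for inclusion in the email."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = {
            "digest": self._digest(account, code),   # never store the code itself
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account, code):
        """Called after the user has logged in normally and typed the code from the email."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]      # too many guesses: user must request a new code
            return False
        ok = hmac.compare_digest(entry["digest"], self._digest(account, code))
        if ok:
            del self._pending[account]      # single use
        return ok

    @staticmethod
    def _digest(account, code):
        # Bind the code to the account so a code issued for one user cannot be
        # replayed against another account that happens to be pending.
        return hashlib.sha256(f"{account}\0{code}".encode()).digest()


def notice_body(code):
    """Email text with no link: the user is told to log in the way they always do."""
    return (
        "We have reset your password as a precaution.\n"
        "Log in at the game's website by typing the address as usual, and when asked,\n"
        f"enter this code: {code}\n"
        "It expires in 15 minutes. We will never ask you to click a link to log in.\n"
    )


if __name__ == "__main__":
    store = ResetCodeStore()
    account = "player@example.com"          # constructed sample account
    code = store.issue(account)
    print(notice_body(code))
    print("wrong code accepted?", store.verify(account, "0" * CODE_DIGITS if code != "0" * CODE_DIGITS else "1" * CODE_DIGITS))
    print("right code accepted?", store.verify(account, code))
    print("replay accepted?", store.verify(account, code))
```

Because the email carries only a short-lived code and no link, a phisher who copies the message gains nothing they can point a victim at, and the user's habit of typing the site address themselves is reinforced rather than undermined. The attempt limit is what makes an 8-digit code adequate; without it the code would need to be far longer.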