| Mail |
You might also like: WoW Insider, Joystiq, and more

Reader Comments (19)

Posted: Jan 2nd 2010 10:25AM Sephirah said

  • 2 hearts
  • Report
"LOGGING INTO YOUR OWN PLAYNC MASTER ACCOUNT CAN RANDOMLY LOG YOU INTO ANOTHER PLAYER'S ACCOUNT."

Account ID Hash collision?

Posted: Jan 2nd 2010 5:11PM (Unverified) said

  • 2.5 hearts
  • Report
Little Bobby Tables is at it again.
Reply

Posted: Jan 2nd 2010 10:36AM (Unverified) said

  • 2 hearts
  • Report
NCSoft and second-rate? Colour me surprised. :rolleyes:

Posted: Jan 2nd 2010 10:36AM archipelagos said

  • 2 hearts
  • Report
That's some fairly scary stuff. Hope they get it sorted soon.

Posted: Jan 2nd 2010 9:38PM GaaaaaH said

  • 2 hearts
  • Report
If my memory serves right, this began with the Master Account linking about 2 years ago.
Reply

Posted: Jan 2nd 2010 10:49AM Cinnamoon said

  • 2 hearts
  • Report
Security has been an issue ever since NCSoft linked all of our COH, GW, etc accounts under a single old email address login that is NOT changeable and which most likely, given how old these accounts are, not at all a secret email (as you'd presumably use for, say, Battlenet). That was years and years ago. GW hacking existed long before Aion and it's far more likely that all Aion did was create a critical mass of people capable of losing said multi-game password -- I mean come on, all it takes is one subtle keylogger on an unscrupulous fansite, or sharing your Aion creds with a "friend", and bam, all your accounts are compromised -- GW is just the easy one to target since it's free to play.

Getting people who think themselves internet savvy to believe they could succumb to such obvious tricks is harder than the hacking itself, I suspect. It's much easier to believe some hocus pocus about random logins (and if the "whistleblowers" here really believe what they are saying, they really should be ashamed of themselves for bringing the exploit into mass circulation to escalate the hack attempts. Brilliant.)

Posted: Jan 2nd 2010 10:53AM hmmdar said

  • 2 hearts
  • Report
Wasn't there stories about people being logged into the wrong master accounts several months ago? I might be wrong, but i swear I remember reading about this a while ago, and it was supposed to be fixed.

It might of been fixed previously, and somehow reintroduced. (it happens sometimes when people are careless)

But it does not surprise me in the least to see how NCSoft is handling the issue.

Posted: Jan 2nd 2010 11:26AM Pingles said

  • 2 hearts
  • Report
I have no history with them so I don't know how much of the hate is justifiable but it doesn't seem unreasonable that when they checked out their account security they found things they could improve upon.

In other words, somebody yells "OMG YOU HAVE SECURITY BREACH!" so you check out your system. No breach is found but you see where you can make improvements.

Posted: Jan 2nd 2010 11:55AM blomma said

  • 2 hearts
  • Report
What you dont do tho is tell people that there is no breach/security risk and then turn around auditing your system which leads to them implementing changes.

This gives of the impression that they are incompetent and/or covering things up.
Reply

Posted: Jan 2nd 2010 12:07PM Tanek said

  • 2 hearts
  • Report
They did not come out and say there is no security issue. There was some initial confusion over what was being reported, but once the situation was understood, this was one of the postings from Gaile Gray:

"I do not know what to advise you. We still do not have confirmation that there is such a security issue. *holds up hand* Wait, please! I'm not in denial and I'm not taking "the party line" in blind defense of NCsoft. But until we test it, we don't have any real data about the reported exploit. (Anecdotal reports are helpful, yes, but they do not and cannot trump actual testing by an experienced crew.)

So at this point, I don't have any additional information to share, and I am sorry -- we all are sorry -- that this is the case. As I have said previously, a lot of emails are being exchanged and many team members and many teams are aware of this report. We are taking this seriously and moving forward with testing and, if necessary, resolution. -- Gaile"

Considering they put what additional security they could in right away and Gaile kept us informed the whole time, I don't think anything was being hidden in this case.

If there is a security issue, am I happy that it exists in the first place? Of course not. But things like this happen and the key is then in the response. It may be the companies where you never hear of problems that you should worry about. ;)
Reply

Posted: Jan 2nd 2010 12:13PM Tanek said

  • 2 hearts
  • Report
They did not come out and say there is no security issue. There was some initial confusion over what was being reported, but once the situation was understood, this was one of the postings from Gaile Gray:

"I do not know what to advise you. We still do not have confirmation that there is such a security issue. *holds up hand* Wait, please! I'm not in denial and I'm not taking "the party line" in blind defense of NCsoft. But until we test it, we don't have any real data about the reported exploit. (Anecdotal reports are helpful, yes, but they do not and cannot trump actual testing by an experienced crew.)

So at this point, I don't have any additional information to share, and I am sorry -- we all are sorry -- that this is the case. As I have said previously, a lot of emails are being exchanged and many team members and many teams are aware of this report. We are taking this seriously and moving forward with testing and, if necessary, resolution. -- Gaile"

Considering they put what additional security they could in right away and Gaile kept us informed the whole time, I don't think anything was being hidden in this case.

If there is a security issue, am I happy that it exists in the first place? Of course not. But things like this happen and the key is then in the response. It may be the companies where you never hear of problems that you should worry about. ;)
Reply

Posted: Jan 2nd 2010 11:59AM Tanek said

  • 2 hearts
  • Report
While it is a frightening thought that someone could log on to your master account by accident, when it comes to the "hackings" you have to keep in mind a couple of things:

1. From the research NCSoft has done, they say the majority of compromised GW accounts were not even linked to a master account.

2. The malicious parties involved in stealing accounts will always ind the path of least resistance for stealing as many as they can in as short a time as they can. Given the information so far, a potential flaw in the logon for the master accounts is not one they are using to any extent.

As many people have done in the forums and on the GW wiki, I send my thanks to the technicians who worked through night and day on New Year's to help the players and do what they could to increase security on any potential avenues of access to our GW accounts.

Posted: Jan 2nd 2010 12:04PM (Unverified) said

  • 2 hearts
  • Report
Even though NCsoft may have it's issues, it's wouldn't be the sole reason of why people are getting hacked. I think people are just trying to point a finger at something quickly so that they can blame someone.

People forget that you do NOT need an NCsoft account, unless you plan or making purchases from their site. I have a good friend who got hacked that never used any online forums and never made an NCsoft account. Although his password could have been stronger, anything that has been mentioned so far doesn't make sense in this case.

Account hackings have been around for a while. These situations should be evaluated on a per account basis to help find a root cause of the issue. Although this would take time, but at the same time it'll help in the long run by providing more security to different ways that accounts are being hacked right now.

I think there is more than one issue here and that people are jumping to conclusions a bit too fast. Only time will tell.

Posted: Jan 2nd 2010 12:57PM (Unverified) said

  • 2 hearts
  • Report
Well, that explains why my GW account got cleaned out when my EVE and WoW accounts were untouched.

Weird at the time, 'cause I'm kinda rich in EVE and stupendously wealthy in WoW, but all that got hit was my impoverished GW account.

My theory at the time was that they brute-forced my GW password. Which is a weird thing to spend one's time doing, but seemed the only explanation.

Posted: Jan 2nd 2010 2:23PM Meyithi said

  • 2 hearts
  • Report
Happened to me recently. I haven't logged into GW for over a year and then I received an email telling me that my GW password had been changed. My master account password was fine, which let me log onto it and then change the GW password from there. I reported it to NCSoft but no explanation was ever given.

http://www.meyithi.com/graphics/gw.jpg (proof)

Posted: Jan 2nd 2010 3:09PM MrDiamondJ said

  • 2 hearts
  • Report
I can tell you that Aion's website has some security bugs. Yesterday I logged into the My Aion portion of the site, and it took me to a username that was similar to mine but a different user entirely (and I have no alts, so it was definitely another user's character). I didn't do anything out of the ordinary, either...I just logged in. There was a weird delay, and then there I was, in another user's account.

Posted: Jan 2nd 2010 6:39PM (Unverified) said

  • 2 hearts
  • Report
Personally I advise anyone who uses a master account to immediately log in, change the password to something utterly gibberish (write that down!), enter made-up personal info and immediately cancel all games subscriptions you have with them.

In the event you do get hacked expect to spent a week replying via e-mail (only) with account support to resolve the issue. They will want they key to every game (including releases) linked to your master account and the registration code you received at the time you created the master account. They also want a bunch of personal information as well.

They are available via e-mail only M-F 12p-5p CST. IT's webmail so expect to go back and forth using a very un-user-friendly form. Then all they will do is ban the account and then your master account without offering much detail as to what they did to "fix" the problem. Good luck.

Posted: Jan 3rd 2010 11:13AM TheJackman said

  • 2 hearts
  • Report
They can have my GW account if they wanna maybe they already got it I really not known I did not log in for years!

Posted: Jan 4th 2010 8:36AM Metalheart said

  • 2 hearts
  • Report
I also managed to login to an account which was not mine :( the person is luckly i am not from China!

Featured Stories

Engadget

Engadget

Joystiq

Joystiq

WoW Insider

WoW

TUAW

TUAW