
Reader Comments (14)

Posted: Oct 19th 2011 10:07AM Ocho said

  • 2 hearts
I yesterday received an e-mail, not saying that my password had been reset like it says above, but that it was just a good idea to change it... and then it offered links to do so. Hovering over the links, they were not exactly the links they claimed to be (one claims to go to https://myaccount.turbine.com/ and the other claims to go to https://support.turbine.com/, but both go to email.turbine.com/ct/*).

However, this message came to my inbox, sent from newsletter@turbine.com, a trusted e-mail address. I'm not fully convinced this message isn't a phishing scam, because of the masked links (I receive about 10,000 of these from "Blizzard" daily).

I did the right thing, though, and changed my password, but I went there directly and not through the link.

I could just be paranoid... but it's better to be safe than sorry.

Posted: Oct 19th 2011 10:32AM Pingles said

  • 3 hearts
@Ocho

Companies that send emails asking for password changes with embedded links drive me crazy.

I wish every single one said:

NEVER FOLLOW A LINK IN AN EMAIL. GO TO OUR MAIN WEBSITE AND FOLLOW THE INSTRUCTIONS ON THE HOMEPAGE

I wonder what percentage of email readers even know to hover over the link much less to investigate any further.

Posted: Oct 19th 2011 11:32AM Icemasta said

  • 2 hearts
@Ocho
Welcome to the internet. This is a very common thing called e-mail spoofing. Maybe the e-mail was legit and they did crappy htmling, but most of the time, e-mails are spoofed, the most frequent one I've seen is World of Warcraft. The e-mail will come in with the "proper" e-mail address, heading and everything, and will provide textually correct links that lead to the official website, but the actual link that is added to the text via html leads to their phishing website.

Posted: Oct 19th 2011 10:11AM Nandini said

  • 2.5 hearts
Did Turbine really claim no payment details were stolen? To me it reads that no payment details were in the forum database.

It's a strangely clever way to avoid answering the question directly.

Posted: Oct 19th 2011 11:06AM SnarlingWolf said

  • Half a heart
@Nandini

1) You do realize that "FAQs" are actually just questions and answers the company came up with to make things easy to understand, right? In this day and age they are almost never actually frequently asked questions. Therefore they aren't dodging an asked question.

2) If no payment information is contained in the database that they found issues with then it means no payment information was compromised.

3) SOE should take note on how to handle security issues. Just throwing that out there.

Posted: Oct 19th 2011 11:40AM Icemasta said

  • 3 hearts
@SnarlingWolf
To be honest, not really. It took a very long time from the discovery of the breach (caused by outdated vBulletin forum software, same thing that led to SOE and Bethesda leaks and caused a security breach on the CCP websites), to the announcement and mass e-mail. The breach was discovered on the 11th, the e-mail was released on the 18th. That's 7 days of potential danger even if they didn't know the extent of the intrusion at that time.

The difference between SoE and Turbine here is that Turbine got lucky. If Turbine's forum password database had been leaked, the mood would be outrageous. People would be wondering why the hell it took a full week for Turbine to tell its users of the intrusion.

Posted: Oct 19th 2011 12:15PM Nandini said

  • 2.5 hearts
@SnarlingWolf

I'm just saying that Turbine itself posed a simple, direct question in its own FAQ, and avoided giving a simple, direct answer to that same question.

The simplest and most satisfactory answer, of course, would be "No."

Posted: Oct 19th 2011 4:29PM augustgrace said

  • 2 hearts
@Icemasta
As I recall it took Sony at least two weeks to admit there had been a breach, and they had been warned of weaknesses in their security before the incident. This occurrence with Turbine is quite different. 1) They caught it almost immediately and took the appropriate steps. 2) Payment details were never in danger. 3) Turbine wasn't warned of some security flaw. 4) Turbine didn't try denying the incident before finally admitting to it.

*rolls eyes* Interesting how Sony fanbois have managed to rewrite history.

Posted: Oct 19th 2011 9:17PM Celtar said

  • 2 hearts
@augustgrace

Don't roll your eyes, makes you look stupid. Especially when 'actually' Turbine was warned of a forum security risk beforehand by a user. So your "Number 3" is wrong. Did they move much faster than Sony? Yep, but they did not move right away from what most of us could tell. Also making a slam against someone being a fanboi of Sony while coming off like one for Turbine makes you look just as bad.

I am a Turbine customer and have been since July '07, I am a happy customer btw. I just refuse to put on blinders when a company I pay screws up. They get a passing grade for how they responded, just not a high grade since they did dither around and not move right away. Sony on the other hand gets a failing grade and I refuse to have accounts with them nor do I allow the rest of my family either.

Posted: Oct 19th 2011 11:22AM bobfish said

  • 2 hearts
How do they know if you have a vulnerable password? Surely it is encrypted/hashed on their servers?

Posted: Oct 19th 2011 11:43AM Icemasta said

  • 2 hearts
@bobfish
They don't, they e-mailed everyone. I received one and my password comes from a password card that is 16 characters long with special characters, capital and normal letters, numbers, all at random. That's just an excuse to say "Oh we only sent it to those who put themselves in that position (by having a weak password, supposedly), it's not OUR fault YOU picked a weak password." I am assuming it's encrypted but not salted, as such very short passwords could be easily cracked, assuming 32-bit encryption. By easily I mean a couple of weeks, but someone with enough time and computer on their hand could run each extracted password through a brute force and hope for a couple of positives.

Posted: Oct 19th 2011 5:42PM JayDay said

  • 2 hearts
@bobfish

If you use your bobfish as a password it's a safe bet you'll be hacked. ;)

Posted: Oct 21st 2011 2:00AM Jack Pipsam said

  • 2 hearts
It wasn't JUST lotro!

Posted: Nov 13th 2011 7:14PM GregJL said

  • 2 hearts
Good to know. Course, you should know that now you have become part of the target of the vitriol from the so-called "LotroCommunity" forum.
