Cryptic Warns of Possible Server Hack 16 Months Later
Cryptic is just now warning of a server breach that took place back in December 2010.
If you've played one of Cryptic Studios' MMORPGs over the last two years, chances are you're currently receiving a warning about a user database breach via email.
In the warning, Cryptic states that, as a result of routine security checks and upgrades, the company has discovered that certain account information, including passwords, may have been accessed by an unauthorized party. Given that we live in a post-Sony Apocalypse world, the news really isn't all that surprising. But what is surprising is that the breach happened back in December 2010, and Cryptic is just now figuring it out more than a year later.
Cryptic is the studio behind City of Heroes, Champions Online, Star Trek Online, and the upcoming Neverwinter MMOG.
"The unauthorized access included user account names, handles, and encrypted passwords for those accounts," the studio said on Wednesday. "Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database. All accounts that we believe were present in the database have had the passwords reset, and customers registered to these accounts have been notified via e-mail of this incident."
So far there's no evidence that any other information has been swiped by the intruder, but it's possible that additional info was obtained. "If they did so, the first and last name, e-mail address, date of birth (if provided to Cryptic Studios), billing address, and the first six digits and the last four digits of credit cards registered on the site may have been accessed," Cryptic said. "We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user."
Let's just hope they don't figure it out in another sixteen months. Currently the investigation into the breach is still ongoing, and the studio says it's taking even further action to strengthen its systems, and to redouble its security vigilance and protections. In the meantime, Cryptic customers should be on the lookout for email and postal mail scams that ask for personal, sensitive information. Naturally Cryptic won't ask for any of this.
"While we have no evidence of unauthorized use of personal information as a result of this incident, to protect against any possible identity theft, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports," the studio said. "Further information regarding the prevention of identity theft can be found at the Federal Trade Commission’s website here."
News like this is making board games look better and better every day.
I bet if we started seeing criminal cases brought against companies who obviously mishandled private information they'd start taking security seriously.
I totally agree man. We need to set up some kind of policy that incentivizes the need for better security.
The answer is easy... When people stop paying a company for crappy service (or buying its related products).
Would you trust your money on a bank that gets robbed every week?
The answer, I will concede, is not "black and white", but you get the bottom of my argument.
Cheers!
4 times a year I have to log into one of their websites and then for 4 hours they try to hack into my computer.
I always score 98 on the test. 2 points off because my computer is pingable.
Funny thing is I never changed any of my security measures. I have always had my network set up this way.
I have been running wireless since the early 90s when it was 1mb. 2mb (megabits) if you had the upgraded antennae and was $4000 for two direct connect boxes and standard antennae.
My wife laughed at me when I made antennas out of coffee cans. But they worked very well and did not cost an additional $450 dollars each.
Willard, wake the hell up. They ARE taking security seriously. The problem is that you cannot 'predict' every single hole in your security that someone might use to get into your systems.
It's time to stop expecting these companies to be miracle-workers and stop every hack before it happens.
Christopher1, wake the hell up. I'm NOT talking about 0-day exploits. I'm talking about companies who detect intrusions years after the fact because they aren't performing proper audits. I'm talking about companies who let dumbass wannabe hackers like LulzSec in because they have admin accounts with the password admin. I'm talking about companies who don't even try to follow security best practices and as a result, put the personal information of millions of users at risk.
The vast majority of hacks are not super talented people breaking down the security door, so to speak. They're using well known vulnerabilities to exploit systems that would have been secure if they had the latest patches, or bothered to do trivial things like sanitize database inputs. Failure to sanitize DB inputs was actually what allowed the Sony hack last year.
I don't want miracles, I just want competence.
Competence means work, work means labor costs. Crossing their fingers and hoping this never happens costs nothing. Which do you expect them to choose? We simply are not going to see companies take security seriously when they are not held responsible even if it is due to their incompetence. It is a total loss for the consumer and since you can't expect government intervention nowadays when it comes to consumer rights nothing will change.
As long as IT people are on average the most lazy and arrogant people in the universe.