
Cryptic Warns of Possible Server Hack 16 Months Later

Source: Cryptic Studios

Cryptic is just now warning of a server breach that took place back in December 2010.

If you've played one of Cryptic Studios' MMORPGs over the last two years, chances are you're currently receiving a warning about a user database breach via email.

In the warning, Cryptic states that, as a result of routine security checks and upgrades, the company has discovered that certain account information, including passwords, may have been accessed by an unauthorized party. Given that we live in a post-Sony Apocalypse world, the news really isn't all that surprising. But what is surprising is that the breach happened back in December 2010, and Cryptic is just now figuring it out more than a year later.

Cryptic is the studio behind City of Heroes, Champions Online, Star Trek Online, and the upcoming Neverwinter MMOG.

"The unauthorized access included user account names, handles, and encrypted passwords for those accounts," the studio said on Wednesday. "Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database. All accounts that we believe were present in the database have had the passwords reset, and customers registered to these accounts have been notified via e-mail of this incident."

So far there's no evidence that any other information has been swiped by the intruder, but it's possible that additional info was obtained. "If they did so, the first and last name, e-mail address, date of birth (if provided to Cryptic Studios), billing address, and the first six digits and the last four digits of credit cards registered on the site may have been accessed," Cryptic said. "We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user."

Let's just hope they don't figure it out in another sixteen months. Currently the investigation into the breach is still ongoing, and the studio says it's taking even further action to strengthen its systems, and to redouble its security vigilance and protections. In the meantime, Cryptic customers should be on the lookout for email and postal mail scams that ask for personal, sensitive information. Naturally Cryptic won't ask for any of this.

"While we have no evidence of unauthorized use of personal information as a result of this incident, to protect against any possible identity theft, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports," the studio said. "Further information regarding the prevention of identity theft can be found at the Federal Trade Commission’s website here."

News like this is making board games look better and better every day.

Top Comments
  • 17
    willard , April 26, 2012 9:03 PM
    How many of these "whoops, my bad" apologies do we need before companies start taking security seriously? It's not 1990 any more, you need to be proactive.

    I bet if we started seeing criminal cases brought against companies who obviously mishandled private information they'd start taking security seriously.
Other Comments
  • 3
    jryan388 , April 26, 2012 8:49 PM
    LOL that's uber embarrassing. Although if the hackers haven't used the data by now does it even matter?
  • 6
    DroKing , April 26, 2012 9:22 PM
    willard wrote: How many of these "whoops, my bad" apologies do we need before companies start taking security seriously? It's not 1990 any more, you need to be proactive. I bet if we started seeing criminal cases brought against companies who obviously mishandled private information they'd start taking security seriously.

    I totally agree man. We need to set up some kind of policy that incentivizes the need for better security.
  • 4
    Yuka , April 26, 2012 9:26 PM
    willard wrote: How many of these "whoops, my bad" apologies do we need before companies start taking security seriously? It's not 1990 any more, you need to be proactive. I bet if we started seeing criminal cases brought against companies who obviously mishandled private information they'd start taking security seriously.

    The answer is easy... When people stop paying a company for crappy service (or buying its related products).

    Would you trust your money on a bank that gets robbed every week?

    The answer, I will concede, is not "black and white", but you get the bottom of my argument.

    Cheers!
  • 2
    Unolocogringo , April 26, 2012 9:48 PM
    I don't get this. Our businesses take credit cards that are processed on our computer.
    4 times a year I have to log into one of their websites and then for 4 hours they try to hack into my computer.
    I always score 98 on the test. 2 points off because my computer is pingable.
    Funny thing is I never changed any of my security measures. I have always had my network set up this way.
    I have been running wireless since the early 90s when it was 1mb. 2mb (megabits) if you had the upgraded antennae and was $4000 for two direct connect boxes and standard antennae.
    My wife laughed at me when I made antennae out of coffee cans. But they worked very well and did not cost an additional $450 dollars each.
  • 7
    A Bad Day , April 26, 2012 9:54 PM
    At least it only took Sony less than a month to figure out something went terribly wrong...
  • 2
    caqde , April 27, 2012 12:13 AM
    Damn over a year... I feel a lot safer using the PSN than letting them have my information at least with Sony I will know before the end of the month...
  • -3
    Gundam288 , April 27, 2012 12:15 AM
    And this is why I prefer PayPal, just another way of keeping my card numbers harder to get at.
  • 0
    Anonymous , April 27, 2012 12:49 AM
    ... should note that while Cryptic's "behind" City of Heroes, they haven't been involved with it for a few years now. CO and STO though... >.< yeah, timely word would have been good.
  • -2
    Anonymous , April 27, 2012 3:36 AM
    To all those saying to be proactive with security, it's hard to justify the cost involved with doing so until something of this magnitude occurs. Then focus shifts, and money is spent, then passed on as costs to end users.
  • -1
    Christopher1 , April 27, 2012 7:35 AM
    willard wrote: How many of these "whoops, my bad" apologies do we need before companies start taking security seriously? It's not 1990 any more, you need to be proactive. I bet if we started seeing criminal cases brought against companies who obviously mishandled private information they'd start taking security seriously.

    Willard, wake the hell up. They ARE taking security seriously. The problem is that you cannot 'predict' every single hole in your security that someone might use to get into your systems.

    It's time to stop expecting these companies to be miracle-workers and stop every hack before it happens.
  • 1
    willard , April 27, 2012 2:52 PM
    Christopher1 wrote: Willard, wake the hell up. They ARE taking security seriously. The problem is that you cannot 'predict' every single hole in your security that someone might use to get into your systems. It's time to stop expecting these companies to be miracle-workers and stop every hack before it happens.

    Christopher1, wake the hell up. I'm NOT talking about 0-day exploits. I'm talking about companies who detect intrusions years after the fact because they aren't performing proper audits. I'm talking about companies who let dumbass wannabe hackers like LulzSec in because they have admin accounts with the password admin. I'm talking about companies who don't even try to follow security best practices and as a result, put the personal information of millions of users at risk.

    The vast majority of hacks are not super talented people breaking down the security door, so to speak. They're using well known vulnerabilities to exploit systems that would have been secure if they had the latest patches, or bothered to do trivial things like sanitize database inputs. Failure to sanitize DB inputs was actually what allowed the Sony hack last year.

    I don't want miracles, I just want competence.
  • 1
    NuclearShadow , April 27, 2012 4:20 PM
    willard wrote: I don't want miracles, I just want competence.

    Competence means work, work means labor costs. Crossing their fingers and hoping this never happens costs nothing. Which do you expect them to choose? We simply are not going to see companies take security seriously when they are not held responsible even if it is due to their incompetence. It is a total loss for the consumer and since you can't expect government intervention nowadays when it comes to consumer rights nothing will change.
  • 1
    iamtheking123 , April 28, 2012 1:05 AM
    willard wrote: How many of these "whoops, my bad" apologies do we need before companies start taking security seriously? It's not 1990 any more, you need to be proactive. I bet if we started seeing criminal cases brought against companies who obviously mishandled private information they'd start taking security seriously.

    As long as IT people are on average the most lazy and arrogant people in the universe.