Security Breach
Sep. 16th, 2015 11:09 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
madimpossibledreamer`Dev Geirin Kuzunoha XXI:
A welcome out to the fellow walkers of the world of Innocent Sin!
Unfortunately, a less than nice side effect to the server merges happened on Tuesday. This will be long-winded and isn’t the “official” announcement, which should go out fairly soon after my post.
If you haven’t gotten an email, don’t worry, your account wasn’t affected. Just to be safe, though, you might want to change your password.
If you have gotten an email FROM MY COMPANY ACCOUNT, it is important that you follow the instructions therein as soon as humanly possible, especially if you have your credit card information linked to your account.
If you’ve gotten an email that you can’t verify is actually from me, don’t open it. My email account is fine, but I’ve gotten reports of someone using an email account that sounds vaguely like mine for phishing. Just to remind everyone, my official email account is the only one I’ll be using for official things, and information like that can be found on my profile as well as on the main website.
If you’d prefer to do this over the phone, call customer support. I listed the number, again, in the email from my company account as well as special instructions in order to bypass the usual answering machine rigamarole and actually get you talking to a real person right away (note: this will only work for the current security breach crisis).
How serious is it, you ask? Most accounts were safe, since only one of our player databases was hacked, but we’re still working on assessing the damage. As far as we know, only usernames and encrypted password data were found, but just to err on the side of caution you might want to assume that any information associated with your account (real name, date of birth, any credit card information, anything else you might have entered into your account profile) might also have been taken. Given some aberrant behavior on a few of the compromised accounts (that we quickly froze), it’s likely that the password encryption was broken as well. My ISO account was actually one of the ones hit, and I put a watch on my credit card and changed all my passwords, just to be safe. It’s recommended that you change your passwords as well.
This is important. It’s vaguely legalese, but it’s also important and not in really vague terms. For your own security, we encourage you to be especially aware of e-mail and postal mail scams that ask for personal or sensitive information. No one associated with the game, including Saeki, Kirijo, or employees will contact you in any way, including by e-mail, asking for your credit card number, social security number, or any other personally identifiable information. (Common sense-if it’s information that we should already have access to as managers of a game, then we won’t ask for it. If it’s information that we shouldn’t have access to, then why would we be asking for it?)
Here, we’re tightening security, going through and fixing things. This might actually put us behind on a few of those upgrades we were going to implement, but if it results in an overall safer world, we think it’s worth it.
We’re also changing a relic of the past that weakens security. Originally, we were thinking of using your username as your unique identifier, so everyone in the game could have a character named Bill, for instance. We didn’t end up implementing this, as it was argued that when you’re wandering around the game with your username showing, all someone would have to get their hands on is your password in order to get into your account. However, we forgot to change this feature with the implementation of in-game posting on the forums. Only if you were signed in and playing a character would it automatically use your character name when posting. If you just logged into the forums or were logged into the game but weren’t playing a character at the time, the default option was posting under your username, and a lot of people either didn’t know about this or liked being known by their username.
In order to not interfere with this, we’re changing your previous usernames to your profile names. These are a new, public identifier that you can use in pretty much the same ways you used your username in the past. All players, on the other hand, will be required to change their usernames. (You could opt to keep your username and profile name the same, but any damage to your own system, bank account, etc. per the game contract falls on your shoulders, then, and any damage caused by you being a weak link to others will likewise leave you liable. Seriously, just don’t do it.) Your username will now be your way to log in, nothing more. You should be the only one who knows your username and password.
I’ll direct you to `Dev Kashihara’s General Security post, as well as the Kirijo Security Plug-In (which I can confirm works wonderfully for the game and Kashihara is busy like a squirrel updating it so it runs on the forum as well). If you do a search for MMO Security, you can also find other suggestions on how to stay safe out there.
Off to adventure!
Riskin: Soooo…where was the breach, anyway?
Seimei: Rumor says it was account data stored for people who use the forum. Particularly, I’d say, the username/password combos stored for those who post using their username, given the fact that they’re completely overhauling the system (which is good but it might mean a fair amount of downtime until they get everything ship-shape again).
Lusy: Okay, I’m panicking but I should probably send a ticket through support to get an idea what’s going on rather than panicking here in the comments. I’m good with ticket through support. I’m also doing security checks on EVERYTHING but, well, better safe than sorry.
Iwaro: At least they’re giving us a head’s up. That’s courteous. (And, actually, I’ve dealt with Kirijo making a big mess of themselves before, and they’re actuallyreallly honest about it for a company. They apologize and you usually get at least a littlemonetary compensation. Unlike some other jerk companies I’ve worked with.) Thanks, Geirin, though I wish you’d had better news for us.
Is’dano: Heads up, they’re having EVERYBODY, volunteer and employee, in because of the TON of tickets going through. Plus side? Going through the phone message was a piece of cake. Luckily, I was able to fix everything before anything got through.
