Dec 13Th Incident - Official Response
#201
Posted 14 December 2012 - 12:29 PM
PGI apparently you have things that need to be worked out with the security of these forums. Day two now and the third time in under 24 hours that I have seen this warning pop up after it was corrected.
Whats the deal?
#202
Posted 14 December 2012 - 12:31 PM
Thontor, on 14 December 2012 - 11:55 AM, said:
It's up to you to make it difficult to guess the password of course.
And even if they do get both pieces of information, what are they goin to do with it? I suppose they might sell it to someone who wants an account with lots of stuff on it. But it shouldnt be hard to get back if you report it, and they could probably even revert the account to what it was.
I highly doubt there's a market for MWO accounts anyways..
I'm not so sure my password is safe. This, proprietary is it?, forum software has failed in my eyes as a customer.
Using MD5 checksums, which are also not safe, deepens my skepticism.
Yes, the worst thing that can happen to me is waking up to an empty mech bay or perhaps having somebody abusing my forum profile and in game identity. But brushing aside risks, agreed with limited (known) potential damage is again not something I approve. Not when there's a simple way to avoid it by separating forum and in game accounts, or adding two factor authentication which is the better way.
I agree about restoring my account via support.
Regarding a market for MWO accounts, take a look at WoT. They said the same thing yet there is definitely a demand for those accounts. At least in Europe and Russia.
I predict the same after we get Community Warfare going.
Although PGI panicked a bit with all those forum topic locks, they did come clean in the end and that's good. Then again, having your site blacklisted by Google and every major antimalware software isn't something you can hide.
So I'm not panicking here - just stating my point of view as an alternative to "don't worry about it - it's fixed" general opinion.
Edited by OpCentar, 14 December 2012 - 12:37 PM.
#203
Posted 14 December 2012 - 12:32 PM
An email is not a concern unless it has a link and you clicked it.
As far as I understand these things.
Now the warning being back well that is a real issue.
#204
Posted 14 December 2012 - 12:34 PM
been hit by the page warning still just to let someone know it is not gone yet
#205
Posted 14 December 2012 - 12:35 PM
Thontor, on 14 December 2012 - 12:15 PM, said:
Neither of the email accounts I have used for MWO got that spam by the way... Yes I checked my spam folder.
allright... fair is fair... others may have gotten the same email...
and yes the forum software was hacked and not pgi or mwo in particular! BUT... the problem is... they lied anyway...
fact is that there are spamemails going out to players of mwo without any connection to each other... some players might get them... some players dont... but this cant be a coincidence... and therefore the emailadresses HAVE to come from here...
yet pgi still tells us that our emails are safe... so they are lying!
#206
Posted 14 December 2012 - 12:35 PM
Columbit, on 14 December 2012 - 12:14 PM, said:
Lol I've been using WinRT IE10 which has a bug in it that disallows mwomercs.com's javascript from working. I thought IE sucked, but it looks like it has been blocking the hack script even if it was by accident. :-p
#207
Posted 14 December 2012 - 12:35 PM
ZealotTheFallen, on 14 December 2012 - 12:34 PM, said:
been hit by the page warning still just to let someone know it is not gone yet
Funny it seemed to come back as I was switching between pages yet now it is gone again.
#208
Posted 14 December 2012 - 12:41 PM
Lon3Wo1f, on 13 December 2012 - 06:57 PM, said:
Perhaps you can explain why I received two identical spam emails to two addresses used exclusively with MWO if this is true. It was what first made me think there was a hack / exploit problem. I came to the forums and got the "Reported Attack Site" message.
JavaScript on the page watched you type your email as a username (really stupid practice on IGP's part here) and reported it to its master.
#209
Posted 14 December 2012 - 01:39 PM
Thontor, on 14 December 2012 - 12:46 PM, said:
You realize that many of those sites and games still use MD5 hashes for that "encryption" part, right?
As I mentioned ... that's no longer secure. But there are tons of developers that don't know that, even though it's been widely publicized.
LinkedIn. You'd think they'd know about this, right? Not so much. They were breached and when the dump of hashes was made public it was used as the poster child for why MD5 is bad. Box full of GPUs, brute forcing, and presto - your pasword isn't secure.
Coda Hale has an excellent writeup about this: http://codahale.com/...ore-a-password/
#210
Posted 14 December 2012 - 01:39 PM
focuspark, on 14 December 2012 - 12:41 PM, said:
Edited by GrunHerz, 14 December 2012 - 01:41 PM.
#211
Posted 14 December 2012 - 01:46 PM
#212
Posted 14 December 2012 - 02:00 PM
Oh, and before someone chimes in with their AOL help desk tips, yes, I've cleared the cache.
Fix your **** PGI
#213
Posted 14 December 2012 - 02:03 PM
If they've been infected I'll never hear the end of it.
#214
Posted 14 December 2012 - 02:05 PM
Edited by GrunHerz, 14 December 2012 - 03:56 PM.
#215
Posted 14 December 2012 - 02:06 PM
#216
Posted 14 December 2012 - 02:11 PM
Thontor, on 14 December 2012 - 11:55 AM, said:
In general, the goals are usually:
Obtain in-game items to sell for real money. Since MWO doesn't have trading or a real in-game economy, this probably isn't a motivation.
Obtain passwords, which can then be tested against other accounts, which may or may not belong to the same user. This is what happened with the plentyoffish.com hack... the passwords, of which many were re-used, were used to log into other accounts. I wouldn't be surprised if many, many of the passwords for MWO matched the passwords for the email accounts they're connected to. (A number of my own users had their university accounts hacked right after the PoF attack... and yes, they were PoF users...)
Obtain emails which can be sold to spammers. "Confirmed" accounts go for more money than scraped addresses.
And finally, some do it just to cause chaos. Yes, if you log in one day to find your mech bays empty, PGI can probably recover your stuff, but for the length of time it takes to do so, your time is wasted, PGI's time is wasted, and many players will give up and quit.
#217
Posted 14 December 2012 - 02:21 PM
Nothing wrong with a little paranoia, but really folks, some of you are going way overboard with it...knew I should have bought stock in aluminum foil...
#218
Posted 14 December 2012 - 03:07 PM
#220
Posted 14 December 2012 - 03:58 PM
7 user(s) are reading this topic
0 members, 7 guests, 0 anonymous users