Forum Db Compromised? Spam To Unique Address...


67 replies to this topic

#21 SmackZ

    Member

  • Veteran Founder
  • 303 posts
  • Location: Colorado

Posted 07 January 2013 - 07:43 AM

Yep I got the emails too...but I also noted every website I go to has a MWO ad on it so now I gotta find the damned cookie on my puter!

#22 ItsAPotato

    Member

  • 126 posts

Posted 07 January 2013 - 08:38 AM

Just checked, and I also got this email on Jan 1st. This is also the first time I've received the email.

SmackZ, on 07 January 2013 - 07:43 AM, said:

but I also noted every website I go to has a MWO ad on it so now I gotta find the damned cookie on my puter!


...same.

#23 Bishop Steiner

    ForumWarrior

  • The Hammer
  • 47,187 posts
  • Location: climbing Mt Tryhard, one smoldering Meta-Mech corpse at a time

Posted 07 January 2013 - 08:40 AM

I don't recall that exact one, no, but will say I noted many spam emails showing on the 3 accounts linked to this game, and none currently on my others.

#24 Oderint dum Metuant

    Member

  • Ace Of Spades
  • 4,758 posts
  • Location: United Kingdom

Posted 07 January 2013 - 08:55 AM

Oh no, I received more spam email...to go with the rest in the last 15 years..it's Armageddon I tell ye..


Has anyone noted any strange behaviour on their credit cards? PayPal? Bank accounts?

No?

All is well.

Edited by DV McKenna, 07 January 2013 - 08:55 AM.


#25 Inertiaman

    Member

  • 865 posts

Posted 07 January 2013 - 09:02 AM

It's not about the odd bit of spam, it's about faith generally in a system that we'll pour our card info into.

Bryan Ekman, on 13 December 2012 - 04:14 PM, said:

We can confirm:
  • At no time were any databases containing personal information compromised. This includes e-mails and passwords.
  • PGI and IGP does not store, nor have access to any user credit card information.
  • Account passwords are encrypted, salted, peppered and stored in databases not affected by today’s incident.


It's hard to have any faith in the latter given the lack of truth and feedback on the former.

#26 Haxxplz

    Member

  • Ace Of Spades
  • 28 posts

Posted 07 January 2013 - 09:14 AM

Just checked my spam folder, received it as well.

#27 Oderint dum Metuant

    Member

  • Ace Of Spades
  • 4,758 posts
  • Location: United Kingdom

Posted 07 January 2013 - 09:25 AM

Inertiaman, on 07 January 2013 - 09:02 AM, said:

It's not about the odd bit of spam, it's about faith generally in a system that we'll pour our card info into.



It's hard to have any faith in the latter given the lack of truth and feedback on the former.



Your card details go to a third party who deals with the transaction. PGI do not hold that info; it quite clearly states that.

And it's your monetary info that is important.

#28 Terran123rd

    Member

  • Ace Of Spades
  • 444 posts

Posted 07 January 2013 - 09:29 AM

No spam here. Didn't get any after the December 13th incident either.

#29 Inertiaman

    Member

  • 865 posts

Posted 07 January 2013 - 09:32 AM

DV McKenna, on 07 January 2013 - 09:25 AM, said:



Your card details go to a third party who deals with the transaction. PGI do not hold that info; it quite clearly states that.


Yeah I'm fairly au fait with ecomm - but again - the point is that it also clearly states that no email addresses were compromised yet they were. Generally were this to happen you'd change your password and crack on. In this case though is there any latent security issue remaining? Have they fixed the problem? What was the impact? Will we be given the functionality to change email address on our profile etc.

Just saying "it clearly says everything is ok" hardly answers any of the above - and doesn't demonstrate if it's a serious or trivial problem either way.

#30 Oderint dum Metuant

    Member

  • Ace Of Spades
  • 4,758 posts
  • Location: United Kingdom

Posted 07 January 2013 - 09:35 AM

I don't disagree with their overall approach, and there certainly should be some update by now once and for all.

Yet the question remains, aside from your monetary info, what else is there to gain from your MWO account?
There are no transfers possible, except for spite there is no physical gain for any hackers, Chinese farmers.

#31 BLUPRNT

    Member

  • Giant Helper
  • 616 posts
  • Location: Lake Something or Other, WA

Posted 07 January 2013 - 09:39 AM

I have not received this email or any other that is not supposed to be there. I'm nowhere near tech level enough to confirm this but would like to mention it as a possibility.
The Penny Arcade tutorial and free premium time showed up by either a link in the forums or an ad on home (I can't remember which) on that same day and you had to put in your email to redeem the premo time. Just a thought.
I know nothing about Penny Arcade so total speculation.
I did not redeem that day.

#32 Windies

    Member

  • Knight Errant
  • 1,477 posts
  • Location: FL

Posted 07 January 2013 - 09:47 AM

DV McKenna, on 07 January 2013 - 09:35 AM, said:

I don't disagree with their overall approach, and there certainly should be some update by now once and for all.

Yet the question remains, aside from your monetary info, what else is there to gain from your MWO account?
There are no transfers possible, except for spite there is no physical gain for any hackers, Chinese farmers.


Well if the website was compromised, it's entirely possible for them to have implemented code into the form used for entering your payment info, and having that sent to both the processor and the 3rd party individual who compromised the website. There's a lot of unknowns that could have happened, I would be watchful of entering my info on the website.

#33 Inertiaman

    Member

  • 865 posts

Posted 07 January 2013 - 09:53 AM

Yeah that's exactly it - or more fundamentally the payment portal on the MC is just iframed in I think and could be easily subverted if the site is compromised. If the current site admins didn't even know their user database was lifted then they could quite easily miss the fact that their customers are sending money to a completely unrelated PayPal address or a similar analogue of theirs.

#34 Felicitatem Parco

    Professor of Memetics

  • Legendary Founder
  • 13,522 posts
  • Location: Is Being Obscured By ECM

Posted 07 January 2013 - 09:55 AM

Numerous internet communities got "hit" by that Windows 8 is fail email, it's not an MW:O exclusive. Also, many of us don't get MW:O-specific spam (myself included).

Anyways, posting about this on the forums is not the most efficient way to notify the webmaster about it or to receive Support assistance. If there was a significant problem, then telling the non-employees won't help as much as telling the employees. You can always write an email to support@mwomercs.com to get an official report generated.

(Also, remember that the MC purchases you do over this website take place on ultimatepay servers (playspan servers) through a secure link to their website in the new frame that pops up - the financial transactions are not hosted on mwomercs.com servers and neither is your payment/CC info. The only "account info" they store here is your MC spending in the game client, viewable whenever you click the "Buy MC" button on the game homepage.)

Edited by Prosperity Park, 07 January 2013 - 09:55 AM.


#35 GioAvanti

    Member

  • 389 posts

Posted 07 January 2013 - 10:00 AM

I got a password reset request from origin (I used the same e-mail for this).... today.

#36 Inertiaman

    Member

  • 865 posts

Posted 07 January 2013 - 10:02 AM

Prosperity - please back off a little and read what we're saying before dismissing it as noise.

Point 1) Your email database was lifted at least in part. This is supported by the number of users using MWO specific aliases and not even a debate at this point.
Point 2) Our comments on the forums are there in response to the pinned Official Announcement on the matter. If you'd like a deluge of support mails on the subject feel free to post in the Official Announcement telling everyone with an issue to do so.
Point 3) The ultimatepay setup is easily replicable if the MWO site is compromised. If PGI have verification in place to ensure that the content their site serves is consistent and secure I'm not seeing any evidence of it from an external pov.

I'd really recommend taking some advice from the forums once in a while. On most matters some people seem a few steps ahead of the management.

Moreover - if you're handling money for people you have an obligation to ensure their security. It is not obvious at all that this obligation is being taken seriously.

Edited by Inertiaman, 07 January 2013 - 10:01 AM.
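
Added example, not part of any post in this thread and not PGI's code: one way to run the external check raised in point 3 above, confirming that a purchase page still points its payment frame, forms and scripts at the expected origins. The hostnames and the sample HTML are constructed placeholders, since the thread gives none.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed placeholder values: the thread gives no hostnames for the payment frame.
PAGE_URL = "https://shop.example/buy"
ALLOWED = {  # tag -> origins that tag is expected to point at
    "iframe": {"https://pay.processor.example"},
    "form": {"https://shop.example", "https://pay.processor.example"},
    "script": {"https://shop.example"},
}
URL_ATTR = {"iframe": "src", "form": "action", "script": "src"}

# Constructed samples: a baseline page, and a copy with a swapped frame host and an extra script.
CLEAN = ('<form action="/cart"></form>'
         '<iframe src="https://pay.processor.example/checkout?sku=mc"></iframe>'
         '<script src="/static/app.js"></script>')
TAMPERED = (CLEAN.replace("pay.processor.example", "pay.processor.example.lookalike.test")
            + '<script src="//cdn.other.test/x.js"></script>')


def origin(url):
    """Scheme plus host[:port], so an http:// downgrade also counts as a mismatch."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


class OriginAudit(HTMLParser):
    """Collects iframe/form/script targets whose origin is not allowlisted."""

    def __init__(self, page_url, allowed):
        super().__init__()
        self.page_url, self.allowed, self.findings = page_url, allowed, []

    def handle_starttag(self, tag, attrs):
        if tag not in URL_ATTR:
            return
        value = dict(attrs).get(URL_ATTR[tag])
        if value is None and tag != "form":
            return  # inline script or frame without src: no URL to compare
        # Relative URLs resolve against the page; a form with no action posts to the page.
        target = urljoin(self.page_url, value or "")
        if origin(target) not in self.allowed[tag]:
            self.findings.append((tag, target))


def audit(html, page_url=PAGE_URL, allowed=ALLOWED):
    """Return (tag, resolved URL) pairs that fall outside the allowlist."""
    parser = OriginAudit(page_url, allowed)
    parser.feed(html)
    return parser.findings
```

`audit(CLEAN)` returns an empty list and `audit(TAMPERED)` returns the swapped frame and the extra script. The check compares origins only, so a change to an inline script or to a same-origin file needs a content hash comparison as well.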


#37 Felicitatem Parco

    Professor of Memetics

  • Legendary Founder
  • 13,522 posts
  • Location: Is Being Obscured By ECM

Posted 07 January 2013 - 10:05 AM

If your Comments are in response to the Official Announcement, then please place your comments in the Official Announcement Thread that was created specifically for this instance.

#38 Oderint dum Metuant

    Member

  • Ace Of Spades
  • 4,758 posts
  • Location: United Kingdom

Posted 07 January 2013 - 10:06 AM

Inertiaman, on 07 January 2013 - 10:00 AM, said:

Prosperity - please back off a little and read what we're saying before dismissing it as noise.

Point 1) Your email database was lifted at least in part. This is supported by the number of users using MWO specific aliases and not even a debate at this point.
Point 2) Our comments on the forums are there in response to the pinned Official Announcement on the matter. If you'd like a deluge of support mails on the subject feel free to post in the Official Announcement telling everyone with an issue to do so.
Point 3) The ultimatepay setup is easily replicable if the MWO site is compromised. If PGI have verification in place to ensure that the content their site serves is consistent and secure I'm not seeing any evidence of it from an external pov.

I'd really recommend taking some advice from the forums once in a while. On most matters some people seem a few steps ahead of the management.



Point 1 ) It is not his email database, he is a community moderator, not an employee, you'd do well to learn the difference in that aspect

Point 3) Given that nobody has had any suspicious transactions for any of their payment methods as yet, that answers that question

What PP is actually saying is correct: once you choose the amount of MC you want, you're then directed outside of PGI's servers, you can quite clearly see that in the pop up window. You'd have to do more than a simple injection script to change that part.


GioAvanti, on 07 January 2013 - 10:00 AM, said:

I got a password reset request from origin (I used the same e-mail for this).... today.


Not great news, but ultimately harmless unless they have access to your actual inbox.

Edited by DV McKenna, 07 January 2013 - 10:07 AM.


#39 Inertiaman

    Member

  • 865 posts

Posted 07 January 2013 - 10:06 AM

So I post my issues in the official thread alongside the other 17 pages that haven't received a single official response yeah?

Edited by Inertiaman, 07 January 2013 - 10:07 AM.


#40 Felicitatem Parco

    Professor of Memetics

  • Legendary Founder
  • 13,522 posts
  • Location: Is Being Obscured By ECM

Posted 07 January 2013 - 10:10 AM

Yes. Posting them all in the same place makes it easier for the Employees to gather the information, instead of having to manually browse the forums to accumulate a list of threads in order to address a situation. Information Consolidation breeds efficiency.

This lets them browse the forums more efficiently.

Edited by Prosperity Park, 07 January 2013 - 10:11 AM.





