Forum Vulnerability Discussion Thread

    • Isn't sending out emails horrible judgement here?

      If email addresses were compromised, and the person that did this is almost definitely going to send those email addresses scam emails. Aren't you just desensitizing people to deal with this issue through email, and this will just lead to people being taken advantage of?

      A better route would have been a popup in game with a link in the popup to the account page. (this already exists at the bottom of the login screen)
    • How brilliant it is, I could change my PW without 2-step verification, even though 2-step-auth is enabled when I login to the game/account from a new location.

      So I am not sure if hackers could login to the account bypassing 2-step verification and then update the password.


      PS. maybe not everyone knows the page but you can check here if your email/password has been breached in the past, so if you keep using the same pw, you'd better update your passwords. I hope this link doesn't break any forum rules:
      haveibeenpwned.com/
    • New

      Does this have any relation to the multiple in-game disconnections many players had on the 16th, some even mentioning that they were kicked because someone had logged into their account? If this was only limited to the forum why was there an ingame impact? Do you have measures in place to prevent malicious patches being pushed through the launcher if someone were to gain access?
    • New

      glokz wrote:

      How brilliant it is, I could change my PW without 2-step verification, even though 2-step-auth is enabled when I login to the game/account from a new location.

      So I am not sure if hackers could login to the account bypassing 2-step verification and then update the password.
      The 2FA for the game account is tied to your email, so it can not be bypassed in the way you describe.

      The key thing is to have a proper password and/or 2FA on your email account. Also, please make 100% sure that the password used for your email account is unique and not used anywhere else.
    • New

      Eltharyon wrote:

      Cessari wrote:

      Wydoyolo wrote:

      Please implement 2FA.
      This. 2FA (Two-Factor Auth) is already used on a lot of platforms, and is (in my experience) not that intensive to implement. Having 2FA on all of your services going forward would be a huge boost in the community's trust of SBI and Albion Online as a game. EDIT: the security code message you get when you log on to an account in-game for the first time doesn't count as full 2FA.
      Hi Cessari,
      thanks for your feedback. We will investigate the possibility of implementing 2FA!

      A word on the existing measures: The existing device/location based solution is already extremely effective at defending against this breach (and hacking attempts in general). Since it was implemented the amount of properly hacked accounts (that is to say actual hacks that were not the result of illegal account sharing) has been absolutely minimal.

      The best measures to protect your Albion Account are a reasonably strong password, a separate password for your email account and complete privacy around your account credentials.
      However, y'all have shown that even if you are a big streamer, this system will fail the player... Albionpewpew lost his first main account to this shit because he couldn't claim it back at all after the password was changed and a connection from the wrong place happened.

      2FA is NEEDED to prevent account theft.

      The device/location based solution proved not to be effective even when the guy is one of the biggest streamers. After failing on this one it can't be said to be effective at all.

      Regarding privacy about account credentials, it might be the time to implement a streamer mode for the login page, since if anyone does a tiny bit of crafting (like Varis and Sohrab do), they'll be swapping alts often, which means they need to LOG out to go to a different character even if it's on the same account, and usually people have multiple accounts for crafting, so that's another huge issue. (Saying they can just change scene during this phase isn't a valid answer at this point just due to the sheer lack of support shown to streamers over issues through the years imo)

      Now's the best time to actually make impactful decisions on how important protecting customer information is to you and show it with measures that reflect it.
      Because currently, with this news, it leaves a really weak impression that this is that important since 2FA isn't yet implemented (it should have been at least suggested before the F2P launch imo).

      Obviously it's still good advice to change passwords; however, the ball is now in your court, SBI, to make the biggest changes.
      2FA needs to be there soon-ish to help this.
      Streamer mode to protect login info, since character swapping logs you out fully / having alts and logging back in.
    • New

      The email I received made it sound as if the passwords that were exposed were still encrypted/salted so not really in a state usable by the attackers.

      Even so, I would change your password. I have.

      Thanks!


      What happened?
      The intruder was able to access forum user profiles, which include the e-mail addresses connected to those forum accounts.

      On top of that, the attacker gained access to encrypted passwords (in technical terms: hashed and salted passwords). These can NOT be used to log in to Albion Online, the website or the forum, nor can they be used to learn the passwords themselves. However, there is a small possibility they could be used to identify accounts with particularly weak passwords.
      It is important to note that no payment information was accessed, or could ever have been accessed in this way.
      Are you a PvPer or a RAT? Take my PvP Challenge and find out!
    • New

      For the people that don't understand what is meant by encryption and hashing: basically your passwords are only stored in a hashed format, so say your password is test123, there will first be added a series of random characters (the salt) and then it is put through a mathematical function to become a hash, which looks like this: ecd71870d1963316a97e3ac3408c9835ad8cf0f3c1bc703527c30265534f75ae.

      So that is the only form in which passwords could have been leaked. These are not usable to log in, but they can be cracked with e.g. rainbow attacks, in which an attacker will hash a lot of passwords and see if any of them match. Luckily the salt is an extra layer of security against this, but it can still be circumvented with advanced methods. Bottom line, that is the reason you need strong and unique passwords, so an attacker cannot guess them.

      These things also happen often, so there is no reason to panic yet (if you monitor your accounts and whatnot). You can also check if your email is linked to any other data breaches on sites like haveibeenpwned.com/
    • New

      LegoGlass wrote:

      For the people that don't understand what is meant by encryption and hashing: basically your passwords are only stored in a hashed format, so say your password is test123, there will first be added a series of random characters (the salt) and then it is put through a mathematical function to become a hash, which looks like this: ecd71870d1963316a97e3ac3408c9835ad8cf0f3c1bc703527c30265534f75ae.

      So that is the only form in which passwords could have been leaked. These are not usable to log in, but they can be cracked with e.g. rainbow attacks, in which an attacker will hash a lot of passwords and see if any of them match. Luckily the salt is an extra layer of security against this, but it can still be circumvented with advanced methods. Bottom line, that is the reason you need strong and unique passwords, so an attacker cannot guess them.

      These things also happen often, so there is no reason to panic yet (if you monitor your accounts and whatnot). You can also check if your email is linked to any other data breaches on sites like haveibeenpwned.com/
      Note that our passwords are hashed using BCrypt, which is very effective against rainbow tables.

      However, there is a higher risk if one uses a super common / insecure password such as the ones listed here. If you have such a common/weak password, please change it - that's true in general, not just related to the current issue.
    • New

      Korn wrote:

      LegoGlass wrote:

      For the people that don't understand what is meant by encryption and hashing: basically your passwords are only stored in a hashed format, so say your password is test123, there will first be added a series of random characters (the salt) and then it is put through a mathematical function to become a hash, which looks like this: ecd71870d1963316a97e3ac3408c9835ad8cf0f3c1bc703527c30265534f75ae.

      So that is the only form in which passwords could have been leaked. These are not usable to log in, but they can be cracked with e.g. rainbow attacks, in which an attacker will hash a lot of passwords and see if any of them match. Luckily the salt is an extra layer of security against this, but it can still be circumvented with advanced methods. Bottom line, that is the reason you need strong and unique passwords, so an attacker cannot guess them.

      These things also happen often, so there is no reason to panic yet (if you monitor your accounts and whatnot). You can also check if your email is linked to any other data breaches on sites like haveibeenpwned.com/
      Note that our passwords are hashed using BCrypt, which is very effective against rainbow tables.
      However, there is a higher risk if one uses a super common / insecure password such as the ones listed here. If you have such a common/weak password, please change it - that's true in general, not just related to the current issue.
      Forgive me for asking rather sensitive details and I understand if this isn't shareable, but do you also use some sort of pseudo random generator for the salts that are added to the passwords?
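      As an added illustration of the points made in LegoGlass's explanation of salted hashing, Korn's note that a slow hash like BCrypt still leaves very common passwords at risk, and the question above about how salts are generated (this is example code written for this thread, not SBI's or the forum software's implementation): per-user salts come from the operating system's CSPRNG, PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is not in Python's standard library, and the COMMON_PASSWORDS list is a constructed stand-in for "the ones listed here".

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed stand-in for a real common-password list (assumption, not from the thread).
COMMON_PASSWORDS = {"123456", "password", "test123", "qwerty", "albion"}


def unsalted_sha256(password: str) -> str:
    """The fast, unsalted hash the post illustrates with test123: every user with
    the same password gets the same digest, which is what rainbow tables exploit."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Return 'iterations$salt_hex$digest_hex'. The salt comes from os.urandom, i.e. the
    OS CSPRNG, so two users with identical passwords still get different records.
    PBKDF2 is a slow, salted KDF used here as a stand-in for bcrypt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_common_password(password: str) -> bool:
    """Registration-time check: refuse passwords on the common list."""
    return password.lower() in COMMON_PASSWORDS


def weak_accounts(stored_hashes: Dict[str, str]) -> List[str]:
    """Defender-side audit of one's own database: salting and a slow KDF do not stop
    a short common-password list from being tried per account, which is exactly why
    Korn says weak passwords remain at higher risk. Returns users to notify."""
    return [user for user, stored in stored_hashes.items()
            if any(verify_password(p, stored) for p in COMMON_PASSWORDS)]
```
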
    • New

      In short, can you tell me what the chances are of someone getting into my account if my password isn't among the weakest ones?

      If you didn't receive an email, it means your account isn't at risk.

      Are we going to get any compensation? Personally this is quite stressful; I can no longer play comfortably because of this kind of inconvenience.