Forum Vulnerability Discussion Thread

  • Wydoyolo wrote:

    1. What was the cause of the breach?
    2. Do you monitor 0days? For 3rd party software.
    3. Do you have cybersecurity officer at SBI or you using outsourcing services?
    4. What are your plans to avoid situations like this in the future? ( Forum software should be updated immediately after CVE/hotfix release)
    5. When can we expect 2FA (tools.ietf.org/html/rfc6238) commonly used solution to be implemented?
    I'm going to second this line of questions, though I'm unsure if they plan to answer assuming they would be accepting some sort of liability for damages.
    This forum software is incredibly old, and most likely hasn't been updated in months prior to this breach.

    Also, this does not just affect the forums, passwords are linked to both game accounts and website. This needs to be directed as a full DB breach, and not downplayed as a "small forum data breach".

    Shame.

  • I have one remaining question.

    I have changed my password on the forums, which as I understand it is the same as for logging into the game. I use the STEAM client, and I was not normally prompted to enter any log on information.

    Is this working as expected? I assumed I would have needed to re-enter my new password when connecting via steam, but I was not prompted.

    Thank you.
    Are you a PvPer or a RAT? Take my PvP Challenge and find out!

  • VLAN wrote:

    Wydoyolo wrote:

    1. What was the cause of the breach?
    2. Do you monitor 0days? For 3rd party software.
    3. Do you have cybersecurity officer at SBI or you using outsourcing services?
    4. What are your plans to avoid situations like this in the future? ( Forum software should be updated immediately after CVE/hotfix release)
    5. When can we expect 2FA (tools.ietf.org/html/rfc6238) commonly used solution to be implemented?
    I'm going to second this line of questions, though I'm unsure if they plan to answer assuming they would be accepting some sort of liability for damages.This forum software is incredibly old, and most likely hasn't been updated in months prior to this breach.

    Also, this does not just affect the forums, passwords are linked to both game accounts and website. This needs to be directed as a full DB breach, and not downplayed as a "small forum data breach".

    Shame.
    I'm going to keep bumping this until it gets properly answered.

  • Draedark wrote:

    I have one remaining question.

    I have changed my password on the forums, which as I understand it is the same as for logging into the game. I use the STEAM client, and I was not normally prompted to enter any log on information.

    Is this working as expected? I assumed I would have needed to re-enter my new password when connecting via steam, but I was not prompted.

    Thank you.
    Logging in via Steam uses the SteamAPI to verify your account connection, so it does not use your password locally. This works as expected and does not share your Steam password, simply authenticates.

  • Draedark wrote:

    I have one remaining question.

    I have changed my password on the forums, which as I understand it is the same as for logging into the game. I use the STEAM client, and I was not normally prompted to enter any log on information.

    Is this working as expected? I assumed I would have needed to re-enter my new password when connecting via steam, but I was not prompted.

    Thank you.
    This is working as expected. Your Steam account is connected to your Albion Account used on Steam, login is directly & automatically via Steam.

    The password you set for the account is only used if you log in to the game via the native client or via Android/iOS/etc. That's why it is good that you changed it nevertheless.

    Also see @VLAN's reply above.

  • VLAN wrote:

    Draedark wrote:

    I have one remaining question.

    I have changed my password on the forums, which as I understand it is the same as for logging into the game. I use the STEAM client, and I was not normally prompted to enter any log on information.

    Is this working as expected? I assumed I would have needed to re-enter my new password when connecting via steam, but I was not prompted.

    Thank you.
    Logging in via Steam uses the SteamAPI to verify your account connection, so it does not use your password locally. This works as expected and does not share your Steam password, simply authenticates.
    Thanks for the reply!

    Does this use a token or some other such "cookie" item that could be used to reverse engineer back into my STEAM account from the leaked data, or is it purely one way? Or perhaps wrangle that data and use it to log in with anthers STEAM client?

    I was pretty sure I had to log into AO the very first time via the STEAM client but I do not 100% recall.
    Are you a PvPer or a RAT? Take my PvP Challenge and find out!

  • Draedark wrote:

    VLAN wrote:

    Draedark wrote:

    I have one remaining question.

    I have changed my password on the forums, which as I understand it is the same as for logging into the game. I use the STEAM client, and I was not normally prompted to enter any log on information.

    Is this working as expected? I assumed I would have needed to re-enter my new password when connecting via steam, but I was not prompted.

    Thank you.
    Logging in via Steam uses the SteamAPI to verify your account connection, so it does not use your password locally. This works as expected and does not share your Steam password, simply authenticates.
    Thanks for the reply!
    Does this use a token or some other such "cookie" item that could be used to reverse engineer back into my STEAM account from the leaked data, or is it purely one way? Or perhaps wrangle that data and use it to log in with anthers STEAM client?

    I was pretty sure I had to log into AO the very first time via the STEAM client but I do not 100% recall.
    Your Albion account will remain secure so long as your Steam account & email attached to your steam account does too. I highly recommend Steam's internal 2FA system.

    There is not a "cookie" you need to worry about. When you login "via steam" to games like Albion, PoE, etc. you are using your steam account as the "password" to login, otherwise known as a token or ticket.

  • Cessari wrote:

    VLAN wrote:

    Wydoyolo wrote:

    1. What was the cause of the breach?
    2. Do you monitor 0days? For 3rd party software.
    3. Do you have cybersecurity officer at SBI or you using outsourcing services?
    4. What are your plans to avoid situations like this in the future? ( Forum software should be updated immediately after CVE/hotfix release)
    5. When can we expect 2FA (tools.ietf.org/html/rfc6238) commonly used solution to be implemented?
    I'm going to second this line of questions, though I'm unsure if they plan to answer assuming they would be accepting some sort of liability for damages.This forum software is incredibly old, and most likely hasn't been updated in months prior to this breach.
    Also, this does not just affect the forums, passwords are linked to both game accounts and website. This needs to be directed as a full DB breach, and not downplayed as a "small forum data breach".

    Shame.
    I'm going to keep bumping this until it gets properly answered.
    Hi everybody,

    please understand that we cannot go into details on any security related questions for obvious reasons. I'll try to answer what I can, however.

    1. What was the cause of the breach?
    An attacker actively sought out and exploited a weakness in the forum caused by a combination of the employed 3rd party software and our server configuration. We're still investigating how exactly this combination of factors came to be, but we won't disclose any details as part of our operational security.

    2. Do you monitor 0days for 3rd party software?
    Yes.

    3. Do you have a cybersecurity officer at SBI or are you using outsourcing services?
    We work primarily with external cybersecurity teams for penetration testing.

    4. What are your plans to avoid situations like this in the future?
    As mentioned in our initial statement, we'll begin with a thorough review of all systems, bringing in additional security experts to look at angles we might have missed. After that, depending on findings, we'll likely increase frequency and the depth of external security reviews.

    5. When can we expect 2FA (tools.ietf.org/html/rfc6238) commonly used solution to be implemented?
    Additional 2FA will be evaluated, but we can't give you any timeline at this time. At the moment we want to focus on completing our security reviews.

  • VLAN wrote:

    Also, this does not just affect the forums, passwords are linked to both game accounts and website. This needs to be directed as a full DB breach, and not downplayed as a "small forum data breach".

    Shame.

    Hi there,

    we're not trying to downplay this incident in any way. However, we feel it is important to note that only users registered in the forum are affected by this breach. That number is only roughly 5% of the total number of Albion Online users.

    95% of Albion Online users who never registered on the forum have their information in different databases that were not breached and remain completely unaffected.

  • Eltharyon wrote:

    VLAN wrote:

    Also, this does not just affect the forums, passwords are linked to both game accounts and website. This needs to be directed as a full DB breach, and not downplayed as a "small forum data breach".

    Shame.
    Hi there,

    we're not trying to downplay this incident in any way. However, we feel it is important to note that only users registered in the forum are affected by this breach. That number is only roughly 5% of the total number of Albion Online users.

    95% of Albion Online users who never registered on the forum have their information in different databases that were not breached and remain completely unaffected.
    Thanks for the clarification. I was under the impression the last statement wasn't true.

  • Talion wrote:

    FAQ


    What hashing method was used to protect the passwords?
    The passwords are protected using the Bcrypt (en.wikipedia.org/wiki/Bcrypt) hashing mechanism. This algorithm incorporates a salt and is resistant to brute force search attacks.
    Isn't exposing your hashing algorithm counteractive to hashing the passwords in the first place? Now whoever has these hashed/salted passwords knows exactly which part is the salt and which part is the password hash and it would be easier for them to get our cleartext passwords...

    Bcrypt looks like it uses a constant salt on the wikipedia page which is easy to remove and find the usalted hash, all they have to do is Base64 decode the last 31 characters of the hashes they found and they have the 192 bit unsalted hash of our passwords.

    192 bits is rather long though so I guess it would take a while to crack those hashes... maybe not though lol

    edit: ignore this I’m dumb, it runs the encryption loop after the salt is added

    The post was edited 7 times, last by Dip ().

  • I understand you had a
    Vulnerability in the system
    ---------------------------------------
    1) Affected people should be rewarded urgently
    Reason:

    This problem is a very and extremely serious one, you have to assume and pay for these vulnerabilities
    ---------------------------------------

    2) security comes first I hope I don't see anything like this again, if you don't invest more than 50% in security you will have serious problems in the future!



    3) people affected due to this vulnerability may lose email accounts, bank accounts, etc.
    who bears these losses? we? between us to judge and waste our time in the call centers to solve our problems because of this?

    please if you consider that the security of the platform is poor, announce at registration that:

    • please do not use passwords that you use on other platforms





    I'm sorry to hear that something like this happened
    do not take me in a bad name, only from a moral point of view we should take this matter seriously and think that maybe this incident can affect your image!

  • I just want to point out some glaringly stupid things the devs have done

    They issue email they been hacked change your password ok fine

    However i just logged into my account with the old password as it was not reset so a hacker couldve still had free reign over my account

    I have now changed my pass

  • glokz wrote:

    How brilliant it is, I could change my PW without 2-step verification, even though 2-step-auth is enabled when I login to the game/account from a new location.

    So I am not sure if hackers could login to the account bypassing 2-step verification and then update the password.


    PS. maybe not everyone knows the page but you can check here if your email/password has been breached in the past, so if you keep using the same pw, you'd better update your passwords. I hope this link doesn't break any forum rules:
    haveibeenpwned.com/


    They robbed my account and deleted the character. My total fame 300m.