Forum Vulnerability Discussion Thread

    • FAQ

      Who was affected by this security vulnerability?
      Forum accounts registered prior to October 16, 22:00 UTC are affected. If you have never chosen a forum name and just read the forum, you are NOT affected.

      What password should I change?
      If you are affected by this vulnerability, you should change your Albion account password. To do this, scroll to the bottom of albiononline.com/en/profile/

      What hashing method was used to protect the passwords?
      The passwords are protected using the Bcrypt (en.wikipedia.org/wiki/Bcrypt) hashing mechanism. This algorithm incorporates a salt and is resistant to brute force search attacks.

      Have you contacted affected players?
      Yes, we're reaching out via e-Mail to affected accounts directly, but these mails may take a moment to arrive. Since it is important to us that we are open with the community about what is going on, we have also made this public announcement.

      Are you reporting this incident to the authorities and are you pursuing legal actions?
      Yes, we are in the process of compiling a comprehensive report for the authorities. So far we have prioritized fixing vulnerabilities and informing players about this incident.
      Losing my insanity would mean I'm losing everything: the dreams where I can fly.

      The post was edited 7 times, last by Eltharyon ().

    • Wydoyolo wrote:

      Please implement 2FA.
      This. 2FA (Two-Factor Auth) is already used on a lot of platforms, and is (in my experience) not that intensive to implement. Having 2FA on all of your services going forward would be a huge boost in the communities trust of SBI and Albion Online as a game.

      EDIT: the security code message you get when you log on to an account in-game for the first time doesn't count as full 2FA.

      The post was edited 1 time, last by Cessari ().

    • 1. What was the cause of the breach?
      2. Do you monitor 0days? For 3rd party software.
      3. Do you have cybersecurity officer at SBI or you using outsourcing services?
      4. What are your plans to avoid situations like this in the future? ( Forum software should be updated immediately after CVE/hotfix release)
      5. When can we expect 2FA commonly used solution to be implemented?
      discord.com/invite/syKykHg --- AOLoot Logger | Discord BOTs: RegearBOT, AOServerStatus, Doorkeeper, Killbot, Battlebot
    • Cessari wrote:

      Wydoyolo wrote:

      Please implement 2FA.
      This. 2FA (Two-Factor Auth) is already used on a lot of platforms, and is (in my experience) not that intensive to implement. Having 2FA on all of your services going forward would be a huge boost in the communities trust of SBI and Albion Online as a game.
      EDIT: the security code message you get when you log on to an account in-game for the first time doesn't count as full 2FA.
      Hi Cessari,

      thanks for your feedback. We will investigate the possibility of implementing 2FA!

      A word on the existing measures: The existing device/location based solution is already extremely effective at defending against this breach (and hacking attempts in general). Since it was implemented the amount of properly hacked accounts (that is to say actual hacks that were not the result of illegal account sharing) has been absolutely minimal.

      The best measures to protect your Albion Account is a reasonably strong password, a separate password for your email account and complete privacy around your account credentials.
    • 1. What was the cause of the breach?
      2. Do you monitor 0days? For 3rd party software.
      3. Do you have cybersecurity officer at SBI or you using outsourcing services?
      4. What are your plans to avoid situations like this in the future? ( Forum software should be updated immediately after CVE/hotfix release)
      5. When can we expect 2FA (tools.ietf.org/html/rfc6238) commonly used solution to be implemented?
      discord.com/invite/syKykHg --- AOLoot Logger | Discord BOTs: RegearBOT, AOServerStatus, Doorkeeper, Killbot, Battlebot

      The post was edited 1 time, last by Wydoyolo ().

    • Am i correct :

      Database had list of e-mails of our accounts

      Are those accounts was encrypted ? or they leaked to unknown source and everybody can read them ?

      I know passwords was encrypted and its almoust impossible to hack them. I'm talking about adresses itself


      From technical side should't you inform about changing passwords to e-mails too ?


      As a youtuber i already changed all of my email/albion passwords and also for every other site i used them
      AngryWolf from EliteGankers
    • You say what was breached is "forum’s user database" only. However, then you say hashed passwords were also in this data breach. How is this possible? As much as I'm aware forum accounts doesn't have their own passwords. We log in to forum through albiononline.com with our game accounts. So how is possible that password hashes were also stolen? Were they inside the "forum’s user database" even though there is no log in panel here? Why are you saying only forum accoounts were affected by this? It's clearly not the truth.

      Talion wrote:

      Have you contacted affected players?
      Yes, we've reached out via e-Mail to affected accounts directly. Since it is important to us that we are open with the community about what is going on, we have also made this public announcement.
      Haven't got any email from SBI yet, still waiting.
    • Nithrall wrote:

      You say what was breached is "forum’s user database" only. However, then you say hashed passwords were also in this data breach. How is this possible? As much as I'm aware forum accounts doesn't have their own passwords. We log in to forum through albiononline.com with our game accounts. So how is possible that password hashes were also stolen? Were they inside the "forum’s user database" even though there is no log in panel here? Why are you saying only forum accoounts were affected by this? It's clearly not the truth.

      Talion wrote:

      Have you contacted affected players?
      Yes, we've reached out via e-Mail to affected accounts directly. Since it is important to us that we are open with the community about what is going on, we have also made this public announcement.
      Haven't got any email from SBI yet, still waiting.
      No email here either.

      Wydoyolo wrote:

      1. What was the cause of the breach?
      2. Do you monitor 0days? For 3rd party software.
      3. Do you have cybersecurity officer at SBI or you using outsourcing services?
      4. What are your plans to avoid situations like this in the future? ( Forum software should be updated immediately after CVE/hotfix release)
      5. When can we expect 2FA (tools.ietf.org/html/rfc6238) commonly used solution to be implemented?
      This x2. We as the community deserve to know how you (SBI) are protecting our data and accounts going forward.

      EDIT: If you DO use 3rd party software or services (alot of companies, like TJX for example, outsource their security and other things like customer service - which is fine as long as you know their secure) how do you know they are secure or compliant to the appropriate standards. If you DON'T outsource your security, how do you handle your cybersecurity?

      The post was edited 1 time, last by Cessari ().

    • @Nithrall It's possible. Forums probably runs on DRBD with API to node login server, so these servers are not entirely connected, so they won't get any information like purchase history.

      Noone is that stupid to keep it in one node without DRBD :) It's 2020.

      As for 2FA - it's pretty common standard now, and there is a lot of opensource projects supported by big companies, also there is a lot of supported OTP projects for Unity.

      We are still waiting for the information on how this breach happened - I think we are privileged to know that, not the details but information like "Breach was caused by 3rd party forum software" would be enough.

      I'd recommend to unlink all email addresses from forums and use API/Hashed email addresses since forums DON'T need them. There is no separate registration, so there is no need to keep email addresses in one more additional database.

      Implementing 2FA should be prio tho, and with all the solutions out there should be done under one week starting from choosing the solution or making new one.
      Implementing 2FA for game should be done under one month.

      All of these optional to cut the tickets flow ofc.

      @ImRandy

      Passwords have been reset probably, and that's a good news. If not, well ... do it asap.
      discord.com/invite/syKykHg --- AOLoot Logger | Discord BOTs: RegearBOT, AOServerStatus, Doorkeeper, Killbot, Battlebot

      The post was edited 1 time, last by Wydoyolo ().