Potential User Data Breach

"

electrikapricot wrote:

That seems like a great resource and I am glad they mentioned Snort! That's also an interesting tale so thank you for sharing; unfortunately, I can't say I'm surprised. I don't disagree that some sort of IDS would be wise, I guess I'm just uncertain what sort of resources GGG has to throw at it.

If such breaches affect major institutions with a bunch of funding at their disposal all the time, I can't particularly fault a small F2P gaming company largely relying on user donations for finding it faster than most and disclosing it promptly afterwards.

Yeah, that's what I'm worried about. GGG is big enough to be a target now (and was probably a target ever since sometime after 2.0), but especially a target now that they're launching an XBox version of PoE.

We can't change the past, and it's pointless trying to place granular blame among GGG, but hopefully they've learned from this that they should have at least one full-time cyber security employee performing some sort of regular intrusion detection, researching threats, and responding to attacks.

But GGG does have one big advantage: now that they're a target, they're small enough to maneuver and protect themselves quickly. Big companies and organizations struggle to make such a drastic change.

I keep getting alot more spam mails since last week (2-3 on a daily base), that also use my former adress to make them look legit.

It is very likely, that the data stored on the servers is being used to do this.

Well.... Blizzard Hack confirmed! Capitalism at its best, Blizz lacks the Quality in Games, especially shooting the Diablo Franchise to Pieces.... and then, they contact the CIA for hacking GGG, the only Way to get rid of the Success Path of Exile has!




People resist! GGG is the best Example for a F2P Game, growing up and getting famous because of an fair F2P System and ...that is important, for the Quality of this Game and de continued development!
No serious Haxxor or hacking Community would ever attack your Company!

Maybe someone, who played 24/7 since closed Beta and never found a Mirror of Kalandra, but no Freelancer or a serious Crowd.

On a similar note:
http://gizmodo.com/lastpass-exploit-shows-that-last-password-you-made-prob-1793750568

"

electrikapricot wrote:

If such breaches affect major institutions with a bunch of funding at their disposal all the time, I can't particularly fault a small F2P gaming company largely relying on user donations for finding it faster than most and disclosing it promptly afterwards.

GGG really isn't a small company and it doesn't rely on donations.

"

Garr0t wrote:

"

bwam wrote:

"

hunter_AS wrote:

^ This does not inspire a lot of confidence. If you severed internet connections and started immediately reformatting without performing imaging on the affected systems, it shows that you clearly do not have capable incident responders on staff. With that being known, I sincerely doubt the security measures you put in place are adequate, unless you have identified root cause, which is once again hard to do when you immediately start erasing evidence. Along with this, if there was potential proof that sensitive information was accessed, you are wiping this out as well.

With that said, as long as the payment card data never touches your network and you actually are salting, very little issue aside from your proprietary information potentially being breached. I appreciate the notice, but your response didn't inspire much enthusiasm for your ability to handle the event.

I know the common though is blah blah blah who does this guy think he is, I am a former PCI Forensic Investigator consultant who has led with major credit card breaches and now lead the incident management department at a large financial institution. Before this I served as a lead penetration tester as well.

Man joins PoE over a year ago, leaves forums untouched. Man's first post? This one. I'd be inclined to pay attn to what he said.

Chris' background is in software security... I'm more inclined to take the game developer's statements at face value than some random poster hiding behind an alias spewing a bunch of unsourced/unverified 'credentials'.

^that :D I wanted to remind people too, that Chris works in software security

"

I_ysk wrote:

I see the question on what strong/weak password, hashes and the like are in quite a few previous replies, so I compiled a short list of video explanations on the topic:

How NOT to store Passwords: a quick insight into why GGG uses hashes and salts instead of just writing the passwords to their database in plain text.

Password Cracking: A demonstration on how a possible attacker would likely attempt to extract passwords from the previously mentioned hashes and salts (although somewhat rudimentary, but the concept is shown very nicely).

Password Choice: Basically how to create strong Passwords that you can actually remember.

(All Videos © by Computerphile)


A question @GGG: I only ever connected to your site and game through my steam account. I suppose there's no worries here since the authentification happens through an external provider?

Nice ones :) I really like Computer- and Numberphile :) very good work there

[Removed]

I didn't go through all comments to check whether someone already explained what "salted and hashed" means, but if your password has decent length and isn't something super generic like "password123" then you're probably fine.

Alright so a short explanation.
For reasons like this breach, your password is almost never stored as plaintext in the database. Instead, a hash is stored. A hash is a sort of encryption which goes only one way. A hash function (used to compute a hash) has a few properties, the most relevant in this case is that from the hash you cannot feasibly derive the original input. When you try to log in and enter your password, what happens is that the server hashes your password and checks whether the computed hash is the same as the hash stored in the database (so in a way, GGG also doesn't know your password).

Now the "salted" part. When a lot of hashed passwords leak, say millions, there is an attack a hacker can use to get access to at least some accounts. This attack goes as follows, enter a password into the hash function and check whether the hash is somewhere in the list of hashes you stole. As long as you stole enough hashes this will usually give you access to at least a few accounts (at least the ones with passwords like "password123"). To prevent this attack you use salts. Salts are usually simple words, each user gets a unique one and this gets attached to his password before it is hashed. Because of this countermeasure the aforementioned attack is no longer possible. (Google salted hash for a more thorough explanation I feel like I should rewrite parts for clarity but don't feel like doing so :))

Hope this helped.

I'm going to need some free "wings of Security" to feel safe continuing to play and spend money with GGG.