[Notice] Account Security

184 posts in this topic

Posted

How about you mention that part where we can't have a password we've ever set before. This is for whatever reason always left out.


Posted

tfw a user posted yesterday about a compromised account and people only laughed at him

3 people like this


Posted

Don't really see why they are worried about emails now... Anyone who activates a game will have their full email address listed on the account page of the user who gave it to them.


Posted

tfw a user posted yesterday about a compromised account and people only laughed at him

I know right, and the thread was deleted after he was suitably mocked. Disgusting :(


Posted

I personally enjoy the fact that the forum itself has no SSL or security whatsoever. Nothing like typing a password in that the entire world can see.


Posted

THIS IS WHY YOU DON'T USE FACEBOOK TO LOG INTO EVERYTHING LOL!!

Only 3rd party website that would even have access to your BDO account is Facebook to my understanding so probably that.

I seriously can't think of any site related to BDO that I registered to, other than this forum ...

do you log in with facebook?

 


Posted

THIS IS WHY YOU DON'T USE FACEBOOK TO LOG INTO EVERYTHING LOL!!

Only 3rd party website that would even have access to your BDO account is Facebook to my understanding so probably that.

Steam?


Posted (edited)

THIS IS WHY YOU DON'T USE FACEBOOK TO LOG INTO EVERYTHING LOL!!

Only 3rd party website that would even have access to your BDO account is Facebook to my understanding so probably that.

do you log in with facebook?

 

Nope. Never did it anywhere. Also not Steam for me.

Edited by Galaxis


Posted

tfw a user posted yesterday about a compromised account and people only laughed at him

This, this, this

So much this


Posted

tfw a user posted yesterday about a compromised account and people only laughed at him

he did admit that other people had his password.


Posted

@CM_Aethon @PM_Jouska Could we please get the name of the third party site that has been compromised, so we can avoid it? Also, the RU client has two step verification, could we communicate to the developers that we would like that added into our version?

1 person likes this


Posted

Steam?

BDO isn't on steam yet right?


Posted (edited)

Maybe you should finally enable SSL here because posting about security while forums are not secured doesn't look serious at all.

 

@CM_Aethon @PM_Jouska Could we please get the name of the third party site that has been compromised, so we can avoid it? Also, the RU client has two step verification, could we communicate to the developers that we would like that added into our version?

Has nothing to do with the devs. RU publisher has done it on their own but they are competent and take account security seriously.

Edited by Ateena


Posted

This thread is a great example why you should never try to sell a product to an intelligent consumer group.

 

If you are honest, they hate you.

Dishonest, they can tell and hate you.

Vague, they think you think they are dumb and hate you.


Posted (edited)

Intelligent consumer group.

Lol'd.

Maybe you should finally enable SSL here because posting about security while forums are not secured doesn't look serious at all.

 

Has nothing to do with the devs. RU publisher has done it on their own but they are competent and take account security seriously.

tfw you don't know what ssl is but you bring it up as if you do :S

It is 100% to do with Pearl Abyss (Black Desert Developers).
There are also different laws regarding any HTTP encryption & client-sided security in Russia than in EU and NA.

Not to say those laws are the reason we don't have it implemented, because I don't know. I just know the laws. Lol.

Edited by War
1 person likes this


Posted

BDO isn't on steam yet right?

It's not

 

In other news,

-No account password reset

-No clue what "3rd party" it might be

-everyone freaking out

yaaaay, A+ job on handling the situation Kakao,
Step-by-step plan for next time:
1. Reset affected accounts first.
2. Investigate the issue quickly.
3. Release a proper statement as to where you think the flaw is, and what has been obtained (e.g. only usernames? emails? hashed passwords? etc.)
4. Do a deep investigation into the issue and keep your player base up-to-speed as to what's happening and what you're currently doing to resolve the issue.


Posted

Maybe you should finally enable SSL here because posting about security while forums are not secured doesn't look serious at all.

 

Has nothing to do with the devs. RU publisher has done it on their own but they are competent and take account security seriously.

I'll give the NA/EU team the benefit of the doubt, maybe their licensing prohibits those alterations.

1 person likes this


Posted (edited)

In other news,

-No account password reset

 

Greetings Adventurers,

 

We recently received a report that account security may have been compromised on a third party website. In response, we have reset the password for any related accounts. We strongly urge any user whose password was reset to contact customer support in order to change your e-mail address. Additionally if you used the same or a similar password on any other services, it should be replaced.

 

Please note that a password reset can take up to 90 minutes. Spamming the reset request will result in your account being blocked.  We do apologize for any inconvenience this process has caused, but we place paramount concern on matters of security, and will take any steps necessary to protect our players.


As always, your support is appreciated.

 

intelligent consumer group.

Bout sums it up. 

Edited by War


Posted

I'll give the NA/EU team the benefit of the doubt, maybe their licensing prohibits those alterations.

The beta forums have SSL applied to them; everything here but the posting itself uses SSL (including logging in to your forum account).

It's probably an issue with IPB which prevents it from being forum-wide (hence maybe the push to swap to the new forum?)


Posted

I'll give the NA/EU team the benefit of the doubt, maybe their licensing prohibits those alterations.

That's generally what prevents it.
Legalities.

To put it simply...
This wouldn't be the first time I've seen a foreign-based company prohibited from placing this type of security on end users.


Posted

 
 

 

Bout sums it up. 

Not my point, my point is that there is NO info on what 3rd party has been affected, was it a payment solution? was it a fan site? what?


Posted (edited)

Not my point, my point is that there is NO info on what 3rd party has been affected, was it a payment solution? was it a fan site? what?

You don't need it.
Why would they give that out.

I can't think of any practical reason to give this to an end user and I deal with situations like this on a daily basis.
Not to mention, smarty pants, giving the site out publicly would increase the vector of attack and possibly jeopardize emails. Many people use the same password for multiple accounts. If you couldn't figure that out yourself I don't know what you expected to do with the site once you got the name for it.

Edited by War


Posted

You don't need it. Why would they give that out.

I can't think of any practical reason to give this to an end user and I deal with situations like this on a daily basis.

So an end user can properly secure their information.

If it's a payment solution, end users can expect their info being used for illegal purchases as well and secure themselves against it.

If it's a fan site, users can know if it's an account that shares a password of theirs, what they've put on the forums, etc.

If it's an automatic login system (like the Facebook integration) that uses tokens and no passwords have been obtained, users know that and can do shit about it.

Don't give me the "daily basis" crap, I've dealt with assholes breaking into my shit quite a few times, and it's pretty handy to know exactly what the hell they have and if I should change shit, and to what extent.


Posted (edited)

So an end user can properly secure their information.

If it's a payment solution, end users can expect their info being used for illegal purchases as well and secure themselves against it.

If it's a fan site, users can know if it's an account that shares a password of theirs, what they've put on the forums, etc.

If it's an automatic login system (like the Facebook integration) that uses tokens and no passwords have been obtained, users know that and can do shit about it.

Don't give me the "daily basis" crap, I've dealt with assholes breaking into my shit quite a few times, and it's pretty handy to know exactly what the hell they have and if I should change shit, and to what extent.

1. As the OP states. If it has affected you, you get your password reset. Problem solved.

2. What does this have to do with you.

3. What does this have to do with you.

4. Lmfao. Facebook token system getting compromised for bdo accounts that are data dumped somewhere. Mk.

5. This is my career.

 

I'm more than positive that if any of these came about, they'd let you, us, know.
They'd be liable if they were the cause of security risks outside of their own game.
Clearly because they did not give the site and stated exactly what the vector of attack was in the OP (if you were educated you'd have noticed?), none of your conspiracy is the issue as it stands.

If you're as interested as you claim to be, how about you go look for the site yourself? I found it in 10 minutes.
This is literally why us cyberSec nerds qualify for risk management roles as well (I'm actually pretty sure it's a relativity labeled position).

I do agree that we need 2FA. I do agree that we need HTTPS.
Please keep in mind that those have their flaws as well, and in some cases, can be easier to bypass than what is currently being used. Simply because you see nothing doesn't mean there isn't.

Edited by War
1 person likes this


Posted (edited)

Well, since you're here and divulging information.

What third party sites DID you register to? ;)

Just tried to log on and it seems my password has also been reset. This email (alias) is only used for BDO, for reasons like this.

Now, if this alleged third party site got hacked how the hell would Kakao know MY email was taken.

Kakao either got compromised or one of their bargain basement service providers did.

Edited by Saccharin
Spelling is hard.
1 person likes this
