
[Notice] Account Security

184 posts in this topic

Posted (edited)

The beta forums have SSL applied to them; everything here but the posting itself uses SSL (including logging in to your forum account).

It's probably an issue with IPB which prevents it from being forum-wide (hence maybe the push to swap to the new forum?).

No, that's not true. This whole forum platform is insecure and not using HTTPS transfer or SSL authentication (or even ROT13 or whatever). Account names, email addresses, and passwords are transmitted in plain text as part of regular HTTP requests:

[screenshot: x5A3uP6.png]

It's absolutely unprofessional and they keep running the forums in an insecure way despite having been called out on it several times since release by multiple people, myself included.

They don't, that's why they state it. Many people use the same passwords across accounts because they are lazy and/or don't know any better.
It's not uncommon to assume that 70% of the people on these forums have the same email password as they do game password.

These forum accounts and passwords match game accounts because they can be used to login as far as I remember (I don't think I ever created a forum account; just used my login).

Despite this, if passwords are saved in a secure/hashed way, there's no way for them to compare them to any data dump, whether it's one of their own services or a third party one. You can only do that if passwords are stored in plain text, which is completely unacceptable today (or even years ago).

Edit: One more thing. Even if it's a third party they're subcontracting, they should at least tell us which kind of data was compromised, e.g. email and passwords or email and passwords and credit card numbers. They're only telling us the bare minimum, mostly just to be on the safe side regarding any "but we told ya" incident.

Edited by Smaxx
2 people like this
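The hashed-versus-plain-text storage point made in the post above, as an added example that is not code from the forum or from the game's operator: each user record holds only a per-user salt and a PBKDF2 hash, two users with the same password get different records, and a constructed third-party dump of plain-text pairs is tested against those records to find accounts that reuse a leaked password (the accounts an operator would force-reset) without the operator ever holding plain text itself. The sample accounts, dump and iteration count are my own constructed values.

```python
import hashlib
import hmac
import os

# Added example (not the forum's or the game operator's code): a salted,
# slow-hashed credential store of the kind the post argues for, in place
# of the plain-text storage it calls unacceptable.
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; tune upward for your hardware


def store_password(password, salt=None):
    """Build the record the forum persists: a per-user salt plus the derived key.

    The password itself never appears in the record, so a dump of this
    table yields salts and hashes, not reusable credentials.
    """
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": key.hex(), "iterations": ITERATIONS}


def verify_password(password, record):
    """Re-derive with the record's own salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(key, bytes.fromhex(record["hash"]))


def accounts_reusing_leaked_passwords(user_db, leaked_pairs):
    """Breach response without our own plain text: for each (email, password)
    pair from a third-party dump, report the account here that still verifies
    with that password. Only the dump is plain text; our store stays hashed."""
    return [email for email, pw in leaked_pairs
            if email in user_db and verify_password(pw, user_db[email])]


# Constructed sample accounts (not real users); alice and bob share a password,
# yet their records differ because each got its own random salt.
USER_DB = {
    "alice@example.com": store_password("hunter2"),
    "bob@example.com": store_password("hunter2"),
    "carol@example.com": store_password("correct horse battery staple"),
}
# Constructed third-party dump: bob reused his password elsewhere, carol did not.
LEAKED_DUMP = [("bob@example.com", "hunter2"), ("carol@example.com", "Summer2017!")]

if __name__ == "__main__":
    print(USER_DB["alice@example.com"]["hash"] != USER_DB["bob@example.com"]["hash"])
    print(accounts_reusing_leaked_passwords(USER_DB, LEAKED_DUMP))  # ['bob@example.com']
```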


Posted

lol @ change email address. TWO STEP AUTH you slackers! Whilst you're at that, fix servers. Not another dime from me until you do!!!!!!!!

OMG

I suggest you review your cipher list on your new forum cert, it's open to all kinds of attacks. Cert is shared with other sites using SNI, you may want to move it to its own VIP which will allow you to tighten the cipher list.

https://www.ssllabs.com/ssltest/analyze.html?d=community.blackdesertonline.com

This one is free. Contact me if you wish further help on how to properly secure a Certificate.

1 person likes this
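The cipher-list advice in the post above, as an added example that is not the forum's or the operator's code: a server-side TLS context configured the way a site on its own VIP could be (TLS 1.2 minimum, forward-secret AEAD suites only), plus a small audit that lists any enabled suite from a weak or unwanted family. The cipher string and the marker list are my own choices, not values taken from the SSL Labs report linked above.

```python
import ssl

# Added example (not the forum's or the operator's code): build a tightened
# server-side TLS configuration and audit what OpenSSL would actually offer.

# Substrings that identify cipher families a public web site should not offer:
# broken (RC4, 3DES, MD5), unauthenticated (ADH/AECDH), NULL/EXPORT, PSK/SRP.
DISALLOWED_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH", "PSK", "SRP")

# Standard OpenSSL cipher-list syntax: forward-secret AEAD suites only,
# with the legacy families refused explicitly as well.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:"
    "!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP"
)


def hardened_server_context():
    """TLS 1.2+ only with the restricted cipher list applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def enabled_cipher_names(ctx):
    """Names OpenSSL would offer for this context (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(ctx):
    """Enabled suites that match a disallowed family; an empty list is the goal."""
    return [n for n in enabled_cipher_names(ctx)
            if any(marker in n for marker in DISALLOWED_MARKERS)]


def forward_secret_only(ctx):
    """True when every enabled suite is ECDHE (TLS 1.2) or a TLS 1.3 suite, so a
    later key compromise cannot decrypt recorded sessions (no static RSA exchange)."""
    return all(n.startswith(("ECDHE-", "TLS_")) for n in enabled_cipher_names(ctx))


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("disallowed suites still enabled:", weak_ciphers(ctx))  # expected: []
    print("forward secrecy only:", forward_secret_only(ctx))
    for name in enabled_cipher_names(ctx):
        print(" ", name)
```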


Posted (edited)

Edit: One more thing. Even if it's a third party they're subcontracting, they should at least tell us which kind of data was compromised, e.g. email and passwords or email and passwords and credit card numbers. They're only telling us the bare minimum, mostly just to be on the safe side regarding any "but we told ya" incident.

I don't remember any mention of sub-contracting in the OP. Let's not make it something it may not be due to a lack of information; also they did tell us what type of data was compromised, email and password of those affected. If they were, they got a password reset from the company.

Literally if you were not a part of that list, you're fine. That's what I take from OP but tbh, I don't know what the entire scope of the attack was, assuming it was even an attack.
They gave us what they needed to. If you've any experience in Risk Management you know why they didn't give us any more.

Edited by War


Posted

I don't remember any mention of sub-contracting in the OP. Let's not make it something it may not be due to a lack of information; also they did tell us what type of data was compromised, email and password of those affected. If they were, they got a password reset from the company.

Literally if you were not a part of that list, you're fine. That's what I take from OP but tbh, I don't know what the entire scope of the attack was, assuming it was even an attack.
They gave us what they needed to. If you've any experience in Risk Management you know why they didn't give us any more.

Probably wasn't even an attack :D it's most likely people tried to buy ingame currency and got infected with malware, or something more stupid like using the same email and password to create an account at their site. Then the techs or login servers noticed an anomaly when accounts were logging in from a different region than they usually do on a large scale lol. Also I don't think they're stupid, if credit cards were affected I think they would do more than this. But yes a little reassurance would be nice if it was said on the original post, that no credit cards were compromised. If those people affected weren't already compromised by entering credit card info on the malicious website, trying to buy gold.


Posted

Probably wasn't even an attack :D it's most likely people tried to buy ingame currency and got infected with malware, or something more stupid like using the same email and password to create an account at their site. Then the techs or login servers noticed an anomaly when accounts were logging in from a different region than they usually do on a large scale lol. Also I don't think they're stupid, if credit cards were affected I think they would do more than this. But yes a little reassurance would be nice if it was said on the original post, that no credit cards were compromised. If those people affected weren't already compromised by entering credit card info on the malicious website, trying to buy gold.

quite possibly

I suppose we will never know /shrug :)


Posted

This is what happens when your IT department is trash... really, how hard is it to install and force the use of SSL on the forums? It takes less than 5-10 minutes...


Posted

Just stop. You do not have the resources to replace your forum correctly.

There is no need. You are only introducing risk.

It will look bad for whoever owns this project, yes. Still, do what's best for your company and customers and cut your losses on the new forum.


Posted (edited)

OMG

I suggest you review your cipher list on your new forum cert, it's open to all kinds of attacks. Cert is shared with other sites using SNI, you may want to move it to its own VIP which will allow you to tighten the cipher list.

LOL! Thank you, you made my day. xD They probably fear missing the money of anyone still on Windows XP with Internet Explorer 7 or something like that. ;)

Edit: Just checked our company website, which is hosted using a "click here to enable HTTPS" and it passes using a "A" rating. I'd be very, very ashamed.

Edited by Smaxx
