Account Hacked? What did they Steal?

[Nod]

I can certainly comment on a lot of the concerns in this thread.

Just to be clear, there is absolutely no indication that forum logins are involved in any account compromises. Account Compromises have become increasingly common in the online game industry, and in the vast majority of situations they are directly related to login information being compromised by spoofed e-mails, phishing websites, malware / keyloggers, or third-parties being compromised. In those cases, a person's account information is stored and then used against a wide variety of websites, e-mail domains, and online games.

An example of this occurring is Symantec's discovery of 44 million stolen game account logins. From their release located here:

We recently analyzed a new sample submitted to Symantec and came across a server hosting the credentials of 44 million stolen gaming accounts. What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers.

Please note that in no way are we indicating that this database contained login information for our games; rather, it is an example of the type of activity that may be compromising online game accounts.

Turbine will continue to work to identify potential account compromises, notify the account holder, and prevent this from occurring in the future.

If you have any further questions, you may e-mail us at rmt@turbine.com, or submit a question at our webform here.

[Toranoga]

I've heard the horror stories and thought, "How can an account get hacked?" And of course thought that since I never travel to unknown sites and never answer 'those' emails or in-game texts that I would not get hacked (I've been playing since first week of retail launch of SoM). Well sometime between this past Friday evening and Sunday evening I was hacked.

I have one 65 toon and was quite concerned that his money, gear, chests, house, etc. would be totally wiped. When I recovered my account, I logged in to find that only his gold was wiped, and nothing else?!?! And no alts were touched. Was I lucky? Is this the typical MO? What has happened to others that have been hacked? I am quite relieved and consider myself fortunate, but very curious about the whole episode.

[akaBlues]

Thanks for all the advice. One poster stated that my gmail account was compromised. What makes you say that? My gmail account is not attached to lotro, and was not compromised to my knowledge. If there is something more to that statement I would appreciate the advice. Some of you are making general assumptions, but it's still good advice, no matter how wrong it may be for what occurred to me. It may help someone else. And yes I could change my password more often, and maintain different passwords for all accounts, etc., but nothing else was compromised. And I feel very fortunate.

Lotro was very quick to replace my gold, so in the end I was only inconvenienced and had to reset passwords everywhere. However, I still feel that this could happen again even though proper security measures are followed. And, it is really practical to stay away from the web site and forums because some feel there is a risk here?

[Koboldfodder]

Some people use the same game accounts/passwords for other sites. That is one way they get your password. They hack those sites and get a bunch of user names/passwords. Another way is by hacking your computer. The first way is the most common.

This is ALL on the move to F2P. Before that announcement, accounts were rarely hacked. Now it is a major problem. It's all coming from south east Asia. Korea and China where gold selling is not only a part of the games, but a huge business.

[demosthenes]

Passwords are no good if you can't remember your own, and when you need to have a different password for every game, every website, email, blackboard at your university, etc etc, and have to change it every 30 days.. it becomes impossible to remember them all. Writing them down is said to be a bad thng if you live in a house with other people in it that might see the passwords, storing them on your computer is outright not a good idea.

So you're seriously expecting people to remember dozens of passwords that change every month and aren't familiar phrases or dates?

It gets a little unrealistic.

Best thing to do there is use a password storage program

I use http://keepass.info/

It generates strong passwords automatically (like iORP.xh6_,giLe3L!!y4tzx*iC - just a random sequence) and you can store them in an encrypted vault on your computer. You use a single password (strong) to log into the program and it stores all the other ones you need. You then use the secure copy to transfer the password to the game so you never need to remember the password. The login can also be tied to a file that has random data. that way even if your password vault was taken, they would not have the file, so would not be able to open the vault. if you want to be really secure in the case of a computer in a shared house, store the vault and the encryption key file on a USB stick. The program has a stand alone install so can be run independently and not installed.

on a computer located in a less secure environment like a shared house - if you want to securely store personal data, I recommend creating an on-the-fly encrypted disk using http://www.truecrypt.org/ .

Both programs are open source. so it can be checked as well. Open source encryption is a well validated way to be secure.

if you use firefox and store any passwords for websites, use the in-built password manager, with a master password. And as other have said, never use your in-game username or password anywhere else.

I agree with posters regarding the account name and password being used for forums. I think it is much more secure to have a separate username and password from your game account and your forum account. and these should not match any in game toons names.

[Darkheart06]

Best thing to do there is use a password storage program

I use http://keepass.info/

It generates strong passwords automatically (like iORP.xh6_,giLe3L!!y4tzx*iC - just a random sequence) and you can store them in an encrypted vault on your computer. You use a single password (strong) to log into the program and it stores all the other ones you need. You then use the secure copy to transfer the password to the game so you never need to remember the password. The login can also be tied to a file that has random data. that way even if your password vault was taken, they would not have the file, so would not be able to open the vault. if you want to be really secure in the case of a computer in a shared house, store the vault and the encryption key file on a USB stick. The program has a stand alone install so can be run independently and not installed.

on a computer located in a less secure environment like a shared house - if you want to securely store personal data, I recommend creating an on-the-fly encrypted disk using http://www.truecrypt.org/ .

I just downloaded this program and updated all my passwords (After having my LoTRO recently stolen for the first time since I been playing this game since launch). I can't recommend it enough. It's simple enough for unsavvy PC users and can also be complex enough to satisfy the most paranoid of internet security conscious people. It's easier than having to come up with your own passwords and a million times more secure.

[Alias86]

So how would they get your account info?

Unfortunately, all the personally installed and monitored security in the world is not going to prevent your account from being compromised by the half-assed idea from Turbine to link your Game Account username/password to this community/forum site.

Prior to that, account hacks were very rare, now they are as common as muck. Turbine are using standard packages like Wordpress and vBulletin, all of which have massive exploits so it is no wonder people are now very confused as to how their accounts were hacked - it has nothing to do with them, and everything to do with Turbine.

Even worse, they don't even update the packages they are using on a regular basis... vBulletin 4.04 is 4 iterations out of date, and several months worth of exploits are still available through it.

I have tried requesting that my forum account be deleted so that my details aren't exposed this way, but Turbine refuse to do it.

[Tech-D]

All of you need to stop buying gold and power leveling services and you won't have to worry about getting hacked.

Or if you're going to buy gold then do it off of your cell phone or public computer.

Don't EVEN Go there, I have a Kin member and VERY close friend that had her account hacked. She is very good about computer security and we scanned her entire system for spyware/virii and nothing. She also NEVER purchased from a Gold Farmer. So don't throw this out there thinking this is THEIR problem. This is a real problem that needs to get resolved.

I won't pretend that I have the answers but this is a real concern.

Darren (Tech-D)

[TheMntneer]

Don't EVEN Go there, I have a Kin member and VERY close friend that had her account hacked. She is very good about computer security and we scanned her entire system for spyware/virii and nothing. She also NEVER purchased from a Gold Farmer. So don't throw this out there thinking this is THEIR problem. This is a real problem that needs to get resolved.

I won't pretend that I have the answers but this is a real concern.

Darren (Tech-D)

I hadn't used my account in months, probably since last Winter. Right after I got a new laptop from Dell about 2 months ago I re-installed LOTRO. I logged in to try it out, played one of my characters for a few hours (even used the new "Store" system for the first time, buying a horse) and logged back out.

Then, about a week ago I got an email saying my account was compromised, and blocked, and after having it unblocked and logging back into my character, I discovered all my items and gold were gone, and my character was standing next to a mailbox.

So unless my account information was compromised over a year ago and stored on some hacker database for later use, or I got a virus on a brand new laptop that I've hardly used since getting it (I've since scanned it multiple times with 2 online scanners, AVG and Anti-Malware, and came up clean every time.).

I find it odd that they hit my account after I re-installed after a long long break from the game, and played for a short time.

It's frustrating to say the least, as I can't even remember all that was stolen.

[Niki38]

It is very frustrating! I was hacked last week. I don't buy gold, I don't answer weird emails, I have no viruses or keyloggers on my computer. My friend was logged in to his account and I was at work. He saw me start logging into my toons and then logging out without saying anything. After 4 of my toons left our kin, he dropped a ticket.

All said, the hackers wiped out all 3 of my 65's leaving only the barter items in my vault and the equipped items. They even took the time to decon my LI's that were slotted but not equipped to get shards and fragments. They wiped out another 8 of my toons, and deleted them. They were stopped prior to hitting my last 2 toons. Yes, I have 13 toons on 1 server.

11 of my toons were affected prior to them getting booted out of my account, 8 of my girls were deleted and only 2 were left intact. I am very careful about computer security and am still baffled at how they were able to compromise my account when my password was at least 10 characters long with uppercase, lowercase, numbers and symbols in it. OP was very lucky indeed. There is definitely a growing trend in hacking right now. Hopefully security can be tightened before it gets worse. It's not always the fault of the account holder.

[Happyfish]

All of you need to stop buying gold and power leveling services and you won't have to worry about getting hacked.

Or if you're going to buy gold then do it off of your cell phone or public computer.

I used to feel the same way, but I recently reactivated my WoW account after 3 years only to find that sometime between 2007 and now, someone figured out my password. No idea how but its kind of annoying and disconcerting. If all it takes is accidentally clicking the wrong webpage and years of work are wiped out, I feel for people who lost characters they had investment in.

Edit: oh i didnt realize this thread was so old. sorry!

[criosdaidh22]

A Windows PC doesn't have to visit known unsafe sites anymore. Most malware these days comes from legitimate sites that have been manipulated into serving out pieces of malware. The safety software makers are losing the battle for being up-to-date big time.

Turbine in their wisdom has decided that you now use your in-game password for logging into the forums. That means that a keylogger attached to your web browser will get your in-game password. Previously that was only the case when you actually logged into your subscription account.

I am not aware of a keylogger that has been specialized to attach itself to the LOTRO launcher, or any MMO launcher for that matter. I am aware of a bazillioquadrozuple keyloggers that attach to web browsers.

Exactly. Alot of large websites today run 3rd party ad services. I don't remember the exact details but there was a fairly large and known forum for an MMO out there that was running one of these add services. (I can't remember for sure but I think it was google ads). Somehow someone used one of these adds to run a malicious script and get some forum information that was supposed to be secure.

There really is no safe website anymore. At one of the latest hacker conventions a group of (although very high skilled beyond the norm) hackers demonstrated how they could hack a server without actually making contact with that server. They used some kind of process to get into the pipeline leading up to that server and intercept packets meant for it. This required no hacking of the server itself or the client trying to connect to the server. It was more like stealing your mail out of the box before the postman had a chance to pick it up.

[Tech-D]

Exactly. Alot of large websites today run 3rd party ad services. I don't remember the exact details but there was a fairly large and known forum for an MMO out there that was running one of these add services. (I can't remember for sure but I think it was google ads). Somehow someone used one of these adds to run a malicious script and get some forum information that was supposed to be secure.

There really is no safe website anymore. At one of the latest hacker conventions a group of (although very high skilled beyond the norm) hackers demonstrated how they could hack a server without actually making contact with that server. They used some kind of process to get into the pipeline leading up to that server and intercept packets meant for it. This required no hacking of the server itself or the client trying to connect to the server. It was more like stealing your mail out of the box before the postman had a chance to pick it up.

I'm sorry but I still think there is a concern on Turbine's side. Let's say my friend that had her computer compromised and she did have a key logger or password stealer. Why would a person take stuff from a game? Why not go where the REAL money is and go into her eBay account, her PayPal account, and even her Bank account. Why go after paltry in game FAKE gold?

I know people keep pointing to computer security, but what happens when that is not the reason. Any answers for that turbine? Anyone?

I'm an IT specialist I know there are just as many "Back End" viruses that can hit a company that would compromise data as much as the end user. That is why my company has audits done from our customers to see how secure we are. Your security is as good as your weakest link. So how are your computers there at Turbine? Do you do spyware/virii scans?

[Mangler]

Maybe its just me being paranoid but it seems to me like there has been an increase in hacking since we have changed to using our ingame account info to log into forums now. I would like to go back to using our old forums names not our ingame account info. Also when you log into the formus NEVER CLICK SAVE PASSWORD!

[Kelswen]

The majority of the recent account compromises come from players using the same username and password across multiple games, forums, or websites. When any one of these locations are compromised, it can lead to any number of other sites, games, or forums being compromised for that user. This is why we suggest that all of our players use a unique username and password for our games, in addition to regularly running anti-virus software and being aware of phishing or spoofing websites and e-mails. If you are concerned about account compromises, make sure to change your password regularly and be vigilant for potential spoofing or phishing attempts.

You may review our information about these compromises in our Account Support forum, and specifically in this forum thread.

Alright - that being said, why are the LOTRO forums now forcing us to use our game login information to sign in? Isn't that a security weakness, using the same username/password for more than one portal?