Turbine Security Woes

I haven’t played DDO in over a year so I can’t say how things are there, but since F2P launch the number of compromised LOTRO accounts have skyrocketed.

Mine included.

Luckily, I was online at the time. My kinship had just finished an instance run about a week-and-a-half ago and were in the process of reloading back into the world when I got the message that I was being disconnected because I had just logged into the Brandywine server. Huh? Suspecting the worst, I immediately hit up the Turbine Account page and changed my password then re-logged back into the game, which would boot the hacker offline just like I had been minutes earlier.

I was lucky, and did that before the hacker had time to switch servers to where my active characters are.

Other kin-mates have not been so lucky. Two days after my attempted hack, one of the kin’s main hunters was hacked while he was at work. I was in-game at the time, as were a few other regulars, and wondered why he wouldn’t talk to us. Our kinship leader just happened to login and notice the odd behavior then noticed the hunter trying to clean out the chests in our kin-house, so kicked him (and all alts) from the kinship until the mess was straightened out. Later the hunter logged in again — this time the real player — standing naked at the mailbox. Gold gone, armour, weapons, vault, etc. had been cleaned out.

Tonight, my kin leader was also hacked. It’s an ongoing process as I write this — we’re all in Ventrilo together as Turbine gets to him. They did reset his in-game password so he could login, but they also automatically apply a one-hour ban on the account, which just expired a few minutes ago. So far all of his characters were standing at the mailbox but only his gold is missing. All armours, etc. and vaults are intact. Permissions were altered to the kin-house, however, so apparently more of us are still being targeted. Our kin-leader is down roughly 500 gold, but in the big scheme of things, that’s probably not of much value anymore. Armour is bartered these days, and cannot be bought. His crafting materials and Symbols of Celebrimbor would go for much more on the Auction House than Turbine would give him as a condolence prize.

The forums are going crazy with threads of compromised accounts. Turbine’s primary response? “It’s not our fault. Check your PC for keyloggers.”

Turbine also has a No Rollback policy, which is retarded. No, I don’t think they should rollback every little thing, because that makes it too easy for players to game the system, but having an immobile policy to never, under any circumstance rollback a character even when proven beyond a shadow of a doubt that it was compromised is equally retarded. Even Blizzard will do a character rollback.

I’m not buying the “it’s not our fault” and “it’s always a keylogger.” It’s been documented and proven numerous times that when creating an account, your account info is sent via unencrypted plain text. If your email account is compromised, bingo. Second, thanks to the Skirmish Leaderboards, it is incredibly easy to see all the players. Near as we can tell, it shows either your forum username (in my case, my game and forum usernames were the same) or your game username (our hunter has never signed up for the forums, so we easily found his game login on the leaderboards). At that point, passwords can be brute-force hacked.

LOTRO readers, consider this a forewarning and go change your login password, and make it something separate from your forum login if you have one. I’ve still not seen a single gold farmer spam, but I’m hearing the prices on the LOTRO gold selling sites has recently risen (also coincidentally after the F2P launch) so they’re going after as much gold as they can get, any way they can get it. Apparently why farm the gold when you can just steal it?

8 thoughts on “Turbine Security Woes”

  1. It’s Turbine. What did you expect?

    It’s also important to ensure your account name is not something obvious either; that’s the first like of defense. Not a single one of my account names has anything to do with “Smaken” or “SmakenDahed” or any of my character names.

    I hated that Blizzard switched the account name to email addresses. That forced me to create a really obscure and unpublished email address as an account. This is how I know all those emails from “Blizzard” aren’t really from Blizzard since Blizzard has the right address while others do not.

    Take precautions to not reuse game account names with forum names (if Turbine is dumb enough to use your account name as your forum handle – don’t ever post on their forums). Also do not reuse passwords, especially not on third party sites.

    SmakenDahed recently posted..Heroic Nerfs Round 2… Still Tweaking

  2. Reading this is a little disturbing, especially since my WoW account was hacked yesterday. I better go change my password for LOTRO immediately. Thanks for the warning.

  3. Definitely change anywhere that password is used. If I were a hacker, I’d try all sorts of other things with that user account and password; a lot of games keep CC info on file so you can re-sub easily.

    One thing Blizzard has started to do (it seems) is check IP addresses (I’m making an educated guess here) then request that you verify you are how you say you are when it’s coming from a different location.

    I discovered this when my sister tried logging into WoW on my system in my house instead of hers which is way out in the middle of nowhere.

    SmakenDahed recently posted..Server Status on the Launcher

Comments are closed.