How was this hack possible?

viruz_bs

Guest
I never heard about the US servers getting hacked or anything?
How come only GOA, who always seems to be slow on the trigger, gets a problem like this.
Not to mention that only French and German servers are highly populated tonight.

I hope they will soon get this going, it's a pity to ruin a good game like DAoC with crap like this.

Viruz /out
 
svartmetall

Guest
Originally posted by viruz_bs
Not to mention that only French and German servers are highly populated tonight.

I've been wondering about that myself.
 
Tilda

Guest
Jeez.

They send passwords out in the order you signed up.
If you recall, French and German people were able to play/register before the UK people, thus the odd numbers.
 
viruz_bs

Guest
Ahh, that's bad :/ So all of us playing English servers are the ones getting our passwords latest.
Just so crap that we gotta pay for them screwing up the safety of their programs.
I seriously hope I'm not paying for these days on my acc.

Viruz /out.
 
thegreatest

Guest
Well, I think they are finished with sending the German/French ones and are now somewhere at January/February 2002? When did DAoC actually get released in Europe? I registered in November 2002 so according to my calculations I will receive my password in 10-18 hours :/
 
samurai001

Guest
I got one of my passes, the only thing is, I have 3 accounts, and the email doesn't tell you which one the pass is for. Oh well, I feel sorry for groups of people who share like 10+ accounts.
 
viruz_bs

Guest
Uhm, I just reopened my acc, but it's only 6 months old. So I'm sure I'll wait a long time to get mine open :(
 
svartmetall

Guest
Originally posted by thegreatest
Well, I think they are finished with sending the German/French ones and are now somewhere at January/February 2002? When did DAoC actually get released in Europe? I registered in November 2002 so according to my calculations I will receive my password in 10-18 hours :/
That's about when I regged, too...FFS that's both my days off with no DAOC, basically.
 
Pi0z

Guest
RightNow was probably exploited - it uses a proprietary piece of PHP software, hax0rs probably got their mitts on the source and combed it for weaknesses. I'd wager it was SQL injection leading to privilege escalation etc.

I still don't understand why they have their business database facing the web, idiotic imo. Hopefully they'll have access logs for whatever database they use (Oracle I bet) and can nail the twats who did it.
 
Breni

Guest
I think they use MySQL

And as far as I know, the credit card information isn't held by GOA, don't they use WorldPay or some similar organisation to bill us?
 
Pi0z

Guest
Aye, all they will get back is a payment reference which they use on their generated PDF invoice things. The data I was referring to was their own data such as usernames/passwords for game/subscriptions, which were probably farmed with ease by the naughty people.

It would make more sense to handle RightNow authentication via some kind of XML interface on an internal-only box (completely locked down) and just get a SUCCESS/FAILURE depending on the credentials supplied. That way, you're not exposing your user database to the web directly and what's more, the webserver is unable to query the database server directly so if your website is owned by remote script invocation or whatever, your user data is still safe. :D

I hope they don't use MySQL for the game itself. :(

On a side note, I don't think they've handled the reissue of passwords very well but I guess everyone is of the same opinion judging by the reactions on these forums. :(

Hopefully, the subscription password email will be a bit more verbose, coz I don't have a scooby what one of the passwords emailed to me is for.. :puke:
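
The design suggested in the post above (an internal-only service that answers nothing but SUCCESS or FAILURE), sketched as an added example that is not part of the original thread and not GOA's or RightNow's code. The XML element names, the table layout and the PBKDF2 settings are assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3
import xml.etree.ElementTree as ET

ITERATIONS = 100_000  # assumed work factor for this sketch

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_store(users: dict) -> sqlite3.Connection:
    """Constructed sample user table; it lives only on the internal box."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    for name, password in users.items():
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (name, salt, _hash(password, salt)))
    return db

# Dummy record so an unknown user costs the same hashing work as a known one.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

def handle_auth_request(db: sqlite3.Connection, xml_request: str) -> str:
    """Answer with a verdict only; no row data ever leaves this function.

    Assumed request shape:
    <auth><user>..</user><password>..</password></auth>
    """
    try:
        root = ET.fromstring(xml_request)
    except ET.ParseError:
        return "<auth>FAILURE</auth>"
    user = root.findtext("user") or ""
    password = root.findtext("password") or ""
    # Parameterized query: the username is bound as data, never spliced into SQL.
    row = db.execute("SELECT salt, pw FROM users WHERE name = ?",
                     (user,)).fetchone()
    salt, stored = row if row else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash(password, salt), stored)
    # Wrong password and unknown user produce the same reply.
    ok = match and row is not None
    return "<auth>SUCCESS</auth>" if ok else "<auth>FAILURE</auth>"
```

The web server would hold no database credentials at all and would only relay the request to this service, so a compromised web front end can test credentials but cannot dump the user table.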
 
the_fnord

Guest
Originally posted by Tilda
Jeez.

They send passwords out in the order you signed up.
If you recall, French and German people were able to play/register before the UK people, thus the odd numbers.

Ermm... Hate to say it Tilda but that's utter BS! Have a friend who registered about ½ year before me and he hasn't got his pass and I got mine.... :doh:
 
Tilda

Guest
Originally posted by the_fnord
Ermm... Hate to say it Tilda but that's utter BS! Have a friend who registered about ½ year before me and he hasn't got his pass and I got mine.... :doh:

Nope, maybe he deactivated or got stuck in his ISP's system, but they're definitely going out in order of registering.
 
-Nxs-

Guest
I agree that it's in date order, my password arrived at 3.05am and the 2nd account I registered a month later arrived around 4.00am
 
the_smurflord

Guest
1st account registered 15th Feb 2002 - No e-mail
2nd account registered 24th Aug 2002 - Got the new password
3rd account registered 4th Jan 2003 - No e-mail

Having my doubts about the date order business.
 
Eleasias

Guest
I was among the first 100 players on English servers and haven't gotten my PW yet .. so kindly fo Tilda xD
 
Tractartus

Guest
I registered second day, but had to alter e-mail info so I am guessing that makes me lower in the system. No PW yet.

As Sub page down I can't check this, but is there only one e-mail account that GOA stores? Reason I ask is that I've changed my e-mail for the subscription details and I am getting those e-mails fine, is the PW getting sent to the same account?

Hope that makes sense!
 
geysor

Guest
I got my password, but you know what? I just can't be arsed to log in.
 
