IMPORTANT: Recent hackings

[chadz]

Most of you probably noticed (some poor lads even first hand) that there was a lot of hacking going on lately. People logged into other players accounts and tried to cause havoc in it. Mostly by selling heirlooms or by resetting chars.

a) Will those chars be restored.

Yes, definately. We will not allow anyone's fun and effort to be ruined by incidents like this. It will probably be a lot of work though, so just hang in there. Every transaction is logged, so it can be verified and restored. We will announce it when we have the tools&admins ready to reestablish the belongings.

b) How does it work.

It is, as far as I can see (the investigation isn't finished yet) related to the unpassed alts. Everyone can log into your account if you have no password set, all he needs is the name. We are currently believing, though not verified, that the reason why it got so easy is the NA stats. All you have to do is search for a player, check for some low level alt and hope for the best. I assume that works really well. This would also explain why it started when the stats were released and why it is mostly NA accounts that got hacked.

c) What are we doing about it.

Right now, we disabled logging into unpassworded alts. So this means you cannot use alts as a password retrieving tool for now. We will be changing the system entirely - when you join a server with a new alt, you will receive a 4 digit password that you can then enter into the website. This should deal with this exploit. However, this requires a website and a cRPG patch, and could take some time. We're trying to deal with this as fast as possible though.
Edit: actually, we changed it a bit. You now have 120 seconds to log into an alt before it gets impossible to login via this alt. Then you'd have to create a new alt and login within 120 seconds again. This should make it impossible for alt-guessers.


We're really sorry about this, and even further sorry that this will delay strategus ;)

But we're working on it, and all will be back to normal.

PS: please make sure your password is secure (not easily guessable). If you think your account got compromised, change your password.

[Glyph]

Thanks for doing a fix for c-rpg again chadz

[[ptx]]

Great news, thanks! 

[Matey]

Good to hear, just to mention though; most of the guys I talked to said that they had set passwords for all of their characters... i dont know if maybe they messed up and missed one or what, but I worry that the hacker might have found a different way to get in to peoples accounts.

[chadz]

Check Edit in first post:
Edit: actually, we changed it a bit. You now have 120 seconds to log into an alt before it gets impossible to login via this alt. Then you'd have to create a new alt and login within 120 seconds again. This should make it impossible for alt-guessers.

Good to hear, just to mention though; most of the guys I talked to said that they had set passwords for all of their characters... i dont know if maybe they messed up and missed one or what, but I worry that the hacker might have found a different way to get in to peoples accounts.

This might be, and would be very worrying. If you - or anyone else - could send me a PM with the names of those that got hacked and are 100% sure they haven't had an unpassed alt, I could check them out.

So far, we had some people that thought they didn't have an unpassed alt, but just joined once with the wrong name and then had an alt for it. As I said, we're still investigating.

[Classical]

This negates brute force attempts, and guesses. But for the entirety of the matter, what you are implying is that all recent hacking(s) are because of alternative characters? As much as I want to criticize this, it looks logical, only NA players have been taken down in the past attempts, but some of this attacks don't look related to the alt. characters "exploit".

But I know not all of the attacks and recent hacking(s) could have been done by alts. as stated by the LLJK members who were hacked, and I believe Goretooth, who was (All of them) among some of the first before this got out of control. Is there any reason to believe that there was at any point an exploit within your server, in the form of simply reading listed files, etc? Did something leak? Basically this doesn't add up the whole story, seems like there are other elements and this is only part of the problem.

I guess on that separate issue, let's congratulate Ecko on a job well done. Thank you for your wonderful site that opened up a crippling domain, allowed people to get items stolen, and revamped part of the cRPG security. On a non-sarcastic note, maybe when people suggest you change something on your site (Shik, Poophammer), you'll take it as a valid fucking criticism.

[Ginosaji]

Maybe I miss something, but wouldn't it be better to set the password of a newly registered character to the password of the main character registered with the given Warband key?

Or, even better, make it only possible to register new accounts on the website, not directly via joining a game. Maybe then you could implement a message that gets written in pink text whenever someone logs in with an unregistered character, like "You've joined with an unregistered character. Any progress you make with this character won't be stored. Please register your character at c-rpg.net" or similar.
For new players you'd have to set the Warband key to something invalid then, until the player joins a game with the same character name.

[Goretooth]

I don't have any alts.

[a_bear_irl]

Lots of the guys who got their stuff stolen were long term or "top tier" players, it seems a little unlikely to me that all these people, it's got to be over a dozen at this point, had unpassworded alts particularly considering that a bit ago there was a big scare with people getting their stuff jacked in that same way. I mean, I don't really know anything about coding or hacking or security but it seems to me that the dev team should start considering ways someone might gain unauthorized account access without using unsecured alts.

[Felix]

We're really sorry about this, and even further sorry that this will delay strategus ;)

Please, chadz, permaban ALL hackers and their collaterals. No, kill them! Make them code for food! ARGH!!
Greedy good for nothing bastards. Not only they robbed those poor guys but also make devs waste their time and efforts instead of them patching strategus. What the f****! They should have their warband cd-keys banned on all warband servers.
And i am sure everyone will want to know their names. Make the list public. It has gone far worse the last time.

[Stabby_Dave]

I recently gave away my looms to clanmates, hope this doesnt get seen as hacking.

[Cosmos_Shielder]

Stupid fucking account hacker who dont understand that dev and admin cant work on getting strategus back and repair their bullshit at the sametime...

[Felix]

Stupid fucking account hacker who dont understand that dev and admin cant work on getting strategus back and repair their bullshit at the sametime...

Our world is full of shit cause of such irresponsible and selfish, and furthermore - stupid people.

[Cosmos_Shielder]

I want them to be definitely banned from crpg forum and crpg servers. Having them beheaded will reduce the ammount of hacked account and punish them for being asshole

[okiN]

You fellas know the guys who pull this crap basically live for that kind of reaction, right?