The Secret World’s Forums Have Been Breached And Passwords Cracked

Funcom, makers of The Secret World, The Longest Journey, Age of Conan and Anarchy Online, announced earlier this morning that their forums have been compromised and user data exposed.

In an announcement on their website, Funcom stated that the data breach for the four games above included encrypted passwords, user names and e-mail addresses. “Even though passwords were encrypted, these can be cracked and should be considered compromised,” the company said.

According to the LeakedSource data breach monitoring hub, many of the forum passwords have already been cracked. On the English forums for The Secret World alone, more than 81,000 passwords from nearly 228,000 users had been cracked.

Game accounts are still secure as those were “separate and are stored on different servers using different security systems”. It’s still frustrating for users, however, particularly when the breach was made possible “due to a security fault in the vBulletin forum system”.

Along with other sites that were breached recently, LeakedSource wrote that “not a single website used proper password storage, they all used some variation of MD5 with or without unique salts”. Funcom has reset all passwords for all accounts on the sites affected, and it’s recommended that users change their passwords elsewhere if that password has been reused. (Which you absolutely shouldn’t be doing, but probably do anyway.)

The breach was revealed just days after the forums for Epic Games and Unreal Tournament were also exposed. Both of those forums were placed into maintenance mode as a result.
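The storage weakness LeakedSource describes, next to a slow salted alternative and a migration path, as an added example that is not Funcom's or vBulletin's code. The `md5$...` record layout, the function names and the scrypt work factors are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# Work factors are assumptions for this sketch; tune them to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def legacy_md5(password: str, salt: bytes = b"") -> str:
    """Constructed legacy record 'md5$<salt hex>$<digest>': one fast hash call."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"

def hash_password(password: str) -> str:
    """New record: random per-user salt plus a memory-hard KDF (scrypt)."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"

def verify(password: str, stored: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    scheme, *fields = stored.split("$")
    if scheme == "md5":
        salt = bytes.fromhex(fields[0])
        return hmac.compare_digest(legacy_md5(password, salt), stored)
    if scheme == "scrypt":
        n, r, p = (int(x) for x in fields[:3])
        salt, expected = bytes.fromhex(fields[3]), bytes.fromhex(fields[4])
        key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                             dklen=len(expected))
        return hmac.compare_digest(key, expected)
    return False

def login(password: str, stored: str):
    """Return (ok, record_to_store); a legacy MD5 record is upgraded on success."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("md5$"):
        return True, hash_password(password)
    return True, stored

if __name__ == "__main__":
    old = legacy_md5("hunter2")  # constructed sample record, unsalted
    ok, new = login("hunter2", old)
    print(ok, new.split("$")[0])
```

Upgrade-on-login only converts accounts that sign in again, so dormant accounts keep their MD5 records until they are reset or expired.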


  • MD5. FFS. I can maybe accept that for Anarchy Online since the game is so old, but not for modern stuff.

    For those that don’t understand, you can crack an MD5 with zero effort. Just build a rainbow table (or use a pre-generated one). There’s sites out there that you can put MD5s into and it’ll give you back the cracked password immediately.

    It’s a little bit trickier if the site added salt. If it was the same salt each time, you just build a new rainbow table (would take a few hours for MD5, if that) and if it was unique salt, you’d need to build the table for each password meaning that it’d be a few hours work to crack each one (or a few seconds on a botnet or other distributed system).

    No site should be storing passwords hashed with MD5 in 2016. There’s really no excuse.

  • They haven’t sent out email notifications to players, which is very bad. Simply putting something up on the site really isn’t good enough of a notification.

