passwords

Latest

  • Guild Wars 2 brings trading post online, handles hacked accounts

    by 
    Justin Olivetti
    09.04.2012

    It's a good day for Tyria's Wall Street and its many denizens, as ArenaNet has brought Guild Wars 2's trading post fully online. The trading post, which works as an advanced version of an auction house for the game's players, has only been sporadically available since launch. The defense and counter-attack against the legion of GW2 hackers continues, however. The devs report that "a Guild Wars-related fan site" was recently hacked for its account information, and say that the reset password feature for the game will remain disabled for the time being so as not to allow hackers another avenue of attack. ArenaNet said that during the past 24 hours, the team has dealt with over 2,500 hacked accounts and over 2,800 login issues.

  • Blizzard suffers security breach, encrypted passwords and authenticator data compromised

    by 
    Sean Buckley
    08.09.2012

    According to a recent Blizzard security update, now might be a good time to cook up a new password. Blizzard's security team found that its internal network has been illegally accessed, and answers to personal security questions, authenticator data and cryptographically scrambled Battle.net passwords have found their way into the perpetrator's hands. The team is confident, however, that the compromised data isn't enough to give the attacker access to user accounts, and says that there is no evidence to suggest financial data (credit cards, billing addresses and customer names) were accessed. Blizzard President Mike Morhaime recommends that users update their passwords all the same, and we couldn't agree more. Check out his official statement at the source link below and get that Diablo III account locked down.

  • Amazon, Apple stop taking key account changes over the phone after identity breach

    by 
    Jon Fingas
    08.07.2012

    By now, you may have heard the story of the identity 'hack' perpetrated against Wired journalist Mat Honan. Using easily obtained data, an anonymous duo bluffed its way into changing his Amazon account, then his Apple iCloud account, then his Google account and ultimately the real target, Twitter. Both Amazon and Apple were docked for how easy it was to modify an account over the phone -- and, in close succession, have both put at least a momentary lockdown on the changes that led to Honan losing much of his digital presence and some irreplaceable photos. His own publication has reportedly confirmed a policy change at Amazon that prevents over-the-phone account changes. Apple hasn't been as direct about what's going on, but Wired believes there's been a 24-hour hold on phone-based Apple ID password resets while the company marshals its resources and decides how much extra strictness is required. Neither company has said much about the issue. Amazon has been silent, while Apple claims that some of its existing procedures weren't followed properly, regardless of any rules it might need to mend. However the companies address the problem, this is one of those moments where the lesson learned is more important than the outcome. Folks: if your accounts and your personal data matter to you, use truly secure passwords and back up your content. While Honan hints that he may have put at least some of the pieces back together, not everyone gets that second chance.

  • Talkcast tonight, 7pm PT/10pm ET: Dog days edition!

    by 
    Kelly Guimont
    08.05.2012

    It's Sunday again, like it or not, and as long as you can turn the air conditioner down low enough so the noise doesn't drown it out, you can join us tonight to record the Talkcast! We'll be discussing the latest and greatest (or not so greatest) news on Mountain Lion, the Apple/Samsung Showcase Legal Showdown, and include a PSA about security. It may be a warm one where you are, so tonight's Aftershow will likely include topics that go well with ice. Now it's really all about you, the community, so join me won't you? To participate, you can use the browser-only Talkshoe client, the embedded Facebook app, or download the classic TalkShoe Pro Java client; however, for +5 Interactivity, you should call in. For the web UI, just click the Talkshoe Web button on our profile page at 4 HI/7 PDT/10 pm EDT Sunday. To call in on regular phone or VoIP lines (Viva free weekend minutes!): dial (724) 444-7444 and enter our talkcast ID, 45077 -- during the call, you can request to talk by keying in *8. If you've got a headset or microphone handy on your Mac, you can connect via the free X-Lite or other SIP clients; basic instructions are here. Talk to you tonight!

  • Microsoft fights back against Xbox Live account threats, begs you to update your security settings

    by 
    Sean Buckley
    07.19.2012

    Redmond's console gaming network may not have suffered a breach of security comparable to last year's PSN fumble, but that doesn't mean it hasn't braced for impact. According to Xbox Live General Manager Alex Garden, Microsoft has made great strides in account security by taking legal action against sites that share phished usernames and passwords, enacting two-step login verification for untrusted devices and pushing fresh security updates to devices. Even so, Garden says that many of Xbox Live's account protection measures rely on member profiles being up to date, and heartily encourages users to make sure their security information is accurate. Get the word directly from the horse's mouth at the source link below.

  • NVIDIA Developer Zone shut down, may have been hacked

    by 
    Tim Stevens
    07.13.2012

    Bad news from the land of Tegra. NVIDIA has shut down its Developer Zone forums after noticing what it calls "attacks on the site by unauthorized third parties." While the nature of the attacks isn't clear, what's troubling is that these attackers "may have gained access to hashed passwords." Users are of course encouraged to change their secret codes and, with all the hackery going on lately, we might recommend you just go ahead and change them all -- just in case. [Thanks, Alfredo]

  • Yahoo confirms server breach, over 400k accounts compromised

    by 
    Michael Gorman
    07.12.2012

    Online account security breaches are seemingly commonplace these days -- just ask LinkedIn or Sony -- and now we can add Yahoo's name to the list of hacking victims. The company's confirmed that it had the usernames and passwords of over 400,000 accounts stolen from its servers earlier this week and the data was briefly posted online. The credentials have since been pulled from the web, but it turns out they weren't just for Yahoo accounts, as Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com login info was also pilfered and placed on display. The good news? Those responsible for the breach said that the deed was done to simply show Yahoo the weaknesses in its software security. To wit:

    "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in Web servers belonging to Yahoo Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

    In response, Yahoo's saying that a fix for the vulnerability is in the works, but the investigation is ongoing and its system has yet to be fully secured. In the meantime, the company apologized for the breach and is advising users to change their passwords accordingly. You can read the official party line below.

    "At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday, July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."

  • OS X Lion update accidentally outs user passwords in plain text, stumbles over FileVault

    by 
    Sean Buckley
    05.06.2012

    Are you an avid user of OS X's FileVault encryption and running a recently updated version of Lion? It may be time to consider changing your passwords. According to security researcher David Emery, users who used FileVault prior to upgrading to 10.7.3 may be able to find their password in a system-wide debug log file, stored in plain text outside of the encrypted area. This puts the password at risk of being read by other users or enterprising cyber criminals, Emery explains, and even opens the door for new flaw-specific malware. FileVault 2, on the other hand, seems to be unaffected by the bug. The community doesn't currently have a way to fight the flaw without disabling FileVault, so users rushing to change their password now may find it being logged as well. Obviously, we'll let you all know once we hear back from Apple regarding this matter.

  • The Daily Grind: How do you keep track of your passwords?

    by 
    Justin Olivetti
    04.25.2012

    It's a hazard of the job that we accumulate scores of passwords while writing at Massively. It makes sense: Every new MMO tried means a new account, and because I'm not stupid, a new password. Unfortunately, the numbers began to pile up on me and I began to realize that there was no way I was going to remember all of these for when I'd go back to a game months after the fact. My old system used a common theme (say, names of Pokemon) that allowed for different passwords while giving me a chance at guessing them if I forgot. My new system is a $0.99 notebook that I desperately hope my kids don't discover and chew up. It's a slight improvement but not perfect. So I'm curious: How do you keep track of your passwords? Do you memorize them, write them down in a notebook, have a text file on your computer, or use a password manager program? Every morning, the Massively bloggers probe the minds of their readers with deep, thought-provoking questions about that most serious of topics: massively online gaming. We crave your opinions, so grab your caffeinated beverage of choice and chime in on today's Daily Grind!

  • Researchers suggest haptics and audio for discreet password input

    by 
    Donald Melanson
    04.09.2012

    You can use as complex a password as you like, but that won't do you much good if someone's able to watch or record you entering it. Researchers Andrea Bianchi, Ian Oakley and Dong-Soo Kwon have some ideas for overcoming that little problem though, and recently put together a video demonstrating a few of the possibilities they've come up with. All of those rely on haptic input systems -- either on their own or in conjunction with some audio output (through headphones for privacy). That includes things like a dedicated haptic keypad or haptic wheel, and different methods that could take advantage of a haptic display on a smartphone. As you can see in the video after the break, some of those options could be a bit more time consuming than an easy-to-remember password, but there's certainly plenty of potential applications where security would trump convenience. [Thanks, An]

  • Microsoft Store hacked in India, passwords stored in plain text

    by 
    Sean Buckley
    02.12.2012

    Frequenters of India's online Microsoft Store were briefly greeted with the suspicious visage of a Guy Fawkes mask this morning, following a hack that compromised the site's user database. According to WPSauce, Microsoft Store India's landing page was briefly taken over by a hacker group called Evil Shadow Team, who, in addition to putting a new face on Windows products, revealed that user passwords were saved in plain text. The group's motivations are unknown, though the hacked page warned that an "unsafe system will be baptized." The store is now offline, suggesting that Microsoft may have regained control. Read on for a look at the compromised password database. [Thanks to everyone who sent this in]

  • Passware claims FileVault 2 can be cracked in under an hour, sells you the software to prove it

    by 
    James Trew
    02.02.2012

    Lunch hours may never feel safe again. That is, if you have a Mac running Lion / FileVault 2, like leaving your computer around, or have unscrupulous colleagues. Data recovery firm Passware claims its "Forensic" edition software can decrypt files protected by FileVault 2 in just 40 minutes -- whether it's "letmein" or "H4x0rl8t0rK1tt3h" you chose to stand in its way. Using live-memory analysis over FireWire, the encryption key can be accessed from FileVault's partition, gifting the pilferer privy access to keychain files and login data -- and therefore pretty much everything else. If you want to try this out for yourself, conveniently, Passware will sell you the software ($995 for a single user license) without so much as a flash of a badge.

  • Trion Worlds customer database hacked, 'no evidence' credit card info stolen

    by 
    Justin Olivetti
    12.22.2011

    Trion Worlds has become the latest in a long string of MMO studio security breaches this year, as the company reported an intrusion into its customer database. At risk of compromise were customers' user names, passwords, birthdates, email and billing addresses, and partial credit card info. However, the company states that "there is no evidence" that full credit card numbers were stolen at this time. In a message posted on the Trion Worlds website, the company promises that it is both researching the intrusion and taking steps to increase security. As part of this, all RIFT players will be asked to change passwords and security questions, and their mobile authenticators will need to be reconnected. The company urges customers to watch their bank statements for questionable activity, and provides customers with resources to get a free credit report and put a freeze on credit reports. To compensate customers for the issue, Trion is providing all RIFT players with three extra days of gaming time and a Moneybags' Purse that increases all money looted by 10% in-game. [Thanks to everyone who sent this in!]

  • Turbine explains recent LotRO forum security issue

    by 
    Justin Olivetti
    10.19.2011

    While Lord of the Rings Online's forums have returned following Turbine's decision to take them down due to a security issue, many players were left in the dark about what had happened. To clear the air with this, the studio posted a brief security FAQ that addresses the specifics of what went down this past week. According to the FAQ, Turbine became aware of a compromise in the forum database that would allow unauthorized access from outsiders. The company took the forums offline, brought in security experts, and fixed the bug that caused this issue. Turbine also claims it has strengthened its web security and that no payment details, including credit card information, were in danger of being stolen. As part of an effort to make sure all players were secure, Turbine sent out notices to a few customers with particularly vulnerable passwords. In the email, the players were informed that their passwords were reset for their own safety. The FAQ ends with a few Dos and Don'ts about password creation which all MMO players would be wise to adopt.

  • Star Wars Galaxies fan site hacked, 23K passwords stolen

    by 
    Justin Olivetti
    08.31.2011

    Talk about kicking a game's community when it's down. VentureBeat reports that Star Wars Galaxies.net, a major SWG fan site, was hacked yesterday. Star Wars Galaxies.net is part of a LucasArts fan site network, and apparently was not being actively maintained, as the last update was in June of 2009. Still, over 21,000 email addresses and 23,000 passwords were stolen -- some of which could lead to identity theft, according to authorities. The hack was perpetrated by ObSec, a small group in the vein of LulzSec. The hackers posted the email addresses and passwords online for all to see. Analysis of the passwords found that 71% were relatively weak and easy to crack anyway. Some Star Wars Galaxies players may see this as an unfortunate echo of the much larger Sony hack that happened earlier this year. We at Massively urge any players who have used this fan site to make sure that they change their passwords elsewhere as well.

  • Security oversight reduces complexity of Apple ID passwords

    by 
    Michael Grothaus
    08.24.2011

    One of our readers pointed out a hiccup on Apple's security settings for Apple ID passwords. While Apple ID passwords usually require a mix of capital and lowercase letters, this issue removes that condition. Earlier this year Apple changed the password requirements for Apple ID, the credential for logging into the iTunes Store, MobileMe accounts, etc. Apple ID passwords already had to include both numbers and letters, but then Apple added the requirement of at least one capital/uppercase letter in the password. Existing users who had Apple IDs and passwords already set up were not required to change their passwords, but any new user creating an Apple ID through the iTunes Store was required to use a mixed-case password, as a gesture towards increased security. Passwords with mixed numbers/letters and mixed case are presumably harder to crack than case-insensitive passwords with just numbers and letters. Passwords like that are also harder to remember -- which may reduce their effectiveness, as xkcd pointed out. Capitalizing a single letter also doesn't dramatically increase password entropy, while the simple xkcd scheme actually does and thereby makes your password much tougher for a computer (if not a human) to guess by brute force. While one could argue whether or not Apple's change really helps password security that much, there's no question that it does make things more tricky for data entry: alphanumeric mixed-case passwords are somewhat of a pain in the butt to enter if you forget which letters are capitalized and which are lowercase. Also, entering intercapped passwords on an iOS device is even more of a pain because the extra tap required for the Shift modifier key slows down typing; Apple requires users to re-enter their Apple ID passwords every so often after a set amount of time has passed when shopping at the App Store, iBookstore, or iTunes Store on an iOS device, so the password entry dance will be frequent.

    However, despite Apple's initiative on making an Apple ID harder to crack, its very own password reset tool, iForgot, represents a security oversight. It allows a user to bypass the mixed-case password requirement. Apple ID holders can simply navigate to iforgot.apple.com and start the password reset process: you enter your Apple ID and an email will be sent to your address on file which contains a link that allows you to reset your password. The oversight here is that an Apple ID password created through iForgot doesn't require a capital letter. Now, whether you use iForgot to get rid of mixed case in your password is up to you. iTunes accounts are frequent hacking targets, and the more security the better. However, if those capital letters in your Apple ID really bug you, you now know how to change them. I'd do it fast however. Apple is sure to close this loophole once it's made public. Also keep in mind that if you do change it, you'll need to abandon your current password. Apple doesn't allow you to reset your password (mixed-case or not) to one that was used in the past year. Thanks to reader Phillip for the heads up.

  • AT&T ramps up voicemail security, say hello to your new pin code

    by 
    Zachary Lutz
    08.06.2011

    Have anything sitting in your voicemail that you'd prefer the rest of the world didn't hear? When's the last time you went about checking it, anyway? AT&T is now on a mission to save its carefree customers from themselves, and beginning today, all new subscribers will be required to set a voicemail password or affirmatively disable the security measure. Ma Bell's new policy is a reaction to the current unauthorized intrusion hubbub in the media, combined with the very real threat of caller ID spoofing. Shockingly, its current customers won't receive similar treatment until early next year, and only when they upgrade their handsets. Of course, you can easily secure your voicemail within the settings, and if you prefer the convenience of retrieving your messages without hassle, you'll still have that option -- much to Rupert Murdoch's pleasure, that is.

  • Hotmail adds 'My friend's been hacked!' feature to finger phishers

    by 
    Christopher Trout
    07.16.2011

    Hotmail's spent the past few years playing catch up with the competition, but for the most part, it hasn't done anything particularly groundbreaking with its services. Earth shattering might not be the appropriate descriptor for its latest addition, but Hotmail's added a helpful new feature to distinguish plain old spam from the kind that comes from a trusted source. Now, when you get an email from a friend that smells of something sea dwelling -- say a plea for some extra scratch from abroad -- you can select "My friend's been hacked!" from the "Mark as" menu, alerting the powers that be that your friend's account has been hacked. When you mark a missive as junk, you can likewise click a box that reads: "I think this person was hacked!" Once that's done, the spammers are kicked to the curb, and your friend is put through an "account recovery flow" the next time they attempt to log in. On the prevention front, Hotmail will soon roll out a new service that blocks users from selecting common passwords. It might not be enough to coax us over, but maybe this time the other guys could learn a few lessons.

  • Apple servers hacked by Anonymous

    by 
    Kelly Hodgkins
    07.04.2011

    According to Anonymous' Twitter account, the hacking group used a SQL injection exploit to pull down the usernames and passwords of several accounts from an Apple-run server (abs.apple.com). The passwords appear encrypted so there is little threat that others can abuse this account information. It's more a blow to the company's reputation. The hackers implied they could do more if they wanted, but told the company and the public not to worry as they "are busy elsewhere."

  • Sega's online Pass hacked, 1.3 million user passwords stolen

    by 
    Vlad Savov
    06.20.2011

    Let's bid a bitter welcome to Sega, the latest entrant to the newly founded club of hacked online communities. Sega Pass, the company's web portal, suffered a breach of its defenses on Thursday, which has now been identified to have affected a whopping 1.29 million users. Usernames, real names, birth dates, passwords, email addresses, pretty much everything has been snatched up by the malicious data thieves, with the important exception of credit / debit card numbers. We'd still advise anyone affected to keep a watchful eye on his or her banking transactions -- immediately after changing that compromised password, of course. In the meantime, Sega's keeping the Pass service offline while it rectifies the vulnerability; it'll be able to call on an unexpected ally in its search for the perpetrators in the form of LulzSec, a hacker group that boasted proudly about infiltrating Sony's network, but which has much more benevolent intentions with respect to Sega. What a topsy-turvy world we live in!