Ooh Betty: Bethesda Forums Hacked Again

By John Walker on August 14th, 2011 at 6:17 pm.


Just when you thought gaming websites getting hacked was soooooo last month, Bethesda have sent out an email to forum users warning them that it’s happened to them all over again. The new email reports that the “potential” attack on their forums took place on Friday (12th) morning, and says that all forum passwords have been reset once more. No details of what happened are given, but the full email is below. (Admittedly this story broke yesterday, but I only received my email about it this afternoon.)

The last time Bethesda was attacked, it was the work of LulzSec, who then went on to release internal details and admin passwords, etc. It seems extremely unlikely it would be that lot this time, with the group having gone extremely quiet since the arrest of someone the police alleged to be at the helm. No group appears to have made claim to this breach, but if I were a betting man I’d put my money on it being some sort of “revenge” for the lawsuit made against Mojang. Here’s the email:

Dear Bethesda Forum User,

We have identified a potential breach of our forum user database that occurred Friday morning, Aug 12. We have reset your forum password as a precaution, in the event that any encrypted forum user passwords were compromised.

When you next try to login to the forums, your old password will not work. Click the “I’ve forgotten my password” link underneath the login boxes, and follow the steps to set up a new password for your account.

We recommend you do not use your old password or a password you have used for other sites. Further, if your old forum password was used for any other online purposes, we recommend changing the password on those accounts as well.

If you have any concerns, visit the following link:
http://www.bethsoft.com/eng/contact_email.php


52 Comments

  1. Captchist says:

    As always with these things. It’s not about them resetting your forum account password. Nobody cares (that much) if their forum account is briefly hacked. The issue is any other sites you might use the same password on. If a company screws up like this it can create breaches into other sites that are impractical to fix – even if you use something like Lastpass to use unique passwords on each site, you can’t use those products everywhere.

    There need to be laws about password storage to ensure these sorts of hacks are pointless.

    • simonh says:

      Everyone should use at least two different passwords; for two tiers of sites:

      Tier 1: Your primary Email and sites who you trust with your credit card.
      Tier 2: Forums etc. which don’t have any confidential information about you.

      A law would be difficult to enforce as companies don’t like giving out the source code for their security systems (even though “security through obscurity” is a bad idea) and the administration cost would be huge. Also, small noncommercial sites and forums that don’t even have a registered company behind them shouldn’t be forced to submit to that kind of monitoring. And which country would they be tried in anyway?

    • Captchist says:

      Whilst true, all it takes is for companies to store passwords in encrypted forms with proper hashing + salt. Then if something gets hacked I lose nothing. The only way I can lose my password is if I give it away or type it into a bad site. That has to be the solution to this. Not some clunky work around with password resets and me managing different tiers of sites (over long periods of time, plus all the password changing every few months + the various different rules different sites have about the amount of digits etc etc). This stuff needs to be standardised.

    • Vesperan says:

      Another problem is not remembering what password you had used for the forum in the first place.

      Perhaps it was one of my lower level/quality passwords. Perhaps it was a password I never use anymore. Should I change them all now?

      This is the problem I had when an old Bioware server was hacked. The hackers have more of an idea about what the password is than I do!

    • patricij says:

      I have so many passwords, I sometimes, when logging on some site I use infrequently, spend a good few minutes trying out all the passwords and variations of ’em I use…

    • Juan Carlo says:

      I have three tiers of passwords:

      1. Forums and other internet sites (I also never ever use my real name on these and only use dummy e-mail accounts that I set up just for internet forums and never actually check–so I probably wouldn’t care at all if these accounts were hacked as they really aren’t tied to me in any real way)
      2. Internet Stores (anything that requires my credit card)
      3. My bank

    • dsi1 says:

      @Simonh: I have 3 tiers:

      Tier 1: Regular websites.
      Tier 2: Money handling websites/services. (Each site/service has its own password)
      Tier 3: E-mail.

      With a user’s E-mail you can break into everything else.

    • Kdansky says:

      No, what you really should do is this:

      http://blown-to-bits.blogspot.com/2011/05/passwords-part-two-of-two.html

      In essence: unique password for every site, and only one single rule to remember. Beats any tiered system.

      I have written this piece exactly because I don’t want to retype it every two weeks. Also: Make it very long, like a full sentence. I’ve also written about why you should do that in part one, and argued against the most common (wrong) complaints in part three.

    • Maktaka says:

      Why not use a password generation system? I take the name of the place I’m logging into, run it through a simple mental algorithm, and get my password. Even if I haven’t logged into a place in a very, very long time, I can usually still guess the password. Every password is unique and the system I use generates more robust passwords than your typical fare.

    • Tam-Lin says:

      1Password. It’s a beautiful thing.

    • JeepBarnett says:

      http://www.xkcd.com/936/

      http://www.xkcd.com/792/

      http://www.wired.com/geekdad/2009/11/10-geeky-laws-that-should-exist-but-dont/
      1. Munroe’s Law: A person in a geeky argument who can quote xkcd to support his position automatically wins the argument. This law supersedes Godwin, so that even if the quote is about Hitler, the quoter still wins.

    • age says:

      I’m no expert on password security laws, but isn’t the issue that there is no security system powerful enough to stop a determined skillful hacker? How would increased regulation improve anything?

    • kregg says:

      I just use KeePass.

      It’s an opensource program you install on your PC, multi-platform too. Plus there are tons of extra plugins to make it autofill on Google Chrome and Firefox, and any other program necessary.

      Oh, and it does all that lovely random password gibberish. All you need is at least a master password or a key file to unlock it. For best measure, use both and keep the key file on a separate disk if you are paranoid.

    • dadioflex says:

      Another vote for Keepass here. I just share the database (protected with a 50 digit passphrase) with my various PCs. Installed it after that first big round of site hacking – so Lulz did make me more security conscious. Obviously Bethesda didn’t get the same wake-up about security that I did.

    • psyk says:

      @age

      Yep, but people like to think they are safe.

  2. Heliocentric says:

    I actually think these forums getting hacked might have some greater social worth if the idea of “one password for every site” died a death… too much to hope?

    • TillEulenspiegel says:

      That, on the user’s end.

      For the websites, bcrypt really needs to become standard. No more SHA or MD5 for password hashes. Bcrypt is designed to be computationally expensive, so attempting to crack even one password will take for-fucking-ever. It’s stupidly easy to implement, and hugely mitigates the effect of a successful hack.

    • Parthon says:

      The problem is that every second site you go onto requires a new user account. Because of this, I have user accounts on about 100 different sites. I’m not sure how I’m meant to remember 100 different passwords. I could use a password remember, but then what if *that* gets hacked?

    • Heliocentric says:

      PAD OF PAPER ON YOUR DESK, ENCRYPTED OLD SCHOOL WITH A CODE WHEEL BURNED INTO YOUR RETINA WITH A LASER

  3. Dosium says:

    I bet they’re going to use Mojang as some scapegoat. :\

  4. Metonymy says:

    I learned the hard way to not only not use the same passwords at different places, but also to never recycle them.

    I used a very old password for something recently, and within 24 hours I had received a ‘suspicious activity’ email. This means hackers are brute-force checking hacked password databases, even several years after they have been demonstrated to not work anymore.
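The “suspicious activity” email Metonymy describes is what a site sends when its login monitoring spots old leaked credentials being replayed against many accounts. The detector below is an added example, not code from the original page, from RPS or from Bethesda; the log format, the constructed sample lines and the thresholds (five distinct usernames from one source in five minutes with at least 60% failures) are assumptions for illustration. It flags the replaying source and lists the accounts where a replayed password actually worked, which are the users who need that email.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample authentication log (not from Bethesda or any real system).
# Assumed format: "<ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.7 walks a leaked credential list across many accounts; two of the
# old passwords still work. 198.51.100.5 is one person mistyping their own.
SAMPLE_LOG = """\
2011-08-12T03:00:01 203.0.113.7 alice LOGIN_FAIL
2011-08-12T03:00:02 203.0.113.7 bob LOGIN_FAIL
2011-08-12T03:00:03 203.0.113.7 carol LOGIN_FAIL
2011-08-12T03:00:04 203.0.113.7 dave LOGIN_OK
2011-08-12T03:00:05 203.0.113.7 erin LOGIN_FAIL
2011-08-12T03:00:06 203.0.113.7 frank LOGIN_FAIL
2011-08-12T03:00:07 203.0.113.7 grace LOGIN_OK
2011-08-12T03:00:08 203.0.113.7 heidi LOGIN_FAIL
2011-08-12T03:10:00 198.51.100.5 ivan LOGIN_FAIL
2011-08-12T03:10:20 198.51.100.5 ivan LOGIN_FAIL
2011-08-12T03:10:45 198.51.100.5 ivan LOGIN_OK
"""


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Turn the assumed four-field log lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def flag_stuffing(events: List[Event], window: timedelta = timedelta(minutes=5),
                  min_users: int = 5, min_fail_ratio: float = 0.6) -> Dict[str, dict]:
    """Flag source IPs that try many *different* usernames in a short window with
    mostly failures. A single user retrying their own account never trips this,
    because the distinct-username count stays at one."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i in range(len(evs)):
            # Grow the window forward from event i until it exceeds `window`.
            j = i
            while j + 1 < len(evs) and evs[j + 1].ts - evs[i].ts <= window:
                j += 1
            chunk = evs[i:j + 1]
            users = {e.user for e in chunk}
            fails = sum(1 for e in chunk if not e.ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "failures": fails,
                    # Accounts whose reused password still worked: these are the
                    # ones to force-reset and notify.
                    "compromised_accounts": sorted({e.user for e in chunk if e.ok}),
                }
                break  # one hit per source is enough; report and move on
    return flagged


if __name__ == "__main__":
    for ip, detail in flag_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, detail)
```

The ratio test matters as much as the username count: a shared NAT or a corporate proxy also shows many usernames from one address, but with a normal success rate, so it stays below the failure threshold.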

  5. Sheng-ji says:

    I have an account with them, I’ve checked my inbox, my junk mail filter and everywhere, why didn’t they tell me!

  6. DSR says:

    Personally, I use the same simple and dumb password on almost every site (including this one) where I don’t really care if my account is hacked. On game forums? Come on! What can they do? Post spam? Troll it in my name?

    But on sites where security is paramount (bank account, Steam and so on), I’m using the most complex password I can memorize.

    Works fine so far.

    • Silphatos says:

      Exactly, just use a dumb pass for forums, etc. and use uber-complex pw’s for important things.

    • johnpeat says:

      If you use something like LastPass, you can generate a ‘nonsense’ password for every site – you never even know the password yourself, LastPass remembers it for you.

      Then you just need to choose the mother of all passwords for LastPass ofc. :)

    • Silphatos says:

      What if LastPass gets hacked? lol

    • The Sentinel says:

      As I understand it, Lastpass only stores data online in a highly encrypted form. The key for unlocking that encryption is stored on your computer/s, so while it is still at risk (nothing is truly secure) the risk is as minimised as they can make it. Hacking their servers would just get you a load of data you need to un-encrypt, using millions of different keys stored on millions of different machines (themselves encrypted by your password choice).

  7. Koozer says:

    I feel this is apt.

    Now I feel glad I didn’t change my Bethesda password the first time…

    • gwathdring says:

      Damn. Beat me to it. The forum discussion on that one has some interesting internet security info and ideas.

    • The Sentinel says:

      I’m shocked. The structure of my best passwords is exactly like the example given in XKCD, garnered from web security tips from varying sources over the years, but a bunch of common words are more secure? It’s enough to make you swear, isn’t it? Loudly and continuously.

      I’m going to have to rethink my entire online password strategy!

  8. Davee says:

    I totally tipped you about this yesterday morning. RPS losing their touch, hmm?

    But seriously; I guess I’ll have another round of password changes then. *Sigh*

  9. skurmedel says:

    Weak passwords or not, it’s really no excuse for them to be hacked twice in such a short amount of time. It’s really no excuse to be hacked at all, they have money enough to secure their services. Nothing is 100% hackproof, but this just sounds lazy to me.

    • TillEulenspiegel says:

      That too, though I assume fingers will be pointed at crappy forum software. When it’s third-party stuff you have little control over, I have a bit more sympathy. Still, twice…

  10. WPUN says:

    In the future we will all use epic passpoems detailing the life and works of seven mythical Norse heroes.

  11. Sami H says:

    Any announcement on whether the passwords stolen (assuming they were) are encrypted?

  12. Beaverman says:

    To be honest I think every password should be stored as an md5 hash, only the hash should be there, that way the hacker would have to brute-force the hash…

    no websites should store it as plaintext, not even if it’s “encrypted” because a potential hacker could get the encryption key too
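Captchist (hashing + salt), TillEulenspiegel (a deliberately slow hash instead of SHA or MD5) and Beaverman (a bare MD5) are arguing about the same design decision, so one comparison serves all three comments. The code below is an added example, not code from the page or from any forum software Bethesda runs; the sample users are constructed. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the slow salted hash, since bcrypt itself needs a third-party package, and it shows the property Beaverman’s scheme lacks: with per-user salt, two users who chose the same password do not end up with the same stored value, so one successful guess or one precomputed table lookup exposes one account rather than every account that shares the password.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed sample users (not real accounts). Two of them picked the same
# password, which is exactly the case that separates the two storage schemes.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "Tr0ub4dor&3",
}


def md5_unsalted(password: str) -> str:
    """The scheme Beaverman describes: a bare MD5 of the password, no salt.
    MD5 is fast by design and identical passwords give identical hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash. PBKDF2-HMAC-SHA256 is in the stdlib;
    bcrypt (the comment's recommendation) is the same idea built on a
    different primitive. 600,000 iterations is the OWASP (2023) guidance
    for PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)  # fresh random 128-bit salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: the verifier reads the salt and iteration count
    # back from the string, so the work factor can be raised later per user.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def build_table(users: Dict[str, str], scheme: str) -> Dict[str, str]:
    """Build the credential table a forum would keep, under either scheme."""
    if scheme == "md5":
        return {user: md5_unsalted(pw) for user, pw in users.items()}
    if scheme == "pbkdf2":
        return {user: hash_password(pw) for user, pw in users.items()}
    raise ValueError(f"unknown scheme {scheme!r}")


def users_sharing_a_hash(table: Dict[str, str]) -> int:
    """Number of users whose stored value is identical to some other user's.
    Under an unsalted hash every such collision means one recovered password
    opens all of those accounts at once; per-user salt makes this zero no
    matter what the users chose."""
    counts = Counter(table.values())
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    for scheme in ("md5", "pbkdf2"):
        table = build_table(SAMPLE_USERS, scheme)
        print(scheme, "users sharing a stored value:", users_sharing_a_hash(table))
    record = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("correct horse battery stable", record))
```

The iteration count is the part TillEulenspiegel is pointing at: a leaked table of these records costs an attacker 600,000 HMAC computations per guess per user, against one MD5 per guess for the whole table under Beaverman’s scheme.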

  13. roethle says:

    Söldner.

  14. Solidstate89 says:

    I didn’t even know I had a Bethesda forum account until I got that e-mail. I must have made one years and years ago and completely forgot about it.

    Oh well. The password can stay reset for all I care. When I started using LastPass a year ago I changed all of my web-login passwords to those randomized hashes anyways.

  15. PetiteGreve says:

    I feel like it could be related to the lawsuit against Notch, a “the Big Company is beating the golden indie underdog, it deserves a slap in the face!” thing.
    (NB: I know it’s a trademark problem, and trademarking “Scroll” is not neutral at all, but meeting Notch to talk about it would have been better, on the legal and on the PR side)

    Or it’s just random hacking, not motivated by anything, just Bethesda not securing their forum at all.

    My security policy => For each website/forum :
    * Unique login
    * Unique password
    * One of 5 trash email addresses for any important registration
    * Temporary email (redirection) leading to one of the trash email addresses for anything not important
    * If I forget the login/password, I create a new account (see the article regarding multiple accounts, http://www.uie.com/articles/three_hund_million_button )
    => all logins/passwords are kept in a small paper notebook (one copy on the desk, one in the safe – frequently updated), while the most used (and not risky, like bank) in an encrypted file on the computer.

    If someone breaks into my house, he’ll steal the computer and the monitor, not a small paper notebook (stored next to other empty/useless paper notebooks).

    If someone breaks into my house to steal login/password information (governments tend to do that to journalists, judges, lawyers, NGO members, etc), then you can’t hide this information (without an entire new security policy), since they have: ISP-level DPI and browsing history going back 1 year, bugged phone/house, can order sites’ owners to give access to the accounts, day-0 keyloggers and so on.

    • Vesperan says:

      Dude!
      What country do you live in that you think your government does that sort of stuff, to those types of people?
      If it’s a country like the UK/US (or for me, NZ).. I think you could be considerably overestimating their evilness, and competence.

  16. Neon Kitten says:

    I feel kind of vindicated now; after the previous Bethesda hack I changed my passwords everywhere else, but re-used the same old password on their forums as I thought at the time “they’ll probably just get hacked again anyway”. I don’t personally care if someone has my Bethesda forum login and uses it to post spam, photos of kittens, whatever. They deserve it for price-gouging Australians on Skyrim and Rage anyway (US$90? Don’t expect any sympathy from me!)

  17. Milky1985 says:

    “It seems extremely unlikely it would be that lot this time, with the group having gone extremely quiet since the arrest of someone the police alleged to be at the helm.”

    They went quiet after they quit a few months back, they came back up again a bit then went quiet again when the alleged spokesperson was arrested.

    On the other hand how have they got themselves hacked again, shouldn’t they be looking into security after last time :/

  18. MythArcana says:

    Damn. Now Bethesda will have to spend all that money they saved by releasing a console port to PC users on server security schemes. See, kids, shortcuts get you nowhere.

  19. pipman3000 says:

    Notch has gone too far >:(
