Cryptic Servers Hacked, You Know The Drill

By Nathan Grayson on April 26th, 2012 at 11:00 am.

Everyone, prepare to throw bananas on the count of three.

It feels like it’s been ages since a major game company reported a break in from a gang of keyboard-wielding malcontents – and for Star Trek Online and Neverwinter developer Cryptic, it actually has been ages. Well, not actual ages. There were no lances, moats, or trebuchets involved (to my knowledge), but today – in the Neo Future Space Year 2012 – Cryptic cautioned users about an “unauthorized access” from December 2010. And while that certainly spooks an entire flock of northward-migrating eyebrows from their cozy forehead nests, there are more immediate concerns at hand. The short version: while Cryptic has “no evidence” that anything beyond usernames and encrypted passwords were taken, you should still change your password and keep a close eye on credit card info.

Here’s the main thrust of Cryptic’s statement on the matter:

“At Cryptic Studios, your privacy and security is important. As part of our ongoing efforts to monitor and enhance security, we recently detected evidence of an unauthorized access to one of our user databases. The unauthorized access occurred in December 2010, and evidence of this has just been uncovered due to increased security analysis.”

“The unauthorized access included user account names, handles, and encrypted passwords for those accounts. Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database. All accounts that we believe were present in the database have had the passwords reset, and customers registered to these accounts have been notified via e-mail of this incident.”

“While we have no evidence that any other information was taken by the intruder, it is possible that the intruder was able to access additional account information. If they did so, the first and last name, e-mail address, date of birth (if provided to Cryptic Studios), billing address, and the first six digits and the last four digits of credit cards registered on the site may have been accessed. We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user.

So that’s a fun mix of good news, bad news, and extremely questionable news to kick off your day. Better late than never on that “increased security analysis,” but it sure would’ve been nice to know about this back in – oh, you know – 2010.  I can’t even begin to fathom why Cryptic’s taken this long to get up to speed, but – especially after hackers pushed the industry’s innermost buttons mid-last year – there’s no excuse to avoid clamping down on this stuff. Obviously, malicious hacking will never go away completely, but here’s hoping that’s the end of that for a good, long time.

, , .

33 Comments »

Sponsored links by Taboola
  1. inertia says:

    I guess you could say they got…

    Decrypted.

    • B1A4 says:

      They were definitely cryptic about the hack.

    • Milky1985 says:

      The tears in this thread will be very salty, but i’m sure everyone will be able to hash it out

    • Godsmith says:

      Well, it seems like they have been digging their own grave.

    • Premium User Badge

      Morlock says:

      Bah, I am sure their security is back on Trek.

    • Premium User Badge

      P7uen says:

      Don’t know why they would klingon to their findings for so long before making it public though.

      • Premium User Badge

        Lord Custard Smingleigh says:

        Is this the thread where we make pseudorandom puns?

  2. Milky1985 says:

    Yes most people will see this nad instantly check the credit card statements from a year and a half ago.

    Also change your password now?

    I should add as well that when they sent out the emails they put a link to the password reset. But that link STILL goes throug hthe email atracking stuff, so when you mouse over the link its LINKING TO A RANDOM OTHER WEBSITE (some email tracking website with a random string of characters at the end of it)

    This is not good for a email about acconut security, i assumed it was spam cause it wasn’t linking correctly until i read about it an hour later and did some more digging around.

    They screwed up bad here.

    • gibsnag says:

      I also assumed that the email I got from Cryptic was spam… those links were not cool.

      • Luke says:

        +1.
        If the actual href doesn’t match the legitimate looking link-text, I’m not bloody well clicking on it.

        Stupid email.

      • sephiroth says:

        +100

        hotmail thought the email was spam and was blocked. good start

        then the whole email seemed low quality for anyone in a tech industry

        oh and the links looked about as fake and scammy as ive seen in ages including the ones that are fake/scammy

        based on this and my experiance in the game I do wonder how and why cryptic are still a company

      • Highstorm says:

        +1000

        Deleted and blocked the e-mail, figuring it was yet another phishing scam (I get about 8 dozen of them every day already). A friend and I even joked with each other about how pathetic the attempt was. Oiy.

    • Premium User Badge

      Thermal Ions says:

      It’s not actually another random website, it’s a URL for Perfect World who own Cryptic and by the looks of it appears to host the mailing list daemon (is that the right term?) used by it’s subsidiaries. Your point does stand that a nice clean URL link straight to the password reset pages would be preferable, but it may be that their mailing list system doesn’t allow such.

      Interestingly, although the email about the leak was in my Gmail inbox, the email sent to confirm my password reset was tagged as spam.

  3. mixvio says:

    I got a similar email about the same thing that went to my spam folder by default; it was full of a number of really atrocious spelling errors (including one where they spelled Cryptic wrong) and I assumed it was a phishing attempt.

    Lovely that this happened over a year ago and they’re letting us know now.

  4. weego says:

    One time hacks are good for headlines, but the smart people keep the backdoor into the system open and bleed it over time. Employees change, some little oddity someone notices is ignored and left because it was there when they started and on it goes until some code changes, some network infrastructure changes or the hacker gets sloppy and then suddenly oh shit.

    They could easily not have known about it till recently and then audited the logs for some innocuous looking outbound traffic on a certain port and found out when it started.

  5. Premium User Badge

    Siresly says:

    Surprised to get an email about this. Guess I’m in their database since I tried the City of Heroes beta a decade ago. Glad I never put any actual details on their servers.

    And yeah, the links in that email are indicative of the type of thing Cryptic says to be vigilant of on their site. Pretty shitty of them. Alongside the not discovering this breach for a year and a half thing.

  6. spamenigma says:

    Thats pretty bad, Dec 2010???

    What’s also poor is the wording in the email they sent me.

    “As a result of routine security checks and upgrades, we have discovered that certain of your account information, including your password, may have been accessed by an unauthorized party.”

    Normally I take one look at an email like this, see that its badly worded, think its been through a translator and such as it is and dismiss as fake which I did last night when I received it.

    I further believed this was fake as the email has links to click on to reset my password, a definate no no in any security message.

    I checked the STO news page and nothing was there so the whole thing smelled of a phishing email, so the fact this turned out to be legit is quite rubbish. I guess the fact its been almost 18months since the breech I would have accepted a further hour to do this properly! get the news on the website and construct a better email.

    I actually like STO but a lot of respect is being lost for this balls up!

    • Premium User Badge

      Thermal Ions says:

      The failure in having any information posted on either the STO or CO sites just shows really bad management of this issue. A player who hasn’t checked their email will try to log in (in-game or on the site) and get a username or password incorrect message with no indication of what’s going on. How many people actually go to the Cryptic site itself?

      You’ll forgive me Cryptic if I’m inclined to believe your statements of “we have no evidence that any other information was taken by the intruder” and “We have no evidence at this time that any data other than…” means jack sh!t given the length of time involved the handling of the communication.

      • sephiroth says:

        december 2010 to today 26/4/2012!!! thats what 17 months to notice a hack and tell your customers. REALLY?!?

        after all that time it would of been better (highly wrong however) to just not say anything about it or LIE!! as to when the hack was.

        it reads to me as if they had no idea they were breached until sum new employee (f2p money) came in and wasnt a total incompotent fool who actually did his (or her) job rather than the nothing all the other cryptic employees seem to do. <<< this is largely based on the lack of content and the quality to time ratio of new content as well as the programed by primates feel of the game overall.

      • LionsPhil says:

        Yeah, that’s pretty stupid. Not noticing an intrusion until they go back and reanalyze the logs with new tools I can understand. Being “good-natured” enough to fess up that they found something from long ago and get a lot of stupid rage from the Internet (“WHY DID YOU TELL ME BACK THEN WHERE IS YOUR TIME MACHINE”) rather than pretending it didn’t happen I can understand.

        But if you’re going to tell people, do make an effort to tell them properly. :/

  7. Meusli says:

    “At Cryptic Studios, your privacy and security is important. Therefore it gives me great pleasure to let you know your privacy and security are a thing of the past.”

    I always wonder why they start these hacking apologies with how important it is that they don’t mess up.

  8. westyfield says:

    Fucksake.

  9. Nallen says:

    “that certainly spooks an entire flock of northward-migrating eyebrows from their cozy forehead nests”

    :D RPS <3

  10. Cooper says:

    Kinda glad I’ve been playing it f2p and using the Steam Wallet now…

  11. Premium User Badge

    Zak T Duck says:

    That’s strange I didn’t even realise I even had an account with Cryptic, having never played Champions Online or STO.

    Oh hang on, Cryptic were once under Atari’s wing weren’t they? That explains it then, my “Cryptic” account is in fact an old Atari account from back on the Test Drive Unlimited 2 beta.

  12. sephiroth says:

    I hope with every fibre of my being (whatever that litterely means) that this will finally mean craptic will go bust and then we might finally get a good star trek game (mmo wise anyway there has been a few good trek games allthough nothing for a while)

    how can a company fail so hard??

    game = fail

    security = fail

    company = fail

    • Hoaxfish says:

      maybe their corporate lunches are amazing to balance it out

    • Premium User Badge

      Foosnark says:

      As a lifetime subscriber of Champions Online, let me be the first to say: bite me.

      “I don’t like this game, so I want to break everyone else’s toys too.”

      Cryptic… I mean, Perfect World has some issues, but name one MMO that people don’t gripe about? Somewhat with justification, but mostly with hyperbole and an excess of vitriol?

      • LionsPhil says:

        Ditto. CO was the only MMO I bothered with to any extent because it fixed a hell of a lot of MMO gripes.
        1) No awkward server sharding, so if I was a player and a friend was a player we could—gasp—play together. You might have to jump instance but that’s an easy thing you can do repeatedly in-game without so much as logging out.
        2) The missions were actually fun to solo for a lot of the earlier stuff, more than just “go kill Xs until they drop Y X parts”
        3) The combat was actually fairly good for something that has to deal with massive lag
        4) Cosmetic chargen options are pretty damn awesome and the setting means it actually works to have lots of ludicrously attired people larking around, supporting rather than undermining the tone of the setting
        5) F2P model means it doesn’t eat your life “getting your subscription’s worth”. It was easy to walk away when I had other stuff to do.

  13. Torgen says:

    Crap, I just realized I made a Cryptic acct in the misty past that was CO pre-release. And really, a YEAR and a half? Bush league.

  14. Highstorm says:

    If anyone is trying to change their password through the Champions-Online site and can’t log in after setting the new password, consider that your username might be something other than what the e-mail tells you it is.

    I bashed my head against the keyboard for the better part of an hour until I randomly decided to try another username I use – one that is not mentioned in the password reset e-mail and, in fact, is not mentioned anywhere in your account info once you do finally log in. Infuriating!

  15. Nalano says:

    Less than useless piece of information, telling me that my stuff may have been compromised 16 months ago.

  16. Sarkhan Lol says:

    Login: Jemmert
    Password: Statesman