Please, No War: The War Z Catastrophically Hacked

By Nathan Grayson on April 2nd, 2013 at 9:43 pm.

Poor, innocent victims of the recent hacking and server downtime.

The astounding saga of The War Z continues, but this time, with a twist: the rank odor of awfulness isn’t coming from inside some fissure in the game’s rotting flesh. Rather, an external force – data-hungry hackers – decided to stir up trouble, and boy did it ever hit the jackpot. In short, if you ever signed up for The War Z, go change everything. Financial information, fortunately, is still safe and sound (except, you know, for the fact that it’s presumably being spent on The War Z), but far too many other crucial pieces of information have been compromised. As a result, the more-than-a-little wobbly zombie survivor’s been forced offline for the time being.

Publisher OP Productions released a rather urgent statement on the matter:

“We are issuing this Security Alert to all Survivors as a precaution so you can take some precautionary measures on your own. We have already taken a number of steps to increase security and are continuing to work with external advisors and investigators to identify and implement measures to minimize the chance of this happening in the future.”

“The data accessed included email addresses used to log in to the forum, forum passwords which we encrypt, email addresses used to log in to the game, encrypted game passwords as well as in-game character names and the IP addresses from which players log in to the forum and to the game. If you posted other information to the forum it is likely that such data was accessed as well. We do not collect the names or addresses of our gamers so that information was not impacted unless you posted it on the forum. We are investigating whether additional information may have been obtained.”

So basically, your fleshiest e-bits are now flopping about in the breeze – or at least, they’re catching a chill in some hacker’s dank info-cellar. You should probably take care of that as soon as humanly possible, one way or another.

This whole episode is made all the worse by the fact that The War Z’s hardly proven impregnable in the past. This particular instance, however, is easily the worst, so – if for some reason you haven’t already – maybe consider living out your murderously misanthropic fantasies elsewhere.

For now, though, OP assures us that it’s “undertaking a full review and update of our servers and the services we use and adding additional security mechanisms.” But honestly, if you’re still playing this one, how many strikes until it’s out? How close to the dust-and-duct-tape cliff side do you draw the line?


74 Comments

  1. Discopanda says:

    I just feel so much sadness for anyone who bought the game. Except for my Facebook friend, who I WILL NEVER ALLOW TO LIVE DOWN HOW BAD AN INVESTMENT THEY MADE!

  2. Hahaha says:

    “The data accessed included email addresses used to log-in to the forum” = Spam/phish
    “forum passwords which we encrypt” = jack depending on the encryption
    “email addresses used to log-in to the game” = Spam/phish
    “encrypted game passwords” = jack depending on the encryption
    “in-game character names” = bruteforce/phish
    “IP addresses from which players log-in to the forum and to the game.” = jack, maybe a dos (maybe account jacking)
    “If you posted other information to the forum it is likely that such data was accessed as well.” = jack

    meh

    • Beernut says:

      I wouldn’t put it past the WarZ devs to have used unsalted MD5 as “encryption” without any kind of key-derivation technique, though. Just judging by the amount of care they put into the rest of their endeavours. But maybe privacy and security is their one strong point, who knows?

      • Hahaha says:

        XD Am hoping that people are at least starting to get that right (I’m an optimist :p). Your password getting compromised shouldn’t be a problem outside of whatever was hacked anyway.

      • Triplanetary says:

        My money’s on a simple substitution cypher. A=Z, B=Y, and so on.

        • darkChozo says:

          My bet’s on Pig Latin.

          • Bhazor says:

            My bet’s on they just hid it in another folder.
            Just like hiding your porn folder. Truly the most popular of all PC games.

          • The Random One says:

            Just like you kept your porn in a folder called “Boring School Stuff”, they ironically kept the user passwords in a folder called “Porn”.

      • CowTsign says:

        Given their track record, I wouldn’t bet on anything other than ROT26…

      • FaceWound says:

        It might as well be fact. They managed to get into all forum administrator accounts, compromise their email and send out racist messages, as well as log in to Sergey’s in-game account. I think it’s fairly safe to say they have all the passwords they want, probably in plain text. I’ve been a long-standing player and critic of this game and have had several friends who were forum moderators, and some of the stories I have heard are astonishing! I’m also a developer and have had a poke around, and all I can say is it’s UGLY.

        • MrLebanon says:

          I watched some youtube video uploaded by the team claiming to be the hackers in which they logged into some popular WarZ PvP youtubers account and deleted all of his characters

          • DrollRemark says:

            “popular WarZ youtuber”

            …nope, sorry, you’re going to have to run that one by me again.

        • Grey Poupon says:

          Those accounts are obviously the first ones to be hacked. As long as there’s nothing special about you, the likeliness that your passwords are cracked in the first day or two is rather low. If they didn’t leak the hashes that is.

      • Aardvarkk says:

        I feel so cynical, my first thought was this seedy company just went and sold all the info and claimed it was stolen.

        • hamburger_cheesedoodle says:

          It wasn’t my first thought, but I was thinking it too.

          (It was my second thought; the first is that someone noticed a company this big and stupid probably had awful security surrounding all those juicy data.)

    • Dan Puzey says:

      The passwords shouldn’t be encrypted at all, they should be hashed. There’s a big difference, and I hope for their users’ sake that the guys running that unfortunate mess at least know the difference…

        • asthasr says:

          I hope you’re not facepalming due to the “hashed” comment. He’s absolutely right.

          • Triplanetary says:

            He’s right, but he’s being a bit pedantic, since a hash is a type of encryption. Despite my joke above, I find it virtually impossible to believe that they’re unaware of the need for a password hash to be non-reversible and subject to the avalanche effect. I know these things and I’m not even a developer, so I’ll give them the benefit of the doubt.

            Now, occasionally you will find a dev stupid enough to think that a MD5 hash is sufficiently secure…

          • Dan Puzey says:

            @Triplanetary: it’s not pedantry at all; there’s a huge difference between encryption and hashing: MD5 is the latter, not the former. Encryption is designed to be (relatively easily) reversible; hashing is designed not to be. You can only crack a hash by brute force.

            If their passwords are encrypted rather than hashed, it’s far more likely that they’ll be discoverable from the database.

            That said, MD5 is massively outmoded now and doesn’t represent much security at all either, so I hope they used better… With a modern PC, you can brute-force any MD5-hashed password under 10 characters in a couple of minutes.
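
The distinction drawn in the exchange above, as an added example in Python that is not code from the article, from OP Productions or from any commenter. It contrasts three ways a site might store a password: a reversible keyed transformation (stood in for here by a toy XOR keystream that is NOT a real cipher; the point is only that whoever holds the key recovers every password in one pass), bare unsalted MD5, and a per-user salt with PBKDF2-HMAC-SHA256 from the standard library. The word list, user names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os


def toy_encrypt(key, plaintext):
    """Stand-in for a real cipher (NOT secure; illustration only). Whatever
    the cipher, the stored value is recoverable by anyone holding `key`,
    and in a breach the key usually sits on the same box as the table."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(plaintext))


def toy_decrypt(key, ciphertext):
    return toy_encrypt(key, ciphertext)   # XOR with the same keystream undoes it


def md5_store(password):
    """Unsalted MD5: one-way, but identical for every user who picks the same
    password, and attackable for ALL users with a single precomputed table."""
    return hashlib.md5(password.encode()).hexdigest()


PBKDF2_ROUNDS = 100_000   # the rounds are what make guessing expensive


def pbkdf2_store(password, salt=None):
    """Per-user random salt + PBKDF2-HMAC-SHA256: one-way, and the salt forces
    an attacker to redo the whole word list for every single user."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def pbkdf2_verify(password, salt, digest):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, digest)   # constant-time comparison


WORDLIST = ["123456", "password", "warz2013", "letmein", "qwerty"]  # constructed


def crack_unsalted_md5(leaked, wordlist):
    """leaked: {user: md5hex}. Hash the word list ONCE, then look every user
    up: the cost is len(wordlist) no matter how many rows leaked."""
    table = {md5_store(w): w for w in wordlist}
    return {u: table[h] for u, h in leaked.items() if h in table}


def crack_salted_pbkdf2(leaked, wordlist):
    """leaked: {user: (salt, digest)}. Nothing is shared between users, so
    the cost is len(wordlist) * PBKDF2_ROUNDS per user and no table helps."""
    found = {}
    for user, (salt, digest) in leaked.items():
        for w in wordlist:
            if pbkdf2_verify(w, salt, digest):
                found[user] = w
                break
    return found


def work_units(n_users, wordlist_len, rounds=1):
    """Rough count of hash evaluations each attack needs, for comparison."""
    return {"unsalted_md5": wordlist_len,
            "salted_pbkdf2": n_users * wordlist_len * rounds}


if __name__ == "__main__":
    key = os.urandom(16)                      # "leaked" along with the table
    print("decrypted:", toy_decrypt(key, toy_encrypt(key, b"hunter2")))
    leaked_md5 = {"alice": md5_store("123456"), "bob": md5_store("Tr0ub4dor&3")}
    print("unsalted md5 cracked:", crack_unsalted_md5(leaked_md5, WORDLIST))
    salt, digest = pbkdf2_store("password")
    print("salted pbkdf2 cracked:", crack_salted_pbkdf2({"carol": (salt, digest)}, WORDLIST))
    print("work for 10,000 users:", work_units(10_000, len(WORDLIST), PBKDF2_ROUNDS))
```

The salted scheme does not stop a weak password from being guessed; carol’s “password” still falls. What changes is that the guess has to be repeated per user at full cost, so a leaked table of strong or even middling passwords stays mostly unread, whereas the unsalted MD5 column is effectively one dictionary lookup per row.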

      • PoulWrist says:

        The failure is strong in this one.

  3. phelix says:

    HACKFACE.

    Wait sorry, wrong meme.

    *punches self*

  4. Revolving Ocelot says:

    Y’know, when I checked earlier today War Z was 17th on the Steam top sellers list. It was actually selling more than Tomb Raider.

    I cannot possibly comprehend how this is possible, assuming it’s just normal people buying it. Did they not catch the seething mass of bad news last time? Are they buying it hoping for some kind of Big Rigs style enjoyment? Are we all being replaced by the cattle those aliens have been stealing for so long?

    EDIT: Ooh hang on, it’s still there! Position #30. A notch above Borderlands 2.

    • Hahaha says:

      just lol

    • Shuck says:

      Apparently most people who buy games don’t read gaming sites. Instead they buy based on screenshots, the supposed feature list and, in this case, a vague sense of familiarity with the name (capitalizing on a similarity to both “Day Z” and “World War Z”), I suspect.

      • Niko says:

        This Just In: Dumb People with Lots of Money Buy Games on Steam Based on Pictures Alone!

        • Soldancer says:

          And this is news how, exactly? ;)

          It is sad, though. The more mainstream/popular a thing gets, the more there are people willing to purchase said thing based solely on initial appearance and advertising rather than research. Unfortunately this goes for darn near everything, from games to movies to physical products (and their War Z equivalent, the dreaded Brand X).

    • Corrupt_Tiki says:

      It may not count for much, but I am purchasing Tomb Raider, right this minute, after reading that.

  5. Dowr says:

    I feel stupid for asking (but this is serious): how do I log in to change my information on their site? I know I’m missing something but I’m not going to waste time trying to figure it out.

    • Hahaha says:

      Depending on the encryption used it’s not that serious, unless they missed out some bits in the press release. Also, why change your info somewhere that might still be compromised? Your password should be different everywhere already, so no harm done.

    • Stardog says:

      There seems to be no way to change your password on their website… Another failure on their end.

  6. Llewyn says:

    As a result, the more-than-a-little wobbly zombie survivor’s been forced offline for the time being.

    There’s always a silver lining to these stories.

  7. derbefrier says:

    I know people like to hate this game because OMG IT COPIES DAYZ, but as someone who knows nothing about the technical crap I would like to know how this is so much worse than, say, when Steam or Sony got hacked. Reading this article you would think your whole life is in jeopardy, but it seems like the pretty standard “your encrypted passwords got stolen so change them just in case 12345 is your standard password” type of thing. Just seems like it’s getting way overblown. I think it’s wrong to make people panic unnecessarily if that’s the case.

    • Triplanetary says:

      I’m not seeing any panic-mongering in the article. It’s common practice to change your passwords and such if a site you have an account on has been hacked. Even if the danger is minimal, so is the effort involved in changing your password.

      Beyond that it’s just fun to make fun of The War Z. Because fuck the devs. Seriously, just fuck them.

      • Hahaha says:

        “in short, if you ever signed up for The War Z, go change everything”

        • Tssha says:

          That’s hyperbole, not panic-mongering. Granted, it’s blatantly unhelpful hyperbole, but given the information they have access to it’s likely the best they could do.

      • frightlever says:

        If War Z was hacked the devs have already emailed everyone with an account to tell them, right?

        No-one who reads RPS has bought the War Z. Thus no-one who reads RPS needs to read a warning about the hack on RPS. The overlap between people who bought the game and informed gamers is statistically insignificant. The purpose of this news post is schadenfreude loosely wrapped in a big coat and floppy hat to make it look like a public information posting.

        Which is fine.

    • Deadly Habit says:

      Here’s the thing, Sony’s hack was plaintext, costing people some credit card info and more because of inept security practices and protocols.

      Steam was hashed passwords and still has Steamguard, so nothing was gained.

      The WarZ devs have shown themselves incompetent on quite a few fronts, now this.
      Which situation do you think it will be more akin to?

      • Malibu Stacey says:

        Steam was hashed passwords and still has Steamguard, so nothing was gained.

        Also Steam wasn’t hacked. The Steampowered forum which is completely independent of Steam itself (for this very reason) was.
        If like me you’ve never used the Steampowered forum then you had to do absolutely nothing.

  8. ass wasp says:

    Now all we need is for this to happen to simcity.

  9. kiza95 says:

    ‘OP Productions LLC issues Security Alert for The War Z game players,

    We are sorry to report that we have discovered that hackers gained access to our forum and game databases and the player data in those databases. We have launched a thorough investigation covering our entire system to determine the scope of the intrusion. This investigation is ongoing and is our top priority. As part of the remediation and security enhancement process we will be taking the game and forums down temporarily.

    We are issuing this Security Alert to all Survivors as a precaution so you can take some precautionary measures on your own. We have already taken a number of steps to increase security and are continuing to work with external advisors and investigators to identify and implement measures to minimize the chance of this happening in the future.

    The data accessed included email addresses used to log in to the forum, forum passwords which we encrypt, email addresses used to log in to the game, encrypted game passwords as well as in-game character names and the IP addresses from which players log in to the forum and to the game. If you posted other information to the forum it is likely that such data was accessed as well. We do not collect the names or addresses of our gamers so that information was not impacted unless you posted it on the forum. We are investigating whether additional information may have been obtained.

    No Payment information Exposed.
    All payments are made through a third party and not through our system. Therefore there was absolutely no exposure of your payment or billing information of any kind.

    Email Addresses.
    If you registered on our forum, your registration email address was taken. Those Survivors who use the same email address to access their game accounts should be aware that the hackers have the email address.

    Passwords.
    We encrypt all passwords. However, there is a possibility that simple passwords can be obtained using brute force even if they are encrypted. Our research shows that many users are not using strong passwords.

    Therefore, we are asking all of our players to please change your passwords immediately. You may do this by visiting our website or by clicking “Forgot Password” on The War Z launcher screen. If you use the same password for accounts on other services, you should change those passwords as well. Please make sure to use a strong password that is unique and uses a combination of upper and lower case letters, numbers and special characters. Longer passwords are stronger. We suggest not using a password shorter than 8 characters, with a 12 to 15 character password being preferred.

    What we are doing.
    We have engaged outside experts and investigators to assist in our investigation of this incident and committed substantial resources to that effort. We have identified a number of ways access was obtained and have enhanced our security to improve game and forum safety. We are undertaking a full review and update of our servers and the services we use and adding additional security mechanisms. In addition to this post, we are emailing all of our players just to make certain that everyone is informed and has been advised to change their passwords.

    The security of your data is important to us and we want our players to be assured that we take this situation very seriously. We have taken steps to improve security to minimize the chance of this happening in the future and will continue to invest in improving security going forward.

    This has been a humbling experience for us. While we all know that there is no guaranty of security on the internet, our goal is to try our very best to protect your data. We sincerely apologize.

    We will update you on status as we make progress.

    Thank you,

    The War Z Team’

    If you notice, they have spelt guarantee wrong, as guaranty. A very, very silly mistake for a game development company’s official apology, do you not think? I will not change my password due to the fact that this gives me the impression that the system is still compromised. Overall, I think this is ridiculous. With all of the troubles that Sony had with the PS3, and also with the recent cyber-attack that slowed down the internet for most of the UK, you’d have thought that more companies would exercise a greater deal of caution when it comes to customers’ private information. However, I think the system is still compromised and that there is more to this than is being let on, purely because of this very silly infant-school spelling mistake.

    • Hahaha says:

      “you’d have thought that more companies would exercise a greater deal of caution when it comes to customers’ private information.”

      People
      Cost
      Time
      Agenda

      Companies are still getting robbed for amounts in/above the hundred thousand range.

    • DrScuttles says:

      Wasn’t that recent cyber attack that slowed us down allegedly a load of balls anyway? I know my connection has been absolutely fine though that evidence is anecdotal at best.

    • Beernut says:

      “We encrypt all passwords. However, there is a possibility that simple passwords can be obtained using brute force even if they are encrypted. Our research shows that many users are not using strong passwords.”

      I’m curious as to the nature of their “research”. How can they judge the strength of any of their users’ passwords, if those are hashed properly? There are only a few possibilities as far as I can see:

      1.) They use a very simple hashing algorithm without a salt, so they can easily check their users’ hashes against publicly available databases of pre-computed hashes. This is the worst possible case and effectively means that all but the most complicated and long (i.e.: not yet bruted) PWs of their userbase should be regarded as definitely compromised.

      2.) They use a good hash algorithm with key-stretching, but with the same salt for every user. This means that they have at least the ability to compare the hashes of different users and count the occurrences. I have no idea how large their userbase actually is and if any conclusions could be drawn at all based on such observations. But in principle, their “research” could then have consisted of counting how many times a specific hash existed in their database and concluding that the corresponding users must obviously use common or easy-to-guess/-remember PWs, because otherwise it would’ve been unlikely for them to come up with the same password as a number of other users. This would be better news for the userbase than case 1), since even though there’s only one salt, enough rounds of pbkdf2- or bcrypt-like algorithms to create the hash would result in significant cost increases for brute-forcers and even slow down dictionary attacks.

      3.) They used a unique salt for each user and a proper hashing method, in which case I really can’t imagine a single way for them to form any kind of intelligent opinion in regards to the strength of their users’ passwords.

      4.) They hash in a secure way like in 3), but go through the trouble of creating a temporary, insecure hash every time a user registers or changes his PW and check it against a DB of stored hashes for common or generally “known” passwords. If the hash is found, they know that the PW probably isn’t very good and they can increase a counter in their “research”-statistic before disregarding the insecure hash and generating the proper one for the actual authentication processes. I honestly can’t imagine them doing this, I don’t even know if anybody did or does this kind of stuff, but it’s a possibility nonetheless.

      5.) They told a fib, there was never any research going on and I pondered/typed all this in vain. :(
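
The four technical possibilities enumerated above, worked through as an added Python example that is not code from the game, from OP Productions or from the commenter. It builds the stored table under each storage scheme (bare MD5, one site-wide salt with PBKDF2, a random salt per user) and then runs the only “research” each table permits without the plaintexts: a precomputed lookup for option 1, duplicate counting for options 1 and 2, the same duplicate count finding nothing under option 3, and the registration-time screening of option 4, where a throw-away fast hash is compared against a known-bad set and only a counter survives. The user accounts, passwords and common-password list are constructed for illustration; the round count is kept low so the example runs quickly.

```python
import hashlib
import os
from collections import Counter

ROUNDS = 10_000                                            # low, for a quick demo
COMMON = ["123456", "password", "qwerty", "letmein"]       # stand-in for a public list
USERS = {"u1": "123456", "u2": "123456", "u3": "password", # constructed accounts
         "u4": "correct horse battery staple", "u5": "qwerty"}


# --- the storage schemes of options 1-3 ---
def store_unsalted(users):                                   # option 1
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in users.items()}


def store_global_salt(users, salt=b"one-salt-for-everyone"):  # option 2
    return {u: hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ROUNDS)
            for u, p in users.items()}


def store_per_user_salt(users):                              # option 3
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        table[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ROUNDS))
    return table


# --- what can be learned from each table without the plaintexts ---
def flag_by_lookup(unsalted_table, common):
    """Option 1: one precomputed table of common hashes names weak users outright."""
    known = {hashlib.md5(w.encode()).hexdigest(): w for w in common}
    return sorted(u for u, h in unsalted_table.items() if h in known)


def flag_by_duplicates(table):
    """Options 1 and 2: equal stored values imply equal passwords. This shows
    THAT users share a password, not which one."""
    counts = Counter(table.values())
    return sorted(u for u, h in table.items() if counts[h] > 1)


def flag_by_duplicates_per_user_salt(table):
    """Option 3: the same duplicate test over per-user-salted digests finds
    nothing, although u1 and u2 chose the same password."""
    counts = Counter(d for _, d in table.values())
    return sorted(u for u, (_, d) in table.items() if counts[d] > 1)


# --- option 4: screen the plaintext at registration, keep only a tally ---
COMMON_MD5 = {hashlib.md5(w.encode()).hexdigest() for w in COMMON}


def register(password, stats):
    """Temporary fast hash checked against the known-bad set, then discarded;
    the salted digest is the only thing stored, the counter the only statistic."""
    stats["total"] += 1
    if hashlib.md5(password.encode()).hexdigest() in COMMON_MD5:
        stats["weak"] += 1
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def run_study(users=USERS):
    """Run every 'research' method over the constructed accounts."""
    stats = {"total": 0, "weak": 0}
    for p in users.values():
        register(p, stats)
    return {
        "option1_lookup": flag_by_lookup(store_unsalted(users), COMMON),
        "option1_duplicates": flag_by_duplicates(store_unsalted(users)),
        "option2_duplicates": flag_by_duplicates(store_global_salt(users)),
        "option3_duplicates": flag_by_duplicates_per_user_salt(store_per_user_salt(users)),
        "option4_tally": stats,
    }


if __name__ == "__main__":
    for name, result in run_study().items():
        print(f"{name}: {result}")
```

Read the output as a diagnostic: a company that can name which accounts have weak passwords is in case 1, one that can only say how many people share a password is in case 2, and one with a per-user salt learns nothing from the table at all and must have gathered its numbers at registration time, as in case 4, or not at all.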

      • darkChozo says:

        My guess is they store statistics on their passwords when they’re first set, pre-hash.

        Well, no, that’s a lie. My real guess is that their “research” was that they asked anyone who knows anything about passwords and users. Because honestly.

        • Llewyn says:

          My real guess is that their “research” was that they asked anyone who knows anything about passwords and users

          …and those people replied, “We’re talking about users who spent money on your game, right?”

    • Earl Grey says:

      Should point out that ‘Guaranty’ is perfectly fine. There is a lot of wrong going on at OP Productions, but spelling ain’t one of ’em.

  10. mrmalodor says:

    The only thing surprising here is that War Z still exists.

  11. SkittleDiddler says:

    Where’s your god now? WHERE IS YOUR GOD NOW?

  12. vash47 says:

    Financial information, fortunately, is still safe and sound (except, you know, for the fact that it’s presumably being spent on The War Z)

    First time I’ve laughed out loud reading RPS. Bravo.

  13. Personoic says:

    In the grim darkness of the zombie apocalypse future, there is only war Z.. and hackers.
