Cryptic reveals accounts breach to users

Cryptic Studios alerted users today of a security breach from 2010 in which an intruder gained access to account and password information.


An effort by Cryptic Studios to enhance security on its servers and its databases uncovered a breach from 2010 where the unauthorized intruder had access to account names, encrypted passwords and other account information.

In an email to users today and a post on its website, Cryptic said the hacker had breached one of its user databases:

The unauthorized access included user account names, handles, and encrypted passwords for those accounts. Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database. All accounts that we believe were present in the database have had the passwords reset, and customers registered to these accounts have been notified via e-mail of this incident.

Cryptic also believes the hacker may have had access to additional information such as player names, birth dates and partial credit card details, but there was no evidence that any of this information was taken.

The company, which handles such MMOs as Star Trek Online, Champions Online and the upcoming Neverwinter, said it is continuing to monitor the situation and asks its users to do the same.

(Correction: We had originally reported that Cryptic handled City of Heroes. The studio developed the game, but it is owned and operated by NCsoft. We regret the error)

Contributing Editor

From The Chatty

  • reply
    April 25, 2012 6:30 PM

    John Keefer posted a new article, Cryptic reveals accounts breach to users.

    Cryptic Studios alerted users today of a security breach from 2010 where a hacker got into account and password information.

    • reply
      April 25, 2012 6:36 PM

      Guess this wasn't a scam email I just got then.

      • reply
        April 25, 2012 6:39 PM

        heh, I got the email too but I don't play any of the games they own. I was wondering if it was real or not.

        • reply
          April 25, 2012 10:31 PM

          Same here. Not sure what the deal is.

    • reply
      April 25, 2012 6:37 PM

      I haven't logged in so long I don't think I remember the password I used.

      • reply
        April 25, 2012 6:40 PM

        Same issue here.

        • reply
          April 25, 2012 6:42 PM

          The breach was from 2010, so if you were playing around that time or before, then you may have been affected.

    • reply
      April 25, 2012 6:46 PM

      Cryptic has -nothing- to do with City of Heroes other than a handful of remaining sprite & sound royalties, and it's been that way for almost FIVE years now (2007 I think). Three years before the breach mentioned in this story.

      NCSoft & Paragon Studios would probably appreciate the correction, as *their* City of Heroes customers are in no way tied to this.

    • reply
      April 25, 2012 7:26 PM

      We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user.

      No evidence like the spam and phishing mails that have been coming since some time in 2010 to the email address I've only ever given to them, eh?

      • reply
        April 26, 2012 3:05 AM

        Haha, then what does it matter? You don't use it for anything else...

        Or if you do use it for anything else, then that's hardly "the email address you've only ever given to them".

        • reply
          April 26, 2012 8:29 AM

          What matters is that they would be lying, if what he said is true. That's why he made that post.

          • reply
            April 26, 2012 11:48 AM

            BS. He made that post to troll and nothing else. Why? Because they never said nothing else was leaked, they just said they only had evidence for name, handle and encrypted password.

            Thanks for your response!

            • reply
              April 26, 2012 12:01 PM

              I do not see how him offering an opinion on the origin of spam in a once-only account is a troll. He cites that he has (anecdotal) evidence that their statement is incorrect.

              I use the same method for registrations thanks to google mail aliasing. I have not checked if my account for Cryptic was compromised, so I cannot offer an opinion, but dismissing his post as a 'troll' simply because you disagree with his opinion, and my summation of that where I answer your sarcastic question, is immature. Just as your sarcastic rejoinder at the end of this post that I am replying to is.

              You should try to be more polite.

              • reply
                April 26, 2012 3:15 PM

                Yes, I have my own domains and use unique mail aliases for every new registration. If one starts getting spam, I know exactly who leaked it and can simply redirect that address to null at the server.

                It's worth noting that I had multiple accounts with Cryptic (for their various games), using different addresses. At least two of them were getting the exact same spams starting around the time of the breach.

        • reply
          April 26, 2012 3:11 PM

          Haha, then what does it matter? You don't use it for anything else...

          It matters because it plainly contradicts their claim that there was no evidence of any leakage aside from names and hashes.

          It was obvious to me at the time that their system had been compromised, and that attackers had obtained that single-use-email-alias-on-a-private-domain (long since redirected to /dev/null as I do with any such compromised aliases). Nobody else was ever provided with that unique address.

          I even vaguely recall pointing out the likely compromise to their support department when it started, though that may have been another MMO company who was similarly compromised that I did that for.

    • reply
      April 26, 2012 1:32 AM

      Sure it was in December 2010, Cryptic? Not February?

      Just wondering, because a Google search for an old password I don't use any more turned it up on an MD5 hash decrypter website on 05 Feb 2010.

      http://www.md5this.com/list.php?page=46025&key=1&author=ToXiC&country=Cyprus&city=Nicosia

      Since I seriously doubt anyone else in the world has ever used that specific combination of random letters and symbols, it means that someone going by the handle "ToXiC" from Nicosia, Cyprus (not his real town, I'm assuming) had access to a list of passwords converted to MD5 hashes from something I used.

      I don't remember what password I used on the Cryptic site, so I can't say that it's from this breach, but it's still troubling.
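The find in the post above, a password surfacing on an "MD5 decrypter" site, is what an unsalted, fast hash makes possible, and it is the simplest reading of Cryptic's line that "encrypted" passwords were nonetheless partly cracked. What follows is an added editor example, not code from the page or from Cryptic. The page never says what Cryptic actually stored, so the leaked rows below are constructed under the commenter's assumption (plain MD5, no salt), the user names and passwords are hypothetical, and the "decrypter" is modelled as what such sites really are: a precomputed hash-to-plaintext table. The contrasting store uses PBKDF2-HMAC-SHA256 from the standard library with a per-user salt.

```python
import hashlib
import hmac
import os

# Editor's example. Nothing here comes from Cryptic; the page does not say
# which algorithm its "encrypted" passwords used. The rows below are
# constructed under the assumption the commenter makes: plain MD5, no salt.
CONSTRUCTED_USERS = {            # user -> plaintext (hypothetical)
    "trekfan": "trekkie",
    "hero42": "champions2010",
    "ops": "x9#Qz!vL2p&w",       # not in any wordlist below
}
SAMPLE_WORDLIST = ["password", "trekkie", "champions2010", "Neverwinter!", "letmein"]


def md5_hex(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# What a leaked, unsalted table looks like to the intruder.
LEAKED_UNSALTED = {user: md5_hex(pw) for user, pw in CONSTRUCTED_USERS.items()}


def build_lookup(wordlist):
    """hash -> plaintext, computed once. An online 'MD5 decrypter' is exactly
    this table at scale; MD5 is not being reversed, just looked up."""
    return {md5_hex(w): w for w in wordlist}


def crack_unsalted(leaked, lookup):
    """One dictionary probe per user. The table is built once and reused
    across every user and every breach, which is why the hash of a password
    used years ago can turn up with a web search."""
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def hash_salted(password, salt=None, iterations=200_000):
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    Returns (salt_hex, dk_hex), which is what gets stored."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt.hex(), dk.hex()


def verify_salted(password, salt_hex, dk_hex, iterations=200_000):
    salt = bytes.fromhex(salt_hex)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(leaked, wordlist, iterations=200_000):
    """No shared table is possible: every user costs a full wordlist pass and
    every guess costs `iterations` HMAC rounds. Weak passwords still fall;
    the difference is the price per guess."""
    found = {}
    for user, (salt_hex, dk_hex) in leaked.items():
        for w in wordlist:
            if verify_salted(w, salt_hex, dk_hex, iterations):
                found[user] = w
                break
    return found


def kdf_work(n_users, n_words, iterations):
    """HMAC-SHA256 evaluations needed to run the wordlist against the salted
    store. The unsalted lookup costs len(wordlist) MD5s in total, once."""
    return n_users * n_words * iterations


if __name__ == "__main__":
    lookup = build_lookup(SAMPLE_WORDLIST)
    hits = crack_unsalted(LEAKED_UNSALTED, lookup)
    print(f"unsalted MD5: {len(hits)}/{len(LEAKED_UNSALTED)} cracked by lookup: {hits}")

    rounds = 20_000
    salted_store = {u: hash_salted(pw, iterations=rounds) for u, pw in CONSTRUCTED_USERS.items()}
    hits2 = crack_salted(salted_store, SAMPLE_WORDLIST, iterations=rounds)
    print(f"salted PBKDF2: {len(hits2)}/{len(salted_store)} cracked, after "
          f"{kdf_work(len(salted_store), len(SAMPLE_WORDLIST), rounds):,} HMAC rounds")
```

Both stores give up the two dictionary passwords; the salted one just charges three wordlist passes at 20,000 rounds each instead of five MD5 computations total, and the table built from this wordlist cannot be reused against anyone else's dump. That is the practical meaning of "encrypted passwords were cracked": the hash did not stop guessing, and without salting it did not even make the guessing per-user.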

    • reply
      April 26, 2012 7:53 AM

      soooo they didn't run any security checks for 2 years then?

    • reply
      April 26, 2012 8:33 AM

      Interesting - the email I got was definitely a scammer (unverified senders, text URLs hyperlinked to some scammer site). I have not received any real email about this issue from Cryptic.

      That's an interesting technique - when a company announces that, immediately send a phishing email.
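The tell the last commenter describes, a URL shown as link text while the hyperlink goes somewhere else, can be checked mechanically before anyone clicks. The block below is an added editor example, not code from the page; the HTML is a constructed lookalike of a breach-notification mail, with placeholder domains ("www.vendor.example" standing in for the real company, "vendor-account.example.net" for the scam host). It parses every anchor with the standard-library HTML parser and flags those whose visible text is itself a URL on a different host than the href.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Editor's constructed sample of a breach-notification lookalike, not the mail
# anyone on this page received. Domains are placeholders: "www.vendor.example"
# stands for the real company, "vendor-account.example.net" for the scam host.
SAMPLE_PHISH_HTML = """
<p>Dear customer, your account password has been reset.</p>
<p>Log in at
<a href="http://vendor-account.example.net/reset">http://www.vendor.example/account</a>
to choose a new one.</p>
<p>Questions? <a href="http://www.vendor.example/support">Contact support</a>.</p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname; bare 'www.x.y' text is treated as http://www.x.y."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    t = text.lower()
    return "://" in t or t.startswith("www.")


def mismatched_links(html):
    """Anchors whose visible text is a URL on a different host than the href.
    Returns [(shown_text, real_href), ...]; an empty list means no mismatch."""
    parser = AnchorCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.anchors
            if looks_like_url(text) and host_of(text) != host_of(href)]


if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_PHISH_HTML):
        print(f"SUSPECT: shows {shown!r} but goes to {real!r}")
```

The "Contact support" link is not flagged because its text is not a URL; only a displayed URL that disagrees with its own href is reported. The check is deliberately narrow: it catches the specific trick described above and says nothing about sender verification, which is the other tell the commenter mentions.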