Frogster, publisher of the popular “Runes of Magic” video game, says that they will not give in to the demands of a blackmailing hacker who has threatened to release personal information and payment details of customers.
Last month, a hacker calling himself Augustus87 posted a message on the Runes of Magic forum making a number of demands – including that staff should be treated more fairly and that security should be improved to protect the personal data of game players.
The message was quickly deleted, but some quick thinkers took a screenshot to capture it for posterity:
Part of the message read (the typos are the hacker’s own):
I HAVE ALREADY COMPROMISED ALMOST EVERY SYSTEM AND IM GOING TO SHUT THEM DOWN SERVER BY SERVER IF FROGSTER DOES NOT AGREE TO THE FOLLOWING REQUESTS:
#1 - NO CLOSED THREADS ANYMORE JUST BECAUSE U DONT LIKE THE DISCUSSION OR THE TOPIC. RESPECT FREEDOM OF SPEECH!
#2 - NO DELETED THREADS ANYMORE SAME REASON AS #1
#3 - BETTER TREATMENT OF FROGSTERS EMPLOYEES WORLDWIDE!
#4 - MORE TRANSPARANCY TO YOUR CUSTOMERS! TELL THEM WHAT IS GOING ON AN STOP LIE TO THEM. DONT TREAT THEM LIKE CHILDREN. BE RESPECTFUL!
#5 - SECURE THE GAME CLIENTS AGAINST CHEATING AND OTHER NOT WANTED MODIFICATIONS. YOU KNOW WHAT TO DO. DO IT!
#6 - TAKE CARE OF ALL PERSONAL RELATED INFORMATION! DONT LIKE ABOUT LOST INFORMATION LIKE EMAILADDRESSES OR EVEN ACCOUNTS! TELL THE TRUTH!
#7 - STOP SPY ON YOUR EMPLOYEES! WHILE INSPECTING YOUR NETWORKS AND SERVES I DID FIND A SNIFFING PROCESS WHICH STORES ALL RUNNING TRAFFIC OF ALL EMPLOYEES INTO A DATABASE AND FILESYSTEM ALLOWING TO RECONSTUCT CYBERMOVEMENTS OF EMPLOYEES FOR MONTHS. EMAILS WEBSITES CHATS EVERYTHING IS STORE AND CAN BE USED AGAINST YOUR EMPLOYEES. STOP SPYING THEM! I WILL LOOK FOR MORE OF THOSE PROCESSES ON YOUR INFRASTUCTURE.
YOU HAVE T W O W E E K S TO FULLFILL THESE REQUESTS.
IF YOU DONT OR IF YOU REMOVE THIS THREAD WITHOUT NOTICE IM GOING TO INCREASE THE NUMBER OF RELEASED COMPROMISED ACCOUNTS TO THE PUBLIC BY EVERY DAY THE THREAD IS NOT ACCESSABLE ANYMORE!
Clearly, whoever was behind the message felt very passionately about the “Runes of Magic” game. However, his fellow players are likely to have lost some sympathy when he published personal information on 2000 users, including their billing information, to prove he had access to the data.
For its part, “Runes of Magic” publisher Frogster deleted the messages from its forum and issued a statement saying that the data released was from users who registered in 2007, and that affected accounts had had their credentials reset. Hopefully users were also advised to change their login details on other websites if they were silly enough to be using the same password.
In a GamesIndustry.biz interview, Frogster Chief Operating Officer Dirk Weyel has confirmed that the firm will not negotiate with the blackmailer or cede to the hacker’s demands, and has called on the services of the police to investigate the case.
Hmm. I hope at the very least Frogster is taking a fresh look at its security, and investigating as a matter of urgency what could be done to better protect its customers’ data in future.
All online businesses need to learn to take security seriously – they don’t just need to protect their valuable corporate information, they also have a duty to properly protect the personal data belonging to their customers and partners.
Frogster announced the resignation of their CEO, Andreas Weidenhaupt, earlier this week.
Could it be that the attack came from inside? The demands would suggest so – or at least someone close to an employee. I think it’s great that they won’t be blackmailed, but I do hope they warned all their users – not just the ones who have been published and deleted.
wut? at first i thought he blackmailed them for money.. but actually… if what he tells is right, they should actually feel ashamed. I hope he publishes every last bit and they go bankrupt. this article sucks.
So, because he thinks the site is run poorly (and believes it has bad security) it's acceptable for him to publish innocent people's passwords and payment info?
Doesn't sound justified to me. He could still have pressured the site by sharing details responsibly with the media, rather than put innocent folks at risk.
Yeah, like the media is "responsible" with sensitive data.
He could have gone to the media, but when confronted with a set of serious nefarious claims about their own business practices, they chose to jab the beehive.
I think in the face of corporate power, people are feeling the need to take strange steps to be heard or taken seriously. Augustus87 isn’t right… but he’s not completely wrong either… personal financial stuff being posted publicly is never right. Shame on the security measures taken. And shame on the passive attitude about the threat.
No, if he did decide to do things responsibly and so innocent people were not put at risk they would have taken even less notice than what they have now.
Would there even be this article…?
Apart from the bits about the employees (I agree, sounds like an insider) it all sounds pretty reasonable…. They will probably lose customers through their response more than the initial hack.
I totally agree with you, Mr Cluley.
I can't understand the propensity for some people, upon becoming disgruntled with someone or some company, they punish someone else entirely who just has the rotten luck to be peripherally (and often, innocently) associated with the object of their ire. That's tantamount to saying, "I just got this bill from the electric company, and they've made a horrendous mistake! I know what I'll do…I'll shoot the postman, since he's the one who brought it to me! Then I'll hack into the electric company's computers and expose all my neighbors' account information…that'll teach them!"
It makes no sense whatsoever! You expose all those users' information and subject them to the possibility of endless problems with identity theft to make your point? If I were one of those users, I'd be looking for YOU to exact a little vengeance, and I'd be a lot more justified in doing that than you were in exposing my information in the first place.
I must say that I agree with Graham on this one. There were things that the company should have been doing better and there were probably grounds for trying to force them to do so but to involve the innocent users of the site is just morally wrong. I am sure that if the hacker had as much access as he claimed then he could have gained information that would have affected the company without harming the users. He would possibly have even gained support from the users that he has now just upset and alienated.
It's about time someone did something to make those guys listen. Frogster is like a state fair rigged game. Step right up folks, buy yourself a luck potion… might get lucky, might not. There is no game in this world that punishes its players like Frogster. I once dinged 51 three times in one day because the server didn't back up my character. That was 9 hours for nothing. GMs did nothing. Frogster claimed Double Diamonds over Christmas Friday through Monday with no claim on the front page when it was going to expire. On Monday I purchased a card, and turned it in that evening about 8pm. I live on the east coast, so it was technically Monday in the entire United States. When I put the card in, the date shows Tuesday. I come to find out, it's Tuesday in Europe. GMs did nothing. I've a friend whose diamonds were sent to another server. GMs did nothing. (That was December).
So Augustus87, I salute you! Frogster is like a Dictator and finally someone had the piety to bring them down. Me? I'll just go back to a 15 a month game. It's cheaper and WORKS.
I hope he keeps the servers offline forever.
This is one sad company.
Teach em a good lesson mr hacker.
does anybody know how to find out if your account information is made public??
I hate it when people who have knowledge have a tendency to get a god complex. This is comparable to wikileaks. Not in the sense of the data that's being shared but more over to the fact one individual that has tunnel vision. These people do not look at the full implications of their actions. People who do this do it mostly for recognition and to pet their self ego. If it were a person acting anonymously and had given frogster a fair chance to make the changes necessary via e-mail threads and if they didn't respond then go public via media outlet not a vulgar forum post. Yet another person that does not deserve to be called a hacker. It sounds like an ex-employee to me but we'll see. If they're smart they should see the entry from his/her forum post with time and IP stamp. Then it's a matter of tracing it down to a service provider. It should be especially easy if the user is a constant poster on the forums.
wow really dont like what i say so just take it down yea that works…
i want to kick that little crybaby in the face. I dont care what he is trying to do i really dont give a damn but blocking the servers so i cant play really piss me off
The hacker is back, or someone similar.
Even GM accounts are getting hacked.
Could be a disgruntled employee, since dozens have been fired recently.