Intruder compromises user database for Star Trek Online and other MMORPGs

Filed Under: Data loss, Featured, Law & order, Phishing

Cryptic Studio logoCryptic Studios—the studio behind online multiplayer role playing games such as Star Trek Online, City of Heroes, City of Villains, and Champions Online—suffered a user account database breach 16 months ago and is warning users about it now.

According to a notice the company posted to their site and emailed to affected users, the unauthorized access happened in December 2010, and warnings are only being issued now due to "increased security analysis".

The breach exposed user account names, handles, and encrypted passwords that the intruder was able to crack, at least in part.

The game company reset the passwords for all the accounts that it thinks were stored in the affected databases, but they're not even particularly sure about what the intruder did or didn't get his/her hands on.

From their notice:

"While we have no evidence that any other information was taken by the intruder, it is possible that the intruder was able to access additional account information. If they did so, the first and last name, e-mail address, date of birth (if provided to Cryptic Studios), billing address, and the first six digits and the last four digits of credit cards registered on the site may have been accessed. We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user."


The investigation continues, and the company says it's "taking even further action" to pump up systems and "redouble" its security vigilance and protections.

Unfortunately, that redoubled vigilance and protection doesn't appear to include identity fraud protection for affected users.

The company is also reminding people to be wary of phishing expeditions that ask for personal or sensitive information, which Cryptic would never request.

From their notice:

"For your own security, we encourage you to be especially aware of e-mail and postal mail scams that ask for personal or sensitive information. Cryptic will not contact you in any way, including by e-mail, asking for your credit card number, social security number, or any other personally identifiable information. If you use the same password for other accounts, especially financial accounts or accounts with personal information, we strongly recommend that you change them."

I don't like to pick on a company when it's down, but this all strikes me as a little feeble. I sent a note to Cryptic asking these questions:

  • Why has it taken 16 months to discover this breach?
  • Was there no security monitoring prior to the security analysis that discovered the breach?
  • Is this discovery the result of the first time Cryptic Studios has analyzed its logs or used the services of a security firm or product?
  • What specific type of encryption was used to protect passwords?
  • Will Cryptic use a stronger form of encryption following the intruder(s)' success at cracking encrypted passwords?
  • Why hasn't the company offered identity fraud protection for users?

If Cryptic gets back to me, I'll post their answers in the comments section below.

Cryptic's notice about this incident begins by assuring users that "your privacy and security is important."

Let's see Cryptic put their money where their mouth is. If appropriate, let's see identity fraud protection provided for those who were affected.

After leaving a database open for 16 months, it seems like a reasonable expectation.

, , , , , , , , ,

You might like

7 Responses to Intruder compromises user database for Star Trek Online and other MMORPGs

  1. Alex Van Schuylen · 1220 days ago

    ...should I mis-trust and doubt them?...abso-lute-ly!!! I know that this could not have been checked on & secured, over-night, but...16 months?? If I were a woman, I could have had 3 children by

    • I don't have much confidence in your math. 3 children in 16 months?
      Maybe if you had triplets as 16/9 is 1.7 labour terms.

      • Tim · 1220 days ago

        But a single labour term can yield more than one child :-)

      • Math Nut · 1220 days ago

        The first term doesn't count, and it's entirely possible to deliver in 8 months... so although really unlikely, it's still possible to deliver 3 kids in 16 months from 3 different terms.

  2. Karel P Kerezman · 1220 days ago

    Technically, Cryptic was the originator of the City Of Heroes games, but they're no longer directly involved. Paragon Studios took that over years ago, and account info is managed by NCSoft.

  3. emmdee · 1220 days ago

    They won't get back with you, they're pretty incompetent.

  4. Concentus · 1219 days ago

    As a player of Star Trek Online, I can tell you that 16 months ago Cryptic Studios was being abused by their owner at the time (Atari) and barely had enough funding to keep the game alive, let alone have a proper network security team. As much as the sale to Perfect World has turned the game into an eastern-style MMO grindfest with abundent over-monetization of game elements (*cough*lockboxes*cough*), at least they are finally getting the funding they need to amp up their security.

    If only they could use something other than CAPTCHA to keep bots off of the website...

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.