Intruder compromises user database for Star Trek Online and other MMORPGs

Intruder compromises user database for Star Trek Online

Cryptic Studio logoCryptic Studios—the studio behind online multiplayer role playing games such as Star Trek Online, City of Heroes, City of Villains, and Champions Online—suffered a user account database breach 16 months ago and is warning users about it now.

According to a notice the company posted to their site and emailed to affected users, the unauthorized access happened in December 2010, and warnings are only being issued now due to “increased security analysis”.

The breach exposed user account names, handles, and encrypted passwords that the intruder was able to crack, at least in part.

The game company reset the passwords for all the accounts that it thinks were stored in the affected databases, but they’re not even particularly sure about what the intruder did or didn’t get his/her hands on.

From their notice:

"While we have no evidence that any other information was taken by the intruder, it is possible that the intruder was able to access additional account information. If they did so, the first and last name, e-mail address, date of birth (if provided to Cryptic Studios), billing address, and the first six digits and the last four digits of credit cards registered on the site may have been accessed. We have no evidence at this time that any data other than the account name, handle, and encrypted password were accessed for any user."


The investigation continues, and the company says it’s “taking even further action” to pump up systems and “redouble” its security vigilance and protections.

Unfortunately, that redoubled vigilance and protection doesn’t appear to include identity fraud protection for affected users.

The company is also reminding people to be wary of phishing expeditions that ask for personal or sensitive information, which Cryptic would never request.

From their notice:

"For your own security, we encourage you to be especially aware of e-mail and postal mail scams that ask for personal or sensitive information. Cryptic will not contact you in any way, including by e-mail, asking for your credit card number, social security number, or any other personally identifiable information. If you use the same password for other accounts, especially financial accounts or accounts with personal information, we strongly recommend that you change them."

I don’t like to pick on a company when it’s down, but this all strikes me as a little feeble. I sent a note to Cryptic asking these questions:

  • Why has it taken 16 months to discover this breach?
  • Was there no security monitoring prior to the security analysis that discovered the breach?
  • Is this discovery the result of the first time Cryptic Studios has analyzed its logs or used the services of a security firm or product?
  • What specific type of encryption was used to protect passwords?
  • Will Cryptic use a stronger form of encryption following the intruder(s)’ success at cracking encrypted passwords?
  • Why hasn’t the company offered identity fraud protection for users?

If Cryptic gets back to me, I’ll post their answers in the comments section below.

Cryptic’s notice about this incident begins by assuring users that “your privacy and security is important.”

Let’s see Cryptic put their money where their mouth is. If appropriate, let’s see identity fraud protection provided for those who were affected.

After leaving a database open for 16 months, it seems like a reasonable expectation.