Turbine/LOTRO Accounts may have been exposed

neath:
Looks like a security screw-up has occurred, as rumored on the web. See the official take/announcement at

http://www.lotro.com/news/latestnews/1497

Change those passwords and let's hope the breach was discovered before harm was done.

Orophor:
Nice catch Neath, you scooped Massively.com:
http://massively.joystiq.com/2011/10/17/turbine-addresses-lotro-forum-security-concerns/

Orophor:
And the official response is covered here:
http://massively.joystiq.com/2011/10/19/turbine-explains-recent-lotro-forum-security-issue/

One thing that caught my eye is that the database stores passwords in a format that Turbine can see, which is a bad practice. A password is only secure for use in authentication if the owner of that password is the only person that knows the password. The database at Turbine ought to store a salted one-way hash of the password.

Digger:
I had no idea Turbine kept pswds in clear text. Where did that idea come from? Even small companies store pswds encrypted.

Digger
