Turbine has released an update to their forum status stating:
We have identified a potential issue in the forum system. As a precautionary measure we have disabled our forums while we investigate. We will bring the forums back online when we complete our work. We thank you for your patience.
Please follow us on Twitter @LOTRO or like us on Facebook to receive updates during the maintenance.
There are some rumors on the “LOTRO Community Forums” (via Contains Moderate Peril) stating that it might be related to a possible security breach. Whether this is true or not remains to be seen, but I would imagine that if it does turn out to be true, we will see a press release sooner or later stating this.
We have no official information from Turbine as to why their forums are offline (the rest of the my.lotro site is still operating) or what the potential issue is.
I myself am not prone to overexcitement, but I personally went over to my account page and changed my password just to be on the safe side.

October 12, 2011 at 3:06 pm
Thanks for the tip Merric. Changed my password immediately.
October 12, 2011 at 3:07 pm
I might change mine too.. just to be on the safe side….
October 12, 2011 at 3:15 pm
Hum, I just tried to change mine, and the my.turbine account manager keeps saying my old password is wrong, so it will not let me change it.. of course, I used my password to log in… hum… the plot thickens…
October 12, 2011 at 3:26 pm
The same thing happened to me. ::Worried::
October 12, 2011 at 3:29 pm
It is a known error today. If you got the “The old password you entered was incorrect. [err: -1006]” message, you were quite likely successful.
Try to relog into the account system with your new password to see if it works.
October 12, 2011 at 4:08 pm
something went wrong.. could not log into game or to my account.. had to do the forgot password thing.. changed it to what I wanted to change it to in the first place and it worked.. I tried to log into both with my old and what I wanted (and did change) new one.. very odd.. anyway I’m updated…
October 12, 2011 at 3:09 pm
Pre-disgruntled players telling everyone, in absence of official information, that there has been a security breach? Smells like FUD to me, honestly.
Not saying there hasn’t been, just that the source for the hacking story is hardly trustworthy.
October 12, 2011 at 3:10 pm
I can’t change my password, work blocks the lotro accounts website.
October 12, 2011 at 3:19 pm
Changed my pwd too, [ihope] just in case ;=)
October 12, 2011 at 3:25 pm
I just went and changed mine. Can never be too safe.
October 12, 2011 at 3:41 pm
I found it amusing that just after they added the thread saying they want to hire new developers that the forums mysteriously were brought off line
October 14, 2011 at 8:36 am
lol that is funny even if in a disturbing way
October 12, 2011 at 3:42 pm
I changed mine as well. From what I’ve gleaned, there was a security vulnerability found by a player. That player sent an e-mail about it, but was ignored. Eventually tweeted the detail to Sapience and the forums came down shortly after that. So my take on it – there’s been a security hole for a long time, and someone forced turbine’s hand in shutting down the forums/ fixing the hole.
October 12, 2011 at 3:43 pm
They should have never made the forum login the same as your account login. That’s just ASKING for security trouble.
October 13, 2011 at 7:48 pm
I agree. I’m called a rabid fan a lot on the official forums but let’s be honest even a fan can see this isn’t a great thing to do. I remember in earlier days when new players would complain that they had to come up with two accounts to play the game and some would get confused about which was a private account name and which was the one everyone would see. At the time we had people point out that this was actually a good idea.
So why did it change? Maybe someone thought they’d avoid the confusion and complaints if there were just one account? I don’t think that’s it though. Players like to think that companies are highly coordinated entities but in reality they’re just as confused and mixed up as anyone else. So instead of a big Turbine Executive Memo that demanded the logins be changed I suspect it was just the web design team that did this on their own. Possibly it was a directive from the IT side of WB that just wanted everyone to be using common software to cut licensing costs.
Common logins for game and forum were the only things that messed up with the new forums. Quite a lot of players just hated it, it was slow, it was more difficult to use. And yet it hasn’t changed. Making me think it was indeed an IT directive to use a particular brand of forum software.
Contrary to some opinions out there, being purchased by another company does not give you a lot of cash. The new owners of companies very often start to tighten the screws, merge staffs, ignore the side teams that don’t seem critical to the bottom line, etc. So the lotro web team may actually be short of budget and unable to fix things like they’d like.
October 14, 2011 at 8:37 am
+2 to the op in this — our game account names and passwords should NEVER have been used as our forum ones, worst security idea ever
October 12, 2011 at 4:07 pm
Is there a way to remove your billing information from my Turbine account? I’m not currently on subscription anyway so I would feel safer if I could remove any info that ties my account to my real life…
October 13, 2011 at 8:59 pm
Contact Account Support via http://support.turbine.com/ to have existing payment methods removed from your Turbine account.
October 12, 2011 at 4:31 pm
The issue popped up yesterday in the German forums on lotrocommunity.com – recently a lot of accounts on server Morthond got hacked, someone decided to investigate and found a way to get database access via SQL-injection. The user was able to read account data, emails, password hashes and credit card info from the lotro community database. It is rumored that the issue is linked to the transfer of accounts from Europe (Codemasters) to Turbine a few months back…
Some screenshots with database content were published and later removed by board admins. The user tried to get Turbine into action by reporting his findings but his warnings seemed to have been ignored until he made the issue public.
October 12, 2011 at 5:00 pm
Yep, that’s roughly the chain of events. We removed the methods and results of the investigation to prevent the typical “script kid” from abusing them. As “disgruntled” (to use Joshua’s words) as we might be over there, we don’t want to see other players harmed.
October 15, 2011 at 4:18 pm
I changed my account password as soon as I saw this – then this morning, it occurred to me that I should check my credit card account that I had mapped to my Turbine account. Lo and behold – fraudulent activity galore, starting on October 11th. Apparently my bank’s anti-fraud department has been trying to get in touch with me but could not due to me ignoring my voicemail (duh-oh!).
Cancelled my card and I have started the identity theft war dance.
This could be totally coincidental to the Turbine issue but I wanted to say thank you to Merric & Goldenstar for bringing this to my attention, as well as to Dee for describing the potential information disclosed.
I would highly recommend people double check their payment accounts for their own peace of mind.
Thanks again everyone – your comments have saved me a bunch of grief!
October 12, 2011 at 5:01 pm
Here’s the thing, if there really was some serious breach into the account system then bringing down just the forums (as opposed to the whole site and/or the log-in server) can’t really help with that, can it? Unless everything but the forums is hacker-proof.
October 12, 2011 at 11:29 pm
Exactly, and all of Turbine’s forums have gone down, so it’s unlikely to be related to anything done for lotro, such as the Codemasters transfer. But that’s not going to slow the conspiracy theorists down at all is it?
And the knee-jerk reaction to change your password (when only the hash was (possibly) exposed (apparently)) is only needed if you’re silly enough to use the same password for an online forum as you use for something actually important.
October 13, 2011 at 4:56 pm
Stu, the LOTRO official forum account and LOTRO account is the same. If your forum name and password are stolen, so is your LOTRO name and password, including the credit card you have on file (which cannot be removed except by replacing it with another credit card). Maybe it’s “knee jerk” but I’d much rather spend two minutes changing my password than spend a few hours on the phone debating fraudulent charges with my bank.
October 14, 2011 at 12:14 pm
A surprising number of web sites do it wrong, but hopefully Turbine isn’t stupid enough to store your password itself. Any halfway decent password authentication system stores an irreversible hash of the password instead, and chooses a hashing algorithm that is computationally expensive to prevent brute force attacks.
October 13, 2011 at 7:35 am
If the problem was an SQL injection vulnerability then taking down the forums will probably prevent it. I’ll be moderately surprised if that’s really all it is though. SQL injection is such a common attack that it seems unlikely that it hadn’t been tried before now. If there was some upgrade to the forum software for international use I suppose it’s possible that opened up some type of hole that wasn’t there before.
October 12, 2011 at 10:24 pm
For the love of all that’s holy!!! I wish they would implement authenticators!
October 12, 2011 at 11:11 pm
Someone just linked this on Massively. http://tweakers.net/nieuws/77371/databaseserver-lotro-was-toegankelijk-voor-anonieme-gebruikers.html
It looks like the rumors of hacks are true. The following is a translation:
“The database with account information and the official forum of Lord of the Rings Online login details were not available to internet users. Also, the forum open to sql injection. Developer Turbine has either taken offline.”
“User ‘Freundlich’ the unofficial forum LotroCommunity discovered that the account database of the Lord of the Rings Online mmog was vulnerable to SQL injection attacks. The database was both the game’s official forum used and includes usernames, md5 hashes of passwords, IP addresses and personal data. There were also payments data are available. User Amrundir discovered that the database via the Internet for all to access.”
“The user has the leak reported in developer Turbine, the database is taken offline and forum. Turbine just announced via Twitter that the forum is currently unavailable. The forums of Asheron’s Call and Dungeons & Dragons Online, which also come from the stable of Turbine are currently unavailable.”
“Turbine introduced in December 2009 Siege of Mirkwood expansion and thereby took a new community website to use. With this new website were gamers forced to the same username-password combination to use for the game and the forum, something the developer had to endure criticism. Turbine took over on June 1 the management of European LotrO on Codemasters servers and added them together with its U.S. servers and services.”
October 13, 2011 at 4:13 am
Oh, so the forum engine is indeed screwed. Very well. On the other hand and no ill will intended, Amrundir must be aware he will most likely be banned for this.
October 13, 2011 at 8:25 am
If they had told turbine of the problem and got no response then in some ways I can see that they thought they were doing the right thing. Not having seen the screenshots in question I don’t know if they’d be tweaked to obscure either names or whatever.
Yes they should have a wrist slapped for the initial breach where they took the screenshots but I don’t feel they should be banned unless proof is found that they themselves took advantage.
The authenticator is a nice idea however given that turbine has moved everything stateside I’d wonder about the cost of it. I got one for my wow account around the release of wrath and the postage on it was more than it cost to buy and that was from inside the EU.
October 13, 2011 at 9:59 am
What is an authenticator? How is it obtained and how is it used? What does it do?
October 13, 2011 at 11:10 am
Authenticators were used by WoW to fight account hacking. A purchasable USB stick with LCD digits (or free smartphone app) linked to your account would randomly generate numbers every 20 seconds that you would enter in a second box after your password on the login screen.
October 13, 2011 at 11:19 am
An authenticator is a way to prove to a computer system that you really are who you are. WOW and EQ use them.. basically it’s a small USB sized device that you add to your account, then when you want to sign in, you have to get an authentication number from that device and enter along with your password, if your number does not match (it changes with each login) you can’t access the game…
October 13, 2011 at 11:25 am
Some editions of Star Wars: The Old Republic are also shipping with an authenticator.
I think the one for WoW cost something like $10, which I would gladly pay if LOTRO would use them.
October 13, 2011 at 2:32 pm
Ok so conceptually it’s the same as the RSA token that I use to log on remotely for my job. Thanks!
October 13, 2011 at 9:55 am
I would not change my password just now, what if the hackers can still watch the DB’s? I mean if you can change your password the DB is still live, and it’s the DB they breached no?
will see how it goes, as long as we can play the game I’m happy!
October 13, 2011 at 5:03 pm
Then they have your new password, but how’s that worse than them having the old one? Unless you reuse passwords (which isn’t recommended) there’s no downside to changing your password. If shutting down the forums closed off the hole, or any malicious hackers have already dumped the database, then you stand to gain. (AFAIK the only known hackers were those trying to point out the security hole, but once the hole was made public it could have been exploited by others.) In most cases the passwords will be cracked from a local copy on the hackers’ computers, not the live copy on the LOTRO servers. So they “dump” it onto their computers and try to crack as many passwords as they can. If they crack your (old) password and it doesn’t actually work because you have a new password, they shrug and move on. Most players won’t change their PWs and they’d be looking for the low-hanging fruit. Of course if you’re going to change your password now, you’d want to change it after the hole has been sealed for sure too, in case they dump the DB after you change your PW. (Some hackers will just sell the database dumps for others to crack, so it could be some time between the breach and the account thefts.)
October 13, 2011 at 9:25 pm
I miss the forums very, very much right now. I feel like I’ve been stuck in the game for the last couple of days. Thanks to the new expansion there’re a few things that I really want to look up, like the ‘Battle of Dol Baran’. All searches send me to the forums, and that sad page of sadness. Oh, the angst.
October 14, 2011 at 3:12 pm
To me, the biggest problem is the invisible NPC in the Bonevales. What’s his name, Ilan or something? Can’t turn in the quest because only his gold ring is visible, like the Cheshire cat’s grin, and can’t figure out what to do because the necessary info is on the forums and not available.
October 14, 2011 at 5:26 pm
He gave you more than one quest… when you’ve completed them all, then you should be able to turn them in.
October 14, 2011 at 8:43 pm
As far as I can tell, I have only one quest from Ilar: “A glimpse of the fall”. Nothing else in the Bonevales, and no other quest with his name that I can find.
October 14, 2011 at 3:41 pm
Any word from Turbine yet? And will they let us know if our info was leaked?
October 14, 2011 at 7:46 pm
Regarding your own break in/hack of this site, what is the worst that could have happened to readers?
I’ve run some malware scans, and everything has come up clean (except for the usual tracking cookies). I’ve done the “fine tooth comb” thing … even getting rid of daemon tools which was doing some weird things.
But is there anything for us to be concerned about?
October 15, 2011 at 3:40 pm
If you have scanned your own computer, you’re probably fine. A couple of people did say that they were prompted to go to sites where a download tried to initiate, but they cancelled out of it. So as long as you didn’t download anything and you have scanned your computer you should be fine. We don’t store any user data.
As for our server, that is where the infection took place and it looks like that is the only location where there were malicious files.
October 14, 2011 at 8:24 pm
Update post – http://www.lotro.com/news/latestnews/1497-forum-maintenance
“Recently, we were made aware of an issue with the security of our LOTRO community web applications….We are continuing to investigate and the forums will not reopen until this work is complete.”
“As an additional precaution we recommend that all players change their passwords by visiting http://myaccount.turbine.com. ”
Looks like the suggestion to go ahead and change your password is indeed a good precaution.