BioWare's Neverwinter Nights Forum Server Hacked
garatheus writes "The folks at EA/BioWare sent out an email this morning (GMT +2) outlining that their older Neverwinter Nights forums had been hacked, with a fair amount of user information stolen from the database — the likes of user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates. They do go on to say that 'no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers.' There's no pointing of fingers as to who might have done the compromising, though."
Re: (Score:2)
who cares anymore?
People that have or may have had accounts on that forum?
Re: (Score:2)
Guess they didn't find any sites related to Pong.
LulzSec (Score:1)
CD Keys? (Score:1)
Re: (Score:2)
Forum access and titles (NWN Owner, etc.) that showed up required the entry of CD keys to add to your list of owned games.
I don't care about their keys (Score:2)
Back when I signed up for their forum, like, I dunno, 6 or 8 years ago, I thought about this issue. At the end of the day, I decided that as long as they don't try some nonsense like invalidating my keys because *they* let them get stolen, I didn't care.
It's their forum, and their game keys. The keys don't protect me, they protect Bioware. They don't expose ANYTHING else of mine to any risk.
If they try to invalidate my keys for, e.g. online multiplayer, because of their stupidity in making people put the ke
Re: (Score:2)
I'll go contact a class-action lawsuit lawyer
Keep us informed. You'll have no problem with that. The email addresses for everyone will be out shortly. Note: Mine is a spam bucket that I only check after I sign up for some site so don't send to it multiple times in one day.
I got this e-mail... (Score:4, Interesting)
Re: (Score:1)
The NWN hack was reported last week. As you said, this batch seems to be the entire EA account list.
Re: (Score:1)
Oddly enough, I played NWN when it first came out, and had an active forum account, yet I didn't get notification when they originally were hacked. Now I get an email to one of my EA accounts that isn't attached to any games, but not the other.
Two weeks ago, however, I started getting daily spam to that other EA account, which almost never got spam before (or at least never got spam that wasn't caught by google's filters). It's all related to "games" too, although it appears to be gambling/online casino spa
Re: (Score:2, Insightful)
Actually it is harmful: while the company is out trying to figure out how and what got stolen, the hackers are trying the stolen passwords on users' email accounts and anywhere else that the user's email address pops up. Time is very important when dealing with these things so that the users can change their passwords as soon as possible.
Re: (Score:2)
Nice to at least see a company do a full disclosure quickly after a breach
You know what would really be nice? For a company to take a fucking look at their security and prevent this from happening. THAT would be nice. Seems like some amount of my information has been leaking on a weekly basis for months now.
I don't get it... (Score:2, Interesting)
I got the email this morning but for the life of me don't know why. I'd never played nor heard of Neverwinter before I got the email.
Email below...
"We recently learned that hackers gained unauthorized access to the decade-old BioWare server system supporting the Neverwinter Nights forums. We immediately took appropriate steps to protect our consumers’ data and launched a thorough ongoing evaluation of the breach. We have determined that no credit card data was compromised from the servers, nor did we
Re: (Score:1)
Either that, or someone who didn't want to use their own contact information used your eddress to register. I don't know why they'd bother, but, oh well.
Re: (Score:2)
I got it, too, and I don't remember using any forum, although I think I remember playing it years ago.
I suspected it was a phishing attempt of some sort, as although the link text goes to 'support.ea.com', the actual link goes to 'em.ea.com', with what looks to be a unique key in it.
Re: (Score:2)
I suspected it was a phishing attempt of some sort, as although the link text goes to 'support.ea.com', the actual link goes to 'em.ea.com', with what looks to be a unique key in it.
I thought that was funny too, when the same email warned to be careful about suspicious emails.
Happened a while ago (Score:5, Interesting)
I generated a unique e-mail address for Bioware forums way back when NWN first came out. I started getting spam on that address in the last couple of weeks. So it's likely this didn't happen in the last couple of days.
I got the e-mail from Bioware about the breach only yesterday.
Re: (Score:1)
My email from the Bioware forums presents only a click-through link, rather than including additional instructions for users to go to the root site and navigate to the password reset page.
I *never* click on links in email that imply they take me to a login or support page. You'd think that a competent admin would realize this is training their users for bad behavior.
Re: (Score:2)
I *never* click on links in email that imply they take me to a login or support page.
Excellent idea. I cut and paste the link and checked that it came from EA mail servers. But you're right, it's unprofessional of them.
Old News (Score:2)
Old news to you maybe... (Score:2)
Of all the games... (Score:3)
NWN1 is one of the few games that actually didn't suck. Bioware yanked all DRM except the CD key needed to get to use the multiplayer servers (which is perfectly acceptable), and supported the game for a very long time with not just fixes, but additional content.
It is sad to see this hacked -- one could easily get thousands of hours of entertainment with NWN1 just due to well written player made modules.
I wish the hackers could have nailed some game company that puts out crap instead of a game which has aged quite well and is actually still worth playing.
Re: (Score:2)
"I wish the hackers could have nailed some game company that puts out crap instead of a game which has aged quite well and is actually still worth playing."
So not like EA then... who sell horse armour?
Re: (Score:1)
NWN1 is one of the few games that actually didn't suck.
No, it sucked. 'Oh look, a room that's empty other than sixteen crates and barrels. Oh look, fifteen of the crates and barrels are empty. Oh look, I found a copper piece in the other barrel'.
I had to quit part-way through because I knew I'd go mad if I had to search through yet another room full of empty crates and barrels in the hope of finding something useful.
Re: (Score:2)
Single-player in NWN was pretty bland, but that wasn't its point. It let people with minimal map design experience create large, interesting worlds. Sure, it would still be rooms and crates and barrels (at least in the dungeons), but at that point it all depends on how well they can spin the story. And you could do a lot of nifty stuff there with scripts.
I never got into the MMO wave largely because for me it already happened back in NWN. I mostly played on Middle Earth servers which promoted strict rolepla
Re: (Score:2)
The game isn't hacked, only the forums are. You can still enjoy NWN as much as you always could.
Wasn't that forum shut down? (Score:2)
I believe that forum was shut down, and moved to Bioware's new Social site along with the Dragon Age and Mass Effect forums. If it's no longer possible to login and use that forum, the database probably should have been scrubbed of passwords and CD Keys and the like.
This seems to be happening everywhere (Score:2)
I'm getting way too many of these e-mails lately. I've had multiple companies send me e-mails to inform me their servers have been compromised. One of my accounts on another server was compromised last week as well.
I think that my biggest concern isn't what they might get out of an individual account, but what type of information that they can put together through cross-referencing information derived from multiple compromised servers. Birth dates, secret questions that might open up other accounts elsew
Re: (Score:2)
mother's maiden name must be relatively trivial to track down for most folks these days.
Fortunately my mother's maiden name is GMgDcbkxfT1Mk6T4znV3IQ.
But this is a pain because no-one in their right mind should be giving correct answers to these insecurity questions, but then they become yet more passwords that you have to remember for all these different sites.
Vindication! (Score:5, Interesting)
NWN was one of my favorite games, and one of the few I bothered to register on forums for. There was a lot of high-quality user generated content that was available. I was in their system, with CD keys, name, partial address, phone, (fake) DOB, etc.
About two months ago I decided to "clean up" my presence on the internet. Among other efforts, I went thru my mail archives for the last 7 years looking for references to anywhere I had created an account, posted messages, or had an identifiable presence.
Next, I created an anonymous, free Hushmail account. Just for paranoia's sake, I used a random proxy whenever I logged in there. I then logged in to every site that I had record of having an account on, recovering passwords if necessary. This included NWN forums.
Once back in, I changed all the login information to bogus info. Incorrect addresses, phony phone number, wrong dates of birth, random passwords and the disposable Hushmail e-mail address. Most sites needed confirmation on e-mail, so you just can't make something up.
The few sites that allowed it, I then deleted or disabled the account. Those that didn't are forever beyond my reach with false info and not tied to my e-mail address.
Only three remain, including Slashdot and GMail. I'm working on replacing GMail, and Slashdot I'll keep since it never had any valid personal info other than my e-mail (GMail) address.
Checking Hushmail shows I got a copy of the letter from EA, proving my efforts paid off. All the info is bogus. After July, waiting just to make sure I didn't miss anything, I'll let the Hushmail account expire and be purged.
My identifiable presence on the Internet will be only what I want it to be. With a little effort, privacy *can* be maintained regardless of what Messrs. Zuckerberg and Brin say.
Re: (Score:2)
Are you kidding? Have you seen the code quality and effort put into most websites? While I have no trouble believing Google or Facebook might keep histories or backups, most of the lesser sites just don't put that sort of effort or expense into their code and data. *MAYBE* a banking or investing site, but CNet
Re: (Score:3)
Most sites needed confirmation on e-mail, so you just can't make something up.
There's always Mailinator [mailinator.com] for quick disposable e-mail addresses.
Can NWN be just opensourced now? (Score:2)
Can't they just make the sources available so all the fans can go on improving the game?
Re: (Score:2)
I think the engine it used was used by other companies, which may make things hard to opensource it... Kinda like the unreal engine being used in multiple titles... I certainly wouldn't mind seeing them open source it, but I just doubt it will happen...
Re: (Score:2)
They started distributing it on gog.com fairly recently, so yeah they are still getting money for it.
Whaddya know? (Score:2)
I got one of those emails last night, and I presumed it to be some sort of phishing attempt, since I don't actually have any account on EA's or Bioware's forums. I simply deleted the email without clicking the link.
I may have used that email to register the product, but that was the extent of it.
Why bother having secure passwords? (Score:2)
Social Security Numbers? (Score:2)
Why would I give my SSN to a game company whose services I purchase? Why would they ask for my SSN?
If I don't give them my SSN then it won't be vulnerable to being stolen off their servers. That's the ultimate in security.
Grrr (Score:2)