Yesterday, I stumbled over a post on the German subforum of the unofficial Lotro community (you can read everything without signing up, by the way!). You can find the thread here and a rough English translation here. All in all, it seems that there could be, or could have been, a security issue on the official Lotro forums. The forum database could have been “open”, granting access to usernames and passwords. The user who reported it on the unofficial forums had apparently posted on the official forums first, but that posting got deleted. No reply from Turbine to him or to anybody else who asked about it.
Then yesterday evening (European time), the Lotro forums went down. Several hours later, we got one tweet about it: “The LOTRO Forums are currently unavailable. We do not have an ETA for their return at this time.”
The official forum tells us this: “The LOTRO Forums are currently down for maintenance. Thank you for your patience.
Please follow us on Twitter @LOTRO or like us on Facebook to receive updates during the maintenance.”
The thread on the unofficial forum has people saying that when they asked on Lotro’s Facebook page whether they should change their passwords etc., the postings got deleted really fast. That’s weird, if you ask me. I also went to their Facebook page to get more information and, oddly enough, I didn’t find any mention of the forums being offline at all. Not even a mention of said forum maintenance. So the only message we’ve gotten so far is the one on the official forums directing us to Twitter and Facebook. And Twitter is the only one of the two with at least one short message.
Security issue or not, that’s not a good way to inform your customers of what’s going on! I think it’s weird to take down the forums for maintenance and keep them offline without telling us when they could come back and, most importantly, without telling those worried about security issues that there’s nothing to worry about.
My advice would be to change your Lotro password soon. And if you’ve made the mistake of using your Lotro password on other websites/for other accounts as well: Change those as fast as possible! One shouldn’t have the same password for different accounts anyway. Who knows which site gets hacked next?
Edit: Just found this thread – again, German, sorry. It seems that the user “freundlich”, who first wrote about the security issue, backed it up by posting user data (username, IP address, email address and password hash – Valandir says they’re salted) on the unofficial forum (which got deleted by the moderators). For now, everything points to a security issue.
Edit 2: Here’s a link for the Dutch-speaking Lotro players.
Edit 3: We finally got an update from Turbine: “We have identified a potential issue in the forum system. As a precautionary measure we have disabled our forums while we investigate. We will bring the forums back online when we complete our work. We thank you for your patience.”
Edit 4 (October 15): They finally admitted that it is an “issue with their security”. Change your password as soon as possible if you haven’t done so yet! No need to panic or anything. As far as we know (from the person who found the security breach), the passwords are hashed and potentially even salted. So they can’t just be copied and pasted! ;) Still, the issue still means that people did have access to your user information (user name, password, email address), so take it seriously enough and don’t sit on your old password just because you finally managed to memorise it. ;)
I really want to go change my password but not sure if it’s a good time or if I should wait until the forums are back up. Wish they’d say something to let us know. Would have huge admiration if, should it IS a security issue for sure, they tell us so we can know to change our passwords.
If you’ve used the same password for other accounts, then changing those would at least be a good idea.
I’m not sure either if I should think of a new password now or if it doesn’t change anything because the security hole would still be there. Then again, maybe it’s not because the forum is down?
I’m just very much alarmed because they do not say that it’s NOT a security issue. If it really wasn’t, they could just say so. But this silence… is strange.
They have always denied any security issues from what I recall. I don’t remember them ever acknowledging having security holes, and I doubt they will acknowledge this one either. What you should expect to see in a day or so is a blurb in the forums and/or the client stating that you should periodically change your password as a general security precaution, or something to that effect. I’d be astonished if they actually admitted their system was breached.
I and others have received spam in the past at email addresses that we ONLY used for lotro and that we used nowhere else. I have a hard time believing this is their first security breach, and I doubt it will be the last.
I love the game but hate their poor security.
I was a bit shocked when they changed it so you have the same password on the forum as you use for the game. That’s… just a terrible idea, nothing else.
I’m curious if they’ll say something about what happened or not. But I’m almost certain that we will not see additional security measures in the future… unfortunately. :/
*pulls his tinfoil hat on snugger and carefully peeks out through a tiny crack in the blinds covering the window*
>there is a knock at the door<
*checks that shotgun is fully loaded before leveling it at the door* "Who is it?" (said in a friendly, almost musical fashion.)
Thanks very much for reporting on this – you’ve done a great job summing it all up! I’m trying to get the word out – I’ve featured this article on the MMO Melting Pot, and Twittered/Reddited/etc.
Hopefully nothing too serious happened, but it’s starting to sound extremely concerning. I’m certainly changing my password!