Tobold's Blog
Thursday, April 26, 2012
 
Cryptic fail

Cryptic wants you to know that their database has been hacked, and you better watch out for the various negative effects that could possibly have on accounts where you used the same password, or on your credit card. Oh, and by the way, that database hack happened in December 2010, and Cryptic sent out the warning on April 25, 2012. Because it is inconceivable that the people who hacked them could possibly already have used the information they found, Cryptic decided it wasn't worth warning us before. Fail!

Comments:
This kinda highlights how important it is to diversify your passwords and make sure that you are security conscious at all times. The 17 month delay is quite despicable indeed.
 
Use a password manager.
(unless you have an amazing memory for 100 different sites)

There are many different systems here, any is better than reusing the same old password.
http://lifehacker.com/5881113/today-is-change-your-password-day-celebrate-by-upgrading-your-password-system?tag=passwords
 
I don't think this email came from Cryptic.

You might want to take a careful look at that email. I received it as well, but if you mouse over the link to https://www.champions-online.com/user/password in the email you will see: http://click.email.perfectworld.com/?qs=81a647d0541d07a6c397055214a91cd7f30386e9e800b1d78724d0d099118dd5

This is a pretty standard technique for a 'phishing' email. If you followed that link, you may have exposed your information to hackers.
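The hover check the commenter describes (compare the URL shown in the link text with where the href actually goes) can be done mechanically over an HTML mail body. The script below is an added example, not part of the post or its comments, and the e-mail body it parses is constructed: the tracking host is a placeholder, not the real address from the notice. It flags every anchor whose visible text is a URL naming a different host than its href, which is a cue for a closer look rather than proof of phishing (as later comments point out, a redirect through the parent company's domain turned out to be legitimate here).

```python
"""Flag HTML e-mail links whose visible text points at a different host
than the real href target. Added example; the e-mail body is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail body: the first link shows one host in its text
# but its href navigates to a placeholder tracking host; the second matches.
SAMPLE_EMAIL_HTML = """
<p>Please reset your password at
<a href="http://click.example-tracker.test/?qs=abc123">https://www.champions-online.com/user/password</a>
or visit <a href="https://www.crypticstudios.com/securitynotice">https://www.crypticstudios.com/securitynotice</a>.
</p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host part of a URL, or '' when the URL has none."""
    return (urlparse(url).hostname or "").lower()


def find_mismatched_links(html):
    """Return [(visible_text, href), ...] for anchors whose visible text is
    itself a URL and names a different host than the href really goes to."""
    collector = _LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        # Only compare when the link text looks like a URL the reader would trust.
        shown = _host(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != _host(href):
            suspicious.append((text, href))
    return suspicious


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"shown:   {text}\ngoes to: {href}\n")
```

Run against a saved `.eml` body and review each flagged pair by hand; a mismatch caused by a mail provider's click-tracking redirect looks identical to a phishing lure at this level, so the host the redirect belongs to still has to be checked.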
 
Perfect World acquired Cryptic a bit over a year ago. Perfectworld.com is in fact the legit address.
 
http://www.crypticstudios.com/securitynotice in case you were suspicious of the mail. They have an official statement. And yeah, Cryptic was acquired by Perfect World in late 2011.

It's definitely 'interesting' (disappointing/suspicious) timing on the face of it, but hear them out.

They claim to have only just discovered it, as part of a more intensive security analysis.

Given that the big Sony hack of 2011 resolved only a few months before acquisition by Perfect World, the timing makes a bit of sense. Cryptic were probably in internal lockdown at the time, with no major spending or process change to be allowed during the acquisition. Prior to that, odds are good they weren't on the best financial ground to be looking at any intensive security systems anyway, and all online companies got a lot less complacent mid-2011.

Fast-track a month after the ink dried (Aug11) for the dust to settle on the acquisition and CEO/senior management team to jerk each other off by coming up with their visionary new strategic policy, and for operations-focussed managers to start thinking about interpreting that into implementation into operational policy.

The company starts taking bids on security offers (because this sort of specialist security is usually sourced, rarely developed in-house), allow the successful bid to do their analysis and offer recommendations, another month for approvals and budgeting, then the work begins in earnest...

First things first, all data is quarantined, new security systems are implemented to safeguard current user data, then the legacy databases get analysed for previous intrusions to identify weaknesses/and/or data to hand to law enforcement for prosecution (easier in the case of internal/social engineering) or sources of repeat intrusion attempts, working backwards. Backwards, because more recent attempts have priority over older – for the fact that older intrusions have likely already been acted upon or more of the relevant details already out of date, such as credit card expiries and so forth.

Someone hits something suspicious in the legacy audit, foists it up to management and their corporate liaison, client company (Perfect World/Cryptic) management is made aware, meeting with security about impact on current security, details are passed between grunts, a media person gets assigned to a techie to draft a public statement, they’re given a few hours back and forth to collate the data and make it understandable to lay-folk, media release goes up, individual emails go out, media person sighs and puts their phone to voicemail for the rest of the week, advising people (canned) responses can be received via email, while the self-righteous blogosphere, hungry for outrage, collectively goes apeshit for the third time today.

…If I were to hazard a guess.
 
Cam is probably right... but it might have behooved Cryptic to explain the situation ass nicely as Cam did!
 
That was meant to be "as nicely".
 