Dungeons & Dragons Online - April 2013 Data Breach

[DefecTalisman]

I have just been made aware that my account along with one and half million others was part of a massive data breach of DDO. I would like to know why I wasn't made aware of this from Turbine at all. At the time I was a VIP member, had my card details and other personal details in your trust. At no point did Turbine make any effort to contact me or warn me that my information had been breached and leaked. Since this breach I have wondered why I have been receiving so many phishing scams regarding online games.
My wife who also trusted you with her card details and information joined only a little after the breach and she does not appear to have been affected.

Dungeons & Dragons Online
In April 2013, the interactive video game Dungeons & Dragons Online suffered a data breach that exposed almost 1.6M players' accounts. The data was being actively traded on underground forums and included email addresses, birth dates and password hashes.

Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity

I see LOTR members were also victim to a massive data breach only 5 months after the DDO breach and they too were not informed or warned:

In August 2013, the interactive video game Lord of the Rings Online suffered a data breach that exposed over 1.1M players' accounts. The data was being actively traded on underground forums and included email addresses, birth dates and password hashes.

Compromised data: Dates of birth, Email addresses, IP addresses, Passwords, Usernames, Website activity

Please explain to me why I was not informed or warned about this.

P.S. For any one else wondering if they had their information breached you can use this site to check -> https://www.haveibeenpwned.com/


EDIT: I have received a warning via PM for cross posting, nice to know that someone has taken the time to remove my posts but not answer my question.

[UurlockYgmeov]

if true, that would explain the spam.

if true, would have been nice to know so could have at least changed passwords.

if true

[Karadon_II]

Apr 2013? Wasn't this the month they made the forums use the game account log in, which caused *outrage* and *Doom* etc. I wonder if the tinfoil hats were actually right for once?

[DefecTalisman]

Apr 2013? Wasn't this the month they made the forums use the game account log in, which caused *outrage* and *Doom* etc. I wonder if the tinfoil hats were actually right for once?

This was brought up on the only post I can see relating to the data breach issue on the LOTR forum. -> https://www.lotro.com/forums/showthr...13-data-breach

[Kwyjibo]

If this is true, wow, just wow.

[Ague]

Really glad I regularly change my passwords and rarely keep CC/bank info stored on websites...

[RistoffDervish]

It seems to be true. I put in a couple of old emails and they showed breaches from myspace. My current one came up with DDO.

This is the kind of stuff we need to know about so we can take preventative measures and change passwords.

[Drwaz99]

It appears to be true for me, too. I put in a secondary email that I use for non-essential things/spam (and knowing it's had a couple of data breaches from various sites/companies) and it showed all of them that I was already aware of. I then used my primary email and it showed DDO breach for me as well.

Unfortunately, I'm not the least bit surprised Turbine never disclosed this.

[Loromir]

I have just been made aware that my account along with one and half million others was part of a massive data breach of DDO. I would like to know why I wasn't made aware of this from Turbine at all. At the time I was a VIP member, had my card details and other personal details in your trust. At no point did Turbine make any effort to contact me or warn me that my information had been breached and leaked. Since this breach I have wondered why I have been receiving so many phishing scams regarding online games.
My wife who also trusted you with her card details and information joined only a little after the breach and she does not appear to have been affected.



I see LOTR members were also victim to a massive data breach only 5 months after the DDO breach and they too were not informed or warned:



Please explain to me why I was not informed or warned about this.

P.S. For any one else wondering if they had their information breached you can use this site to check -> https://www.haveibeenpwned.com/

Not saying I don't believe you...but what is the source of your information?

[DefecTalisman]

Not saying I don't believe you...but what is the source of your information?

The only source I personally have is the www.haveibeenpwned.com site.

It seems Turbine kept this very much under wraps and there is very little information regarding it around. But like others here have done, I have used my many email's (I'm talking about a different email address for each signup for anything) to check and the things I was aware of like Myspace and LinkedIn reflect as a positive from the site. The only address I have used for DDO reflected positive for DDO. My wife who started playing a few months after the breach reflects as a negative for DDO.

My hunt for what was fishy started when I started playing a new MMO and within days of playing it I got a phishing email in relation to the game, but what was more fishy than the Chinese grammar was that it was to my DDO accounts email address and not the one relating to the game I had just started playing. Now before I started playing the game I had no clue it even existed and any emails that might have come in phishy form would have disregarded and not a single thought given to them as like I said I have been inundated with phishing emails regarding any type of MMO.

[DefecTalisman]

Interesting that there was downtime just at the end of March 2013 and also a report of downtime on the servers in April 2013 -> http://www.isitdownrightnow.com/ddo.com.html

[JOTMON]

Can't 100% trust anything on the internet...and really in this day and age how could you trust someone you do not know that your information is 100% safe and secure.

..Don't trust in the system..
..change passwords regularly..
creative use of false information returns interesting results.. like intentionally spell your name wrong and see what comes from who...

[DefecTalisman]

Can't 100% trust anything on the internet...and really in this day and age how could you trust someone you do not know that your information is 100% safe and secure.

..Don't trust in the system..
..change passwords regularly..
creative use of false information returns interesting results.. like intentionally spell your name wrong and see what comes from who...

As much as I agree with you (hence my multiple email accounts) an argument like that is pointless because unfortunately you can't fake your credit card details or the billing address associated with it.
This is why I have multiple TLD's with email forwarding, I am able to make up any email prefix on the fly when signing up for something. And yes you are right, things like this come from it because I am able to see that certain emails I receive are sent to a address which should have no relevance to the content.

[EazyWeazy]

I can understand turbine not being very communicative about their own plans or direction of the game, that's their prerogative even if I think its backwards and stupid. Taking that same approach with a data breach of user information is ****ing ******. **** them.

http://www.worldstarhiphop.com/video...S0tN13f8KF9ul1

[DefecTalisman]

Almost a full week, 500+ views and not a single response from Turbine.

[TitusOvid]

A reply would be great and since this could be a serious matter it would be a good idea even.

But I don't find any conclusive infos on that testing website so it could be fake, too. Just keep it in mind and don't post all your adresses there.

As for a official reply, I guess you have a long wait ahead of you. I am happy to be proven wrong.

[DefecTalisman]

A reply would be great and since this could be a serious matter it would be a good idea even.

But I don't find any conclusive infos on that testing website so it could be fake, too. Just keep it in mind and don't post all your adresses there.

As for a official reply, I guess you have a long wait ahead of you. I am happy to be proven wrong.

I am pretty sure the site is legit. All the address I have used to check it with have come through with what was expected of them as I had been informed from the sites that my data had been part of the relevant breaches, all except for Turbine and DDO.
Also if the site was fake, then wouldn't it be a good idea for Turbine to contact them and suggest they remove the listing of DDO as it is untrue along with making a public statement that it was untrue.

The list of sites that have been breached seems very comprehensive -> https://haveibeenpwned.com/PwnedWebsites and if these where untrue i'm sure some of these big names would have contacted them and had them remove the listings.

[Taimasan]

Why was I not informed about my data being breached. This is not a good look Turbine.

[Coyopa]

This doesn't surprise me and seems to me to be par for the course with Turbine. They don't give a **** about their customers in any form, and this simply proves that to be true. I do appreciate the link to haveibeenpwned.com, as that site informed me that my information had been stolen in the LinkedIn breach from last month - which LinkedIn hadn't even notified me about. So, I closed my account there, even though I changed my password there frequently.

[Amundir]

I would be highly surprised if this were true. Not reporting such a known incident surely would open them up to a class action suit.

Edit: Actually that may not be true. They may not be required to inform there customers of data breaches if they can be sure that the data lost did not include credit card information. Dunno, who of us is an actual lawyer,