NCsoft "master" account security compromised

If you have an NCsoft master account, it’s time to change your password. Seems like a pretty clear-cut case of incompetence from the NC application developers. I’ll be interested to see if they notify all of their customers in California and 20+ other states that require public disclosure when personal information is stolen. So far, most corporations have been resisting that law.

Oh crap! Somebody will steal all my Maple Story mesos.

If your account was penetrated, they also have your email address, physical address, phone number, answers to verification questions, and password. That’s halfway to identity theft.

Also, do you use that same password anywhere else, perchance? Like online banking, other games, Steam, or Gmail?

Unlikely, seeing as I supply bogus information to all sites which I have no financial stakes in.

As for the password, it differs from site to site, like some examples from the password thread.

My friend and guild leader had his NCSoft master account hacked and his AION character stripped of pretty much everything that wasn’t needed for them to bot with his character. He’s still waiting to see if he gets his stuff returned but this is very confidence shattering in the company…

How do you find out if your account was compromised if you haven’t played in a long time and don’t have any of their software installed?

I can’t even login to change it, heh

Yeh seriously. I remember setting up an NCSoft account to play CoH but hell if I can remember what my details were.

Yeah, I couldn’t remember my account name and password, so now I reset my password, but I think I might have had an old email account on the account, as the password reset email isn’t showing up in my inbox.

I think I’m totally locked out now, heh.

If you don’t use the same password on multiple sites and don’t play any ncsoft games, I wouldn’t worry too much about it.

Password can only be letters and numbers and HAS to start with a letter. WTF? Such retarded password policies invoke my nerd rage.

Does this affect Guild Wars accounts? From what I read, it sounds like it would have to be linked to a separate NCSoft account. I’ve never played any of their MMOs, so I don’t have anything other than a Guild Wars account.

Oh man, they stored the plaintext password instead of a hash? Now that is truly incompetent…

Well, according to the OP article, the problem is that accounts had access to other account privileges, so they could reset the password, but not see it.

Ok I figured out my password. Should I be uhh… changing it now or something?

Well, according to the article, that would be pointless. But on the other hand, why not, the article could be wrong.

Only if you have your Guild Wars account linked to your NCSoft account. Most of us did that to get the free storage pane that was given away as an anniversary present a while ago.
It’s the NcSoft accounts that seem to be compromised, not the Anet ones.

I just got back into Guild Wars recently, but have to admit I’ve dropped it now again like a hot brick. There’s no use in spending time and effort into unlocking things in GW to get the bonus items in GW2 if my account can be hacked at any time due to something I have no control over whatsoever.
At the moment my characters are dirt poor, so if they do strip out my account, there isn’t that much lost…

Edit: Pogo, you might want to change it anyway. They do seem to be putting other safety measures in place now. There’s always the chance hackers were compiling a list before going on a spree, and if you haven’t changed your password they might still be able to log in.
However, as long as you can still accidentally log into someone else’s NCSoft account, the new password isn’t safe either. So don’t use anything you use for other stuff you don’t want compromised, and change it again once this gets sorted. At least, that’s what I’m planning on doing.

I assume when you log into an account, legitimately or otherwise, you still can’t see your own password, though you can reset it. For this reason, it would be pointless to change your password, as a “hacker” who had exploited this bug wouldn’t be able to see it either; in fact still being able to log in to your account would be evidence of its integrity.

But if my assumption is wrong and they store or display your password in clear text in any way whatsoever, you’re screwed no matter what you do, as the whole thing is essentially insecure.

A few of my online financial accounts allow letters and numbers only and are case insensitive. These are major companies and not local credit unions or something (Discover comes to mind). Some even have a limit such as a maximum of 8 characters. It goes far beyond nerd rage, my friend. But storing a PW in plaintext server-side is pretty much the most grotesque and barest incompetence.

Thank goodness that NCSoft has good customer support (and that Steam saves CD keys!). I was able to get my email address updated and my password re-reset.