Turbine accounts may be hacked

Yeah, I didn’t click a link or anything – went to the website manually.

Trigger:
From http://support.turbine.com/ics/suppo...p?deptID=24001
you can click “My Account”
And it loads MyAccount.Turbine.com in a frame

The Certificate Warning you might get is because they are using code remnants of
something called CYRACLE TECHNOLOGIES from 2000.
And the Customer Support system is from Parature, http://www.parature.com/

@Razgon:

This is what their Password Form Field States.

“Must be between 6 and 16 characters in length, of mixed alpha-numeric characters only”

And the side bar states:

“Because this password protects access to your game subscriptions and billing information, you should use a combination of letters, numbers, and punctuation for maximum security.”

The javascript they use on the site contains the following:

var gAlphaNumericCharacters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890';
var gProductKeyChunkLength = 5;
var gProductKeyMaxRawLength = 25;
var gProductKeyMinRawLength = 15;
var gGameCardPrefix = 'GTC';

That said, it’s probably only used for GameCards, and above is some of the info you’d need to create your own I’m sure.
It could be that the web page will accept any type of password, but the web page states it only accepts AlphaNumeric.

So: it is messy.

That is because they are using an EMS solution for Mass-Emails, be it Marketing, Security Warnings and whatnot.
This Solution has click-tracking, and to track these clicks, even if it is redirects, they direct you to the solution first.
You can visit it yourself at: http://email.turbine.com/ems/auth/login/

The bolded parts are Unique to your “clickthrough”. The first one is probably the ID for each of the links in the email.
The second bolded is your customer ID, which I edited.

You can view it online if you click the link in the email.
http://email.turbine.com/hostedemail/email.htm?h=914537ddf9eacca4a7d94e77a9901627

Some companies automatically wrap all URLs in their emails through a marketing redirector so they can track stats, and that DNS name is handled by an email marketing firm (and presumably still under Turbine’s authority), so it’s not necessarily malicious. I wish they wouldn’t do that since people wind up getting mixed messages about fighting phishing and what to trust, but they do anyway.

I haven’t received any such email though, despite having a longtime Asheron’s Call account (but not LOTRO), but I changed my password anyway just to be safe.

Yeah - seems the email is legit after all.

What a mess.

@Instant - Okay, I don’t understand half of what you are saying, but I take it you have some web skills I don’t, and I’ll take your word for it. :-)

Well, I’m not clicking any goddamned links in emails. They should know better.

This, really. I know companies want to put links in emails because they want to make sure people get the correct address, but all it does is train people to click anything that looks official. They need to stop putting in links and force people to type out the address. I know it will be a painful adjustment, but it really needs to be done at this point.

FWIW the thread now says the email is not false. Making it, I guess, true.

As for the email, this is a valid email. Those of you who receive our newsletter know we use Bluehornet to send emails when we need to reach out to all, or a large portion, of the player base.

Sapience - Lead Community Specialist, The Lord of the Rings Online.

Still, a mess. I’ve changed my PW twice this morning, first because I WAS stupid enough to click the link in the email. Then again after going to support through the LOTRO client. The fact that the email was apparently legit doesn’t make my clicking the link less stupid.

Exactly, got this last night, but have had so many phony WoW emails I always go to them to do whatever.

Not putting the proper SSL certificate on support.turbine.com was incredibly unprofessional of them. Hell no, I wouldn’t proceed on a site like that. It does look legit at first blush, though. parature.com is the cert’s common name, and where turbine’s DNS servers point you. http://www.parature.com looks like the sort of company that handles these sorts of customer service issues.

But seriously: Bad cert when the Internet is in ‘SSL Paranoia Mode’? gg, guys. That someone hasn’t fixed this by now is even scarier.

Well, I thought I’d read somewhere that Turbine accounts may be hacked. However, anytime I get sent an email like the one mentioned in the OP, I never click through to get to the account. Instead, I go to the original site.

I have had my account hacked once, and even then I didn’t click through on the email that the company had sent me. I just don’t trust links.

I changed my password, but will check it again.

No, that thread states it is real: http://forums.lotro.com/showthread.php?425915-Watch-out-for-false-email-concerning-password!!&p=5756866#post5756866

As for the email, this is a valid email. Those of you who receive our newsletter know we use Bluehornet to send emails when we need to reach out to all, or a large portion, of the player base.

EDIT: Doh! Beaten to it.

Wendelius

Agreed.

Apparently parature provides their CS infrastructure.
Firefox spews this @ https://support.turbine.com

This is really funny to encounter, considering that the fake email tells you about a security breach.

This Connection is Untrusted

You have asked Firefox to connect securely to support.turbine.com, but we can’t confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site’s identity can’t be verified.

What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn’t continue.

Technical Details

support.turbine.com uses an invalid security certificate.
The certificate is only valid for *.parature.com
(Error code: ssl_error_bad_cert_domain)
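
Added example (not part of any post in this thread): a sketch of the hostname check behind ssl_error_bad_cert_domain, using RFC 6125-style wildcard rules rather than Firefox's own code. The function names and the hostname "customer.parature.com" are constructed for illustration; the other names come from the error text above.

```python
"""Hostname check behind ssl_error_bad_cert_domain (added example)."""

def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' may only be the whole left-most label
    and stands for exactly one label."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_host(hostname, cert_names):
    """Return (ok, explanation) for a hostname against the cert's names."""
    for pattern in cert_names:
        if name_matches(pattern, hostname):
            return True, f"{hostname} is covered by {pattern}"
    return False, (f"{hostname} is not covered by {', '.join(cert_names)}"
                   " (bad_cert_domain)")

# Name taken from the Firefox error quoted above.
CERT_NAMES = ["*.parature.com"]

if __name__ == "__main__":
    # "customer.parature.com" is a constructed hostname for contrast.
    for host in ("support.turbine.com", "customer.parature.com",
                 "a.b.parature.com", "parature.com"):
        print(check_host(host, CERT_NAMES)[1])
```

A vendor-hosted support site reached through the customer's own DNS name needs a certificate that lists that name; the vendor's wildcard alone never covers it.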

Thanks for the heads up.

Changed my password by going directly to the Turbine Support site and logging into My Account. Even though I don’t subscribe I still have unspent TP associated with my account. I tried to remove my CC from the payment options since I’m not a subscriber anymore, but I could not find a link anywhere that would allow me to do that.

I made no changes to my Turbine forums password as my username/password for the Turbine forums is different than the ones I use for my account. I make it like that for any online games I play, as I figure it’s far easier for someone to hack the usernames/passwords of the game’s forums than it would be to somehow crack the master users/password matrix for a game. If they’re different I don’t need to worry should the forums get compromised.

I didn’t get an email, but I changed my password just the same, Thanks for the heads up everyone.

He!.

Let’s remember this the next time somebody talks as “Game Software as a Service”. Game companies run services like monkeys on crack run monster-trucks on a parking.

postdata:
Sorry for the full quote. But this is a W. T. F. of epic proportions that required a fullquote.

I’d pay to watch this.

I got this mail. I also got one from SOE (bleh) about one of my old SWG accounts being closed for too many failed login attempts. So hm. It does turn out my old LOTRO account has the same username as that SWG account. So this is what I did.

  1. Changed all my passwords to random (sort of) numbers, letters, symbols on -everything- I can still access.

  2. Left my SOE account closed. Fuck you anyway, Sony.

  3. Took all my payment things off of Xbox Live. Which turned out to be really easy for me as compared to all the stories I’ve heard otherwise.

  4. Called my bank, canceled my CC for one with a new number.

So, I think the new rule is, if you’re gonna make an MMO, secure your shit, would ya? FFS.

I dropped a note to Turbine to delete my CC particulars.

This is the first authentic break-in mail I have and it’s made me rethink giving my CC particulars to just about anyone.

I had my LOTRO account hacked once (fun times to lose all my junk, but hey, it’s just digital stuff), and changed the password yet again.

I just don’t understand why everyone seems to make removing CC info so damn hard.