Gameforge's data leak

    • Mafkees wrote:

      My foremost question is the following: how can players know whether or not they have been affected and has GameForge notified every single affected user that there has been a security breach wherein their personal information was compromised?
      This kind of data is only relevant to the .us boards in this matter, and all received the email cited above, those should check everything, yes. Luckily no other board or game was affected.

      I honestly do not know if all users could be notified - if, then not to my knowledge. I think you have to wait for another statement there, a few hours though as it is past midnight now.
      Gone as BA.


      Thank you ruby_kirby, you are a true artist. :)
      Be head to serve, not to reign (Bernard von Clairvaux)
    • umakhelwane wrote:

      Troll wrote:

      Tirnoch wrote:

      As far as user privacy is concerned, only email addresses of users on the .us board were leaked, as well as some support/ingame cases about some players.
      Not sure if you took the time to stroll through the data, but just for fun I did. And your claim is wrong. You can find usernames, email addresses, previous email addresses (of people who have changed it) and IP addresses. I can currently tell you most of the BA/GO/SGO IP addresses since they are all listed there in a nice to read .xml format. You can find names of banned players, players that have received warnings (I know this is not so sensitive data, but it is data nonetheless).
      I urge you to take the time to look into the data before commenting.
      Not sure if you took the time to properly read the posts in this thread, but it's about passwords being leaked. I'm happy you got so excited after being able to click a download link and some html files, though.
      Not sure if you just like trolling or were actually born like that. I would go with the latter but what do I know...
      My reply was to the specific statement of Tirnoch claiming that ONLY email addresses and some support/ingame cases were leaked.
      I have made my point very clear, and yes, I can click a link. hurray me. But guess what, I can also read.


      Tirnoch wrote:

      Troll wrote:

      You can find usernames, email addresses, previous email addresses (of people who have changed it) and IP addresses.
      Oh look I forgot to mention IP addresses, how dare I talk about things I don't know
      Which personally to me, is quite important.
      You do know your IP address is like a home address right?
      I wasn't being sarcastic, I was trying to educate the people reading this post not to take this matter as lightly as you seem to be, maybe you were not affected by the leak, good on you, but I was and so many other people as well.

      Take it as you will.

      The post was edited 1 time, last by Troll.

    • Cassandra Vandales wrote:

      This kind of data is only relevant to the .us boards in this matter, and all received the email cited above, those should check everything, yes. Luckily no other board or game was affected.
      Right, but most of the people who received the cited e-mail probably have no idea what's going on. In all brutal honesty: given the declining trend in OGame player count over the past several years now, odds are the majority of the people who received that e-mail are no longer interested in OGame. Therefore it's not fair to presume they will visit the boards and proceed to plow through the ever-changing board layout in hopes of finding an official statement regarding the matter.

      A situation like this warrants an official statement where it is GameForge's obligation to try their best to actually reach the affected people. A short board post does not suffice. An extensive explanatory e-mail should be sent, using the same target list that the hacker did.
      If every fool would wear a crown
      I would be a king and not a clown

      The post was edited 1 time, last by Mafkees.

    • Mafkees wrote:

      Cassandra Vandales wrote:

      This kind of data is only relevant to the .us boards in this matter, and all received the email cited above, those should check everything, yes. Luckily no other board or game was affected.
      Right, but most of the people who received the cited e-mail probably have no idea what's going on. In all brutal honesty: given the declining trend in OGame player count over the past several years now, odds are the majority of the people who received that e-mail are no longer interested in OGame. Therefore it's not fair to presume they will visit the boards and proceed to plow through the ever-changing board layout in hopes of finding an official statement in the matter.
      A situation like this warrants an official statement where it is GameForge's obligation to try their best to actually reach the affected people. A short board post does not suffice. An extensive explanatory e-mail should be sent, using the same target list that the hacker did.

      I actually don't disagree :) The .us boards are currently not available, the information here and on other boards was simply for the users here and the other boards (all GF boards were taken down for the weekend), the .us boards are being handled differently.

      I know of course that many .org people are also over at .us, and I absolutely understand the need for clarification. It is a mess for sure, I saw those files myself, but I can assure it was really "only" the .us boards, and the news here was only because of the downtime.

      I guess that a COMa statement can come as of tomorrow (a few hours from now), not before.
      Gone as BA.


      Thank you ruby_kirby, you are a true artist. :)
      Be head to serve, not to reign (Bernard von Clairvaux)
    • Since I am on .us, it's been 11 months since my last log in, and on Origin I only got one email. I read most of the Discord chats and looked over some of what was taken,
      and I am pretty sure some .us and game players will be going to jail, and board users as well. Do I know who, what, why and how? No, I don't. I am under an assumption
      of an event from 8 months ago, and another about a year ago. But again it seems to be fixed and the boards are back up. I have no doubt the fine will be in the 25kk range, and the wake-up call may get some things fixed in short order. So if you're not on .us or .De then don't worry about it.


      ogame.support.gameforge.com/en
    • Troll wrote:

      You do know your IP address is like a home address right?
      lol no that's totally inaccurate, your IP address on the internet is the location where your ISP is providing the service from, generally it's close by - well mine is 15 miles away, your ip-address also changes every time you power off the router (or get a power cut) ... personally I didn't click on the link in the email - that is a very risky way to live as the simple rule is never open links from people you don't know, it could contain malware / virus / ransomware etc ... I changed my password about 15 seconds after I had read the email ...


      Best Solo - 1.4bn Profit - Uni1.us #3
      Best ACS - 5.7bn Profit - Rigel.org #1
    • Well, if you want to get technical about it, let's. Your internal IP address does change since it is a dynamic IP (in most cases).
      As a norm, your ISP IP address is a fixed IP address that does not change (unless your ISP decides to). You can reboot your router as often as you want. Try it. At least not in the UK. (There, I leaked my location)
      Your ISP IP does give out a geolocation of the area you live in (it does pinpoint an exact address, although it might not be accurately yours). Mine is a scary 2/3 miles out. Enough to make anyone nervous. So I'm not totally inaccurate. Comparing an IP address to a home address is just a simple way to explain it.
      And about clicking on the link? I love living on the edge :D
    • I'm not surprised this happened, in fact only surprised it didn't happen sooner tbh

      After all, some should remember what happened to Blackmass' Quantum account last year, who at the time was also .org's BA. Luckily, nothing happened to the boards that time.

      piink wrote:

      This affects users of OGame US and OGame Origin only.
      This is an interesting statement, when we're often driven to Origin for stuff like new game mechanic suggestions, bugs and whatnot. And let's face it, many players play or have played in both .org and .us, at some point or another. So I'd say a part of org has also been affected by this.


      Worse than having a problem, is to underestimate it and not deal with it properly. If nothing is done, this may not be the last case of security breaches...

      Anonymous Potato wrote:

      I'm sorry, we don't offer support for ogame anymore as the DPA prevents us
    • I find Gameforge's reply on their Twitter account interesting, and it sort of confirms the way they meet their user base.


      Gameforge Twitter wrote:



      We put more emphasis on actually addressing the issue and fix the leak rather than posting more on Twitter about it! There was no hacking of any servers involved, however, "only" a compromised admin account. For further information please check your respective forum
      This statement would obviously be relevant, had the hack actually happened on the 14th of September when the boards were shut down in panic. But no, the hack was done several months back and thereby the data was already out there.

      This is the real mystery here, and I suppose also why the original hacker also decided to share the information directly to all users, to make them aware of what had happened more than 1 month back.


      GDPR wrote:

      The lower level of fine, up to €10 million or 2% of the company’s global annual turnover, will be considered for infringements listed in Article 83(4) of the General Data Protection Regulation.
      This includes infringements relating to:
      • Integrating data protection ‘by design and by default’
      • Records of processing activities
      • Cooperation with the supervising authority
      • Security of processing data
      • Notification of a personal data breach to the supervisory authority
      • Communication of a personal data breach to the data subject
      • Data Protection Impact Assessment
      • Prior consultation
      • Designation, position or tasks of the Data Protection Officer
      • Certification

      Their statement is directly against GDPR regulations, where the user affected should be informed that their data was leaked.

      Not only did it take them over 1 month to come forward with it, they weren't open about it either by NOT including that, among other information, people's IP addresses were leaked.

      This is not good, and I see over at the us.board they start to censor it now by closing down threads, so the user base can't properly discuss the matter
    • There are several points in this discussion that clearly show some of the things are not understood so I'll try to clarify as much as I can.
      To start with, the source of the leaked data.
      It was a single admin's account that got compromised. This is public information shared on Twitter by Gameforge so it can be read by anyone, but just in case here is the link to the clarification message.
      Our databases were not hijacked externally, but through this compromised account.
      This admin had also special access to the Origin forum, but he was not an Origin admin. No user data from Origin was mailed anywhere, just certain tools, guides/how tos, script discussions and other relevant info for any admin of OGame and their daily business in the community.

      Thundersheep wrote:

      Well I assume no personal data was leaked the first few times else they should have told us due to strict legislation.
      However apparently something was obtained else it wouldn't have been a breach in the first place. Someone saw things. I share your concerns.
      At least now they informed us on the other hand they had no choice. But I wonder what kind of legal implications this has because as Piink wrote, some people's personal information got out. And especially if you're staff it could be used against you for threats.
      If there was an issue with internal data leaked in US in August if anything is a topic from the US community. I personally was not aware of any of these issues before 14th of September for a very simple reason: each community has its community manager who handles the community topics. I can tell, believe it or not, I haven't received any notification about any of this before Friday's report.

      Now, after this whole investigation all I can say is that I asked the OGame US CoMa and yes, the issue was addressed back then in August, access were modified for certain usergroups in the forum and the forum was deeply checked, obtaining as result that no data from the administration was leaked before. I can only assume if anything was leaked it had to be what is considered internal information or internal discussions through accounts with access to this information but I am not the OGame US CoMa nor this is the OGame US community. In any case, again, this problem does not belong in the ORG community as none of the ORG data was affected at any point.

      Mafkees wrote:

      I'm curious as to how this plays out because as GameForge undoubtedly knows: due to recent European privacy law, companies face HUGE fines if they fail to report data breaches to the authorities. As far as I can tell, THAT is the accusation, the failing to report the breach to the authorities.

      The fact that we were left in the dark by our CoMa, or at least that was the intention, honestly didn't come as a surprise to me. :youcrazy:

      Oh, here's the mail we all received by the way. I'm wondering if they will censor this or ban me for spreading the truth.
      For the sake of board regulations I think it is safe to assume that the hacker gave me permission to share his PM :beer:
      Just because we do not write in the statement that we are taking legal actions it doesn't mean we failed to report it to the authorities. If it is relevant for you for any reason to know we are reporting the issue, yes, we are.

      None of you have been left in the dark, the ORG community is not affected by the issue and that has been clarified from the start.
      Also, you should be more careful with what you share, if what you attempted to share was the file itself you are contributing to spread leaked players' information that doesn't belong to you.
      In any case, as NoMoreAngel wrote, the file has been taken down from the server.

      I am not quoting all the comments, but just a few to answer all questions. The following quote I'll reply directly within the quote itself:

      Upset wrote:

      To Piink and gameforge if they ever bother to read this:

      Why was this allowed to happen in the first place?
      If you refer to why did we allow to have the info leaked, that's something we do not allow. We did react when we realized the access was compromised right away on Friday 14th of September.
      Why weren't we told straight away?
      We took care of addressing and sealing the issue which for us was more important at the point we got the report. That was Friday night. The investigation ran throughout the weekend and was done by people, not robots. People have limitations and lives also on the weekend and not all resources are available during the weekend as they are during the week. In any case, by Monday afternoon the forums were available and the statement was done. We reacted as fast as we could.
      Did anyone else get three emails in the space of 30 minutes?
      The mail was sent to the US userbase. Do you have 3 multies there?
      What's going to happen now?
      As this forum is not affected, nothing else will happen here. I really don't know what are you expecting from us here at ORG while the issue happened somewhere else. Please, if you have more concerns and are affected by this issue refer to the US community.
      What reassurances will we get so this doesn't happen again?
      The same reassurance we can give you when we mention to keep your password safe at all times.
      Why was it ogame.us and origin forums that were compromised? Is it because whoever got hacked had accounts on both of those forums?
      Correct. But once again, Origin userbase was not leaked. Only information that is relevant for people working with OGame tools and OGame teams that should not be available for players.
      Thundersheep, you are the ogame.us game admin, is there anything you can tell us on how seriously gameforge is taking this?
      -
      I'm not going to lie, I don't expect much from gameforge, if you research into how the CoMa on their other games such as Tera, soulworker etc are to their community well you'll understand.
      I'm sorry to hear that. You should not judge all employees globally based on a single bad experience as I do not judge all players based on a single bad experience. We are individuals doing our job the way we think is best on our own way.

      Mafkees wrote:

      My biggest concern is not privacy, it is security. I have my bases covered personally but it is a given fact that many people use their passwords repetitively. The password to their OGame user account might very well be the same as their board accounts, and that same password might be used for their personal Facebook page, their e-mail address or even their online bank account. Please note that both OGame log-in data AND private e-mail addresses were compromised. In addition to repetitive password usage, most people use their actual e-mail inbox as a place of storage for passwords to other applications. The trouble some people might be in because of this is unimaginable.
      Passwords were not leaked. Read @Tirnoch's answer as it is quite accurate.

      Tirnoch wrote:

      Mafkees wrote:

      Please note that both OGame log-in data AND private e-mail addresses were compromised.
      This is not true, no OGame log-in data was compromised, especially no passwords. The leaked data show that the "hackers" had access to a BA account and it's not possible for a BA to see passwords, especially no ingame login data.

      FarfetchD wrote:

      I'm not surprised this happened, in fact only surprised it didn't happen sooner tbh

      After all, some should remember what happened to Blackmass' Quantum account last year, who at the time was also .org's BA. Luckily, nothing happened to the boards that time.

      piink wrote:

      This affects users of OGame US and OGame Origin only.
      This is an interesting statement, when we're often driven to Origin for stuff like new game mechanic suggestions, bugs and whatnot. And let's face it, many players play or have played in both .org and .us, at some point or another. So I'd say a part of org has also been affected by this.

      Worse than having a problem, is to underestimate it and not deal with it properly. If nothing is done, this may not be the last case of security breaches...
      Once again, userdata from Origin was not leaked. @NoMoreAngel clarified this already in a previous answer in this very same thread.


      Since this community has not been affected by the issue, for those of you who are affected please follow the US statement. The past part of it is slightly different than the statement done for all non affected forums.

      Thank you.
    • Hi Piink.

      Thank you for clarifying all the points raised.

      Many players have accounts in both .org and .us (myself included), so receiving a disturbing email like that when we were all oblivious to what was happening does, for obvious reasons, raise a lot of questions.

      Although I understand the .org was not affected, it was still a gameforge (doesn't matter which branch of it was) issue that affected real people's personal information.
      My OP was not aimed at the community here per se, I do use the .Org board way more than anything else and it was aimed at flagging the issue that affects customers (which we are in a sense) of a company, being it in the US, EU, China...

      Happy to see that in here we get some answers, in .US board, well, not so much.

      Thanks again for clarifying.
    • To piggy back off what Piink has said,
      This was my statement on the matter on the .us forums.

      The former leak was investigated thoroughly by COMAs (gameforge) and it was believed to be internal. IE a former staff member sharing info with someone they shouldn't have. The information that got out was insignificant and did not contain personal information about any user of this forum. To be more specific it contained general information about a staff member (who has been notified). Measures were taken to ensure even more limited people had access to personal data of the users after this. All information was internal because it only affected staff members. This is why you have not heard about it because at the time with the information we had, it did not affect you.


      Board Admin - Ogame.us
      SMOD / GO - Ogame.se
    • piink wrote:

      No user data from Origin was mailed anywhere, just certain tools, guides/how tos, script discussions and other relevant info for any admin of OGame and their daily business in the community.
      Could you please explain me how it was possible that my email address amongst the email addresses of all registered accounts on the us board were leaked? And why wasn't I notified of this by GF? Isn't that what the GDPR, for example, is all about?

      It's shocking that GF is even denying that part of the leak..
    • Thank you for the clarification Piink.

      I did not intend to share the link by the way, just the e-mail itself. I reported my post shortly afterwards when it was brought to my attention that the link was indeed in the picture. My bad on that one.
      If every fool would wear a crown
      I would be a king and not a clown
    • so i am noob, i dont open emails lol, so i just read here what people say, and let me see if i can summarise this "situation"

      some1 basically logged into a board account on .us.

      that .us account was a BA.

      BA account have access to email addresses, ip addresses and BOARD account passwords and some login time information?

      that some1 then took that information? and sent it to alot of people?

      lol doesnt sound bad at all?

      oh no some1 knows my email account.......oh no some1 knows my ip address......oh no some1 knows my board login info.

      am i bothered? no not really. my board account and game account have different pass.

      people on here acting crazy over an email address and IP address.

      if people want to know my ip address so they can come to my house......i will get the bbq ready



      thanks for the sig blackadder you nubber