Gameforge's data leak

    • Gameforge's data leak

      Hi everyone,

      I am surprised to see that no one has raised any questions regarding the recent information we got from our CoMa about the hack & temporary closure of the boards.

      As Piink stated, "an admin-account got compromised at ogame.US and thereby user-data was accessed by those individuals responsible for the hack.
      "Unfortunately some data got out through this entry point. This affects users of OGame US and OGame Origin only. The data that was accessible contains users' mail address as well as their nicknames and also some sections of the forums that were not supposed to be openly accessible."

      What Piink didn't inform the users here on ogame.org (and the same message went out to ogame.us) was that it wasn't just users' e-mail addresses and nicknames that were leaked.

      The hack was actually done up until the 09th of August it seems, judging by the data shared on the 14th of September (all users registered on ogame.us got this email from "no-reply@gameforge.com", myself included). This was when all Gameforge boards suddenly went offline, even though there is confirmation in the data leaked that Gameforge KNEW about the hack on the 02nd of August? Included in the files is user information such as Nickname, E-mail addresses, IP-addresses, login times, detailed description of admin-tools, scripts, personal messages from high-positioned GF operatives etc etc. Piink's original message saying that this was a small and limited breach is as wrong as it gets. This is a serious breach of user data and Gameforge is not being open about it right now.

      I am posting this to bring the matter into light, and to get some honest replies from Gameforge what was actually compromised? Since the recent message from them was less than fully honest.

      I have tried to DM Piink on 2 occasions now but had no reply whatsoever and also contacted Gameforge's official twitter account only to be waved off with some poor excuse that their priority was to fix the leak and not inform the affected users, which I would understand if it wasn't for the fact that I know (and others as well) that this leak is not recent knowledge. In fact all of the staff was advised to change their passwords according to the leaked data.

      Gameforge has been aware of the data leak back in August and decided NOT to inform any of the affected people which I include myself in.

      I would like to hear from an official Gameforge member on this matter as I take my personal information privacy very seriously, even if Gameforge doesn't.

      Thank you

      The post was edited 1 time, last by Troll ().

    • Well I assume no personal data was leaked the first few times else they should have told us due to strict legislation.
      However apparently something was obtained else it wouldn't have been a breach in the first place. Someone saw things. I share your concerns.
      At least now they informed us on the other hand they had no choice. But I wonder what kind of legal implications this has because as Piink wrote, some people's personal information got out. And especially if you're staff it could be used against you for threats.

      I can haz super cheap



    • Well something sure happened both on the 14th of September when it all went public and in early August judging by the data disclosed. But why didn't Gameforge react until September notifying the users?

      Someone did see things, and now the cat is out of the bag, everyone affected now sees it.
    • I'm curious as to how this plays out because as GameForge undoubtedly knows: due to recent European privacy law, companies face HUGE fines if they fail to report data breaches to the authorities. As far as I can tell, THAT is the accusation, the failing to report the breach to the authorities.

      The fact that we were left in the dark by our CoMa, or at least that was the intention, honestly didn't come as a surprise to me. :youcrazy:

      Oh, here's the mail we all received by the way. I'm wondering if they will censor this or ban me for spreading the truth.
      For the sake of board regulations I think it is safe to assume that the hacker gave me permission to share his PM :beer:



      ..::Edit by NoMoreAngel| In Case you are wondering what happens when you type the link into your browser, nothing happens. The File has been taken offline|17.9.2018|22:48:30::..
      If every fool would wear a crown
      I would be a king and not a clown

      The post was edited 1 time, last by NoMoreAngel ().

    • To Piink and gameforge if they ever bother to read this:

      Why was this allowed to happen in the first place?

      Why weren't we told straight away?

      Did anyone else get three emails in the space of 30 minutes?

      What's going to happen now?

      What reassurances will we get so this doesn't happen again?

      Why was it ogame.us and origin forums that were compromised? Is it because whoever got hacked had accounts on both of those forums?

      Thundersheep, you are the ogame.us game admin, is there anything you can tell us on how seriously gameforge is taking this?

      I'm not going to lie, I don't expect much from gameforge, if you research into how the CoMa on their other games such as Tera, soulworker etc are to their community well you'll understand.
    • Indeed, "was". I'm just another user like you guys nowadays.
      I should update my profile, been a while since I posted here.

      Though I keep close tabs on what goes on there cause damn did I put my heart and soul in there and all the lovely people there.
      It hurts to see how .us is under fire though. I'd say it's pretty serious for some but to the average user I think it's okayish, maybe even beneficial depending if you like or hate GF? As you can see in the email they seemed to target the staff and some collateral damage was done.
      But don't forget it was a huge slap in the face to GF as well. Think legal, think reputation, think security, think sensitive info, think privacy.
      Let's give them the benefit of the doubt for now and see how they proceed. I think they said you could contact support if you have questions but yeah it'd be cool if they could make a general statement. I expect one but I wait patiently for now.

      I can haz super cheap



    • My biggest concern is not privacy, it is security. I have my bases covered personally but it is a given fact that many people use their passwords repetitively. The password to their OGame user account might very well be the same as their board accounts, and that same password might be used for their personal Facebook page, their e-mail address or even their online bank account. Please note that both OGame log-in data AND private e-mail addresses were compromised. In addition to repetitive password usage, most people use their actual e-mail inbox as a place of storage for passwords to other applications. The trouble some people might be in because of this is unimaginable.

      I couldn't care less about legal ramifications to GameForge GmbH. It is a huge company and I refuse to feel sympathy for a company like that which fails to cover basic security precautions.

      My foremost question is the following: how can players know whether or not they have been affected and has GameForge notified every single affected user that there has been a security breach wherein their personal information was compromised?
      If every fool would wear a crown
      I would be a king and not a clown

      The post was edited 1 time, last by Mafkees ().

    • Mafkees wrote:

      Please note that both OGame log-in data AND private e-mail addresses were compromised.
      This is not true, no OGame log-in data was compromised, especially no passwords. The leaked data show that the "hackers" had access to a BA account and it's not possible for a BA to see passwords, especially no ingame login data.
      Rumors are carried by haters, spread by fools, and accepted by idiots.

      Developer of AntiGameReborn - Virgo.de #1
    • Tirnoch wrote:

      This is not true, no OGame log-in data was compromised, especially no passwords. The leaked data show that the "hackers" had access to a BA account and it's not possible for a BA to see passwords, especially no ingame login data.
      Please refer to the screenshot of the e-mail that I posted below.
      I quote: ''(...) including personal identifying information for all registered accounts over two months ago.''

      Of course, this claim might be false, but it is all we have to go with.
      If every fool would wear a crown
      I would be a king and not a clown
    • Tirnoch wrote:

      As far as user privacy is concerned, only email addresses of users on the .us board were leaked, as well as some support/ingame cases about some players.
      Since your claim is lacking a source, I suppose we have to wait for an official in-depth response to know for sure.
      If every fool would wear a crown
      I would be a king and not a clown
    • The registered part might simply be the one concerning the boards.

      I know GF is aware of everything and that this thread has been read.

      And she is right, only .us and the .origin were affected. Boardwise.
      Gone as BA.


      Thank you ruby_kirby, you are a true artist. :)
      Be head to serve, not to reign (Bernard von Clairvaux)
    • Tirnoch wrote:

      As far as user privacy is concerned, only email addresses of users on the .us board were leaked, as well as some support/ingame cases about some players.
      Not sure if you took the time to stroll through the data, but just for fun I did. And your claim is wrong.
      You can find usernames, email addresses, previous email addresses (of people who have changed it) and IP addresses. I can currently tell you most of the BA/GO/SGO IP addresses since they are all listed there in a nice to read .html format.
      You can find names of banned players, players that have received warnings (I know this is not so sensitive data, but it is data nonetheless).
      I urge you to take the time to look into the data before commenting.
    • Troll wrote:

      Tirnoch wrote:

      As far as user privacy is concerned, only email addresses of users on the .us board were leaked, as well as some support/ingame cases about some players.
      Not sure if you took the time to stroll through the data, but just for fun I did. And your claim is wrong. You can find usernames, email addresses, previous email addresses (of people who have changed it) and IP addresses. I can currently tell you most of the BA/GO/SGO IP addresses since they are all listed there in a nice to read .xml format.
      You can find names of banned players, players that have received warnings (I know this is not so sensitive data, but it is data nonetheless).
      I urge you to take the time to look into the data before commenting.
      Not sure if you took the time to properly read the posts in this thread, but it's about passwords being leaked. I'm happy you got so excited after being able to click a download link and some html files, though.
      Merkur.de - Chewbacca
      Relocate timeback: ogmem.com/show/334008
      57G super advanced: ogotcha / ogmem
      #6 ogame.de 137G TD/64G profit: https://ogmem.com/show/349679
      #7 ogame.de 130G/48G profit: ogmem.com/show/452903