Lotro security hole makes game password hackable
  nosam9

Novice Member

Joined: 3/18/13
Posts: 21

 
OP  3/18/13 10:00:37 PM#1

Lord of the Rings Online currently has a security hole that makes it possible for someone to get game usernames and passwords. Lotro forces players to use their game account names and passwords for the official forums. The forums used to use https but now only use http for login, and so now sends your username and password in plain unencrypted text. So anyone on a network or capturing data on a wifi network can catch a player's name and password for the game. At some point the forums at Lotro stopped using https and so now everything is sent unencrypted.

I play Lotro and am pretty concerned about this. A bunch of players have emailed about this to Turbine, but they have been silent on this and done nothing for more than a month. This seems like a pretty big security hole. I can't believe a company running one of the top MMOs would let this happen.

More information is here on the official forums. Apparently this would be pretty easy to fix, but Turbine has a tendency to let things go and not to fix game bugs and other forum problems.

I think people assume that games like LOTRO will protect your account and passwords better. Or are other MMOs this bad at security?

  Po_gg

Elite Member

Joined: 5/12/10
Posts: 1999

3/19/13 2:35:34 AM#2

There's an easy fix for that, don't use the forum :) (or use it with a separate, strictly forum account like I do)

I still remember before the server transfer there were pretty serious concerns about the forum over there, regarding both Sapience and security. Same with my.lotro's security issues. Heck, the lotrocommunity page was started just because of that :)

So yep, after we got merged to a new Turbine acc I haven't even set a forum name on my accounts, nor activated my.lotro (lotteries aren't my style anyways). But I feel for those who actively use the forum, it's a pretty bad move to switch back to plain http. Someone posted though the https auth.php link which is still accessible.

  Fredelas

Apprentice Member

Joined: 11/30/10
Posts: 36

3/19/13 5:58:39 AM#3

I'll repeat here what I've said on the official forum, in case it gets lost or moved.

 

If you're concerned about your account's security, you can:

  1. Change your account password at https://myaccount.turbine.com/ (which is unaffected by this issue)
  2. And then safely log in to the community site at https://my.lotro.com/auth.php.

Depending on your browser's settings, the login page may look a little different than usual, but your account name and password will be securely encrypted.

Keep in mind that it might take some time for your new password to become active on the community site, but it should become active immediately for logging into the game.

If you've read this far, you probably wonder if you should take the word of a stranger regarding your account security and click on potentially unfamiliar links. Good for you, because the answer is no. I hope some other helpful community members will confirm these steps as safe.

This is not an emergency, and if your account hasn't been compromised already, these steps will help protect you.