It always gets my attention when an MMOG of any significance is hacked. In particular, I find it interesting to see how the incidents are handled. As a result, I've had my eye on MapleStory Europe, where, for the past couple of weeks, Nexon's regional office has been dealing with what looks like a pretty sizable currency exploit.
For anyone who may not know what happened, the short version is that two of the classes in the game have a skill called Meso Guard that they can employ to lose money instead of health when hit. Someone figured out it was possible to hack the data so as to tell the servers that a character took negative damage, the result of which was a currency gain instead of a loss. What's more, the amount could be as much as 2.1 billion per blow. So, as you can undoubtedly imagine, a lot of players (I haven't seen any credible numbers in this regard) took advantage, thereby shattering the game economy.
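The flaw described above, as an added sketch that is not Nexon's code: a hit handler that trusts a client-reported damage value, beside one that validates it on the server and records rejected values for review. The class and function names, the 50% guard split and the damage ceiling are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_HIT = 199_999  # hypothetical ceiling on damage from a single hit


@dataclass
class Character:
    hp: int
    mesos: int


def apply_hit_vulnerable(char, reported_damage, guard_percent=50):
    """Trusts the client's number: a negative hit yields a negative cost."""
    absorbed = reported_damage * guard_percent // 100
    char.mesos -= absorbed                 # subtracting a negative adds mesos
    char.hp -= reported_damage - absorbed


def apply_hit_hardened(char, reported_damage, guard_percent=50, audit=None):
    """Rejects out-of-range damage; the guard can only lower the balance."""
    if not isinstance(reported_damage, int) or not 0 <= reported_damage <= MAX_HIT:
        if audit is not None:
            # A rejected value is a detection signal, not just a dropped packet.
            audit.append(("rejected_damage", reported_damage))
        return False
    # The guard cannot absorb more than the character can pay for.
    absorbed = min(reported_damage * guard_percent // 100, char.mesos)
    balance_before = char.mesos
    char.mesos -= absorbed
    char.hp -= reported_damage - absorbed
    if char.mesos > balance_before:        # invariant: no gain from being hit
        raise RuntimeError("guard increased balance")
    return True


if __name__ == "__main__":
    # Constructed sample values, not data from the incident.
    victim = Character(hp=1000, mesos=100)
    apply_hit_vulnerable(victim, -2000)
    print("vulnerable handler:", victim)

    audit_log = []
    fixed = Character(hp=1000, mesos=100)
    print("hardened accepts -2000?", apply_hit_hardened(fixed, -2000, audit=audit_log))
    print("hardened accepts 300?", apply_hit_hardened(fixed, 300, audit=audit_log))
    print(fixed, audit_log)
```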
While the time frame when this exploit began wasn't immediately known, it was clearly sometime prior to February 1 when a notice was posted on the game's referring to "the recently erupted issue, Meso Exploitation". On that day, it appears Nexon stopped an unspecified number of accounts from trading, although the statement didn't explicitly say so.
The notice did state "we are well aware of the current situation and have compromised it well under." The latter part of this piqued my curiosity since it represented a rather curious choice of words, the meaning of which was unclear. If I were to interpret it with my rose-colored glasses on, I could choose to assume the exploit had pretty much been taken care of. However, it was also possible to put a highly negative spin on it; i.e. to think almost nothing had been done yet.
It struck me as odd that Nexon would use wording that was subject to such a wide range of interpretation, and then, as far as I know, not amend and clarify it in the two weeks since. This left me to guess. Did the company intentionally choose to be so vague? Did I read far too much into part of a sentence written by someone whose native language isn't English? Or was the reality of the situation something else, somewhere in between?
As for resolving this matter, my first thought was to roll back the servers. However, fast forward to February 7. Nexon posted a situation update saying that this option had been considered, but rejected because "considering the amounts of EXP and items that you all have gained throughout the days, we have decided against a roll-back as it may have eventually brought more harm than good to your gameplay." Again, rather vague.
Another day passed before Nexon announced what it had decided to do, which included taking a percentage of mesos away from all accounts regardless of guilt or innocence. Then, on February 9, the company posted another statement that said in part "January 5th was the day when abnormal amounts of Mesos have been tracked for the first time."
The latter date was disappointing to see in a couple of ways. One was obviously that the exploit went undetected for quite some time. While I don't expect MMOGs to be unhackable, I would have thought something like characters suddenly having billions more mesos wouldn't be especially difficult to spot rather than going unnoticed for nearly a full month. Admittedly, this is from someone who knows almost nothing about Internet security. But it appears Nexon fell down on two counts, both preventing the intrusion and identifying it promptly.
On the other side of the coin, I'm also disappointed no one reported the exploit for so long. This is an assumption on my part, but I can't imagine no action being taken sooner if anyone had. A lot of players used it, but I doubt it was everyone. And how likely is it that not a single one even knew about it? So, it seems certain that some people were aware of the hack, didn't take advantage of it themselves, but also didn't bring it to light. It's not the same, but I couldn't help thinking of the bystander effect, the one where a bunch of people witness a crime but no one calls the police.
In addition, I understand that, due to the length of time before Nexon became aware of the issue, it probably wasn't cost-effective to institute a perfect fix, since that likely would have required examining who knows how many individual account histories. Still, since I don't have to worry about the company's bottom line, I can be and am less than fully satisfied with its decision not to bite the bullet.