Admin changed my password? Zos were you hacked?

  • SeaGtGruff
    JD2013 wrote: »
    A small heads up before it happened would have been nice ...

    No kidding---at the very least. What's next, our credit card information being compromised?

    You have your credit card information on your forum account?
    I've fought mudcrabs more fearsome than me!
  • Rave the Histborn
    The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

    @ZOS_GinaBruno

    Do you think next time that happens you could, ya know, update your playerbase about it? I spent the last day dealing with expired password changes no matter when I clicked on the reset link.
  • idk
    The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

    @ZOS_GinaBruno

    First of all our forum credentials were not always completely separate from the game/website which I expect Zos is aware. Less than a year ago I reset my password on the website and that action changed it for both the game and forum.

    Further, either Zos or the contracted agent should have taken the professional step to inform us we would have to change our password before it happened so we did not think Zos has been hacked.

    If it was the contractor that failed to act appropriately Zos needs to require them to step up their game or get tossed with the trash. This is 2019 and Cyber Security needs to be taken seriously by Zos and your contractors. Especially since many of us trust your website with our credit card and other personal information. Time to get serious.
  • VaranisArano
    SeaGtGruff wrote: »
    JD2013 wrote: »
    A small heads up before it happened would have been nice ...

    No kidding---at the very least. What's next, our credit card information being compromised?

    You have your credit card information on your forum account?

    In the interests of clarifying, according to the info on the Vanilla Forums status post, the data that could possibly be available for people looking at the network requests/API/HTML is as follows:

    Usernames.
    Passwords (salted & hashed) Our hashing mechanism is BCRYPT with a cost of 10; Users connected over a SSO (Single Sign On) connection or through social connect don't have this data stored with Vanilla, and could not have had this field shared.
    Emails
    IP addresses
    User preferences
    Users roles and ranks

    My Note: this wasn't a data breach. It's just that the above info was being attached erroneously to quote chains, so someone could have possibly found that info via looking at the network requests/API/HTML of quote chains.

    So the potential risk is mainly for players who reuse the same account info for the forums and somewhere else. Which sucks, but we know that's generally not recommended anyways.

    Source: https://status.vanillaforums.com/incidents/2zdqxf3bt7mj
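
The failure mode summarized in the post above (full user records riding along inside nested quote chains) is the kind of thing a response-level regression check catches. The following is an added example, not part of the thread and not Vanilla Forums' code; the key names, the `user`/`quote` nesting and the sample payload are assumptions constructed for illustration.

```python
import json

# Hypothetical key names for the categories the status post lists
# (password hash, email, IP address, preferences, roles, ranks).
SENSITIVE_KEYS = {"password", "email", "ipaddress", "preferences", "roles", "rank"}
# Hypothetical allowlist: the only fields an embedded user object may expose.
PUBLIC_USER_FIELDS = ("userID", "name")

# Constructed sample response: a comment quoting a comment that quotes another.
SAMPLE = json.loads("""
{"commentID": 3, "body": "agreed", "user": {"userID": 7, "name": "alice"},
 "quote": {"commentID": 2, "body": "see below",
           "user": {"userID": 5, "name": "bob", "email": "bob@example.invalid",
                    "password": "HASH-PLACEHOLDER", "ipAddress": "192.0.2.10",
                    "roles": ["member"]},
           "quote": {"commentID": 1, "body": "first",
                     "user": {"userID": 9, "name": "carol",
                              "preferences": {"notify": true}}}}}
""")


def find_leaks(node, path="$"):
    """Return the JSON path of every sensitive key at any nesting depth."""
    leaks = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS:
                leaks.append(child)
            leaks.extend(find_leaks(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            leaks.extend(find_leaks(item, f"{path}[{i}]"))
    return leaks


def sanitize(node):
    """Copy the payload, projecting every embedded 'user' onto the allowlist."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key == "user" and isinstance(value, dict):
                out[key] = {f: value[f] for f in PUBLIC_USER_FIELDS if f in value}
            else:
                out[key] = sanitize(value)
        return out
    if isinstance(node, list):
        return [sanitize(item) for item in node]
    return node


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE):
        print("leaked field:", leak)
    print("after sanitize:", find_leaks(sanitize(SAMPLE)))
```

Run as an assertion in an API test suite, `find_leaks` failing on any non-empty result flags the problem before release; the allowlist projection in `sanitize` is the fix, since a denylist misses fields added later.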
  • Ackwalan
    Was really a bad weekend for ZOS. On top of the normal lag and crash issues, they had to cancel the event, a forum mishap, and an exploit involving a crown costume. That Monday morning meeting is going to be exciting.
  • TequilaFire
    I love it, the original thread in the general help section which was made before this one and was civil gets shut down by the mod that was originally asked because "there is already another thread".
    Skipping over the fact he never answered at all. smh
  • virtus753
    Thank you to those of you posting updated information on behalf of both these companies.

    There should have been *two* emails in our inboxes, one from each company, and a banner and sticky here before most users even got to the point of realizing they were logged out. A vague notification about our accounts being reset “most likely” by some equally vague “admin” is as alarming in its casual lack of information as in its existence and implications. Gina’s acknowledgment is appreciated, but the lack of a banner and a discrete announcement with up-to-date information is disturbing.

    I would have thought security would rate more highly than this on both companies’ parts.
  • Sylianwe
    Thank you for the update.

    Though, it would indeed be beneficial to have a forum of this magnitude moderated 24/7. This includes a diversity of global moderators to ensure that communications towards customers and forum goers alike, is an ongoing process. There is always something that can go wrong, with any company, whether they are at fault or not, providing correct communications towards customers is key.

    My only remaining question would be:

    "GDPR requires organisations to demonstrate that their password reset processes are secure"

    ..is it?
    Edited by Sylianwe on April 11, 2021 2:07AM
    The mind is a walled garden, even death can not touch the flowers blooming there 🌹
  • Jayman1000
    on the bright side now everyone had to change their password. in the end security increased and the empire prospered.
  • beadabow
    pdblake wrote: »
    117Dios wrote: »
    Zos found out EUPCs server problems was one dude with a 256 character password.

    Source?

    I asked an Alfiq in a sack. They said they were trustworthy.

    That lumpy sack has been in my inventory for weeks. Do think it's suffocated yet?

    Well, don't let the cat out of the bag!
  • RefLiberty
    The only correct way this should be handled is to post the Notification on top of the Forum, where the server update notifications are, that due to Vanilla patches from their side, the forum users will be prompted to reset the password, with the link to Vanilla Incident report and everything would be fine.
    https://status.vanillaforums.com/incidents/2zdqxf3bt7mj

  • Ohtimbar
    So glad I got an email explain-oh, wait, that didn't happen. That’s totally normal. :|
    forever stuck in combat
  • VaranisArano
    Malfoy wrote: »
    Thank you for the update.

    However, I'd like to point out that it would indeed be beneficial to have a forum of this magnitude moderated 24/7; this includes a diversity of global moderators to ensure that communications towards customers and forum goers alike, is an ongoing process, it is quite concerning to see that this isn't provided here.
    There is always something that can go wrong, with any company, whether they are at fault or not, providing correct communications towards customers is key.

    My only remaining question would be:

    "GDPR requires organisations to demonstrate that their password reset processes are secure"

    ..is it?

    The password reset procedures are fine. They weren't related to the problem - that was actually part of the solution, as scary as it seemed to get that red message.

    The Vanilla Forums people patched a vulnerability in their latest update, and to make sure that accounts weren't left vulnerable, reset the passwords for anyone who was even possibly affected on any of their forums. Source: https://status.vanillaforums.com/incidents/2zdqxf3bt7mj

    In short, the password reset procedure worked exactly as intended, and the security of that part isn't in doubt.

    If you reused your forum info for other stuff like email or your game account, you might want to change those, but that's just good password security regardless.


    Now, the communication of said password reset wasn't anywhere near as smooth, and whether you point fingers at Vanilla Forums, ZOS, or both seems to depend on the person and how frustrated they are.
    Edited by VaranisArano on November 17, 2019 11:38PM
  • nk125x
    me too
  • MasterSpatula
    Considering that this is a forum that once suspended me for making a self-deprecating joke, I get really nervous when I read that an "administrator" is making changes to my account.
    "A probable impossibility is preferable to an improbable possibility." - Aristotle
  • Arcon2825
    As soon as we receive more information from the vendor, we'll pass it on.

    @ZOS_GinaBruno: Is this still the case? Because we’re still lacking an update on the issue.
    Xbox EU
    CP 1400+:
    Laeleith - Magicka Sorcerer DD, Vampire
    Maryssía - Stamina Dragonknight Tank
    Thaleidria - Magicka Templar Healer
    Zemene - Magicka Necromant DD
    Poohie - Magicka Warden DD
    Elyveya - Stamina Nightblade DD
  • ZOS_GinaBruno
    Community Manager
    Just to follow up on this issue, our vendor has confirmed that there was no personal data shared as part of the previously mentioned security issue. For instructions on how to access your forum account due to the password being reset, please visit this Support article.
    Gina Bruno
    Senior Community Manager
  • Alomar
    Same, now for the first time my ingame pass is different from my forum one. WTF is going on ZOS
    Haxus Council Member
    Former Havoc Commander
    Former DiE officer
    Alomar: 5 Stars - Beast: 3 stars - Kurudin: 5th NA emperor
    Awaiting New World, Camelot Unchained, and Crowfall
  • VaranisArano
    Just to follow up on this issue, our vendor has confirmed that there was no personal data shared as part of the previously mentioned security issue. For instructions on how to access your forum account due to the password being reset, please visit this Support article.

    Thanks for the follow-up and the reassurance that our personal data wasn't shared!
  • EmEm_Oh
    Same happened to me as well; an explanation would be welcome.

    I doubt they were hacked. More than likely...it was database related when some scrubbing had to occur to get everyone on the same page, as passwords could have been fragmented.

    Was time for me to change my password anyway.
    Edited by EmEm_Oh on November 21, 2019 3:42AM
  • Vanos444
    Same here and even the website doesn't work. GG bethasada
  • Sixsixsix161
    Since the other post was closed, I wanted to take the time to thank who explained to me what happened. Was not aware of this situation.

    Thanks again.

    6
  • purple-magicb16_ESO
    Same here day before yesterday. In 6 years this is the 1st time. Strange...
    Give 'er eh!
  • Ilision
    Lumenn wrote: »
    Why else would an admin change my (and others) password? I rotate my passwords randomly on my own but in the years I've played have never HAD one changed. Have our accounts been compromised? Just the forums or game too? Shouldn't this be something we should know?

    I am not really sure what actually happened but I also had to change my password the other day because I could not log in. When I checked my email, I found a link to change my password. There was no explanation as to why just that I could not log in with my old one.

    I do however like to know why was my password changed without ZOS notifying me? Even as simple as "There was an attempt to access your account from a different location, please be advised that ZOS team had changed your password. To create a new password please use the link provided in your email. Thank you and have a great rest of the day ;) "

    ZOS team with love.
  • AhPook_Is_Here
    Mine was changed too. It might have been because they were too short or insecure, my old one as an example was "x". I can't remember my new one, but i guess it is secure.
    “Whatever.”
    -Unknown American
  • Indoril_Nerevar
    BEHOLD THE START

    TO A REPUTATION SYSTEM

    CHECK OPTIONS IN GAME (ACCOUNT HAS BEEN ADDED)

    YOU WILL SEE THEY LINKED YOUR ACCOUNT TO THE FORUMS
    Edited by Indoril_Nerevar on November 21, 2019 8:13PM
  • Ydrisselle
    Ilision wrote: »
    Lumenn wrote: »
    Why else would an admin change my (and others) password? I rotate my passwords randomly on my own but in the years I've played have never HAD one changed. Have our accounts been compromised? Just the forums or game too? Shouldn't this be something we should know?

    I am not really sure what actually happened but I also had to change my password the other day because I could not log in. When I checked my email, I found a link to change my password. There was no explanation as to why just that I could not log in with my old one.

    I do however like to know why was my password changed without ZOS notifying me? Even as simple as "There was an attempt to access your account from a different location, please be advised that ZOS team had changed your password. To create a new password please use the link provided in your email. Thank you and have a great rest of the day ;) "

    ZOS team with love.

    This is the explanation:
    The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

    ZOS didn't change any forum password, it was the company behind the forum engine. ZOS didn't have any information about the security problem, therefore they couldn't notify anybody. Every password was forced to change in this forum.
  • VaranisArano
    Mine was changed too. It might have been because they were too short or insecure, my old one as an example was "x". I can't remember my new one, but i guess it is secure.

    No, it was a general reset done by Vanilla Forums, the company who runs the forum software, in response to a vulnerability that needed to be patched.

    Via Dev Tracker from earlier this thread
    Gina's comment: https://forums.elderscrollsonline.com/en/discussion/comment/6463909#Comment_6463909
    Follow-up: https://forums.elderscrollsonline.com/en/discussion/comment/6471160#Comment_6471160
  • SirAndy
    BEHOLD THE START TO A REPUTATION SYSTEM ...

    Cool, i win yet again ...
  • Merlin13KAGL
    Nice to know there were no data issues. Nice that it was finally passed along.

    In future, I'd recommend:
    • An in game/login screen notice - people probably going to be there more often than here.
    • A banner announcement at the top of the forums - again, should catch your attention.
    • A link in the pop up, directing to the Dev post indicating what happened.

    All of those would be short, sweet, and to the point. They'd explain what happened, why it's no big deal, and would save much explanation in the form of CSR support tickets that ultimately do the same thing.

    I never got an email, and had the 4 reply ticket I created not pointed me here, I still wouldn't have known the 'why?'

    (Most people aware of security are not just going to automatically and arbitrarily reset their password without knowing why, as that password reset could be spoofed or hacked just as easily as the real thing.)

    Anyway, glad all is well. Thanks for letting us know. Just step it up one notch next time.
    Just because you don't like the way something is doesn't necessarily make it wrong...

    Earn it.

    IRL'ing for a while for assorted reasons, in forum, and in game.
    I am neither warm, nor fuzzy...
    Probably has checkbox on Customer Service profile that say High Aggro, 99% immunity to BS