Admin changed my password? Zos were you hacked?

BackAndAngry · November 2019

Hey ZOS, maybe it's time go public with that obvious data leak... this is going really bottom low

And this crap is really reassuring aswell

twev · November 2019

lordrichter wrote: »

JPS wrote: »

ZOS_GinaBruno wrote: »

The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

1 - This could have and should have been communicated without people having to ask for an explanation. Like on top where the maintenance anouncements are. But I guess that was impossible since this one didn't affect just 'some people'.

2 - Am I understanding correctly that a company as big as Zos has to rely on a 3rd party vendor for their forum ? Is this a joke ???

1) ZOS was probably caught off guard, as well. This all started happening late on Friday, after normal business hours, so who knows if Vanilla attempted to contact someone, and whether that someone was monitoring their email on the weekend.

ZOS may have only known something was up when people started to comment on the issue, and their own accounts stopped working until the passwords were reset. I will suggest that she is considerably less pleased about what the "forum vendor" did than you are. Unscheduled things like this, on a weekend, can hit ZOS customer support and add to the support load.

2) Why does any company need to run their own forum? They are a game studio, not a social media provider.

The ESO forums are hosted by Vanilla, using their hosting. This means that ZOS pays them for the cost of running the server, including hosting and bodies.

Here is what happened.

https://status.vanillaforums.com/incidents/2zdqxf3bt7mj

To your Point #1: If 'That Someone' (emphasis mine) WASN'T monitoring the email - that circles back to gross incompetence on the part of ZOS, again.

They're a company doing worldwide business 24/7/365 around the globe, yet they insist on a 9-to-5 EST customer service program only during the 5 'business' days per week?
Utter rubbish.

I got logged out of the forum mid day on the 16th, like many other people, hit the button to have my password reset, and only just got the automated email authorization at a little after 8AM EST this morning (less than an hour ago), while my email account was getting real-time email traffic all the while from other people I was communicating with?
More rubbish.

This reeks of corporate incompetence and zero accountability.
Whole echelons of suits at The Mother Ship aren't doing the job that the job requires.

Elsonso · November 2019

.

Czekoludek wrote: »

ZOS_GinaBruno wrote: »

The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

Can you tell me how it is ossible to have so huge problems with communication after the outrage of event canceling and promisies that you will improve on that field? Seems a bit unprofessional

Wait, are you responding to Gina letting people know what is happening with a complaint that ZOS is not letting people know what is happening?

CassandraGemini · November 2019

lordrichter wrote: »

.

Czekoludek wrote: »

ZOS_GinaBruno wrote: »

The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

Can you tell me how it is ossible to have so huge problems with communication after the outrage of event canceling and promisies that you will improve on that field? Seems a bit unprofessional

Wait, are you responding to Gina letting people know what is happening with a complaint that ZOS is not letting people know what is happening?

I believe all the anger here is directed more at the fact that we only got an official statement about this after it had already happened and also only when people actively started questioning it. The whole outrage does feel a bit artificially inflated at this point, though. I mean, who knows if ZoS even realized this would happen? And honestly, yes, a little heads-up would have been nice, if it was possible, but it's not like I'm going to lose sleep over this, so... meh.

Czekoludek · November 2019

lordrichter wrote: »

.

Czekoludek wrote: »

ZOS_GinaBruno wrote: »

The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

Can you tell me how it is ossible to have so huge problems with communication after the outrage of event canceling and promisies that you will improve on that field? Seems a bit unprofessional

Wait, are you responding to Gina letting people know what is happening with a complaint that ZOS is not letting people know what is happening?

She lets us know couple hours after the issue occured, in that case we should get any info BEFORE that. If this is a proper communication for you, I feel sorry for your low standards of what a good communication between client and a company should be

BackAndAngry · November 2019

Aren't zos subcontractors as liable as them when managing ppl personal data?

SickleCider · November 2019

CassandraGemini wrote: »

lordrichter wrote: »

.

Czekoludek wrote: »

ZOS_GinaBruno wrote: »

The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

Can you tell me how it is ossible to have so huge problems with communication after the outrage of event canceling and promisies that you will improve on that field? Seems a bit unprofessional

Wait, are you responding to Gina letting people know what is happening with a complaint that ZOS is not letting people know what is happening?

I believe all the anger here is directed more at the fact that we only got an official statement about this after it had already happened and also only when people actively started questioning it. The whole outrage does feel a bit artificially inflated at this point, though. I mean, who knows if ZoS even realized this would happen? And honestly, yes, a little heads-up would have been nice, if it was possible, but it's not like I'm going to lose sleep over this, so... meh.

Seems performative, even.

daemonios · November 2019

Versispellis wrote: »

CassandraGemini wrote: »

lordrichter wrote: »

.

Czekoludek wrote: »

ZOS_GinaBruno wrote: »

The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

Can you tell me how it is ossible to have so huge problems with communication after the outrage of event canceling and promisies that you will improve on that field? Seems a bit unprofessional

Wait, are you responding to Gina letting people know what is happening with a complaint that ZOS is not letting people know what is happening?

I believe all the anger here is directed more at the fact that we only got an official statement about this after it had already happened and also only when people actively started questioning it. The whole outrage does feel a bit artificially inflated at this point, though. I mean, who knows if ZoS even realized this would happen? And honestly, yes, a little heads-up would have been nice, if it was possible, but it's not like I'm going to lose sleep over this, so... meh.

Seems performative, even.

Reactions tend to become inflamed when there is a succession of events that trigger them. Accusing players of being performative or artificially inflating their anger seems unfair and misguided when ZOS have collected an astonishing number of blunders in the past year, including the PC-EU server imploding regularly, queues being turned on and off with little to no communication, especially in-game, events being postponed, extended or cancelled, again with poor communication, a roadmap to improve performance that was years in the making and flopped spectacularly (new group finder, anyone?), a commitment to improving communication that had yet to be translated in concrete actions... Need I go on?

If you're happy with ZOS, that's fine. But don't shoot down and presume malice from those people who aren't.

BackAndAngry · November 2019

scorpius2k1 wrote: »

BackAndAngry wrote: »

Aren't zos subcontractors as liable as them when managing ppl personal data?

Yes. But you saw how quickly the finger was pointed to "The vendor we use" in Gina's response. Typical ZoS.

I don't care what Gina says. Hello letter of doom!

SickleCider · November 2019

daemonios wrote: »

Versispellis wrote: »

CassandraGemini wrote: »

lordrichter wrote: »

.

Czekoludek wrote: »

ZOS_GinaBruno wrote: »

The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

Can you tell me how it is ossible to have so huge problems with communication after the outrage of event canceling and promisies that you will improve on that field? Seems a bit unprofessional

Wait, are you responding to Gina letting people know what is happening with a complaint that ZOS is not letting people know what is happening?

I believe all the anger here is directed more at the fact that we only got an official statement about this after it had already happened and also only when people actively started questioning it. The whole outrage does feel a bit artificially inflated at this point, though. I mean, who knows if ZoS even realized this would happen? And honestly, yes, a little heads-up would have been nice, if it was possible, but it's not like I'm going to lose sleep over this, so... meh.

Seems performative, even.

Reactions tend to become inflamed when there is a succession of events that trigger them. Accusing players of being performative or artificially inflating their anger seems unfair and misguided when ZOS have collected an astonishing number of blunders in the past year, including the PC-EU server imploding regularly, queues being turned on and off with little to no communication, especially in-game, events being postponed, extended or cancelled, again with poor communication, a roadmap to improve performance that was years in the making and flopped spectacularly (new group finder, anyone?), a commitment to improving communication that had yet to be translated in concrete actions... Need I go on?

If you're happy with ZOS, that's fine. But don't shoot down and presume malice from those people who aren't.

Please don't be so hyperbolic. The mild inconvenience that people have experienced over the password resets has nothing to do with any of those other issues. Keep the stuff separated from the stuff.

VaranisArano · November 2019

Here's the Vanilla Forums incident report on what happened: https://status.vanillaforums.com/incidents/2zdqxf3bt7mj

My takeaway?
1. It wasn't a data breach, so much as a bug causing quote chains to link more personal info than they ought to if you looked at the network requests/API/HTML. The sign out/password reset was definitely done by Vanilla, so we don't have to worry about that being the ZOS admins or a hacker.

2. If you use the same password for the forums on other sites or your account, it would be a wise precaution to change those...but then, we all know that's normal password security regardless.

3. To my personal amusement, ZOS isn't the only company who only posts incident reports after the fix is done.

CassandraGemini · November 2019

daemonios wrote: »

Versispellis wrote: »

CassandraGemini wrote: »

lordrichter wrote: »

.

Czekoludek wrote: »

ZOS_GinaBruno wrote: »

The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

Can you tell me how it is ossible to have so huge problems with communication after the outrage of event canceling and promisies that you will improve on that field? Seems a bit unprofessional

Wait, are you responding to Gina letting people know what is happening with a complaint that ZOS is not letting people know what is happening?

I believe all the anger here is directed more at the fact that we only got an official statement about this after it had already happened and also only when people actively started questioning it. The whole outrage does feel a bit artificially inflated at this point, though. I mean, who knows if ZoS even realized this would happen? And honestly, yes, a little heads-up would have been nice, if it was possible, but it's not like I'm going to lose sleep over this, so... meh.

Seems performative, even.

Reactions tend to become inflamed when there is a succession of events that trigger them. Accusing players of being performative or artificially inflating their anger seems unfair and misguided when ZOS have collected an astonishing number of blunders in the past year, including the PC-EU server imploding regularly, queues being turned on and off with little to no communication, especially in-game, events being postponed, extended or cancelled, again with poor communication, a roadmap to improve performance that was years in the making and flopped spectacularly (new group finder, anyone?), a commitment to improving communication that had yet to be translated in concrete actions... Need I go on?

If you're happy with ZOS, that's fine. But don't shoot down and presume malice from those people who aren't.

Yes, but this is a whole seperate issue, isn't it? This has nothing to do with the game and its performance (which I certainly haven't always been happy with, even though the PS4 EU server seems to be better off than some others), it's about the forum, where very likely a different set of ZoS employees is concerned. And also: This is my personal opinion, it was a bit of an inconvenience, yes, and I didn't know what was going on, but it was remedied quickly and I experienced no further problems because of it. So for me, the way people are getting worked up over this feels artificially inflated, that's all.

If for whatever reason you feel personally attacked by that, that might really be more your problem than it is mine. But of course random finger-pointing is a big thing in this forum.

Toanis · November 2019

No big deal password resets happen, especially after an update that fixes a possible security issue. No matter whether there was actually a (known) leak, reseting passwords should be #1 priority. Good job on the part of the forum guys.

What needs improvement is communication. The info that this password reset is legit should be a pinned post or a notification, not a page 3 response in a discussion opened by users.

It also should be made clear that ZOS outsourced forum handling and that we can and should use separate passwords for game and forums.

Elsonso · November 2019

CassandraGemini wrote: »

I believe all the anger here is directed more at the fact that we only got an official statement about this after it had already happened and also only when people actively started questioning it. The whole outrage does feel a bit artificially inflated at this point, though. I mean, who knows if ZoS even realized this would happen? And honestly, yes, a little heads-up would have been nice, if it was possible, but it's not like I'm going to lose sleep over this, so... meh.

Sometimes that happens. This caught people by surprise.

Czekoludek wrote: »

She lets us know couple hours after the issue occured, in that case we should get any info BEFORE that. If this is a proper communication for you, I feel sorry for your low standards of what a good communication between client and a company should be

Yes, Gina's comment seemed to be fine, honestly. Something happened, she obtained the information about what was going on, and she posted it.

The forum is hyper sensitive and filled with all manner of conjectures, some posted seriously, and some posted in jest. People are feeding off of that and totally ignoring the fact that Gina posted what happened and reassured people that this did not affect their game accounts.

VaranisArano · November 2019

Toanis wrote: »

What needs improvement is communication. The info that this password reset is legit should be a pinned post or a notification, not a page 3 response in a discussion opened by users.

To be honest, I have to wonder if the Devs think that the forum users use the Dev Tracker more than they actually do. Its pretty much the first thing I check when there's a issue.

Deohjo · November 2019

Last year's Twitter was interesting

daemonios · November 2019

Versispellis wrote: »

daemonios wrote: »

Versispellis wrote: »

CassandraGemini wrote: »

lordrichter wrote: »

.

Czekoludek wrote: »

ZOS_GinaBruno wrote: »

The vendor we use to power the ESO forums reset all user passwords for partners that had upgraded to their most recent software version, which included the ESO forums. You are required to reset your password as a security precaution to address a potential security issue in their forum software. Please be aware that ESO forum accounts are completely separate from your ESO game account, so your existing credentials can still be used to access the game. To log into your forum account, simply go to the sign in screen and reset your password. As soon as we receive more information from the vendor, we'll pass it on.

Can you tell me how it is ossible to have so huge problems with communication after the outrage of event canceling and promisies that you will improve on that field? Seems a bit unprofessional

Wait, are you responding to Gina letting people know what is happening with a complaint that ZOS is not letting people know what is happening?

I believe all the anger here is directed more at the fact that we only got an official statement about this after it had already happened and also only when people actively started questioning it. The whole outrage does feel a bit artificially inflated at this point, though. I mean, who knows if ZoS even realized this would happen? And honestly, yes, a little heads-up would have been nice, if it was possible, but it's not like I'm going to lose sleep over this, so... meh.

Seems performative, even.

Reactions tend to become inflamed when there is a succession of events that trigger them. Accusing players of being performative or artificially inflating their anger seems unfair and misguided when ZOS have collected an astonishing number of blunders in the past year, including the PC-EU server imploding regularly, queues being turned on and off with little to no communication, especially in-game, events being postponed, extended or cancelled, again with poor communication, a roadmap to improve performance that was years in the making and flopped spectacularly (new group finder, anyone?), a commitment to improving communication that had yet to be translated in concrete actions... Need I go on?

If you're happy with ZOS, that's fine. But don't shoot down and presume malice from those people who aren't.

Please don't be so hyperbolic. The mild inconvenience that people have experienced over the password resets has nothing to do with any of those other issues. Keep the stuff separated from the stuff.

Yes, they are all separate. Failings in communication. Failings in performance in stability. Failings in third party providers. They are all minor inconveniences. Move along, citizen - nothing to see here. And don't forget to buy your clowns.

ZOS_JesC · November 2019

Greetings, we've removed a handful of bashing or inappropriate comments. This is a friendly reminder to adhere to our forum rules and remain civil when posting. Personal insults are never appropriate for the ESO forums. Thank you for your understanding.

anitajoneb17_ESO · November 2019

VaranisArano wrote: »

Here's the Vanilla Forums incident report on what happened: https://status.vanillaforums.com/incidents/2zdqxf3bt7mj

My takeaway?
1. It wasn't a data breach, so much as a bug causing quote chains to link more personal info than they ought to if you looked at the network requests/API/HTML. The sign out/password reset was definitely done by Vanilla, so we don't have to worry about that being the ZOS admins or a hacker.

2. If you use the same password for the forums on other sites or your account, it would be a wise precaution to change those...but then, we all know that's normal password security regardless.

3. To my personal amusement, ZOS isn't the only company who only posts incident reports after the fix is done.

Thank you. Although I don't understand everything they say (SSO connection ?) it looks like the combo ID+PW *could* have leaked to third parties, so I changed both my passwords (game and forum) and made them different (they used to be the same).
I truly hope digital identification and security will make some innovation in the near future, because passwords are a PITA, especially if you try and follow the general guidelines (different one for each site, not in dictionary, change often, etc.) because then you simply forget them. Oh and you're not supposed to write them down anywhere, of course.

As to your 3rd point, I actually understand why a company does not publish a security hole issue BEFORE it's patched, it simply makes sense...

ChefZero · November 2019

Happened to me too.

NotaDaedraWorshipper · November 2019

I honestly don't see why some people are flipping over this. It's not even ZoS fault but the company that host this forum.
Who knows when ZoS knew about or if they even did until players started talk about it.

These things can happen with forums and it's better they do the safety measures as soon as possible rather than hold off until they have informed everyone. Besides, unless you have the same password for both the forum and the game (Which is not wise) it isn't that big of a deal.

Anyhows, would information been nice? Yes if they knew about it, but better safe than sorry.

Rake · November 2019

What a bs

Alinhbo_Tyaka · November 2019

A few comments have been made about the timeliness of ZOS knowing about the reset. ZOS didn't have to know, though I don't believe the vendor would have made such a move without informing its customers first. In any event the website hosting company should have put a notice up to the website that passwords had been reset and that user would be asked to utilized the reset process when they attempted to login. It could have been posted in the same manner as ZOS post their maintenance status. Regardless there is an obvious communications problem between ZOS, its vendor and the user base that needs to be looked into with the result being a change in their procedures.

Hallothiel · November 2019

So even after information is posted from various sources explaining it was nothing to do with Zos, people still getting arsey with Gina & co? Really?!

How do you cope when serious things go wrong in your real life & you can’t blame Zos?!

TheRealPotoroo · November 2019

Versispellis wrote: »

Everyone making a mountain out of a molehill. Security protocol and required password resets are pretty standard fair for web services. My bank account requires me to regularly reset my password, and I don't need to ask, because I know it's security protocol. The message about an "admin making changes to your account" is probably one of several generic notification messages that get kicked out the door and don't necessarily mean anything.

No, pissing off your user base with an entirely unexpected security update combined with disturbing messages about admins making unforeseen changes to your account for no apparent reason is totally not OK.

Hallothiel · November 2019

TheRealPotoroo wrote: »

Versispellis wrote: »

Everyone making a mountain out of a molehill. Security protocol and required password resets are pretty standard fair for web services. My bank account requires me to regularly reset my password, and I don't need to ask, because I know it's security protocol. The message about an "admin making changes to your account" is probably one of several generic notification messages that get kicked out the door and don't necessarily mean anything.

No, pissing off your user base with an entirely unexpected security update combined with disturbing messages about admins making unforeseen changes to your account for no apparent reason is totally not OK.

Read the thread see if you can find the actual explanation before getting arsey with the wrong people.

TheRealPotoroo · November 2019

Hallothiel wrote: »

TheRealPotoroo wrote: »

Versispellis wrote: »

Everyone making a mountain out of a molehill. Security protocol and required password resets are pretty standard fair for web services. My bank account requires me to regularly reset my password, and I don't need to ask, because I know it's security protocol. The message about an "admin making changes to your account" is probably one of several generic notification messages that get kicked out the door and don't necessarily mean anything.

No, pissing off your user base with an entirely unexpected security update combined with disturbing messages about admins making unforeseen changes to your account for no apparent reason is totally not OK.

Read the thread see if you can find the actual explanation before getting arsey with the wrong people.

I read it and it doesn't change the fact that the way it was handled was not OK and we have good reason to be upset, contra Versispellis.

TheRealPotoroo · November 2019

Dupe

SickleCider · November 2019

TheRealPotoroo wrote: »

Hallothiel wrote: »

TheRealPotoroo wrote: »

Versispellis wrote: »

Everyone making a mountain out of a molehill. Security protocol and required password resets are pretty standard fair for web services. My bank account requires me to regularly reset my password, and I don't need to ask, because I know it's security protocol. The message about an "admin making changes to your account" is probably one of several generic notification messages that get kicked out the door and don't necessarily mean anything.

No, pissing off your user base with an entirely unexpected security update combined with disturbing messages about admins making unforeseen changes to your account for no apparent reason is totally not OK.

Read the thread see if you can find the actual explanation before getting arsey with the wrong people.

I read it and it doesn't change the fact that the way it was handled was not OK and we should be upset, contra Versispellis.

Ooo! That sounds like the name of a black metal band. I like it.

Jaraal · November 2019

Hallothiel wrote: »

So even after information is posted from various sources explaining it was nothing to do with Zos, people still getting arsey with Gina & co? Really?!

How do you cope when serious things go wrong in your real life & you can’t blame Zos?!

They should have sent an email saying 'Forum provider reset all passwords due to a potential exploit, no you're not being phished, go ahead and reset your password and all is good.' Instead, you have people thinking they got banned, hacked, trolled, whatever..... until they happen to make it back in and read a few threads to find the "official" report buried on the third page of a user post, instead of being pinned where everyone can see it.

Fortunately, those of us in this discussion still have our original email accounts we signed up with, followed the instructions, and are back in business. Those who don't are forever condemned to the e-void, or will soon be coming back with new accounts and Soul Shriven titles, or only to be told they already have an account, can't make a new one, contact customer service, and may Sithis have mercy on your message board deprived soul.