Originally Posted by Forbin_Project
if a person or group of people are trying to take advantage of this bug
NCsoft Master Account Security Issues
Steps to addressing this --
1.) Lock out all master accounts.
2.) Stop charging play-time to players until this is resolved.
3.) Send an email and update the login page notifying players of the temporary lock out, that they are being compensated and need not worry about subscription times running out.
4.) For people trying to create new accounts, post a web page apologizing for the delay in creation and offer a free 7 day subscription code applicable to any new game code or game update code.
5.) Squash the problem.
@Texarkana
@Thexder
LOL, looking to change my password at plaync.com, I got this message:
500 Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator, you@example.com and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.
Edit: now it's working, thank goodness.
No, it's not. That's part of the bug. The problem apparently is that there is a tiny chance that instead of that page, you'll be sent to the account page of someone else. Where you can then do anything you want - copy all their contact info, change their email and passwords for everything, possibly even cancel billing on their games. (And once you've changed their passwords, you can log in and strip all their characters of anything valuable.)
This is a major security hole, especially since it *doesn't matter* what you do about it as a customer. You can change your password to a 36 character monster that uses ancient Sanskrit instead of the normal alphabet, and it won't help. The bug *bypasses* the normal login. I enter my password, get glitched, and can access *your* account. If it happens, even if they don't touch your account they've got your name, email address, and physical address. All they need to do is find a way to phish a few other pieces of info out of you, and they've got everything they need for ID theft.
Has anyone been able to replicate this yet? I haven't. All that has happened to me is that I either see my account page, or I get an error message (probably because tons of people are hammering the F5 key).
Until I see pics or whatnot, this is just F.U.D. Even Massively.com admits it's still a rumor.
Out of curiosity, is there anything we could do to help bring this issue to the attention of someone that actually cares and can do something about getting it fixed? Since this is a problem with the NCSoft account interface, I don't think filing a support claim through CoH will really do anything - it's not a Paragon Studios problem. (Aside from the fact that it's not their job to handle rumor control, which is probably all that this could be considered until after your account has actually been stripped.)
If there is indeed something to be fixed (which is still questionable AFAICT), a PM to a Community Rep such as Niviene or TheOcho would be sufficient.
Of course as is typical they aren't going to say the problem lies on their end because people would cancel their accounts if they knew there was such a huge security risk, and what they did say is just vague enough that they can claim they meant by other games and websites that they meant CoH or Lineage, etc.
So, is this affecting CoH players, or only GW players? Has CoH had to update their security or login procedures? I only ask because I only play CoH and not GW.
It doesn't really matter what NC games you play if anyone can randomly end up on your master account page.
I think key loggers and gold-buying sites are more likely culprits than PlayNC.com. They're probably looking for accounts that happen to use the same username/password for their GW accounts as their PlayNC accounts. Once you have the info, it's not hard to do by hand, let alone through an automated program.
Good points. Forbin's screenie didn't really answer anything in regards to PlayNC.com specifically, and although I don't see any proof so far that anything is happening, that doesn't mean there might not be a problem... just one that's very hard to replicate. Still, there's no doubt that NCSoft is probably looking into any potential exploit on PlayNC.com, especially now that Massively.com is reporting on the rumor.
KillTenRats is run by a guy who was my old Everquest guildmate. (Or maybe it's just one of the writers, I forget.) ^_^ The Grove, Test Server, R.I.P.
Studying their author list, there are several people. I know Julian and Oz were guildmates. Maybe some of the others are going by names different from what I knew them by.
my lil RWZ Challenge vid
I hope that, since they're looking into vulnerabilities anyhow, they start letting us use non-alphanumeric characters for passwords. I have a really strong password I like to use that involves these characters and can use it on other secure sites... but not for my main NCSoft account, for some bizarre reason.
I'm assuming that people with just CoH accounts may be safe from the bug, because it seems to be affecting people with Aion and GW accounts. Which may be why we haven't heard much on this topic.
Which still leaves me as potentially doomed if the bug is real. I have a GW account, and I tried the Aion beta before it went live. The Aion account is therefore seriously dead, but there's no way to delete it or remove it from the rest of the account.
At this point, if you at least have some evidence that it's your account you will at least have something to take to NCsoft CS if things go wrong.
At this point, you wouldn't be "potentially doomed". Your master account password can no longer be changed without the old password, so your whole account can't be hijacked the way they were doing it. They may be able to temporarily change your game account passwords, but as long as your master account is still intact that can be fixed. They seem to be leaving CoH game accounts alone, and the recent changes to GW will keep a password change there from doing them any good.
This just happened to me in March. Took 4 days to get it straightened out again. Apparently it's not over yet.
Spines/ D A lvl 50 Scrap, stone/wm lvl 50 tank, Kat/reg lvl 50 Scrap
Grav/Kin lvl 50 Cont, Fire/Energy lvl 50 Blast
Warshade lvl 50, PB lvl 39, nightwidow lvl 50, crab lvl 42
plant/thorns lvl 50 dom, ice/fire lvl 40 dom, grav/nrg lvl 41 dom
Just yesterday I got the automated email saying someone had changed the contact info on my Aion account. I don't even have an Aion account! What's up with that??
Greetings! This is an automated notification regarding your Aion account. Some or all of your contact information was recently modified through the Account Management website.
*** If you made recent account changes, please disregard this automatic notification. You can login to Account Management at the following link to review your account settings: http://secure.ncsoft.xxx/cgi-bin/plaync_login.pl
*** If you did NOT make any changes to your account, please contact support immediately at support@ncxsoft.com.
Sounds and looks like a scam, I wouldn't click on the link or anything and just report it to NCsoft.
Paragon Unleashed Forums
Twitter: @Alpha_Ryvius