John Leyden reports:
Atari has apologised to gamers following a security breach that exposed their names and email addresses, leaving users at heightened risk of spam as a result.
The gaming outfit blamed the fairly minor breach (no credit cards or mobile phone numbers were exposed) on problems introduced during a migration to a new cloud-based server platform. The breach came to our attention via an Atari email (extract below) forwarded by Reg reader Troy, who commented: “Well, this sounds like fun, might explain all the recent spam I have been getting”.
Read more on The Register, although I would point out that as previously reported on this blog, Square Enix changed their assessment of the intrusion and its most recent update of December 19 affirms:
As a result of our continuing investigation, we have now confirmed that the database in which we store personal information was NOT accessed during the recent server intrusion. Therefore, your personal information was NOT compromised by an unknown third party.
This is another breach from a gaming site(s). I often wonder if these breaches are all related to the type of or version of forum software or an access control, or even the coder/programmer that may have worked in these organizations that may have hopped from job to job. Not to say that the person is bad, maybe just bad at the code they have produced or “Plague”erized.
If I had a well-established forum or board that had a high number of visitors, and I see other gaming sites getting whacked, the FIRST thing I would not say is, ahhhh that’s too bad, haha.
They should be dialing up the operations team and asking them how many versions are they behind when it comes to the version of PHP, MySQL and the forum software. I am sure there is a glitch somewhere that doesn’t do bounds checking, and the hackers are getting in.
Some sites do win the Bozo award for having lax security when it comes to passwords. I have seen many a writeup of passwords being extremely easy. It DOES start with the companies that make items, setting passwords to something very easy. It’s just as easy to create some step that requires the new equipment to have the password changed immediately upon accessing it for the first time. Then about 10% of the breaches may not happen.
Sites that have username and passwords with admin level functions need to be closely watched. Ensure the root, admins and general users of the *SQL databases, and access to the admin side of the forum/website have strong passwords that are changed out at least every 6 months, and are not used anywhere else.
With the ton of breaches that have occurred, it’s important to note that if a username and password combo is used in more than one place, the likelihood of it staying secure somewhere else is probably not very good at all.
Hackers like the shock and awe of having massive numbers affected when they do a breach. I am sure that’s not the only reason they do what they do, but it definitely makes heads turn when they do.
These places get comfortable with the cash, and lose grip on security of the site at hand. Then, they end up handing that fistful of cash over to fines, reconstruction or cleanup costs and such. It’s like they like the challenge or possibility of being hacked.
It’s not all about new and shiny technology that will save them; that as well will only be as good as the security that surrounds it.