[DE]Drew

Web Account Breach & How to enable Two-Factor Authentication


Tenno, 

Last week we were made aware of a potential web server breach that occurred in November 2014. At the time, we believed this to be a phishing scam as our account server was secure.  After a thorough review of the data we received, we can confirm that a list of 775,749 email addresses were acquired through a Drupal SQL exploit that was patched by Drupal two weeks after the breach occurred. The stolen data DID NOT include any account passwords, variations of passwords, hashed passwords, game account data or personal player information such as full names, addresses or other billing and payment information. Note that while there were hashes in the stolen data these were meaningless hashes of Alias names.

We take account and game security very seriously and are constantly working to improve and plug any exploits we find.  As part of our continued efforts to improve the security of Warframe, over the last year and a half we have added two-factor authentication (2FA) and also replaced Drupal with a custom website system that no longer stores any account information to avoid exposing ourselves to these sorts of attacks.

We would like to remind players to be wary of phishing sites and email scams that request your password. Digital Extremes never requests your password by email or other forms of communication. The only site where players should use their Warframe login information is Warframe.com.

(please note: XB1 & PS4 passwords or emails are never stored on our servers and two-factor authentication is unavailable in this way)

Digital Extremes recommends that all Warframe players take the time to review and reset their passwords frequently.

For steps on how to enable two-factor authentication, see the images below. 
 
To enable Two-Factor Authentication, go to Warframe.com and select “Account Management” from the menu beside your account name (log in if necessary). 


On your account management page, you should see the option to enable Two-Factor Authentication.

You’ll receive an email with a link to confirm. Click the link, and you’re all set!

 

To update your password, use the “CHANGE PASSWORD” button on the left.

 

 

Edited by [DE]jaywalker
Slight tweaks for clarity
  • Upvote 30

----------
6 minutes ago, [DE]Drew said:

we can confirm that a list of 775,749 email addresses were acquired through a Drupal SQL exploit that was patched by Drupal two weeks after the breach occurred.

What does that mean?

I have played since the closed beta, so someone got my email address, nothing more? So I suppose it's not dangerous and I don't have to change anything, right?

Thanks

----------

Restricting the characters for use in passwords like DE has done doesn't make them more secure.

You should really just increase the minimum length required rather than putting in requirements like extra symbols, numbers or capitalisations, restrictions that can actually decrease the security of the password system.

This is a fine suggestion at least:

19 minutes ago, [DE]Drew said:

...
Digital Extremes recommends that all Warframe players take the time to review and reset their passwords frequently. 

 

  • Upvote 2

----------

Question: Will you be notifying the people who are on this list of "stolen" addresses directly?

  • Upvote 5

----------
5 minutes ago, (PS4)MakoPriest said:

Huh ps4 players kinda screwed on that security .

PS4 and XB1 players are unaffected by this as your accounts are created with Sony and MS using the Warframe website only as a conduit.  DE only gets your email address if you choose to enter it to receive our e-newsletter. 

  • Upvote 2

----------
10 minutes ago, [DE]jaywalker said:

PS4 and XB1 players are unaffected by this as your accounts are created with Sony and MS using the Warframe website only as a conduit.  DE only gets your email address if you choose to enter it to receive our e-newsletter. 

Ahh okie dokie, thanks for the reply. Newsletter is on a completely different email than account for security purposes.

----------
1 hour ago, clemza said:

What does that mean?

I have played since the closed beta, so someone got my email address, nothing more? So I suppose it's not dangerous and I don't have to change anything, right?

Thanks

Correct, they only got your username (in hashed form) and email address.  If you receive an email asking for your password for Warframe, do not respond.  It is a phishing expedition.

  • Upvote 4

----------
4 minutes ago, [DE]jaywalker said:

Correct, they only got your username (in hashed form) and email address.  If you receive an email asking for your password for Warframe, do not respond.  It is a phishing expedition.

Thank you for the information :)

Edited by clemza
"for"
  • Upvote 1

----------

Thank you for making this Drew. I tried suggesting this to another user worried about hackers. 

I am sure at the end of the day even hardcore hackers could bypass what feels like flawless security, but it should stop most in their tracks while giving the game a chance to lock their victim's account for safety. 

----------

What kind of 2 Factor system did I just sign up for?  Will I receive e-mail when I attempt to log in?  Text messages?

I'd prefer FIDO, since hardware tokens are cheap ($6) and also protect your Google, Dropbox, and Box accounts.  They're sufficiently cheap that I should buy a few spares… just in case my house burns down or something.  Another option is Yubico OTP in challenge-response mode, which doesn't (necessarily…) require out-of-band proof of user presence, but has the benefit of being a plug-and-forget solution.

Also, I desperately want a special-edition Yubi-void-key.  :D

  • Upvote 3

----------

Thank you for letting us know this

Edited by CKNPOTPIE
I realized i'm an idiot and misread

----------
17 hours ago, [DE]Drew said:

Tenno, 

Last week we were made aware of a potential web server breach that occurred in November 2014. At the time, we believed this to be a phishing scam as our account server was secure.  After a thorough review of the data we received, we can confirm that a list of 775,749 email addresses were acquired through a Drupal SQL exploit that was patched by Drupal two weeks after the breach occurred. The stolen data DID NOT include any account passwords, variations of passwords, hashed passwords, game account data or personal player information such as full names, addresses or other billing and payment information. Note that while there were hashes in the stolen data these were meaningless hashes of Alias names.

I'm rather concerned that this took you almost 2 years to come forth and publish this openly.  This ranks up there with Cryptic's debacle that occurred back around the time of the breach that had happened several years prior.  While it might be a good thing that it was only Usernames (encrypted) and E-Mail addresses (which apparently were in the clear), disclosure to the user base is as important as security -- particularly when it comes to breaches.

I would think that between Sony's problems as well as many other AAA Gaming Companies in the last decade that smaller companies would have some sort of faster disclosure to the affected user-base instead of waiting for them to stumble across such news in their various feeds and then finding out that it was (almost) 2 years prior when it occurred.  

While it's fortunate that I often change my passwords on accounts when it comes to in-game currencies and/or personal account information; I would think that as a customer, I would be informed directly by you -- the company --(as I was part of the community when this occurred) and not finding out my information from second-hand sources.  

Edited by MBaldelli
Editing issues.
  • Upvote 2

----------

Thank you for switching away from Drupal. You have increased account security ten-fold just by using a web system with a smaller attack surface.

----------
2 hours ago, MBaldelli said:

I'm rather concerned that this took you almost 2 years to come forth and publish this openly.

"Last week we were made aware of a potential web server breach that occurred in November 2014."

Sounds like DE were only informed last week that this occurred, not 2 years as it seems like Drupal didn't tell them what actually happened until now. 

  • Upvote 4

----------
19 hours ago, Chrome_Dragon said:

What kind of 2 Factor system did I just sign up for?  Will I receive e-mail when I attempt to log in?  Text messages?

 

I want to know the same thing to be honest. 

  • Upvote 1

----------
2 hours ago, EgoLion said:

I want to know the same thing to be honest. 

Yes. You receive a code by email when you log in to the Warframe client in a new location.

----------
10 minutes ago, Prototype_X9 said:

Yes. You receive a code by email when you log in to the Warframe client in a new location.

thank you for the reply :) 
