Trion Worlds Account Database Hacked

by Tim Harmer, 23.12.2011 04:14:12

Earlier today Elrar, Community Manager at the Trion Worlds forum for popular MMO Rift, announced that a database storing personal information had been accessed by unauthorised parties. The database contained information including:

User names,
Encrypted passwords,
Dates of birth,
Email addresses,
Billing addresses,
The first and last four digits and expiration dates of customer credit cards.

A veritable goldmine of information for identity thieves. Early reports on Twitter are that they have also not contacted former subscribers and previous account holders who don't currently have an active account. Update: e-mails to lapsed account holders are in the process of being sent.

Trion Worlds state that they have no evidence to suggest full credit card information was compromised, and so long as Trion made sure that PCI protocols remained in place your credit card should be okay, but you may wish to take the usual precautions. The language of their statement indicates that, apart from account passwords, none of the information was encrypted or hashed, which, whilst being up to US law, doesn't exactly fill one with confidence. It does appear that Trion notified their current account holders within a short period of discovering the breach, so they deserve credit in that regard.

The full text of Trion Worlds' advice and guidance can be seen here and is partially mirrored below.

Important notification concerning your Trion Worlds account

We recently discovered that unauthorized intruders gained access to a Trion Worlds account database.

The database in question contained information including user names, encrypted passwords, dates of birth, email addresses, billing addresses, and the first and last four digits and expiration dates of customer credit cards.

There is no evidence, and we have no reason to believe, that full credit card information was accessed or compromised in any way. We have already taken further action to strengthen our systems, even as we, with external security experts, continue to research the extent of the unauthorized access.

You will notice on your next log in to our website that you will be required to change your password, and existing Mobile Authenticator users will also need to reconnect their Authenticator. When you log in, you will be prompted to provide a new password, security questions and answers, and be given the option to connect your account to our Mobile Authenticator to enhance your account’s security.

If you have used your username and password for other accounts, especially financial accounts or accounts with personal information, we suggest you change your passwords on those accounts as well. We recommend that you carefully review your statements, account activity, and credit reports to help protect the security of those accounts. If you need information on how to obtain your credit report or believe any such accounts have been breached, please see below for more information.

You should have continued, uninterrupted access to RIFT, and we do not anticipate any disruptions to your playing time.

Nevertheless, if you own the RIFT game, you will be granted three (3) days of complimentary RIFT game time once you update your password and security questions.

Additionally, once you update your account and set a new password, your account will be granted a Moneybags’ Purse, which increases your looted coin by 10%, even if you have not yet purchased RIFT.

Please log in to (and we recommend that you copy and paste this link into your browser to access the site) to update your password, security questions and Authenticator.

We apologize for any inconvenience this may have caused you. If you have further questions, please visit our website,

(emphasis theirs)