CCP recently discovered an SSO (single sign-on) bug with EVE Online’s test server. The good news is that CCP fixed it. The bad news is the same bug somehow reoccurred on Tranquility, the game’s live server, leading to the possibility that players could have unintentionally logged into each others’ accounts. As a result of the login bug, says CCP,
“[S]ome users once again were given valid authentication tokens for accounts that were not their own. This gave them the ability to log into the accounts in question and perform any action the owner of the account would have been able to in-game. We haven’t found any evidence that unauthorized access to other services was possible or has taken place, but we are continuing to investigate to confirm that this is the case.
As soon as the issue was identified to be occurring on Tranquility we shut down the login server, preventing any further errant authentication tokens from being given out. Since that meant that players couldn’t log into the game, and that those with existing errant authentication tokens would still be able to access other accounts, we also decided to instigate emergency downtime on Tranquility while we resolved the issue. Our next steps were to purge all authentication tokens, making the errant authentication tokens useless, and rollback the login server update so that the issue did not reoccur.”
If this bug sounds familiar, that’s because it’s pretty much what happened to Steam over Christmas. Unlike Valve, however, CCP explained the situation and apologized immediately. Everyone will need to log in again when using any EVE-related servers using SSO, third-party services included; the studio is still sorting out which accounts were affected and by how much.
We are compiling a list of affected accounts, and our customer service and security teams are working on verifying the integrity of the accounts and assets contained therein. We will be in touch with those affected in due course, so you are not required to file a support ticket. However, if you feel that you have been adversely affected by the issue, you are still welcome to submit a ticket.