Black Desert Online locks (some) player accounts in the wake of data breach

    

Black Desert Online appears to be in the midst of an account-security fiasco, as a recent forum post from GM Rhotaaz has announced that the “account information of a number of users has been posted publicly on various sites and platforms.” A subsequent investigation by Kakao Games “revealed that the account information came from a leak that was not associated with [the studio],” and therefore “it’s difficult for [Kakao] to verify [that] the list that was posted includes all affected accounts.”

In order to ensure the security of players’ accounts, all affected Black Desert accounts have had their passwords reset and have been locked “pending verification from the original owner.” In order to verify their identities, each player whose account has been locked must contact customer support from a new email address with a message that contains the original e-mail associated with his or her account as well as a photograph depicting his or her government-issued photo ID (to verify name and date of birth) alongside either a physical newspaper showing the current date or the player’s screen showing his or her open support ticket.

Needless to say, many players are less than pleased about this turn of events, with some users on the game’s subreddit balking at the prospect of handing over photos of identification documents (even with all but the necessary information — legal name and date of birth — redacted) in the wake of such a massive data breach. As for how the breach occurred in the first place, speculation runs rampant, but neither Kakao nor any other source has come forward with any information. A Reddit post on the topic claims that the data “is unencrypted and validated data (i.e., working accounts). This doesn’t mean the data was stored in plain-text but was obviously stored in an easily solved encryption method.” [This claim has since been rebutted by Kakao; see update below.]

Source: Official Forums, r/BlackDesertOnline. Thanks, Pasha!
Update 12:30 PM EDT
We’ve spoken to a representative for Kakao, who has clarified for us that only affected users will see a password reset and account lock. Moreover, the breach wasn’t widespread. “Only a relatively small number of users were affected,” the rep told us, but he said he couldn’t reveal the exact number or the precise details on how the company encrypts player data: “Although we cannot go into detail on how we are encrypting our user’s data, we ensure you that we use the latest standards and technologies.”

krieglich

Photo ID and a newspaper, they must be out of their fucking mind. How about some 419 Eater pics?

Godnaz

Accounts locked and passwords changed only for those affected.

*logs into account like normal.

Ah, okay. Cool.

Schlag Sweetleaf

[Image: hack desert online.gif]

Daniel Miller

I won’t knock them for doing it. I mean, let’s take Equifax, or Social Security. Both were massively hit, even Sony. But no one reached out to verify it was you.

Or where your info was used. Korea does this often when a breach takes place. Recently, you saw Lost Ark do this to protect people’s personal info. While the West got mad they couldn’t reverify as they bought illegal goods. It protects the real user.

Paragon Lost

“revealed that the account information came from a leak that was not associated with [the studio],” and therefore “it’s difficult for [Kakao] to verify [that] the list that was posted includes all affected accounts.”

WTH, how is that even possibly a possible factual statement by them? How can customer data, data that Kakao Games should have encrypted, hashed etc. be out there and out in the open? 2019 people, how is this still an ongoing thing with businesses, gaming or not?

As an aside, locking down the accounts truly is their only real move at this time until they get their shit together. I know due to all the data breaches in recent years my wife and I keep our credit locked down and only unfreeze it when we want to purchase something big.

I think the last time I checked we were running close to or around 840 credit rating. Even with the pain in the ass of paying to unfreeze and refreeze it, it’s worked out well for us. At least until corporations start getting “real fines and jail time” for not taking IT security seriously.

Tanek

If we assume Kakao is correct, there are multiple other ways the information could get out there. Fan sites, powerleveling, goldselling, or just constant reuse of the same login information have all been culprits in the past.

This is not to say companies in 2019 are not at fault many times, but the fact that customers in 2019 still willingly put their information at risk with 3rd party sites and questionable “services” is, to me, more shocking.

Paragon Lost

Good point, that’s also an issue that can’t be ignored as well.

Toy Clown

Neither of my accounts were affected. I wish they’d give us information on which site was the culprit for the breached accounts. However, I respect that they got word out immediately and locked down suspected pirated accounts.

I always change my passwords regularly and utilize extra-step protection where it’s offered, and I stay away from certain sites that want access to my game settings. While the gear-planning sites are probably legit, I’m not comfortable with the way some access character information. I also don’t buy or sell in-game currencies, which is where I highly suspect a lot of pirating of accounts comes from.

Alex Willis

This is actually one for the record-books. Outstanding.

10/10 would expose myself to even deeper privacy breaches again

BalsBigBrother

We had a data breach now give us even more detailed personally identifiable information for reasons. Yeah sure let me get right onto that because my trust has in no way been negatively impacted by these events.

Glad I never clicked with BDO because I would nope right out of this game as a result of this regardless of whether I was affected or not by this particular breach.

Good luck to anyone affected and I hope you all are able to resolve this without anything bad happening.

Mordyjuice

Even in the desert your data isn’t safe from Tusken Raiders!

[Image: tuskenraider.jpg]

lunamoonraker

Therefore, in order to ensure the security of players’ accounts, all existing Black Desert accounts have had their passwords reset and have been locked

Not excusing the very poor security at their end, this is however not what happened. The wording is poor, in fact from the official statement which reads:

All known accounts have had their password reset.
All known accounts have been locked pending verification from the original owner.

The important bit is known, as they did not reset most BDO accounts, only the ones they identified as breached (via the leaked lists I assume), not all. My account did not require any changes or any form of verification, nor those of my friends, so it looks like it was just those affected by the leak from the posts to Reddit etc.

wratts

Was wondering about this. I have two accounts, one of which is afk fishing now. Based on logging into the BDO main site, neither has been locked.