
Security Disclosure - Data Leak


lazypenguin


Dear Player,


It was disclosed to us last week that our login service was leaking email addresses and we worked swiftly to resolve the issue. Unfortunately, we misidentified the source of the problem and unbeknownst to us the leak persisted until we received a second disclosure yesterday (Dec 20, 2022). Additionally, we received more details that partial passwords could be included in the leaked data as well. As such, we made the decision last night to shut down the servers to prevent any more data leaks.


If you logged into the game anytime between December 13th and December 20th your email and, potentially, part of your password may have been leaked. If you share passwords across services we recommend you CHANGE PASSWORDS immediately and change your passwords at roseonlinegame.com as well.


To clarify, our systems HAVE NOT been compromised. We securely store your passwords in our system following best practices, which include encrypting passwords using a strong hashing algorithm with a salt and storing them only in that fully encrypted form.


The data leak originates from our login service which due to a bug was not correctly clearing data, which in turn would result in some data leaking under certain circumstances. As many of you are aware, we inherited a large and old code base when we started this project. It appears that this data leak has existed in this code for a very long time, predating our acquisition of it, but has seemingly gone unnoticed. Thank you very much to our community member that responsibly disclosed it to us.


Here are the details:

  • After logging in, a player's credentials were not cleanly wiped from memory
  • An attacker could repeatedly request a login and would potentially get some of the player's login data due to the memory issue (this is the data leak)
  • If the player's email was 24 characters or more in length, then only their email address could be leaked
  • If the player's email was less than 24 characters, then part of the player's password could be leaked in addition to the full email address
  • If the player's email and password combined were less than 24 characters, then the full credentials could be leaked

NOTE: You would only be impacted by this leak IF you logged in to the game using the game client during this time period (Dec 13, 2022 - Dec 20, 2022)
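The bullet list above describes a classic stale-buffer defect: a fixed-width credential field is reused between login requests without being cleared, so a request that writes fewer bytes than the previous one leaves the earlier player's email and password in the tail of the field. The following C program is an added illustration of that bug class and its fix; it is not the game's code, and the 24-byte field size, the packed email-then-password layout, the function names (login_leaky, login_fixed, stale_bytes) and the sample credentials are all constructed assumptions chosen to mirror the thresholds in the post.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model: a 24-byte fixed-width credential field, matching the
   24-character threshold in the disclosure. Everything here is an
   illustration of the bug class, not the game's actual code. */
#define CRED_FIELD 24

static char leaky_field[CRED_FIELD];  /* reused between requests, never cleared */
static char fixed_field[CRED_FIELD];  /* cleared before every use */

/* Zero memory through a volatile pointer so the compiler cannot drop the
   stores as dead writes (a plain memset before a buffer goes out of scope
   is often optimised away, which is why "we added a memset" fixes can fail). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Pack email then password into the field with no separator, truncating at
   CRED_FIELD. Returns the number of bytes written; the rest is untouched. */
static size_t pack_credentials(char *field, const char *email, const char *password)
{
    size_t pos = 0;
    for (const char *p = email; *p && pos < CRED_FIELD; p++)
        field[pos++] = *p;
    for (const char *p = password; *p && pos < CRED_FIELD; p++)
        field[pos++] = *p;
    return pos;
}

/* Vulnerable pattern: the field is reused without clearing, so a short
   email+password leaves the previous request's bytes in the tail. If the
   server ever copies the whole field into a reply, those bytes leave the
   process, which is the leak described in the post. */
const char *login_leaky(const char *email, const char *password)
{
    pack_credentials(leaky_field, email, password);
    return leaky_field;
}

/* Hardened pattern: clear the field before reuse so the tail is always zero.
   Production code should also clear it as soon as the credentials have been
   consumed, so they do not linger in memory between requests at all. */
const char *login_fixed(const char *email, const char *password)
{
    secure_zero(fixed_field, CRED_FIELD);
    pack_credentials(fixed_field, email, password);
    return fixed_field;
}

/* Check helper: count non-zero bytes in the field beyond what this request
   wrote. Any value above zero means data from an earlier request survived. */
size_t stale_bytes(const char *field, const char *email, const char *password)
{
    size_t written = strlen(email) + strlen(password);
    size_t stale = 0;
    if (written > CRED_FIELD)
        written = CRED_FIELD;
    for (size_t i = written; i < CRED_FIELD; i++)
        if (field[i] != 0)
            stale++;
    return stale;
}

int main(void)
{
    /* Constructed sample credentials: a long login followed by a short one. */
    login_leaky("alice@example.com", "hunter2!");
    const char *f = login_leaky("b@x.io", "pw");
    printf("leaky: %zu stale bytes after the second login\n",
           stale_bytes(f, "b@x.io", "pw"));

    login_fixed("alice@example.com", "hunter2!");
    const char *g = login_fixed("b@x.io", "pw");
    printf("fixed: %zu stale bytes after the second login\n",
           stale_bytes(g, "b@x.io", "pw"));
    return 0;
}
```

With these inputs the leaky variant reports 16 stale bytes after the second login (the tail of the first player's email plus their password), while the fixed variant reports 0. The same stale_bytes check is the kind of assertion worth keeping in a regression test for any handler that reuses fixed-width buffers.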


We have already implemented a fix for the data leak but are taking this opportunity to add additional security around the login process. We thank you for your patience and we sincerely apologize for this incident. We are working hard to bring this game back to all our players and are actively addressing all issues during our Early Access period.

Thank you,
