Some important questions on the security incident / data leak


Fietsopa

Let me start by saying that I am not active on the ROSE Online Discord, as such I have been fed information from people active there, mainly through screenshots. 

Having heard about the security incident and data leak, I have a few questions swirling in my head that I think other players might be interested in knowing the answers to as well. 

While it is good to see that the team is actively communicating with the player base on this, I would like to point out the obvious here: this is their legal responsibility by virtue of the applicable data protection legislation, especially the GDPR, which is a regime that covers my personal data as a citizen of the European Union. This level of communication is the bare minimum needed to meet the legal obligations imposed on data controllers and data processors. As such, I urge players to avoid commending Rednim on doing its legal obligations in this case as that is expected of them by default. Also, players should have some patience as the team works through this mess - having been involved in data leak incidents in the past, I am well aware of the amount of work needed to address them. I do hope that the good communication we've seen from the team will continue, together with any additional legal requirements, filings and notifications required of them pursuant to the applicable legislation. 

The last Discord post I have seen is the one below:


Here are my questions:

  1. At the start, the Discord post states that "If you logged into the game anytime between December 13th and December 20st your email and, potentially, part of your password may have been leaked". Towards the end, the Discord post has a list, and one of the points reads "if the player's email and password combined were less than the 24 characters then the full credentials could be leaked". These two statements do not make sense together - is the leak only of partial passwords or is the leak of full passwords as well?
    Although I have used burner passwords on both my accounts, this is perhaps pertinent information for some players.
     
  2. The post states that "our systems HAVE NOT been compromised", however, is the login server not one of your core systems? Or do you mean that your systems have not been breached, but rather data access was "tricked" by external actions?
    Your team has to be very careful with your wording here as you don't want to give people affected by the data leak the wrong impression. This is particularly the case where you make posts claiming that Y has NOT happened. Please understand that people reading such posts would hang onto every word and something as simple as "our systems HAVE NOT been compromised" may be misinterpreted by them to mean "I'm safe". 
     
  3. There have been quite a few references to "old code" and "inherited code" throughout the Discord and Forum posts I have seen. When I first heard of this server launch, and particularly when it was confirmed that the server will be "official" (and the server was advertised as such), I naturally assumed that the server will start on the basis of the modern naROSE code, which should have had these issues patched long ago. Can we get a confirmation if this is the case or not? How old is the code that this server is running? How old was the piece of code that caused this incident and why did Gravity not provide an updated version, assuming one exists, for such a key feature/fix?
     
  4. If the server is running much older code, why has the label "official" been continuously pressed? I do not mean to offend here, but please understand that a lot of players would naturally link "official" with the naROSE version given the alleged permission obtained from Gravity, ergo certain expectations about the age and state of the code would have been made by these players. For example, I had an expectation that the most up-to-date code would be run and this is what Gravity brought to the table when they agreed for Rednim to launch this server. My experience at launch (not talking about the network issues - these are to be expected) was of a much, much older version of evoROSE, missing a ton of QoL features present in naROSE for quite some time. Is my assumption about the code used and Gravity's input wrong then, and can you please clarify?
     
  5. If the game and servers are prone to security vulnerabilities stemming from old code, shouldn't a closed/semi-closed, controlled beta be run first before early access release? Do you have any plans for that?
    For the people who will jump at me from the rooftops - early access is not the same as a beta, no matter how much indie companies on Steam like to push this narrative. Early access means "this is ready for release from a core technical features standpoint, but the content is not there yet". Beta means "both the core technical aspects and the content are still under development". Crucial difference with a big effect on users. Things like personal data security should trump any desire by players to get their hands early on an unfinished product. While you might enjoy the game 3 months earlier, someone's life could be ruined by identity theft from leaked data. It's not worth it, so please don't debate on this. 

 

Thanks a lot for reading through this and I hope we can get some answers on these points. Good luck with the fixes!


I commend any company that meets onerous regulations imposed by boomers in a failing government conglomeration who don't know the first thing about tech. Always word things carefully when it comes to law. The company's lawyer should be revising everything put out or even be the one writing it. Document everything.

I don't know what Gravity sold Rednim, but Gravity may have mischaracterized what was for sale as a sound product when it in fact had critical issues. Gravity ran the game with garbage code the entire time. It probably leaked data constantly too, but the company had no transparency.


This gives us 2 possibilities u.u:

Either Gravity left the game with "leaking" code which Gravity never fixed,

or the code just broke when the Rednim team put in new features.

 

Maybe option 2 is something to consider due to the "in-game code security", but then why are there so many "private servers" and how do they do the job so well? Maybe it is because of the version of the game...?


6 hours ago, DoubleRose said:

I commend any company that meets onerous regulations imposed by boomers in a failing government conglomeration who don't know the first thing about tech. Always word things carefully when it comes to law. The company's lawyer should be revising everything put out or even be the one writing it. Document everything.

I don't know what Gravity sold Rednim, but Gravity may have mischaracterized what was for sale as a sound product when it in fact had critical issues. Gravity ran the game with garbage code the entire time. It probably leaked data constantly too, but the company had no transparency.

I'm convinced there's a reason here why Gravity decided to ditch countries regulated by GDPR.


What really baffles me is the choice of using email+password in the client as a combination (when they might know the client is easy to tamper with).

That could easily be tried on multiple websites if the info leaks in some way (which it kinda did).
I know everybody is responsible for 2FA/good passwords and not using the same password everywhere, but still, it could have been avoided.
(Example: make the game account through the website.)
 


Old ROSE from Gravity had lots of things/logic which made 0 sense from the point of view of security or other aspects. It was not different before either, as back then their main focus was just selling the item mall and doing the minimum about game security or other things.

Edited by rayun
too many typos :p

Hope everyone had a nice time so far during the holidays.

Just bumping this to see if we can get some answers, in particular to the first question as it's still unclear to me whether the leaked data is partial or could be whole. The email sent after the Discord post was essentially the same, so it didn't provide an answer.

If there is interest in answering the remaining questions - awesome. If not, then at least people wondering about this can get some closure that there won't be an answer by staff.

Wishing everyone safe holidays.
