Author Topic: EA Hacked.  (Read 2022 times)

Offline Colonol Dekker

  • HLP is my mistress
  • Moderator
  • 213
  • Aken Tigh Dekker- you've probably heard me
    • My old squad sub-domain
Quote
  We recently learned that hackers gained unauthorized access to the decade-old BioWare server system supporting the Neverwinter Nights forums. We immediately took appropriate steps to protect our consumers’ data and launched a thorough ongoing evaluation of the breach. We have determined that no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers. Our investigation shows that information such as user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates from these forum accounts on the system may have been compromised, as well as other information (if any) that you may have associated with your EA Account.

  In an abundance of caution, we have changed your password to ensure account security. Please visit this *snip* to reset your password immediately. If your link has expired, click here to generate a new email.

  We take the security of your information very seriously and regret any inconvenience this may have caused you. If your username, email address and/or password on your EA account are similar to those you use on other sites, we recommend changing the password at those sites as well. We advise all of our fans to always be aware of any suspicious emails or account activity and report any suspicious emails and account activity to Customer Support at 1-877-357-6007.

  If you have questions, please visit our FAQ at http://support.ea.com/app/answers/detail/a_id/5367/ or contact Customer Support at the phone number above.

  Aaryn Flynn
  Studio GM, BioWare Edmonton
  VP, Electronic Arts

I only have an EA account for my Mass Effect 2 DLC. (blackshark whoop) What I want to know is.....is this real, or HAAAAX!!
Campaigns I've added my distinctiveness to-
- Blue Planet: Battle Captains
-Battle of Neptune
-Between the Ashes 2
-Blue planet: Age of Aquarius
-FOTG?
-Inferno R1
-Ribos: The aftermath / -Retreat from Deneb
-Sol: A History
-TBP EACW teaser
-Earth Brakiri war
-TBP Fortune Hunters (I think?)
-TBP Relic
-Trancsend (Possibly?)
-Uncharted Territory
-Vassagos Dirge
-War Machine
(Others lost to the mists of time and no discernible audit trail)

Your friendly Orestes tactical controller.

Secret bomb God.
That one time I got permabanned and got to read who was being bitxhy about me :p....
GO GO DEKKER RANGERSSSS!!!!!!!!!!!!!!!!!
President of the Scooby Doo Model Appreciation Society
The only good Zod is a dead Zod
NEWGROUNDS COMEDY GOLD, UPDATED DAILY
http://badges.steamprofile.com/profile/default/steam/76561198011784807.png

 

Offline Starman01

  • 213
  • Mechwarrior
    • Wing Commander Saga
Quite hard to say. I received the same, and I have myself registered on an old board with Neverwinter Nights, and I think even with my CD-Key. Also the link is "https", though I don't know if that alone is a reason to trust it. I guess it's real, with all the current hacks going on, but I'm a little uncertain.

Since I still receive daily WoW phishing mails, I have decided to ignore this email. It says they reset my password. And if I really want to return to the forum, I guess I can simply ask for a new password via email.
MECHCOMMANDER OMNITECH

9 out of 10 voices in my head always tell me that I'm not insane. The 10th is only humming the melody of TETRIS.

 

Offline Klaustrophobia

  • 210
  • the REAL Nuke of HLP
    • North Carolina Tigers
I'm definitely not clicking the link in the email. I might go to the website and check for myself later.
I like to stare at the sun.

  

Offline Colonol Dekker

  • HLP is my mistress
  • Moderator
  • 213
  • Aken Tigh Dekker- you've probably heard me
    • My old squad sub-domain

 

Offline Fury

  • The Curmudgeon
  • 213
I got this message as well and it finally got me into overhauling my personal password security. I had been intending to do this for over a year now, but never got into it until now. See, I've been a bit lazy and used a collection of several passwords across low-security websites such as discussion forums. In places where a compromised password would actually be a concern, such as my server logins, Google or Facebook accounts, I use unique passwords.

So what exactly do I mean by overhauling my password security?
Step 1: Register to Dropbox and set it up. https://www.dropbox.com
Step 2: Install KeePass 2. http://keepass.info
Step 3: Create a new database in KeePass 2 using both a keyfile and a master password, then export it to your Dropbox folder. Just avoid the Public and Photos folders.
Step 4: Review the KeePass settings, as it offers quite a few security settings you can customize to your liking.
Step 5: Start changing all your passwords you have by creating a new entry per account in KeePass.
* While the default 20-character random password suggestion offered by KeePass 2 is really secure, it's a ***** to type when copy&paste is not available. So I adopted a custom pattern of aaa\-aaa\-aaa\-aaa instead. It's like a cd-key. This is much more convenient when you need to use your phone to see your password and type it on a PC. 12 random lowercase alphanumeric characters separated by dashes is a good compromise between security and convenience. There were several places, though, that either didn't accept dashes or had limitations on password length.
* I could only remember so many places I might have an account at, so I combed through my email using keywords such as "account", "password", "register", "registration" and "happy birthday". 50 entries and half a day later I'm finally done. There can't be very many places left where I haven't changed my password, if any.
Step 6: Use a mobile phone authenticator where possible. See these for example:
* http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
* http://us.blizzard.com/support/article.xml?locale=en_US&articleId=24660
Step 7: You can either install Dropbox and KeePass on other computers you personally use, or get one of those very small thumbnail-sized USB drives. If you have a supported phone, such as an Android phone, you can also install Dropbox and KeePass on your phone. Since your encrypted KeePass database requires both the master password and the keyfile to be readable, losing your USB drive or phone is not catastrophic.

Is this worth spending half a day in front of your computer changing all your online passwords? Considering how many security breaches there have been in the last three months, and that it is quite likely you've been affected by at least one of these security breaches, I'd say yes. Especially if you happen to share one or more passwords between multiple accounts. The same applies to Dropbox: even if someone gains access there, the password database is unusable without the master password and keyfile.

At least after all this trouble I went through today with these steps, I know a security breach in one place won't compromise other accounts anymore. Even if I shared passwords only at places where a compromised password wouldn't do much harm anyway, it's more a matter of principle.
« Last Edit: June 24, 2011, 08:06:42 am by Fury »
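
The aaa\-aaa\-aaa\-aaa pattern from the post above, worked through as an added example (not part of Fury's post and not KeePass's own code): it expands a pattern with Python's `secrets` CSPRNG and counts the bits of entropy the random positions contribute. The placeholder table is a small assumed subset of KeePass-style placeholders, and `CHARSETS`, `parse_pattern`, `generate` and `entropy_bits` are names made up for this example.

```python
import math
import secrets
import string

# Placeholder -> character set. Assumed subset of KeePass-style pattern
# placeholders; only "a" (lowercase alphanumeric) is used by the post's pattern.
CHARSETS = {
    "a": string.ascii_lowercase + string.digits,
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
}

def parse_pattern(pattern):
    """Split a pattern into ("rand", charset) and ("lit", char) tokens.

    A backslash makes the next character a literal, so the dash in the
    post's pattern is copied into the password instead of being expanded.
    """
    tokens, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise ValueError("dangling escape at end of pattern")
            tokens.append(("lit", pattern[i + 1]))
            i += 2
        elif ch in CHARSETS:
            tokens.append(("rand", CHARSETS[ch]))
            i += 1
        else:
            raise ValueError(f"unsupported placeholder {ch!r}; escape literals")
    return tokens

def generate(pattern):
    """Build one password; random positions come from the OS CSPRNG."""
    return "".join(secrets.choice(val) if kind == "rand" else val
                   for kind, val in parse_pattern(pattern))

def entropy_bits(pattern):
    """Bits of entropy: only random positions count, literals add none."""
    return sum(math.log2(len(val))
               for kind, val in parse_pattern(pattern) if kind == "rand")

FURY_PATTERN = r"aaa\-aaa\-aaa\-aaa"  # pattern quoted in the post above

if __name__ == "__main__":
    print(generate(FURY_PATTERN))
    print(f"{entropy_bits(FURY_PATTERN):.1f} bits")
```

For this pattern the result is 12 × log2(36), about 62 bits; the three dashes make the password easier to read off a phone but add no entropy.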

 

Offline jr2

  • The Mail Man
  • 212
  • It's prounounced jayartoo 0x6A7232
    • Steam
Nice tut, Fury.  :)

 

Offline Rodo

  • Custom tittle
  • 212
  • stargazer
    • Steam
I got it myself as well, I was registered for NWN, but that account is so old I think it's no use for me to edit any of the information regarding it.
el hombre vicio...

 

Offline Fury

  • The Curmudgeon
  • 213
Not quite so. As far as I know, that same login is/could be used by Bioware and EA accounts (they're one and the same these days). So if you've registered other Bioware and/or EA accounts, it could be one and the same as the NWN one that got compromised.

As a matter of fact, the email notification sends you to an EA account and not to an NWN-exclusive account.

 
I am quite certain that the decade-old NWN one is quite separate. It's the new Bioware social forums which is integrated into EA, but it does not affect Bioware.

 

Offline Mikes

  • 29
I was actually unable to log into my EA account with my usual password today. (Neither the Bioware/EA site linked from DA nor the regular EA worked)

I had to do a password reset to make it work again.

 
I have an EA account for Mass Effect 2 and Dragon Age but everything works fine for me.  I didn't even get sent an e-mail.

 
I think that EA had a mechanism set up to import your account credentials from the old Bioware forums to the EA-hosted Bioware Social site.  Hence EA's concern - Anybody who hasn't changed their password since importing their old credentials could have their Bioware Social account compromised.

Looking at Bioware's website now, though, the old forums are gone completely.  Why they still had the database there at all seems worth questioning.

 

Offline Bobboau

  • Just a MODern kinda guy
    Just MODerately cool
    And MODest too
  • 213
Bobboau, bringing you products that work... in theory
learn to use PCS
creator of the ProXimus Procedural Texture and Effect Generator
My latest build of PCS2, get it while it's hot!
PCS 2.0.3


DEUTERONOMY 22:11
Thou shalt not wear a garment of diverse sorts, [as] of woollen and linen together

 

Offline Fury

  • The Curmudgeon
  • 213
Yeah, I don't really care though because snafus happen. Even if it would happen again, it wouldn't compromise your KeePass database too much anyway due to strong AES-256+Twofish combination encryption. Even GPU-assisted cracking would require a significant amount of time to crack the encryption. During that time you could have leisurely changed passwords many, many times if you so wanted, since you've got all of them in a nice list already.