Saw this post on RiftJunkies:
RIFT Junkies NOT The Source of Account Hacks
Despite the odd title (I guess people were accusing them?) they link to a thread in the official forums where someone claimed he’d found an exploit in Rift’s login system that let him log into a friend’s account without having the friend’s password.
Here’s a link to the post. It’s a huge thread so I’ll summarize. The person then said he’d been in contact with Trion and, later, that a fix was incoming.
Assistant Community Manager Elrar responded in that thread:
All,
We have some things in the works right now and have been passing on your feedback, concerns, and thoughts throughout the day (no matter how radical or unlikely).
Sharing sensitive information about our actions (no matter how broad) naturally also informs those carrying out these attacks. This puts us in a tight spot with how much information we can provide, and the questions we can answer.
Apologies we can’t be more forthcoming at this time, but we appreciate your understanding – it’s always our goal to ensure you can play and enjoy the game securely, and unfettered.
Thanks everyone,
After this, the original poster referred non-believers to this thread which is about an emergency server restart having to do with Account Security (this was on the 18th).
Later still, the original poster was back with, among other things, this to say:
Last but certainly not least, I must also sing the praises to Trion. Most companies do their level best to hide critical security issues and sneak in fixes. Trion responded to the news by contacting me within the hour, discussing the details in detail, and responding within minutes of getting info that they verified the issue and were expediting a solution. A couple hours later, everyone gets to try out Coin Lock and the hole is plugged with steel-reinforced concrete under twelve feet of kevlar policed by sharks with frickin’ lasers on their frickin’ heads.
And later:
Got word back from Steve Chamberlin, the development lead for Rift. This hole is sealed.
That’s not everything but those seem to be the salient points.
It sounds like the hacks were more or less random. You could log into your account and then log into some other random account. If you had a piece of info (as yet unspecified but apparently not email or password) you could target a specific account, but it sounds like most using this exploit were just jumping into whatever account was randomly exposed to them.
So we’ll see. Hopefully things will be better now.
[Updates:
Zam has an interview with the user who discovered the exploit.
Scott Hartsman’s post about the situation.
]