Update on Recent Player Account Hacks

in #splinterlands, 27 days ago

On Friday, April 16th, 2021, Splinterlands became aware that a number of player accounts were accessed by an unauthorized attacker who transferred the game cards and other assets out of the accounts without the account owners' permission.

It appears that the attacker was using a very large list of email addresses - possibly obtained from a hack of some other website or service - and was using a script to try to determine whether any of those email addresses were also linked to a Splinterlands account. The attacker was then able to access some of the accounts via the email and password login mechanism provided by Splinterlands. It is important to note that the email/password login only provides access to the private posting key for the player's Hive account and not any other keys, which is why players who had enabled the setting to require the active key for transactions of monetary value were not affected.

We are still looking into how the attacker was able to access the accounts; however, there is no indication at this time that any Splinterlands systems or services were breached or compromised in any way.
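The probing described above (a script walking a large e-mail list to see which addresses map to accounts) leaves a recognisable trace on the login endpoint: one client presenting many distinct e-mail addresses in a short window, most of them unknown. The following detection logic is an added example, not Splinterlands code; the log format, endpoint name, IP addresses and thresholds are all constructed for illustration.

```javascript
// Added example (not Splinterlands code): flag clients that submit many distinct
// e-mail addresses to the login endpoint within a short window. The log format,
// addresses and thresholds below are constructed for this example.

const SAMPLE_LOG = [
  "2021-04-16T10:00:00Z 198.51.100.20 POST /login email=alice@example.com result=ok",
  "2021-04-16T10:00:05Z 203.0.113.7 POST /login email=u1@example.net result=no_account",
  "2021-04-16T10:00:06Z 203.0.113.7 POST /login email=u2@example.net result=no_account",
  "2021-04-16T10:00:07Z 203.0.113.7 POST /login email=u3@example.net result=wrong_password",
  "2021-04-16T10:00:08Z 203.0.113.7 POST /login email=u4@example.net result=no_account",
  "2021-04-16T10:00:09Z 203.0.113.7 POST /login email=u5@example.net result=no_account",
  "2021-04-16T10:00:10Z 203.0.113.7 POST /login email=u6@example.net result=ok",
  "2021-04-16T10:05:00Z 198.51.100.20 POST /login email=alice@example.com result=ok",
];

function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) POST \/login email=(\S+) result=(\S+)$/);
  if (!m) return null; // skip lines that are not login attempts
  return { ts: Date.parse(m[1]), ip: m[2], email: m[3].toLowerCase(), result: m[4] };
}

// Sliding window per source IP: report the IP as soon as it has presented more
// than `maxEmails` distinct addresses within `windowMs`, together with the share
// of those attempts that hit an address with no account (high for list probing).
function findEnumerators(lines, { windowMs = 60000, maxEmails = 5 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }
  const flagged = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    const inWindow = new Map(); // email -> number of attempts currently in the window
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      inWindow.set(events[end].email, (inWindow.get(events[end].email) || 0) + 1);
      while (events[end].ts - events[start].ts > windowMs) { // drop expired attempts
        const e = events[start].email;
        if (inWindow.get(e) === 1) inWindow.delete(e); else inWindow.set(e, inWindow.get(e) - 1);
        start++;
      }
      if (inWindow.size > maxEmails) {
        const span = events.slice(start, end + 1);
        const noAccount = span.filter((e) => e.result === "no_account").length;
        flagged.push({ ip, distinctEmails: inWindow.size, noAccountRatio: noAccount / span.length });
        break; // one report per IP is enough
      }
    }
  }
  return flagged;
}
```

Running `findEnumerators(SAMPLE_LOG)` reports only the probing client; the legitimate user who logs in twice with the same address is never flagged, however long the log runs.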

Updated Security Measures

As a result of this attack, Splinterlands has implemented an additional security measure of requiring the private active key for each account to be used for any transactions that would transfer any assets out of the account. Please note that this only applies to accounts that have purchased the Summoner's Spellbook and have created their own Hive blockchain account.

Players may still play the game, combine cards, open packs, make purchases, and do anything else that does not send assets out of the account using the posting key or email/password login; any transactions that send assets externally, such as transferring cards, tokens, or packs, or listing cards for sale on the market, will require the private active key for the account. Please note that players can still disable this setting so that cards and assets can be transferred using the posting key; however, we strongly advise that players do not disable this setting, or they risk losing their assets.

While this may present an inconvenience for a number of players, especially initially as they get used to the change, we felt that it is necessary to prevent additional players from losing their assets as a result of their email/password login being compromised.

We plan to keep this change in place going forward and will be working on updating the UI and instructions, especially for new accounts, to make sure players understand the different blockchain account keys and how they can be safely used and stored.

This change will especially affect mobile app users as it is much more difficult to use private keys on mobile devices and tools like Hive Keychain are not available. We will be working on improving the mobile app UI to handle this as much as possible, but in the meantime mobile app users can switch to the desktop website when/if they need to transfer cards or other assets out of their account.

We have also implemented a number of changes that will make it much more difficult for a similar attack to be performed in the future, and we are actively reaching out to some third-party security experts to perform a comprehensive review of the entire application.

"Locking" Cards & Other Assets

One other feature which has been suggested even before this incident is to allow players to "lock" cards and other assets for a period of time. This is something we think would be good to add into the game and the recent events have made implementing this feature a top priority.

This feature would allow players to choose certain cards and other assets in the game and lock them for a period of time chosen by the player. Those assets can then still be used as normal - cards can be used in battles, or delegated - but they will not be able to be transferred or listed for sale on the market until they are unlocked, and unlocking takes the amount of time specified when the assets were locked.

This way players can be assured that their locked Splinterlands assets will not be able to be transferred even if their Hive blockchain account keys were to be compromised, and they will have time to recover their account before the cards become unlocked. We also plan to provide a system so that players receive a notification when their assets become unlocked, so that they can detect any unauthorized access to their account and respond accordingly.
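The mechanism described in this section can be modelled in a few lines. The class below is an added example, not Splinterlands code: method names, the millisecond time base and the set of in-game versus outbound actions are assumptions. It captures the three properties the text calls for: a locked asset stays usable in-game, an unlock request starts a countdown of the length chosen at lock time, and the owner can learn when an unlock becomes effective (and cancel one they did not request).

```javascript
// Added example (not Splinterlands code): a model of time-locked assets. A locked
// asset may still be used in-game but cannot be transferred or listed until an
// unlock has been requested AND the delay chosen at lock time has elapsed.
// Action names and the millisecond clock are assumptions made for this example.

const IN_GAME_ACTIONS = new Set(["battle", "delegate"]);
const OUTBOUND_ACTIONS = new Set(["transfer", "list_for_sale"]);

class AssetLocks {
  constructor() {
    this.locks = new Map(); // assetId -> { delayMs, unlockRequestedAt, notified }
  }

  // Lock an asset; the owner chooses how long any later unlock must take.
  lock(assetId, delayMs) {
    if (!Number.isInteger(delayMs) || delayMs <= 0) throw new Error("delay must be a positive integer (ms)");
    this.locks.set(assetId, { delayMs, unlockRequestedAt: null, notified: false });
  }

  // Start the countdown and return the time at which the asset becomes transferable.
  // A repeated request keeps the original start time, so it can never shorten the wait.
  requestUnlock(assetId, now) {
    const l = this.locks.get(assetId);
    if (!l) throw new Error(`${assetId} is not locked`);
    if (l.unlockRequestedAt === null) l.unlockRequestedAt = now;
    return l.unlockRequestedAt + l.delayMs;
  }

  // Abort a pending unlock: what an owner does after spotting a request they did not make.
  cancelUnlock(assetId) {
    const l = this.locks.get(assetId);
    if (!l) throw new Error(`${assetId} is not locked`);
    l.unlockRequestedAt = null;
    l.notified = false;
  }

  // Policy check: in-game use is always allowed; outbound use only once the countdown is over.
  isAllowed(assetId, action, now) {
    if (IN_GAME_ACTIONS.has(action)) return true;
    if (!OUTBOUND_ACTIONS.has(action)) throw new Error(`unknown action ${action}`);
    const l = this.locks.get(assetId);
    if (!l) return true; // unlocked assets behave as they do today
    return l.unlockRequestedAt !== null && now >= l.unlockRequestedAt + l.delayMs;
  }

  // Notification feed: assets whose countdown has finished since the last call.
  newlyUnlocked(now) {
    const due = [];
    for (const [assetId, l] of this.locks) {
      if (l.unlockRequestedAt !== null && !l.notified && now >= l.unlockRequestedAt + l.delayMs) {
        l.notified = true;
        due.push(assetId);
      }
    }
    return due;
  }
}
```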

Affected Accounts

For any accounts that were affected by this attack, we recommend the following action items:

  1. Contact support@splinterlands.com via email to report that your account was compromised. Please include your account name and what, if any, assets were stolen in the email.

  2. Use the "Forgot Password" option on the login screen on the Splinterlands website or mobile app to change the password on your account to a strong password that you have not used on other websites or services.

  3. Go to https://wallet.hive.blog, log in with your Hive account name and master password/key, and choose the "Change Password" option to change the master password and keys for your Hive blockchain account. Please understand that once you change your Hive master password and keys WE CANNOT RECOVER THEM FOR YOU SO IF YOU LOSE THEM YOU WILL LOSE ACCESS TO YOUR ACCOUNT AND ALL OF THE ASSETS WITHIN IT.

Asset Recovery & Reimbursement

The Splinterlands team has been able to successfully recover a portion of the stolen cards and other assets and we will return those to the rightful owners' accounts as soon as they contact us and we can ensure that their accounts have been adequately secured.

We are still working with various third parties to see if there is a way to recover the remaining assets; however, we are committed to reimbursing the players who had assets stolen as part of this attack from our own funds if we are unable to recover them.

We do not currently know the timing or additional details of the reimbursement and we ask that players affected by the incident be patient as it will take some time to get everything sorted out and resolved.


Wow, "from our own funds".

You guys are seriously awesome and committed to maintaining good PR and a high reputation for the game. Well played.

Agreed

Champion effort. Time-locking will make a huge difference. I know I'll have a lot more peace of mind.

Seems like a good response and well resolved. Good job!

Wouldn't it be safer/better, though, to implement a universal delay in trading any assets out of the SLs/admin control and to somewhere unrecoverable? Sort of like a 48 hour delay on transferring out cards but not transferring in. I don't think that would be terribly burdensome on players to wait 2 days to xfer assets to another dex or something, and if something happened in the future and it was reported in time, devs should be able to track the card within their domain of control and recover it.

As always, #1 customer service in the Blockchain industry!!!

I like the card lock and notification when unlocked idea

I also applaud the effort and dedication to the players! Like the locking feature idea.

As a new player I was surprised there is no 2FA. Is that worth considering or does the "require active authority" setting effectively serve this purpose?

Why not just hardfork and reverse all the transfers to the hacker's account? This is similar to the DAO hack on eth

Sorry to hear about this, and for anyone who lost assets. Kudos to admin for taking quick action, and going as far as offering to reimburse assets, and implement sensible changes to the system to prevent future issues - even if it will require some extra clicking on the player end. Safety first...

You're doing all that can be done and beyond under the circumstances.

Asset locking will be a very powerful security feature.

That is great customer service, trust the process and you even go above and beyond by personally reimbursing players - I am with a great organisation. I know breaches happen but very few times have I seen an organisation actually compensate people for their loss, thank you splinterlands for doing the right thing, that's why I love this game.

Thanks for the efforts. I trust in Splinterlands.

Best customer service there is! Also, love the new security feature!

I just started playing the other day but this is great to see from a community!
Thank you for being so transparent 😅

I would love to see the locking feature. It will come in handy to a many of the users.

you guys are amazing