On Friday, April 16th, 2021, Splinterlands became aware that a number of player accounts were accessed by an unauthorized attacker who transferred the game cards and other assets out of the accounts without the account owners' permission.
It appears that the attacker was using a very large list of email addresses - possibly obtained from a hack of some other website or service - and was using a script to try to determine whether any of those email addresses were also linked to a Splinterlands account. The attacker was then able to access some of the accounts via the email and password login mechanism provided by Splinterlands. It is important to note that the email/password login only provides access to the private posting key for the player's Hive account and not any other keys, which is why players who had enabled the setting to require the active key for transactions of monetary value were not affected.
We are still looking into how the attacker was able to access the accounts, however there is no indication at this time that any Splinterlands systems or services were breached or compromised in any way.
Updated Security Measures
As a result of this attack, Splinterlands has implemented an additional security measure of requiring the private active key for each account to be used for any transactions that would transfer any assets out of the account. Please note that this only applies to accounts that have purchased the Summoner's Spellbook and have created their own Hive blockchain account.
Players may still play the game, combine cards, open packs, make purchases, and anything else that does not send assets out of the account using the posting key or email/password login, but any transactions that send assets externally, such as transferring cards, tokens, packs, and listing cards for sale on the market, will require the private active key for the account. Please note that this setting can still be disabled by players so that cards and assets can be transferred using the posting key, however we strongly advise that players do not disable this setting or they risk losing their assets.
While this may present an inconvenience for a number of players, especially initially as they get used to the change, we felt that it is necessary to prevent additional players from losing their assets as a result of their email/password login being compromised.
We plan to keep this change in place going forward and will be working on updating the UI and instructions, especially for new accounts, to make sure players understand the different blockchain account keys and how they can be safely used and stored.
This change will especially affect mobile app users as it is much more difficult to use private keys on mobile devices and tools like Hive Keychain are not available. We will be working on improving the mobile app UI to handle this as much as possible, but in the meantime mobile app users can switch to the desktop website when/if they need to transfer cards or other assets out of their account.
We have also implemented a number of changes that will make it much more difficult for a similar attack to be performed in the future, and we are actively reaching out to some third-party security experts to perform a comprehensive review of the entire application.
"Locking" Cards & Other Assets
One other feature which has been suggested even before this incident is to allow players to "lock" cards and other assets for a period of time. This is something we think would be good to add into the game and the recent events have made implementing this feature a top priority.
This feature would allow players to choose certain cards and other assets in the game and lock them for a period of time chosen by the player. Those assets can then still be used as normal - cards can be used in battles, or delegated - but they will not be able to be transferred or listed for sale on the market until they are unlocked, which will take the amount of time specified when the assets were locked.
This way players can be assured that their locked Splinterlands assets will not be able to be transferred even if their Hive blockchain account keys were to be compromised, and they will have time to recover their account before the cards become unlocked. We also plan to provide a system so that players can receive a notification when their assets become unlocked so that they can respond to any unauthorized access to their account and respond accordingly.
For any accounts that were affected by this attack, we recommend the following action items:
Contact firstname.lastname@example.org via email to report that your account was compromised. Please include your account name and what, if any, assets were stolen in the email.
Use the "Forgot Password" option on the login screen on the Splinterlands website or mobile app to change the password on your account to a strong password that you have not used on other websites or services.
Go to https://wallet.hive.blog, log in with your Hive account name and master password/key, and choose the "Change Password" option to change the master password and keys for your Hive blockchain account. Please understand that once you change your Hive master password and keys WE CANNOT RECOVER THEM FOR YOU SO IF YOU LOSE THEM YOU WILL LOSE ACCESS TO YOUR ACCOUNT AND ALL OF THE ASSETS WITHIN IT.
Asset Recovery & Reimbursement
The Splinterlands team has been able to successfully recover a portion of the stolen cards and other assets and we will return those to the rightful owners' accounts as soon as they contact us and we can ensure that their accounts have been adequately secured.
We are still working with various third parties to see if there is a way to recover the remaining assets, however we are committed to reimbursing the players who had assets stolen as part of this attack from our own funds if we are unable to recover them.
We do not currently know the timing or additional details of the reimbursement and we ask that players affected by the incident be patient as it will take some time to get everything sorted out and resolved.