Skip to main content

Bioware Account Breach

I got an email the other day, one I wasn't expecting to receive, because I wasn't even aware that the organization had a data breach.  (But then, how could I?  They've been coming fast and furious for a while now.)

The email looked like this:
We recently learned that hackers gained unauthorized access to the decade-old BioWare server system supporting the Neverwinter Nights forums. We immediately took appropriate steps to protect our consumers' data and launched a thorough ongoing evaluation of the breach. We have determined that no credit card data was compromised from the servers, nor did we ever have or store sensitive data like social security numbers. Our investigation shows that information such as user names, encrypted passwords, email addresses, mailing addresses, names, phone numbers, CD keys and birth dates from accounts on the system may have been compromised, as well as other information (if any) that you may have associated with this forum account. In an abundance of caution, we have disabled your legacy Account. To create a new account please visit

We take the security of your information very seriously and regret any inconvenience this may have caused you. If your username, email address and/or password on your Neverwinter Nights account are similar to those you use on other sites, we recommend changing the password at those sites as well. We advise all of our fans to always be aware of any suspicious emails or account activity and report any suspicious emails and account activity to Customer Support at 1-877-357-6007.

If you have questions, please visit our FAQ at or contact Customer Support at the phone number above.

Aaryn Flynn
Studio GM, BioWare Edmonton
VP, Electronic Arts

Now, to be honest, I didn't even realize that I had an account at the Bioware forums.  I haven't actually played Neverwinter Nights in almost 7 or 8 years.  As a result, I'm not even sure what my username or password would have been.

I suppose that's the first lesson for me, I should be more diligent about logging where I have accounts.   I've started that recently by beginning to use LastPass, but prior to that, the odd email that arrived often reminded me that I had an account with a given service provider.

The breach was discovered on June 14th, 2011.  The first place they notified customers was on the forum itself.  Which is great for people who still use the resource, but doesn't do much for the rest of us.

My email came on June 23rd, 2011.  It contained a link to the EA customer support site.   (I wasn't even aware that EA had purchased Bioware.)

I'm not concerned about it taking a week to let me know about the breach.  First of all, the accounts compromised got locked down according to EA.  And they notified current users via their forum.   As a past user, there isn't much that I could have done to protect myself, and I make sure that I have unique passwords on each site I use so my other accounts shouldn't be at risk. (You do that too, right?)   I'd much rather a bit of a delay in warning me, than a constant back and forth about what data was actually taken.

So, in the end, the attackers have my:

  • user name

  • encrypted passwords

  • email addresses

  • mailing addresses

  • names

  • phone numbers

  • CD keys

  • birth date

The username, email address, encrypted password and CD key I'm not as worried about, I've moved a few times since I registered the account, so my address or phone numbers don't bother me.  I am concerned about my birth date and real name, but I can't easily change them...


Popular posts from this blog

Policies and Controls are King in the IT Security world

I came across an article by Roger Grimes over at Infoworld on how security policies and controls are the real power when it comes to IT security. Roger mentions the SANS 20 Critical Security Controls for Effective Cyber Defence , which are a great read for anyone looking at updating or auditing your policies for completeness. The SANS top 20 controls are a must for any organization: Inventory of Authorized and Unauthorized Devices Inventory of Authorized and Unauthorized Software Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Boundary Defense Maintenance, Monitoring, and Analysis of Security Audit Logs Application Software Security Controlled Use of Administrative Privileges Controlled Access Based on the Need to Know Continuous Vulnerability Assessment and Remediation Account Monitoring and Control Malware Defenses Limitation and Control

Fun Little Earthquake

It's 1:45pm EST in Ottawa, Ontario, Canada. We just had an earthquake.  Not strong enough to damage anything, but enough that I watched people run out of buildings. What a fun Wednesday.

Reminder: Increase the maximum available memory on your Lotus Notes client JVM today!

Yup, that's right.  Public Service Announcement time. If you haven't increased the maximum memory available to your Lotus Notes JVM yet, what are you waiting for? By default, the Notes JVM only has 256mb of memory available to it.  On a system with 4GB+ of memory, you should be easily able to increase it to 1/4 to 1/3 of the system memory and improve the end user performance. Here's how: Shut down Lotus Notes. In order to make sure that all processes are stopped, run this command:  Start -> Run Type: C:\Program Files (x86)\IBM\Lotus\Notes\nsd.exe -kill Open: C:\Program Files (x86)\IBM\Lotus\Notes\framework\rcp\deploy\ Open the "" file in a text editor like notepad.  You will possibly require Administrator permissions. At the beginning of the file, you will see text surrounded by a lot of pound signs ####. The first ‘property’ after the last # sign is: vmarg.Xmx=-Xmx256m Change 256m to 1024m so that the line reads: vmarg.X