I just checked my email to find a rather alarming message from Square Enix. I almost skipped it, as it came from “autoinfo_us,” but thankfully I read the subject line “Important Information Regarding Your Square Enix Account” before heading out for the day. The email said this:
Thank you for your continued support of the Square Enix account.
As a result of an investigation, we have determined that a number of Square Enix accounts were compromised by a third party. Therefore, to prevent any misuse of accounts potentially compromised during this incident, we have changed the password for all of those affected.
We apologize for the inconvenience, but we ask that you change your password through the URL listed below:
https://secure.square-enix.com/account/app/svc/reminder
As a precaution we are notifying you of this potential breach. This e-mail has been sent out for your information only. Please do not reply to this e-mail address.
Thank you for your understanding and we again apologize for any inconvenience caused.
SQUARE ENIX Support Center
http://support.na.square-enix.com/
As you can imagine, I immediately assumed my account had been hacked and changed the password right away (after checking the URLs, the Blizzard phishing scams are educational, at least). After that, ran a virus scan and came up clean. Once I was sure I wasn’t going to re-compromise myself, I logged into the game to assess the damage. Nothing was missing. I logged in at the same place I’d left my baby lala’fell last week. No one in my linkshell reported seeing me or anything unusual. I hadn’t been touched.
Odd. Why would I get this email? I decided to do a little digging and have come to the conclusion that there must be something internal, or at least that they don’t know much about, going on. Here’s my train of thought:
- Facts first: Square acknowledges that an undisclosed number of accounts were “compromised” by a third party. I was apparently one of those, even though I hadn’t been hacked.
- One would assume that compromised would mean hacked, but it’s also used in bank parlance when “third parties” have accessed credit card numbers and bank account information. “Your card may have been compromised,” etc.
- The lodestone doesn’t mention anything about these emails; however, over the last two days they have posted two separate security reminders. The first is the standard “don’t make your password ‘password'” set of rules. The second says this:
- Recently, a small number of customers outside of North America have reported that their accounts were compromised. Upon investigation, we found that many of these users used the same name and password for their Square Enix Account as for another company’s online service which recently experienced a data breach. Knowing that many users use the same name and password for multiple services, it appears an unknown third party was able to gain unauthorized access to some Square Enix Accounts.
- I find it of note that yesterday they claim it happened because of players using the same password for multiple games and “that other company” had a data breach. Today, on the other hand, as the “result of an investigation” even players experiencing no troubles elsewhere are effected by this password change.
- I don’t use the same password for multiple games and each one is terribly convoluted. I’m also extremely careful not to do anything that would pick up a keylogger and run multiple security programs just in case.
What this all comes down to is that I don’t think the security breach is on the user’s end here. Maybe it is for some, as we’ll always be less secure than mega-corps like SE, but certainly not for all. I appreciate that they took action against my account, just in case, but what was it that flagged me? The answer is that I, someone who by all rights shouldn’t be at risk, was included in a pool of compromises. Did someone in my LS get hacked, so they sent it out to all of us? That would be fair. Or did Click-and-Buy finally prove themselves disreputable enough to warrant some concern? I’m exaggerating, but you get my point.
To be fair, I’m not angry, or annoyed, or anything. I simply think we deserve a little explanation on what’s going on here. When you’re talking people’s account information, it’s a touchy subject and the least we deserve is the information needed to protect ourselves. Who or what is this third party — software viruses or outright hackers — and what should be look out for? Most players will want to know if they’re at risk and what they can do about it.
So please, Square, give us a clue. What’s up?
8 pings
Skip to comment form ↓