http://support.ea.com/app/answers/detail/a_id/5367/
the nwn forums were breached ....

QUESTION
Questions & Answers About the NWN Forums Breach

ANSWER
Q: How extensive was EA/BioWare’s data breach?
A: The data breach was extremely limited. The only server system known to have been affected by the unauthorized attack was that associated with BioWare Edmonton’s Neverwinter Nights forums. Approximately 18,000 accounts were affected—a very small percentage of total users.

Q: When did EA/BioWare learn about the unauthorized access to the server system associated with the Neverwinter Nights forum?
A: June 14. We quickly assessed the exposure, communicated to our fans and re-issued accounts we believed may have been compromised.

Q: What has EA/BioWare done in response to this breach?
A: We acted immediately to secure the server system associated with Bioware Edmonton’s Neverwinter Nights forums. We also launched an ongoing evaluation of the seriousness of the breach. To further enhance security, we have disabled all legacy BioWare accounts that were affected, and reset the passwords of any EA Accounts that were affected. Emails have been sent to all affected users alerting them to the issue with instructions on how to change their passwords and/or create new accounts (as applicable).

Q: Is my information now safe?
A: Yes, we have taken the appropriate steps to secure the data in the server system associated with the Neverwinter Nights forums.

Q: Why did this happen?
A: The server system associated with the Neverwinter Nights forums was the target of a highly sophisticated and unlawful cyber attack. We have moved swiftly to secure your data, and are conducting further evaluations now.

Q: What exactly was breached?
A: Account names, email addresses, passwords, country and birth dates may have been exposed. No credit card data was exposed and we have never collected Social Security numbers. If you linked your legacy Bioware account with an EA Account, then additional information that you associated with your EA Account (if any) may have been accessible as well. Such information could include your name, mailing address, billing address, language, game entitlements and games played, and other game-specific account information depending on your use of your EA Account.

Q: Was my account breached?
A: If you did not receive an email from us, or if your password still works for your EA Account, your username and password were not compromised and your account was otherwise unaffected.

Q: How many accounts were affected?
A: Approximately 18,000 accounts—a very small percentage of total users of the Neverwinter Nights forums.

Q: What will EA/BioWare do now?
A: We value the trust you've placed in us, and we are taking all the necessary steps to evaluate the seriousness of the breach. We will continue to do what is needed to protect your personal information.

Q: Who should I contact for more information on this?
A: Customer Support is standing by to assist you at 1-866-543-5435 between the hours of 7am and 9pm CST.
Post edited June 16, 2011 by liquidsnakehpks
I hope they don't GOG and steal my game shelf. :(
Darling_Jimmy: I hope they don't GOG and steal my game shelf. :(
No problem. Here are some screws for you to secure your shelf :)
Attachments:
screws.jpg (38 Kb)
Ubivis: No problem. Here are some screws for you to secure your shelf :)
Thanks, that will help protect my GOG shelf. But to be extra safe, I'll also be in my GOG rocking chair on my GOG porch all night long, stroking my GOG shotgun.
I feel somewhat awful for saying so but I've kind of been waiting for things like this to start. Security hasn't been taken seriously since the birth of the internet, and cybercrime has been a lucrative business with no real repercussions. I can validate both statements: the only two browsers currently seeming to take security with more than a grain of salt are Opera and Chrome, both browsers with niche appeal and very small marketshare. All other current browsers have at least one longstanding serious security hole as long as you discount tools like the *nix links2 (text-only browsers are by their very nature as secure as is possible). Meanwhile there are hundreds of large botnets but you only very rarely hear about one being taken down. When's the last time you heard of someone disseminating viruses being brought to justice? It's a rare day to hear about child porn traffickers (the traffickers, mind, not the consumers) on DCC++ and similar anonymized services being thrown in prison. Not to mention the hordes of Nigerian 411 scams and the like throwing innocent, honest people into debt they'll never climb out of for being suckered in by having a good heart. And this stuff all makes money in some fashion.

This stuff here is small-time but it's hitting people, a lot of people, where it counts. 18k may be a small percentage of total users, but how many users can there possibly be on any given site? And that's what people will think when they hear that. It may be a "small percentage" but that's too close to home for me, pal, no dice, fix your shit up. Trust in most companies will plummet without an increased focus on security. I hope it continues, possibly even hitting the big fish like Microsoft in the nads, until the world gets a grip and realizes that the internet is just one gigantic meatgrinder eating people's lives through identity theft, phishing scams, malware, security holes, vulnerabilities and laziness -- and they need to stop it. Of course, this will mean people on the server-end needing to be accountable for the data of their users.
It just saddens me that after all that's happened, they still haven't learned to store the password as a salted hash. I'd be sympathetic if this were the first breach, but by now people who are responsible for these things should have been reading all the articles which have said how the password should have been stored.
This is just getting ridiculous all these attacks just now. I hope someone hacks the hackers and gives them a taste of their own medicine.
Well, I checked, and it seems my account wasn't hit.
This is just out of hand.
I can't believe after the cluster-fuck with Sony and after the hacking attempts the past few days that these companies haven't been going over their networks for weakness with a fine-tooth comb.

And these hackers...
There's no rhyme nor reason to do what they're doing beyond waving their dicks around and shouting, "Mine's bigger than yours!"
A witch hunt needs to be started on these assholes.
Post edited June 16, 2011 by saldite
Well, seems my account was unaffected.

Not sure what to make of the whole thing... I'm very surprised that, after the disaster at Sony, other companies haven't doubled/tripled/quadrupled their security and taken all possible measures to prevent it from happening to them. Just goes to show that most digital entertainment companies don't know as much about security as they like to think. Or as they should.
You're all overreacting.

Companies probably did react and try to fill holes in their security after Sony's troubles, but that takes time, and their teams are probably overstretched right now.
It's no surprise that they prefer to secure important stuff first and forum accounts that are linked to no important personal information are likely very low priority.

Furthermore, companies can only do so much. As long as most people on the Internet don't take their own security seriously, then their accounts can be compromised no matter what.

How many of the hacked accounts had obvious passwords, or ones that hadn't been changed in months if not years, or ones that are shared with a lot of other sites?
Most of them I'd bet.
Post edited June 16, 2011 by mystral
mystral: You're all overreacting.

Companies probably did react and try to fill holes in their security after Sony's troubles, but that takes time, and their teams are probably overstretched right now.
It's no surprise that they prefer to secure important stuff first and forum accounts that are linked to no important personal information are likely very low priority.

Furthermore, companies can only do so much. As long as most people on the Internet don't take their own security seriously, then their accounts can be compromised no matter what.

How many of the hacked accounts had obvious passwords, or ones that hadn't been changed in months if not years, or ones that are shared with a lot of other sites?
Most of them I'd bet.
The accounts weren't hacked - the server was. I accept they can't just flip a switch and have security, but hashing passwords is not a huge change, they should have been able to do this. The only reason I can think of that they might not is if they have some sort of legacy SSO system which is then calling through to some other forums server. Even then, it's very poor.
EA support is unaware of this issue as far as I can tell. I did get an email, it was from an unusual address (EA@em.ea.com) and I called the support line and asked. The rep said they were not aware of any emails sent out, possibly they have not all been informed but I find that unlikely, and so I have not followed the link.

I did, however, take the time to log in via the Origin client and change my EA/Origin password that way. If you suspect there is an issue I highly recommend this method instead as you will be using their client to access their database directly and won't be relying on a sent link or some other potentially spoofed website.

It still may be true, I may have a 'good' email from BioWare, but I know that my EA/Origin PW is changed and secure and since that is what I use to purchase things that one is what was important to me.
PCGameGuy: EA support is unaware of this issue as far as I can tell. I did get an email, it was from an unusual address (EA@em.ea.com) and I called the support line and asked. The rep said they were not aware of any emails sent out, possibly they have not all been informed but I find that unlikely, and so I have not followed the link.

I did, however, take the time to log in via the Origin client and change my EA/Origin password that way. If you suspect there is an issue I highly recommend this method instead as you will be using their client to access their database directly and won't be relying on a sent link or some other potentially spoofed website.

It still may be true, I may have a 'good' email from BioWare, but I know that my EA/Origin PW is changed and secure and since that is what I use to purchase things that one is what was important to me.
The link looks valid, it's just a URL, no dodgy bits after it to do any XSS stuff, and it's in the right domain. Furthermore if I go to http://www.ea.com and search their help for "NWN Forums Breach" the page comes up. So this is looking real. However that doesn't mean that the email you've been sent is real. However it might be, I'd call support back and talk them through the steps to find that page.

EDIT: Oh, you mean the link in your mail. No - don't follow that unless you trust the email.

EDIT 2: The page does say "Emails have been sent to all affected users", so if support aren't aware of any emails being sent then they're just asleep.
Post edited June 16, 2011 by wpegg
When Sony got some slaps on the wrist for removing Linux I was like okay, that makes some sense. When they went after people, not Sony, I was like okay, you went too far despite Sony deserving it.

Now with all these random attacks on video game sites we see these people have zero point, reason or morals, they just want personal data or want to fuck with people for their own amusement. It's sad and pathetic, and honestly the ONLY thing this will accomplish is making the government look twice at regulating more of the internet.
I would not trust the emails not until, for a few days