November 19 Attack Breakdown
November 20th, 2023 at 6:24 pm
A detailed overview of the attack that happened on Sunday, what we've been doing about it, and what is coming next.
Hi all,
Here comes a detailed overview of what happened on Sunday, what we've been doing about it, and what is coming next.
What Happened
On the morning of Sunday, November 19, 2023, a hacker managed to log in as an administrator's character and used that character's admin powers to destroy all player cities (yes, he/she teleported around the world and used the admin command "unclaim city" on every player city).
The breach didn't involve stealing admin login credentials (email / password), but a game auth token that could be used to log in an admin character. The token wasn't harvested from the administrator's PC or the company network, but by exploiting a vulnerability in the server that hosted one of the game's external services.
We have no indication of a database breach for the time being. Since some users have raised concerns about how we store passwords in case there was a breach: we store them (technical explanation ahead) hashed and salted with a slow hashing algorithm (bcrypt). An 8-character password stored this way takes centuries to brute-force, and we're using a password with the minimum number of characters allowed (
as an example here.
Reconstruction
Due to an issue in world saves, we haven't been able to restore player cities as they should have been restored, that is, as they were ~30 minutes before the hack took place. Instead, we had to roll them back to the previous patch, i.e. as they were in the late evening (EU time) of November 17. This means player cities effectively suffered a rollback of 1.5 days, while the rest of player and world progress was untouched.
We are aware this is an atypical response to the issue (the typical one would have been a full rollback), but we felt it was the right decision to minimize damage. Our GM team will help groups who have lost their city (or lost buildings within it) to reclaim it and rebuild it, including rebuilding player land parcels within the city.
What Now?
This is what we've done so far:
We've separated the API servers that serve requests from game clients from those that serve requests from game servers.
We are working with multiple IT security specialists (penetration testers, white-hat hackers) to find possible additional issues in our backend.
We have changed specifics of how game auth tokens work.
We have fixed the issue in world saves that prevented us from limiting the rollback to 30 minutes at most for player cities too.
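The first and third items above (separate APIs for clients and game servers, and auth tokens that work differently) are two sides of one principle: a token should only be accepted by the API it was minted for, and an API that faces untrusted clients should not expose admin commands at all. The following added example is not Fractured's code and assumes nothing about their actual token format; it shows the principle with HMAC-signed tokens carrying an audience, a role and an expiry, and a per-API command table. The signing key, audiences, roles and command names are constructed for illustration ("unclaim city" is the command named in the post).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for this example; a real deployment loads it from a secret store.
SIGNING_KEY = b"constructed-example-key-not-for-production"

# Which commands each API is willing to serve at all (constructed table).
# The client-facing API never routes admin commands, whatever token is presented.
API_COMMANDS = {"client-api": {"move"}, "server-api": {"move", "unclaim_city"}}
# Role required by each command (constructed table).
COMMAND_ROLE = {"move": "player", "unclaim_city": "admin"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(character_id: str, role: str, audience: str, ttl_seconds: int,
                now: Optional[int] = None) -> str:
    """Mint a token bound to one API (audience) and one role, with a short lifetime."""
    now = int(time.time()) if now is None else now
    claims = {"sub": character_id, "role": role, "aud": audience, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
    return f"{body}.{_sign(body)}"


def verify_token(token: str, expected_audience: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the signature holds, the token is unexpired and it was minted for this API."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    try:
        claims = json.loads(_unb64(body))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now or claims.get("aud") != expected_audience:
        return None
    return claims


def authorize(token: str, api_audience: str, command: str, now: Optional[int] = None) -> str:
    """Decision of the API that received the request: 'ok' or the reason for refusal."""
    if command not in API_COMMANDS.get(api_audience, set()):
        return "denied: command is not served by this API"
    claims = verify_token(token, api_audience, now)
    if claims is None:
        return "denied: token invalid, expired or not issued for this API"
    if COMMAND_ROLE[command] == "admin" and claims.get("role") != "admin":
        return "denied: command requires admin role"
    return "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock
    gm = issue_token("gm-1", "admin", "server-api", 600, now=t0)
    player = issue_token("p-1", "player", "client-api", 600, now=t0)
    print(authorize(gm, "server-api", "unclaim_city", now=t0 + 1))       # ok
    print(authorize(gm, "client-api", "unclaim_city", now=t0 + 1))       # not served here
    print(authorize(gm, "client-api", "move", now=t0 + 1))               # wrong audience
    print(authorize(player, "server-api", "unclaim_city", now=t0 + 1))   # wrong audience
    print(authorize(gm, "server-api", "unclaim_city", now=t0 + 601))     # expired
```

The order of checks matters: the command table is consulted before the token is even parsed, so a leaked admin token presented to the client-facing API yields nothing regardless of how it was obtained, and the audience claim means a token minted for the server-side path is rejected by the client path even when its signature is valid. The short expiry bounds how long a harvested token stays useful.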
This is what is coming next:
We continue with the security research and reinforcing our backend.
We are starting to reinforce our game client too: there are a few exploits there which are non-critical but can be very unpleasant for other players when abused by cheaters.
Community Response
The response of the Fractured community during this ordeal has been... just incredible. I don't know how else to define it.
The amount of supportive messages and displays of appreciation for the game (and for us personally) we've received, ranging from guild masters speaking on behalf of groups to single players, has been simply incredible. The supportive attitude extended even outside of our internal channels, such as on reddit (1, 2), where people had been mostly critical of the game during our first launch one year ago.
We were afraid we could be hit by a wave of negative reviews on Steam, but only a couple of those showed up, and recent reviews remained steady around 80% positive. After reopening today, CCU (players connected at the same time) hit a new peak of 1100, continuing the positive trend that saw the game slowly gain players every day since launch.
I know it sounds cliché to say that the community, you, are our biggest asset but... it's true. You gave us the energy to work non-stop on solving this, and continue to do so. THANK YOU!