Fractured Online Hacked!

[Scumstation]

From The discord:

Hi everyone, we have just been the victims of a serious attack. A hacker managed to log into an admin account - my account, specifically - and used it to delete all player cities. This wasn't done by compromising my PC and stealing my data, but via a backend hack.

We have no idea what could drive a person to do something like this, but it happened. Cities will be restored partially by taking data from a previous save, partially by had by Game Masters.

Logins are suspended now. We will keep you updated on the progress of the investigation.

Fractured - The Dynamic MMO

November 19 Attack Breakdown
November 20th, 2023 at 6:24 pm

A due overview of the attack that happened on Sunday, what we’ve been doing about it and what is coming next.

Hi all,

here comes a due overview of what happened on Sunday, what we’ve been doing about it and what is coming next.
What Happened

In the morning of Sunday 19, 2023, a hacker managed to login with the character of an administrator, and used its admin powers to destroy all player cities (yes, he/she teleported around the world and used the admin command “unclaim city” on all player cities).

The violation didn’t involve stealing admin login credentials (email / password), but a game auth token that could be used to login an admin character. The token wasn’t harvested from the PC of the administrator or the company network, but by exploiting a vulnerability in the server that hosted one of the game’s external services.

We have no indication there has been a database violation for the time being. Since some users have raised concerns about how we store passwords in case there was a violation, we store them (technical explanation ahead) hashed and salted with a slow hashing algorithm (bcrypt). An 8-character password stored this way takes centuries to be brute-forced – and we’re using a password with the minimum number of characters allowed ( as an example here.
Reconstruction

Due to an issue in world saves, we haven’t been able to restore player cities as they should have been restored – that is, as they were ~30 minutes before the hack took place. Instead, we had to roll them back to the previous patch, i.e. as they were in the late evening (EU time) of November 17. This means player cities effectively suffered a rollback of 1.5 days, while the rest of player and world progress was untouched.

We are aware this is an atypical response to the issue (the typical one would have been a full rollback), but we felt it was the right decision to minimze damage. Our GM team will help groups who have lost their city (or lost buildings within it) to reclaim it and rebuild it, including rebuilding player land parcels within the city.
What Now?

This is what we’ve done so far:

We’ve separated the API servers that serve requests from game clients from those that serve requests from game servers.
We are working with multiple IT security specialists (penetration testers, white-hat hackers) to find possible additional issues in our backend.
We have changed specifics of the functioning of game auth tokens.
We have fixed the issue in world saves that prevented us from having a small rollback of 30m max for players cities too.

This is what is coming next:

We continue with the security research and reinforcing our backend.
We start reinforcing our game client too – there are a few exploits there which are non-critical but can be very unpleasant for other players when exploited by cheaters.

Community Response

The response of the Fractured community during this ordeal has been… just incredible – I don’t know how else to define it.

The amount of supportive messages and displays of appreciation for the game (and personal) we’ve received, ranging from guild masters speaking on behalf of groups to single players, has been simply incredible. The supportive attitude extended even outside of our internal channels, such as on reddit (1 – 2), where people had been mostly critical of the game during our first launch one year ago.

We were afraid we could be hit by a wave of negative reviews on Steam, but only a couple of those showed up, and recent reviews remained steady around 80% positive. After reopening today, CCU (=players connected at the same time) hit a new peak of 1100, continuing the positive trend that saw the game slowly gain players every day since launch.

I know it sounds cliché to say that the community – you – are our biggest asset but… it’s true. You gave us the energy to work non-stop on solving this, and continue to do so. THANK YOU!