Dear Istarians, Players, and Friends,

Some of you may have heard of instances of item thefts, account break-ins, and the like. We’re confirming that some of these instances have indeed taken place.  We have been analyzing the situation carefully and have come to an understanding of how this is happening.

Before going further, we’d like you to know that Istaria’s account systems and database are secure. Some Istaria players’ accounts were accessed because they had used the same password on other sites. Those sites were listed in third party email / password lists.

Let’s talk about passwords so that the background is better understood.

When you create an account on the internet, it is very important to not use the same password on any other website.  This practice is very inconvenient, but please understand that it helps to protect all of your accounts.

When you use the same password on multiple sites, a data breach at any one of those sites may expose your password.  Once your password is exposed, a third party may try logging into all of your other accounts at other sites with that password.

For those reading between the lines, that’s exactly what appears to have happened to our community.

A third party was able to access some Istaria accounts. The victims’ email addresses appeared on a well-known list of compromised email / passwords.

What should you do to protect yourself?

First, visit https://haveibeenpwned.com and search your Istaria account email address (and any other email addresses you have). In addition to searching email addresses, it also allows you to search a specific password.  This site has a vast collection of exposed accounts/passwords, and will tell you if your email address shows up in any of them.

If your email address was exposed, and you think you might be using the same password for Istaria as any other sites, please change your password now.  You can change your password at https://accounts.istaria.com  This is for Istaria and all other sites that share the same password.

Second, when choosing passwords, make sure they are unique and also consider using some tools to make your life easier:

Between password managers and paper, you should be able to find a comfortable medium that works for you.

Finally, when choosing passwords, resist the temptation to use things relating to you, dictionary words, names, etc.  For example, “love1234” would be a bad password.  Where possible, use passphrases or a random selection of words (see diceware link below).  Also where possible, focus on length and usability, not complexity.  Those “complexity rules” we’ve grown up with?  They make using passwords hard.  XKCD sums this up quite nicely. https://xkcd.com/936/

For a better way to generate passwords, you can opt to try using diceware. This generates multiple random words for stronger passwords. https://www.rempe.us/diceware/#eff 

If you feel you have been a victim of these attacks, please submit a support ticket at https://support.istaria.com with an explanation.  We’re hard at work behind the scenes, but can’t get every case, as it’s not always obvious what’s wrong and what isn’t.

Thank you for your understanding and continued support!

Istaria Development Team