SSO Issues and Unscheduled Downtime on February 8, 2016

By CCP Logibro

Hello Players

Today (8 February) we applied an update to Tranquility’s login server (also known as Single Sign-On or SSO). We had previously deployed this update to Singularity and discovered an issue whereby two database tables were conflated by the SSO and therefore users were given valid authentication tokens for accounts that were not their own. At the time, Singularity was down and so no other data was compromised. We fixed the issue, cleaned up the mess, tested the fix thoroughly, and deployed the fixed version to Tranquility today.

Unfortunately, it seems that the issue reoccurred when the update was deployed to Tranquility, and some users once again were given valid authentication tokens for accounts that were not their own. This gave them the ability to log into the accounts in question and perform any action the owner of the account would have been able to in-game. We haven’t found any evidence that unauthorized access to other services was possible or has taken place, but we are continuing to investigate to confirm that this is the case.

As soon as the issue was identified to be occurring on Tranquility we shut down the login server, preventing any further errant authentication tokens from being given out. Since that meant that players couldn’t log into the game, and that those with existing errant authentication tokens would still be able to access other accounts, we also decided to instigate emergency downtime on Tranquility while we resolved the issue. Our next steps were to purge all authentication tokens, making the errant authentication tokens useless, and roll back the login server update so that the issue did not reoccur.

As such, all players will need to log in again when using any of our services that utilize SSO, including third-party services and the game launcher. We are compiling a list of affected accounts, and our customer service and security teams are working on verifying the integrity of the accounts and assets contained therein. We will be in touch with those affected in due course, so you are not required to file a support ticket. However, if you feel that you have been adversely affected by the issue, you are still welcome to submit a ticket.

We apologize for any inconvenience caused due to this issue.