Integration glitch with Vanilla forums may have compromised account security
Bethesda have an Elder Scrolls Online beta stress-test lined up for this weekend, and have therefore been inviting thousands of new users to participate.
If you were one of the lucky ones to wake up yesterday to an invite, you might have risen today to a less pleasant sight – an inbox full of password reset emails from Vanillaforums.com, the folk who host the Elder Scrolls Online community.
The techies at Vanilla have been quick to act, identifying the bug responsible for the issue, but not before customers received hundreds of messages. From the folk we’ve spoken to, we’re talking about anything between 500 and 600 emails each. As a result, email services such as Gmail and Outlook.com have begun to mark these messages as spam. Whoops.
A mass-mail incident in itself is forgivable; who hasn’t let a loop run away in their code and wreaked havoc that one time. Rather unfortunately, though, these password reset emails carry many other customers’ email addresses in the CC line, so every recipient can see who else was mailed, and anyone CC’d on a message could potentially use it to complete a reset for another user’s account. Not cool.
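As an added illustration of what a reset mailer has to get right to avoid the two failures described above, here is a small, self-contained Python model: one message per recipient with an empty CC list, a random single-use token that expires and is stored only as a digest, a per-user throttle that caps how many resets a runaway loop can send, and an audit function that flags any outgoing message that would hand a reset link to more than one person. This is example code written for this article, not Vanilla Forums’ software; the user table, the in-memory outbox standing in for SMTP, and the reset URL are all constructed for the demo.

```python
# Added example: a password-reset mailer built to avoid the failure modes the
# article describes (a mass-mail loop and reset links shared via CC). Not
# Vanilla Forums' code; users, outbox and URL below are constructed for the demo.
import hashlib
import secrets
import time
from dataclasses import dataclass


TOKEN_TTL_SECONDS = 15 * 60       # a reset link is good for 15 minutes
MAX_RESETS_PER_WINDOW = 3         # per user; a runaway loop cannot send hundreds
RATE_WINDOW_SECONDS = 60 * 60


@dataclass
class ResetRecord:
    user_id: int
    expires_at: float
    used: bool = False


def _hash_token(token: str) -> str:
    # Store only a digest, so a leaked table cannot be turned into working links.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, users, now=time.time):
        # users: {email: user_id}, constructed sample data; now: injectable clock.
        self.users = {email.lower(): uid for email, uid in users.items()}
        self.now = now
        self.records = {}   # token digest -> ResetRecord
        self.outbox = []    # stand-in for an SMTP client: list of message dicts
        self.sent_at = {}   # user_id -> list of send timestamps

    def request_reset(self, email: str) -> bool:
        """Queue exactly one reset message, addressed only to the requesting user."""
        user_id = self.users.get(email.lower())
        if user_id is None:
            return False      # same outward behaviour as success: no account enumeration
        now = self.now()
        recent = [t for t in self.sent_at.get(user_id, []) if now - t < RATE_WINDOW_SECONDS]
        if len(recent) >= MAX_RESETS_PER_WINDOW:
            self.sent_at[user_id] = recent
            return False      # throttled: bounds the damage of a mailer bug
        token = secrets.token_urlsafe(32)
        self.records[_hash_token(token)] = ResetRecord(user_id, now + TOKEN_TTL_SECONDS)
        self.sent_at[user_id] = recent + [now]
        self.outbox.append({
            "to": [email],    # one recipient per message
            "cc": [],         # never batch reset recipients into CC
            "body": f"https://forum.example.invalid/reset?token={token}",
        })
        return True

    def redeem(self, token: str):
        """Return the user_id the token was issued for, or None. Single use, expiring."""
        rec = self.records.get(_hash_token(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return None
        rec.used = True
        return rec.user_id


def audit_outbox(outbox) -> list:
    """Return indexes of messages that would hand a reset link to more than one person."""
    return [i for i, m in enumerate(outbox) if len(m["to"]) != 1 or m["cc"]]


def token_from_message(message) -> str:
    # Demo helper: pull the token back out of the constructed reset link.
    return message["body"].split("token=", 1)[1]


if __name__ == "__main__":
    svc = PasswordResetService({"alice@example.invalid": 1, "bob@example.invalid": 2})
    svc.request_reset("alice@example.invalid")
    svc.request_reset("bob@example.invalid")
    print("messages needing attention:", audit_outbox(svc.outbox))
    print("alice's link redeems for user", svc.redeem(token_from_message(svc.outbox[0])))
```

The audit is the piece worth wiring into a test suite: a reset message with two `to` addresses or a non-empty `cc` fails the build before it reaches a mail server, which is exactly the shape of message that caused trouble here.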
As a precaution, Luc Vezina, CEO of Vanilla, assures us that the company will issue password resets on potentially compromised accounts.
We’ve reached out to Bethesda/Zenimax for comment; as email addresses are personally identifiable information, we hope they handle the situation appropriately. In data protection terms Bethesda/Zenimax is the data controller here and Vanilla is merely one of their data processors, so the buck stops with them. We will provide an update when we hear back.