Elder Scrolls Online forum bug causes mass-mailing nightmare

Integration glitch with Vanilla forums may have compromised account security

Bethesda have an Elder Scrolls Online beta stress-test lined up for this weekend, and have therefore been inviting thousands of new users to participate.

If you were one of the lucky few to wake up yesterday to an invite, you might have risen today to a less pleasant sight – an inbox full of password reset emails from Vanillaforums.com, the folk who host the Elder Scrolls Online community.

The techies at Vanilla have been quick to act, identifying the bug responsible for the issue, but not before customers received hundreds of messages. From the folk we’ve spoken to, we’re talking about anything between 500 and 600 emails. As a result, email services such as Gmail and Outlook.com have begun to mark these messages as spam. Whoops.

A mass-mail incident in itself is forgivable; who hasn’t forgotten to close a loop in their code and wreaked havoc that one time? Rather unfortunately, though, these password reset emails include lots of other customers’ email addresses in the CC line, so anyone in the group not only sees the other recipients’ addresses but also receives the reset message, and potentially the ability to reset another user’s password. Not cool.

As a precaution, Luc Vezina, CEO of Vanilla, assures us that the company will issue password resets on potentially compromised accounts.

We’ve reached out to Bethesda/Zenimax for comment; as email addresses are considered to be personally identifying information, we hope they handle the situation appropriately. In data protection terms, Bethesda/Zenimax is the data controller and Vanilla is merely one of their data processors, so the buck stops with them. We will provide an update when we hear back.

  • http://wyveres.de Wyveres

    correct the 600 :) i have got 7558 e-mails, they bombed my little inbox away … :)


  • http://www.pixeldynamo.com Steve

    That’s a pretty unreal number, how many were in the CC: field?

    • http://wyveres.de Wyveres

      So like 50 other e-mails. i have already deleted all the e-mails.

  • http://rdj.se rdj

    Yeah, they only cared for the part left of the @ sign in e-mail addresses. So if peter@something.com made a password reset, a mail was sent to peter@something.com, but everyone who had an e-mail matching peter@*.* was added to CC.

    So the more popular ‘username’ you had as e-mail account, the more mails you got.
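As an added illustration (not Vanilla’s code, and not confirmed by Bethesda or Vanilla), here is the bug class rdj describes above, reconstructed from that comment, beside the way a reset mailer should behave. The lookup that matches only on the part left of the @ sign, the sample user table and the helper names are all assumptions made for this example; the point is that the recipient list for a reset mail must come from an exact match on the whole address, and that each reset link should reach exactly one mailbox, with nobody in CC.

```python
"""Reconstruction of the recipient-selection bug described in the comments,
beside a corrected version. Constructed example, not the forum's own code."""
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample account table (not real accounts).
USERS = [
    "peter@something.com",
    "peter@example.org",
    "peter@mail.example",
    "anna@something.com",
]


@dataclass
class ResetMail:
    to: str                     # the single mailbox that should get this link
    token: str                  # per-account reset token embedded in the link
    cc: list = field(default_factory=list)


def buggy_match(requester: str, users: list) -> list:
    """Assumed bug: match on the local part only, i.e. 'peter@*.*'."""
    local = requester.split("@", 1)[0]
    pattern = re.compile(re.escape(local) + r"@.+\..+$", re.IGNORECASE)
    return [u for u in users if pattern.match(u)]


def buggy_build_mails(requester: str, users: list) -> list:
    """One message to the requester with every other match in CC.

    Everyone in CC now sees the other addresses and holds the same link.
    """
    matched = buggy_match(requester, users)
    others = [u for u in matched if u != requester]
    return [ResetMail(to=requester, token=secrets.token_urlsafe(16), cc=others)]


def fixed_match(requester: str, users: list) -> list:
    """Exact, case-insensitive comparison of the whole address."""
    target = requester.strip().lower()
    return [u for u in users if u.lower() == target]


def fixed_build_mails(requester: str, users: list) -> list:
    """One message per matched account, a fresh token each, never any CC."""
    return [ResetMail(to=u, token=secrets.token_urlsafe(16)) for u in fixed_match(requester, users)]


def exposed_addresses(mails: list) -> int:
    """Defensive check a mailer can run before sending: any CC on a reset
    mail means the address list leaked; the count should always be zero."""
    return sum(len(m.cc) for m in mails)


if __name__ == "__main__":
    req = "peter@something.com"
    print("buggy :", [(m.to, m.cc) for m in buggy_build_mails(req, USERS)])
    print("fixed :", [(m.to, m.cc) for m in fixed_build_mails(req, USERS)])
```

Run stand-alone, the buggy path puts the two other peter@ accounts in CC of one message, while the fixed path produces a single message with an empty CC; the `exposed_addresses` check is the kind of assertion a mailer can enforce so that this class of leak fails closed instead of going out to thousands of inboxes.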