The "Security Situation" Backstory

Artix | Friday, May 3, 2024

Hi guys,
So flying back from the funeral on Wednesday, I was surprised to discover the sheer quantity of drama unfolding.

If you are someone who has made up your mind that we are an evil soulless company, then this post is not for you. If you are a long-time fan of our games, our community, and our commitment to creating fun game worlds, then this might be a fun read for you. 

Just to be clear, had there been an actual issue with the game or account security, we would not have called this “drama” at all.

The Recent “Security Situation” and Staff Attacks

Thursday morning, we spent time deleting posts made by fake social media accounts named after our team members. We cleaned up the spam across our incoming email inboxes, social media comments sections, and have been tracking a small number of people who have been attempting to social engineer members of our team to gain access to accounts that are not theirs.

Then, the Denial of Service attacks started on the servers. These were really quite problematic from 2015 - 2019. But our defenses have gotten so much stronger; we have grown and improved. Realizing those attacks were not working, they started targeting specific APIs in an attempt to overload them. See, this is why I hate talking about them in detail. The team identifies what is happening and creates or adds throttles to help improve against these attacks. Because every time I address an issue, I have to include what we have done to prevent them.

To be fair, we have to do this every day but this sudden spike comes at the tail end of a long and fascinating story.

So this has been building up for several months now. It all centers around one guy (and a few of his online acquaintances) who wanted an account… at all costs. Look, while there are no hard feelings from my end, we are not giving the account back. We are just going to continue making video games. That is why we are keeping this vague. Because the people who are doing this will see the post, but we are not calling anyone out. We are telling the story without names, to keep the peace but address the community's questions and make sure everyone knows the reality of the situation.

Last Week's Misrepresented “Security Situation”

Last week we publicly addressed player concerns about a list posted on social media. It showed 500 compromised game accounts. It should be noted AdventureQuest Worlds has 45 million registered accounts. These accounts were not compromised by hacking our database. We wrote a post to explain the situation and were frankly horrified at the response. We were accused of everything from a corporate coverup to blatant lying. So once again, I just want to state that our accounts and databases were not hacked. These accounts, most of which were old, were the result of credential stuffing. If you have never heard of the term, do not worry. It just means they looked up the passwords of other compromised accounts on the web and used that information to try to gain access to game accounts on our website. We protected the accounts that were posted and Player Support has been helping anyone concerned about account safety (like they do every day).

We handle a huge amount of problems behind the scenes every day. Most of them are pretty standard, like in any other company. Some of them though... are worth a long story post to give you more context and information. Like this one. Starting a few months ago, I got a large number of messages indicating that people were attempting to access my social media accounts. They were clearly trying to access my and other team member accounts. After attempting to access my stuff and assuming the info of other staff members, then we just started getting all of these Player Support email requests. They were trying to apologize and get access to other accounts. The velocity of this is what was so troubling. Then when they get told no, they go and start messaging other people, trying to get into the DMs of other staff members, they suddenly invent problems that urgently need attention. They know the older staff members know who they are… but the newer ones do not. They have not been trained on how to handle these things. They just respond helpfully. And because these guys use different identities, it takes a while to filter back up to the higher admins who know what is going on. 

If you are asking, “why does someone do this? Why so much effort to just get an account in AdventureQuest Worlds?" (or AdventureQuest 3D, or one of our other games) you are not alone. It is a fair question! Sometimes it IS their account they want back. Sometimes there is a seller or buyer who will pay real money for an account. Sometimes it is a bet. And sometimes it seems it is just for sport. In this particular case, these people have done this for a decade and a half or more. Maybe they do it because it is habit, or it reminds them of the old days. Regardless, when they do not get what they want, they escalate and head to social media.

That is what happened here. We saw the post, then took immediate action internally to investigate and protect the accounts because we do not take these things lightly. But if there really were a problem, people would be walking around as Artix, Alina, Captain Rhubarb, Nythera, and our other admins because they had gained access to their accounts. To be clear: this has not happened. This is not an issue. 

If Artix Entertainment were an episode of The Office, anyone listening in to our team meetings would hear how much people are helping each other or working to make sure the devs have what they need to make fun updates. At the end of the day, what really matters is our mission and our values. We create and run videogames. Our players, some who have been with us for 20 years, love that we are funny, good-hearted, and that even through difficult times, we never give up.

We have made mistakes in the past. We may in the future. But you cannot create and evolve without making mistakes. You correct them when you find them, you try to prevent them from reoccurring, but you have to keep creating. AdventureQuest Worlds and our other games are not for everybody. Our games are for the people who love them, and those are the people we want to keep building and improving them for.

Additional fires addressed this week you may not even be aware of

  1. Throughout the history of the company, we have given bug bounties to players who help us find any legitimate security concerns. This is similar to what companies like Google and Microsoft do. That is not commonly known, but is important to share with you right now, as players are posting and misrepresenting screenshots of Captain Rhubarb getting reports and discussing bounty rewards.
    There have been times that warranted giving money, an item reward, or in extreme instances, granting other reward requests to a person who helped solve a really big issue that impacted the community. If the rewards result in serious unintended consequences, the rewards may be replaced by something close in value.
  2. Any team member found exploiting their ability to get accounts banned or muted, or leaking private conversations with the team, will be removed. Unlike the internet, we do give second chances (hell, sometimes third or fourth) but trust and integrity in the team is one of our core values.

Challenges of Sharing Information

The biggest challenge writing these posts is what I call the “Superman problem.” While the bad guys can make up accounts, say anything they want, post screenshots out of context, send us threats by email and then go onto social media and claim they are the victim… we cannot. We do not name names. We do our best not to single people out, not to name names, or slander our attackers. We do not share the email messages that they send us. In this case, I really wish we could. It is hilarious how we have gotten threats, bribes, blackmail, and then peace offerings just within the past week from the same individuals. But trying to do the right thing has always put us at a disadvantage in situations like this. And if you are one of the people watching from the sidelines in situations like this, and thinking “oh man, why don’t they say something?” I am about to tell you, but in sharing, one of my biggest concerns is that we are going to create more questions than we actually answer. Because I could give a TED Talk on each of these points.

  • First, it makes us look like the same kind of bad guy that is attacking us.
  • Second, it shines a spotlight on people who WISH the attention was on them.
  • Third, responding to BS in no way helps us focus on or build the games.
  • Fourth, we do not want to give away how troublemakers are doing this in our explanation.

Non-Story Real-Talk Interjection

The most disheartening part is when these groups started making private and public attacks against different team members. Look, if you want to attack anyone, I am fair game but leave the rest of the staff alone. It is completely inappropriate to post people’s home addresses, phone numbers, images of them or their family, their Facebook accounts or any of those things owned by their children or other family members... it is downright despicable.

I do not block very many people on social media; I love seeing your screenshots and what you think of the game updates. But just like we tell you to report and block people who are harassing you in-game, I am officially reversing this policy for myself. If somebody is spamming our accounts, if they are seeking attention, I am just from now on… going to remove them from our feeds. We want to hear from players who genuinely love the game; all of your feedback is important, both the positive and negative. We do not need to hear from people whose only contribution is to be the loudest voice possible.

Conclusion

I had mentioned above that every day we have to put out fires. This situation has been a huge amount of smoke but no fire. None of this is going to take away our energy and focus; our mission is to keep building and improving the games. We are here to serve people who love our games, humor, and weekly releases. People who want us to keep making the games better every week. To finish what we have started. And in the future, to build even more new things for them.

The culture of our game community is around art, and being funny and different. Even if there were actually a problem, we would fix it and get back to building the games.

PS: Dear Reddit friends – I just discovered on that post in /r/AQW that I come from a rich Montana rancher family! I shot Pepsi out of my nose upon reading this. Not even my mother knew we had any family there. How do people come up with this stuff?
