15 Year Old Dutch Boy Sued after discovering exploit in Habbo Help Tool!



sex
15-06-2013, 01:45 PM
http://www.nu.nl/tech/3500845/online-game-sleepte-minderjarige-rechter-tonen-lek.html


Hans Schröder and a friend discovered a weakness in the help system of Habbo Hotel in 2011. Anyone who creates an account at the hotel automatically receives a login for the help system. But anyone who had an account in the help system was automatically labeled as an employee of Habbo Hotel and was given all information of users.
"You could get at data from 15,000 people who had created help tickets. Then you saw your username, email address, title of the message and the content," says Schröder to Nutech. "You could just export all information. Here you can properly abuse it and that had to be reported."

it's in Dutch and the translate is pretty sure so i won't post it all. i remember seeing this posted on another site where he was trying to sell it before a few years ago (if it was him) lol

MKR&*42
15-06-2013, 01:48 PM
It's really worrying when even children can discover an exploit in such systems lmao.

Good news about the suing though.

Abdicators
15-06-2013, 02:41 PM
Well, did not expect this at all. Been a while since that happened.

lemons
15-06-2013, 02:46 PM
poor guy

#CutForHans

Empired
15-06-2013, 03:12 PM
Didn't understand half the translate but sounds like Habbo ****** up... again... lol.... :|

edible
15-06-2013, 03:40 PM
I think Sulake are playing with fire here. I was affected by the leak with personal info stolen. I had preliminary discussions about opening a legal case against Sulake which I won't discuss in detail. The information stolen here led to me being harassed at work, at home and over social media. I almost lost my job as a consequence of what people were able to do with my personal data. If I had lost my job, I would have undoubtedly taken decisive action.

Anyway, under the Data Protection Act Sulake are expected to do the following:


Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen - they didn't.

Therefore, the rights of the individual in the same act states that:


A right to claim compensation for damages caused by a breach of the Act.

Essentially, Sulake are expected to take measures to keep their systems secure. Okay, so the obvious argument is that it is Zendesk and not Sulake. However, Sulake are still legally responsible. They chose to remove their internal system and outsource it to Zendesk. This decision ensured that a 15 year old boy could access thousands upon thousands of emails, phone numbers and credit card information.

They can sue people but they should have taken a lot more responsibility than they did. They never told me my information was stolen which also breaks the law. I had contact with Sulake staff in Finland who made it pretty clear they knew parts were stolen but did not know what, when or how. All of which I have email proof of.

If this game wasn't played mostly by teenagers who don't understand how dangerous this loss of information could be then they would have been sued and fined as and when it happened.

e5
15-06-2013, 03:42 PM
Was it just an exploit or did they get users passwords and stuff?

sex
15-06-2013, 03:49 PM
Was it just an exploit or did they get users passwords and stuff?

they got anything you submitted to the help tool lol. how didn't you hear of this!

e5
15-06-2013, 03:53 PM
I did hear it but like I dunno if they got passwords or not

they got anything you submitted to the help tool lol. how didn't you hear of this!

Abdicators
15-06-2013, 04:05 PM
I think Sulake are playing with fire here. I was affected by the leak with personal info stolen. I had preliminary discussions about opening a legal case against Sulake which I won't discuss in detail. The information stolen here led to me being harassed at work, at home and over social media. I almost lost my job as a consequence of what people were able to do with my personal data. If I had lost my job, I would have undoubtedly taken decisive action.

Anyway, under the Data Protection Act Sulake are expected to do the following:


Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen - they didn't.

Therefore, the rights of the individual in the same act states that:


A right to claim compensation for damages caused by a breach of the Act.

Essentially, Sulake are expected to take measures to keep their systems secure. Okay, so the obvious argument is that it is Zendesk and not Sulake. However, Sulake are still legally responsible. They chose to remove their internal system and outsource it to Zendesk. This decision ensured that a 15 year old boy could access thousands upon thousands of emails, phone numbers and credit card information.

They can sue people but they should have taken a lot more responsibility than they did. They never told me my information was stolen which also breaks the law. I had contact with Sulake staff in Finland who made it pretty clear they knew parts were stolen but did not know what, when or how. All of which I have email proof of.

If this game wasn't played mostly by teenagers who don't understand how dangerous this loss of information could be then they would have been sued and fined as and when it happened.

This guy pretty much has it in the bag. They're aware that the leak happened, but are still unsure of what exactly was leaked. Similar incidents have happened before, and Sulake do have meetings over this.

From a leaked presentation about a similar incident a number of years ago, it's apparent that they chose not to alert users as to not cause a ruckus and distress within the hotel, this itself is a poor choice as if they made the choice based on that this time, then they've broken laws.

Sulake did a bad thing here!

Red
15-06-2013, 04:10 PM
It's disgraceful that they tried to hush it down and basically pretend it didn't happen. Feel sorry for those who ended up being phoned up and harassed. They are incapable of keeping our details safe. Will never use the helptool again.

Special
15-06-2013, 04:17 PM
sounds like the information he gained wasn't particularly harmful

Abdicators
15-06-2013, 04:27 PM
sounds like the information he gained wasn't particularly harmful

You're right. Credit card details, mobile phone numbers, names, ISPs, addresses, emails, not that harmful.

right.

j0rd
15-06-2013, 05:15 PM
You're right. Credit card details, mobile phone numbers, names, ISPs, addresses, emails, not that harmful.

right.

Tons of people got the file, most harmful information was taken out at the beginning before it was shared/sold (most probably by the 15 year old). The majority of other people just had the bare bones, like emails, foreign mobile numbers, ban appeals etc.
Not sure what a 15 year old could do with private information, but I would believe that he couldn't do much..

Mr-Trainor
15-06-2013, 05:51 PM
Just to make sure I'm clear, is this discussing how Habbo's help tool was basically hacked/broken in to? And for this boy who has been sued, when did this actually occur? As in when was the help tool compromised. Was it two years ago?

---------- Post added 15-06-2013 at 06:53 PM ----------


I think Sulake are playing with fire here. I was affected by the leak with personal info stolen. I had preliminary discussions about opening a legal case against Sulake which I won't discuss in detail. The information stolen here led to me being harassed at work, at home and over social media. I almost lost my job as a consequence of what people were able to do with my personal data. If I had lost my job, I would have undoubtedly taken decisive action.

Anyway, under the Data Protection Act Sulake are expected to do the following:


Encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen - they didn't.

Therefore, the rights of the individual in the same act states that:


A right to claim compensation for damages caused by a breach of the Act.

Essentially, Sulake are expected to take measures to keep their systems secure. Okay, so the obvious argument is that it is Zendesk and not Sulake. However, Sulake are still legally responsible. They chose to remove their internal system and outsource it to Zendesk. This decision ensured that a 15 year old boy could access thousands upon thousands of emails, phone numbers and credit card information.

They can sue people but they should have taken a lot more responsibility than they did. They never told me my information was stolen which also breaks the law. I had contact with Sulake staff in Finland who made it pretty clear they knew parts were stolen but did not know what, when or how. All of which I have email proof of.

If this game wasn't played mostly by teenagers who don't understand how dangerous this loss of information could be then they would have been sued and fined as and when it happened.
Interesting post, and that last sentence is very true.

sex
15-06-2013, 05:55 PM
Just to make sure I'm clear, is this discussing how Habbo's help tool was basically hacked/broken in to? And for this boy who has been sued, when did this actually occur? As in when was the help tool compromised. Was it two years ago?

---------- Post added 15-06-2013 at 06:53 PM ----------


Interesting post, and that last sentence is very true.

I think he compromised the help tool in habbo Netherlands, because i remember someone offering to sell it on another site. But i know the help tool for the .com hotel had been compromised multiple times also

Abdicators
15-06-2013, 06:18 PM
Tons of people got the file, most harmful information was taken out at the beginning before it was shared/sold (most probably by the 15 year old). The majority of other people just had the bare bones, like emails, foreign mobile numbers, ban appeals etc.
Not sure what a 15 year old could do with private information, but I would believe that he couldn't do much..

Does that matter? I know where it was posted, and checked for my own details. Irrespective of what details were removed, the details had been leaked. It is a serious matter.

GoldenMerc
15-06-2013, 06:38 PM
SitchJon; phone numbers on it lol, poor guy

HabboSwat
15-06-2013, 06:49 PM
This may have happened when Sulake first took the top links out, making it so that only people who knew links could use the help tool, if so then this could mean, this happened some time last year. Nov., Dec. maybe?

Reality
15-06-2013, 06:55 PM
Jesus this kid could have made a lot,
nonetheless it was a stupid move to see this in Habbo!

Special
15-06-2013, 07:50 PM
You're right. Credit card details, mobile phone numbers, names, ISPs, addresses, emails, not that harmful.

right.


"You could get at data from 15,000 people who had created help tickets. Then you saw your username, email address, title of the message and the content,

i just read from that, simmer down

Aaron
15-06-2013, 08:42 PM
Sulake are a million euro company, surely they can invest in better security software.. it says a lot if a 15 year old can discover an exploit in their services. :P

Daltron
15-06-2013, 11:26 PM
I think I remember this, my account was locked for like a few weeks as a safety precaution from the hack and when I attempted to get days lost in VIP back Sulake refused to compensate lol, even though they were the ones who locked my account.

MKR&*42
16-06-2013, 01:57 AM
I just re-read the article and some comments from someone else on a different site, is this genuinely true (as this is what the translation also suggests):


15-year old boy finds an exploit in the Help Tool. He tried several times to contact Sulake but he couldn't get in touch with them. They asked him his IP-Address to search easier and let him download the information so they would know where to look ... All the time he was helping them to locate the exploit so they could fix it and when they heard the court wouldn't prosecute him they went to the police and made their statement.

And look at this

"At one point an employee demanded that the boy would not call about the problem."

"Initially thanked Habbo Hotel Schröder for reporting, but return later shared with the boy and the friend did for computer intrusion."

Like what... you don't ask a kid to help you out with an exploit and then prosecute him for doing something YOU asked him to do. I'm not too sure how it got leaked out massively, but by asking him to download the data they already messed up...

Absolutely disgraceful if that is true and I don't blame anyone for not trusting Sulake after that.

edible
16-06-2013, 12:44 PM
Yeah, it does make me lose a lot of faith in not only how Sulake stores our information but how they treat individuals also. Again, without going into much detail because Sulake asked me not to. I found an exploit in Uservoice. I could have used it to access accounts. I didn't. I sent it to Sulake and they were very thankful. It would appear this guy tried to help too but perhaps didn't have the correct contacts.

The whole thing irritates me no end. Especially when I spoke to client staff about it and their response was essentially, "Oh well, information is available in public directories". Yeah, because the Yellow Pages holds my IP, ISP, phone number, email and card information.

Truly shocking.
