Lotro security hole makes game password hackable

Lord of the Rings Online currently has a security hole that makes it possible for someone to get game usernames and passwords. Lotro forces players to use their game account names and passwords for the official forums. The forums used to use https but now only use http for login, and so now send your username and password in plain unencrypted text. So anyone on a network or capturing data on a wifi network can catch a player's name and password for the game. At some point the forums at Lotro stopped using https and so now everything is sent unencrypted.

I play Lotro and am pretty concerned about this. A bunch of players have emailed about this to Turbine, but they have been silent on this and done nothing for more than a month. This seems like a pretty big security hole. I can't believe a company running one of the top MMOs would let this happen.

More information is here on the official forums. Apparently this would be pretty easy to fix, but Turbine has a tendency to let things go and not to fix game bugs and other forum problems.

I think people assume that games like LOTRO will protect your account and passwords better. Or are other MMOs this bad at security?


    There's an easy fix for that, don't use the forum :) (or use it with a separate, strictly forum account like I do)

    I still remember before the server transfer there were pretty serious concerns about the forum over there, regarding both Sapience and security. Same with my.lotro's security issues. Heck, the lotrocommunity page was started just because of that :)

    So yep, after we got merged to a new Turbine acc I haven't even set a forum name on my accounts, nor activated my.lotro (lotteries aren't my style anyways). But I feel for those who actively use the forum, it's a pretty bad move to switch back to plain http. Someone posted the https auth.php link, though, which is still accessible.

    I'll repeat here what I've said on the official forum, in case it gets lost or moved.


    If you're concerned about your account's security, you can:

    1. Change your account password at (which is unaffected by this issue)
    2. And then safely log in to the community site at

    Depending on your browser's settings, the login page may look a little different than usual, but your account name and password will be securely encrypted.

    Keep in mind that it might take some time for your new password to become active on the community site, but it should become active immediately for logging into the game.

    If you've read this far, you probably wonder if you should take the word of a stranger regarding your account security and click on potentially unfamiliar links. Good for you, because the answer is no. I hope some other helpful community members will confirm these steps as safe.

    This is not an emergency, and if your account hasn't been compromised already, these steps will help protect you.

