Privacy Notice: Personally Identifiable Information leak

Where game and project announcements are made.


AnonDuck
TMW Adviser
Posts: 653
Joined: 02 Jan 2009, 04:19
Location: Catland

Privacy Notice: Personally Identifiable Information leak

Post by AnonDuck »

It has come to our attention that Personally Identifiable Information of TMW users has been shared on the Discord chat service by automated TMW administration processes.

The password recovery form at https://www.themanaworld.org/recover/password communicates with a Discord API to notify the Manasource Team when a user has reset their password. The information sent includes username and IP address of the requestor.

This is a breach of the TMW Privacy Policy. We should not have shared this information with a third-party data aggregator (Discord).

I would like to stress that this was obviously done with the best of intentions - keeping TMW secure is a top priority of the Manasource Team. Monitoring for suspicious password reset activity is a good thing.

We are currently working on locating and removing the code that performs this action. We will also be carefully examining our code and processes for any other information leaks of this type, both past and present.

The security and safety of our users is important to us and we sincerely apologize for this oversight.

Head of the TMW Illuminati
AnonDuck
TMW Adviser
Posts: 653
Joined: 02 Jan 2009, 04:19
Location: Catland

Re: Privacy Notice: Personally Identifiable Information leak

Post by AnonDuck »

Update:
The code has been located. It'd been in place since February 2020. Logging to Discord has now been entirely disabled.

If you have performed the following actions on TMW (Classic/Original/Legacy/Evol) since February 2020, your IP address and TMW username have been shared with Discord:

  • Password reset
  • Username change
  • Using Vault (ManaLauncher or the website) to create an account

The following actions were sharing IP address and sometimes session ID or numeric user ID:

  • Triggering various rate limits such as trying to authenticate too many times in a short period
  • Linking or unlinking accounts to Vault

As far as I can tell there is no way to reliably remove this information as it's been sent via a Discord "app". Discord's data retention policy only seems to apply to messages sent by users, not apps. It would be prudent to assume that they will retain this data forever and that the data will at some point be used to train AI models.

Head of the TMW Illuminati
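The posts above describe a notifier that forwarded raw username and IP address to a third-party service so staff could watch for suspicious reset activity. The following is an added example, not TMW's or Manasource's code, of how the same monitoring signal can be sent without the PII: the outgoing payload carries only a keyed pseudonym (HMAC with a server-side secret that never leaves the host), a coarse timestamp, and window-level counts, with a pre-send guard that refuses any payload still containing the raw values. The secret key, the sample events and the payload field names are constructed for the example.

```python
import hashlib
import hmac
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Hypothetical server-side secret (constructed value). It stays on the game
# host, is never included in any notification, and rotating it severs the
# link between old and new pseudonyms.
PSEUDONYM_KEY = b"example-only-secret-rotate-in-production"

# Constructed sample events in the shape a recovery form might log internally.
SAMPLE_EVENTS = [
    {"action": "password_reset", "username": "alice", "ip": "203.0.113.7",
     "time": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)},
    {"action": "password_reset", "username": "bob", "ip": "203.0.113.7",
     "time": datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)},
    {"action": "username_change", "username": "carol", "ip": "198.51.100.9",
     "time": datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)},
    {"action": "password_reset", "username": "alice", "ip": "203.0.113.7",
     "time": datetime(2024, 1, 1, 13, 30, tzinfo=timezone.utc)},
]


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY, length: int = 12) -> str:
    """Keyed hash (HMAC-SHA256, truncated). Staff can still see "same user or
    source as the last alert", but without the key the recipient cannot
    recover the username or IP, even by guessing from a short candidate list."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def build_naive_alert(event: dict) -> dict:
    """The kind of payload the notice describes: raw username and IP address."""
    return {"action": event["action"], "user": event["username"],
            "ip": event["ip"], "at": event["time"].isoformat()}


def build_external_alert(event: dict) -> dict:
    """Payload that is safe to hand to an external notifier: action name,
    pseudonyms, and the time rounded to the hour so it cannot be matched
    precisely against other parties' logs."""
    return {
        "action": event["action"],
        "user_ref": pseudonym("user:" + event["username"]),
        "source_ref": pseudonym("ip:" + event["ip"]),
        "hour": event["time"].strftime("%Y-%m-%dT%H:00Z"),
    }


def contains_pii(payload: dict, event: dict) -> bool:
    """Pre-send guard: True if the serialized payload still carries the raw
    username or IP, in which case the caller must not transmit it."""
    text = json.dumps(payload)
    return event["username"] in text or event["ip"] in text


def summarize_window(events: list, end: datetime, window: timedelta) -> dict:
    """Aggregate view for spotting bursts of reset activity: counts per action
    and number of distinct sources in the window, with no per-user fields."""
    start = end - window
    recent = [e for e in events if start <= e["time"] <= end]
    return {
        "window_minutes": int(window.total_seconds() // 60),
        "actions": dict(Counter(e["action"] for e in recent)),
        "distinct_sources": len({pseudonym("ip:" + e["ip"]) for e in recent}),
    }


def sample_summary() -> dict:
    """Fifteen-minute window ending 12:10 UTC over the constructed events."""
    return summarize_window(SAMPLE_EVENTS,
                            datetime(2024, 1, 1, 12, 10, tzinfo=timezone.utc),
                            timedelta(minutes=15))


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        naive, safe = build_naive_alert(ev), build_external_alert(ev)
        print("naive leaks PII:", contains_pii(naive, ev),
              "| redacted leaks PII:", contains_pii(safe, ev), "|", safe)
    print(sample_summary())
```

The raw event, with username and IP, still belongs in an internal log under the project's own retention control; only the redacted form or the window summary is handed to the external service. Because the pseudonym is keyed, a recipient who later wants to de-anonymize the data cannot do so by hashing candidate usernames or the IPv4 address space, which is the weakness of an unkeyed hash used for the same purpose.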