Important Info About Beacon IP Leak March 17th, 2024

On March 17th, at 6:03 PM EDT, LBP Union Research & Development informed me that a data leak occurred related to Beacon services. Here is what we know so far:

When matchmaking with LittleBigPlanet, your PlayStation or PC running RPCS3 will search for other users that are currently online. When you connect to another person, a peer-to-peer session is initiated. This means that your computer or PlayStation is directly connected to them, not just to the server, so your IP address is exposed to them during that time. This is normal behavior and occurs on the official servers and other P2P multiplayer video games as well.

However, we discovered a vulnerability that allowed a malicious user to abuse the matchmaking endpoint to grab many more IP addresses than would normally be possible from users who were online. We are aware of 717 IP addresses and 649 users that were affected, less than 10% of the total population of Beacon. This leak only affects RPCS3 players. In addition, players who only use LBP1 and LBP Vita were unaffected.

Chart: users affected in the Beacon IP data leak (7% affected, 93% unaffected).
93% of Beacon’s population is unaffected by the IP data leak.

We responded by immediately shutting down the dive in service on Beacon. Developers worked quickly to create a patch to prevent the issue from continuing, and we were able to successfully restore dive in service to Beacon.

We will be sending emails to all users affected by the exploit as soon as possible. If you have played on Beacon with any game except LBP1 since March 4th, here are the steps we officially suggest you take to protect yourself:

  1. Understand that your IP address is not your exact location. At best, your IP address may reveal the city that you connected to the server from.
  2. If you are hosting any web servers on your local network, consider taking steps to change your IP address or check your firewall rules to prevent abuse. Some ways to change your IP address are:
    • Unplug your modem from the wall for a few minutes and plug it back in. It’s possible your ISP may assign you a new IP address after you reconnect to the network.
    • Contact your ISP and request a new IP address.
  3. Only play P2P multiplayer sessions with players that you trust. When dive in matchmaking is available in the future, remember that your IP address will be exposed to anyone you play with. This same principle applies for any P2P video game.

I and the rest of LBP Union take full responsibility for this leak. If we had done a better job at handling the matchmaking service, this never would have happened. LBP Union has failed you. Despite that, I’m not going to stop fighting. Script kids have terrorized this community for years. We’re done running and hiding. We’re going to keep fighting for this community so that everyone can play LittleBigPlanet online safely — so everyone can relive their childhood without fear. We are in this with you, and I refuse to give up.

To follow updates on this issue, you have a few options:

  1. Follow this page for updates. We will post in-depth updates to this page as our work on a patch progresses.
  2. You can join our Discord server and subscribe to the Beacon Notifications role to get a push notification when updates arrive.
  3. Follow us on Twitter or on Mastodon to receive updates.

I am holding a live Q&A session tomorrow, Monday, March 18th, at 1:30 PM EDT on our Discord server stage channel, where you can ask questions about this incident. Minister of Technology Zaprit will be joining me for the session.