What happened?
Recently, we became aware of a compromise of the LOTRO forum database.

Were my payment details or credit card number exposed?
No payment information was contained within the forum DB.

How did it happen?
A bug in our forum code allowed unauthorized access to the forum database.

What did you do about it?
We turned off the forums and conducted a full analysis of the issue. As part of our review we brought in experts to help address any findings. We were able to find and fix the bug and took specific additional actions to further strengthen the security of our web applications.

Why didn't I hear about this sooner?
Rather than speculating, we wanted to fully understand the situation before communicating details to our players.

I received an email regarding LOTRO from BlueHornet with links to the MyAccount page instructing me to change my password. Is this email legitimate?

We have sent emails to all players informing them of the security issue and suggesting appropriate action for their particular accounts. If you ever have concerns about whether any communications are not legitimate, you should contact customer support.

My email didn't say to change my password; it said it had been changed. Why?

Out of an abundance of caution we've reset the passwords of a small number of players. These players have received an email notifying them of this change and how to recover their accounts.

Why were there two emails?

Emails were tailored to each account situation. The most important message from both communications was to change your password to one that is strong, unique, and hard to guess.

How do I pick a strong password?