
Hacked Accounts

"
Selanmer wrote:
"
daveg3d wrote:
I understood that quite well.. either way I am frustrated by the entire situation and just being told.. oh well.

thanks for your input though, it really showed me the error of what I was feeling.

Hmm.. my sarcasm detector blinks yellow.


I hope it doesn't go to red.... it does involve changing the bulb
"
azurarutlan wrote:
Positive. He showed me how he could easily download the entire server files and run his own server if he so chose.


Why aren't people running private servers then? Surely there are people who would be keen for that...
"
tvari wrote:
"
azurarutlan wrote:
Positive. He showed me how he could easily download the entire server files and run his own server if he so chose.


Why aren't people running private servers then? Surely there are people who would be keen for that...



2 reasons:

1. Someone else I know and myself both asked the person in question not to because we loved this game and want to see GGG succeed.

2. Using stolen server files instead of an emulated server is IP theft and depending on how access was gained, and the fact that GGG is not in the US, means it would be a very serious criminal offense.


However I would like GGG to change their policy on compromised accounts though, and if my cooperation will help them fix their current situation and make those changes I would be happy to help.
"
azurarutlan wrote:
2 reasons:

1. Someone else I know and myself both asked the person in question not to because we loved this game and want to see GGG succeed.

2. Using stolen server files instead of an emulated server is IP theft and depending on how access was gained, and the fact that GGG is not in the US, means it would be a very serious criminal offense.


However I would like GGG to change their policy on compromised accounts though, and if my cooperation will help them fix their current situation and make those changes I would be happy to help.


Err if you want to see GGG succeed, shouldn't you report such a serious breach to them rather than just ask your friend not to do it? I mean if it's that easy how long until someone else steals all the passwords and server files.
"
tvari wrote:
"
azurarutlan wrote:
2 reasons:

1. Someone else I know and myself both asked the person in question not to because we loved this game and want to see GGG succeed.

2. Using stolen server files instead of an emulated server is IP theft and depending on how access was gained, and the fact that GGG is not in the US, means it would be a very serious criminal offense.


However I would like GGG to change their policy on compromised accounts though, and if my cooperation will help them fix their current situation and make those changes I would be happy to help.


Err if you want to see GGG succeed, shouldn't you report such a serious breach to them rather than just ask your friend not to do it? I mean if it's that easy how long until someone else steals all the passwords and server files.



Truthfully, I wasn't exactly sure how he breached the network so just telling them there is a breach likely won't help much without something to go on. I have more information now, but I'm withholding it until the stupid policy on hacked accounts is changed.
The people who were compromising the majority of the accounts have:
a) A botnet with at least 270,000 IPs we've seen so far.
b) A list with over 5 million email addresses and passwords, almost all of which are not people who have ever heard of Path of Exile.

They try the passwords on our website and are IP banned pretty quickly, which is when they change IP.

This email and password list has not come from us. It contains users from many other web services and is probably a concatenation of stolen lists from dozens of sites and games. They are trying it against Path of Exile because it gives them free accounts if they do stumble into any. This is why it's important to use a unique password. I'm not saying every compromised account came from their use of this list, but it's certainly the bulk of them.

Since we deployed the security patch in 0.10.1d, the rate of account compromise dropped off almost completely because they have no way to log into an account from a different location.

There is a patch coming soon (probably 0.10.2) that will add the same lockout code to the website too.

To users worried that we have had our security breached: Don't worry! We would tell you as soon as we had any evidence of that happening. Our server security is excellent and there have been no signs so far of any attempts, let alone successful ones. Even if they did gain access to public-facing servers, there would be an awful lot of work (that we could see) before they got anywhere near the accounts database. Also, we do not save credit card numbers on our servers. Our payment provider handles that.

To azurarutlan who claims that he knows someone that breached our servers: Such claims can be very damaging to a company. Do you have any evidence of this? Please get in touch if you do, I'd be very interested in discussing it.
Lead Developer
Last edited by Chris#0000 on Mar 5, 2013, 12:37:45 AM
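
The two controls described in the post above (per-IP bans and a lockout on login from a new location), replayed against a constructed credential-stuffing run. This is an added example, not part of the original post and not GGG's code; the `LoginGate` class, the failure threshold and the use of a /24 network as "location" are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

IP_FAIL_LIMIT = 3  # assumed threshold: failed logins before an IP is banned

def location_of(ip):
    # Assumption: "location" is approximated by the /24 network of the source IP.
    return str(ip_network(f"{ip}/24", strict=False))

class LoginGate:
    def __init__(self, passwords, known_locations, location_lockout):
        self.passwords = passwords          # account -> password (plaintext only for this demo)
        self.known = known_locations        # account -> set of locations already trusted
        self.location_lockout = location_lockout
        self.ip_failures = defaultdict(int)
        self.banned_ips = set()

    def attempt(self, ip, account, password, unlock_code_ok=False):
        if ip in self.banned_ips:
            return "ip_banned"
        if self.passwords.get(account) != password:
            self.ip_failures[ip] += 1
            if self.ip_failures[ip] >= IP_FAIL_LIMIT:
                self.banned_ips.add(ip)
            return "bad_credentials"
        loc = location_of(ip)
        if self.location_lockout and loc not in self.known.setdefault(account, set()):
            if not unlock_code_ok:
                return "locked_unlock_code_sent"  # code goes to the account's email
            self.known[account].add(loc)
        return "ok"

def replay(location_lockout):
    # Constructed scenario: one real account whose password also sits in a leaked list.
    gate = LoginGate({"alice@example.com": "reused-pw"},
                     {"alice@example.com": {location_of("198.51.100.7")}},
                     location_lockout)
    leaked = [("bob@example.com", "x1"), ("carol@example.com", "x2"),
              ("dave@example.com", "x3"), ("alice@example.com", "reused-pw")]
    results = []
    # Each bot IP tries only two pairs, then the botnet rotates: no IP reaches the ban limit.
    for i in range(0, len(leaked), 2):
        bot_ip = f"203.0.113.{10 + i}"
        for account, pw in leaked[i:i + 2]:
            results.append(gate.attempt(bot_ip, account, pw))
    owner = gate.attempt("198.51.100.7", "alice@example.com", "reused-pw")
    return results, owner, len(gate.banned_ips)
```

With `replay(False)` the reused password logs in from the bot network and no IP is ever banned; with `replay(True)` the same attempt stops at the unlock-code step while the owner's login from the usual network still succeeds.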
Just saying I use a unique password for Path of Exile and have never had an account hacked before in all my years of online gaming. I've played League of Legends, World of Warcraft, and Diablo 3 for years just to name a few online games. Tonight I received the email that my account was compromised and someone logged into it from another location. I haven't even logged into Path of Exile for at least 3 weeks. I understand that you are confident your servers weren't hit, but the likelihood that there is an alleged email address and password combo list out there that would have mine is slim to none when the password for this account was unique to Path of Exile.
Just noticed I got hacked too, had to use an unlock code on login
Don't think I have had to type the password since I joined in August.
Only other game I play is WoW and use unique passwords on both.
Only missing valuable orbs and skill gems, uniques untouched
"
Chris wrote:
The people who were compromising the majority of the accounts have:
a) A botnet with at least 270,000 IPs we've seen so far.
b) A list with over 5 million email addresses and passwords, almost all of which are not people who have ever heard of Path of Exile.

They try the passwords on our website and are IP banned pretty quickly, which is when they change IP.

This email and password list has not come from us. It contains users from many other web services and is probably a concatenation of stolen lists from dozens of sites and games. They are trying it against Path of Exile because it gives them free accounts if they do stumble into any. This is why it's important to use a unique password. I'm not saying every compromised account came from their use of this list, but it's certainly the bulk of them.

Since we deployed the security patch in 0.10.1d, the rate of account compromise dropped off almost completely because they have no way to log into an account from a different location.

There is a patch coming soon (probably 0.10.2) that will add the same lockout code to the website too.

To users worried that we have had our security breached: Don't worry! We would tell you as soon as we had any evidence of that happening. Our server security is excellent and there have been no signs so far of any attempts, let alone successful ones. Even if they did gain access to public-facing servers, there would be an awful lot of work (that we could see) before they got anywhere near the accounts database. Also, we do not save credit card numbers on our servers. Our payment provider handles that.

To azurarutlan who claims that he knows someone that breached our servers: Such claims can be very damaging to a company. Do you have any evidence of this? Please get in touch if you do, I'd be very interested in discussing it.
Doesn't matter whose fault it was or what you have done for security since. You turned your back on any player that was hacked. You lost my and everyone I know's respect.
