Just got an email saying that someone from "Jiaxing, Zhejiang, China" tried to log in. Didn't see any foreign IPs on my email account, so I guess I'm safe. Also changed my password.
Posted by Aqualung#6823 on Mar 5, 2013, 3:41:45 AM

GuessICantCurse wrote:
Chris wrote:
The people who were compromising the majority of the accounts have:
a) A botnet with at least 270,000 IPs we've seen so far.
b) A list with over 5 million email addresses and passwords, almost all of which are not people who have ever heard of Path of Exile.
They try the passwords on our website and are IP banned pretty quickly, which is when they change IP.
This email and password list has not come from us. It contains users from many other web services and is probably a concatenation of stolen lists from dozens of sites and games. They are trying it against Path of Exile because it gives them free accounts if they do stumble into any. This is why it's important to use a unique password. I'm not saying every compromised account came from their use of this list, but it's certainly the bulk of them.
Since we deployed the security patch in 0.10.1d, the rate of account compromise dropped off almost completely because they have no way to log into an account from a different location.
There is a patch coming soon (probably 0.10.2) that will add the same lockout code to the website too.
To users worried that we have had our security breached: Don't worry! We would tell you as soon as we had any evidence of that happening. Our server security is excellent and there have been no signs so far of any attempts, let alone successful ones. Even if they did gain access to public-facing servers, there would be an awful lot of work (that we could see) before they got anywhere near the accounts database. Also, we do not save credit card numbers on our servers. Our payment provider handles that.
To azurarutlan who claims that he knows someone that breached our servers: Such claims can be very damaging to a company. Do you have any evidence of this? Please get in touch if you do, I'd be very interested in discussing it.

Doesn't matter whose fault it was or what you have done for security since. You turned your back on any player that was hacked. You lost my and everyone I know's respect.

So they lost the respect of 3 people and probably gained the respect of thousands of people.
A good tradeoff if you ask me.
“Demons run when a good man goes to war”
Posted by Sneakypaw#3052 on Mar 5, 2013, 3:54:32 AM

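The two controls Chris describes in the quoted post (banning an IP after repeated failed logins, and the 0.10.1d lockout that refuses a correct password coming from a location the account has never used), as an added example that is not Grinding Gear Games' code. Every account, password, IP address, the ban threshold and the use of a country code as the "location" are constructed for the demo; a real service would compare against salted password hashes and use whatever location key it actually records.

```python
"""Added illustration of credential stuffing against a login endpoint and the
two defences described in the thread: per-IP banning of guessing sources and a
lockout when a correct password arrives from an unfamiliar location.
All data below is made up for the demo; it is not the game's code or data."""
from collections import Counter, defaultdict

IP_BAN_THRESHOLD = 5  # assumed: failed attempts from one IP before it is banned

# Constructed demo accounts (plaintext passwords only to keep the demo short;
# a real service stores salted hashes and compares against those).
ACCOUNTS = {"exile42": "hunter2", "witch77": "c0rrect-horse", "ranger9": "Tr0ub4dor&3"}
# Where each account has logged in from before (country code as the location key).
KNOWN_LOCATIONS = {"exile42": {"NZ"}, "witch77": {"NZ"}, "ranger9": {"AU"}}

# A slice of a leaked email/password list being replayed against the site.
# Most entries have no account here at all; exile42 reused a leaked password.
LEAK = [("noone1", "letmein"), ("noone2", "123456"), ("exile42", "hunter2"),
        ("noone3", "qwerty"), ("witch77", "wrongpw"), ("noone4", "password"),
        ("ranger9", "wrongpw"), ("noone5", "abc123")]


class LoginGuard:
    def __init__(self, credentials, known_locations):
        self.credentials = credentials
        self.known = {acct: set(locs) for acct, locs in known_locations.items()}
        self.failed_by_ip = defaultdict(int)
        self.banned_ips = set()
        self.locked_accounts = set()

    def attempt(self, ip, location, account, password):
        """Return the outcome of one login attempt and update guard state."""
        if ip in self.banned_ips:
            return "ip_banned"
        if account in self.locked_accounts:
            return "account_locked"  # owner must verify out of band first
        if self.credentials.get(account) != password:
            self.failed_by_ip[ip] += 1
            if self.failed_by_ip[ip] >= IP_BAN_THRESHOLD:
                self.banned_ips.add(ip)
                return "ip_banned"
            return "bad_password"
        if location not in self.known.get(account, set()):
            # Right password, unfamiliar place: exactly what a reused password
            # from a leak looks like, so lock the account rather than admit.
            self.locked_accounts.add(account)
            return "locked_new_location"
        return "ok"


def run_botnet(guard, leak, ip_pool, location="CN"):
    """Replay the leak the way the botnet does: when an IP gets banned,
    move to the next one and retry the credential that triggered the ban."""
    ips = iter(ip_pool)
    ip = next(ips)
    log = []
    for account, password in leak:
        while True:
            result = guard.attempt(ip, location, account, password)
            log.append((ip, account, result))
            if result != "ip_banned":
                break
            ip = next(ips)
    return log


def suspicious_ips(log, min_accounts):
    """Stuffing signature in the login log: one IP trying many distinct accounts."""
    accounts_per_ip = defaultdict(set)
    for ip, account, _ in log:
        accounts_per_ip[ip].add(account)
    return {ip for ip, accts in accounts_per_ip.items() if len(accts) >= min_accounts}


def demo():
    guard = LoginGuard(ACCOUNTS, KNOWN_LOCATIONS)
    log = run_botnet(guard, LEAK, ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    outcomes = Counter(result for _, _, result in log)
    # The real owner logging in from home afterwards is held too until verified.
    owner = guard.attempt("203.0.113.7", "NZ", "exile42", "hunter2")
    return guard, log, outcomes, owner


if __name__ == "__main__":
    guard, log, outcomes, owner = demo()
    for entry in log:
        print(entry)
    print("outcomes:", dict(outcomes), "| owner login:", owner)
    print("stuffing sources:", suspicious_ips(log, 4))
```

Running the demo shows why the IP ban alone is not enough against a large botnet: the first address is banned after five misses, the replay just continues from the next one, and the one reused password in the list is still found. What denies the attacker is the location check, which turns the only correct guess into a lock instead of a login; the cost, visible in the owner's follow-up attempt, is that the legitimate user is also held until they verify.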
They didn't gain shit, bud. Your nose was already up their ass.
GuessICantCurse wrote:
They didn't gain shit, bud. Your nose was already up their ass.

You underestimate the amount of people who respect them for standing by their principles, "bud".
“Demons run when a good man goes to war”
Posted by Sneakypaw#3052 on Mar 5, 2013, 4:01:07 AM

Sneakypaw wrote:
GuessICantCurse wrote:
They didn't gain shit, bud. Your nose was already up their ass.
You underestimate the amount of people who respect them for standing by their principles, "bud".

"We won't help our players" Yea stand by that shit. Bad company is bad.
GuessICantCurse wrote:
Sneakypaw wrote:
You underestimate the amount of people who respect them for standing by their principles, "bud".
"We won't help our players" Yea stand by that shit. Bad company is bad.

Just because you don't understand their reasoning doesn't mean they are bad.
When you grow up and get smarter you will see all the good things about GGG.
“Demons run when a good man goes to war”
Posted by Sneakypaw#3052 on Mar 5, 2013, 4:19:28 AM

Sneakypaw wrote:
GuessICantCurse wrote:
Sneakypaw wrote:
You underestimate the amount of people who respect them for standing by their principles, "bud".
"We won't help our players" Yea stand by that shit. Bad company is bad.
Just because you don't understand their reasoning doesn't mean they are bad.
When you grow up and get smarter you will see all the good things about GGG.

Just because you think you understand their reasoning doesn't mean they aren't bad.
When you grow up and get smarter you will see all the bad things about GGG.
FFS, why do you guys still think it's a server breach? Srsly, come on.
Funny, these people that are saying it's impossible for their computer to be compromised: no one actually contacted me or even tried what I suggested for checking their computer.
Last edited by Ultralisk153#1735 on Mar 5, 2013, 4:39:03 AM
Posted by Ultralisk153#1735 on Mar 5, 2013, 4:36:08 AM

GuessICantCurse wrote:
Sneakypaw wrote:
GuessICantCurse wrote:
"We won't help our players" Yea stand by that shit. Bad company is bad.
Just because you don't understand their reasoning doesn't mean they are bad.
When you grow up and get smarter you will see all the good things about GGG.
Just because you think you understand their reasoning doesn't mean they aren't bad.
When you grow up and get smarter you will see all the bad things about GGG.

Haha, thanks "bud", that made me laugh.
Well, you don't seem to understand. Keep on hating if it pleases you, but please don't fill the forum with this crap, ok? Thanks.
“Demons run when a good man goes to war”
Posted by Sneakypaw#3052 on Mar 5, 2013, 5:10:36 AM

Ignoring the immature children who keep bickering at each other, which is very detrimental to this conversation (please guys, just drop it and go someplace else).
Chris wrote:
The people who were compromising the majority of the accounts have:
a) A botnet with at least 270,000 IPs we've seen so far.
b) A list with over 5 million email addresses and passwords, almost all of which are not people who have ever heard of Path of Exile.
They try the passwords on our website and are IP banned pretty quickly, which is when they change IP.
This email and password list has not come from us. It contains users from many other web services and is probably a concatenation of stolen lists from dozens of sites and games. They are trying it against Path of Exile because it gives them free accounts if they do stumble into any. This is why it's important to use a unique password. I'm not saying every compromised account came from their use of this list, but it's certainly the bulk of them.
Since we deployed the security patch in 0.10.1d, the rate of account compromise dropped off almost completely because they have no way to log into an account from a different location.
There is a patch coming soon (probably 0.10.2) that will add the same lockout code to the website too.
To users worried that we have had our security breached: Don't worry! We would tell you as soon as we had any evidence of that happening. Our server security is excellent and there have been no signs so far of any attempts, let alone successful ones. Even if they did gain access to public-facing servers, there would be an awful lot of work (that we could see) before they got anywhere near the accounts database. Also, we do not save credit card numbers on our servers. Our payment provider handles that.
To azurarutlan who claims that he knows someone that breached our servers: Such claims can be very damaging to a company. Do you have any evidence of this? Please get in touch if you do, I'd be very interested in discussing it.

Chris, I don't really know how we can believe you. I, personally, have been using a unique password, different from my email (and anything else). A lot of people have reported the same. I am a Linux user and developer, I am familiar with the concept of Internet security and have been playing MMORPGs since I was 12 (I am 23 now). I have never been hacked and I have strong reasons to believe my accounts have never been compromised in the past. My computer is clean (running Linux is a great advantage to this) and I am 100% sure of this.
There seem to be no reasons *at all* for somebody to be able to get into my account, and yet it happened. I am confused by this. I do not want to doubt your security or anything, but seeing the huge rate of hacked accounts (far greater than the usual phishing and scamming attempts on other MMORPGs), there seem to be good reasons to believe there is something wrong and these guys are obtaining the login credentials some other way.
What's also very fishy is the fact that we keep getting "hacked" and there is no way to know the trade history of our accounts or anything like that. Why won't you guys do anything about it? It's not hard to just tell us which characters have traded with whom and what. Let us handle the rest.
Posted by Morgawr#2086 on Mar 5, 2013, 6:01:54 AM