Hacked Accounts

2 things, firstly if anyone got hacked because they used their path password here and on some other dodgy website, that's your own fault, it's basic internet security and how is this the first time this has happened to you.

Secondly, can we stop calling it "hacking" when these "hackers" didn't actually hack anything, they were given passwords, at no point was actual hacking involved.
"
irok wrote:
2 things, firstly if anyone got hacked because they used their path password here and on some other dodgy website, that's your own fault, it's basic internet security and how is this the first time this has happened to you.

Secondly, can we stop calling it "hacking" when these "hackers" didn't actually hack anything, they were given passwords, at no point was actual hacking involved.


You're correct, it shouldn't be called hacking.

The reason, however, is wrong. This is called "Cracking" since it's done with malicious intentions.

But yeah, this is beside the point and is just semantics.
"
st0rmbreaK wrote:
Hey, I was just about to start playing PoE, but this thread has gotten me a bit worried, when d'you think this problem can be sorted out?

When people learn to keep their computers clean. And start using strong and unique passwords in combination with an email address which wasn't spammed over ALL the internet.

In other words: YOU are responsible if your account is hacked. GGG can't protect people from their own stupidity.
"
Grymlish wrote:
I just got this in the mail


"Your Path of Exile account has been locked because someone logged in from a location that you don't typically play from - "Xingyi, Guizhou, China".

To play again, you'll need to type or paste the following access code into the game client after logging in:

***-***-***

If you didn't just log in from a new location, then someone else has your account password! You should change it immediately which can be done on our website.

If you have any problems with this process, please contact customer support by replying to this email."

I just wonder if it is legit

I just got the same thing yesterday, from "Jilin, Jilin, China".

I'm pretty competent with computer security, my rig is as clean as the day it was built.

I run new programs in a virtual environment to ensure they won't impact my system, and even then, only run programs from a trusted source. I have Adblock Plus and NoScript ensuring pages won't compromise me, and have Malwarebytes Pro and Avast Antivirus scanning webpages on top of that, and I don't click on unfamiliar links or visit other Path of Exile sites, aside from the PoE wiki.

I just finished running various scanners and cleaners, since that's generally the first thing I suggest to others after an account breach, and the results of these tests confirm my system is still in pristine condition, as always.

I also use a unique password for logging into Path of Exile, meaning I don't use it for anything else, and I haven't actually had the time to log in for over a week now.

To take it a step further, when I have logged in, I only ever did so from my home connection, which has multiple types of security preventing others from connecting to it, not the least of which is mac filtering.

Yet yesterday, I received this message, informing me that someone from "Jilin, Jilin, China" has logged into my account and now has my password, which hasn't been used by me for over a week, aside from the forum where I'm already logged in.

As for the checklist offered, I'll go through it just to show that I have, in fact, given this considerable thought:

"
Phishing Links/PMs

I haven't received any PMs or emails, and even if I had, my spam filter is exclusive (i.e., it deletes emails that aren't on a list of accepted addresses). I also don't click links posted on the forum, partially due to security, but mostly because I genuinely have no interest in viewing anything randomly linked to by an anonymous stranger.

In general, I don't click links unless I specifically sought them out (and for Path of Exile, I've never had a reason to search outside the forums or wiki). I haven't even bothered looking at the currency rate site that's constantly linked to, since you can get a better grasp on values in-game, and there are threads on the forum repeating the information anyways.

"
Malware in Cheat Programs

This is the first I've heard about cheat programs, and I wouldn't have used one regardless. The same goes for any other third-party utilities, legal or otherwise; I haven't downloaded anything related to the game, and in the hypothetical event I had, they'd have been run in a virtual environment anyways.

"
Posting Config Files

I haven't uploaded, shared, or even viewed any of the files in the Path of Exile folder.

"
Non-unique Password

The password was created specifically for Path of Exile, and has not been used for any other purpose at any point in time.

"
Already Compromised PC or Email account

I have numerous programs regularly running a full scan for potential threats; active monitoring by numerous programs checking for malware, viruses, suspicious webpages, or any other suspicious activity; a virtual environment for opening all new programs in, which are only downloaded from trusted and verifiable sources in the first place; I have Adblock and NoScript preventing webpages from performing malicious activity, although I have no reason to visit potentially malicious pages in the first place; I use a dummy email address which deletes and forwards my messages to my primary email address, which has never been used for anything or given out to anyone; and the IP logs from both of those email accounts indicate that I'm the only person to ever access either of them.

That being the case, no, neither my PC nor email account is compromised.

"
Power-levelling Services

Lol.

Furthermore, I've never had any account compromised for any game or other service in the past. This is the only place in which my password was ever compromised, due to the extremely thorough precautions I take to ensure my system remains clean, secure, and running at top performance.

At the same time, this exact same thing is happening at an alarming frequency to others who've claimed it couldn't be their fault. Like many people, I thought "Ha, they must not be very computer savvy, and did something stupid to compromise their system." However, having now witnessed one of the most secure accounts possible be affected, it's evident that it's not simply a massively wide-spread case of irresponsibility. It's not simply a coincidence that such a significant number of accounts have been compromised within a relatively short time frame, all from the same location.

Clearly there's a security hole somewhere which isn't on the user's end. Perhaps there's a method for brute forcing passwords with such a high volume of attempts that they can actually crack passwords 8+ characters long in a reasonable amount of time? I'd like to think that neither the site nor game has made it possible to achieve an unlimited number of failed log-in attempts.

At any rate, I wish the devs the best of luck in figuring it out. In the meantime, I've changed my password to yet another unique code, and I'll unlock my account at some point in the future, after the game's security has been updated sufficiently.

To anyone who reads this that hasn't had their account compromised: If you're using the same password for Path of Exile that you use for anything else, you should change it immediately. You can quickly change it through the forums using https://www.pathofexile.com/my-account/change-password.
Last edited by AzraelX#7235 on Mar 5, 2013, 3:18:11 PM
Thanks Chris for the thorough explanation. I don't think anything further needs to be added.

It just dawned on me that my PoE password wasn't unique. I also used it about a year ago for a f2p game website called netmarble.com. Along with that same Email. Cheers all.
"
AzraelX wrote:


Gotta love the link to the "change your password" after all the advice you had about being safe. Lovin it!!!!!

Kids don't click this at home
Last edited by wonko33#2809 on Mar 5, 2013, 4:09:35 PM
Right, because posting a legitimate link (which you could hover over, right click, highlight and copy, or quote to verify) to a secure page, for people who can't be bothered to take five seconds to navigate to the page themselves, somehow contradicts anything that's been said.

The best part is, you actually quoted it and verified the link was legitimate, then warned "kids" not to use it anyways.

I think your talents would be better served in a less serious thread.
Last edited by AzraelX#7235 on Mar 5, 2013, 4:25:13 PM
Hi, new to the thread.

Just one question: How are people so dumb?
If you lost your account, that's purely your fault, and GGG is not to blame for sticking to their guns on this. If they reimbursed every hacked player for what they claimed they had in their stash or inventory, that'd be extremely broken and would mean anyone could set up "getting hacked" and then ask for their stuff back...

Most of the people who got their account hacked, I think, were using mods like the maphack which the devs have warned against. The rest were using passwords they used on other sites. No one with a unique password has been hacked unless they did something to ask for it (like illegal modding).
Why not implement an OTP device like the YubiKey (www.yubico.com)? They offer a free SDK to anyone that wants to implement it into their product. Plus you can use it for other stuff like some websites, and I think LastPass uses it.
"
dashgalaxy86 wrote:
Hi, new to the thread.

Just one question: How are people so dumb?
If you lost your account, that's purely your fault, and GGG is not to blame for sticking to their guns on this. If they reimbursed every hacked player for what they claimed they had in their stash or inventory, that'd be extremely broken and would mean anyone could set up "getting hacked" and then ask for their stuff back...

Most of the people who got their account hacked, I think, were using mods like the maphack which the devs have warned against. The rest were using passwords they used on other sites. No one with a unique password has been hacked unless they did something to ask for it (like illegal modding).


Good job on fanning the flames and completely overlooking (or not understanding) Chris (GGG staff)'s explanation, numpty. This thread should be closed and Chris's post made sticky somewhere. Just saying.
Last edited by phlegyas12#2096 on Mar 5, 2013, 7:40:52 PM
