Hacked Accounts

dashgalaxy86 wrote:
No one with a unique password has been hacked unless they did something to ask for it (like illegal modding).

Except for all the people who were.

Basically what you're saying is, it's impossible for a small indie team to potentially overlook a security flaw in their program, even though it happens with blockbuster games that could have afforded to throw millions of dollars at security.

You're stating that, even though the same password is linked to both the forums and the game, it's impossible for either of those to be potentially compromised in any way.

You're suggesting that, even though less than two months ago you could steal someone's password just by sniffing their connection, the game must be perfectly secure in every way, despite the overwhelming evidence to the contrary.

Yeah, you should probably stick to threads that deal with something you're actually informed about.
Last edited by AzraelX#7235 on Mar 5, 2013, 8:39:00 PM
Morgawr, AzraelX, as you both presented fairly compelling cases I decided to investigate your accounts to make sure there wasn't anything unusual going on (as I have done with other random accounts when I get the chance). I wanted to share my findings with you in the hopes that it helps explain the situation.

In both cases your accounts were compromised during a sweep of login attempts, and in both cases yours were the only logins that succeeded from the respective IPs performing the login attempts (out of the half-dozen or so accounts they tried in each attempt). In each case only 1 login attempt is made per account, suggesting they are using a list of email/password combinations and are not brute forcing the passwords. None of the other accounts they tried even have PoE accounts associated with them, suggesting this list did not come from us.

A quick google search of your registered email addresses shows that both are used elsewhere on the internet. I cannot guess as to how they got your passwords, especially if they were randomly generated specifically for PoE - however if they had somehow been obtained from us it wouldn't make any sense for them to try all the non-existent email addresses at the same time (tinfoil hat theorists please stay in off topic).

These findings are consistent with everything we've seen and reported so far; I make a point of investigating cases which sound suspicious and so far none have raised alarms.

Also, before people start saying "Why don't you just block them from trying all these accounts?", we *do* have limits in place for login attempts which is why they only tried half a dozen or so per IP. The problem is we need to allow enough slack in the system for legitimate users to get their email/password wrong a few times without being instantly blocked - and the hackers (or crackers if you prefer) have over 270,000 IPs to do these tests from. We are however coming up with other ways to combat them, and will continue to do so until they are no longer a problem.
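As an added illustration of the pattern Thomas describes above (this is example code written for this page, not anything from GGG or anyone in the thread), the Python below classifies login attempts per source IP: a handful of distinct emails, one try each, most of them belonging to accounts that do not exist, reads as a leaked list of email/password pairs being tested, while many tries against one account reads as brute force. It then aggregates the flagged IPs into a campaign view, because a per-IP failed-attempt limit on its own never trips when each IP only makes half a dozen tries. The log format, the thresholds and the sample log lines are all assumptions constructed for the example.

```python
"""Classify login-attempt activity per source IP and summarise a
credential-stuffing campaign that is spread across many IPs.

Added example; log format, thresholds and sample data are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log, one line per login attempt:
#   <timestamp> <source-ip> <email> <result>
# result is one of: ok, bad_password, no_such_account
SAMPLE_LOG = """\
2013-03-05T20:01:00Z 203.0.113.10 a1@example.net no_such_account
2013-03-05T20:01:02Z 203.0.113.10 a2@example.net no_such_account
2013-03-05T20:01:04Z 203.0.113.10 a3@example.net no_such_account
2013-03-05T20:01:06Z 203.0.113.10 player1@example.org ok
2013-03-05T20:01:08Z 203.0.113.10 a4@example.net no_such_account
2013-03-05T20:01:10Z 203.0.113.10 a5@example.net no_such_account
2013-03-05T20:02:00Z 203.0.113.11 b1@example.net no_such_account
2013-03-05T20:02:02Z 203.0.113.11 b2@example.net no_such_account
2013-03-05T20:02:04Z 203.0.113.11 player2@example.org bad_password
2013-03-05T20:02:06Z 203.0.113.11 b3@example.net no_such_account
2013-03-05T20:02:08Z 203.0.113.11 b4@example.net no_such_account
2013-03-05T20:03:00Z 198.51.100.7 player3@example.org bad_password
2013-03-05T20:03:01Z 198.51.100.7 player3@example.org bad_password
2013-03-05T20:03:02Z 198.51.100.7 player3@example.org bad_password
2013-03-05T20:03:03Z 198.51.100.7 player3@example.org bad_password
2013-03-05T20:03:04Z 198.51.100.7 player3@example.org bad_password
2013-03-05T20:03:05Z 198.51.100.7 player3@example.org bad_password
2013-03-05T20:04:00Z 192.0.2.50 player4@example.org bad_password
2013-03-05T20:04:05Z 192.0.2.50 player4@example.org ok
"""


@dataclass
class Attempt:
    ts: str
    ip: str
    email: str
    result: str


def parse_log(text: str) -> List[Attempt]:
    """Parse the whitespace-separated format above into Attempt records."""
    attempts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, email, result = line.split()
        attempts.append(Attempt(ts, ip, email.lower(), result))
    return attempts


def classify_ip(attempts: List[Attempt]) -> str:
    """Label one source IP's attempts.

    credential_stuffing: several distinct accounts, at most one try each,
    and most tries hit accounts that do not exist (a list from elsewhere).
    brute_force: repeated tries against a single account.
    normal: anything else, e.g. a user mistyping twice and then succeeding.
    The thresholds are assumptions for the example, not production tuning.
    """
    per_account: Dict[str, int] = defaultdict(int)
    missing = 0
    for a in attempts:
        per_account[a.email] += 1
        if a.result == "no_such_account":
            missing += 1
    distinct = len(per_account)
    max_per_account = max(per_account.values())
    if distinct == 1 and max_per_account >= 5:
        return "brute_force"
    if distinct >= 4 and max_per_account == 1 and missing / len(attempts) >= 0.5:
        return "credential_stuffing"
    return "normal"


def classify_all(attempts: List[Attempt]) -> Dict[str, str]:
    """Group attempts by source IP and label each IP."""
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    return {ip: classify_ip(group) for ip, group in by_ip.items()}


def stuffing_campaign(attempts: List[Attempt]) -> dict:
    """Aggregate across IPs: each IP alone stays under any sane per-IP
    lockout, so the campaign is only visible when the flagged IPs are
    counted together, along with the accounts they actually got into."""
    labels = classify_all(attempts)
    stuffing_ips = {ip for ip, lab in labels.items() if lab == "credential_stuffing"}
    hits = [a for a in attempts if a.ip in stuffing_ips]
    return {
        "ips": len(stuffing_ips),
        "attempts": len(hits),
        "accounts_tried": len({a.email for a in hits}),
        "compromised": sorted(a.email for a in hits if a.result == "ok"),
    }


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ip, label in classify_all(parsed).items():
        print(f"{ip:15} {label}")
    print(stuffing_campaign(parsed))
```

On the constructed sample, the two 203.0.113.x sources are labelled as credential stuffing (one try per address, mostly non-existent accounts, one success), 198.51.100.7 as brute force, and 192.0.2.50 as a normal user who mistyped once; the campaign summary lists the single account the list actually unlocked, which is the account worth forcing a password reset on.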
@ Azrael, someone already knew your email address and guessed your password, get over your lack of knowledge on internet security.

Your email address doesn't need to be 'compromised', someone merely needs to know your email address to attempt to log in to your account.

A unique password alone is not good enough, I don't know why it needs to be repeated so many times and everyone that got hacked ignores it like it doesn't matter - YOU NEED TO USE A UNIQUE EMAIL ADDRESS FOR EACH AND EVERY ONLINE GAME YOU PLAY AND NEVER NEVER NEVER NEVER NEVER PROVIDE THAT ADDRESS TO ANYONE ELSE OR TYPE IT IN ANYWHERE OTHER THAN THE GAME OR WHEN LOGGING INTO THE ACCOUNT.

If you didn't do the above, then yes it's your fault you got hacked. If you use the same email address anywhere else on the internet like a third party forum, you run a very significant risk of it being nicked, because every site you sign up to is an extra method through which your email address can be stolen.

GGG need to make it clearer when making new accounts NOT to use an email account that's already in use and to make a new UNIQUE account.
(b) Personal abuse, foul language, inappropriate subject matter, obscene, harassing, threatening, hateful, or discriminatory or defamatory remarks of any nature ... are not permitted.

- PoE TOS.
Last edited by bhavv#7360 on Mar 5, 2013, 9:33:18 PM
AzraelX wrote:
Grymlish wrote:
I just got this in the mail


"Your Path of Exile account has been locked because someone logged in from a location that you don't typically play from - "Xingyi, Guizhou, China".

To play again, you'll need to type or paste the following access code into the game client after logging in:

***-***-***

If you didn't just log in from a new location, then someone else has your account password! You should change it immediately which can be done on our website.

If you have any problems with this process, please contact customer support by replying to this email."

I just wonder if it is legit

I just got the same thing yesterday, from "Jilin, Jilin, China".

I'm pretty competent with computer security, my rig is as clean as the day it was built.

I run new programs in a virtual environment to ensure they won't impact my system, and even then, only run programs from a trusted source. I have Adblock Plus and NoScript ensuring pages won't compromise me, and have Malwarebytes Pro and Avast Antivirus scanning webpages on top of that, and I don't click on unfamiliar links or visit other Path of Exile sites, aside from the PoE wiki.

I just finished running various scanners and cleaners, since that's generally the first thing I suggest to others after an account breach, and the results of these tests confirm my system is still in pristine condition, as always.

I also use a unique password for logging into Path of Exile, meaning I don't use it for anything else, and I haven't actually had the time to log in for over a week now.

To take it a step further, when I have logged in, I only ever did so from my home connection, which has multiple types of security preventing others from connecting to it, not the least of which is MAC filtering.

Yet yesterday, I received this message, informing me that someone from "Jilin, Jilin, China" has logged into my account and now has my password, which hasn't been used by me for over a week, aside from the forum where I'm already logged in.

As for the checklist offered, I'll go through it just to show that I have, in fact, given this considerable thought:

Phishing Links/PMs

I haven't received any PMs or emails, and even if I had, my spam filter is exclusive (ie, it deletes emails that aren't on a list of accepted addresses). I also don't click links posted on the forum, partially due to security, but mostly because I genuinely have no interest in viewing anything randomly linked to by an anonymous stranger.

In general, I don't click links unless I specifically sought them out (and for Path of Exile, I've never had a reason to search outside the forums or wiki). I haven't even bothered looking at the currency rate site that's constantly linked to, since you can get a better grasp on values in-game, and there are threads on the forum repeating the information anyways.

Malware in Cheat Programs

This is the first I've heard about cheat programs, and I wouldn't have used one regardless. The same goes for any other third-party utilities, legal or otherwise; I haven't downloaded anything related to the game, and in the hypothetical event I had, they'd have been run in a virtual environment anyways.

Posting Config Files

I haven't uploaded, shared, or even viewed any of the files in the Path of Exile folder.

Non-unique Password

The password was created specifically for Path of Exile, and has not been used for any other purpose at any point in time.

Already Compromised PC or Email account

I have numerous programs regularly running a full scan for potential threats; active monitoring by numerous programs checking for malware, viruses, suspicious webpages, or any other suspicious activity; a virtual environment for opening all new programs in, which are only downloaded from trusted and verifiable sources in the first place; I have Adblock and NoScript preventing webpages from performing malicious activity, although I have no reason to visit potentially malicious pages in the first place; I use a dummy email address which deletes and forwards my messages to my primary email address, which has never been used for anything or given out to anyone; and the IP logs from both of those email accounts indicate that I'm the only person to ever access either of them.

That being the case, no, neither my PC nor email account are compromised.

Power-levelling Services

Lol.

Furthermore, I've never had any account compromised for any game or other service in the past. This is the only place in which my password was ever compromised, due to the extremely thorough precautions I take to ensure my system remains clean, secure, and running at top performance.

At the same time, this exact same thing is happening at an alarming frequency to others who've claimed it couldn't be their fault. Like many people, I thought "Ha, they must not be very computer savvy, and did something stupid to compromise their system." However, having now witnessed one of the most secure accounts possible be affected, it's evident that it's not simply a massively widespread case of irresponsibility. It's not simply a coincidence that such a significant number of accounts have been compromised within a relatively short time frame, all from the same location.

Clearly there's a security hole somewhere which isn't on the user's end. Perhaps there's a method for brute forcing passwords with such a high volume of attempts that they can actually crack passwords 8+ characters long in a reasonable amount of time? I'd like to think that neither the site nor game have made it possible to achieve an unlimited number of failed log-in attempts.

At any rate, I wish the devs the best of luck in figuring it out. In the meantime, I've changed my password to yet another unique code, and I'll unlock my account at some point in the future, after the game's security has been updated sufficiently.

To anyone who reads this that hasn't had their account compromised: If you're using the same password for Path of Exile that you use for anything else, you should change it immediately. You can quickly change it through the forums using https://www.pathofexile.com/my-account/change-password.

So your comp is Fort Knox, eh?

Bet you have Java installed... right? I mean we all need Minecraft.
http://www.pathofexile.com/forum/view-thread/298833 - Mods doing what mods do best
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/3/ 'Cause I bet if everyone did what they say in here or, God forbid, you required an 8 char minimum password, fewer accounts would be compromised
Thomas wrote:
Morgawr, AzraelX, as you both presented fairly compelling cases I decided to investigate your accounts to make sure there wasn't anything unusual going on (as I have done with other random accounts when I get the chance). I wanted to share my findings with you in the hopes that it helps explain the situation.

In both cases your accounts were compromised during a sweep of login attempts, and in both cases yours were the only logins that succeeded from the respective IPs performing the login attempts (out of the half-dozen or so accounts they tried in each attempt). In each case only 1 login attempt is made per account, suggesting they are using a list of email/password combinations and are not brute forcing the passwords. None of the other accounts they tried even have PoE accounts associated with them, suggesting this list did not come from us.

A quick google search of your registered email addresses shows that both are used elsewhere on the internet. I cannot guess as to how they got your passwords, especially if they were randomly generated specifically for PoE - however if they had somehow been obtained from us it wouldn't make any sense for them to try all the non-existent email addresses at the same time (tinfoil hat theorists please stay in off topic).

These findings are consistent with everything we've seen and reported so far; I make a point of investigating cases which sound suspicious and so far none have raised alarms.

Also, before people start saying "Why don't you just block them from trying all these accounts?", we *do* have limits in place for login attempts which is why they only tried half a dozen or so per IP. The problem is we need to allow enough slack in the system for legitimate users to get their email/password wrong a few times without being instantly blocked - and the hackers (or crackers if you prefer) have over 270,000 IPs to do these tests from. We are however coming up with other ways to combat them, and will continue to do so until they are no longer a problem.
"While we continue to ignore those who were affected." You forgot that.
Last edited by GuessICantCurse#1561 on Mar 5, 2013, 9:58:53 PM
GuessICantCurse wrote:
"While we continue to ignore those who were affected." You forgot that.


They aren't ignoring people. They stated their policy, and have repeatedly demonstrated how it has been the user's own fault their account got compromised. They've also repeatedly explained why they won't restore lost items.

In the interests of disclosure, mine did too. Now I know I recycled a particular email/password combination used for WoW that got compromised about 4 years ago.

This situation is going to become more and more common. A few years back you didn't have the scale of organised cracking with massive botnets. It's up to us to wisen up or suffer the consequences.

If every Indie Studio had to take responsibility for stupid decisions made by their users, including me, they wouldn't have the resources left to make the damn game.

2-factor authentication live within days? Thanks GGG. These guys are currently raising the bar on dedication.
It seems to be that the main connection between hacked accounts is a "short" password. People who got hacked assure that they used a unique password and that their computer is clean. However no one mentioned that they used a long and complex password. A password needs to be unique, long and complex.

It seems like the hackers (or crackers) are able to crack the passwords in a large scale. IP should be blocked for x amount of time after x failed attempts.
My account was not hacked but I'm sorry for everyone who was. It can happen very easily and often you won't realize when your PC has been compromised. In my opinion GGG is doing the right thing by not restoring items. Deleted chars should be restored if possible in any way.

azurarutlan wrote:
Morgawr wrote:
Ruefl2x wrote:

I'm not saying it's impossible for GGG to get hacked but their database is well secured and encrypted so in 99% of all cases you can be quite certain that you just haven't paid enough attention or used your e-mail / password somewhere else, where this info was stored in plain text (or weakly encrypted).


And how do you know this, did GGG tell you personally?



I have second-hand information (was shown through teamviewer) that GGG's servers have been compromised in the past, both the game server and database server with the login information. There's a lot that GGG is not telling us, and continuing to take this stance that if someone accesses our account that the losses are our problem is just not fair when they cannot even keep their own servers secure.


I'd like to see evidence of this, otherwise I'm calling BS.

PS: Oh yeah and *lol* at the guy claiming to brute force a 14 digit PW with lower and upper case letters and numbers in 40 minutes.

Last edited by Boroness#5081 on Mar 6, 2013, 12:28:23 AM
I received an automated e-mail earlier stating that someone logged in to my account a few hours ago, but I didn't seem to have lost anything important apart from my ranger losing all the loot in her inventory (but not her equipment with all the gems, oddly enough). Still, I'm having doubts about this. I feel it's partly my fault because I used my old password from another account I made 5 years ago, but on the other hand, I have no idea how a compromised database on a completely unrelated site (last.fm) would affect my security in this game.

Can someone tell me how these hacking networks work? Is there a real system that consolidates all passwords from obscure forums that somehow gets sent to hacking communities? Say, I were to use a user/password combination in some obscure BDSM fetish site (just an example to show how absurd it is, of course); How the hell would hackers know that I play PoE as well? I didn't even use the same username...

I'm really speaking out of ignorance and am genuinely interested in how these networks work. Do phishing sites "sell" this information randomly?
Last edited by cerial13#5254 on Mar 6, 2013, 6:42:33 AM
cerial13 wrote:
Can someone tell me how these hacking networks work? Is there a real system that consolidates all passwords from obscure forums that somehow gets sent to hacking communities? Say, I were to use a user/password combination in some obscure BDSM fetish site (just an example to show how absurd it is, of course); How the hell would hackers know that I play PoE as well? I didn't even use the same username...

For one, you log in with e-mail/pass. Username isn't part of your auth.

As for how credentials get passed around after a db/site hack or large phishing incident, they're either freely available (if the original hack was done for fun or to shit on the security of some company) or sold in bulk.

Password re-use is easily the biggest modern security problem, since it only gets worse (surface area increases) as time goes on and is completely silent.
