Note on accounts being hacked

"
Mouser#2899 wrote:
Or, now hear me out guys... , GGG could implement two factor authentication like it's the 21st century.


Yeah there’s really no excuse for this. Great game developer, but they need to hire some people who know what they’re doing when it comes to security.

And virtual auction houses.
I would hope there's a rate limit or other protections against brute forcing passwords.

The scope of the hacks seems small. Hopefully it's just a combo of reused passwords and lack of the account lock from new login location triggering and not malicious code in popular PoE 1 third party tools.
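The two posts above describe the server-side controls in question (rate limiting, a lock on logins from a new location) and the credential-reuse theory. As an added illustration, not code from the thread or from GGG, here is a small detector run over a constructed auth log (hypothetical format) that separates the two patterns: one account hammered with failures (brute force) versus one source trying many accounts once each (credential stuffing), and flags successful logins from a region the account has not used before.

```python
import re
from collections import defaultdict

# Constructed sample auth log (hypothetical format; not from any real system).
# 203.0.113.9 tries 25 accounts once each, with two successes: credential-stuffing pattern.
# exile_d receives 12 failures from 198.51.100.7: brute-force pattern.
SAMPLE_LOG = "\n".join(
    [f"2024-12-30T14:00:{i:02d}Z login account=exile_{i:03d} src=203.0.113.9 geo=RU result="
     + ("ok" if i in (3, 11) else "fail") for i in range(25)]
    + [f"2024-12-30T14:05:{i:02d}Z login account=exile_d src=198.51.100.7 geo=NZ result=fail"
       for i in range(12)]
    + ["2024-12-30T14:09:00Z login account=exile_e src=192.0.2.4 geo=NZ result=ok"]
)

# Regions each account has logged in from before (constructed baseline, e.g. from past successes).
KNOWN_GEO = {"exile_003": {"NZ"}, "exile_011": {"NZ", "AU"}, "exile_e": {"NZ"}}

LINE_RE = re.compile(r"login account=(\S+) src=(\S+) geo=(\S+) result=(\w+)")

def parse(log_text):
    """Return (account, src, geo, success) tuples for every parseable line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            acct, src, geo, res = m.groups()
            events.append((acct, src, geo, res == "ok"))
    return events

def detect(events, fail_limit=10, spray_limit=20, known_geo=KNOWN_GEO):
    """Flag brute-forced accounts, spraying sources, and successes from a new region."""
    fails_per_acct = defaultdict(int)   # per-account failure count (rate-limit signal)
    accts_per_src = defaultdict(set)    # distinct accounts touched per source
    new_location = []                   # successful logins outside the account's known regions
    for acct, src, geo, ok in events:
        accts_per_src[src].add(acct)
        if not ok:
            fails_per_acct[acct] += 1
        elif geo not in known_geo.get(acct, set()):
            new_location.append((acct, src, geo))
    return {
        "brute_force": sorted(a for a, n in fails_per_acct.items() if n >= fail_limit),
        "stuffing_sources": sorted(s for s, a in accts_per_src.items() if len(a) >= spray_limit),
        "new_location": new_location,
    }

if __name__ == "__main__":
    for name, hits in detect(parse(SAMPLE_LOG)).items():
        print(name, hits)
```

The brute-force signal is the one a per-account rate limit stops; the spraying source and the new-location logins are what a login-location lock or MFA step-up would catch, since each individual account sees only one or two attempts.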
if we had MFA

it would be exponentially harder for accounts to be popped


"
AintCare#6513 wrote:
"
"
Change your password now - make it unique(as in never used before). Go for 24+ characters.


"QW3TY@!2EA5" is not a password, it's a blaring 'kick me' advert.
Same goes for repeated-use and low entropy passwords.


ppl talking about high entropy pswrds like brute forcing is the common way of attack. really makes you think about OPs credentials here lol



At my work (cyber security almost 9 years) we have phased out passwords for the most part, it is a weak point in security

For PoE, I randomly generate a password with KeePass.

Changing the password every 30-45 days, while inconvenient, can also be useful. We gotta work with what we have to protect ourselves.
Multi-Demi Winner
Very Good Kisser
Alt-Art Alpha’s Howl Winner
Former Dominus Multiboxer
Last edited by Manocean#0852 on Dec 30, 2024, 3:16:17 PM
if they made a lil dongle with a chaos orb on it in a 3d design and charge $100 they would make a fucking killing

better yet- make a gizmo that has a socket for a soul core. to login you plug in the soul core and gizmo lights up in red aztec symbols
Last edited by AintCare#6513 on Dec 30, 2024, 4:21:33 PM
"
Mouser#2899 wrote:
Or, now hear me out guys... , GGG could implement two factor authentication like it's the 21st century.


ngl would be about time that after 11 years lol, the launcher could really need one.
Last edited by Afura#6483 on Dec 30, 2024, 4:19:25 PM
"
1. Change your password - make it unique(as in never used before). Go for 24+ characters.

2. Don't do RMT. Those responsible for this campaign are very likely RMT traders. Don't go to the websites, click on the links, talk to them, don't do any such thing.

3. Try to stay away from open-source software like trade macros and such for the time being, unless you know how to read the source code, check for vulnerabilities, or very much trust the dev.. This is not to accuse the devs of these apps of being malicious, nor to say they aren't, but these may not be safe.

4. Try to stay off of any PoE related third-party content sites for the time being. Including sites popular for build guides and such wikis.

these sites could be vulnerable to numerous exploits(XSS, CSRF, etc). Try to stay off of anything that could be leveraged against you in a Watering-Hole type of attack.

(You can use something like https://www.browserling.com which will give you a browser window in a virtual machine, so your machine is not exposed).

5. If you have been compromised, reset your browser to its default settings, removing any and all cookies and extensions. Delete any accounts or software you've made/installed before you were breached, go back to step 1.

----------

Hopefully this is just ppl being hacked b/c they are clicking on ads for RMT, or re-using/using weak passwds. Hopefully there was no data breach at GGG or anything.

The rest is up to GGG, they must implement modern security best practices as soon as possible.

Stay safe, Exiles.


I think we can all agree it is highly probable at this point the loss of control of account is likely to be RMT related. These sites prey on the people silly enough to think currency buying is needed. They want those orbs back and anything free is a bonus. Like it or not these folks are never gonna tell you the one thing they have in common and GGG would have already remedied the situation if it was on their end. Vacation or not!

Let this thread die and the punishment is fit.
You don't have to like my opinion, but it is mine and you can't change it!!
You can find me at youtube.com/@poe2boss
If you come at me raging and spewing hate for being nice and trying to help I will bring the troll from under the bridge!
"
MFQUANT#4363 wrote:
I think we can all agree it is highly probable at this point the loss of control of account is likely to be RMT related.


RMT traders thrive on repeat business.
"
Manocean#0852 wrote:
if we had MFA

it would be exponentially harder for accounts to be popped

At my work (cyber security almost 9 years) we have phased out passwords for the most part, it is a weak point in security

For PoE, I randomly generate a password with KeePass.

Changing the password every 30-45 days, while inconvenient, can also be useful. We gotta work with what we have to protect ourselves.


Change my mind about KeePass and those other tools. I've used passwords of my choosing since the 90s and updated them over time, but tools that make more complex unreadable passwords just seem like they'd be vulnerable for the same reason, one simple password you use to access the rest. Effectively just putting them all in one place. I feel like my brain is safer, and when a password gets leaked I can safely blame myself for not being careful on the sites I registered for.
"
"
Manocean#0852 wrote:
if we had MFA

it would be exponentially harder for accounts to be popped

At my work (cyber security almost 9 years) we have phased out passwords for the most part, it is a weak point in security

For PoE, I randomly generate a password with KeePass.

Changing the password every 30-45 days, while inconvenient, can also be useful. We gotta work with what we have to protect ourselves.


Change my mind about KeePass and those other tools. I've used passwords of my choosing since the 90s and updated them over time, but tools that make more complex unreadable passwords just seem like they'd be vulnerable for the same reason, one simple password you use to access the rest. Effectively just putting them all in one place. I feel like my brain is safer, and when a password gets leaked I can safely blame myself for not being careful on the sites I registered for.


KeePass is good. It is local and encrypted, so someone would need to be on your computer and know your password to get into it, there are other techniques but KeePassXC is even more secure against such techniques.
"
"
"
Manocean#0852 wrote:
if we had MFA

it would be exponentially harder for accounts to be popped

At my work (cyber security almost 9 years) we have phased out passwords for the most part, it is a weak point in security

For PoE, I randomly generate a password with KeePass.

Changing the password every 30-45 days, while inconvenient, can also be useful. We gotta work with what we have to protect ourselves.


Change my mind about KeePass and those other tools. I've used passwords of my choosing since the 90s and updated them over time, but tools that make more complex unreadable passwords just seem like they'd be vulnerable for the same reason, one simple password you use to access the rest. Effectively just putting them all in one place. I feel like my brain is safer, and when a password gets leaked I can safely blame myself for not being careful on the sites I registered for.


KeePass is good. It is local and encrypted, so someone would need to be on your computer and know your password to get into it, there are other techniques but KeePassXC is even more secure against such techniques.


who has the key? i wont believe their service doesn't have at least a copy of it, and that they don't keep track what you accessing. if they get compromised wouldn't that make everything of yours compromised too? even if the key is 100% local, dev back doors exist, exploits exist. if something happen to that service wouldn't you get locked out of everything you have there? the question here is, why would you do this if you can do the exact same yourself. having middle steps for security only generates vulnerabilities.
