PSA: Check Your PayPal — Found an Unauthorized Xsolla Charge on My PoE Account
" Yeah it's not an account hack thing, they just have your PayPal data and they can do whatever they want with it, simple as that. | |
" they don't have your paypal access, only POE, which in turn use Xosolla without any 2-factor to pay for purchase via paypal autopayment So that they can only purchase poe 2 and giveaway key, instead of just buy a lot of crypto This is the start of forum signature: I am not a GGG employee. About the username: Did you know Kowloon Gundam is made in Neo Hong Kong?
quote from the first page: "Please post one thread per issue, and check the forum for similar posts first" This is the end of forum signature |
|
|
According to GGG there is 2FA for PoE; to quote them from their email response to me:

"Two-factor authentication is enabled by default for Path of Exile accounts with email addresses associated with them in the form of the unlock code system. If anyone attempts to access the game from a new location using an email address and password they will need access to that email address to retrieve the verification code. Enabling two-factor authentication on that email address further enhances this security."

If that is true then it makes no sense that someone logged in to my PoE account to make a purchase without me getting any emails or needing to verify by a code. So the conclusion must be that there is an exploit on the Xsolla end of things; maybe if you have someone's PoE credentials you can use Xsolla to bypass all the PoE safeguards and make a purchase that way. No idea how they get the key after doing the purchase though, maybe that is also something you can get via Xsolla somehow. But if you unlink Xsolla from your PayPal and if they don't have your credit card details then it shouldn't be possible anymore.
" It's not "Someone", it is "Xsolla"! I'm not 100% sure about the key purchase thing, maybe with interests involved from the fraud payments they can get enough money for keys?, in that case they're basically scamming GGG, not us, since we either get our money back or our money's worth of in game coins. I could be wrong though, but atleast that makes sense to me. " Hopefully.. and that's a big, BIG "Hopefully". Worst case scenario you're already in their history and they can still make use of that, either PayPal cut ties with Xsolla or we're all still in danger lol. | |
|
Just happened to me guys.
Haven't even played PoE since January, so like a year ago. I've sent a PayPal screenshot, a GGG account payment screenshot and also a shot of this thread. $30 Xsolla transaction. This has really ruined my morning. I also don't feel like I can trust this company anymore with my payment information, which is a huge shame.
I also contacted Xsolla support to ask them to investigate the transaction. They are completely useless: they make you jump through hoops and then just say that a refund was issued. There is no understanding that there might be a breach on their side even after clearly explaining it, and seemingly no interest in investigating it.
So both GGG and Xsolla are pretending like nothing unusual is happening.
" It clearly POE account system issue. If hacker got access Xsolla directly, they won't just buy POE 2 key. Note that if you got Xsolla's refund, and in turn charge back GGG, you may still got a ban.... This is the start of forum signature: I am not a GGG employee. About the username: Did you know Kowloon Gundam is made in Neo Hong Kong?
quote from the first page: "Please post one thread per issue, and check the forum for similar posts first" This is the end of forum signature |
|
" Refund was provided by GGG as I already wrote and GGG does not recognize that there is any issue. Last edited by Rawnei#1506 on Dec 29, 2025, 7:48:16 AM
|
|
" like " " This is the start of forum signature: I am not a GGG employee. About the username: Did you know Kowloon Gundam is made in Neo Hong Kong?
quote from the first page: "Please post one thread per issue, and check the forum for similar posts first" This is the end of forum signature |
|
" Let me make things crystal clear for you then. - An unauthorized transaction happened on my account (and many others has the same thing happening as you can see in this thread) - A purhcase of PoE 2 Early Access for $30 was made with XSolla as payment provider via PayPal - XSolla email confirmation was in Chinese, downloaded account data from GGG confirms purhcase was made from Asia - When contacting GGG support about the unauthorized purchase they issued a refund - GGG support says that it "likely" happened because my account was compromised - At the same time let me quote what GGG support wrote to me regarding 2FA: "Two-factor authentication is enabled by default for Path of Exile accounts with email addresses associated with them in the form of the unlock code system. If anyone attempts to access the game from a new location using an email address and password they will need access to that email address to retrieve the verification code. Enabling two-factor authentication on that email address further enhances this security." 
- GGG thus is contradicting themselves, if my account was compromised how did a purchase happen without 2FA, because 2FA request never happened for the purchase, so either 2FA was circumvented or you can make purchases without activating 2FA, both are potential serious issues that should be addressed - GGG considers the matter resolved and don't seem all that concerned to investigate the issue further - Since XSolla was the payment provider I unlinked XSolla from my PayPal to minimize exposure and risk - I also contacted XSolla about this since it's a potential security issue somewhere, either at GGG or Xsolla - XSolla saw that the purhcase was refunded already, communicated that to me and don't seem interested to investigate further - So this has happened and still is happening to multiple people as we can see in this thread (not everyone will come here and write about their experience so there's probably more people affected that we don't know about) - Neither GGG or their payment provider seems that keen on investigating it further - This will most likely keep happening until whatever security hole is used is addressed If I was GGG I would at least make 100% sure that you can not make any purhcases without 2FA authentication, even if someone has my account name and password purhcases should not be possible without 2FA! Last edited by Rawnei#1506 on Dec 30, 2025, 9:18:55 AM