Unfortunately, one of the ways these shops obtain items is by stealing them from other Path of Exile players. We have received several reports of people losing items, and we can see from our logs that these end up on accounts (generally accessed by Chinese IPs) that are used to supply RMT item sites.
After several days of painstakingly investigating these cases, we've identified quite a few ways that players are having their passwords stolen. I'd like to go through them one by one and explain how players can keep themselves safe and what we can do on our end to make these attacks more difficult.
I should stress that these problems are common to most online games and that they're problems that players can prevent with good internet security practices.
Phishing Sites
A phishing site is one that is set up to look just like pathofexile.com but instead sends your password to the attacker. We see people sending links to these sites in PMs or posting them on the forum (often disguised as legitimate-looking links). As soon as we discover these, we delete them. We are probably going to change the forum and PM system so that external links either carry heavy warnings or just don't work at all. To keep yourself safe from phishing links in the meantime, only enter your email/password on the official www.pathofexile.com site! You can tell it's the official one by going to the login page and checking two things: the address bar shows www.pathofexile.com, and your browser's lock icon says "Grinding Gear Games Limited" when you click it (i.e. it is connecting via SSL and has a certificate proving it is us). The lock alone is not enough, because a phishing site can have a perfectly valid certificate for its own look-alike domain; always check the domain name as well.
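The forum/PM change described above (warn on external links, neutralise disguised ones) can be sketched as a link filter run over post bodies. This is an added example, not Grinding Gear Games' forum code: the official host list, the `/leaving?url=` interstitial path and the sample post are assumptions constructed for illustration, and a production filter would sit behind a real HTML sanitiser rather than a regular expression.

```python
"""Classify and rewrite links in forum posts / PMs so that an external or
disguised link cannot silently send a player to a phishing site.

Added example (not Grinding Gear Games' code).  OFFICIAL_HOSTS and
LEAVING_PAGE are assumptions for illustration.
"""
import re
from urllib.parse import quote, urlsplit

# Assumption: only these hosts (and their subdomains) count as the official site.
OFFICIAL_HOSTS = {"pathofexile.com", "www.pathofexile.com"}
# Assumption: path of a hypothetical "you are leaving pathofexile.com" warning page.
LEAVING_PAGE = "/leaving?url="

ANCHOR_RE = re.compile(r'<a\s+[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def host_of(url):
    """Lower-case hostname of url, or None.  Bare 'host/path' strings, as seen
    in link text, are accepted too."""
    if "://" not in url:
        url = "http://" + url.strip()
    try:
        host = urlsplit(url).hostname
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    return host.lower() if host else None


def is_official(host):
    return host is not None and (host in OFFICIAL_HOSTS or host.endswith(".pathofexile.com"))


def classify(href, text):
    """Return 'official', 'disguised', 'lookalike' or 'external' for one anchor."""
    target = host_of(href)
    if is_official(target):
        return "official"
    shown = host_of(TAG_RE.sub("", text).strip())
    if is_official(shown):      # text says pathofexile.com, href goes elsewhere
        return "disguised"
    if target and "pathofexile" in target:
        return "lookalike"      # e.g. pathofexile-events.example
    return "external"


def scan(html):
    """List (href, classification) for every anchor in a post body."""
    return [(href, classify(href, text)) for href, text in ANCHOR_RE.findall(html)]


def rewrite(html):
    """Route every non-official link through the warning page; drop disguised ones."""
    def fix(match):
        href, text = match.group(1), match.group(2)
        kind = classify(href, text)
        if kind == "official":
            return match.group(0)
        if kind == "disguised":
            return "[link removed: its text did not match its destination]"
        return '<a href="%s%s">%s</a> (external link)' % (
            LEAVING_PAGE, quote(href, safe=""), text)
    return ANCHOR_RE.sub(fix, html)


# Constructed sample post: one disguised link, one official, one look-alike, one plain external.
SAMPLE_POST = (
    '<p>Free items! <a href="http://poe-giveaway.example/login">www.pathofexile.com/login</a>, '
    'see the <a href="https://www.pathofexile.com/forum">forum</a>, '
    '<a href="http://pathofexile-events.example/">events</a> and '
    '<a href="http://wiki.example/">wiki</a></p>'
)

if __name__ == "__main__":
    for href, kind in scan(SAMPLE_POST):
        print("%-10s %s" % (kind, href))
    print(rewrite(SAMPLE_POST))
```

The "disguised" case is the one the post warns about: the visible text is an official-looking URL while the `href` points somewhere else, so the filter removes the link entirely instead of merely warning.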
Malware in Cheat Programs
If you use a maphack tool (or any other cheat program), we will ban you. If we don't ban you first, your account will most likely be stolen anyway: every maphack we have investigated so far contains a keylogger. If you want to keep yourself safe, don't try to cheat.
Posting Config Files
Your password is stored in your Path of Exile configuration file. It is stored hashed rather than in plaintext, but at the moment that stored value is enough to log in, so anyone who gets hold of the file can use it just like your password. Do not post this file online or allow other people access to it. In the very near future we will change the login so that this information no longer allows other people to log into your account. If you want to be completely safe, untick the option that makes the game client save your password.
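To make the point concrete, here is an added example (not the Path of Exile client or server code) of why a "hashed" value in a config file is still a usable credential when the server accepts that same hash, beside one way of fixing it: the server keeps only a salted, memory-hard hash of the password, and what the client saves for "remember me" is an opaque random token that the server can revoke. The protocol, the `AccountStore` class, the scrypt parameters and the sample account are all assumptions made for illustration.

```python
"""Why a hash saved in the client config can act as the password itself, and a
server-side design in which a leaked config file can simply be revoked.

Added example, not Grinding Gear Games' code; the weak scheme is a stand-in
that reproduces the weakness described in the post.
"""
import hashlib
import hmac
import os
import secrets


# --- Weak: client stores H(password); server compares the same hash.
def weak_saved_credential(password):
    """What 'hashed, not plaintext' in a config file amounts to: a fixed value."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_server_login(stored_hash, presented_hash):
    """The server never sees the password, so the hash *is* the credential:
    anyone holding the config file can replay it, and a password change is the
    only way to invalidate it."""
    return hmac.compare_digest(stored_hash, presented_hash)


# --- Hardened: server stores a salted KDF output; client keeps a revocable token.
class AccountStore:
    def __init__(self):
        self.users = {}      # name -> (salt, scrypt(password, salt))
        self.sessions = {}   # sha256(token) -> name (hashes, so a DB leak is not a token leak)

    @staticmethod
    def _kdf(password, salt):
        # Memory-hard KDF; parameters are assumptions sized for an example (16 MiB).
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

    def register(self, name, password):
        salt = os.urandom(16)                 # unique per account
        self.users[name] = (salt, self._kdf(password, salt))

    def check_password(self, name, password):
        if name not in self.users:
            self._kdf(password, b"\x00" * 16)  # same cost for unknown names
            return False
        salt, expected = self.users[name]
        return hmac.compare_digest(self._kdf(password, salt), expected)

    def issue_token(self, name):
        """Opaque value for 'remember me'; it is not derived from the password."""
        token = secrets.token_urlsafe(32)
        self.sessions[hashlib.sha256(token.encode()).digest()] = name
        return token

    def login_with_token(self, token):
        return self.sessions.get(hashlib.sha256(token.encode()).digest())

    def revoke_all(self, name):
        """What a password change or 'log out everywhere' should do: every saved
        token, including one copied out of a leaked config file, stops working."""
        self.sessions = {k: v for k, v in self.sessions.items() if v != name}


def demo():
    """Constructed scenario: the player's config file leaks."""
    leaked = weak_saved_credential("hunter2")
    replay_works = weak_server_login(leaked, leaked)   # attacker needs nothing else

    store = AccountStore()
    store.register("exile", "hunter2")
    token = store.issue_token("exile")        # what the hardened client would save
    before = store.login_with_token(token)    # attacker with the file: works ...
    store.revoke_all("exile")                 # ... until the player resets the account
    after = store.login_with_token(token)
    return replay_works, before, after


if __name__ == "__main__":
    print(demo())
```

Note that neither scheme stops an attacker who is already holding the token from logging in before it is revoked; the gain is that revocation is possible without the player having to change the password everywhere, and that the server-side record cannot be replayed if the user database itself is stolen.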
Password Reuse
Don't use the same password that you use on other services. It's extremely common for fansites to be compromised, leaking a list of their users' email addresses and passwords, and attackers then try those same pairs on other sites. Many of them work on Path of Exile because people reuse passwords. Choose a new password! Make it long!
Already Compromised PC or Email Account
A decent percentage of users have computers that are already infected and part of a botnet, or email accounts that are already under an attacker's control. There's nothing we can do about this from our end. Please keep your computer clean and practice safe internet security.
Account Sharing
If you give someone your account details so that they can power-level your character, they'll probably steal your items. We ban people who accept real money for Path of Exile items and services, so it's also likely that your account will be banned if one of them has accessed it. Do not cheat!
In addition to the above steps, we're also planning to require email or cellphone verification when an account is accessed from an unfamiliar IP address. This will hopefully mean that even if your password is stolen, the attacker also needs access to your phone or email in order to log in.
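One way such a check can work, as an added example rather than a description of Grinding Gear Games' implementation: the server remembers which networks each account has logged in from, and a login from a network it has not seen before is held until the player enters a short-lived code sent by email or SMS. The network granularity (/24 for IPv4, /48 for IPv6), the six-digit code, the ten-minute expiry and the five-attempt limit are assumptions chosen for the example; the addresses used in the demo are constructed documentation-range addresses.

```python
"""Step-up verification for logins from unfamiliar networks.

Added example, not Grinding Gear Games' code.  KNOWN_PREFIX, CODE_TTL and
MAX_ATTEMPTS are assumptions.
"""
import hashlib
import hmac
import ipaddress
import secrets
import time

KNOWN_PREFIX = {4: 24, 6: 48}   # assumption: addresses in this prefix are "the same network"
CODE_TTL = 600                  # assumption: seconds a verification code stays valid
MAX_ATTEMPTS = 5                # assumption: guesses allowed before the code is discarded


def network_of(ip):
    """Collapse an address to the prefix we treat as one network."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network("%s/%d" % (addr, KNOWN_PREFIX[addr.version]), strict=False)


class LoginGuard:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.known = {}         # account -> set of networks it has verified from
        self.pending = {}       # account -> (code hash, expiry, attempts, network)

    @staticmethod
    def _h(code):
        return hashlib.sha256(code.encode()).digest()

    def begin_login(self, account, ip):
        """Called after the password check passed.  Returns ('ok', None) when the
        network is familiar; otherwise ('verify', code) and the login stays pending.
        In practice the code is sent to the player's email/phone, not returned."""
        net = network_of(ip)
        if net in self.known.setdefault(account, set()):
            return "ok", None
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.pending[account] = (self._h(code), self.now() + CODE_TTL, 0, net)
        return "verify", code

    def finish_login(self, account, code):
        """Check the code; on success remember the network so the next login is silent."""
        entry = self.pending.get(account)
        if entry is None:
            return False
        code_hash, expiry, attempts, net = entry
        if self.now() > expiry or attempts >= MAX_ATTEMPTS:
            del self.pending[account]          # expired or brute-forced: start over
            return False
        if not hmac.compare_digest(self._h(code), code_hash):
            self.pending[account] = (code_hash, expiry, attempts + 1, net)
            return False
        del self.pending[account]
        self.known[account].add(net)
        return True


if __name__ == "__main__":
    guard = LoginGuard()
    status, code = guard.begin_login("exile", "203.0.113.10")   # first login ever
    print(status)                                                # verify
    print(guard.finish_login("exile", code))                     # True
    print(guard.begin_login("exile", "203.0.113.77"))            # ('ok', None): same /24
    print(guard.begin_login("exile", "198.51.100.5")[0])         # verify: new network
```

A stolen password alone now gets an attacker from a new network only as far as the pending state; without the code the login never completes, and the attempt limit keeps a six-digit code from being guessed.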
Unfortunately, we cannot restore any items lost to theft. One of the most important things about Path of Exile is its online economy, and if we performed restorations on demand then the economy would be flooded with duplicated items. We've seen this in other games (where the game companies restore compromised items and create a massive economic problem in the game).
If someone compromises your account and deletes your characters, we're currently unable to restore them. We are working on changing the game so that deletions are "soft" rather than "hard", which will allow us to restore deleted characters easily. If the character's items were stolen before it was deleted, however, the restored character will be empty. This feature will be available in the future but is not ready yet!
I am very sorry that our policy is no help if you've lost items or characters. I sincerely wish that I could restore them for you, but to do so would undermine one of the most important aspects of the game. If you have been compromised, I strongly suggest:
- First, make sure your computer is malware free. A reformat would be the best bet. If you follow the steps below but still have malware, the attacker will just take your new password again.
- Make sure that your email account is secure. Change its password! Set up two-factor (e.g. cellphone) authentication with your email provider. If the email is not secure, the attacker can still reset your password and steal your account.
- Set a Path of Exile password that is different from any other password you have used before. Make it long and complex.
- Don't enter your password anywhere except the official site and the game client. Make sure the address bar shows www.pathofexile.com and that the site says "Grinding Gear Games Limited" when you click the lock icon next to the address.
- Don’t download untrusted software or click untrusted links.
We take security very, very seriously. The website and game client both use secure encrypted sessions to handle logins. We don’t store credit card information on our servers. Passwords are stored hashed and salted. Even the backups of your data are encrypted so that thieves can't get anything if they steal the backups.
Please take steps to make sure your accounts are safe. It pains me greatly every time I read about lost items that we can't replace. With some development time on our end (as outlined above) and good security on the part of our users, your accounts will be much more secure and the item sales sites won't be able to steal players' items.