Account Security and Theft Policy - READ THIS

I just got on 2pm AUST. Account cleared out of currency and 4L/5L items.

On Sunday I got a friend request from someone with only numbers in their name and I stupidly accepted it, and when I tried to remove him from my friends it wouldn't allow me. I checked just now and the friend is no longer on my list and all my shit is gone.
suggestion:

how about implementing an alert box that comes up on YOUR screen when someone tries to login while you're online?!?!?!

instead of just kicking us off the server when the hackers go to login like happened to me earlier without warning

and no, this isn't some map hack excuse that everybody is using to save face. I'd be willing to bet the huge majority of players that got hacked over the past few hours didn't look up, install, read about, or even think about any of those things being mentioned on the forums as reasons why we got our stuff stolen.

but yea, how about that alert box, denying access to the 2nd party trying to login when the account is already in use? makes sense right?
Wow, I took an hour break from farming and when I came back not only was 9 pages of stash cleared of anything that wasn't junk, all but 2 of my lower lvl chars were deleted.

It sucks because I really like this game but now I just can't bring myself to play.
My account has been compromised and I'd really like to find out how. Needless to say it is not for reasons listed in the OP. I use unique, strong, randomly generated passwords to access stuff online. These are protected by multifactor authentication. I browse the web in a sandbox, but don't click dodgy links anyway. I make good use of disposable email addresses. I'm paranoid and security savvy.

So, the issue remains: how did my account get compromised? This is of great concern to me and should be to GGG.
You actually think GGG cares? Have you ever seen a company respond so lightly to hacking? They don't even try to help us, as it has been proved by their support.

You've been hacked? You get nothing back, even though we can easily roll everything back to the save in our database from a few days ago when you weren't hacked.

Also, to those that actually bought something: everything leaves a paper trail. I'd go ahead and change my PIN/password to my accounts if I were you.
IGN = Zalmoxis
Shop = 529687
Logged on for the first time in about a week: stash is cleared of currency, everything else untouched. Really kills my drive to play, and that's a shame because I liked the game despite pretty major desync issues.

Guess I'll go play Minecraft instead until they add 2 factor authentication or something.
Hi, here is my advice for account security:

- No 3rd-party software of any kind
- Disable Java in your browser and maybe other add-ons (Adobe, ...)
- Close all browser windows
- Don't use "save password" in PoE // delete the hash out of the .ini
- Don't type the password; there is one other possibility to do it (takes long but efficient) // clear cache after
- Don't let the browser save your password
- Use a unique password
- Use a good antivirus; for example "Spybot Search & Destroy" makes your PC immune to most backdoors and trojans. Search your PC every week.
- Never go on game-related sites; even high-traffic game sites can take your password away, for example with advertisements. This includes build links ... any game-related links of any kind
- Never use things like PoE helper
- Keep Windows up to date
- Don't accept (curiously) stranger friend requests; it's an indication that your account data is already compromised // change pass + scan + clear all caches


Example of how they get your password/hash with Java:

You search on Google "PoE builds" > You click the first link (big site) > Site is loading >
* > Account data gone > You search your PC with antivirus software > no result

* (not stored password) temporary keylogger > You log in


Stolen accounts (passwords/hash) are sold on the "black market"; customers buy them in big packets (hack waves).
What you can do for your account security http://www.pathofexile.com/forum/view-thread/115464/page/7 see my post
Last edited by kappikarpfen on Feb 18, 2013, 2:29:15 PM
I just got hacked too. All my gear is gone. Everything. It would seem like something happened today as there has been an exceptional number of people being hacked.
Last edited by ekwk1983 on Feb 18, 2013, 11:07:29 AM
"
Raelys wrote:
suggestion:

how about implementing an alert box that comes up on YOUR screen when someone tries to login while you're online?!?!?!


The problem with that solution is that in case you lose connection to the server while playing, the game might think you are still logged in and therefore deny your attempt to login again.


Besides that:

I think that GGG is doing a good job protecting our data by encrypting all sensitive information.
Making sure that the system is safe as long as the players make sure that no one besides them knows their password is about everything you can expect from them, and from what is stated in the OP they are doing all they can in that regard.
If they were saving our passwords in plain text and let some hacker steal their database (which is exactly what I had to experience in a game run by a much bigger company), there would be reason to blame them, but if the account thefts originate outside of their control (i.e. because of something the players did), it simply isn't their fault.

On the policy of not restoring stolen items:
While it may be possible to give every single item a unique id in order to move it back to their original owners in case of an account theft, this would use up additional capacities that currently can instead be used in ways that benefit all players and not just the ones who managed to get their accounts stolen. In other words: The majority of players would suffer from measures that protect those who don't pay enough attention to keeping their accounts safe...

Another problem with the concept of moving items back to their original owners is that by the time this would happen, the item might already be in possession of someone who obtained it through a completely legitimate trade. An example:
Player 1 gets his account stolen by a hacker.
Player 2 buys the stolen goods from said hacker.
Player 3 buys the stolen goods via ingame trade from Player 2, unaware that they originally were obtained illegally.

If now the stolen goods were moved back from Player 3 to Player 1, Player 3 would be punished without having done anything wrong, while Player 1, who most likely lost his stuff in the first place because he failed to do all he could to keep his account safe, would be compensated for his loss.

In the end the only one who would suffer from that whole incident would be a person that never did anything wrong.

I don't see any justice in that outcome!

The current system, on the contrary, gives everyone the possibility to make sure to not lose anything by taking appropriate security measures.

Of course you can also decide to avoid the effort it takes to ensure your safety but then you will have to do that at your own risk.
I am not being sarcastic here: If following all the guidelines mentioned in the OP sounds like too much work for you, feel free not to do it. If you just try to stay away from phishing sites and have an AV on your system, your chances of not losing your account are quite good. Just remember that you are taking a risk and be prepared to live with your loss in case you run out of luck. ;)


To everyone who got hacked and wants to make sure that his system is safe again:

The only way to be sure that your system is safe is to completely wipe everything(!) off your hard drive and perform a fresh install from scratch!

Just doing a virus scan will do the job as well in most cases but there is no guarantee that your system is infected in a way that prevents AV software from finding it.

If you still decide not to do a complete reinstall, you might consider getting a bootable CD/DVD with Linux and an up to date virus scanner to do the scan from outside of the infected system.


Another piece of advice for everyone:

Always make sure that your browser plugins, especially Java and Flash, are up to date. Those plugins often contain security holes that allow websites to gain control over your system without you doing anything wrong at all (besides opening an infected site, which can even be a completely legitimate one that happens to include an ad with malicious code).

By always keeping your software up to date, you can protect yourself from most of those exploits, except for the most recent ones that have just been found and are not closed yet.

Also using an ad blocker might be a good idea. While this is not so good for the websites you are using (if you block their ads, they get no money), it prevents you from a lot of the above mentioned exploits because often hackers hide their malicious code in ads that can show up on sites that actually are safe themselves.
If you want to support a website that you consider safe and that uses an ad provider that you consider safe as well, you can always exclude those sites from your filter. :)
Got my chars deleted 2 days ago and stash cleared. Surprise, surprise, GGG doesn't care. OK, I was thinking at first that it was totally my fault, so I checked my computer with 2 different virus scans and 2 malware tools and nothing... Then I noticed I had clicked the remember pw button. I started wondering where this game saves it and what form it is in... I didn't have to look long before I found the config file production_config.ini ... Bingo... there is a line hashed_password= and 2 lines later was my email... My friend and I tested it: I sent the hashed_password=XXXXXXXXXX line to my friend's machine and he put it into his ini, and my email too, and voilà, he was logged in to my account... It's not hard to even make a data-miner cookie that checks a specific place like the "my documents/my games/path of exile" dir and just picks the 2 lines needed to steal the account...

I played my main char to lvl 70 and GGG can't restore it because of game policy. I'm quite happy I only used 20 dollars to buy extra stash space and only spent 2 weeks of my time on this game, and not more... Enjoy my 20 dollars because you won't get anything else from me... I'm out!
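
Added example, not written by any poster in this thread or by GGG: the post above reports that the `hashed_password=` line saved in production_config.ini by "remember password" was enough, together with the email, to log in from another machine, and an earlier post advises deleting the hash from the .ini. This Python sketch finds and blanks that stored value; only the key name and file name come from the thread, while the file layout, the encoding handling and the sample contents are assumptions.

```python
import re
from pathlib import Path

# Key name comes from the post above; the rest of the file layout is assumed.
CRED_LINE = re.compile(r"^\s*hashed_password\s*=\s*(\S.*)$", re.IGNORECASE)

# Constructed sample: section name, second key and value are placeholders.
SAMPLE = "[LOGIN]\r\nhashed_password=PLACEHOLDER-NOT-A-REAL-HASH\r\nremember=true\r\n"


def find_stored_credential(text):
    """Return 1-based numbers of lines holding a non-empty hashed_password."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if CRED_LINE.match(line)]


def scrub(text):
    """Blank every hashed_password value; leave all other lines unchanged."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        if CRED_LINE.match(body):
            # Keep the key and the original line ending, drop the value.
            line = body.split("=", 1)[0] + "=" + line[len(body):]
        out.append(line)
    return "".join(out)


def scrub_file(path):
    """Scrub a config file in place; return how many values were blanked."""
    p = Path(path)
    raw = p.read_bytes()
    # Assumption: the file is UTF-16 with a BOM, or plain UTF-8.
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    text = raw.decode(enc)
    hits = find_stored_credential(text)
    if hits:
        p.write_bytes(scrub(text).encode(enc))
    return len(hits)


if __name__ == "__main__":
    print("credential lines:", find_stored_credential(SAMPLE))
    print(scrub(SAMPLE))
```

Because the stored value works as a login credential on its own, blanking it does not undo an exposure that already happened; the account password still has to be changed.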
