Account Security and Theft Policy - READ THIS

"
yka01 wrote:
It's not hard to even make a dataminer cookie that checks a specific place like "my documents/my games/path of exile" dir and just picks those 2 lines needed to steal the account...


You're right, it's not hard to make a cookie do that, it's impossible.

Though you might be right saying that it's easy to steal your account, once someone gets hold of your config file with the hashed password (as stated in the OP), it's actually not as simple to do the latter as you think.

The obvious conclusion is that there is either another vulnerability in your system that you don't know about or you unknowingly gave your password to the hacker in another way...
I've met many jerks in game trying to steal my account. I warn people not to share any type of stuff with people or at least not the one you fully trust. I know it's common sense but some people actually give out info and such. I've seen it happen.
http://www.twitter.com/SiSileLOL
Ex Professional DotA player playing League Of Legends!
"
kappikarpfen wrote:
Hi, here is my advice for account security:

- No 3rd-party software of any kind
- Disable Java in your browser and maybe other add-ons (Adobe,...)
- Close all browser windows
- Don't use "save password" in PoE // delete the hash out of the .ini
- Don't type the password; there is one other possibility to do it (takes long but efficient) // clear cache after
- Don't let the browser save your password
- Use a unique password
- Use a good antivirus, for example "spybot search&destroy" makes your PC immune to most backdoors and trojans. Scan your PC every week.
- Never go on game-related sites; even high-traffic game sites can take your password away, for example with advertisements. This includes build links ... any game-related links of any kind
- Never use things like PoE helper
- Keep Windows up to date
- Don't accept (curiously) stranger friend requests, it's an indication that your account data is already compromised // change pass+scan+clear all caches


Example how they get your Password/Hash with Java:

You search on Google "PoE builds" > You click first link (big site) > Site is loading >
* > Account data gone > You search your PC with antivirus software > no result

* (not stored password) temporary keylogger > You log in


Stolen accounts (Passwords/Hash) are sold on the "black market", customers buy them in big packets (Hack waves).


As I have said before in other posts on the subject I use randomly generated, unique strong passwords. They are stored in a crypt (that is not even on my PC) protected by multifactor authentication. I don't even know what my password for PoE is. I use a sandboxed browser.

I'd like to see GGG require re-authentication when a user logs in from a new location. In some ways it's better than multifactor as it can be implemented unilaterally and does not require buy-in from the user.
I got hacked and got my stash and char decently cleared. Totally my fault as I had my PW set to one I use on sites I just randomly sign up to. I usually never do this but when I signed up for PoE I didn't know what it was so I used my trash PW and haven't bothered changing it.

The people who hacked me got some humor though, they replaced a 14% Quality lvl 1 gem I had with the same gem but no quality and lvl 2 in the exact same spot in my stash. They also put random stacks of Portal scrolls in different tabs in my stash.

Luckily I didn't lose my character and only lost 3 skill gems for skills I didn't really use in my ES shield. All in all I lost quite a bit of orbs and some of the better ES gear I had. I laugh about it :p.
"
ldthope wrote:
I got hacked and got my stash and char decently cleared. Totally my fault as I had my PW set to one I use on sites I just randomly sign up to. I usually never do this but when I signed up for PoE I didn't know what it was so I used my trash PW and haven't bothered changing it.


After reading your post, I decided to change my password now. I also had used my trash password because I didn't know yet how much I like this game... ^^

Besides that, I'm glad you still got your characters, would have been a pity if you lost those as well! :)
Got hacked too.. same exact thing happened to me, my char and gear are still in there. Only my orbs, some gems and gear are lost...
"
malvar wrote:
"
ldthope wrote:
I got hacked and got my stash and char decently cleared. Totally my fault as I had my PW set to one I use on sites I just randomly sign up to. I usually never do this but when I signed up for PoE I didn't know what it was so I used my trash PW and haven't bothered changing it.


After reading your post, I decided to change my password now. I also had used my trash password because I didn't know yet how much I like this game... ^^

Besides that, I'm glad you still got your characters, would have been a pity if you lost those as well! :)


Good that my tragic laziness can inspire others to find energy to do things! :p And yes I am glad my characters are still there, if they were lost I would most likely have quit.
Lovely how everyone blames the players that were affected without knowing anything.

So the points I heard were to not use my real account for both the game and this website...WTF? So it isn't safe enough to use my GGG account on GGG's website? = not my problem, they have a security issue

Another is malware, etc, etc. Gamed long enough, moderated games, etc etc. I know what happens, and the PoE-related sites that I went to were poeex and poe.xyz.is, WHICH Krips went to as well, therefore either a larger amount of people including Krip should be hacked or going to be as well if that is to blame - if so, then I will take fault in losing my stuff, BUT that has not been the case.

It's stupid blaming the players and calling them idiots for losing their account because you have an ASSUMPTION they did something to lose their account, which is generally a problem; however, the account hack issue was all within a few hours. So it was a one night, hack sweep.
Guild Wars 2 had account hacking issues like crazy when they began. Was it the players' fault they were getting hacked? Even MMOBomb (a game review site that's quite well known) had an account hacked, when you're pretty sure they know what they're doing.

I haven't used any other PoE-related or phishing-like sites besides those 2 PoE ones, and haven't used 3rd party programs, first time hearing about that map thingy.

The only thing I did before I logged off for 3 hours was do a trade for Anger, and the only fishy thing I saw in-game was a guy with 11249083 or w.e. who added me as a friend. I accepted, thinking it was a person that wanted to trade with me, and if that was the cause... #'s or not, they can make another name and do it again >.>

If GGG isn't saying that anything is wrong on their side, then only 2 things are happening. 1. They are keeping it quiet and letting it wash over. 2. There is an in-game bug/glitch/hack way or w.e. that allows them to access something.

Last edited by cocoluva3 on Feb 19, 2013, 11:21:28 AM
Recently happened to me as well--last night. I don't have any malware (Just checked) but my password was stored on the splash screen. I got some random friend requests last night before I logged out, but I declined them.

Anyway, changing password and no longer storing it--hopefully that works.

They took my currency, but didn't kill my HC character, so it's not a total loss, I suppose. And some 5l stuff.

The only PoE related sites I visit are this one and --link removed--.

The only game sites I visit are mmo-champion and wowhead.

Changed everything, hopefully it won't happen again.
Last edited by ionface on May 21, 2013, 4:04:47 AM
"
qiy wrote:
Recently happened to me as well--last night. I don't have any malware (Just checked) but my password was stored on the splash screen. I got some random friend requests last night before I logged out, but I declined them.

Anyway, changing password and no longer storing it--hopefully that works.

They took my currency, but didn't kill my HC character, so it's not a total loss, I suppose. And some 5l stuff.

The only PoE related sites I visit are this one and PoEex.info.

The only game sites I visit are mmo-champion and wowhead.

Changed everything, hopefully it won't happen again.


The password being stored on the splash screen doesn't matter because of how they encrypt to the servers, and it's only a hash of your password, not the actual password, that is saved.
