MY ACCOUNT GOT HACKED

Besharca wrote:
It's not a keylogger issue, it's a Java issue from what I understand.

It can be both.

The insecure version of Java on your machine allowed some site to hit you with a drive-by download that put in a keylogger.
Or more likely it just grabbed your hashed password out of the configuration file.

In general this sorta thing tends to happen if you're lax about updating your software.
Last edited by f3rret#1161 on Feb 21, 2013, 10:21:50 AM
Java issues aren't stand-alone. Java issues require you to access insecure sites and use the same password in them as the one you used in PoE. All I can tell you is that you should read up on hacking, Chris' post is a good place to start, and understand the common methods that hackers use to hack accounts. Then you'll realize that the word "hack" is being misused here, since PoE wasn't hacked, nor your PoE account; your password was hacked from a different location and then used to log into your PoE account without your permission. It doesn't matter whether it was indeed a Java issue regarding whichever compromised site you visited, a keylogger issue, botnet issue, etc., all these things are on your, the user's, end, not PoE's.

PoE's policy is very reasonable, despite the haters like deadpuppy here. They've explained the reasoning behind their policy on multiple occasions, and though it sucks to be a victim, of anything really, you need to accept responsibility for your own actions, regardless of whether you did it intentionally or because you lacked the necessary knowledge. The internet is a massive space that is also wide open and awfully insecure. It is up to you, the user, to take the necessary countermeasures to avoid this sort of situation.
Good thing I unticked the 'remember password' option.
reitaaaxD wrote:
Good thing I unticked the 'remember password' option.

Good thing you have no clue what you're talking about. As mentioned plenty of times by the devs themselves, it wasn't the PoE server (which stores the remembered passwords) that was compromised, it's your own hardware that was compromised. Therefore the "remember password" option has nothing to do with any of these hacks.
http://www.pathofexile.com/forum/view-thread/172532

Chris wrote:
A couple of weeks ago I posted here explaining the common ways that users are having their passwords compromised by attackers.

We're now seeing an increase in the rate at which the attackers are stripping these accounts of their valuable items. As soon as we had the realm stability issues sorted out, we started work on new account security measures that should make it difficult for attackers to use stolen passwords to access your accounts.

I want to be completely clear - our security has not been breached. If our database had been compromised, the accounts that attackers would target first would be the most wealthy players, the high profile streamers or the developers. Imagine how much it'd be worth to compromise my account? Kripparrian's? The top people on the ladder? These people have not lost their passwords. There has been a 0% rate of developer accounts being accessed by overseas IPs. The accounts that are being targeted are generally mid-low playing accounts, typically associated with the usage of hack software. We often have users write into support complaining about side effects of their maphacks, only to later report the same day that their items have been stolen. It is worth pointing out that these hack programs are bannable, and while we haven't yet done a banwave, the thousands of people who use them will lose their accounts due to it if they are still running them as we turn on our countermeasures.

I've spent massive amounts of time going through logs of IP usage and talking to people who have been compromised. In almost every case, it was due to violating one of the security practices we've outlined in the post I mentioned at the top of this one. Players have been using the same passwords on insecure community sites, running malware, clicking phishing links and have pre-compromised machines that are part of botnets. Now that the attackers who have these passwords have some degree of automation, they appear to be stripping accounts more quickly than before, resulting in a big increase in the reports of hacking. We are mass-banning IP addresses that are used for this theft, but due to the use of proxies, it's very hard to stop it in this way.

I'm not claiming that everyone that has lost items has run an illegal hack program. Many users have merely re-used passwords, had an insecure version of Java when browsing infected community sites, or accidentally clicked a bad link and logged into a fake version of our site. These are very easy mistakes to make unless you are extremely careful.

This situation is exactly why games have security systems in place to prevent people accessing accounts in this way. Path of Exile does not yet have such a system, but it will do very soon. We're a very small team of developers and have been working long hours for the last month to address these issues and other stability ones (that are now thankfully much better). Within a week we expect to launch the account security improvements, which would mean that even if you do have your password compromised, it's still hard for people to access your account. We may be able to deploy the first improvements that help with this in the next 48 hours.

People have asked us why we don't restore accounts when they are hacked. The reason is that the outcome of this would be far, far worse for the game. I understand it's hard to see that perspective when you're staring at an empty stash where your items were, but please consider what would happen to the economy if players could request their items to be restored due to theft. It would be very easy to fake an account theft - just ask a friend from elsewhere to log in and take your items before contacting support and asking for a restoration.

If our policy was to restore in a way that duplicated the items, this would be a free duplication method that people could easily use. If our policy was to take the items back from the attacker without duplicating them, then this would result in a free tradehack that anyone could use. In either case, the economy would be destroyed.

It's currently taking our staff the entire day just to process our existing volume of support requests. Not only would thoroughly investigating each claim take far too long, but the very fact we were doing it would encourage people to abuse it as hard as they can. For all of those reasons, it is not an option to restore items under any circumstances.

This whole situation is a lesson in why it is inadequate to assume that passwords are sufficient security. I am very, very sorry that we did not have better security measures to make stolen passwords useless when we entered Open Beta. Thankfully there are improvements to this coming very soon so that it won't be a problem in the future. I will work every evening and through the weekend to make sure that these fixes are deployed as soon as humanly possible. Although people will probably still lose their passwords, the attackers will hopefully not be able to actually get any items from it and then they'll stop bothering.

This is also a lesson in how many users are running infected software. Although we have an active community of over a million monthly users, we're seeing thousands and thousands of accounts running software that is known to be infected with keyloggers. Even if our security measures mean that this software doesn't result in your items being stolen, it will still result in your account being banned for trying to cheat.

If you're worried about having your items stolen and you have not run any strange software, just change your password, don't click weird links and don't use the same password on other sites. That's what I do and no one has hacked my account yet.
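Chris describes the planned measure as making a stolen password insufficient on its own, and mentions reviewing IP usage logs for out-of-region access. As an added illustration (not GGG's code and not drawn from this thread), here is a minimal login check in Python that treats an unfamiliar source country as a reason to demand a second verification step; the login rows, account names and country codes are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed login history (account, country of the login's source IP).
# Made-up sample rows, not real Path of Exile log data.
LOGIN_HISTORY = [
    ("alice", "NZ"), ("alice", "NZ"), ("alice", "NZ"),
    ("bob", "US"), ("bob", "US"), ("bob", "DE"), ("bob", "DE"),
    ("carol", "FR"),  # a single prior login is not yet an established baseline
]

def baseline_countries(history, min_logins=2):
    """Map each account to the countries it has logged in from at least
    min_logins times. One login does not establish a baseline, so a single
    login from a new place cannot quietly widen the trusted set."""
    counts = defaultdict(Counter)
    for account, country in history:
        counts[account][country] += 1
    return {acct: {c for c, n in cs.items() if n >= min_logins}
            for acct, cs in counts.items()}

def evaluate_login(history, account, country, min_logins=2):
    """Decision after the password itself has already checked out.

    'allow'   - country matches the account's established history.
    'step-up' - unfamiliar country (or no history at all): the password is not
                trusted on its own; require a second factor such as an e-mailed
                code before granting the session. A stolen password therefore
                does not by itself open the account."""
    known = baseline_countries(history, min_logins).get(account, set())
    return "allow" if country in known else "step-up"

def flag_anomalies(history, events, min_logins=2):
    """Batch review of new login events against the history: returns the
    (account, country) pairs that would have required step-up verification,
    i.e. the out-of-region logins a log review is looking for."""
    return [(acct, ctry) for acct, ctry in events
            if evaluate_login(history, acct, ctry, min_logins) == "step-up"]
```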

