We've deployed the 0.10.1d patch which adds several security features. Many users have been arriving at Path of Exile pre-compromised because their usernames/passwords are on giant lists that are leaked from other games or websites in the past. The changes in today's patch will mean that people from remote locations can not log into your account even if they have the password. We're planning to add plenty more security features so that users can opt to make it harsher (limiting it to a specific IP rather than city) or even disable it if they have confidence they can keep their password safe. Please choose unique passwords for Path of Exile that are not the same as passwords you have used for other services. Read on for more explanation about our security policies.
Because the stolen items were being sold by RMT sites, these changes help constrain their supply of items. We're continuing the aggressive bans on their IPs, mule accounts and spam accounts.
The first security feature introduced today is that saved passwords only work from the IP that they were saved on. Some users have commented that they want the saved passwords to work from any IP, so we're considering allowing that as an option if the user wants to risk their account for this convenience.
The second feature is a much more important one - accounts become locked if someone logs into them from a different city. An unlock code, which is sent to the account's registered email address, is required to unlock the account. If you get this email when you haven't logged in from a remote location then you should change your password immediately and investigate how someone learned your password (scan for malware, etc).
Users have commented that they'd like to change "city" to "country" or "exact IP". We'll see what we can do about adding these as options in the near future. We wanted to get the feature in so that users are protected as soon as possible, which is why we picked "city".
Some games have a policy of restoring the items on an account if the user lost their password and someone else took the items. We can't do this because either of the two policies would be devastating to Path of Exile:
a) If we restore the items in a way that duplicates them then users are able to arbitrarily copy their items by presenting a plausible looking case to our support department. This is actively abused in other games and their playerbases know that they can duplicate items at will through customer support.
b) If we restore the items, removing them from the people who got them, then users are able to tradehack each other by performing trades and then requesting that support restore their items. This would undermine the entire trust in the trade community because items could vanish at any time after you receive them in trade.
As you can see, both of these options are completely unacceptable. If we perform restorations then the incentive to report fake compromises is even higher. If users know that other people are having success at duplicating or tradehacking items by claiming they were hacked, then the amount of fake claims would skyrocket. We're already seeing very suspicious claims and that's with our existing no-restoration policies.
We're a small company and only have 8 customer support staff at the moment. To handle even 1% of our customer base claiming fraudulent compromises that need to be sufficiently investigated would take hundreds of support staff.
The policy of no restoration for password loss is there because:
a) All the restoration options destroy the game by letting users duplicate or tradehack items through fake claims.
b) It's completely impossible to sufficiently investigate such claims, especially if users were incentivised to make them. It's very easy to use proxies to make a fake claim look exactly like a real theft.
c) The password losses are due to users losing their passwords. The most common reason is they used the same password with another game or service. We can help with this by adding security measures like the ones added today. We cannot take responsibility for your own password security.
I'd really love to be able to help users who have lost all their items and hard work, but I just can't see a plausible solution that doesn't have the absolutely devastating consequences that restoration does. It's a really tough situation to be in, but the plan of improving user password protection and keeping the game economy intact is the only future we can allow Path of Exile to have.
I am very sorry that we didn't have account lockout features earlier. We got them in as quickly as we could and it required a lot of late nights. We plan to devote substantial effort in the future to more features that help keep users safe even if their passwords are already compromised.
Thankfully, things on the security front look great now that the location locking is in place. This will both help attack RMT and also keep your items safe from intruders. Thanks again for your patience and I look forward to seeing you in-game.
