Hacked Accounts

A couple of weeks ago I posted here explaining the common ways that users are having their passwords compromised by attackers.

We're now seeing an increase in the rate at which the attackers are stripping these accounts of their valuable items. As soon as we had the realm stability issues sorted out, we started work on new account security measures that should make it difficult for attackers to use stolen passwords to access your accounts.

I want to be completely clear - our security has not been breached. If our database had been compromised, the accounts that attackers would target first would be the most wealthy players, the high profile streamers or the developers. Imagine how much it'd be worth to compromise my account? Kripparrian's? The top people on the ladder? These people have not lost their passwords. There has been a 0% rate of developer accounts being accessed by overseas IPs. The accounts that are being targeted are generally mid-low playing accounts, typically associated with the usage of hack software. We often have users write into support complaining about side effects of their maphacks, only to later report the same day that their items have been stolen. It is worth pointing out that these hack programs are bannable, and while we haven't yet done a banwave, the thousands of people who use them will lose their accounts due to it if they are still running them as we turn on our countermeasures.

I've spent massive amounts of time going through logs of IP usage and talking to people who have been compromised. In almost every case, it was due to violating one of the security practices we've outlined in the post I mentioned at the top of this one. Players have been using the same passwords on insecure community sites, running malware, clicking phishing links and have pre-compromised machines that are part of botnets. Now that the attackers who have these passwords have some degree of automation, they appear to be stripping accounts more quickly than before, resulting in a big increase in the reports of hacking. We are mass-banning IP addresses that are used for this theft, but due to the use proxies, it's very hard to stop it in this way.

I'm not claiming that everyone that has lost items has run an illegal hack program. Many users have merely re-used passwords, had an insecure version of Java when browsing infected community sites, or accidentally clicked a bad link and logged into a fake version of our site. These are very easy mistakes to make unless you are extremely careful.

This situation is exactly why games have security systems in place to prevent people accessing accounts in this way. Path of Exile does not yet have such a system, but it will do very soon. We're a very small team of developers and have been working long hours for the last month to address these issues and other stability ones (that are now thankfully much better). Within a week we expect to launch the account security improvements which would mean that even if you do have your password compromised, it's still hard for people to access your account. We may be able to deploy the first improvements that help with in the next 48 hours.

People have asked us why we don't restore accounts when they are hacked. The reason is that the outcome of this would be far, far worse for the game. I understand it's hard to see that perspective when you're staring at an empty stash where your items were, but please consider what would happen to the economy if players could request their items to be restored due to theft. It would be very easy to fake an account theft - just ask a friend from elsewhere to log in and take your items before contacting support and asking for a restoration.

If our policy was to restore in a way that duplicated the items, this would be a free duplication method that people could easily use. If our policy was to take the items back from the attacker without duplicating them, then this would result in a free tradehack that anyone could use. In either case, the economy would be destroyed.

It's currently taking our staff the entire day just to process our existing volume of support requests. Not only would thoroughly investigating each claim take far too long, but the very fact we were doing it would encourage people to abuse it as hard as they can. For all of those reasons, it is not an option to restore items under any circumstances.

This whole situation is a lesson in why it is inadequate to assume that passwords are sufficient security. I am very, very sorry that we did not have better security measures to make stolen passwords useless when we entered Open Beta. Thankfully there are improvements to this coming very soon so that it won't be a problem in the future. I will work every evening and through the weekend to make sure that these fixes are deployed as soon as humanly possible. Although people will probably still lose their passwords, the attackers will hopefully not be able to actually get any items from it and then they'll stop bothering.

This is also a lesson in how many users are running infected software. Although we have an active community of over a million monthly users, we're seeing thousands and thousands of accounts running software that is known to be infected with keyloggers. Even if our security measures mean that this software doesn't result in your items being stolen, it will still result in your account being banned for trying to cheat.

If you're worried about having your items stolen and you have not run any strange software, just change your password, don't click weird links and don't use the same password on other sites. That's what I do and no one has hacked my account yet.
Lead Developer. Follow us on: Twitter | YouTube | Facebook | Contact Support if you need help!
newmaps
Last edited by Michael_GGG on September 3, 2013 4:33 AM
"
Chris wrote:
I'm not claiming that everyone that has lost items has run an illegal hack program. Many users have merely re-used passwords, had an insecure version of Java when browsing infected community sites, or accidentally clicked a bad link and logged into a fake version of our site. These are very easy mistakes to make unless you are extremely careful.


Thanks for the update, Chris. I've had several people approach me about being hit and I didn't want to assume they were all engaging in nefarious practices. Naturally that was never the accusation but it was a strong option.

I changed my password today and unchecked the save password feature, finally (I am so lazy). Although I figure most thieves would take one look at my stash and curse themselves for wasting the time, it can't hurt to be a little more secure. :)



Defunct account. The Kiwisignal no longer means anything. I only use this account to update the Avatar Gallery.

Contact me at CharanJaydemyr.
(Stickying this for now.)
If you were helped, please pay it forward.
"Fun" is not a winner-takes-all game.

"[1.3.0] Too Many Clones! -- PvE Templar Archer Summoner": /view-thread/1127263
Thanks for taking this issue seriously and for admitting the short-comings in the current system. Hopefully this will silence some of the complainers.
Until Open Beta hit and PoE gained popularity over night, the extra security issues were not needed in CB. So live and learn, adapt to the needs.

Thanks for rolling out extra measures to protect people so quickly, sorry that it is taking your precious time to do it but it is apparently needed badly.
"the true way to a man's heart is six inches of metal between his ribs. Sometimes four inches will do the job, but to be really sure, I like to have six.”
― Laurell K. Hamilton, Narcissus in Chains

Contact support@grindinggear.com to report issues relating to the game or forum. Thanks!
Great post, really sheds some light onto the situation.
Thank you Chris and thank you to the rest of the GGG team for being so committed!
"Tangata ako ana i te whare, te turanga ki te marae, tau ana"
"
Completed 1 Challengesewerside wrote:
Great post, really sheds some light onto the situation.
Thank you Chris and thank you to the rest of the GGG team for being so committed!


This.
Paranoia just made me change my PW, too. ;)
No problems....yet, think i will change my pass regardless though.

I've been posting about java plugins for your browser being compromised in many of the "hacked" posts but it's good to see that you mention it...very easy to disable it
The spirit is weak

It's only when a mosquito lands on your testicles that you realize there is always a way to solve problems without violence.

Another thing to consider is that attackers can purchase bulk lists of leaked passwords from various services that have been hacked before. It'd make sense for them to go through those lists of email/password combinations to see which ones correspond to valid Path of Exile accounts.

True story time:
One day last year, I was playing Diablo 3 and I got kicked off my account because someone logged into it. I logged back in and changed the password, interrupting the theft of whatever bad items my D3 character had. I knew that I had never run any malware or clicked any bad links, but yet they had my password. After a lot of investigation, I worked out that it was the same password I used for my bitcoin account at Mtgox. Their entire site had been hacked the year before, revealing all the passwords. I managed to find the mtgox leaked password list, and sure enough, mine was on it. I obviously changed all my passwords in response to this and there were never any other problems. This is exactly the type of situation that could have occurred for many Path of Exile users who have been good about not installing hacks or clicking bad links. The account security measures we're adding soon will stop attacks like this.
Lead Developer. Follow us on: Twitter | YouTube | Facebook | Contact Support if you need help!
newmaps
Last edited by Chris on February 20, 2013 12:59 PM
So when are you refunding me? I find it really funny that no one has directly contacted me yet I'm one of the only posters that make any legitimate post. Basically what I'm saying is you don't care, you say sorry blah blah blah but it means nothing to you.

The duplicate items issue you bring up is a poor poor poor poor excuse for treating paying customers this way. This will not crash the games eco system and never has in any game. D3, eco doesn't suck because blizzard allows roll backs. WoW eco system is not wacked out because blizzard replaces hacked items. these are the only 2 games I have experience in playing when it comes to hacked items so it'a all I can use.

Easy enough to check, if it took a few days for you to check everything to get my items back that would be fine.

I promises I have not been to china in my life, so if there was a Chinese IP that accessed my account.. 99% sure that it wasn't me and would be easy to find that item.

Like I've posted in my other comments, I personally don't give a shit about the orbs that are missing. The items that are gone make my only farming toon unplayable. if every one got 3-4 items restored and you were able to remove the old one (even if you weren't able to) The game will but out into anarchy and the game be over ran. This is absurd that you would think this.

1740 hours in open beta, 900 hours or so of played time. 800 hours of unplayed time. Am I High or low played?

have fun with your new game Jay Wilson. Wait even Jay Wilson gave people at least 1 free roll back... Maybe you should hire him, he knows what customer service is at least.
"Unfortunately, we cannot restore any items lost to theft." Unless you are a well known streamer then we will do anything for you.
Last edited by TheHeffNerr on February 20, 2013 1:29 PM

Report Forum Post

Report Account:

Report Type

Additional Info