Hacked today. Certainly on GGG's end.
I believe the wave of hacks is due to a "watering hole" attack similar to what hit the Facebook mobile devs (and Twitter too I believe) a little while back. They create a hack that takes advantage of zero-day exploits (usually in Java or Flash) and place them on sites known to be frequented by their target audience. In the case of PoE, that only means targeting a popular PoE type site where people who are familiar with PoE will go for resources or whatever. They place their exploit on this type of site knowing that 90% of the people who are on that site are PoE players. The exploit is crafted specifically to target PoE information either through the stored config hashed password, or through a keylogger (or both most likely along with a larger list of other stuff). Once the exploit goes live, the hacker gets a flood of information coming in allowing them to harvest that data either for immediate use, or for use later once they've established a good system for stripping the accounts quickly and efficiently. Because of the speed and number of accounts, I tend to believe they've been harvesting accounts for quite a while and have been waiting until they have a good system in place to strip them quickly. This is not some dinky script-kiddie. These are professional hackers. Don't confuse them as the same thing.
I can't take those accusations of downloading speed- or maphacks any longer. Please stop assuming that everyone in here is a cheater and deserves to get hacked. Who can tell me for 100% that there has not been a SQLi on the website in the past?
Seriously guys, you should open your eyes. There are new threads about this every hour.

Some things are so powerful that one glance burns them into your mind forever!
Come let us gaze on nothingness.
He's just a forum troll, don't bother. Regarding not typing your password, it is actually easier to steal the password this way. Look at your documents folder\My Games\Path of Exile\production_Config.ini. There's your password hash. It's much easier for an exploit to read this file than it is getting your PC infected with a keylogger. After getting my account compromised, I've been looking for possible causes that might apply to my case, but I haven't yet found any flaws in my security.
I believe that I have a greater understanding of what goes on in a datacenter than many of the people claiming that GGG is at fault. I'm a SQL DBA, and I have worked as a sysadmin for about 6 years as well. I do not think that GGG is infallible, and in fact I realize if someone actually targeted them specifically, they could probably breach their security. Only having 17 employees does that. I do think if that happened, they would tell us, and that an intelligent hacker will always take the shortest, and easiest, path to success, the users. The reason I so fervently defend them is twofold, one being that I genuinely enjoy arguments, especially if someone can force me to think about my position and get me to change my mind. Second, because not a single person has given a reasonable piece of evidence that would point out GGG being hacked. You say "so many people have been hacked" but in reality it is a statistically insignificant amount. We have morons like geld saying "IT COULD BE A SQL INJECTION ATTACK" and he doesn't even know if they use SQL. And worst, we have people so cocky that they say things like "I 100% know that I'm not compromised, and even if I had a keylogger, it wouldn't matter because I haven't typed my password in weeks". The config file has your hash saved, and all they need to do is grab it, and to claim your computer is 100% clean is asinine. The second you connect to the internet, you are opening yourself up to the world, and there are people a hell of a lot more clever than you or I out there that can take your information if they want to. Lastly, I bring up this point, and it is by no means proof, but it really fits the narrative - These hackers as you seem to think are pretty brazen, mass hacking accounts. If they had access to GGG's server, why wouldn't they take from the top of the ladder instead of randoms? All I'm asking for is one piece of evidence it's on GGG's side.
Give me one, I've been asking for 2 weeks and not a single person can do it.
Since you don't know it either, why blame me? Instead you just keep insulting people that got hacked. As a self-claimed DBA you should know the risks of SQLi. Oracle had plenty of zero-day exploits in the past that made 10g an easy target. Also it makes sense that they did not attack the top 10 players, because that would probably mean a total rollback of the servers because no one wants bad publicity.

Some things are so powerful that one glance burns them into your mind forever!
Come let us gaze on nothingness.
I got hacked within the last 18 hours as well.
Came home from a trip to find that all my currency is gone, luckily my character is left alive. I'm going the self-doubt road and not pointing any fingers right now. Have done scans for the last few hours, nothing. I haven't used any third party software outside the Planner Pinned on the forums. Nor have I signed up on random sites to have them snatch my password or forums. I haven't touched the password since it was automated since day one of beta launch. [remember password] I could care less about the currency I lost, it's all pixels to me. I just don't feel like I want my time to be wasted if I've invested into something. The most important is feeling un-secure. So I feel you. Like I said, I'm giving the benefit of the doubt, and prosecuting myself first before I jump anywhere.
I commend you on your introspective view. My recommendation is that even if you don't think you're vulnerable, it might be a good idea to wipe your system to be sure (and don't install Java or Flash). Also if you do install any browser plugins, make sure they are set to prompt you before activation always. Good luck. Sorry for your lost stuff.
"you don't even know if they are using sql" Evidence is something that can be verified, not just a guess
Well, I see no evidence from either party.
I'm willing to believe I compromised myself in some way, but really, it could be GGG for all we know, yet you require no evidence from them?
The burden of proof really isn't on GGG, as they haven't made the claim. The only thing they have said is almost every account compromise they have investigated could be attributed to cheating or phishing. I don't know what the other ones might have been. Also, you always start troubleshooting at the weakest point, not the strongest. I never said that GGG was invincible, just that there is zero evidence they have been hacked, and they have claimed repeatedly they have not been compromised. How can you seriously suggest we take your word over theirs, when they have been extremely transparent throughout development, even admitted to an earlier security problem they did have?