GGG user data leak?

As before, speaking for me: I always get the auth code even if I change PC at home
(so same IP address, same location; same everything except for the device).
I agree that most of the time the problem is between chair and keyboard, but
safety first, and this must be a "must" also for GGG (as you wrote, you didn't receive it when playing from a different location).
"
simoc74#4499 wrote:
Well, speaking about a data leak is probably misleading, but something strange happened.
I may be a n00b player on PoE, but I spent years in IT/cloud/networking and
I speak only if there is data, and here it looks like we have it:

Go to Google and type "site:www.pathofexile.com account hacked" and, if you wish,
set the query to only get results from the last week.

Well, to my eyes it sounds a little bit strange that a lot of people with different
clients (Steam or PC), with or without 3rd party software running, experienced the
same issue without getting hit by the unlock code that normally is sent when you play
from a different location or, I can speak for myself, when you play from two different
PCs in the same location (my house).

I'm not finger-pointing at anything or anyone, just reporting raw data here.

The only blame I can raise (but sitting on my chair at my home) is the way GGG acts
when someone reports a hacked account, but again I run a different (but similar) business
and I know it's hard (or better, it's impossible) to make everyone happy.


There are tools for PoE1 which require your session token to pull data from your stash tabs. These tools claim they are not sharing info, but there is zero verifiability of this data not being harvested and stored. I will take a guess that one of these tools got popped and they did in fact harvest and store the IDs, and thus we're here.

That's one part of it, and the other part is just all these new tools for "price checking" coming out of like 10 sources, some of which are closed source, and they graciously ask for your login info just to search the trade site. You can guess where this thought is going.

Third, password reuse, but this is a problem old as time.
Thanks for pointing me to this 3rd party software, I'm trying to figure out if they can
use the token to bypass MFA auth, but it looks very strange that they can keep some background session open if you shut down the PoE2 client.
BTW, a lot of hacked people report they never used this kind of tool, but sometimes it's better
to sweep the dust under the rug and do finger-pointing against some evil corp.
But in my head something is telling me there are things to be fixed also at GGG.
We'll see....
"
Sadaukar#2191 wrote:
I don't know about hacked accounts or leaks or anything, but it seems to be true that PoE2 does indeed not trigger the email activation if you're logging in from a different location.

At least in my case I had to do the verification process for PoE1 very regularly because of my dynamic IP, but not once did I have to do it in PoE2. Just type in the PW again, but no email verification. Kinda odd.

So if people are using weak passwords or get their PW leaked through 3rd party tools/phishing, they are most likely fucked.


I had my stuff leaked most likely due to having my standalone account, which had been unused since 2014, connected to my Steam account due to the funky league launch. Unfortunately I had forgotten to change the password as I continued using Steam, and did not think of the possibility that they could bypass 2FA.

However, I did receive an email from GGG saying that someone was accessing my account from an unusual location, and it sent an access code. However, somehow the 'hackers' managed to bypass that feature (or it was disabled), and many other people seem to have had the same occurrence where no verification code seemed to be required.

(Also I logged onto the wrong account for the EA but that's another thing)
Last edited by OgggaWogga#3159 on Dec 28, 2024, 9:16:11 PM
"
simoc74#4499 wrote:
Thanks for pointing me to this 3rd party software, I'm trying to figure out if they can
use the token to bypass MFA auth, but it looks very strange that they can keep some background session open if you shut down the PoE2 client.
BTW, a lot of hacked people report they never used this kind of tool, but sometimes it's better
to sweep the dust under the rug and do finger-pointing against some evil corp.
But in my head something is telling me there are things to be fixed also at GGG.
We'll see....


The ID, called POESESSID, is factually and functionally you. It will bypass any and all secondary authentication methods. If you log in to the forums, you can just get it out of your cookies through the dev console, and if you log in through something like the Overwolf overlay, they get the same cookie and thus your token. You cannot directly log into the client with it, but you can use the ID to just bind it to another Steam account and use that to log in as the victim, and job done.

From my experience in the field of CS and QA, people lie on bug reports more often than not, purely because they are embarrassed that they did a stupid thing and now got punished for it, even more so if they were duped into doing said stupid thing (phishing etc).

You can read more on GGG's post about the session ID -> https://www.pathofexile.com/forum/view-thread/3328601

Addendum: As stated, the session ID expires every time you log out and you are granted a new one when you log in.

I have a feeling that GGG kept expiring session IDs on a timer because they are being harvested and misused every 5 minutes, and it was a mitigation procedure to try and prevent at least some of the damage. This can be one reason why everyone kept getting booted offline and is still getting booted on the regular. Also, if true (big if), it'd support session IDs being harvested via external software.
Last edited by Arakki#6986 on Dec 29, 2024, 4:19:53 AM
I'm betting a lot of new players are getting lost when trying to look at how to trade, since people are used to in-game trade houses these days. They might end up googling it, finding a phishing site, and putting their login information in it, effectively losing their account. Would be nice if they added something in-game for that instead of the system that currently exists, which was outdated in 2004 with the creation of World of Warcraft.
Nobody is speaking on this, but a lot of loot filter stuff and other things are going right to GitHub and could be malicious, even by mistake. They should release some "official" loot filters and other 3rd party used things, or suggest ones that are most likely to be trusted. This has me very hesitant now to use a loot filter for PoE2 or anything else for that matter.
I'm not worried, my password has always been really easy and I've never been hacked before [Removed by Support]
Last edited by Will_GGG#0000 on Dec 29, 2024, 7:39:32 AM
I mean, we pretty much know by now it was 3rd party tools and in some cases RMT websites that also scam you into connecting your account.
How glorious if it really is the RMT websites doing the "hacks". That would mean they scam their "customers" twice, which is actually hilarious and deserved.

If GGG can't do anything against them, maybe this lesson will have an effect :D
