GGG, I need urgent help

How do you know Falcord2 isn't a social engineering hack? Recently a Wired journalist blogger got hacked. GGG should exercise caution and act appropriately.
POE is a constantly evolving game, so expect balance changes, buffs and nerfs STILL!
"
THEHORNEDRAT wrote:
How do you know Falcord2 isn't a social engineering hack? Recently a Wired journalist blogger got hacked. GGG should exercise caution and act appropriately.


A couple private messages with Charan would do. He knows me reasonably well, and he's an important member of the community.

Otherwise, GGG will likely have their own tools for that. My billing info may be a good start.
"
HappySoda wrote:
If GGG keeps password history, they should easily be able to restore it. I don't understand why everyone is saying that is not possible.

GGG have to store everyone's password in some manner in order to authenticate logins. For security purposes, passwords are often stored in a hashed format to make reverse engineering impossible.

So, if GGG keeps password history, and you send them your old password, they can easily run that password through their hash algorithm, and compare the result to the stored hash. Alternatively, they can restore the password in its hash form, and see if you can log in.

Of course, if GGG does not store password history, you would have to find another way, such as verifying certain information about the credit card you purchased the support package with.


Generally, with modern systems, passwords are encoded such that the stored passwords are not viewable by anyone, for two reasons.

It protects you in case GGG goes rogue. They know your password and your email. While it shouldn't be true, for most people it is.

Secondly, should their servers be compromised, the passwords cannot be retrieved, for the same reason as above.

This is why, for almost anything nowadays, if you "forgot" your password, after proving your identity you will be given the option to create a new password.

This thread is an example of why you should never use your email password for accounts that are linked to your email.

Also, as pointed out, this puts GGG in a precarious position, as falcon2 could be an imposter trying to steal falcon's account. As stated, IP addresses are the best proof of fraudulent activity.

This thread is also why account sales are not allowed for pretty much any online game (unrelated, probably.)

GGG is awesome, but this is a delicate and complex situation. Please understand if it takes them some time to resolve this issue.
I am in no hurry. I can think of many ways my identity can be reasonably confirmed. I just hope for GGG to eventually present me one.

Thank you guys for giving some light to this.
Like others suggested, you should PM Support. You can find the link in my signature.

There are a few options that would allow you to gain back control of your original account.
If you have account problems please Email Support: http://www.pathofexile.com/support
Can't you use your email's password recovery/reset features to regain access and then use the email to regain access to your PoE account?

I mean, nearly every email provider out there has recovery features in case you forgot/don't know your password. Someone getting access to your email doesn't bar you from getting it back unless they go in and change all of your recovery options like security questions, registered phone number/alt email, etc. That is, of course, assuming you set those options up in the first place.
Closed Beta/Alpha Tester back after a 10-year hiatus.
First in the credits!
His email on the PoE account got changed; he got his email back, but not the PoE account.

Although it could be possible that Falcon only changed his account pw and email because someone hacked into his email; so he had to use a new email; and this Falcon2 is the hacker, trying to get the password reverted so he can get onto the account (less likely).


Anyway, hope whoever really owns this account gets the account; and not some person who doesn't want to support GGG.
Alice_of_Wraeclast - Dagger CI Witch
Alice_MadnessReturns - Molten Strike AoF witch
Flavour Build concept taken from Alice: Madness Returns
Sorry, maybe this wasn't clear enough:

I have access to my email, there are no problems with that. My email wasn't compromised. Simply, it was changed on the PoE account settings. So while I can easily access all the emails I got since I registered to PoE, none of the verification links work as the PoE account is currently linked to a made up email account.
"
falcord2 wrote:
Sorry, maybe this wasn't clear enough:

I have access to my email, there are no problems with that. My email wasn't compromised. Simply, it was changed on the PoE account settings. So while I can easily access all the emails I got since I registered to PoE, none of the verification links work as the PoE account is currently linked to a made up email account.


Either way, you should be able to easily prove who you are with the transaction history!
"
Saffell wrote:
Generally, with modern systems, passwords are encoded such that the stored passwords are not viewable by anyone, for two reasons.

It protects you in case GGG goes rogue. They know your password and your email. While it shouldn't be true, for most people it is.

Secondly, should their servers be compromised, the passwords cannot be retrieved, for the same reason as above.

This is why, for almost anything nowadays, if you "forgot" your password, after proving your identity you will be given the option to create a new password.


That is correct. No properly developed system would store passwords in plain text. Rather, passwords are stored as hash codes. The reason is simple: hash codes are single-directional, i.e., converting hash codes back to passwords is impossible.

Sure, if someone has the hash code of an account AND direct access to the server side authentication API, then the account is done for. But other than that (and some other security holes), the actual password would always be needed to gain access.

Some companies maintain a history of hash codes, such as Microsoft, as the risk of doing so is nearly zero. In fact, I would say it is good practice to maintain history of at least one previous hash code. There are many practical benefits to having such a history, one being for authentication purposes.

GGG can simply expose a temporary login page where a user can enter a previous password. The password would be converted into hash on the server side, compared with the target hash, and the result returned to GGG. If matched, then the user should be considered as PARTIALLY authenticated.

Additional authentication is still necessary to mitigate the risks of key logger hackers.
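
The previous-password check described in the post above, sketched as an added example (not part of the thread and not GGG's code). It assumes salted PBKDF2-HMAC-SHA256 records; the names `HashRecord`, `recovery_state` and `billing_verified` are hypothetical, and the passwords are constructed sample values.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 200_000  # assumed work factor for this sketch; tune for real hardware


@dataclass(frozen=True)
class HashRecord:
    salt: bytes    # random per record, so equal passwords give different digests
    digest: bytes  # one-way derived value; the password itself is never stored


def make_record(password: str) -> HashRecord:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return HashRecord(salt, digest)


def matches_record(candidate: str, record: HashRecord) -> bool:
    # Re-derive with the stored salt, then compare in constant time.
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record.salt, ITERATIONS)
    return hmac.compare_digest(digest, record.digest)


def matches_history(candidate: str, history: list[HashRecord]) -> bool:
    # Check every entry without early exit, so response time does not
    # reveal which historical record (if any) matched.
    matched = False
    for record in history:
        matched = matches_record(candidate, record) or matched
    return matched


def recovery_state(candidate: str, history: list[HashRecord],
                   billing_verified: bool) -> str:
    # A matching old password alone yields only "partial": a key logger
    # would have captured it too, so a second, independent proof is required.
    if not matches_history(candidate, history):
        return "rejected"
    return "verified" if billing_verified else "partial"


# Constructed sample history for one account (hypothetical values).
HISTORY = [make_record("old-password-2012"), make_record("older-password-2011")]

if __name__ == "__main__":
    print(recovery_state("old-password-2012", HISTORY, billing_verified=False))
    print(recovery_state("wrong-guess", HISTORY, billing_verified=True))
```

A real recovery page would also need attempt limits per account, since an unthrottled previous-password form gives an attacker another place to guess.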
