Hacked Accounts

"

dag71 wrote:

Just adding my voice to the chorus. I logged in after a week away to find my account stripped.

Pretty much same thing happened to me, although I was gone couple months came back for the new patch and all my characters were striped...First time Ive had an account to my knowledge hacked. (Including D2 which was/is infested with scams ect)

I came back playing again after hibernating for a few months. Before playing back, I did:


- Reformatted my PC and installed all from scratch.
- Enabled 2-tier security on my e-mail account.
- Did not installed Java/Java Run-time Environment.

I hope the RNG hacker(s) spare me this time.

"

TheHeffNerr_ wrote:

"

hzflank wrote:

The whole point of encryption is that it cannot be decrypted without the salt.

If salt = key, then yes. If no, you have no idea what you're talking about.

It is my understanding that salted hashes can be cracked as well. They start by attacking short passwords which gives them clues about the salt then they move on to longer passwords. It just takes more time. That is assuming hackers got their hands on the encrypted password file to begin with.

"

wonko33 wrote:

"

TheHeffNerr_ wrote:

"

hzflank wrote:

The whole point of encryption is that it cannot be decrypted without the salt.

If salt = key, then yes. If no, you have no idea what you're talking about.

It is my understanding that salted hashes can be cracked as well. They start by attacking short passwords which gives them clues about the salt then they move on to longer passwords. It just takes more time. That is assuming hackers got their hands on the encrypted password file to begin with.

It depends on your salting policies, but it can be done. Main issue is when you add the salt, randomized each time, etc. Also, you don't need salt but it helps.


SQL injection can be amazing for getting the password tables. Hard to find in logs unless you know what you're looking for. And no, I'm not saying you can use SQL injection on GGG's server, just saying it can be amazing.

"

SenecaHaze wrote:

well i just got hacked today i dont know what to do =( this is terrible. I dont use any fansites i only use the main path of exile. i dont even talk to people in game. sigh and im guessing nothing can be done.

I'm just checking in to make sure GGG still offers no support and blames us for being hacked.

Yep.

Anyone other than me that would appreciate a simple feature:
IP locking?

Opt-in feature via website.
Once you enable the feature, auto-enables the last IP you logged in from.
Blocks access from all other IPs.

To disable the feature requires email verification (presumably you use a different email password).

Now, this feature would only help those of us who play from a single location that has a static IP address (ie, cable internet).
But it would help, and shouldn't be too hard to add on top of any other planned measures.

"

wyldmage wrote:

Anyone other than me that would appreciate a simple feature:
IP locking?

Opt-in feature via website.
Once you enable the feature, auto-enables the last IP you logged in from.
Blocks access from all other IPs.

To disable the feature requires email verification (presumably you use a different email password).

Now, this feature would only help those of us who play from a single location that has a static IP address (ie, cable internet).
But it would help, and shouldn't be too hard to add on top of any other planned measures.

As someone that has a dynamic IP, I will still like this feature but adjust so that I could specify a range of IP addresses. Not quite as secure, but still usable.

What may be some extra security to someone who does not want to write down a hard password but still have a long, non logical password.
Autohotkey might be an idea (this does NOT protect against keyloggers etc) but allows you to set a very long password, that you can use with a short key combination on the PC the script is installed.

I personally use it so that i don't have to memorize all my passwords (and i have a good antivirus so keyloggers are generally not a problem) For me i have 1 password for maybe 30 accounts, but the script turns that simple "password" i input into the actual password for the account.

And for abbreviations (like "brb", when i type those letters, the script automatically writes down "be right back"

It's a really simple method of getting a more secure password without the fear of forgetting it or having to look it up.

"

If our policy was to take the items back from the attacker without duplicating them, then this would result in a free tradehack that anyone could use.

Can somene explain this to me? Why is it not reasonable to get the items back from the thief to the owner, if it was 100% clear that the items were indeed stolen? This does not involve any item duplication.

So basically when an act of item theft is found, the thief is banned, and support says to the victim: "Sorry, can't get your items back, against our policy, go suck a lemon!", is that correct?

I imagine many people already quit the game because of that.

"

"

If our policy was to take the items back from the attacker without duplicating them, then this would result in a free tradehack that anyone could use.

Can somene explain this to me? Why is it not reasonable to get the items back from the thief to the owner, if it was 100% clear that the items were indeed stolen? This does not involve any item duplication.

So basically when an act of item theft is found, the thief is banned, and support says to the victim: "Sorry, can't get your items back, against our policy, go suck a lemon!", is that correct?

I imagine many people already quit the game because of that.

They already told you why, with how their account management system works now, they can't restoring it without the stolen items being deleted and restored.

This would be a indirect "dupe hack" since the stolen items can be tossed around to proxy accounts.