Hacked Accounts

"
Thrombo wrote:
"
MonstaMunch wrote:
"
Mark_GGG wrote:
This is mostly for peace of mind because there's no way to do a practical brute force with one attempt per 10 seconds.


Thanks Mark. I fully agree that it's clear brute force attacks aren't the cause of the recent issues.

Just for a bit of extra peace of mind, would it be possible to get some sort of clarification regarding the possibility of session hijacking? More specifically, whether under the current setup a hacker would even need a password to impersonate an account if they were able to intercept the session ID.


To be clear - you don't need a user's password to log in as that user. You can do that with their password hash itself by copy/pasting it in to your own ini file and treating it as a saved password. In that respect GGG may as well be storing the password in the clear locally.

Additionally, it appears that the password hash is stored in memory throughout the execution of the program and not just during the challenge/login process. As such, you'd need only an exploit to gather information about the process in-memory (easier than a rootkit or general remote code execution). With such an exploit, a hacker would effectively only need to paste in the user's hash into his/her own client with the account name for access.

It's not hard to believe in a beta client such exploits exist as bugs and have been overlooked. Hopefully GGG will either directly address these, if they exist, soon, or come out with authenticators or a similar rotating key-based auth mechanism.

Very insightful post.

This could also be changed by salting the hash with something on the machine, so that transferring the hashed stored password wouldn't work (if this isn't already the case).
GGG just hit another rock bottom today.

"

People have asked us why we don't restore accounts when they are hacked. The reason is that the outcome of this would be far, far worse for the game. I understand it's hard to see that perspective when you're staring at an empty stash where your items were, but please consider what would happen to the economy if players could request their items to be restored due to theft. It would be very easy to fake an account theft - just ask a friend from elsewhere to log in and take your items before contacting support and asking for a restoration.


And then...

When a famous streamer got hit...

"

Okay. I am very glad we caught this fast. Thank you very much for posting this thread with info.

Someone impersonating the account owner persuaded one of our support workers to change the email address on the account. This has only happened to this one account and this will never happen again. We have clear policies on this to keep accounts safe and we will not tolerate the policies being broken by our staff.

Our policy is to never trust incoming email as a source of proof of account ownership. In this one case a spoofed email was trusted by a customer support agent. We have talked to customer support and they now fully understand about spoofed emails.

My initial reaction that the account was sold/stolen was based on the email address being changed (which requires the owner of the account to do so).

We have restored the account, characters and its items. Thankfully there was no economic impact. We will restore his character's hardcore ladder position but this may take several days. In this case it is 100% our fault that it was compromised and I am deeply sorry.

On a happier note, the work on the new security measures we're implementing is going very well and the "one week" estimate that I posted about here may be just 1-2 days. As I explained in that post, almost all "hacked accounts" are due to people losing passwords because the passwords are used with other online services (or because there's malware installed). This case here with Prozon's account is very different than normal hardcore deaths and/or password theft because it was directly due to our customer support member making a mistake.


So, if a famous streamer get hacked, GGG will restore his/her account. Instead, if a random nobody gets hacked, they will say "We have this restore policy etc etc so no reroll."

Another rock bottom, guys. Another rock bottom.
Here's the link for the Chris's quote above.
"
Thrombo wrote:
To be clear - you don't need a user's password to log in as that user. You can do that with their password hash itself by copy/pasting it in to your own ini file and treating it as a saved password. In that respect GGG may as well be storing the password in the clear locally.

Additionally, it appears that the password hash is stored in memory throughout the execution of the program and not just during the challenge/login process. As such, you'd need only an exploit to gather information about the process in-memory (easier than a rootkit or general remote code execution). With such an exploit, a hacker would effectively only need to paste in the user's hash into his/her own client with the account name for access.

It's not hard to believe in a beta client such exploits exist as bugs and have been overlooked. Hopefully GGG will either directly address these, if they exist, soon, or come out with authenticators or a similar rotating key-based auth mechanism.

My point was that while your information is entirely correct, if sessions can be hijacked simply by intercepting the session ID, there is no reason to believe that passwords have been stolen (hashed or not), or that end user PC's have been infected with anything, kind of like you're describing in your second paragraph.

That's why I'd like some confirmation as to why we're so sure that all these issues are the fault of the players and that nothing is being intercepted before it even gets to them.

Edit: I just saw the post above mine. Dear lawd, this is going to get ugly. What happened to "we don't have the functionality to restore characters. We never restore items, no exceptions"? This is just messed up.
Last edited by MonstaMunch on Feb 21, 2013, 12:02:12 AM
"
darkro90 wrote:
GGG just hit another rock bottom today.

"

People have asked us why we don't restore accounts when they are hacked. The reason is that the outcome of this would be far, far worse for the game. I understand it's hard to see that perspective when you're staring at an empty stash where your items were, but please consider what would happen to the economy if players could request their items to be restored due to theft. It would be very easy to fake an account theft - just ask a friend from elsewhere to log in and take your items before contacting support and asking for a restoration.


And then...

When a famous streamer got hit...

"

Okay. I am very glad we caught this fast. Thank you very much for posting this thread with info.

Someone impersonating the account owner persuaded one of our support workers to change the email address on the account. This has only happened to this one account and this will never happen again. We have clear policies on this to keep accounts safe and we will not tolerate the policies being broken by our staff.

Our policy is to never trust incoming email as a source of proof of account ownership. In this one case a spoofed email was trusted by a customer support agent. We have talked to customer support and they now fully understand about spoofed emails.

My initial reaction that the account was sold/stolen was based on the email address being changed (which requires the owner of the account to do so).

We have restored the account, characters and its items. Thankfully there was no economic impact. We will restore his character's hardcore ladder position but this may take several days. In this case it is 100% our fault that it was compromised and I am deeply sorry.

On a happier note, the work on the new security measures we're implementing is going very well and the "one week" estimate that I posted about here may be just 1-2 days. As I explained in that post, almost all "hacked accounts" are due to people losing passwords because the passwords are used with other online services (or because there's malware installed). This case here with Prozon's account is very different than normal hardcore deaths and/or password theft because it was directly due to our customer support member making a mistake.


So, if a famous streamer get hacked, GGG will restore his/her account. Instead, if a random nobody gets hacked, they will say "We have this restore policy etc etc so no reroll."

Another rock bottom, guys. Another rock bottom.
Here's the link for the Chris's quote above.


This was a totally different situation. The account wasn't hacked. GGG gave the information to someone completely different to the account. The account comprimised didn't manage to trade off taken items, so returning the items had no affect on the economy.

Support staff are now informed of people posing as account owners, and will not make the mistake again (hopefully).
"Minions of your minions are your minion's minions, not your minions." - Mark
"
ciknay wrote:


This was a totally different situation. The account wasn't hacked. GGG gave the information to someone completely different to the account. The account comprimised didn't manage to trade off taken items, so returning the items had no affect on the economy.

Support staff are now informed of people posing as account owners, and will not make the mistake again (hopefully).


I didn't see any one saying the items were not traded off... he had more then enough time to trade the items off. He is a high ladder player so GGG has no problem hunting down his items deleting them, and restoring them back.

"Unfortunately, we cannot restore any items lost to theft." Unless you are a well known streamer then we will do anything for you.
"
ciknay wrote:
This was a totally different situation. The account wasn't hacked. GGG gave the information to someone completely different to the account. The account comprimised didn't manage to trade off taken items, so returning the items had no affect on the economy.

Support staff are now informed of people posing as account owners, and will not make the mistake again (hopefully).


I can't believe you're going to try and defend this. GGG claimed it wasn't even possible to restore characters. Clearly that was a lie. I don't use the word lie lightly. I've had a lot of chats with Chris and he's someone I have a lot of respect for. However, this is simply indefensible.

This was phishing, and they already said they can't/won't restore accounts that are hack to phishing attempts. The fact it was GGG who fell for the phishing instead of the user means they are saying if it's their fault you get hacked, then you get everything restored.

Given that it's entirely possible that a lot of the recent hijackings were no fault of the end user, it creates a bit of an awkward situation, don't you think?

Btw, love Prozon, have more respect for him than almost anyone in the game and glad he got his stuff back. Still it's bullshit.
I have never seen GGG claim it is impossible to restore items, characters, etc.

What do you think they did when they transitioned from Closed to Open Beta? They deleted all of our characters and then remade them at level 1.

Anyway, here's the key statement from the Prozon incident:

"
Chris wrote:
Someone impersonating the account owner persuaded one of our support workers to change the email address on the account....

This case here with Prozon's account is very different than normal hardcore deaths and/or password theft because it was directly due to our customer support member making a mistake.


Of course they restored all the lost shit. It was their fault it was lost. Entirely. Hell, this should technically not even be discussed in this thread -- it's not about a hacked account, but a tricked support staff member.
https://linktr.ee/wjameschan -- everything I've ever done worth talking about, and even that is debatable.
"
MonstaMunch wrote:


Given that it's entirely possible that a lot of the recent hijackings were no fault of the end user, it creates a bit of an awkward situation, don't you think?


Indeed it does...if you can prove that there's no fault on the end user's behalf.

Which is amazingly difficult. And given how honestly Chris posts when GGG does fuck up (as is now evident) I genuinely believe if any of these latest hack atempts/successes were at the hands of GGG, he'd admit it and do something about it.

You say you've talked to him many times...so talk to him again.
https://linktr.ee/wjameschan -- everything I've ever done worth talking about, and even that is debatable.
"
ciknay wrote:
"
darkro90 wrote:
GGG just hit another rock bottom today.

"

People have asked us why we don't restore accounts when they are hacked. The reason is that the outcome of this would be far, far worse for the game. I understand it's hard to see that perspective when you're staring at an empty stash where your items were, but please consider what would happen to the economy if players could request their items to be restored due to theft. It would be very easy to fake an account theft - just ask a friend from elsewhere to log in and take your items before contacting support and asking for a restoration.


And then...

When a famous streamer got hit...

"

Okay. I am very glad we caught this fast. Thank you very much for posting this thread with info.

Someone impersonating the account owner persuaded one of our support workers to change the email address on the account. This has only happened to this one account and this will never happen again. We have clear policies on this to keep accounts safe and we will not tolerate the policies being broken by our staff.

Our policy is to never trust incoming email as a source of proof of account ownership. In this one case a spoofed email was trusted by a customer support agent. We have talked to customer support and they now fully understand about spoofed emails.

My initial reaction that the account was sold/stolen was based on the email address being changed (which requires the owner of the account to do so).

We have restored the account, characters and its items. Thankfully there was no economic impact. We will restore his character's hardcore ladder position but this may take several days. In this case it is 100% our fault that it was compromised and I am deeply sorry.

On a happier note, the work on the new security measures we're implementing is going very well and the "one week" estimate that I posted about here may be just 1-2 days. As I explained in that post, almost all "hacked accounts" are due to people losing passwords because the passwords are used with other online services (or because there's malware installed). This case here with Prozon's account is very different than normal hardcore deaths and/or password theft because it was directly due to our customer support member making a mistake.


So, if a famous streamer get hacked, GGG will restore his/her account. Instead, if a random nobody gets hacked, they will say "We have this restore policy etc etc so no reroll."

Another rock bottom, guys. Another rock bottom.
Here's the link for the Chris's quote above.


This was a totally different situation. The account wasn't hacked. GGG gave the information to someone completely different to the account. The account comprimised didn't manage to trade off taken items, so returning the items had no affect on the economy.

Support staff are now informed of people posing as account owners, and will not make the mistake again (hopefully).


I'll accept the reason for making the exception (and think its 100% justified), but my question is how many other examples of a CSR getting duped could exsist in the 100's of hack complaints that have been piping up?

In this case it was caught in the middle of the theft because the person in question was a popular name but for the average joe it would just go unoticed and written off as "its the users fault". It certainly looks like favoritism at some level because another player most likely would have been blown off.

I was hacked as well at some point in the last 24 hours, and while I can't garentee I wasn't compromised I take the basic proper actions that have been posted. I know GGG is limited on staff, so I understand they don't have the resources to look at every one of these instances in depth. It is very frustrating regardless, especially when a top player gets immediate and positive attention to get to the root of the problem for their issue.
"
MacantSaoir wrote:
You've not challenged a single point of anything I've said? They were told it would happen, there was a simple preemptive solution to prevent it happening which EVERYONE knows about (authentication) and it was not taken.
...
Complacency that's why. The only answer to it. So now they get to feel the rage of *insert number* gamers because of pure complacency. As I stated prior, I refuse to further support the game with more players or currency until this severe oversight is addressed.


I have indeed challenged "a single point" - that of assumption.

So, fair call - authentication is the solution that would have preemptively dealt with the issue. You were right.

What I am challenging is your assignation of motive to GGG's decisions. Now you're saying they were complacent and it's "the only answer". What about lack of resource? Chris said to some dude that they were taking stuff onboard but that doesn't mean that at crunch time, when the player base was whining because Open Beta was already delayed, they could afford the resource to fix issue no. 666. There are enough people whining that desync should have been top of the list. Who's whine should top the list? Wouldn't it be a great exercise to watch this community try and run a group endeavour of the scope of PoE.
IGN: ScrubcoreRulezBitch
Alt: HardcorePwnsScrubcore
Last edited by mkmaddage on Feb 21, 2013, 12:29:48 AM

Report Forum Post

Report Account:

Report Type

Additional Info