Hacked Accounts

"
Elynole wrote:
"
MacantSaoir wrote:
You guys were warned in CBT that hackers would come, Chris, you guys were warned. I warned you, as did many other users. Once the economy mattered, they would attack in full force and you didn't listen to us. We told you to authenticate, you didn't listen to us. Now behold the shit storm of CS issues that will take you forever to sort out and respond to. Not only that, but you have infuriated many gamers with your response on not restoring items, all from something easily preventable if you guys had just taken the time to do it before launching. You guys were warned, you didn't listen, feel the rage.

Not restoring items, I feel, is a pathetic response to the issue at hand. Telling the person they're out on their ass. Especially over something you were warned about, and acknowledged to us in CBT. It's not like you didn't see it coming, don't lie, because we talked about it during CBT. You cannot claim ignorance on this issue. 'Tis impossibru.


Everyone seems to be a certified security penetration specialist here; hindsight is 20/20 btw.


Maybe you're right, but his point is that the hindsight argument is difficult to make here, since there was a lot of talk about these sorts of things before Open.
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
I can see it now...
"Yeah guys, so we found out our system actually had been hacked and that is how they got your passwords. Still not restoring your accounts, sorry"

Customer 'support'
IGN Dopplewalk
"
Charan wrote:
"
Moeses wrote:
$10 says if Kripp's account was hit, it would be restored in a heartbeat.


I'd take that bet and raise it a grand. Hell, it's Thursday. Two grand.

In fact, I'd pay a grand right now just to see it happen. Because if one of the prominent, in-the-spotlight players got hit, it would prove a lot of things.

And I like seeing proof. Not enough of it lately, from either side.


Indeed. It would be nice to really see the proof here. Perhaps it's just a matter of time before a bot hits Kripp, or perhaps he has some sort of specific added security that we don't know we should have as well.

At this point, who knows? :\
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
"
altaccount wrote:
"
FrodoFraggins wrote:
"
Ruefl2x wrote:

PS: the real problem is people who actually buy the currency for real money. Without them none of this would even happen!


So what? People keep talking about that like it's some great revelation.

Probably 95% of hacks could be prevented by:

1) Not reusing your password ANYWHERE else - prevents a majority of stolen accounts
2) Using a strong password - prevents brute force
3) Not downloading maphacks/bots - prevents most trojans/keyloggers

We already know where most hacks come from. It's very, very, very rare that a game's entire account-name/password database gets compromised.
Nice guessing. Let me join you. What about the other probable 5%: users with unique login/pw, clean systems and proper security habits?

I've already spent countless work hours of my free time reviewing my home network's firewall logs and file access logs (a nightmare on Windows Server) for the PC I play POE on, searching through password hash databases that could somehow contain my POE pw hash (I don't even use the same login/password anywhere else), and looking for any obscure vulnerabilities I might've missed. I'm actually worried for my security here, but I can't find any problems whatsoever.

All the while, support replies are in the vein of "sorry, your fault, we also won't tell you anything" when they're not just a copy-pasted stock reply. Extremely frustrating.


bingo
"
altaccount wrote:
"
FrodoFraggins wrote:
"
Ruefl2x wrote:

PS: the real problem is people who actually buy the currency for real money. Without them none of this would even happen!


So what? People keep talking about that like it's some great revelation.

Probably 95% of hacks could be prevented by:

1) Not reusing your password ANYWHERE else - prevents a majority of stolen accounts
2) Using a strong password - prevents brute force
3) Not downloading maphacks/bots - prevents most trojans/keyloggers

We already know where most hacks come from. It's very, very, very rare that a game's entire account-name/password database gets compromised.
Nice guessing. Let me join you. What about the other probable 5%: users with unique login/pw, clean systems and proper security habits?

I've already spent countless work hours of my free time reviewing my home network's firewall logs and file access logs (a nightmare on Windows Server) for the PC I play POE on, searching through password hash databases that could somehow contain my POE pw hash (I don't even use the same login/password anywhere else), and looking for any obscure vulnerabilities I might've missed. I'm actually worried for my security here, but I can't find any problems whatsoever.

All the while, support replies are in the vein of "sorry, your fault, we also won't tell you anything" when they're not just a copy-pasted stock reply. Extremely frustrating.


It could very well be that that 5% may have been punished for simply being human, that is, being careless. Do you recall clicking on any pathofexile link that you received via PMs or whatnot and then being led to the POE site or POE skill tree and having to log in again, even though you're pretty sure you'd logged in before?

It would be nice if you could check your browser history and see if you've visited any sites that looked suspiciously like POE but were not the actual POE URL. It would be helpful if you managed to uncover something like that.
Build of the Week 14
The first Righteous Fire/Non-Shavronne's/Shavronne's HC
Shameless self-proclaimed theory-crafting extraordinaire and forum crusader
"
crazypyro wrote:
"
darkro90 wrote:

I've also tried this not only 10 times but 20 times, with a reasonable delay between each password input, since if you enter it repeatedly you will get a warning message of "trying to login too much in a short time period". And guess what, when I tried my own password after the 20 tries, it still got me logged in.


This is exactly how you counter brute force attacks you moron.



Is it possible that hackers would program their little bots to deliberately wait a certain period of time before trying another password?

Probably...

But if what GGG says is correct, then some of the other suppositions here, that it's not password hacking but session hijacking, describe a completely different issue, and perhaps a much more serious one.
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
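The pacing question raised above, as an added example that is not part of this thread and not GGG's code: a login-failure monitor in Python that keeps the short-window throttle the post describes but also counts failures per account over a much longer window, so attempts spaced out to dodge the throttle still surface. The window sizes and thresholds are assumed values, and the log lines are constructed.

```python
from collections import defaultdict, deque

# Assumed policy values for this example, not GGG's real settings.
SHORT_WINDOW_S = 60        # the "too much in a short time period" throttle
SHORT_WINDOW_MAX = 5
LONG_WINDOW_S = 6 * 3600   # six hours of failures per account
LONG_WINDOW_MAX = 20

class LoginMonitor:
    """Tracks failed logins per account in two sliding windows.

    The short window is what a human trips by retyping quickly.  The long
    window catches a client that deliberately waits between guesses, which
    the short window alone never sees.
    """
    def __init__(self):
        self.fails = defaultdict(deque)   # account -> timestamps of failures

    def record_failure(self, account, ts):
        q = self.fails[account]
        q.append(ts)
        while q and ts - q[0] > LONG_WINDOW_S:   # forget very old failures
            q.popleft()

    def verdict(self, account, ts):
        q = self.fails[account]
        recent = sum(1 for t in q if ts - t <= SHORT_WINDOW_S)
        if recent >= SHORT_WINDOW_MAX:
            return "throttle"   # existing behaviour: slow the client down
        if len(q) >= LONG_WINDOW_MAX:
            return "alert"      # paced guessing: flag for review / step-up auth
        return "ok"

def replay(lines):
    """Feed constructed 'ts account result' lines; return the final verdict per account."""
    mon = LoginMonitor()
    out = {}
    for line in lines:
        ts, account, result = line.split()
        ts = int(ts)
        if result == "FAIL":
            mon.record_failure(account, ts)
        out[account] = mon.verdict(account, ts)
    return out

# Constructed sample: 20 failures on one account, one every 61 seconds, so at
# most one failure ever falls inside the short window and the throttle is silent.
SAMPLE_LOG = [f"{1000 + i * 61} exile_a FAIL" for i in range(20)]
SAMPLE_LOG += ["1100 exile_b FAIL", "1101 exile_b OK"]

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))   # exile_a is flagged, exile_b is fine
```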
Damn...

I have many accounts in many games. Never got hacked in my life until... they hacked my POE account today or yesterday.

At least I do know that this is on my end. POE was the only game where I used my "e-mail for everything" and a password which I also use on some other websites, like a true noob. No clue why I did that. Also, I never used map hacks or anything like that.

They took most of my currency (valuable ones), and some good gems.

I "woke up" in Act 1 Normal in Lioneye's Watch (I'm a lvl 76 ranger). No gear or maps were stolen.
"
MacantSaoir wrote:
They were told it would happen; there was a simple preemptive solution to prevent it happening which EVERYONE knows about (authentication), and it was not taken. It's on GGG, not the userbase. It's common knowledge at this point in gaming that a majority of people play on compromised machines or fail at account security. This is why we have authentication, so you can play even with all the compromised bullshit going on and not get dinged.

So, common knowledge: the majority of people can be compromised, authentication prevents the compromise from happening, so why not authenticate?


I know that some people are quick to jump on this guy, but you can't deny that he has a valid point here.
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
"
VideoGeemer wrote:
Hackers will likely take WHATEVER they can get. What if their system doesn't let them target just rich players? Besides, if all they did was target those individuals, it would be more obvious that this was the work of a hacking group and not just some users who didn't know what they were doing.

Then ask yourself why they can't target the rich players but it's so easy for them to target noob accounts... the answer is pretty obvious.
How Fusings Work: http://www.pathofexile.com/forum/view-thread/38585/page/3#p1451934

IGN: TheHammer
"
MonstaMunch wrote:
"
Thrombo wrote:
To be clear - you don't need a user's password to log in as that user. You can do that with their password hash itself by copy/pasting it into your own ini file and treating it as a saved password. In that respect, GGG may as well be storing the password in the clear locally.

Additionally, it appears that the password hash is stored in memory throughout the execution of the program and not just during the challenge/login process. As such, you'd need only an exploit to gather information about the process in memory (easier than a rootkit or general remote code execution). With such an exploit, a hacker would effectively only need to paste the user's hash into his/her own client with the account name for access.

It's not hard to believe that in a beta client such exploits exist as bugs and have been overlooked. Hopefully GGG will either directly address these soon, if they exist, or come out with authenticators or a similar rotating key-based auth mechanism.

My point was that, while your information is entirely correct, if sessions can be hijacked simply by intercepting the session ID, there is no reason to believe that passwords have been stolen (hashed or not), or that end-user PCs have been infected with anything, kind of like you're describing in your second paragraph.

That's why I'd like some confirmation as to why we're so sure that all these issues are the fault of the players and that nothing is being intercepted before it even gets to them.


These sections are quoted because they're important. Things like this, or something similar which hasn't been speculated about or discovered yet, are probably the reason behind many of these security breaches. Sure, infected machines and phishing sites may account for some of it as well, but these examples should really not be possible in any public game.


"
Edit: I just saw the post above mine. Dear lawd, this is going to get ugly. What happened to "we don't have the functionality to restore characters. We never restore items, no exceptions"? This is just messed up.


No, that's completely different. They never said they *couldn't* restore a single character, but that they couldn't do it en masse when they had no immediate proof that it was the direct doing of GGG.

I'm sure that if they could tell for certain that a GGG staff member personally took one of our items, they'd be able to track them down and restore them too.

Invited to Beta 2012-03-18 / Supporter since 2012-04-08
