Hacked Accounts

"
TehHammer wrote:
"
altaccount wrote:
There is no such correlation - People have lost their primary accounts, people who are security-conscious, people who are closed beta players, people who have bought microtransactions. And like you said it yourself, there are exceptions to the "average stupid player".
People absolutely did SOMETHING for this to happen. They're just too stupid to know what it was, most likely because they were tricked into it.


But you're making a lot of assumptions by declaring that so strongly. In the last several pages of this thread, there have been a few really good examples of ways that could theoretically be used to snag passwords or hijack sessions, which have nothing to do with anything the player did, or could do differently.

Why discount that these are even possible? When you say that they all did *something* ... well, they did choose to play PoE. But other than that, I don't know. A lot of them probably did do something wrong, but you can't say, with positivity, that they all did, given many of the reports in this thread.
Invited to Beta 2012-03-18 / Supporter since 2012-04-08
"
Feriluce wrote:
"
furryseedman wrote:


hahahahahahahaha all these -edit- dling obv hacks and playing it off by saying someone hijacked their account



I am currently trying to pry my palm away from my face.
I have to commend you though. At least you're up front about your stupidity.
I think his assessment was fairly accurate, although I'm pretty sure the hackers were smarter about how they attained some of the emails/passwords. I'd argue that anyone who thinks otherwise is deserving of an extended facepalm for their stupidity.
How Fusings Work: http://www.pathofexile.com/forum/view-thread/38585/page/3#p1451934

IGN: TheHammer
Last edited by peachii on Feb 21, 2013, 5:57:36 PM
"
TehHammer wrote:
"
Thrombo wrote:
TehHammer, you are mistaken here. While it is true that most username/password tuples are gleaned in this fashion, there are often software exploits that involve vulnerabilities in the software itself. Nobody gets a rootkit installed on their machine because they got their WoW password phished, for example. It's naive to think that these two methods are the only ways to compromise an account, and saying so is damaging in this context, because doing so attempts to discredit other valid points that GGG really needs to look into.

Edit: If there is a vulnerability, you may need only to log in to be exposed. I suppose you can argue that is "SOMETHING".

I am arguing that you are completely wrong in your assessment of how people are getting hacked. There is no way people are simply "logging in" to get hacked. If that was the case, the high end players with tons of currency would be the first to get hacked as that's where the profit lies. The sample of who is getting hacked is absolute proof that they aren't hand picking those who "log in" and stealing their info. People are getting hacked because they are doing something stupid, in many cases, they don't KNOW they're doing something stupid. That's called ignorance. Of course they claim they did nothing wrong, they don't KNOW that they did something wrong.


But I have been doing the same thing ever since closed beta back in August when I started, and I have never been hacked in closed beta... only now in open beta have I gotten hacked, and I've done nothing new at all, same routine every day, the only difference is that I played even more when open beta came out... zzz
"
VideoGeemer wrote:
But you're making a lot of assumptions by declaring that so strongly. In the last several pages of this thread, there have been a few really good examples of ways that could theoretically be used to snag passwords or hijack sessions, which have nothing to do with anything the player did, or could do differently.

Why discount that these are even possible? When you say that they all did *something* ... well, they did choose to play PoE. But other than that, I don't know. A lot of them probably did do something wrong, but you can't say, with positivity, that they all did, given many of the reports in this thread.
And you're making a lot of assumptions believing that any of those examples would actually work in the real world. The communication between client and server is secure for a reason (same with web browser and web server).
How Fusings Work: http://www.pathofexile.com/forum/view-thread/38585/page/3#p1451934

IGN: TheHammer
"
Dyrus wrote:
But I have been doing the same thing ever since closed beta back in August when I started, and I have never been hacked in closed beta... only now in open beta have I gotten hacked, and I've done nothing new at all, same routine every day, the only difference is that I played even more when open beta came out... zzz
When someone uses a map hack and knows they did something wrong, they deny, deny, deny. That's obvious. When someone gets pwned from a phishing attempt, if done right, they don't even know they got hacked, hence why so many people think they got hacked because of GGG's lack of security. It all boils down to users knowing what they're doing, using unique passwords and not downloading nefarious software. Everyone who got hacked falls into those 3 categories, if they claim otherwise, they're proving which category they're in, the ignorant one.
How Fusings Work: http://www.pathofexile.com/forum/view-thread/38585/page/3#p1451934

IGN: TheHammer
"
TehHammer wrote:
"
VideoGeemer wrote:
But you're making a lot of assumptions by declaring that so strongly. In the last several pages of this thread, there have been a few really good examples of ways that could theoretically be used to snag passwords or hijack sessions, which have nothing to do with anything the player did, or could do differently.

Why discount that these are even possible? When you say that they all did *something* ... well, they did choose to play PoE. But other than that, I don't know. A lot of them probably did do something wrong, but you can't say, with positivity, that they all did, given many of the reports in this thread.
And you're making a lot of assumptions believing that any of those examples would actually work in the real world. The communication between client and server is secure for a reason (same with web browser and web server).


The packet gets decrypted in memory on your machine. If you like, I can give you the text area offset after that happens and you can print the packet in the clear with a debugger. My point is that it's utterly ignorant to boldly state that everything is secure and people hacked are universally "stupid".

I might add that this-or-that person getting hacked or not getting hacked absolutely does not constitute proof of anything in any capacity.


ign: SeriouslySRSLY
"
TehHammer wrote:
"
Dyrus wrote:
But I have been doing the same thing ever since closed beta back in August when I started, and I have never been hacked in closed beta... only now in open beta have I gotten hacked, and I've done nothing new at all, same routine every day, the only difference is that I played even more when open beta came out... zzz
When someone uses a map hack and knows they did something wrong, they deny, deny, deny. That's obvious. When someone gets pwned from a phishing attempt, if done right, they don't even know they got hacked, hence why so many people think they got hacked because of GGG's lack of security. It all boils down to users knowing what they're doing, using unique passwords and not downloading nefarious software. Everyone who got hacked falls into those 3 categories, if they claim otherwise, they're proving which category they're in, the ignorant one.


Oh you're right, sorry, I was hacked so I must have downloaded hacks / went on websites that said I won 1 billion dollars on PoE, and also used the password: 12345 for everything, wewps sorry my bad, my apologies bro, there couldn't have been any other reason as to why GGG can't even implement a system to stop programs from guessing my password 1,000,000 times a second w/o getting d/ced or stopped, because the programs can do that. Don't believe me? Type in the wrong password and press enter 1,000 times, u won't be locked.
The fact that high profile accounts haven't yet been hacked is not a clear indication that none of these recent hacks are going through the game client or GGG backend infrastructure.

For example, a counterargument: If someone found a bug in the game client (say through a chat or party invite message), they may well begin exploiting that bug by logging in to the game and chatting/inviting people they see in chat or the instance's player list. The targets would, therefore, appear to be somewhat random. Since the percentage of players who are high profile streamers or developers is very small, what is the percentage chance that one of these players would be included in the 'random' sample?

Indeed, if this is how the recent hacks were launched, we would _expect_ that streamers and devs would not be hit first.

Now, to argue that hackers would be too smart to target players at random would be a mistake. We can only guess what their motives and methods are, and I've witnessed plenty of hackers do terribly stupid things.
Last edited by dancaselden on Feb 21, 2013, 6:16:51 PM
"
Thrombo wrote:
The packet gets decrypted in memory on your machine. If you like, I can give you the text area offset after that happens and you can print the packet in the clear with a debugger. My point is that it's utterly ignorant to boldly state that everything is secure and people hacked are universally "stupid".

I might add that this-or-that person getting hacked or not getting hacked absolutely does not constitute proof of anything in any capacity.
So it's in the clear in memory on your computer, big deal. Debugging ANYTHING that uses a password will get you that, if you know what you're doing.

The password isn't sent in the clear over the internet, so this is irrelevant, if people are getting their passwords hacked because their systems are compromised, it goes back to that people being "stupid" thing.
How Fusings Work: http://www.pathofexile.com/forum/view-thread/38585/page/3#p1451934

IGN: TheHammer
"
Dyrus wrote:
Oh you're right, sorry, I was hacked so I must have downloaded hacks / went on websites that said I won 1 billion dollars on PoE, and also used the password: 12345 for everything, wewps sorry my bad, my apologies bro, there couldn't have been any other reason as to why GGG can't even implement a system to stop programs from guessing my password 1,000,000 times a second w/o getting d/ced or stopped, because the programs can do that. Don't believe me? Type in the wrong password and press enter 1,000 times, u won't be locked.
So you're saying, with absolute certainty that they guessed your password using brute force? So how'd they get your email address? Yup...
How Fusings Work: http://www.pathofexile.com/forum/view-thread/38585/page/3#p1451934

IGN: TheHammer
