Hacked Accounts

ban whole asia plx, no more hacks or goldsellers =)

"

torion wrote:

ban whole asia plx, no more hacks or goldsellers =)

Trolls nowadays. . . .

"

Drago81 wrote:

"

Gya wrote:

"

Justinan wrote:

Since Today my account is locked every so often, because POE thinks that someone from a different region tries to lock in which isnt true as i changed my password several times and my e-mail password aswell. I hope GGG will fix this bug fastly because its frustrating to say the least.

I got the exact same problem everyday. I'm not sure how works the localisation system exactly, but it seems to not always be accurate, each time i checked the mail to get the validation code, the person who supposedly tried to log into my account was living very close to me or even in the same city. I live in France by the way, not sure if this detail really helps.

The same thing has been happening to me the past couple of days. My account gets locked every day because it was accessed from another location, but it's always a city pretty close to where I live, and no items are stolen. I'm checking my PC for malware. I don't use any add-ons or hacks for PoE and my windows installation is just over a month old. I suspect it's a bug, but I'm not sure.

Its affecting Dynamic IP for all I know.

I was attempting to post this in the pertinent thread, but it got locked while I was writing this and redirected here, so hopefully the op will see it.

"

Morgawr wrote:

Read up on cryptography, bruteforcing complexity and bruteforcing algorithms, you will then understand how wrong you are.

lol

I think that someone definitely needs to read up on brute forcing passwords. The last time I had to crack a 14 character password that was just random letters and numbers took 41 minutes, and that was in 2003. Since then, processors have gotten a lot more powerful, hackers have figured out how to get their video cards (the ultimate number cruncher processors) to crack for them, and processors are now multi-cored - doubling, tripling, quadrupling or more their capability to crunch numbers simultaneously.

The fact you did not use any symbols at all in your password shows you are not as security conscious as you think you are. The addition of a single symbol instead of just numbers and letters increases that same 14 character password brute force cracking to days if not more than a month. Combinations and permutations of 26+26 (upper and lowercase letters) + 10 numbers gives a total pool of characters of only 62, add in symbols and that original pool goes into the hundreds, if not thousands (depending on the character set you introduce).

The resulting pool of possible passwords becomes beyond astronomical as you increase the base set of characters.

Most brute forcing routines allow you to set the character pool, and most crackers only attempt to crack passwords that are only using upper and lowercase letters and numbers, if that fails, they move on to next account to attempt cracking because to attempt a full brute force with all possible symbols would be a waste of time.

If that was not enough, you definitely log in to the website here using a browser program. Even in Linux, these are constantly getting security updates and fixes due to people figuring out how to circumvent internal safeguards.

I know its frustrating that you got hacked, but to point fingers without really researching possible causes is irresponsible.


TLDR: The fact that random accounts and not the most visible and richest accounts are being "Hacked" invalidates the assumption that there was a security breach on GGG's part.

Morgawr was also trying to refute other people's anecdotes with a single, one-off anecdote relying on our belief that he's infallible.

I wouldn't worry too much on pushing that argument forward.

Users make mistakes and it hurts the user. The user cannot recognize this, and instead blames someone else, in this case, GGG.

"

Punkonjunk wrote:

Morgawr was also trying to refute other people's anecdotes with a single, one-off anecdote relying on our belief that he's infallible.

I wouldn't worry too much on pushing that argument forward.

Users make mistakes and it hurts the user. The user cannot recognize this, and instead blames someone else, in this case, GGG.

Yep, that guy is a noob.

Guy prob entered his information on some china gold poe site or something.

Or downloaded some poe hack and didn't know it was infested with a keylogger, then he crys and blames GGG for it? Fvcking LOL!

This whole thread is full of kids crying cuz of their own dam fault, Chris is spending way to much of his time with you guys, grow up and learn how the internet works for crying out loud, this shit is getting pathetic.

"

Nightwing55 wrote:

I think that someone definitely needs to read up on brute forcing passwords. The last time I had to crack a 14 character password that was just random letters and numbers took 41 minutes <snip>

So are you suggesting that the hashes were leaked and people are bruteforcing them locally or are you saying that GGG has a poor lockout policy and a lack of bruteforce detection on their servers? Neither of these possibilities reflect too well on GGG.

"

monkuar wrote:

Yep, that guy is a noob.

If you want to berate someone as a newcomer you should probably check first to make sure that they haven't been here six times longer than you.

"

monkuar wrote:

Guy prob entered his information on some china gold poe site or something.

Or downloaded some poe hack and didn't know it was infested with a keylogger, then he crys and blames GGG for it? Fvcking LOL!

Sounds like you're speaking from experience. I know personally that Morgawr refuses to use Stash Analyzers, even one made by a mutual friend who is quite trustworthy. I daresay he is paranoid if anything.

"

monkuar wrote:

This whole thread is full of kids crying cuz of their own dam fault

And ignorant nay-sayers like yourself who only serve to lower the signal-to-noise ratio of this thread. I'm certain that there are plenty of people in this thread who were compromised by their own negligence but that is no excuse to just blindly victim blame everyone and advocate not investigating the possibility of provider-level breaches.

"

monkuar wrote:

this shit is getting pathetic.

I agree. It's sad to see a potentially great game brought down by a vitriolic community.

"

Punkonjunk wrote:

Morgawr was also trying to refute other people's anecdotes with a single, one-off anecdote

The thing about anecdotes is you don't refute them. They are completely meaningless unless they suggest something wildly different from the norm. "Works for me" is a fairly pointless statement, "Works for me so I don't believe it doesn't work for you" is completely moronic.

"

Punkonjunk wrote:

relying on our belief that he's infallible.

That would be a mistake (though I strongly doubt that was his intention). It would be much safer to rely on your belief that GGG is infallible.

"

Punkonjunk wrote:

Users make mistakes and it hurts the user. The user cannot recognize this, and instead blames someone else, in this case, GGG.

There are many situations where I would say the same, however I do not feel that GGG is taking account security seriously enough. Why can we not view our access logs? Trade logs? Stash logs? Party logs? These would make it trivial for victims to do the detective work themselves and put forward the suspicious accounts to support staff for them to investigate repeat "offenders".

I'm not saying there should be recompense, Chris is right on the money in that that would instigate falsified claims. I'm saying there should be retribution, and that claims of security breaches should be investigated rather than drowned out by the Volunteer Defence Force with their "nothing to see here" attitude towards posting.

"

Nightwing55 wrote:

TLDR: The fact that random accounts and not the most visible and richest accounts are being "Hacked" invalidates the assumption that there was a security breach on GGG's part.

I'm not going to bother with the whole "lel I cracked 14 char random pass in 41 mins XDDDD" because it's idiotic by itself, you're not taking into account latency, remote requests (and response), anti-bruteforce/spam countermeasures that I hope are enabled on GGG's system (else I *seriously* hope they add such a thing because.. what the fuck, it's 2013 already).

I fully acknowledged that my password wasn't the "strongest" of them all, but it did contain multiple numbers and upper/lower case letters. That alone would make it strong against dictionary attacks, rainbow table attacks, poor hashing/salting and generic bruteforcing increasing the space of collisions for passwords by a decent amount (not the perfect, as I already stated, but strong enough for a simple videogame, this isn't my bank after all).

With all this said, I'm not going to bother to reply to all the other personal attacks from other posters as Birdulon pretty much said what I wanted to say and I appreciate it.

I never tried to complain that my account was hacked hence I should've gotten something back, let me reinstate: I do not give a rat's ass about 3x stacks of chaos orbs that were stolen. I play this game for fun, I don't really mind *at all* (although I play on the Hardcore server, it's still for fun).

I just wanted to point out that I'm almost positive that the security was breached somehow and that the admins and developers should be more conscious about it before labeling it as a user's error. Yes, it *could* be my error, I acknowledged that plenty of times already in the other thread, but knowing myself I see it very very very unlikely.

You guys are free to believe whatever you want, that won't give me any chaos orbs back and I don't really care, but going around telling everyone who might have a legit claim that they are "noobs" and they don't know what they're talking about is very counterproductive. (Trust me, I do know what I'm talking about, I find penis-waving on the internet to be ridiculously idiotic so I won't do that here but I know what I am talking about way more than the common forum poster)

"

Morgawr wrote:

"

Nightwing55 wrote:

TLDR: The fact that random accounts and not the most visible and richest accounts are being "Hacked" invalidates the assumption that there was a security breach on GGG's part.

I'm not going to bother with the whole "lel I cracked 14 char random pass in 41 mins XDDDD" because it's idiotic by itself, you're not taking into account latency, remote requests (and response), anti-bruteforce/spam countermeasures that I hope are enabled on GGG's system (else I *seriously* hope they add such a thing because.. what the fuck, it's 2013 already).

I fully acknowledged that my password wasn't the "strongest" of them all, but it did contain multiple numbers and upper/lower case letters. That alone would make it strong against dictionary attacks, rainbow table attacks, poor hashing/salting and generic bruteforcing increasing the space of collisions for passwords by a decent amount (not the perfect, as I already stated, but strong enough for a simple videogame, this isn't my bank after all).

With all this said, I'm not going to bother to reply to all the other personal attacks from other posters as Birdulon pretty much said what I wanted to say and I appreciate it.

I never tried to complain that my account was hacked hence I should've gotten something back, let me reinstate: I do not give a rat's ass about 3x stacks of chaos orbs that were stolen. I play this game for fun, I don't really mind *at all* (although I play on the Hardcore server, it's still for fun).

I just wanted to point out that I'm almost positive that the security was breached somehow and that the admins and developers should be more conscious about it before labeling it as a user's error. Yes, it *could* be my error, I acknowledged that plenty of times already in the other thread, but knowing myself I see it very very very unlikely.

You guys are free to believe whatever you want, that won't give me any chaos orbs back and I don't really care, but going around telling everyone who might have a legit claim that they are "noobs" and they don't know what they're talking about is very counterproductive. (Trust me, I do know what I'm talking about, I find penis-waving on the internet to be ridiculously idiotic so I won't do that here but I know what I am talking about way more than the common forum poster)

+1 but people will just have bad things to say.

I guess he liked your shop

"

Morgawr wrote:

I just wanted to point out that I'm almost positive that the security was breached somehow and that the admins and developers should be more conscious about it before labeling it as a user's error.

You did not account for the most common case: password re-use.
I don't support telling people that they're idiots, nor any of the people who have used this thread for trolling.
I do support investigating all probable causes before assigning blame.