The 0.10.1d account changes

my computer and browser are clean. i don't click stupid links or open fake emails. my account details aren't shared anywhere. i have 3 years of college in computers, with a focus in cisco networks and network security.

i find it absurd that GGG is taking this stance and not claiming any responsibility for the recent screw-up with the implementation of 10.1d. my account got hacked only AFTER 10.1d was released, BEFORE i logged in under the new update! suspicious timing indeed!

GGG broke rule number one in network security: never disclose what you are doing. well, GGG let us all know ahead of time that this was going to be a security update! thanks for the warning GGG! you just told all the hackers "hey, if you're sitting on a bunch of account details that don't belong to you... we know how hackers like to sit on those things for a long time... well now's the time to use them and cash in before we lock you out with this new feature that will require email verification"

the above wouldn't have been so bad if the actual patch came with one glaringly absent security check! GGG should have had every single person who logged in after 10.1d to first verify through email. GGG did not do that. that's where GGG messed up.

and where did these hackers get these account details? if you fanbois and blowhards think that everyone who got hacked was just some rookie, you're in denial.

the fact that GGG just can't own up to this, and the fact that they expect us to just live with it because they only have 8 employees, and they can't possibly check into every case... it's BS. you can check into it, but you just won't bother. i live in kansas city. i bet the person who stole my items logged in from another country and I'm sure GGG has the records to prove it, but fuck it. policy is set in stone so what are we going to do? wait for it to happen again, with another blame on how it's our fault our account details got into hacker hands?

I put in over $150 into this game to support GGG during closed beta, and what do i get in return? I know you have a free to play game here, but you can't run a service at a scale like this with a skeleton crew of 8 guys. it's absurd.
i now know that GGG is running a skeleton crew, and nobody is going to lose their job, but let me tell you -

in the real world of network security, if you were the guy who went live with a software patch, and forgot to implement the missing security check that 10.1d was missing, you wouldn't have a job the next day. that's guaranteed.

so GGG, you need to get your shit together. it goes without saying "don't let that happen again" but i'm still upset that... you aren't even acknowledging that this security check SHOULD have accompanied the release of 10.1d. you should never have let anyone log in to 10.1d on faith. especially since you publicly posted that you were introducing new security features with this patch. it just allowed the hacker one last chance to hack some accounts before email verification would be required.

i'm not the only one who woke up late and tried to login to 10.1d hours after it was released, only to find out some hacker logged in before me... and now my ip/city is somehow "new" and "different" than what you have on file! it's outrageous you would put one on file without an email verification....

you have the nerve to tell the players they are to blame, but this falls squarely on GGG's shoulders!


to GGG:
fyi, i suggest you implement what i described above, because as of now, hackers are probably still able to hack people without said email confirmation, so long as those players haven't logged into the game since the 10.1d patch, and i'm sure there are still thousands of players who have an account but haven't logged in in the last few days.

their accounts are still not secure because you are failing to ask for a simple email verification upon first try post-10.1d!

Whoever stole, stole just orbs from me, no uniques or qual gems, so we can think it's a bot, and added one guy to my friend list, PIXARART, prob to transfer items, just check the trades from his trades i dunno.


Anyway, as i said to other ppl, "shit happens" so just get back to the game and have fun xD

When I played Diablo2, my shit got stolen off my account at least 5 times. When I played WoW, twice. My email accounts were broken into as well.

I know EVERY SINGLE REASON why I was targeted, and each time it was my fault.

Now I change my passwords monthly, they are decently complex, and I use a different password for each website. It's been several years and nothing I have ever done was touched.


Learn to use passwords, and learn that no matter what, nothing is 100% safe. To even remotely think this is ignorant.
IGN JimansNotSummoner

Yeah well, I've got a clean browser etc. etc., I'm pretty cautious, got like a 14 mixed worded password, and after this patch I log in and my stash is almost completely cleaned out, and this was after the patch, so either someone happened to get on my account and take my crap or the patch deleted my stuff.

Guys, why do you have to come up with convoluted security measures when proven and reliable methods of securing accounts are so commonly available? These unlock codes for ip changes are always going to be an inconvenience to somebody.
What you can do is add support for http://code.google.com/p/google-authenticator/ into your game and allow users to authenticate an ip for, say, a week. This kind of security is the most convenient and foolproof way of securing accounts.

infected wrote: "my computer and browser are clean."

my wife isn't cheating on me either, i'm sure.
how are you so sure your computer is clean? do you scan regularly from an uninfected boot-system? you're sure your router hasn't got the upnp vulnerability in its firmware?
never ever met a serious network security expert who runs windows and says he's clean.

infected wrote: "in the real world of network security..."

bigger and more unprofessional fuckups happen, companies go bankrupt because of this, you name it, but you probably have just finished studying.
and chris has apologized for not implementing this earlier, what more do you expect him to do? come to cowboy country to apologize personally? give back your items?

seriously, calm down. you got hacked because somebody learned your account details.

infected wrote: "GGG should have had every single person who logged in after 10.1d to first verify through email."

isn't there a verification when registering? and if you applied during closed beta you needed a valid email address to get the code sent to you.

infected wrote: "GGG is just recording the hometown/ip of the first login and subjecting all following logins to match the first. this doesn't help in the slightest bit when the hacker is the first one to login to your account."

where's the problem?
if you don't login into 0.10.1d the new security fixes don't apply to you.
ggg needed to announce the new security measures in advance so people update and login asap.

if you got screwed before the update just try to login, get the unlock-code from your email account and log on again and so correct your hometown-ip entry on the server.


age and treachery will triumph over youth and skill!

geredon, you have reading comprehension problems.

it doesn't matter if you've been a member of this website for over a year, GGG is just now implementing this feature. clearly GGG has no record of your ip/city/hometown until you login to 10.1d. otherwise i would not have been told by an email that i was logging in from a new city that they did not have on file!

if GGG had that info prior to 10.1d then the hacker wouldn't have been able to bypass the new security measure by logging into 10.1d before me. yeah man, if i had just been online the very minute 10.1d went live i might have beat the hacker and locked him out... (because i know my email account isn't compromised and had the hacker been subjected to email verification the hacker wouldn't have got squat)

the fact is that i don't care about getting my items back. i care that GGG hasn't patched 10.1d to secure everyone's accounts from hackers. as of now the only way to force the new features to protect you is to login... well there are thousands of inactive players who have not logged in yet.... and that is allowing the hackers to continue to hack those accounts without being subjected to the email verification... BECAUSE GGG is allowing the first attempt at login to go through no questions asked.

i said that i got hacked AFTER 10.1d was released.... the security measures added do not stop hackers from attacking "inactive" players (players that have yet to login since the update). if GGG wanted everyone's accounts to be safe with the current features, then GGG would force every account that tries to login for the first time since the update to do an email verification.

it's now been days and GGG hasn't even acknowledged that loophole exists. a loophole that can only be closed by GGG. until then the hackers are going to continue to target "inactive" accounts. i'm sure we all have friends who haven't logged on in the last couple days... they aren't safe. you've been warned.

A new, immediate patch should enforce email verification for any user, upon their 1st attempt to log in using this patch, before they are able to log in to their account. An inconvenience for most, but it will save from lots of hacker attempts based on hacked user catalogs. It should also disable the ability to change the email address using the website login. Simple as that, and I believe it can be implemented fast enough to secure the thousands of users who have not yet used the 0.10.1D patch. It could also introduce the ability to disable the city/IP check (make it optional) after the 1st email verification.
* Specifically about changing the password using the website, this should 100% be enhanced, by having to use email verification again, before changing the password.
* Same for changing the email address.

* In the future, a smartphone validating application could be introduced, for both.
Last edited by aryosgr#3381 on Feb 24, 2013, 8:57:18 AM

infected wrote: "clearly GGG has no record of your ip/city/hometown until you login to 10.1d."

true, your first login initializes the security measures.

true, the attack on you had an unlucky timing. in your case it would have been helpful if everybody patching to 0.10.1d had to verify his location by using the unlock code in the email first.

ggg was probably assuming that an account is not generally hacked and having all users verify their email by locking per default would have brought massive support work especially from people who haven't logged in for a longer time and so didn't know about the new security measures.
as it was implemented they can continue playing without interruption.

i'm really not a ggg fanboi (sry for trolling in the first post) but i still think how it was implemented is the best way for all to go.

@reading comprehension problems, true, i'm a bit stressed at the moment.
age and treachery will triumph over youth and skill!
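
The first-login gap argued over in this thread, as an added example that is not part of any post and not GGG's code: it contrasts enrolling whatever location logs in first with requiring an emailed unlock code before any location is recorded. `Account`, `login`, `enroll_on_first_use` and the location labels are hypothetical, the password check is assumed to have passed, and the emailed code is modeled as a field only the mailbox owner can read.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Account:
    known_locations: Set[str] = field(default_factory=set)  # empty until first post-patch login
    pending_code: Optional[str] = None  # stands in for the unlock code emailed to the owner


def login(acct: Account, location: str, enroll_on_first_use: bool,
          unlock_code: Optional[str] = None) -> str:
    """Location gate only; the password is assumed to have been accepted already."""
    if location in acct.known_locations:
        return "ok"
    if enroll_on_first_use and not acct.known_locations:
        # Trust on first use: whoever logs in first defines the baseline.
        acct.known_locations.add(location)
        return "ok"
    if unlock_code and acct.pending_code and hmac.compare_digest(unlock_code, acct.pending_code):
        acct.known_locations.add(location)  # caller has proven control of the mailbox
        acct.pending_code = None
        return "ok"
    acct.pending_code = secrets.token_hex(4)  # a real system would email this code
    return "locked"


def scenario(enroll_on_first_use: bool):
    """Constructed sequence: a stolen password is used first, then the owner logs in."""
    acct = Account()
    intruder_first = login(acct, "other-city", enroll_on_first_use)
    owner_first = login(acct, "owner-city", enroll_on_first_use)
    code = acct.pending_code  # only the mailbox owner can read this
    owner_with_code = login(acct, "owner-city", enroll_on_first_use, code)
    intruder_again = login(acct, "other-city", enroll_on_first_use)
    return intruder_first, owner_first, owner_with_code, intruder_again


if __name__ == "__main__":
    print("enroll on first login  :", scenario(True))
    print("verify before enrolling:", scenario(False))
```

With enrollment on first login, the intruder's location becomes the baseline and stays trusted even after the owner unlocks; with verification before enrollment, only the mailbox holder can ever add a location.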