Potential User Data Breach

MFA?
Settlers master craft service Settlers My IGN TreeOfDead
https://www.pathofexile.com/forum/view-thread/2037371 Vouch
Settlers veiled crafting all service all crafts mods
Settlers SC master craft service Settlers SC craft mod!
Veiled crafting Service Settlers craft PM: TreeOfDead
"
TreeOfDead wrote:
MFA?


Multi-Factor Authentication.

Regards.
First: thanks a lot to GGG for letting us know.
Unbreakable security does not exist, you can only hope to make it "strong enough". Everything that's connected to the internet is at risk. But it shows great conviction/morale/strength of character to admit a security breach: GGG is an example of how to do it right (Yahoo is a great example of why covering up is bad).

"
whitelytning wrote:
Can someone explain what "salted and hashed" means to non-computer people. Sounds like a delicious breakfast option to me.

Salted means they mix your plaintext password with something (their secret salt) that is unique to your account and hashed means they recalculate/encrypt the password before storing. This is security best practice 1-0-1. Never store plaintext passwords.
This means that breaking those passwords is going to be long and difficult for the thieves, and hopefully they will not succeed: that's why long/difficult passwords are important, the longer and more weird symbols your password has, the more difficult it will be to reverse engineer them.
If you cannot remember those long complicated passwords, use a tool like KeePass.

To the people asking for second passwords and such:
Second passwords don't add more security, that's why security people advocate 2FA/MFA.
The idea behind this that you need to hand over 2 different things for authentication.
passwords = something you know
code sent to your mobile/mail = something you have
fingerprint = something you "are" (biometrics)

Stealing 2 passwords is easier than stealing your password AND access to your mail account. Hence why it is so important to have different passwords and different mails for different things.
__________________________

"
hunter_AS wrote:
This does not inspire a lot of confidence. If you severed internet connections and started immediately reformatting without performing imaging on the affected systems, it shows that you clearly do not have capable incident responders on staff. With that being known, I sincerely doubt the security measures you put in place are adequate, unless you have identified root cause, which is once again hard to do when you immediately start erasing evidence. Along with this, if there was potential proof that sensitive information was accessed, you are wiping this out as well.

We don't know if they did a bit-by-bit copy of their systems before wiping. Assuming things when we don't have intel is pointless/fear-mongering. It would be counterproductive to the investigation if they were telling us any details: I don't know about NZ law, but EU law would require that you leak NO information about an ongoing investigation/prosecution (that's lawyer 1-0-1).

As the specialist you claim to be, you should know that all companies need to weigh risk vs. reward. In this case: risk of erasing breach intel vs. reward of catching the hacker (worldwide, extradition, ...) and getting compensation (Blizzard? Russians/NSA? Script kiddie? Aliens?). Risk of losing customers due to the service being down, vs. reward of restoring quickly to keep the business running and apologizing to customers.
__________________________

Something that worries me a lot after reading all of these posts is:
nearly everybody seems concerned about their gaming experience... hacked PoE/Steam accounts, loss of items, characters, ...

The hackers might well not care about our virtual pixels in a free game that finances through a bunch of cosmetic microtransactions.

Another possible use of potentially leaked information is identity theft and phishing.
A falsified mail might be sent to you, pretending to be from your bank and trying to look authentic/trustworthy by quoting some of your personal data (spear phishing), asking you to log into a forged website so they can steal your online banking access.

A lot of gamers need to wake up and realize that their characters in a game are not as critical as personal data that could be the first stage to the theft of their bank account!
Last edited by SpectralVortex#7988 on Apr 2, 2017, 9:37:45 AM
"
SpectralVortex wrote:
[SpectralVortex's post above, quoted in full]


For some of us there is more to lose on our PoE account than our bank account. Just saying.
Carry on my waypoint son, there'll be peace when maps are done.
Lay your portal gem to rest, don't you die no more.

'Cause it's a bitter sweet symphony this league.
Try to make maps meet, you're a slave to the meta, then you leave.
"
silumit wrote:
"
NanoDestiny wrote:
"
Rhow wrote:
Simply put, just having long passwords which you can memorize is enough. 12-16 letters, all lowercase, even if there are no numbers in your password, will take exponentially more time to crack than 6-8 random-symbol crap.


This isn't necessarily true. Yes, if they are all symbols, it doesn't matter as that is still one character set.

However, from a brute-force perspective, you can determine a charset you want to use, whether that is lalpha, ualpha, numeric, mixedalpha-numeric, etc. The number of calculations is drastically different.

Different combinations = number of possible characters ^ password length

It's much easier to change the number of possible characters from 26 (lalpha or ualpha) to 52 (mixedalpha) by changing a single character from lalpha to an ualpha.

E.g.
16 characters in lalpha = 26^16
17 characters in lalpha = 26^17
16 characters in mixedalpha = 52^16

Far easier, and drastically more calculations to just double the character set.

Regardless, I came here to say thank you to GGG.

Thanks for the insight GGG.
Even easier if those 12-16 letters are actually 2-4 common words concatenated together.


It's obvious that concatenated words are the "key feature". =)
Interestingly enough, the more unrelated the words combined in such a password are, the more unique and easier to memorize they are. Imagination is the limit.
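As an added example that is not from the thread, the arithmetic behind the 26^16 vs. 52^16 comparison above, carried a step further to the word-concatenation idea: a passphrase's strength should be estimated against an attacker who knows the scheme (N words from a known list), not against a naive letter-by-letter model, which is the caveat the thread does not spell out. The toy word list, the 7776-entry list size and the 1e10 guesses/s rate are assumptions for illustration.

```python
"""Added example: brute-force search space and entropy for the cases
discussed in the thread, plus the attacker-model caveat for passphrases.
Not from the thread; the rate and list sizes below are assumptions."""
import math
import secrets
from typing import Dict, List, Tuple


def search_space(charset_size: int, length: int) -> int:
    """Candidates a brute-force attacker must try in the worst case."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the search space: the usual 'bits of strength' figure."""
    return length * math.log2(charset_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Strength if the attacker knows the scheme (N words from a known list).
    This, not the raw letter count, is the honest estimate: the attacker
    enumerates the dictionary, not the alphabet."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate 2^bits guesses at the given rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


# Constructed toy word list (assumption); real lists such as diceware have
# 7776 or more entries, which is what the 7776 below stands for.
TOY_WORDS: List[str] = ["anvil", "breeze", "cobalt", "dune",
                        "ember", "fjord", "gravel", "harbor"]


def make_passphrase(words: List[str], count: int) -> str:
    """Draw words with a CSPRNG (secrets, not random) and keep the draw as-is:
    hand-picking 'related' words shrinks the space the attacker must search."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_thread_cases(guesses_per_second: float = 1e10) -> Dict[str, Tuple[float, float]]:
    """The three cases from the thread plus a 4-word passphrase, as
    (bits, worst-case years at the assumed guess rate)."""
    cases = {
        "16 lowercase": entropy_bits(26, 16),
        "17 lowercase": entropy_bits(26, 17),
        "16 mixed case": entropy_bits(52, 16),
        "4 words of 7776 (attacker knows the list)": passphrase_bits(4, 7776),
        "4 words of 7776 (naive 20-letter lowercase model)": entropy_bits(26, 20),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_thread_cases().items():
        print(f"{name:52s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    print("sample passphrase:", make_passphrase(TOY_WORDS, 4))
```

Run it and the two rows for the same 4-word phrase differ by about 40 bits: roughly 52 bits against someone who knows you used a 7776-word list, 94 bits against someone who treats it as 20 arbitrary lowercase letters. Adding a fifth random word buys more than adding symbols to one of them.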
"
destrock wrote:
I use a 30+ character one because I've been hacked in the past :D I can't even remember it, it's too hard, I have to copy-paste it from a file hahaha! Looks like it was a good idea on my part :P


Never ever copy and paste passwords! That completely negates the safety of a long password!

Most harmful software will be viewing/sending the clipboard first of all which will hold your precious password if you do that.

Things like keyloggers will also get it when you type. There is a way around most of those by using an on-screen keyboard. :P
Hey Chris, have you looked into Blockchain tech and how it might help you with this situation?
PoE-TradeMacro - https://github.com/PoE-TradeMacro/POE-TradeMacro/
ExileTrade - http://exiletrade.github.io/
