2011-10-03 Path of Exile brute force attack incident report
Over the weekend our servers were subject to a brute force attack in an attempt to guess login details for Path of Exile.
The attacker used a database of 2,257,699 unique email addresses and attempted 20,396,984 times to log into Path of Exile using these email addresses and guessed passwords. Of the email addresses that were used, only 191 actually corresponded to Path of Exile accounts. Unfortunately the attacker successfully guessed the passwords of 16 user accounts, 1 of which had access to the Path of Exile beta. We have emailed the 16 accounts in question informing them that their account has been compromised, and that they need to change their password to something more secure.

While we had always intended to add a login attempt limit to our login servers, we had not yet implemented one and this is why the attacker was able to make so many attempts within such a short period of time. We will be making the following changes in response to this incident:

1) We will be adding a limit on the number of login attempts that are allowed from a single IP address within a given time frame. We will also restrict login attempts to a particular account within a given time frame.

2) We will be adding the ability to lock an account until the password has been changed in the case that we suspect that an account has been compromised in the future.

We take the security of your account very seriously and as such we take many precautions such as not saving your passwords in clear text in our databases, but ultimately your account is only as secure as your password. We would advise everyone to reconsider how strong their password is, and change any weak passwords to stronger ones.

Path of Exile II - Game Director
Last edited by Jonathan#0000 on Oct 3, 2011, 3:06:54 PM
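The two controls announced above (a per-IP and a per-account attempt limit within a time window, plus a lock that holds an account until its password is changed) sketched in Python as an added example; this is not GGG's code, and the thresholds, IP addresses and email addresses are constructed. It also shows why the per-IP limit matters for the attack described: spraying one guess each across millions of distinct emails never trips a per-account limit.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Sliding-window throttle on failed logins, keyed by source IP and by account."""

    def __init__(self, ip_limit=20, account_limit=5, window_seconds=600):
        self.ip_limit, self.account_limit, self.window = ip_limit, account_limit, window_seconds
        self._ip_fails = defaultdict(deque)   # ip -> timestamps of failed attempts
        self._acct_fails = defaultdict(deque) # email -> timestamps of failed attempts
        self._locked = set()                  # accounts locked until a password change

    def _prune(self, q, now):
        # Forget failures older than the window, so limits apply "within a given time frame".
        while q and now - q[0] > self.window:
            q.popleft()

    def check(self, ip, email, now):
        """Return a refusal reason, or None if the attempt may proceed to the password check."""
        if email in self._locked:
            return "account_locked"
        ipq = self._ip_fails[ip]
        self._prune(ipq, now)
        if len(ipq) >= self.ip_limit:
            return "ip_rate_limited"
        aq = self._acct_fails[email]
        self._prune(aq, now)
        if len(aq) >= self.account_limit:
            return "account_rate_limited"
        return None

    def record_failure(self, ip, email, now):
        self._ip_fails[ip].append(now)
        self._acct_fails[email].append(now)

    def lock_until_password_change(self, email):
        self._locked.add(email)

    def password_changed(self, email):
        self._locked.discard(email)

def simulate(guard, attempts):
    """Replay (time, ip, email) attempts, all with wrong passwords (constructed);
    return how many reached the password check and a tally of refusal reasons."""
    reached, refused = 0, defaultdict(int)
    for t, ip, email in attempts:
        reason = guard.check(ip, email, t)
        if reason:
            refused[reason] += 1
            continue
        reached += 1
        guard.record_failure(ip, email, t)
    return reached, dict(refused)

# Constructed: one IP sprays 50 distinct emails, one guess each, over 50 seconds.
SPRAY = [(t, "203.0.113.7", f"user{t}@example.invalid") for t in range(50)]
# Constructed: 30 different IPs each guess once against the same account.
DISTRIBUTED = [(t, f"198.51.100.{t}", "target@example.invalid") for t in range(30)]
```

Running `simulate(LoginGuard(), SPRAY)` lets only the first 20 guesses through on the IP limit, while `simulate(LoginGuard(), DISTRIBUTED)` stops at 5 on the account limit.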
Sad, sad people out there in the world.
Good to see an announcement and adequate response. Closed Beta/Alpha Tester back after a 10-year hiatus.
First in the credits!
Agreed, it's a shame what people have become. Thanks for the timely response tho :)
Sheesh.
I mean, the game is excellent, but attacking the servers to try and guess a password?
IRON MAN
Brute force attack. This tells me that the compromised beta account probably had a very poor password. To those who are unaware, here is a website that can be of use in choosing a proper password to protect yourself and others (in this case GGG) from dealing with unfortunate bullshit.
https://www.grc.com/haystack.htm
At least it was a relatively simple unsophisticated attack that can easily be blocked. As the game continues to grow more popular this will only become a bigger problem.
Forum Sheriff
Perhaps have the option to "lock account" when you log off would be a good idea.
The only way to get it unlocked would be to click a confirmation email sent to the email address. The loophole in this being, obviously, that if your email password is the same as your PoE password, there ya go. It's common practice for those who know to keep all passwords different and completely unrelated to yourself. I.e. your name is John Doe, don't make your password Johndoe1232, likewise with your birth date etc. Keep it completely random, use a password generator. To avoid keylogging, save your password to a word document, and whenever you log in, just copy it and paste it.
Last edited by lagnugget#0810 on Oct 2, 2011, 11:35:14 PM
Thank you for the quick, efficient response, GGG.
The steps you are taking should be sufficient, although I would recommend you also include the requirement that people include at least one (1) number and one (1) capital letter in their passwords. In this day and age, with the ability to do things like brute force over proxy servers, change MAC addresses, and other such tools, an attacker who is more sophisticated could still cause problems attacking all accounts with simple passwords (123456, password, etc.). These kinds of attacks are incredibly common and fairly easily mitigated, and I'm very glad nothing was seriously compromised. Your detailed incident reports and your ability to be honest, forward, and list a plan of action in rectifying the situation are stellar customer service and only reflect well on you. Thanks a bunch :)
My writing/adventures through Path of Exile
http://ryukaki.com
Bravo on handling this quickly and efficiently. Keep up the good work, GGG! ;D.
Praise Beta Keysus!
Or else.
That's what the beta timer does to people! Turns them into criminal wannabes :D oh no!
As always, great job on communicating these issues. Keep it up!