Data Breach Notification
For those who were hacked in this incident and had their accounts locked for several weeks, despite having paid to play Early Access, will there be any compensation for them?
Ty for the transparency!
" This could have happened at any time. This account was set up like this for so long and only compromised a few months ago. Chris wouldn't have saved this. This is honestly more information than they needed to give about the breach.
" A LOT of company emails are just name.surname@company.com. Find a list of people at the company and look for accounts that are related to that person's name. If you knew my name you'd be able to spam my work email EASY. Then go and try to access accounts I made with that email. We have MFA on everything we log in to directly associated with our company, but some things are not directly linked with our company and thus are accessed with an account made on that platform itself. It's possible, and seeing how frustrated, angry, and saddened by the event Jonathan was when talking about it live, I don't doubt they are taking everything into review to plug up all these holes. 10 years of debt is rough.
It seems like you have a list of accessed accounts from your webserver logs.
Will you inform these individuals? Could you focus on unlocking the affected accounts instead of letting them rot for weeks? Since nothing could have been done on the user side to prevent this (even if your password was unique and complex, the hacker had a button to just change it) - will there be any compensation? How do you ensure that the stolen data is not used later on to recover accounts from your support?
" 10 years isn't enough, this is 20 years behind at least. If I had things this open when I did my certs back then, I would have failed them on the first step where a business critical account was accessible from an outside network with no MFA at all. If you (GGG) didn't set up logging correctly from the get-go and never checked if the logs are sane in the first 15 years of production? If you don't manage your devices used to access BC accounts? If you don't have whitelisted machines inside the office being the only ones able to access the support system? If you have not set up tunneling through VPN to access said machines from the outside with MFA only for remote work purposes? No alerts on a "significant number of accounts" being accessed in a manner that is not normal for a human? You messed up. Next you'll tell me that they've never actually tested their backups for recovery and not checked if the NFC readers on the front door are tampered with? You know, here's a free security audit: walk to any machine at the office and wiggle the mouse, one of them will be left unlocked, open the browser, go to the admin page and use the saved credentials on the machine to log in to it. If this didn't work, I'll be amazed. Last edited by Arakki#6986 on Jan 15, 2025, 3:28:21 AM
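The post above calls for two controls the thread says were missing: an office-only allowlist for the support system and an alert when one admin touches an abnormal number of accounts. As an added illustration (not code from the thread or from GGG), the following detector runs both checks over a constructed support-portal log; the log format, the office network prefix, the 10-minute window and the 20-account threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example, not a real product's format).
LINE_RE = re.compile(r"^(?P<ts>\S+) admin=(?P<admin>\S+) action=(?P<action>\S+) "
                     r"target=(?P<target>\S+) src=(?P<src>\S+)$")
OFFICE_NETS = ("10.0.0.",)           # assumed office allowlist prefix
WINDOW = timedelta(minutes=10)       # assumed sliding window
MAX_DISTINCT_ACCOUNTS = 20           # assumed ceiling for one human agent per window

def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def find_anomalies(events):
    """Return (kind, admin, detail, ts) alerts: off-network use and mass account access."""
    alerts, seen_src, by_admin = [], set(), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["src"].startswith(OFFICE_NETS) and (e["admin"], e["src"]) not in seen_src:
            seen_src.add((e["admin"], e["src"]))            # one alert per admin/source pair
            alerts.append(("off_network_access", e["admin"], e["src"], e["ts"]))
        by_admin[e["admin"]].append(e)
    for admin, evs in by_admin.items():
        start = 0
        for end in range(len(evs)):                         # sliding window over sorted events
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            distinct = {x["target"] for x in evs[start:end + 1]}
            if len(distinct) >= MAX_DISTINCT_ACCOUNTS:
                alerts.append(("mass_account_access", admin, len(distinct), evs[end]["ts"]))
                break                                       # first crossing is enough to alert
    return alerts

def build_sample_log():
    """Constructed sample: a normal agent from the office, and a compromised admin
    account used from outside the office to walk through accounts at machine speed."""
    t0, fmt, lines = datetime(2025, 1, 10, 2, 0, 0), "%Y-%m-%dT%H:%M:%SZ", []
    for i in range(5):
        lines.append(f"{t0 + timedelta(minutes=12 * i):{fmt}} admin=agent_a "
                     f"action=view_account target=user{1000 + i} src=10.0.0.5")
    for i in range(40):
        lines.append(f"{t0 + timedelta(seconds=3 * i):{fmt}} admin=agent_b "
                     f"action=reset_password target=user{2000 + i} src=203.0.113.7")
    return lines
```

Running `find_anomalies(parse(build_sample_log()))` flags only `agent_b`: once for the non-office source address and once when it crosses 20 distinct accounts within the window.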
Why was there no email about this sent out?
Actually shameful that it had to take almost a month to solve... Now hackers can have a whole list compiled of addresses, payment info, Steam IDs, ... nice
Also still no player MFA. Every other launcher/portal/service is giving their users that. Why are we treating GGG like a small indie dev still?
so it's many more than you said in the interview...
Sad that you didn't come out with that disaster first. Only after it was leaked on reddit. Trust is meanwhile zero in ggg