Data Breach Notification

How is it possible that GGG only knows of this since "last week"?
The Community already knew that something was going on since last year when the first people complained about getting hacked; that should have triggered an alarm at GGG to check Staff Accounts for unauthorized access. You even locked Accounts of these people when they notified you about this, and these accounts are still locked, for over 1 Month now.

Also, why are we receiving a Forum Post about a data breach?
This is nothing that should only be a Forum post, but instead a Mail that notifies every Customer...
This is clearly a violation of the GDPR since you only had 72h after you noticed the breach, and I think everyone here knows that you have known about this for longer than "last week".

Sad to see that even GGG doesn't give a damn about the privacy of its customers.
Last edited by ZeroGott1#1527 on Jan 15, 2025, 3:42:34 AM
Thanks for the transparency. It's always the unexpected that gets you, eh?

The severity of this is ofc lessened by the fact that you are dropping the "We'll get there" attitude about 2FA and pushing it up to be launched at once.

Part of the process of the 2FA is likely also that you won't be asking users for complete transaction histories from their banks punishing long time users compared to new users since you ask for bank statements that predate the logs that banks keep, making account recovery impossible for long time fans.

Oh wait... none of this is happening is it?
So what will this mean for the massive GDPR breach?

Will you guys get fined millions or lawsuits or something?

This is a big oof.
What this post does NOT say is how we all should react now to ensure our Steam account safety. I mean... they say so themselves:

"
The attacker also viewed account information for a significant number of accounts through our portal.

For those accounts they got access to the following private information:

Email Address if the account had one associated
Steam ID if the account had one associated
IP Addresses that the account had used
Shipping address if the account had previously had physical goods sent
Current Unlock Code for unlocking accounts locked due to logging in from a different region

...

In addition there are some accounts where the attacker looked at transaction history which would have shown a list of previous purchases.



E-Mail Address, SteamID, Shipping Address... maybe even PayPal mail accounts in the list of previous purchases? Even with 2FA on Steam, that could be more than enough information to reset an account... I'm honestly sick to my stomach right now in fear of getting my Steam Account stolen with that information.
GDPR called, they want stored personal data.

Probably someone else also, about not informing us directly and instantly.
A lesson to learn from. Never allow logging in to an admin account or accessing administrative functions from any IP except the corporate VPN IP. Also 2FA on top of this.
Last edited by haones#7707 on Jan 15, 2025, 3:56:50 AM
This entire situation is just one thing after another, including how it's being handled.

Not even a global email? A forum post is how people find this out?

Honestly would rather just get a refund and go on my way at this point
"
I really look forward to 2FA being available to the wider player base to bolster the security of the entire PoE community.


Has nothing to do with this
"
A lesson to learn from. Never allow logging in to an admin account or accessing administrative functions from any IP except the corporate VPN IP. Also 2FA on top of this.


Did you even read the post? Social engineering has nothing to do with VPN or 2FA. You people are lost
"
topsen_#5879 wrote:
"
A lesson to learn from. Never allow logging in to an admin account or accessing administrative functions from any IP except the corporate VPN IP. Also 2FA on top of this.


Did you even read the post? Social engineering has nothing to do with VPN or 2FA. You people are lost


Only one being lost is you.
If Staff account login is only possible with a specific IP from the Corp-only VPN, everything could have been avoided.
Even if you got the login data+PW you can't log in with that Staff account (and in the best case that account will be autolocked) since your IP doesn't match one of the expected ones.
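
The control described in the reply above (staff login accepted only from corporate VPN addresses, with the account auto-locked when valid credentials arrive from anywhere else), as an added example that is not part of the thread and not GGG's code. The CIDR ranges, `StaffAccount`, `from_corp_vpn` and `staff_login` are hypothetical names and constructed values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed ranges standing in for the corporate VPN egress pools (assumption).
STAFF_ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.8.0.0/24", "2001:db8:51::/64")]

@dataclass
class StaffAccount:  # hypothetical account record
    name: str
    locked: bool = False
    alerts: list = field(default_factory=list)

def from_corp_vpn(peer_addr: str) -> bool:
    """True only if the connection's source address is inside an allowed range."""
    try:
        ip = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False  # unparseable address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap before matching.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in STAFF_ALLOWED_NETS)

def staff_login(account: StaffAccount, password_ok: bool, peer_addr: str) -> str:
    """peer_addr must be the socket peer address, never a client-supplied header."""
    if account.locked:
        return "denied:locked"
    if not from_corp_vpn(peer_addr):
        if password_ok:
            # Valid credentials from outside the VPN: lock the account and alert.
            account.locked = True
            account.alerts.append(f"valid credentials for {account.name} from {peer_addr}")
            return "denied:autolocked"
        return "denied:network"
    return "ok" if password_ok else "denied:credentials"
```

The network check runs before the credential result is acted on, so a caller outside the allowed ranges never receives a successful session even with the correct password.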
