Data Breach Notification
So is it necessary to change our passwords? I see the attacker is unable to see our passwords.
No mention of steps that will be taken to contact victims, heck it doesn't even seem like GGG knows how many victims there are beyond the several dozen who had their passwords changed. No telling how many accounts got their emails/addresses/IPs/steam IDs swiped. And why did this unhelpful notification take so long to come out? This issue was mentioned in the POE2 QA two days ago and even on Sunday the devs made it sound like they had already known about this for a while, how long does it take to assess the damage before you start contacting people whose personal info was stolen?
I wanted to be charitable, but sorry isn't good enough. Security obviously was not a priority for GGG and now your customers are paying the price for your incompetence. How 3rd-party connections were even allowed for admin accounts is utterly baffling and should give any decent security manager a panic attack, not to mention the lack of 2FA for even your internal admin accounts. You guys aren't a small indie studio making a glorified D2 clone anymore, you're a major digital company with access to hundreds of thousands if not millions of people's personal info from all over the world. Act like it.
To everyone in this thread complaining about transparency, you are missing a pretty key part of cyber security. "Knowledge is power".
If you publicise an issue too soon, when you aren't fully aware of the attack vector or the scope of the damage, especially in a circumstance like this where you end up with a sleeper actor in your network who has potentially had access for an indeterminate amount of time, you DO NOT want to give that attacker information that allows them to react before you take action. GGG should only be telling us the bare minimum in this situation, and if affected people are to be "compensated", they should be reached out to privately. There would also need to be work done to determine which of these accounts were compromised as a result of this malicious actor, and which are a result of the general account breaches that happen as part of regular user account management. It's also worth noting that it was explicitly stated that customer support CANNOT see your passwords. They can only reset your password to a randomly generated one; my experience would suggest that this is done via a triggered email to the primary one listed on the USER account, and remains invisible to customer support through the entire process. 2FA would do nothing for an attack of this nature, as a customer support account would be able to reset 2FA.
Coverup? Attempt? Let's say this had happened with Blizzard/Activision or any big AAA, as a matter of fact, we wouldn't have heard A SINGLE WORD.
Wait, isn't this a one-time code? Does it not expire?
POE2 has taken too much priority. Check your backdoor, check your security, move away from this "fix on fail", because guess what, it failed and now you can't even identify the damage this has done, let alone how to fix it.
Some of you are entirely too sweaty and should grow up. Jesus Christ.
This is really bad and doesn't show professionalism. There is way more to this than GGG shows and they are downplaying it with this lame statement. Why does it take so long to make a statement like this? In the livestream they were already talking about it and had known about it for a while. They made it seem like a really big, complicated explanation was in the making and this is the result? Breaches like this need to be reported ASAP.
All our accounts are compromised and public information has been leaked due to this bad design. There are laws around information protection which GGG didn't follow. People forget that 99% of the hacked accounts we saw on Reddit had reasonable wealth. You are telling me that they were so lucky to log into 66 accounts and find hundreds of divines in them instead of Elon's main account who is in act 1? They now have a dump of all our data. All our addresses (not 66) if we bought something. All our emails, all our other basic information, etc.
2FA would have prevented access to the admin account. Proper 2FA would have prevented anybody's items from being stolen. Regardless, with the info being visible, people can steal your accounts via recovery methods on GGG's own site. You're downplaying how serious this is; GGG doesn't need more shills with a mess-up this bad.
2FA would not have prevented a Steam customer support agent giving access to a Steam account, which a person could then use to access a connected service. I've not downplayed the seriousness of this issue; what I've suggested is that "transparency" is not a good thing when it comes to security. You should not be publicising information any faster than is absolutely required. If they did, then that bad actor would be able to take all of the information they've collected and start burning down the house before GGG can lock all the doors.