almost 12 years ago - Chris - Direct link

A couple of weeks ago I posted here explaining the common ways that users are having their passwords compromised by attackers.

We're now seeing an increase in the rate at which the attackers are stripping these accounts of their valuable items. As soon as we had the realm stability issues sorted out, we started work on new account security measures that should make it difficult for attackers to use stolen passwords to access your accounts.

I want to be completely clear - our security has not been breached. If our database had been compromised, the accounts that attackers would target first would be the most wealthy players, the high profile streamers or the developers. Imagine how much it'd be worth to compromise my account? Kripparrian's? The top people on the ladder? These people have not lost their passwords. There has been a 0% rate of developer accounts being accessed by overseas IPs. The accounts that are being targeted are generally mid-low playing accounts, typically associated with the usage of hack software. We often have users write into support complaining about side effects of their maphacks, only to later report the same day that their items have been stolen. It is worth pointing out that these hack programs are bannable, and while we haven't yet done a banwave, the thousands of people who use them will lose their accounts due to it if they are still running them as we turn on our countermeasures.

I've spent massive amounts of time going through logs of IP usage and talking to people who have been compromised. In almost every case, it was due to violating one of the security practices we've outlined in the post I mentioned at the top of this one. Players have been using the same passwords on insecure community sites, running malware, clicking phishing links and have pre-compromised machines that are part of botnets. Now that the attackers who have these passwords have some degree of automation, they appear to be stripping accounts more quickly than before, resulting in a big increase in the reports of hacking. We are mass-banning IP addresses that are used for this theft, but due to the use of proxies, it's very hard to stop it in this way.

I'm not claiming that everyone that has lost items has run an illegal hack program. Many users have merely re-used passwords, had an insecure version of Java when browsing infected community sites, or accidentally clicked a bad link and logged into a fake version of our site. These are very easy mistakes to make unless you are extremely careful.

This situation is exactly why games have security systems in place to prevent people accessing accounts in this way. Path of Exile does not yet have such a system, but it will do very soon. We're a very small team of developers and have been working long hours for the last month to address these issues and other stability ones (that are now thankfully much better). Within a week we expect to launch the account security improvements which would mean that even if you do have your password compromised, it's still hard for people to access your account. We may be able to deploy the first improvements that help with this in the next 48 hours.

People have asked us why we don't restore accounts when they are hacked. The reason is that the outcome of this would be far, far worse for the game. I understand it's hard to see that perspective when you're staring at an empty stash where your items were, but please consider what would happen to the economy if players could request their items to be restored due to theft. It would be very easy to fake an account theft - just ask a friend from elsewhere to log in and take your items before contacting support and asking for a restoration.

If our policy was to restore in a way that duplicated the items, this would be a free duplication method that people could easily use. If our policy was to take the items back from the attacker without duplicating them, then this would result in a free tradehack that anyone could use. In either case, the economy would be destroyed.

It's currently taking our staff the entire day just to process our existing volume of support requests. Not only would thoroughly investigating each claim take far too long, but the very fact we were doing it would encourage people to abuse it as hard as they can. For all of those reasons, it is not an option to restore items under any circumstances.

This whole situation is a lesson in why it is inadequate to assume that passwords are sufficient security. I am very, very sorry that we did not have better security measures to make stolen passwords useless when we entered Open Beta. Thankfully there are improvements to this coming very soon so that it won't be a problem in the future. I will work every evening and through the weekend to make sure that these fixes are deployed as soon as humanly possible. Although people will probably still lose their passwords, the attackers will hopefully not be able to actually get any items from it and then they'll stop bothering.

This is also a lesson in how many users are running infected software. Although we have an active community of over a million monthly users, we're seeing thousands and thousands of accounts running software that is known to be infected with keyloggers. Even if our security measures mean that this software doesn't result in your items being stolen, it will still result in your account being banned for trying to cheat.

If you're worried about having your items stolen and you have not run any strange software, just change your password, don't click weird links and don't use the same password on other sites. That's what I do and no one has hacked my account yet.

almost 12 years ago - Chris - Direct link

Another thing to consider is that attackers can purchase bulk lists of leaked passwords from various services that have been hacked before. It'd make sense for them to go through those lists of email/password combinations to see which ones correspond to valid Path of Exile accounts.

True story time:
One day last year, I was playing Diablo 3 and I got kicked off my account because someone logged into it. I logged back in and changed the password, interrupting the theft of whatever bad items my D3 character had. I knew that I had never run any malware or clicked any bad links, but yet they had my password. After a lot of investigation, I worked out that it was the same password I used for my bitcoin account at Mtgox. Their entire site had been hacked the year before, revealing all the passwords. I managed to find the mtgox leaked password list, and sure enough, mine was on it. I obviously changed all my passwords in response to this and there were never any other problems. This is exactly the type of situation that could have occurred for many Path of Exile users who have been good about not installing hacks or clicking bad links. The account security measures we're adding soon will stop attacks like this.

almost 12 years ago - Chris - Direct link

" Dreggon wrote:
" Chris wrote: After a lot of investigation, I worked out that it was the same password I used for my bitcoin account at Mtgox. Their entire site had been hacked the year before, revealing all the passwords. I managed to find the mtgox leaked password list, and sure enough, mine was on it.



Can you tell me/us how you did this?



It was indexed by google.

Before I worked out where they got my password I was 100% convinced that it wasn't my fault. Then 100% convinced that it was :-(

" Hotcooler wrote: Chris

You're mostly talking about items, and I can sort of understand why you can't restore them (though I bet you will be able to trace all the transactions in the future (since I bet you have logs, just no tools to automate parsing them for this sort of stuff)).

But how about deleted characters? I for one would be quite grateful to get my characters back even with no items, since that's the bulk of the time investment that won't hurt the economy in the slightest.

And while we are on the topic of it, how about a delete queue for high level characters? So when you press delete on, say, a char that has access to Merciless, the system puts it in a delete queue for, say, 3 days, and while there is time you can press a restore button to cancel the delete process. That will save us from this kind of stuff and you from emails about "I accidentally deleted my character".



I definitely agree. At the moment our character deletion is a hard deletion, but we're moving to a model where they are soft-deleted and the names can be reused. If an undeletion occurs, a new name may be needed. We don't have this ready yet (it's lower priority than getting the account-lock-on-suspicious-access case sorted out). I am really looking forward to this being in so that we can easily restore deleted characters (but not any items that were stolen prior to them being deleted).
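The soft-delete model Chris describes (deleted characters kept for a while, their names reusable straight away, a new name possibly needed on restore), modelled as an added Python example. This is not GGG's code; the 3-day restore window is taken from Hotcooler's suggestion above rather than from anything GGG announced, and the character names and dates are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RESTORE_WINDOW = timedelta(days=3)  # assumed: the 3-day queue proposed in the thread
T0 = datetime(2013, 2, 1, tzinfo=timezone.utc)  # constructed reference time


def days_after(n: float) -> datetime:
    """Helper for replaying the timeline at fixed offsets from T0."""
    return T0 + timedelta(days=n)


class NameTaken(Exception):
    """Raised when a create or restore wants a name that a live character holds."""


@dataclass
class Character:
    name: str
    level: int
    deleted_at: Optional[datetime] = None  # None = live; a timestamp = in the delete queue


class CharacterStore:
    """Soft-delete model: delete() marks the character and frees its name immediately;
    restore() works until the window expires (a new name is needed if the old one was
    reused); purge() is the eventual hard delete."""

    def __init__(self) -> None:
        self._chars: list[Character] = []

    def _live_names(self) -> set[str]:
        return {c.name for c in self._chars if c.deleted_at is None}

    def create(self, name: str, level: int) -> Character:
        if name in self._live_names():
            raise NameTaken(name)
        char = Character(name, level)
        self._chars.append(char)
        return char

    def delete(self, char: Character, now: datetime) -> None:
        char.deleted_at = now  # soft delete only; data stays until purge()

    def restore(self, char: Character, now: datetime, new_name: Optional[str] = None) -> Character:
        if char.deleted_at is None:
            return char
        if now - char.deleted_at > RESTORE_WINDOW:
            raise ValueError("restore window expired")
        wanted = new_name or char.name
        if wanted in self._live_names():
            raise NameTaken(wanted)  # someone reused the name; caller must pick another
        char.name = wanted
        char.deleted_at = None
        return char

    def purge(self, now: datetime) -> int:
        """Hard-delete everything whose restore window has passed; returns the count removed."""
        before = len(self._chars)
        self._chars = [
            c for c in self._chars
            if c.deleted_at is None or now - c.deleted_at <= RESTORE_WINDOW
        ]
        return before - len(self._chars)

    def live(self) -> list[str]:
        return sorted(self._live_names())
```

Note that stolen items are still not recoverable here: only the character record survives the queue, which is the limit Chris states.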

almost 12 years ago - Chris - Direct link

" MonstaMunch wrote:
" darkro90 wrote: Just tested and found that the PoE doesn't prevent re-entry of password should a user entered the wrong password 3 or mote times.

I guess we now know what's the exploit is. Brute-forcing is never been this easier before.



Just tested and confirmed. JtR would have a field day with this :|



We do lock out accounts for multiple incorrect password attempts! The threshold is higher than 3 though, because users often legitimately take quite a few attempts to get their password right. There's no way they can effectively brute-force passwords in an online manner, and we'd be able to see that in our access logs.

" oBLACKIECHANo wrote: Chris, did you not say before that you track every item? Would it not be very simple to delete all of the items removed from the account, from the system, then restore them on the original account? I don't see the logic in not doing that, as it would be very easy to automate it, even somebody who hadn't been hacked could use it and nothing would change, the economy would remain the same. Besides, it's permanent leagues, the economy gets f*cked up with time no matter what.



The issue with this is that fake hack reports can scam people who traded with the person claiming they were hacked. We already have examples of people who perform trades that they regret, then claim they were hacked after muling their items to another account they control.

almost 12 years ago - Mark_GGG - Direct link

" TheHeffNerr wrote:
" Chris wrote: We do lock out accounts for multiple incorrect password attempts! The threshold is higher than 3 though, because users often legitimately take quite a few attempts to get their password right. There's no way they can effectively brute-force passwords in an online manner, and we'd be able to see that in our access logs.



This is just flat out a lie. I've just entered 10 incorrect passwords in less than a minute and then was able to log in... This is why I'm also pissed, because GGG lies out their ass. Anyone can try this.

http://www.twitch.tv/theheffnerr/b/369580932

I can't wait for GGG nut swingers to answer this one.


" darkro90 wrote: I've also tried this for not only 10 times, 20 times, with reasonable delay in each password input since if you're entered it repeatedly, you will get warning message of "trying to login too much in a short time period". And guess what, when I tried my own password after the 20 tries, it still get me logged in.

Looks like PR disaster is imminent.

Get your sh*t together, GGG. When you resort to public lies like this, your credibility just shrunk more.



There are NO lies in Chris's post. Everything he said is true, and he specifically went and tested that the system still worked before posting. As he said in the post you quoted, the threshold is high, because users reasonably often do take a few attempts to get their passwords correct. The video you linked looks like it misread Chris's post and expected 3 attempts to be the maximum possible number, which is specifically what Chris said it wasn't.
Chris already responded to that post in this thread, but for anyone who doesn't want to bother clicking the link:
" Chris wrote: It does work, I tried it on Beta today before posting about it. The threshold is quite high (approximately 30 logins before you get slowed down, followed by about one login per 10 seconds after that). You can try this yourself to see.

In tomorrow's patch, we're reducing it so there are far fewer attempts before you get banned. This is mostly for peace of mind because there's no way to do a practical brute force with one attempt per 10 seconds.
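As an added illustration (not GGG's code), here is a per-account throttle with the shape Chris describes: roughly 30 free attempts, then one attempt per 10 seconds. The two constants are the approximate figures from his post, not a real configuration value, and the clock is injectable so the behaviour can be replayed at fixed times.

```python
from dataclasses import dataclass
import time

BURST_ALLOWANCE = 30      # free failed attempts before slowdown (approximate figure from the thread)
SLOWDOWN_INTERVAL = 10.0  # seconds between attempts once the burst is used up


@dataclass
class AccountState:
    failures: int = 0
    last_attempt: float = 0.0


class LoginThrottle:
    """Per-account throttle: attempts are unrestricted until BURST_ALLOWANCE failures
    have accumulated, then at most one attempt per SLOWDOWN_INTERVAL seconds is admitted
    (a correct password is delayed too, which is the trade-off Mark describes)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._accounts: dict[str, AccountState] = {}

    def check(self, account: str) -> bool:
        """True if an attempt on this account may proceed now, False if throttled."""
        st = self._accounts.setdefault(account, AccountState())
        if st.failures < BURST_ALLOWANCE:
            return True
        return self._clock() - st.last_attempt >= SLOWDOWN_INTERVAL

    def record(self, account: str, success: bool) -> None:
        """Record the outcome of an admitted attempt; success clears the counter."""
        st = self._accounts.setdefault(account, AccountState())
        st.last_attempt = self._clock()
        st.failures = 0 if success else st.failures + 1


def simulate(attempts):
    """Replay (time, account, success) tuples in order with a fake clock and return
    the attempts the throttle admitted. Input is constructed for demonstration."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    admitted = []
    for t, account, ok in attempts:
        now[0] = t
        if throttle.check(account):
            throttle.record(account, ok)
            admitted.append((t, account, ok))
    return admitted
```

At one admitted attempt per 10 seconds an attacker gets 8,640 guesses per day against one account, which is why the thread treats online brute force as impractical even before the threshold was lowered; the throttle is keyed by account, so it is unaffected by the attacker changing IP, but it also does nothing against a single correct guess from a leaked list, which is the case Chris's later posts address.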

over 11 years ago - Chris - Direct link

The people who were compromising the majority of the accounts have:
a) A botnet with at least 270,000 IPs we've seen so far.
b) A list with over 5 million email addresses and passwords, almost all of which are not people who have ever heard of Path of Exile.

They try the passwords on our website and are IP banned pretty quickly, which is when they change IP.

This email and password list has not come from us. It contains users from many other web services and is probably a concatenation of stolen lists from dozens of sites and games. They are trying it against Path of Exile because it gives them free accounts if they do stumble into any. This is why it's important to use a unique password. I'm not saying every compromised account came from their use of this list, but it's certainly the bulk of them.

Since we deployed the security patch in 0.10.1d, the rate of account compromise dropped off almost completely because they have no way to log into an account from a different location.

There is a patch coming soon (probably 0.10.2) that will add the same lockout code to the website too.

To users worried that we have had our security breached: Don't worry! We would tell you as soon as we had any evidence of that happening. Our server security is excellent and there have been no signs so far of any attempts, let alone successful ones. Even if they did gain access to public-facing servers, there would be an awful lot of work (that we could see) before they got anywhere near the accounts database. Also, we do not save credit card numbers on our servers. Our payment provider handles that.

To azurarutlan who claims that he knows someone that breached our servers: Such claims can be very damaging to a company. Do you have any evidence of this? Please get in touch if you do, I'd be very interested in discussing it.

over 11 years ago - Thomas - Direct link

Morgawr, AzraelX, as you both presented fairly compelling cases I decided to investigate your accounts to make sure there wasn't anything unusual going on (as I have done with other random accounts when I get the chance). I wanted to share my findings with you in the hopes that it helps explain the situation.

In both cases your accounts were compromised during a sweep of login attempts, and in both cases yours were the only logins that succeeded from the respective IPs performing the login attempts (out of the half-dozen or so accounts they tried in each attempt). In each case only 1 login attempt is made per account, suggesting they are using a list of email/password combinations and are not brute forcing the passwords. None of the other accounts they tried even have PoE accounts associated with them, suggesting this list did not come from us.

A quick google search of your registered email addresses shows that both are used elsewhere on the internet. I cannot guess as to how they got your passwords, especially if they were randomly generated specifically for PoE - however if they had somehow been obtained from us it wouldn't make any sense for them to try all the non-existent email addresses at the same time (tinfoil hat theorists please stay in off topic).

These findings are consistent with everything we've seen and reported so far, I make a point of investigating cases which sound suspicious and so far none have raised alarms.

Also, before people start saying "Why don't you just block them from trying all these accounts?", we *do* have limits in place for login attempts which is why they only tried half a dozen or so per IP. The problem is we need to allow enough slack in the system for legitimate users to get their email/password wrong a few times without being instantly blocked - and the hackers (or crackers if you prefer) have over 270,000 IPs to do these tests from. We are however coming up with other ways to combat them, and will continue to do so until they are no longer a problem.
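Thomas's triage (one attempt per account, only one success per IP, most of the tried accounts non-existent) can be written down as detection logic. The following is an added example, not GGG's tooling; the log line format, the IP addresses, account names and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed log format (not GGG's real format): one line per login attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) account=(?P<account>\S+) "
    r"result=(?P<result>ok|fail)(?: reason=(?P<reason>\S+))?$"
)

# Constructed sample: a list-driven sweep, a single-account brute force, and a
# legitimate user who mistyped twice.
SAMPLE_LINES = [
    "2013-02-20T03:00:01Z ip=203.0.113.7 account=a1@example.net result=fail reason=no_such_account",
    "2013-02-20T03:00:02Z ip=203.0.113.7 account=a2@example.net result=fail reason=no_such_account",
    "2013-02-20T03:00:03Z ip=203.0.113.7 account=m_player@example.org result=ok",
    "2013-02-20T03:00:04Z ip=203.0.113.7 account=a3@example.net result=fail reason=no_such_account",
    "2013-02-20T03:00:05Z ip=203.0.113.7 account=a4@example.net result=fail reason=no_such_account",
    "2013-02-20T03:00:06Z ip=203.0.113.7 account=a5@example.net result=fail reason=no_such_account",
] + [
    f"2013-02-20T03:01:{i:02d}Z ip=198.51.100.9 account=victim@example.com result=fail reason=bad_password"
    for i in range(12)
] + [
    "2013-02-20T03:05:00Z ip=192.0.2.44 account=casual@example.com result=fail reason=bad_password",
    "2013-02-20T03:05:09Z ip=192.0.2.44 account=casual@example.com result=fail reason=bad_password",
    "2013-02-20T03:05:20Z ip=192.0.2.44 account=casual@example.com result=ok",
]


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def profile_ips(events, min_accounts=5, min_bruteforce=10):
    """Per-IP verdict. A sweep tries many accounts exactly once each (mostly
    non-existent ones); a brute force hammers one account; anything else is benign."""
    by_ip = defaultdict(lambda: defaultdict(list))
    for e in events:
        by_ip[e["ip"]][e["account"]].append(e)
    profiles = {}
    for ip, accounts in by_ip.items():
        attempts = sum(len(v) for v in accounts.values())
        max_per_account = max(len(v) for v in accounts.values())
        unknown = sum(1 for v in accounts.values() if v[0]["reason"] == "no_such_account")
        hits = [a for a, v in accounts.items() if any(e["result"] == "ok" for e in v)]
        if len(accounts) >= min_accounts and max_per_account == 1:
            verdict = "credential_stuffing"
        elif len(accounts) == 1 and attempts >= min_bruteforce:
            verdict = "brute_force"
        else:
            verdict = "benign"
        profiles[ip] = {"verdict": verdict, "accounts": len(accounts), "attempts": attempts,
                        "unknown_accounts": unknown, "hits": hits}
    return profiles


def likely_compromised(profiles):
    """Accounts whose successful login came from an IP classified as a sweep:
    the single hit among a run of failures that Thomas describes."""
    return sorted(a for p in profiles.values()
                  if p["verdict"] == "credential_stuffing" for a in p["hits"])
```

Because the sweep rotates through a large pool of addresses, a per-IP verdict is only the starting point: after a handful of tries the IP is gone and the next one carries on. The signal that survives IP rotation is the per-account one that `likely_compromised` extracts (one successful login, first try, from an address the account has never used), together with the global share of "no such account" failures, which is what lets Thomas conclude the list did not originate from the game's own database.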

over 11 years ago - Thomas - Direct link

" steven_mcburn wrote: 1. How would they even know my email is associated with this game? How would they even know I'm playing, especially from this email? It's not like it's publicly flaunted.



The same way they have been finding other users' information - by going through an enormous list of email/password combinations, most of which do not have PoE accounts associated with them. They just got lucky on yours (as they do with other users they compromise, they are playing the odds here).

" steven_mcburn wrote: 2. How would they guess a password that I don't use for any other services, or better yet, how would they know where I live personally to set up a proxy so they could access my account through your services?



There are two parts to this - firstly I do not know how they got your password(s), Chris has made several posts explaining the usual ways, but there is no way for us to be sure how they got yours specifically.

The second part is that they did not know your home town, they accessed your account from China. The first time they accessed your account they were unable to log in, and you unlocked the account yourself (the email you used to unlock the account should have said someone from China attempted to log in). Shortly after that they accessed your account a second time, and this time they unlocked your account. The only way they could do this is if they had access to your email account.

Assuming you use a different password for PoE and for your email account, this means they have two of your passwords. Assuming you changed your passwords after receiving the warning email the first time they failed to log in (which you really should have), this suggests a strong possibility that you have some sort of keylogger or trojan given how quickly they obtained your new passwords.

The reason you got an email saying someone from your home city accessed your account is because they successfully unlocked your account which set the "normal" city to somewhere in China. This means when you later logged in the system detected your login attempt as the foreign one - so they never used a proxy or knew where you were playing from.

" steven_mcburn wrote:
I welcome you to try to log on my email with the password that's associated with this account.



That would be impossible, as we do not store your password - only a salted hash which could not be used to access your email account even if the passwords were the same.

I hope this information clears up your questions, if you have any further questions please ask.

Edit: fixed bold markup and typos...
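Thomas's two points, that only a salted hash of the password is stored and that the location lock reassigns the "normal" city once an unlock completes, modelled together as an added Python example. This is not GGG's code: PBKDF2 with the iteration count below, the record format, the unlock token and the city names are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a per-user salted PBKDF2 digest, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "$".join(("pbkdf2_sha256", str(ITERATIONS),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


@dataclass
class Account:
    email: str
    password_record: str
    normal_city: str                                   # where logins are normally from
    pending_unlock: Optional[tuple[str, str]] = None   # (token, city awaiting approval)
    notices: list = field(default_factory=list)        # e-mails the system would send


class LocationLock:
    """Model of the described behaviour: a correct password from an unfamiliar city is
    refused and an unlock e-mail is sent; completing the unlock makes that city normal."""

    def login(self, acct: Account, password: str, city: str) -> str:
        if not verify_password(password, acct.password_record):
            return "bad_password"
        if city == acct.normal_city:
            return "ok"
        token = secrets.token_urlsafe(16)
        acct.pending_unlock = (token, city)
        acct.notices.append(f"to {acct.email}: login from {city} blocked; unlock token {token}")
        return "locked"

    def unlock(self, acct: Account, token: str) -> bool:
        """Whoever can read the mailbox can complete this step, which is why Thomas
        concludes the attacker also had the victim's e-mail access."""
        if acct.pending_unlock is None or not hmac.compare_digest(token, acct.pending_unlock[0]):
            return False
        _, city = acct.pending_unlock
        acct.normal_city = city
        acct.pending_unlock = None
        return True


def replay_thread_scenario() -> list[str]:
    """Constructed walk-through of the sequence Thomas describes; returns the outcomes."""
    acct = Account("player@example.com", hash_password("correct horse!"), normal_city="Hometown")
    lock = LocationLock()
    out = [lock.login(acct, "correct horse!", "Foreign City")]      # refused, notice sent
    lock.unlock(acct, acct.pending_unlock[0])                        # unlock completed from the mailbox
    out.append(lock.login(acct, "correct horse!", "Foreign City"))  # now admitted: Foreign City is normal
    out.append(lock.login(acct, "correct horse!", "Hometown"))      # the owner's own login is now the foreign one
    return out
```

`replay_thread_scenario()` returns `["locked", "ok", "locked"]`: the foreign login is refused and a notice goes out, an unlock completed from the mailbox makes the foreign city the normal one, and the owner's next login from home is the one that looks foreign, which is exactly why steven_mcburn received an e-mail about his own city. Read as a design check, the unlock step is only as strong as the mailbox it relies on, and the stored record contains no password, so it could not be replayed against an e-mail provider even if the two passwords were the same.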

over 11 years ago - Support - Direct link

Please be aware of these phishing attempts - GGG staff and moderators will always use blue or yellow text in chat, and please never click external links sent to you, especially if they are not under the www.pathofexile.com domain.
If you're ever unsure, just email us at [email protected] and we'll look into it for you.