Chris



20 Sep


05 Mar

Comment
    Chris on Forums - Thread - Direct

The people who were compromising the majority of the accounts have:
a) A botnet with at least 270,000 IPs we've seen so far.
b) A list with over 5 million email addresses and passwords, almost all of which are not people who have ever heard of Path of Exile.

They try the passwords on our website and are IP banned pretty quickly, which is when they change IP.

This email and password list has not come from us. It contains users from many other web services and is probably a concatenation of stolen lists from dozens of sites and games. They are trying it against Path of Exile because it gives them free accounts if they do stumble into any. This is why it's important to use a unique password. I'm not saying every compromised account came from their use of this list, but it's certainly the bulk of them.

Since we deployed the security patch in 0.10.1d, the rate of account compromise dropped off almost completely because they have no way to log into...

24 Feb

Comment
    Chris on Forums - Thread - Direct

" Boem wrote: Is there anybody on this forum that knows: if my provider gives me a new IP address during a PoE session, will I get kicked because of the new anti-hack protection in place?
I noticed this afternoon I got a new address and I was kicked and had to get a delock key from my e-mail address. If this is the case, a lot of people will be unnecessarily alarmed I think, because they would assume they were hacked while in fact they just got a new IP address and PoE mistakes it for a hack attempt and asks for a delock key....(also if PoE autokicks when your provider gives you a new IP address a lot of people in HC mode are about to die in ...

20 Feb

Comment
    Chris on Forums - Thread - Direct

" MonstaMunch wrote:
" darkro90 wrote: Just tested and found that PoE doesn't prevent re-entry of the password should a user enter the wrong password 3 or more times.

I guess we now know what the exploit is. Brute-forcing has never been this easy before. ...
Comment
    Chris on Forums - Thread - Direct

" Dreggon wrote:
" Chris wrote: After a lot of investigation, I worked out that it was the same password I used for my bitcoin account at Mtgox. Their entire site had been hacked the year before, revealing all the passwords. I managed to find the mtgox leaked password list, and su...
Comment
    Chris on Forums - Thread - Direct

Another thing to consider is that attackers can purchase bulk lists of leaked passwords from various services that have been hacked before. It'd make sense for them to go through those lists of email/password combinations to see which ones correspond to valid Path of Exile accounts.

True story time:
One day last year, I was playing Diablo 3 and I got kicked off my account because someone logged into it. I logged back in and changed the password, interrupting the theft of whatever bad items my D3 character had. I knew that I had never run any malware or clicked any bad links, but yet they had my password. After a lot of investigation, I worked out that it was the same password I used for my bitcoin account at Mtgox. Their entire site had been hacked the year before, revealing all the passwords. I managed to find the mtgox leaked password list, and sure enough, mine was on it. I obviously changed all my passwords in response to this and there were never any other pro...
Comment
    Chris on Forums - Thread - Direct

A couple of weeks ago I posted here explaining the common ways that users are having their passwords compromised by attackers.

We're now seeing an increase in the rate at which the attackers are stripping these accounts of their valuable items. As soon as we had the realm stability issues sorted out, we started work on new account security measures that should make it difficult for attackers to use stolen passwords to access your accounts.

I want to be completely clear - our security has not been breached. If our database had been compromised, the accounts that attackers would target first would be the most wealthy players, the high profile streamers or the developers. Imagine how much it'd be worth to compromise my account? Kripparrian's? The top people o...

08 Feb

Comment
    Chris on Forums - Thread - Direct

In any online game with an economy, in-game items have value. These items are often sold on external real-money trading sites, and we’re doing what we can to stop these affecting Path of Exile. We're attacking their spam and the way that they get items to sell.

Unfortunately, one of the ways these shops obtain items is by stealing them from other Path of Exile players. We have received several reports of people losing items, and we can see from our logs that these end up on accounts (generally accessed by Chinese IPs) that are used to supply RMT item sites.

After several days of painstakingly investigating these cases, we've identified quite a few ways that players are having their passwords stolen. I'd like to go through them one by one and explain how players can keep themselves safe and what we can do on our end to make these attacks more difficult.

I should stress that these problems are common to most online games and that they're problems that p...

03 Feb

Post
    Chris on Forums - Thread - Direct


Real Money/External Trading



Buying and selling items or accounts for real money or external currencies (such as Forum Gold) is not allowed and we will ban people who attempt to engage in it in-game or on the pathofexile.com forums.



The following things are examples of behaviour that could get you banned under this rule:


  • Posting a trade thread where you ask for things other than Path of Exile items in exchange for your gear.

  • Offering people money or external currencies in exchange for their Path of Exile items or accounts.

  • Advertising external item sales sites. It's best to avoid mentioning them by name.

  • Running a service where you sell items or accounts to people for things other than Path of Exile items.




Self-promoting forum threads



We've had numerous posts being promoted by aut...