Massive Account hack

[Xcesiuss]

Surprised this topic isn't here yet. Many Path of exile accounts have been indeed hacked and stolen all their currency and items of worth, the person that did this must've had balls of steel as he / his team hacked many accounts through most likely an exploit through the path of exile site which gained them access to somewhat database(?)

I do recommend checking your account and changing your password. My account were compromised and I never used any tools whatsoever, I only traded for real money ($). All my chaos orbs and currency of value was taken.. I don't really feel like building up a character anymore due to this.

[xsx]

I guess there is a customer support for all these issues right?

[Xcesiuss]

I guess there is a customer support for all these issues right?

Sadly they won't help you with recovering your items. I'm calling a quit on this game

[pushedx]

I've been around games where there have been legitimate hacks going on due to site / game flaws, but I'm just not seeing that right now with this game. I believe GGG when they say it wasn't a site or server compromise. From what I understand about GGG's DB setup (which I had talked to a dev a long time ago about some concerns about their password setup), if they gave out the DB itself, no one could trivially get hacked from the password hashes stored.

That is: your hashed password -> [time consuming, mega round hash function] -> database entry

In order for someone to actually use the data, they'd have to also obtain the hashed password hashing function, and then create a dictionary of all common password hashes to compare each with. This approach is nothing new, and is typically how you "protect the database against compromise".

However, there's no need to go through all that trouble if all you care about is attacking accounts with common/dictionary passwords. It's not that hard to write a clientless account brute-force application that supported proxies and used one of the numerous e-mail / password dumps that exists. Someone could just run that across all known e-mails and common passwords and manage to "get lucky" due to how bad peoples passwords generally are. If there are a million accounts made and you get lucky with even 1%, that's still 10,000 accounts.

Assuming someone didn't get phished, social engineered, had their config ini stolen, or infected via malware, I'd expect that's how most people who got "hacked" did so. If someone made a unique random e-mail for PoE, a long (64+) randomly generated password, and wasn't using any 3rd party applications and practiced safe computing, I don't think they could currently get hacked.

I don't think people understand just how irresponsible some sites are. I lost one of my passwords once due to Yahoo being idiots. The good thing at least was that it wasn't one of my strongest passwords, but it doesn't matter how good your password is when things like that happen all the time (most people just are unaware of it).

[Darkwiccan]

I've been around games where there have been legitimate hacks going on due to site / game flaws, but I'm just not seeing that right now with this game. I believe GGG when they say it wasn't a site or server compromise. From what I understand about GGG's DB setup (which I had talked to a dev a long time ago about some concerns about their password setup), if they gave out the DB itself, no one could trivially get hacked from the password hashes stored.

That is: your hashed password -> [time consuming, mega round hash function] -> database entry

In order for someone to actually use the data, they'd have to also obtain the hashed password hashing function, and then create a dictionary of all common password hashes to compare each with. This approach is nothing new, and is typically how you "protect the database against compromise".

However, there's no need to go through all that trouble if all you care about is attacking accounts with common/dictionary passwords. It's not that hard to write a clientless account brute-force application that supported proxies and used one of the numerous e-mail / password dumps that exists. Someone could just run that across all known e-mails and common passwords and manage to "get lucky" due to how bad peoples passwords generally are. If there are a million accounts made and you get lucky with even 1%, that's still 10,000 accounts.

Assuming someone didn't get phished, social engineered, had their config ini stolen, or infected via malware, I'd expect that's how most people who got "hacked" did so. If someone made a unique random e-mail for PoE, a long (64+) randomly generated password, and wasn't using any 3rd party applications and practiced safe computing, I don't think they could currently get hacked.

I don't think people understand just how irresponsible some sites are. I lost one of my passwords once due to Yahoo being idiots. The good thing at least was that it wasn't one of my strongest passwords, but it doesn't matter how good your password is when things like that happen all the time (most people just are unaware of it).

the only way you get hacked on poe is DL addons that you think are map hacks but are keyloggers

[Xel]

My guess is that their system had a flaw allowing infinite authentication attempts in a row resulting in
a brute-force attack. Assuming this happened, an unauthorized query to their databases might have
occurred as well. This would explain how they got their hands on account names supposedly stored
in plain text.

[pushedx]

the only way you get hacked on poe is DL addons that you think are map hacks but are keyloggers

Or a customer service representative is fooled into handing your account over to someone else.

Anyways, the Account Security and Theft Policy covers just about everything people need to know. You can still get hacked without using illegitimate 3rd party tools, but most who do get hacked are indeed using malware embedded into fake hacks.

My guess is that their system had a flaw allowing infinite authentication attempts in a row resulting in
a brute-force attack. Assuming this happened, an unauthorized query to their databases might have
occurred as well. This would explain how they got their hands on account names supposedly stored
in plain text.

Chris actually mentioned the specific limitations on the forum: Forum - Technical & Account Support - HUGE HACK went down!!! who all got jacked. - Path of Exile

It does work, I tried it on Beta today before posting about it. The threshold is quite high (approximately 30 logins before you get slowed down, followed by about one login per 10 seconds after that). You can try this yourself to see.

In tomorrow's patch, we're reducing it so there are far less attempts before you get banned. This is mostly for peace of mind because there's no way to do a practical brute force with one attempt per 10 seconds.

[Xel]

Or a customer service representative is fooled into handing your account over to someone else.

Anyways, the Account Security and Theft Policy covers just about everything people need to know. You can still get hacked without using illegitimate 3rd party tools, but most who do get hacked are indeed using malware embedded into fake hacks.



Chris actually mentioned the specific limitations on the forum: Forum - Technical & Account Support - HUGE HACK went down!!! who all got jacked. - Path of Exile

Specific limitations might only apply to certain methods of authentication (game, website etc.)
but if you were to find another login prompt (when for example directly connecting to a certain IP)
it might not be protected. They might also have multiple idle databases without proper prevention
of bruteforce attacks.

Though I was just guessing..

[Xcesiuss]

Your Path of Exile account has been locked because someone logged in from a location that you don't typically play from - "Jilin, Jilin, China".

So I guess we know where they are located.

[hamp69]

Ok geting sick of these damn threads, and this is one of the many reasons nobody posts on this site and just lurks.


All these scrubs crying they got hacked were stupid enough to download a ****ing hack from youtube, all the screenshots prove this with the message in there status.

Nobody got hacked that did not download a hack from youtube or other bullshit sources, thats what happens when you are stupid, you get owned.


I really wish GGG just banned all you newbs that tried to lie saying you were "Hacked" when really you downloaded a freakin keylogger from YOUTUBE Of all places.


Get over it you scrubs, you ****ed up. Any one over 16 knows any hack on youtube is total bullshit.

[Xcesiuss]

Ok geting sick of these damn threads, and this is one of the many reasons nobody posts on this site and just lurks.


All these scrubs crying they got hacked were stupid enough to download a ****ing hack from youtube, all the screenshots prove this with the message in there status.

Nobody got hacked that did not download a hack from youtube or other bullshit sources, thats what happens when you are stupid, you get owned.


I really wish GGG just banned all you newbs that tried to lie saying you were "Hacked" when really you downloaded a freakin keylogger from YOUTUBE Of all places.


Get over it you scrubs, you ****ed up. Any one over 16 knows any hack on youtube is total bullshit.

Maybe you should not judge everyone from one single stroke. Go back to school