Massive Account hack

  1. #1
    Xcesiuss

    Massive Account hack

    Surprised this topic isn't here yet. Many Path of Exile accounts have indeed been hacked and had all their currency and items of worth stolen. The person that did this must've had balls of steel, as he / his team hacked many accounts, most likely through an exploit on the Path of Exile site which gained them access to some sort of database(?)

    I do recommend checking your account and changing your password. My account was compromised and I never used any tools whatsoever; I only traded for real money ($). All my chaos orbs and currency of value were taken. I don't really feel like building up a character anymore due to this.

  2. #2
    xsx
    I guess there is customer support for all these issues, right?

  3. #3
    Xcesiuss
    Originally Posted by xsx:
        I guess there is customer support for all these issues, right?

    Sadly they won't help you with recovering your items. I'm calling it quits on this game.

  4. #4
    pushedx
    I've been around games where there have been legitimate hacks going on due to site / game flaws, but I'm just not seeing that right now with this game. I believe GGG when they say it wasn't a site or server compromise. From what I understand about GGG's DB setup (which I had talked to a dev a long time ago about some concerns about their password setup), if they gave out the DB itself, no one could trivially get hacked from the password hashes stored.

    That is: your hashed password -> [time consuming, mega round hash function] -> database entry

    In order for someone to actually use the data, they'd have to also obtain the hashed password hashing function, and then create a dictionary of all common password hashes to compare each with. This approach is nothing new, and is typically how you "protect the database against compromise".

    However, there's no need to go through all that trouble if all you care about is attacking accounts with common/dictionary passwords. It's not that hard to write a clientless account brute-force application that supported proxies and used one of the numerous e-mail / password dumps that exist. Someone could just run that across all known e-mails and common passwords and manage to "get lucky" due to how bad people's passwords generally are. If there are a million accounts made and you get lucky with even 1%, that's still 10,000 accounts.

    Assuming someone didn't get phished, social engineered, had their config ini stolen, or infected via malware, I'd expect that's how most people who got "hacked" did so. If someone made a unique random e-mail for PoE, a long (64+) randomly generated password, and wasn't using any 3rd party applications and practiced safe computing, I don't think they could currently get hacked.

    I don't think people understand just how irresponsible some sites are. I lost one of my passwords once due to Yahoo being idiots. The good thing at least was that it wasn't one of my strongest passwords, but it doesn't matter how good your password is when things like that happen all the time (most people just are unaware of it).

  5. #5
    Darkwiccan
    Originally Posted by pushedx:
        I've been around games where there have been legitimate hacks going on due to site / game flaws, but I'm just not seeing that right now with this game. I believe GGG when they say it wasn't a site or server compromise. From what I understand about GGG's DB setup (which I had talked to a dev a long time ago about some concerns about their password setup), if they gave out the DB itself, no one could trivially get hacked from the password hashes stored.

        That is: your hashed password -> [time consuming, mega round hash function] -> database entry

        In order for someone to actually use the data, they'd have to also obtain the hashed password hashing function, and then create a dictionary of all common password hashes to compare each with. This approach is nothing new, and is typically how you "protect the database against compromise".

        However, there's no need to go through all that trouble if all you care about is attacking accounts with common/dictionary passwords. It's not that hard to write a clientless account brute-force application that supported proxies and used one of the numerous e-mail / password dumps that exist. Someone could just run that across all known e-mails and common passwords and manage to "get lucky" due to how bad people's passwords generally are. If there are a million accounts made and you get lucky with even 1%, that's still 10,000 accounts.

        Assuming someone didn't get phished, social engineered, had their config ini stolen, or infected via malware, I'd expect that's how most people who got "hacked" did so. If someone made a unique random e-mail for PoE, a long (64+) randomly generated password, and wasn't using any 3rd party applications and practiced safe computing, I don't think they could currently get hacked.

        I don't think people understand just how irresponsible some sites are. I lost one of my passwords once due to Yahoo being idiots. The good thing at least was that it wasn't one of my strongest passwords, but it doesn't matter how good your password is when things like that happen all the time (most people just are unaware of it).

    the only way you get hacked on poe is DL addons that you think are map hacks but are keyloggers

  6. #6
    Xel
    My guess is that their system had a flaw allowing infinite authentication attempts in a row resulting in a brute-force attack. Assuming this happened, an unauthorized query to their databases might have occurred as well. This would explain how they got their hands on account names supposedly stored in plain text.
    Last edited by Xel; 02-21-2013 at 10:54 AM.
    And the game was over and the player woke up from the dream.
    And the player began a new dream.
    And the player dreamed again, dreamed better.
    And the player was the universe.
    And the player was love.

    You are the player.
    Wake up.

  7. #7
    pushedx
    Originally Posted by Darkwiccan:
        the only way you get hacked on poe is DL addons that you think are map hacks but are keyloggers

    Or a customer service representative is fooled into handing your account over to someone else.

    Anyways, the Account Security and Theft Policy covers just about everything people need to know. You can still get hacked without using illegitimate 3rd party tools, but most who do get hacked are indeed using malware embedded into fake hacks.

    Originally Posted by Xel:
        My guess is that their system had a flaw allowing infinite authentication attempts in a row resulting in a brute-force attack. Assuming this happened, an unauthorized query to their databases might have occurred as well. This would explain how they got their hands on account names supposedly stored in plain text.

    Chris actually mentioned the specific limitations on the forum: Forum - Technical & Account Support - HUGE HACK went down!!! who all got jacked. - Path of Exile

        It does work, I tried it on Beta today before posting about it. The threshold is quite high (approximately 30 logins before you get slowed down, followed by about one login per 10 seconds after that). You can try this yourself to see.

        In tomorrow's patch, we're reducing it so there are far fewer attempts before you get banned. This is mostly for peace of mind because there's no way to do a practical brute force with one attempt per 10 seconds.
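
The login throttle Chris describes in the quote above, set against the common-password guessing pushedx raises in post #4, as an added example that is not part of the original thread and is not GGG's code. The 30-attempt and 10-second figures come from the quote; the class, the sample accounts, the source address and the SPRAY_ACCOUNTS alert threshold are assumptions.

```python
from collections import defaultdict

FREE_ATTEMPTS = 30     # "approximately 30 logins" before slowdown (from the thread)
SLOW_INTERVAL = 10     # then "about one login per 10 seconds" (from the thread)
SPRAY_ACCOUNTS = 20    # hypothetical alert threshold, not from the thread


class LoginThrottle:
    """Per-account throttle: free attempts first, then one per interval."""

    def __init__(self):
        self.failures = defaultdict(int)   # account -> failed logins so far
        self.last_try = {}                 # account -> time of last allowed try

    def allow(self, account, now):
        over = self.failures[account] >= FREE_ATTEMPTS
        last = self.last_try.get(account, float("-inf"))
        if over and now - last < SLOW_INTERVAL:
            return False                   # throttled: too soon after last try
        self.last_try[account] = now
        return True

    def record_failure(self, account):
        self.failures[account] += 1


def single_account_guessing(seconds):
    """One guess per second at one account; returns guesses that got through."""
    throttle, account, through = LoginThrottle(), "victim@example.test", 0
    for now in range(seconds):
        if throttle.allow(account, now):
            throttle.record_failure(account)
            through += 1
    return through


def credential_stuffing(accounts, source="203.0.113.7"):
    """One guess per account (constructed data): throttle never engages."""
    throttle, through = LoginThrottle(), 0
    failed_by_source = defaultdict(set)    # source -> accounts that failed from it
    for now in range(accounts):
        account = f"user{now}@example.test"
        if throttle.allow(account, now):
            throttle.record_failure(account)
            failed_by_source[source].add(account)
            through += 1
    flagged = [s for s, accts in failed_by_source.items()
               if len(accts) >= SPRAY_ACCOUNTS]
    return through, flagged
```

The per-account limit caps guessing against one account but lets every one-guess-per-account attempt through, so the failures have to be counted across accounts as well. A per-source count is only one such signal; attempts spread over proxies need aggregation on other keys too.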

  8. #8
    Xel
    Originally Posted by pushedx:
        Or a customer service representative is fooled into handing your account over to someone else.

        Anyways, the Account Security and Theft Policy covers just about everything people need to know. You can still get hacked without using illegitimate 3rd party tools, but most who do get hacked are indeed using malware embedded into fake hacks.

        Chris actually mentioned the specific limitations on the forum: Forum - Technical & Account Support - HUGE HACK went down!!! who all got jacked. - Path of Exile

    Specific limitations might only apply to certain methods of authentication (game, website etc.), but if you were to find another login prompt (when for example directly connecting to a certain IP) it might not be protected. They might also have multiple idle databases without proper prevention of brute-force attacks.

    Though I was just guessing..

  9. #9
    Xcesiuss
    Your Path of Exile account has been locked because someone logged in from a location that you don't typically play from - "Jilin, Jilin, China".

    So I guess we know where they are located.

  10. #10
    hamp69
    Ok, getting sick of these damn threads, and this is one of the many reasons nobody posts on this site and just lurks.

    All these scrubs crying they got hacked were stupid enough to download a ****ing hack from YouTube; all the screenshots prove this with the message in their status.

    Nobody got hacked that did not download a hack from YouTube or other bullshit sources. That's what happens when you are stupid, you get owned.

    I really wish GGG just banned all you newbs that tried to lie saying you were "Hacked" when really you downloaded a freakin keylogger from YOUTUBE of all places.

    Get over it you scrubs, you ****ed up. Anyone over 16 knows any hack on YouTube is total bullshit.

  11. #11
    Xcesiuss
    Originally Posted by hamp69:
        Ok, getting sick of these damn threads, and this is one of the many reasons nobody posts on this site and just lurks.

        All these scrubs crying they got hacked were stupid enough to download a ****ing hack from YouTube; all the screenshots prove this with the message in their status.

        Nobody got hacked that did not download a hack from YouTube or other bullshit sources. That's what happens when you are stupid, you get owned.

        I really wish GGG just banned all you newbs that tried to lie saying you were "Hacked" when really you downloaded a freakin keylogger from YOUTUBE of all places.

        Get over it you scrubs, you ****ed up. Anyone over 16 knows any hack on YouTube is total bullshit.

    Maybe you should not judge everyone from one single stroke. Go back to school.
