This is what happened to me today and I strongly believe that it must be a security flaw!
I have a strong typed password on my emails, I have a updated antivirus and firewall, also I never go to weird sites neither I fill the ingame user info on other websites! Also I didn't fell in a phishing scheme, since I am very cautious about security!
Today I had my laptop offline all day, and I was out.
When I arrived I saw 3 new emails, that didn't have been read yet! This was the following order, password change request, key to new computer access and confirmation that a new computer was authorized.
I immediatly tried to login but the password was really changed. So I had to request a new one, I logged in and all the AD and a few zens where all gone!
I got hacked by someone!
Now my question is, if I have different passwords, if I don't have a keylogger (otherwise a password change request was not needed), if the emails where yet to be opened and read, and the access to my emails for the last month where only made by my ip address and no records of access to it was done since yesterday untill I got home after 4 hours of the attack.... HOW DID SOMEONE CHANGED MY PASSWORD AND STOLE MY AD!?
I believe there most be some kind of exploit on the recover link generation or something because no one could access that link unless the email message was opened (which didn't happened).
Also I have reports of at least 2 more guys that investigated this issues too and found that no access to the webmail was done neither have entered in "weird" websites or such. And the exact same thing happened... they received those emails yet no external access was done to their mail accounts.
I believe that someone should review this quickly because some knows how the links are generated.
I reported this to the PW team with the IP address of the offender (some American guy) and the times when this ocurred and all this info... I hope to get a refund of the materials stole and I am pretty sure that perfect world have logs to see to where it was transfered.
HOW DID SOMEONE CHANGED MY PASSWORD AND STOLE MY AD!?
Thanks!
You will probably not want to hear this, but im gonna do it anyway :
You used you password before, or you used a password which is common/ (btw, did you use the gateway by any chance ?)
If that aint the case then Cryptic's security has been compomised, but if so you would have probably seen a flood of complaints on this forum (or youre just the first)
They could have obtained his information because he has either sold or purchased AD or Gold from a third party site.
People normally don't like to hear this, but it's the user's responsibility for keeping their information safe. No matter how good your system is protected, it does no good at all if you do things you aren't suppose to do. Rarely have I actually seen an account get hacked out of the blue.
you must be one of those people who uses the same password/username combination for every site you visit
keep in mind if you do that, and one of those sites gets hacked (for example, like, sony i think 3 years ago) these hackers will hold on to this information and use it on entirely different website/games (like neverwinter) much later on
in short, it isn't about having a strong password, it's about being able to create multiple strong passwords that you can easily remember, i suggest using a random string of four to five words
like horseradishpotatopie for example, it's random enough that you can't guess it at first glance, but it's easy enough to remember since there's no complex number combination or exchanging numbers for letters
Most obvious tactic by hackers for MMO's seem to be to can accounts for passwordscombinations they stole from other MMO databases. They got literally millions of accountnames/passwordcombo's and they try them all and even variations on it (Monkey1 dont work ? Lets try Monkey1 to Monkey20).
Even GW2 made a separate and extensive blogpost about it just to point their customers at the risk of reusing passwords. When they did and people started to change passwords the number of hacked accounts also dropped considerably.
You didn't read his post, I take it...just skimmed it for key information.
They didn't know his password, they sent a password change request and without accessing his email, changed it and added their computer as a trusted IP. Something is very rotten in the state of Denmark if this is true.
Untrue, they could easily have known his PW and done a PW change request simply to block or slow his access to his acct. Thus giving them more time to transfer the goods. Or some users once knowing their acct has been hacked simply make new accts in f2p models thus giving the hacker a free acct to use as a Spam or farm bot (Though thats more used in p2p or b2p markets since f2p offer free options for as many accounts as one pleases)
You guys are missing the part where they completely bypassed his email. They changed his password and email on his account without access to his email account. Meaning the security checks are completely worthless.
Where's the guarantee they didnt have access to his email account ?
Occam's Razor states the most likely scenario is that there is a security hole in the game.
Ehm, my 10 year old brother can hack hotmail...., so the razor aint so sharp no more I would say.
0
nibbnibbMember, Neverwinter Beta UsersPosts: 0Arc User
edited June 2013
To the OP:
My account was hacked towards the beginning of May as well. I somehow caught it after they changed the e-mail address, but before they changed the password. I was able to change it again without access to the other parties e-mail account since I still had password control over my main account. My password was strong (caps, numbers, and symbols) on both my account and my e-mail.
I ended up changing everything, for whatever that's worth, and reporting it to CS. Any information you can provide CS, you really should. I was able to provide them the e-mail account the hacker changed my access to. I'm sure it was just a dummy account, but at least they could look for a pattern that way.
The long and short of if is, accounts are being hacked. I would guess they're doing it with brute force through scripting since they had my account hacked, but didn't finish the job. Be sure to contact CS and they might be able to recover your goods (especially the Zen since it is heavily tracked). While there could be some sort of security hole with PerfectWorlds, it's just as likely some organization is just pickin' and guessin'.
You will probably not want to hear this, but im gonna do it anyway :
You used you password before, or you used a password which is common/ (btw, did you use the gateway by any chance ?)
If that aint the case then Cryptic's security has been compomised, but if so you would have probably seen a flood of complaints on this forum (or youre just the first)
Actually a lot of people I know in game have all talked about getting new browser/new pc requests randomly from people logging into their accounts (or at least attempting to).
My account was also hacked and all my diamonds and zen were stolen. It has been over a week and I still have not heard anything back from PWE very frustrating! I know the hacker did not access my email because I have the text code to cellphone security option turned on for the gmail I use for the game. I also checked the IPs that accessed my email and noone but me was listed. I received an email stating a new computer had been saved for my account without the prior code email. My password was unique and only for this game and this computer is only a few weeks old and I have not accessed anything that should have had keyloggers. I did double check by checking for viruses and spyware and found none. I went to the Star Trek Online Account page and went into Account Guard and found they had turned it off so I turned it back on and of course changed my password again. I did use the gateway to craft before the hack and wonder if that is how they got my account information. Even though I enjoy the convience of crafting through the gateway I am too afraid of getting hacked again to use it again.
There is no assumption, he said it, it is fact, try again.
He has also made the implicit assumption that his password was not already compromised. You're also making the assumption that he is not mistaken or lying.
You had no valid points and are just resorting to straw man tactics.
I have not resorted to any straw man tactics; perhaps you should review the meaning of "straw man". Additionally, my points have been that there is no evidence to back up the OP's claims, and that extraordinary claims (such as a game has a hole so large that it allows you to bypass the usual safety and recovery mechanisms) require extraordinary evidence. Consider: if there is a hole of this magnitude, why are there not more reports of this?
You are the one avoiding my point entirely, trying to skirt it and distract from the issue that there might be a rather large security hole if what the OP says is true.
And there's the assumption: IF what the OP says is true. Now that I have once again pointed out your flawed reasoning, would you like to try again?
So until you address the argument rather than the way I convey my argument, yes, I wil blow you off.
So what you're saying is that you're so blinded by your desire for there to be an exploit of this magnitude that you're willing to disregard reason entirely? OK.
0
terradraconisMember, Neverwinter Beta Users, Neverwinter Guardian Users, Neverwinter Knight of the Feywild UsersPosts: 17Arc User
He couldn't have gotten phished. Read the post. He says clearly that they requested a password change without knowing the current one.
The only answer left with least assumptions is a security hole。
Errr no the only way you can request a password change and then successfully steal an account is if you have access to the email account. Not if you have access to the game system.
So from the OP's story despite claiming otherwise it is clear that the email was hacked.
Comments
also they tried to get me around 2am saturday morning but everything was there (got email from account guard but nothing past that).
Ability Scores || All Attribute Roll Combinations || My Cleric Stream \o/
You will probably not want to hear this, but im gonna do it anyway :
You used you password before, or you used a password which is common/ (btw, did you use the gateway by any chance ?)
If that aint the case then Cryptic's security has been compomised, but if so you would have probably seen a flood of complaints on this forum (or youre just the first)
People normally don't like to hear this, but it's the user's responsibility for keeping their information safe. No matter how good your system is protected, it does no good at all if you do things you aren't suppose to do. Rarely have I actually seen an account get hacked out of the blue.
It takes over a day or even longer to proof that my email was hacked.
Not saying the OP made mistakes, but its just difficult to blame it all solely on Cryptic in this case.
keep in mind if you do that, and one of those sites gets hacked (for example, like, sony i think 3 years ago) these hackers will hold on to this information and use it on entirely different website/games (like neverwinter) much later on
in short, it isn't about having a strong password, it's about being able to create multiple strong passwords that you can easily remember, i suggest using a random string of four to five words
like horseradishpotatopie for example, it's random enough that you can't guess it at first glance, but it's easy enough to remember since there's no complex number combination or exchanging numbers for letters
Even GW2 made a separate and extensive blogpost about it just to point their customers at the risk of reusing passwords. When they did and people started to change passwords the number of hacked accounts also dropped considerably.
Hotmail for example doesnt. Even then I could hide my IP or better let it tunnel through the same hops the OP was using.
Where's the guarantee they didnt have access to his email account ?
Ehm, my 10 year old brother can hack hotmail...., so the razor aint so sharp no more I would say.
My account was hacked towards the beginning of May as well. I somehow caught it after they changed the e-mail address, but before they changed the password. I was able to change it again without access to the other parties e-mail account since I still had password control over my main account. My password was strong (caps, numbers, and symbols) on both my account and my e-mail.
I ended up changing everything, for whatever that's worth, and reporting it to CS. Any information you can provide CS, you really should. I was able to provide them the e-mail account the hacker changed my access to. I'm sure it was just a dummy account, but at least they could look for a pattern that way.
The long and short of if is, accounts are being hacked. I would guess they're doing it with brute force through scripting since they had my account hacked, but didn't finish the job. Be sure to contact CS and they might be able to recover your goods (especially the Zen since it is heavily tracked). While there could be some sort of security hole with PerfectWorlds, it's just as likely some organization is just pickin' and guessin'.
Actually a lot of people I know in game have all talked about getting new browser/new pc requests randomly from people logging into their accounts (or at least attempting to).
No, Occam's Razor states that the most likely scenario is that he got phished, since that requires the least assumptions.
You've made an implicit assumption that they did not know the current password. Try again.
He has also made the implicit assumption that his password was not already compromised. You're also making the assumption that he is not mistaken or lying.
Yes, because every dissenter is obviously a shill. Would you like to address my valid points, or do you just want to blow me off?
I have not resorted to any straw man tactics; perhaps you should review the meaning of "straw man". Additionally, my points have been that there is no evidence to back up the OP's claims, and that extraordinary claims (such as a game has a hole so large that it allows you to bypass the usual safety and recovery mechanisms) require extraordinary evidence. Consider: if there is a hole of this magnitude, why are there not more reports of this?
And there's the assumption: IF what the OP says is true. Now that I have once again pointed out your flawed reasoning, would you like to try again?
So what you're saying is that you're so blinded by your desire for there to be an exploit of this magnitude that you're willing to disregard reason entirely? OK.
Errr no the only way you can request a password change and then successfully steal an account is if you have access to the email account. Not if you have access to the game system.
So from the OP's story despite claiming otherwise it is clear that the email was hacked.
[SIGPIC][/SIGPIC]