I recently had my account hacked, probably my own fault I'll admit as I stupidly used an old password. However, the account would have been safe had it not been for Perfect World's bizarre email confirmation. If you change the email address on an account the confirmation email is sent t the new address. So a hacker simply changes it and they can then log in after confirming the change on their own account. Account Guard does nothing as they then get the Code email on their own email account.
The one bright side to this is that you can change it back again as long as they havent changed your password (which they obviously can do easily).
Does anyone think PW have this right, I struggle to see the good side to this system, I've never seen it in any other online game, the confirmation is always sent to the old address isnt it?
Generally no, this is the way most of the sites I use do it . As why? sometime you lose access to your old email address as has happened to me when I moved out of the service area of one internet provider and had to get service from someone else.
I lost access to all my @provider emails and password changes and resets would all go to an email address I could no longer respond to, so in most of those situations you have to update your email address before you change your password.
If you don't you can get locked out of your account as the confirmation email will go to an address you can't access forcing you to contact customer service which is a pain believe me.
I see you point about getting hacked and the hacker changing your email address though not sure what a good solution would be I don't think sending an email to the old or both old and new addresses is the answer.
For example the email address I had back then was guardian@provider which I am sure someone else snagged as soon as my former provider released it, if they sent it to both then someone else could respond and get control of you account but maybe a optional security question to answer before you could change the password or email address might slow them down.
I recently had my account hacked, probably my own fault I'll admit as I stupidly used an old password. However, the account would have been safe had it not been for Perfect World's bizarre email confirmation. If you change the email address on an account the confirmation email is sent t the new address. So a hacker simply changes it and they can then log in after confirming the change on their own account. Account Guard does nothing as they then get the Code email on their own email account.
The one bright side to this is that you can change it back again as long as they havent changed your password (which they obviously can do easily).
Does anyone think PW have this right, I struggle to see the good side to this system, I've never seen it in any other online game, the confirmation is always sent to the old address isnt it?
Well, I get why they do what they do, it would be nice if they put the email address it was changed TO, just to know.
I woke up this morning (5/17/2013) and saw in my email inbox this exact email. Someone has gone in and hacked me. I have recently started using the website that allows you to craft and access the AH while you are away, and I wonder if there is any connection there.
Also, funny thing is, I purchased ZEN last night, and started buying a few things off the AH. Again, no idea is there is a connection.
So now, I cannot get into my account, someone else is doing something with it. And the website for reporting this stuff is awful. They need a very clear, concise "wizard" for reporting these stolen account instances.
I will be watching the forums to see if there was a big hit or anything last night.
How about as an added security they send a code to your cell phone in a text?
Hell, I would take that at this point. I am baffled as to how I got hit. I saw somewhere there was speculation about Founders getting hit, which I am one/was one. I guess the account is gone since all those other folks haven't heard back from PW.
0
bulldoggMember, Neverwinter Beta UsersPosts: 0Arc User
edited May 2013
I just woke and tried to log in and got incorrect password HAMSTER and then checked my email and this has happened to me to this morning...I was playing just 4 hours ago. I have sent a ticket in but reading these forums it looks like tickets even 10-12 days old have not been answered and from what I see this morning it looks like a rash of this happened just this morning so I can only hope they are on top of this and reply ASAP...I have had the same PWI account for 5 years and spent 300 bucks just this week on this new game and hope they havent finally lost control of security..and that it doesnt take a month just to play again with my stuff I paid for intact...not holding my breath though...
Well,hmmm.. Perhaps there is light at the end of the tunnel if many have been hit. That leads me to believe the chance for a rollback of accounts of some sort. Hate to say it, but the selfish side of me hopes more are like us.
0
terradraconisMember, Neverwinter Beta Users, Neverwinter Guardian Users, Neverwinter Knight of the Feywild UsersPosts: 17Arc User
edited May 2013
You might you know consider turning Account Guard on. You know the system where they email your current address with a PIN that must be entered before any changes to your account can take effect. Or even you can successfully login from a different computer.
At this point your only hope is to email customer support.
[SIGPIC][/SIGPIC]
0
bulldoggMember, Neverwinter Beta UsersPosts: 0Arc User
edited May 2013
Well I just checked and 3 more of my friends were hit this morning also since we were all logged in together about 4 hours ago I can only assume this happened around 7 am EST cause all 4 of us got exact same emails at exact same times and all of our accounts have had their emails changed and passwords ect ect...and we are all very old experienced players and have taken all the normal safety precautions and have all played PWI games together for awhile....so beware and check your accounts ASAP !!!
Well I just checked and 3 more of my friends were hit this morning also since we were all logged in together about 4 hours ago I can only assume this happened around 7 am EST cause all 4 of us got exact same emails at exact same times and all of our accounts have had their emails changed and passwords ect ect...and we are all very old experienced players and have taken all the normal safety precautions and have all played PWI games together for awhile....so beware and check your accounts ASAP !!!
Wow. Yea I have sent in 2 tickets, one from the site and one under this temporary account. Hopefully everyone else out there is sending so they can pick up on the pattern.
0
mynfelMember, Neverwinter Beta Users, Neverwinter Hero UsersPosts: 3Arc User
edited May 2013
My account was hit early this morning as well. Also a Founder - all my AD and Zen are gone. My email and my pw have been changed and I'm locked out. No response from CS.
My account was hit early this morning as well. Also a Founder - all my AD and Zen are gone. My email and my pw have been changed and I'm locked out. No response from CS.
So you were able to see all your stuff was gone? How did you do that? Did you get back in right before they changed it?
0
mynfelMember, Neverwinter Beta Users, Neverwinter Hero UsersPosts: 3Arc User
So you were able to see all your stuff was gone? How did you do that? Did you get back in right before they changed it?
I was still logged in via my browser. (Still am, apparently - cookie?) I can see what the email address was changed to and that all my zen is gone, but I can't change the email address or the password because the hacker changed my password too. It's really pretty messed up. (I'm guessing my 2 million in AD will also be gone, assuming I ever manage to get the account back.)
I was still logged in via my browser. (Still am, apparently - cookie?) I can see what the email address was changed to and that all my zen is gone, but I can't change the email address or the password because the hacker changed my password too. It's really pretty messed up. (I'm guessing my 2 million in AD will also be gone, assuming I ever manage to get the account back.)
Oh man. That is kinda weird.
0
bulldoggMember, Neverwinter Beta UsersPosts: 0Arc User
edited May 2013
Exactly the same thing here...because I was logged into this web site cookies has kept me logged in..but everything else is changed. Odd part is everyone says protect yourself blah blah blah..but with their current system there is no protection...all you have to do to hack someone is reset to a new email and it sends the verification to that NEW one..not your registered one..I have never seen a system like that...thats like saying hey come on in and take this and while your at it please confirm on your illegitimate email address that your stealing...really? Every other gaming company I play sends a verification email to your ORIGINAL email before any changes are made to assure that its you...obviously having checked with friends all of our accounts are now registered to emails reading hckxxx2013..at hotmail...talk about advertising your hacking lol...but its so simple with this system why bother being clever..they hand the account to you on a silver platter it seems ...
Exactly the same thing here...because I was logged into this web site cookies has kept me logged in..but everything else is changed. Odd part is everyone says protect yourself blah blah blah..but with their current system there is no protection...all you have to do to hack someone is reset to a new email and it sends the verification to that NEW one..not your registered one..I have never seen a system like that...thats like saying hey come on in and take this and while your at it please confirm on your illegitimate email address that your stealing...really? Every other gaming company I play sends a verification email to your ORIGINAL email before any changes are made to assure that its you...obviously having checked with friends all of our accounts are now registered to emails reading hckxxx2013..at hotmail...talk about advertising your hacking lol...but its so simple with this system why bother being clever..they hand the account to you on a silver platter it seems ...
Well, they closed the thread where people were reporting the issues. Go figure. Oh well, hurry up and wait for Customer Service to "reply".
0
terradraconisMember, Neverwinter Beta Users, Neverwinter Guardian Users, Neverwinter Knight of the Feywild UsersPosts: 17Arc User
Exactly the same thing here...because I was logged into this web site cookies has kept me logged in..but everything else is changed. Odd part is everyone says protect yourself blah blah blah..but with their current system there is no protection...all you have to do to hack someone is reset to a new email and it sends the verification to that NEW one..not your registered one..I have never seen a system like that...thats like saying hey come on in and take this and while your at it please confirm on your illegitimate email address that your stealing...really? Every other gaming company I play sends a verification email to your ORIGINAL email before any changes are made to assure that its you...obviously having checked with friends all of our accounts are now registered to emails reading hckxxx2013..at hotmail...talk about advertising your hacking lol...but its so simple with this system why bother being clever..they hand the account to you on a silver platter it seems ...
Wrong. If you have Cryptic's Account Guard turned on you any attempt to login to your account even with a browser elicits an email to your registered email address with a PIN that you need to finish loging in. The email also contains a link to revoke the access.
But to have that you must TURN ON ACCOUNT GUARD. If you don't have that turned on you don't get the protection of an email about the change.
Wrong. If you have Cryptic's Account Guard turned on you any attempt to login to your account even with a browser elicits an email to your registered email address with a PIN that you need to finish loging in. The email also contains a link to revoke the access.
But to have that you must TURN ON ACCOUNT GUARD. If you don't have that turned on you don't get the protection of an email about the change.
I do not know if that is entirely accurate. I received the email PINs for adding new computers access, and new browsers (when using the Gateway). I did not receive the same PIN verification when I was hacked at 2 AM this morning.
Wrong. If you have Cryptic's Account Guard turned on you any attempt to login to your account even with a browser elicits an email to your registered email address with a PIN that you need to finish loging in. The email also contains a link to revoke the access.
But to have that you must TURN ON ACCOUNT GUARD. If you don't have that turned on you don't get the protection of an email about the change.
And why arent those turned on by default?
And this is not working the way you described it. Just tested it and took all of 3 minutes to verify how easy it would be to hack an account if the password is gained. I have one PC saved on account guard, my home PC. I am logged in posting right now on this forum from work on a completely different PC, and I was never asked to auth this PC. I can change my email if I want to or my password RIGht NOW from an UNAUTHORIZED PC.
So what the hacker is doing is changing the email address to the account first, then changing the password, then logging into the game account. Account guard then sends the NEW EMAIL ADDRESS THEY CHANGED IT TO the pin that needs to be used to auth the new PC onto the account.
Your password is really the only thing protecting you folks. Dont fall for the phishing attempt or third party sites. Dont hand it out to anyone.
Generally no, this is the way most of the sites I use do it . As why? sometime you lose access to your old email address as has happened to me when I moved out of the service area of one internet provider and had to get service from someone else.
I lost access to all my @provider emails and password changes and resets would all go to an email address I could no longer respond to, so in most of those situations you have to update your email address before you change your password.
If you don't you can get locked out of your account as the confirmation email will go to an address you can't access forcing you to contact customer service which is a pain believe me.
Most of the time email change of address warnings dont require a response unless it wasnt you that made the request.
If your account is accessed by a new computer or browser a five-digit code is sent to your registered email address - you must then type in the code before access is granted. Your email and password cannot be changed unless that computer/browser are authorized access.
I may be mistaken, but I believe the default for this "option" is turned on in your account settings. If the default is turned off, then PWE should change this. For those whose accounts have not been hacked (yet) I recommend you go into your account settings and turn this verification option ON.
Well I just checked and 3 more of my friends were hit this morning also since we were all logged in together about 4 hours ago I can only assume this happened around 7 am EST cause all 4 of us got exact same emails at exact same times and all of our accounts have had their emails changed and passwords ect ect...and we are all very old experienced players and have taken all the normal safety precautions and have all played PWI games together for awhile....so beware and check your accounts ASAP !!!
3 of your friends all had the same issue at the same time? That can't be coincidence. Do you all log into the same forum, and use a common password for your accounts? It is important to use unique passwords for all accounts you have, especialy your email and any account that has money tied to it. Also, never click on links your receive in your email unless you are 100% sure it is authentic. Don't ever give any personal information to a stranger that calls you on your phone, and most important, don't blink, blink and your dead, don't turn away, and what ever you do, don't blink.
If your account is accessed by a new computer or browser a five-digit code is sent to your registered email address - you must then type in the code before access is granted. Your email and password cannot be changed unless that computer/browser are authorized access.
I may be mistaken, but I believe the default for this "option" is turned on in your account settings. If the default is turned off, then PWE should change this. For those whose accounts have not been hacked (yet) I recommend you go into your account settings and turn this verification option ON.
Where is this settings button with which you can toggle Account Guard? I've checked within the "My Account" button and looked at the Account Guard FAQ but haven't been able to find exactly how to access this feature unless I play STO or CO which I don't.
also i just noticed you cannot change your email anymore, well you can but it will just hang, even if it says you have changed it, i logged out and logged in still old email address, plus no "confimation" mail sent to new address, wow day two dealing with perfect world and already major issues with accounts. made in Asia...
I put in a ticket yesterday morning and I still havent gotten any news except for the automated reply. I was enjoying myself playing the game however the longer they make me wait for my account and the more I hear about how easy it was for people to sidestep the supposed security they have in place the less I want to play.
0
bulldoggMember, Neverwinter Beta UsersPosts: 0Arc User
edited May 2013
Not even an auto reply yet for me or any of my friends or guildmates. Cannot do anything now as the "new" owner of my account has changed everything. As stated before I have "former" guildmates with support tickets going on 12 days without even a first response..so after spending 300 bucks this week it seems I am no longer going to be playing PWI games..
Not even an auto reply yet for me or any of my friends or guildmates. Cannot do anything now as the "new" owner of my account has changed everything. As stated before I have "former" guildmates with support tickets going on 12 days without even a first response..so after spending 300 bucks this week it seems I am no longer going to be playing PWI games..
While i'm less worried about NW, as I didn't have to much stuff on my level 60 cleric or my 30 something TR, I am worried about STO where I had quite a few things purchased. These rash of compromised accounts and the poor customer support response could lose them alot of business and they would deserve it.
I kinda want to play today but as this is an account I just made so I could post if I needed to I just don't see the point.
3 of your friends all had the same issue at the same time? That can't be coincidence. Do you all log into the same forum, and use a common password for your accounts?
When multiple "friends" all have it happen at the same time, from my experience, it's because they were all sharing account logins and either one of the "friends" went to a website they shouldn't have...or one of the "friends" decided it was time to rob the other "friends".
actually that's not what happened to me. Someone tried to hack mine last week or so, and the email was sent to my old account saying "press this link if you did make this change to confirm."
I've logged in since then so I'm pretty sure it worked by my not confirming the email change.
When multiple "friends" all have it happen at the same time, from my experience, it's because they were all sharing account logins and either one of the "friends" went to a website they shouldn't have...or one of the "friends" decided it was time to rob the other "friends".
Comments
I lost access to all my @provider emails and password changes and resets would all go to an email address I could no longer respond to, so in most of those situations you have to update your email address before you change your password.
If you don't you can get locked out of your account as the confirmation email will go to an address you can't access forcing you to contact customer service which is a pain believe me.
I see you point about getting hacked and the hacker changing your email address though not sure what a good solution would be I don't think sending an email to the old or both old and new addresses is the answer.
For example the email address I had back then was guardian@provider which I am sure someone else snagged as soon as my former provider released it, if they sent it to both then someone else could respond and get control of you account but maybe a optional security question to answer before you could change the password or email address might slow them down.
Well, I get why they do what they do, it would be nice if they put the email address it was changed TO, just to know.
I woke up this morning (5/17/2013) and saw in my email inbox this exact email. Someone has gone in and hacked me. I have recently started using the website that allows you to craft and access the AH while you are away, and I wonder if there is any connection there.
Also, funny thing is, I purchased ZEN last night, and started buying a few things off the AH. Again, no idea is there is a connection.
So now, I cannot get into my account, someone else is doing something with it. And the website for reporting this stuff is awful. They need a very clear, concise "wizard" for reporting these stolen account instances.
I will be watching the forums to see if there was a big hit or anything last night.
Narayan
Hell, I would take that at this point. I am baffled as to how I got hit. I saw somewhere there was speculation about Founders getting hit, which I am one/was one. I guess the account is gone since all those other folks haven't heard back from PW.
At this point your only hope is to email customer support.
[SIGPIC][/SIGPIC]
Wow. Yea I have sent in 2 tickets, one from the site and one under this temporary account. Hopefully everyone else out there is sending so they can pick up on the pattern.
So you were able to see all your stuff was gone? How did you do that? Did you get back in right before they changed it?
I was still logged in via my browser. (Still am, apparently - cookie?) I can see what the email address was changed to and that all my zen is gone, but I can't change the email address or the password because the hacker changed my password too. It's really pretty messed up. (I'm guessing my 2 million in AD will also be gone, assuming I ever manage to get the account back.)
Oh man. That is kinda weird.
Well, they closed the thread where people were reporting the issues. Go figure. Oh well, hurry up and wait for Customer Service to "reply".
Wrong. If you have Cryptic's Account Guard turned on you any attempt to login to your account even with a browser elicits an email to your registered email address with a PIN that you need to finish loging in. The email also contains a link to revoke the access.
But to have that you must TURN ON ACCOUNT GUARD. If you don't have that turned on you don't get the protection of an email about the change.
[SIGPIC][/SIGPIC]
I do not know if that is entirely accurate. I received the email PINs for adding new computers access, and new browsers (when using the Gateway). I did not receive the same PIN verification when I was hacked at 2 AM this morning.
And why arent those turned on by default?
And this is not working the way you described it. Just tested it and took all of 3 minutes to verify how easy it would be to hack an account if the password is gained. I have one PC saved on account guard, my home PC. I am logged in posting right now on this forum from work on a completely different PC, and I was never asked to auth this PC. I can change my email if I want to or my password RIGht NOW from an UNAUTHORIZED PC.
So what the hacker is doing is changing the email address to the account first, then changing the password, then logging into the game account. Account guard then sends the NEW EMAIL ADDRESS THEY CHANGED IT TO the pin that needs to be used to auth the new PC onto the account.
Your password is really the only thing protecting you folks. Dont fall for the phishing attempt or third party sites. Dont hand it out to anyone.
Most of the time email change of address warnings dont require a response unless it wasnt you that made the request.
If your account is accessed by a new computer or browser a five-digit code is sent to your registered email address - you must then type in the code before access is granted. Your email and password cannot be changed unless that computer/browser are authorized access.
I may be mistaken, but I believe the default for this "option" is turned on in your account settings. If the default is turned off, then PWE should change this. For those whose accounts have not been hacked (yet) I recommend you go into your account settings and turn this verification option ON.
3 of your friends all had the same issue at the same time? That can't be coincidence. Do you all log into the same forum, and use a common password for your accounts? It is important to use unique passwords for all accounts you have, especialy your email and any account that has money tied to it. Also, never click on links your receive in your email unless you are 100% sure it is authentic. Don't ever give any personal information to a stranger that calls you on your phone, and most important, don't blink, blink and your dead, don't turn away, and what ever you do, don't blink.
Where is this settings button with which you can toggle Account Guard? I've checked within the "My Account" button and looked at the Account Guard FAQ but haven't been able to find exactly how to access this feature unless I play STO or CO which I don't.
While i'm less worried about NW, as I didn't have to much stuff on my level 60 cleric or my 30 something TR, I am worried about STO where I had quite a few things purchased. These rash of compromised accounts and the poor customer support response could lose them alot of business and they would deserve it.
I kinda want to play today but as this is an account I just made so I could post if I needed to I just don't see the point.
When multiple "friends" all have it happen at the same time, from my experience, it's because they were all sharing account logins and either one of the "friends" went to a website they shouldn't have...or one of the "friends" decided it was time to rob the other "friends".
I've logged in since then so I'm pretty sure it worked by my not confirming the email change.
Stop blaming the victim. It is reprehensible.