Maczuga

Hacked account - not a request


Hello, I've got my account hacked like 2-3 hours ago (last time I checked at 10 AM UTC it was just fine). It's partially my fault - I didn't have the 2 factor auth, but I'll get my gear back. Yet something is fishy here.

As you can see - accounts are being hacked in waves, mostly at the same times. It takes some time for people to get users' passwords. As far as I remember WoW is using this way to crypt passwords MD5(username:password), so bypassing by password really takes some time. Also passwords aren't case-sensitive in WoW which makes it easier, but still it should be hard to guess.

1. Why isn't Elysium locking the account/IP after X unsuccessful attempts? This would decrease the potential amount of hacked accounts if passwords are being guessed by hackers.

2. If you are storing our passwords as plain text in the database - please STOP! I bet this is the case, because the amount of hacked accounts DAILY is huge. Also you should really provide some proof that you are keeping our passwords safe!

PS: Even a simple notification on email after an unsuccessful attempt would be a great thing to protect our accounts!

Edited by Maczuga
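
The lockout-after-X-failures and failed-login-notification ideas raised in the post above, sketched as an added example (not part of the thread and not Elysium's code). The class name, thresholds, account name and IP addresses are assumptions constructed for illustration.

```python
import time
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window lockout keyed by account name and by source IP (hypothetical)."""

    def __init__(self, max_failures=5, window=900, lock_seconds=1800,
                 notify=None, clock=time.monotonic):
        self.max_failures, self.window, self.lock_seconds = max_failures, window, lock_seconds
        self.notify = notify or (lambda account, ip: None)
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lock expires

    def _keys(self, account, ip):
        # Assumption: account names compare case-insensitively, so fold case
        # to stop "Player1" and "PLAYER1" from getting separate counters.
        return ("acct", account.casefold()), ("ip", ip)

    def is_locked(self, account, ip):
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now for k in self._keys(account, ip))

    def record_failure(self, account, ip):
        now = self.clock()
        self.notify(account, ip)  # e.g. queue an e-mail to the account owner
        for key in self._keys(account, ip):
            q = self.failures[key]
            q.append(now)
            while q and q[0] <= now - self.window:  # drop failures outside the window
                q.popleft()
            if len(q) >= self.max_failures:
                self.locked_until[key] = now + self.lock_seconds
                q.clear()

    def record_success(self, account, ip):
        # Clear only the account counter: one valid login from an address must
        # not erase the evidence of that address failing against other accounts.
        self.failures.pop(("acct", account.casefold()), None)

def demo():
    t, alerts = [0.0], []  # constructed clock and alert sink
    th = LoginThrottle(3, 60, 300, lambda a, ip: alerts.append((a, ip)), lambda: t[0])
    for _ in range(3):     # constructed scenario: three wrong passwords, one source
        th.record_failure("player1", "203.0.113.7")
        t[0] += 1
    return th, t, alerts
```

A per-account lock lets anyone who knows an account name lock its owner out for `lock_seconds`, which is why the lock here expires on its own instead of requiring staff action.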


I think the idea of locking an account for a period after unsuccessful attempts is a good idea. I'm not sure if this is already implemented in some shape or form. I'm also not sure if this is even possible with Vanilla, but maybe. I notified some of the Community Managers of this thread, so hopefully they will give us some context on the situation.

Good questions though! I know that the staff here cares about each individual's security, and wouldn't do anything unreasonable to compromise that.

Edited by Shiamorah


So, you managed to get yourself hacked. Grats. At least the hacker didn't delete your toons as some do.

None of your gold and none of your items will be restored. (An exception is items acquired through end game quests such as Lok Delar or Benediction).

Change password and set up 2FA to avoid getting hacked in the future. See my profile's about me section for instructions.

Even if they do store passwords as plain text, it's still your fault for failing to enable 2FA. Even if the haxxor has your password, they still wouldn't be able to capwn you without your authenticator.

So, your post is basically wasting ppl's time.


It is pretty obvious this guy isn't looking to get his gold or items restored, or looking for information about 2FA. He isn't wasting anyone's time, he is just wondering general questions that really can't be answered by anyone besides those associated with the project.

10 minutes ago, Erjh8765 said:

So, you managed to get yourself hacked. Grats. At least the hacker didn't delete your toons as some do.

None of your gold and none of your items will be restored. (An exception is items acquired through end game quests such as Lok Delar or Benediction).

Change password and set up 2FA to avoid getting hacked in the future. See my profile's about me section for instructions.

Even if they do store passwords as plain text, it's still your fault for failing to enable 2FA. Even if the haxxor has your password, they still wouldn't be able to capwn you without your authenticator.

So, your post is basically wasting ppl's time.

So you are posting the same stuff under every thread about hacking? And you claim that if someone stores your password as plain text it is ok? I didn't even ask about any account/character restore. I'm not wasting anyone's time, just asking the right questions, that need to be answered, because all of this account hacking seems to be easy. Also if hackers were guessing those passwords - tell me how lucky they were when they were guessing a 12-char password mixed with characters and digits? It's highly unlikely, unless you have a solid source of all account passwords, because encryption of a single account password would take days, because of the hash that WoW is using for authentication (as I said - MD5(username:login)), yet we have a lot of accounts hacked. More than this - how does the hacker know the account name? Trust me - Elysium staff either have a huge leak in the account database, or had a mole all the time. So it's not only a password issue. You have to guess BOTH account name AND password.

Edited by Maczuga

2 minutes ago, Maczuga said:

So you are posting the same stuff under every thread about hacking? And you claim that if someone stores your password as plain text it is ok? I didn't even ask about any account/character restore. I'm not asking anyone time, just asking the right questions, that need to be answered, because all of this account hacking seems to be easy. Also if hackers were guessing those passwords - tell me how lucky they were when they were guessing a 12-char password mixed with characters and digits? It's highly unlikely, unless you have a solid source of all account passwords, because encryption of a single account password would take days, because of the hash that WoW is using for authentication (as I said - MD5(username:login)), yet we have a lot of accounts hacked. More than this - how does the hacker know the account name? Trust me - Elysium staff either have a huge leak in the account database, or had a mole all the time. So it's not only a password issue. You have to guess BOTH account name AND password.

My knowledge is that an unrelated WoW private server had its entire database compromised, which is what sparked the increased amount of security, and the creation of the 2FA system here. So anyone that has the same account name and password on that server can be compromised. But, your questions are still valid and should be answered, for the benefit of everyone.

Edited by Shiamorah

1 minute ago, Shiamorah said:

My knowledge is that an unrelated WoW private server had its entire database compromised, which is what sparked the increased amount of security, and the creation of the 2FA system here. So anyone that has the same account name and password on that server can be compromised. But, your questions are still valid and should be answered, for the benefit of everyone.

Good to know, yet I don't think this might be the case in my situation. I wasn't playing WoW on private servers for the last 3-4 years, I came here from retail before the start of 7.1.5. Let's wait for some statement from a staff member.

3 minutes ago, Tomcatbg said:

So they gonna give you back your gear? I got hacked too, lost everything!

No, Elysium staff won't give it back. That's normal - too many cases, it would take too much time to restore anyone's characters. The point of this thread is to get answers to some important questions about security, because if our passwords are not encrypted in the database, then we might have huge security issues if we are using the same authentication details on other services. So even with 2FA auth, we are not really safe, because if we use the same password elsewhere then this is a huge security issue.

Edited by Maczuga

