http://www.pathofexile.com/forum/view-thread/172532

A couple of weeks ago I posted here explaining the common ways that users are having their passwords compromised by attackers.

We're now seeing an increase in the rate at which the attackers are stripping these accounts of their valuable items. As soon as we had the realm stability issues sorted out, we started work on new account security measures that should make it difficult for attackers to use stolen passwords to access your accounts.

I want to be completely clear - our security has not been breached. If our database had been compromised, the accounts that attackers would target first would be the most wealthy players, the high profile streamers or the developers. Imagine how much it'd be worth to compromise my account? Kripparrian's? The top people on the ladder? These people have not lost their passwords. There has been a 0% rate of developer accounts being accessed by overseas IPs. The accounts that are being targeted are generally mid-low playing accounts, typically associated with the usage of hack software. We often have users write into support complaining about side effects of their maphacks, only to later report the same day that their items have been stolen. It is worth pointing out that these hack programs are bannable, and while we haven't yet done a banwave, the thousands of people who use them will lose their accounts due to it if they are still running them as we turn on our countermeasures.

I've spent massive amounts of time going through logs of IP usage and talking to people who have been compromised. In almost every case, it was due to violating one of the security practices we've outlined in the post I mentioned at the top of this one. Players have been using the same passwords on insecure community sites, running malware, clicking phishing links and have pre-compromised machines that are part of botnets. Now that the attackers who have these passwords have some degree of automation, they appear to be stripping accounts more quickly than before, resulting in a big increase in the reports of hacking. We are mass-banning IP addresses that are used for this theft, but due to the use proxies, it's very hard to stop it in this way.

I'm not claiming that everyone that has lost items has run an illegal hack program. Many users have merely re-used passwords, had an insecure version of Java when browsing infected community sites, or accidentally clicked a bad link and logged into a fake version of our site. These are very easy mistakes to make unless you are extremely careful.

This situation is exactly why games have security systems in place to prevent people accessing accounts in this way. Path of Exile does not yet have such a system, but it will do very soon. We're a very small team of developers and have been working long hours for the last month to address these issues and other stability ones (that are now thankfully much better). Within a week we expect to launch the account security improvements which would mean that even if you do have your password compromised, it's still hard for people to access your account. We may be able to deploy the first improvements that help with in the next 48 hours.

People have asked us why we don't restore accounts when they are hacked. The reason is that the outcome of this would be far, far worse for the game. I understand it's hard to see that perspective when you're staring at an empty stash where your items were, but please consider what would happen to the economy if players could request their items to be restored due to theft. It would be very easy to fake an account theft - just ask a friend from elsewhere to log in and take your items before contacting support and asking for a restoration.

If our policy was to restore in a way that duplicated the items, this would be a free duplication method that people could easily use. If our policy was to take the items back from the attacker without duplicating them, then this would result in a free tradehack that anyone could use. In either case, the economy would be destroyed.

It's currently taking our staff the entire day just to process our existing volume of support requests. Not only would thoroughly investigating each claim take far too long, but the very fact we were doing it would encourage people to abuse it as hard as they can. For all of those reasons, it is not an option to restore items under any circumstances.

This whole situation is a lesson in why it is inadequate to assume that passwords are sufficient security. I am very, very sorry that we did not have better security measures to make stolen passwords useless when we entered Open Beta. Thankfully there are improvements to this coming very soon so that it won't be a problem in the future. I will work every evening and through the weekend to make sure that these fixes are deployed as soon as humanly possible. Although people will probably still lose their passwords, the attackers will hopefully not be able to actually get any items from it and then they'll stop bothering.

This is also a lesson in how many users are running infected software. Although we have an active community of over a million monthly users, we're seeing thousands and thousands of accounts running software that is known to be infected with keyloggers. Even if our security measures mean that this software doesn't result in your items being stolen, it will still result in your account being banned for trying to cheat.

If you're worried about having your items stolen and you have not run any strange software, just change your password, don't click weird links and don't use the same password on other sites. That's what I do and no one has hacked my account yet.

Maybe they need to sell authenticators. Because you know only Blizzard has ever had security problems. It's never happened like this to any other company. It's never the fault of the hackers or players failing to secure their accounts properly. It's always the fault of the evil greedy Corporation suits.

On a more serious note I hope you get your stuff back but I don't think Grinding Gears Games was prepared for this. Be patient they're doing the best they can.

As mentioned above, the timing of this wave of hacks doesn't jibe with dev claims that blame lies entirely upon the poor practices of users. Yes people can be idiots when it comes to security online. 'Hacks' from mistakes on the users' end will have started in earnest with open beta and the announcement of the last wipe.

Many accounts getting looted all at once is another thing entirely. You could make a case that groups behind maphacks downloaded by idiots may have waited till they got their tools and targets in order to all go in at once (apparantyly much of the looting was extremely efficient and fast,) but you'll never convince me that everyone that got hit this time were clients of dodgy cheat sites.

People say a safe computer is one that's never been connected to anything outside of itself, meaning that you can use safe practices but never be 100% safe if you venture out into the internet. Well this applies to developers along with players. Categorically denying even the prospect of culpability does not strike confidence in me with GGG. Even if they were super tight on their end this time, refusing to entertain the notion that it wasn't all idiot players doesn't send me the message that they're on top of things, it seems to me that they're more likely now to slip up due to overconfidence or that they're less proficient with security than they want me to think.

Originally posted by gnerex2
Im one of the victims , my account got hacked i lost lots of orbs and several orange items , and hell no i dont use hacks and i dont have keyloggers and i have good security, antivirus program , but im not the only one in ONE DAY LOTS OF ACCOUNTS HAD BEEN HACKED LIKE A WAVE , AND GGG BLAME THE VICTIMS , USERS U WILL GO DOWN IF THIS KEEP CONTINUING LIKE THAT  LOVE & PEACE \m/.....and good luck

you have no clue what your talking about. I bet your one of those guys that use the same password on EVERY game. And come complain about beeing hacked. Its easy to that once you get a 3rd party homepage or forum hacked you get all the infos. After that you need jsut to try that data on every game. iM pretty sure thats how you got hacked.

mass account hacks dont happen just because those players didnt secure their accounts enough or got keyloggers or whatever. That is valid, but it is also lack of security from the company. Both mixed result in easier massive hacking....

Remember what happened to Sony? they had unsecured and outdated databases. If it happened to a ginormous company like Sony, it can happen to a tiny company like GGG.

Also, like someone said before. Account hackings, as well as gold selling and bots, happen when games become popular. They wouldnt waste time in empty games that nobody care about