Data Breach Notification

2FA. 2FA? 2FA! 2FA 2FA 2FA 2FA

C'mon, it's 2025. Step it up.
Beverice#3588 wrote:
Will people who have had their accounts lost or items stolen receive support in getting those back?
PoE#8983 wrote:
How is this a response?

What happens to the items they stole? This is on GGG.
You said they looked at a significant amount of accounts information.

How are we supposed to protect our accounts now that someone could possibly have all the information needed to recover the account through support.

For those accounts they got access to the following private information:
Email Address if the account had one associated
Steam ID if the account had one associated
IP Addresses that the account had used
Shipping address if the account had previously had physical goods sent
Past purchases

This is all the information needed for someone to recover an account through Support. What is anyone supposed to do if they were one of the people?

It was a support-admin account the attacker hijacked. The GGG support does not have your passwords. What the attacker could do is compare mails with known compromised account databases that use the same password everywhere.

GGG cannot fix people too lazy to use unique passwords.

Guys, please ...
Last edited by Cocofang#3395 on Jan 14, 2025, 7:00:45 PM
Will you be contacting the impacted accounts? If they have all that information about thousands of accounts what are we supposed to do about it?

As a side note, maybe this incident should be a wake-up call to have better moderation practices in general, considering all the reports of preemptive bans of people being in the same guild as people with hacked accounts, or the lack of investigation into those cases prior to bans, or the difficulty in getting hacked accounts restored rather than permanently banned (assuming those reports are true).

Also not having 2FA even though it's been a requested feature for years.
Last edited by ammo109#3805 on Jan 14, 2025, 6:58:31 PM
Cocofang#3395 wrote:
Beverice#3588 wrote:
Will people who have had their accounts lost or items stolen receive support in getting those back?
PoE#8983 wrote:
How is this a response?

What happens to the items they stole? This is on GGG.
You said they looked at a significant amount of accounts information.

How are we supposed to protect our accounts now that someone could possibly have all the information needed to recover the account through support.

For those accounts they got access to the following private information:
Email Address if the account had one associated
Steam ID if the account had one associated
IP Addresses that the account had used
Shipping address if the account had previously had physical goods sent
Past purchases

This is all the information needed for someone to recover an account through Support. What is anyone supposed to do if they were one of the people?

It was a support-admin account the attacker hijacked. The GGG support does not have your passwords. What the attacker could do is compare mails with known compromised account databases that use the same password everywhere because lazy.

Guys, please ...

The stream mentioned the fact that they were able to reset the passwords on several accounts, which allowed them to then access those accounts, then they were able to delete the notes that logged the password reset.
Last edited by Wizbaggd#6137 on Jan 14, 2025, 7:01:23 PM
Thank you for publishing this.
This needs to be pinned to the front page.
big L

no 2fa even bigger L

adding 2fa will be a big w

Cocofang#3395 wrote:
Beverice#3588 wrote:
Will people who have had their accounts lost or items stolen receive support in getting those back?
PoE#8983 wrote:
How is this a response?

What happens to the items they stole? This is on GGG.
You said they looked at a significant amount of accounts information.

How are we supposed to protect our accounts now that someone could possibly have all the information needed to recover the account through support.

For those accounts they got access to the following private information:
Email Address if the account had one associated
Steam ID if the account had one associated
IP Addresses that the account had used
Shipping address if the account had previously had physical goods sent
Past purchases

This is all the information needed for someone to recover an account through Support. What is anyone supposed to do if they were one of the people?

It was a support-admin account the attacker hijacked. The GGG support does not have your passwords. What the attacker could do is compare mails with known compromised account databases that use the same password everywhere.

GGG cannot fix people too lazy to use unique passwords.

Guys, please ...

The post mentions that they "also viewed account information for a significant number of accounts through our portal."

They did not change these passwords. They viewed all the information that GGG support uses to recover accounts. What do people do with stuff they view on the internet? They can screenshot it and save it for later.

This means that if they viewed your account information, they could have screenshotted the information and could possibly use it later to recover accounts through support like they did with the GGG admin account through steam support.
It is probable that the attacker would be able to compare email addresses found using our portal against publicly available lists of compromised passwords from other websites in order to find accounts that shared the same password with their PoE account. If that was the case, they would have been able to bypass the region locking using the unlock code.

lol people crying for 2FA when they use the same password everywhere
I hope you will FINALLY enforce 2FA across the board for all account related information...
These things happen and there is no service that is not under attack, so it is of utmost importance to use security layers where applicable.
If you enforced 2FA the chances of this happening would be much lower. PLEASE finally address this. We have begged for years for this.
Please use for your guides instead of pastebin!
