"
"
"
Even if everything is lost and I’m extremely disappointed, why does this still keep happening?
This is not the first time!!
No compensation at all — nothing.
I believe you should have much stronger security for logging into the game.
I’m not going to play anymore. I’m completely let down.
The fact that someone could just access my account and take everything as if it were their own is unbelievable.
There was literally no notification that someone was trying to log in!
Compensation for what?
For having all the time and effort they've put into the game stripped because of GGG's lack in security.
Hacked accounts have been a pretty major issue, since 0.1, clearly widespread enough to be confident it's a problem on GGG's side. They clearly have to step up their security and make it stop.
And if they can't, they should probably try to restore the stolen items from people, at least in standard.
Nobody really cares that much about standard economy and current "standard" will be borderline discarded as a "legacy" league when 1.0 comes out (or so they've said) so it shouldn't be too bad.
There is no security issue. For sure they are using the same tech for poe2 auth as for poe1 auth.
To "hack" accounts, there needs to be either sus software on the client's machine, phishing or a breach on GGG's side. The latter won't be the problem, because that would have been made public.
So, as most of the time, it's the client's issue. Nothing GGG can do about that. Nothing they should or could compensate.
Posted by bloomhead#3858 on Apr 20, 2026, 10:06:41 AM (On Probation)

Right now all it takes to steal someone's stuff is their password, which can be stolen a million different ways (online dumps, malware, just knowing the person or having access to their PC).
Mr. Hacker keeps talking about accountability, but all that's really being asked is a very basic and standard security layer in the form of 2FA/login notifications. This very essential deficiency will be a much larger issue when the game goes F2P.
Posted by Tommo26#1554 on Apr 20, 2026, 11:25:35 AM

"
Right now all it takes to steal someone's stuff is their password, which can be stolen a million different ways (online dumps, malware, just knowing the person or having access to their PC).
Mr. Hacker keeps talking about accountability, but all that's really being asked is a very basic and standard security layer in the form of 2FA/login notifications. This very essential deficiency will be a much larger issue when the game goes F2P.
You don't seem to understand how obtaining a password is achieved. And there you go: "online dumps, malware, just knowing the person or having access to their PC". There are not a "million" ways, and most of what you've written is the user's fault.
You really think these people would use 2FA? No, they'd complain that it's too much trouble, because it's annoying.
And just btw: Use Steam and there's your 2FA. ezpz.
Posted by bloomhead#3858 on Apr 20, 2026, 11:56:23 AM (On Probation)

Since OP is so resistant to acknowledging it's only his fault and nothing can realistically be done... I genuinely wonder whether he wants to invent a new dupe method.
Last edited by SalamiHaze#9389 on Apr 20, 2026, 3:29:17 PM
Posted by SalamiHaze#9389 on Apr 20, 2026, 3:27:57 PM

[Edit: deleted first part...I've mixed something up]
Think about another fact as well: If it was that easy to hack into an account, nobody would ever use poe.ninja for example which shows the whole world how good your equip is, because the Top50 would be the target No. 1 for hacks. Hacking reports in forums would be legion, but actually you barely see one in several months.
Why does everyone believe blindly when someone says: "My multiple mirror account was hacked, I want everything back". [Removed by Support]
HCSSF - What else?
Last edited by Supercow_X#7071 on Apr 20, 2026, 11:30:22 PM
Posted by Supercow_X#7071 on Apr 20, 2026, 3:55:48 PM

"
It wasn’t that simple. I had a strong password, and it was strange to me that someone got in without any notification.
The funniest part is that when I reported it, GGG locked my account. Then I spent 3 days sending emails, screenshots, and different kinds of verification — it was a nightmare.
[Removed by Support]
And on POE 2, the hacker just logs in and out like nothing happened.
If your poe account is standalone, then your email was compromised, and you should look there for suspicious login notifications. Your strong poe password can be changed to anything with your email access.
If your poe account is linked through Steam, your Steam was compromised (which could again be email, could be another vector; stealing Steam accounts is an industry by now).
My poe account email just doesn't have a "forgot password?" button. Use secure email providers, not gmail slop.
edit: however I do agree with you that GGG procedures are awful, they lock accounts in 3 sec (including faulty automatic bans), then you must plead your innocence for weeks. GGG could've made their own 2FA via TOTP a long time ago, and greatly reduced dependency on faulty user email security.
Last edited by Echothesis#7320 on Apr 20, 2026, 11:34:35 PM
Posted by Echothesis#7320 on Apr 20, 2026, 11:28:29 PM

I don't see any reason not to have 2FA. It's just a standard authentication layer and it makes sense to have it implemented for PoE. GGG is not a small indie company anymore and this is by no means a costly feature.
Never been "hacked", don't think I ever will be either. My acc is just not that interesting and I play through Steam. But I'll support things that just make sense.
Posted by Tommo26#1554 on Apr 21, 2026, 1:37:24 AM

"
I don't see any reason not to have 2FA. It's just a standard authentication layer and it makes sense to have it implemented for PoE. GGG is not a small indie company anymore and this is by no means a costly feature.
Ok, but only as an option, not mandatory.
Combat Balance > Feelings
Posted by Evergrey#7535 on Apr 21, 2026, 3:25:21 AM

"
I don't see any reason not to have 2FA. It's just a standard authentication layer and it makes sense to have it implemented for PoE. GGG is not a small indie company anymore and this is by no means a costly feature.
Never been "hacked", don't think I ever will be either. My acc is just not that interesting and I play through Steam. But I'll support things that just make sense.
Looks like you've never implemented 2FA for anything. It's not as trivial as you think. And as you've said yourself: Use Steam and there's your 2FA.
Posted by bloomhead#3858 on Apr 21, 2026, 3:42:35 AM (On Probation)

"
To "hack" accounts, there needs to be either sus software on the client's machine, phishing or a breach on GGG's side. The latter won't be the problem, because that would have been made public.
I mean - it has happened at least once before.
Not at least offering 2FA support after the below really is a contemptuous approach to security.
Data Breach Notification
"
Last week we became aware that a PoE account with admin access to the website owned by one of our developers had been compromised. This gave them access to the tools that our customer support agents use.
We immediately locked the account, and forced password resets on all other admin accounts. We then began an investigation into what had occurred.
The PoE account in question was linked to an old steam account that was created by a developer for testing a long time ago, and didn't have any purchases on it. The compromise occurred when the attacker was able to supply enough information to steam support to steal the account.
Since the account was a regular steam account and had no purchases, phone numbers, addresses or other information associated with it, the only information that they were required to supply was the email, account name and be using a VPN from the same country.
The attacker set random passwords on 66 accounts. Unfortunately there was a bug in the event log for this particular support action that allowed the attacker to delete the event showing that the change had occurred. This bug doesn't exist for other support actions and has been fixed now.
The attacker also viewed account information for a significant number of accounts through our portal.
For those accounts they got access to the following private information:
- Email Address if the account had one associated
- Steam ID if the account had one associated
- IP Addresses that the account had used
- Shipping address if the account had previously had physical goods sent
- Current Unlock Code for unlocking accounts locked due to logging in from a different region
No passwords or password hashes were viewable through the customer service portal.
In addition there are some accounts where the attacker looked at transaction history which would have shown a list of previous purchases.
There are also some accounts where the attacker looked at the private message history on the account. Many of these are for GGG staff.
It is probable that the attacker would be able to compare email addresses found using our portal against publicly available lists of compromised passwords from other websites in order to find accounts that shared the same password with their PoE account. If that was the case, they would have been able to bypass the region locking using the unlock code.
We have taken steps to ensure that there are more security measures around admin accounts so that this can not happen again. No 3rd party accounts are allowed to be linked to any staff accounts and we have added significantly more stringent IP restrictions.
We are incredibly sorry for this lapse in security. The measures taken to secure the admin website really should have already been in place and in the future we will be taking even more steps to make sure that this kind of issue never occurs again.
GGG do not offer first-party Technical Support.
Free Technical Support guides created by the community are available here: https://www.poecommunity.help
No ads, trackers, or other weird stuff.
Posted by Sarno#0493 on Apr 21, 2026, 5:07:31 AM
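
The breach notice quoted above describes a support action whose log event could be deleted. One way to make that kind of deletion detectable is a hash-chained log whose head is checkpointed outside the support tool; this is an added example, not GGG's fix (the notice does not say how the bug was fixed), and the event fields, agent and account names are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64

def _digest(prev_hash: str, event: dict) -> str:
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log: list, event: dict) -> None:
    """Add an event whose hash commits to everything logged before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev_hash,
                "hash": _digest(prev_hash, event)})

def verify(log: list, expected_head: str, expected_len: int) -> list:
    """Return a list of problems; an empty list means the log is intact."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            problems.append(f"entry {i}: broken link, an earlier entry was removed or altered")
        if entry["hash"] != _digest(entry["prev"], entry["event"]):
            problems.append(f"entry {i}: content does not match its hash")
        prev = entry["hash"]
    # The checkpoint lives where the support tool cannot write, so dropping
    # the newest entries is caught even though the remaining chain is valid.
    if len(log) != expected_len or prev != expected_head:
        problems.append("head mismatch: log differs from the stored checkpoint")
    return problems

def sample_log() -> list:
    """Constructed support-tool events, not real data."""
    log = []
    for action, account in [("view_account", "acct-101"),
                            ("set_password", "acct-102"),
                            ("view_account", "acct-103")]:
        append(log, {"agent": "support-7", "action": action, "account": account})
    return log

if __name__ == "__main__":
    log = sample_log()
    head, length = log[-1]["hash"], len(log)
    del log[1]                        # the password-change event disappears
    for problem in verify(log, head, length):
        print(problem)
```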