"
"
To "hack" accounts, there needs to be either sus software on the client's machine, phishing or a breach on GGG's side. The latter won't be the problem, because that would have been made public.
I mean - it has happened at least once before.
Not at least offering 2FA support after the below really is a contemptuous approach to security.
Data Breach Notification
"
Last week we became aware that a PoE account with admin access to the website owned by one of our developers had been compromised. This gave them access to the tools that our customer support agents use.
We immediately locked the account, and forced password resets on all other admin accounts. We then began an investigation into what had occurred.
The PoE account in question was linked to an old steam account that was created by a developer for testing a long time ago, and didn't have any purchases on it. The compromise occurred when the attacker was able to supply enough information to steam support to steal the account.
Since the account was a regular steam account and had no purchases, phone numbers, addresses or other information associated with it, the only information that they were required to supply was the email, account name and be using a VPN from the same country.
The attacker set random passwords on 66 accounts. Unfortunately there was a bug in the event log for this particular support action that allowed the attacker to delete the event showing that the change had occurred. This bug doesn't exist for other support actions and has been fixed now.
The attacker also viewed account information for a significant number of accounts through our portal.
For those accounts they got access to the following private information:
- Email Address if the account had one associated
- Steam ID if the account had one associated
- IP Addresses that the account had used
- Shipping address if the account had previously had physical goods sent
- Current Unlock Code for unlocking accounts locked due to logging in from a different region
No passwords or password hashes were viewable through the customer service portal.
In addition there are some accounts where the attacker looked at transaction history which would have shown a list of previous purchases.
There are also some accounts where the attacker looked at the private message history on the account. Many of these are for GGG staff.
It is probable that the attacker would be able to compare email addresses found using our portal against publicly available lists of compromised passwords from other websites in order to find accounts that shared the same password with their PoE account. If that was the case, they would have been able to bypass the region locking using the unlock code.
We have taken steps to ensure that there are more security measures around admin accounts so that this cannot happen again. No 3rd party accounts are allowed to be linked to any staff accounts and we have added significantly more stringent IP restrictions.
We are incredibly sorry for this lapse in security. The measures taken to secure the admin website really should have already been in place and in the future we will be taking even more steps to make sure that this kind of issue never occurs again.
And how many accounts were affected out of how many?
So you don't have 2FA when using Steam?
Posted by bloomhead#3858 on Apr 21, 2026, 5:09:12 AM (On Probation)
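The event-log flaw described in the notification quoted above (a support action whose own record the attacker was able to delete) is, in design terms, a mutable audit log. As an added example that is not GGG's code or anything posted in this thread, here is a small tamper-evident, append-only log in Python: every entry commits to the SHA-256 hash of its predecessor, so deleting or rewriting a record breaks the chain for everything recorded after it. The class and function names (`MutableEventLog`, `AppendOnlyEventLog`, `verify_chain`), the actor and target labels and the sample events are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # constructed convention: hash the first entry chains to


@dataclass(frozen=True)
class Entry:
    seq: int
    actor: str
    action: str
    target: str
    prev_hash: str

    def digest(self) -> str:
        # Canonical JSON so the same entry always hashes the same way.
        payload = json.dumps(self.__dict__, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


class MutableEventLog:
    """Mirrors the flaw the notification describes: the code path that records
    a support action can also erase its own record, leaving no trace."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def record(self, actor: str, action: str, target: str) -> Entry:
        prev = self.entries[-1].digest() if self.entries else GENESIS
        entry = Entry(len(self.entries), actor, action, target, prev)
        self.entries.append(entry)
        return entry

    def delete(self, seq: int) -> None:
        # The defect: deletion is permitted and is itself not logged.
        self.entries = [e for e in self.entries if e.seq != seq]


class AppendOnlyEventLog(MutableEventLog):
    """Hardened variant: there is no delete path at all. A mistaken action is
    corrected by recording a compensating event, never by removing history."""

    def delete(self, seq: int) -> None:
        raise PermissionError("audit entries are append-only; record a compensating event instead")


def verify_chain(entries: List[Entry]) -> Tuple[bool, Optional[int]]:
    """Walk the chain from the genesis hash. Returns (True, None) if intact,
    otherwise (False, seq) for the first entry whose sequence number or
    prev_hash does not match what its predecessor implies."""
    expected_prev = GENESIS
    for position, entry in enumerate(entries):
        if entry.seq != position or entry.prev_hash != expected_prev:
            return False, entry.seq
        expected_prev = entry.digest()
    return True, None


def simulate_deletion() -> Tuple[bool, Optional[int]]:
    """Constructed scenario: three support actions, then the password change
    in the middle is deleted through the flawed log. The verifier flags the
    first entry after the gap."""
    log = MutableEventLog()
    log.record("support-agent-7", "view_account", "player-a")
    log.record("dev-admin-3", "set_password", "player-b")
    log.record("support-agent-7", "view_account", "player-c")
    log.delete(1)
    return verify_chain(log.entries)  # -> (False, 2)
```

The chain is the detection half of the fix; removing the delete path is the prevention half. A hash chain only proves tampering to a verifier that trusts something outside the mutable store (for example the latest head hash shipped to a separate system, or a copy of the chain on write-once storage); an attacker who can rewrite the whole list could otherwise rebuild every hash.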
"
And how many accounts were affected out of how many?
As GGG did not disclose this information, you would need to direct this question to them.
"
So you don't have 2FA when using Steam?
My brother in Christ, what is your obsession with Steam?
Okay, let's consider that platform;
- Is your position that people who don't otherwise use Steam should be expected to register Steam accounts, enable 2FA on those, link it to their PoE account, and then contact Support to ask that their email address be removed from their PoE account? (I don't even know whether Support does that on request btw.)
- Since PoE account security is apparently Valve's responsibility for no adequately explored reason, what is your suggestion to those that live in countries / regions where PoE is not available through Steam, in which case Support has always advised instead using the standalone client?
Your post does not seem in any way serious tbqh.
GGG do not offer first-party Technical Support.
Free Technical Support guides created by the community are available here: https://www.poecommunity.help
No ads, trackers, or other weird stuff.
Last edited by Sarno#0493 on Apr 21, 2026, 5:15:08 AM
Posted by Sarno#0493 on Apr 21, 2026, 5:14:26 AM
"
As GGG did not disclose this information, you would need to direct this question to them.
It's literally in the text. Maybe you should have read it.
"
My brother in Christ, what is your obsession with Steam?
My brother in Christ, because you get free 2FA, exactly what you're asking for. Do you even understand what you're talking about?
"
Okay, let's consider that platform;
- Is your position that people who don't otherwise use Steam should be expected to register Steam accounts, enable 2FA on those, link it to their PoE account, and then contact Support to ask that their email address be removed from their PoE account? (I don't even know whether Support does that on request btw.)
- Since PoE account security is apparently Valve's responsibility for no adequately explored reason, what is your suggestion to those that live in countries / regions where PoE is not available through Steam, in which case Support has always advised instead using the standalone client?
Your post does not seem in any way serious tbqh.
2FA can't help you when someone is in their system, because... he's in their system.
You don't seem to understand how 2FA works, or what it's for.
Posted by bloomhead#3858 on Apr 21, 2026, 5:19:15 AM (On Probation)
"
It's literally in the text. Maybe you should have read it.
Sounds like you didn't get as far as the thread title?
I'm not talking about password changes; they discussed data leakages for "a significant number of accounts". Including email addresses, which are a significant part of how people log into their account.
"
"
My brother in Christ, what is your obsession with Steam?
My brother in Christ, because you get free 2FA, exactly what you're asking for. Do you even understand what you're talking about?
As per my post - some people have the option of doing so, although it can be very far from being convenient. Since this is what you are apparently explicitly advocating for - can you confirm whether Support does remove account credentials upon request? Because, if not, it's neither here nor there.
"
2FA can't help you when someone is in their system, because... he's in their system.
You don't seem to understand how 2FA works, or what it's for.
If your approach to 2FA support is allowing anyone and everyone at the company to remove it from an account, then sure - it is of limited effectiveness, but even then it still helps with account credentials (e.g. email addresses) being accessed and used to attempt to access an account later even after their access to GGG's network has been brought to an end. Naturally, nobody has advocated for such a policy. Only a small number of specialised staff should be able to do that, and particular care should be taken towards the accounts used for that purpose.
Posted by Sarno#0493 on Apr 21, 2026, 5:25:38 AM
"
"
It's literally in the text. Maybe you should have read it.
Sounds like you didn't get as far as the thread title?
I'm not talking about password changes; they discussed data leakages for "a significant number of accounts". Including email addresses, which are a significant part of how people log into their account.
66. It's 66. Maybe you should read the stuff you post, before commenting.
And since you can't even read your own pasted text, further commenting is not necessary, since you've disqualified yourself already.
Posted by bloomhead#3858 on Apr 21, 2026, 5:29:55 AM (On Probation)
"
66. It's 66. Maybe you should read the stuff you post, before commenting.
And since you can't even read your own pasted text, further commenting is not necessary, since you've disqualified yourself already.
No number was ever provided for the number of people whose information had been accessed.
"
The attacker set random passwords on 66 accounts. Unfortunately there was a bug in the event log for this particular support action that allowed the attacker to delete the event showing that the change had occurred. This bug doesn't exist for other support actions and has been fixed now.
The attacker also viewed account information for a significant number of accounts through our portal.
For those accounts they got access to the following private information:
- Email Address if the account had one associated
- Steam ID if the account had one associated
- IP Addresses that the account had used
- Shipping address if the account had previously had physical goods sent
- Current Unlock Code for unlocking accounts locked due to logging in from a different region
Posted by Sarno#0493 on Apr 21, 2026, 5:31:46 AM
"
"
66. It's 66. Maybe you should read the stuff you post, before commenting.
And since you can't even read your own pasted text, further commenting is not necessary, since you've disqualified yourself already.
No number was ever provided for the number of people whose information had been accessed.
"
The attacker set random passwords on 66 accounts. Unfortunately there was a bug in the event log for this particular support action that allowed the attacker to delete the event showing that the change had occurred. This bug doesn't exist for other support actions and has been fixed now.
The attacker also viewed account information for a significant number of accounts through our portal.
For those accounts they got access to the following private information:
- Email Address if the account had one associated
- Steam ID if the account had one associated
- IP Addresses that the account had used
- Shipping address if the account had previously had physical goods sent
- Current Unlock Code for unlocking accounts locked due to logging in from a different region
Again, read the stuff you post thoroughly. Here, I'll help you, since you're kind of having a hard time:
"
No passwords or password hashes were viewable through the customer service portal.
Last edited by bloomhead#3858 on Apr 21, 2026, 5:35:41 AM
Posted by bloomhead#3858 on Apr 21, 2026, 5:35:20 AM (On Probation)
"
Again, read the stuff you post thoroughly. Here, I'll help you, since you're kind of having a hard time:
"
No passwords or password hashes were viewable through the customer service portal.
You are responding to something I never said.
Posted by Sarno#0493 on Apr 21, 2026, 5:37:31 AM
"
"
Again, read the stuff you post thoroughly. Here, I'll help you, since you're kind of having a hard time:
"
No passwords or password hashes were viewable through the customer service portal.
You are responding to something I never said.
You can't even follow a discussion. No further comments needed.
Posted by bloomhead#3858 on Apr 21, 2026, 5:40:15 AM (On Probation)
"
You can't even follow a discussion. No further comments needed.
You're the one who was responding to my link and my thoughts on why it was relevant.
I don't need to "follow" my own point - I understand it; I am the one making it.
1. How the Person Got Access in the First Place
The person gained access to GGG's system by talking their way past Steam Support.
2. How 2FA Would Have Prevented Access to GGG's Systems
Now, if GGG 1) had 2FA support, and, 2) implemented it properly, and, 3) mandated its use for all staff accounts then the data breach would never have occurred - even after Steam approved the sign in attempt, GGG's authentication server could have still forcibly demanded a 2FA code. You have said 2FA doesn't help if they already have access to GGG's "system", while seemingly not understanding that the primary goal of supporting 2FA is preventing such access in the first place.
3. You Are Wrong To Dismiss the Data Breach
In GGG's post which I have now quoted for your benefit multiple times, they vaguely disclosed that account information had been accessed for "a significant number of accounts". If you look at the categories of information accessed, it is exactly what Support asks for when dealing with "please help, I've lost access to my email account and can't sign in"-style requests. It is the very information used by Support to validate account ownership, at which point they help someone access the account. That information having been leaked is, consequently, a disaster.
Because of this breach there will be new account compromises continuing years into the future.
4. You Are Wrong About 2FA Not Being Effective
If someone who previously had access to GGG's customer service portal downloaded the account information belonging to "a significant number of accounts" (their words!) and tried leveraging that information to brute-force their way into accounts they now have the email addresses for, 2FA being enabled for those accounts would make this an order of magnitude more challenging.
At that point, it would essentially render such attacks non-feasible for most of all non-state actors. Potentially even state actors, if we hypothetically assume that GGG's approach to security is significantly more impressive than would appear to be the case.
I have no idea why you have spent multiple consecutive posts ranting about the number 66. This breach has almost certainly already resulted in a four-digit number of accounts being successfully accessed by unauthorised third parties. This will, sadly, continue for years into the future.
Posted by Sarno#0493 on Apr 21, 2026, 6:14:31 AM