So disappointed in GGG's support

"
Sarno#0493 wrote:
"
You can't even follow a discussion. No further comments needed.

You're the one who was responding to my link and my thoughts on why it was relevant.

I don't need to "follow" my own point - I understand it; I am the one making it.

1. How the Person Got Access in the First Place

The person gained access to GGG's system by talking their way past Steam Support.


2. How 2FA Would Have Prevented Access to GGG's Systems

Now, if GGG 1) had 2FA support, and, 2) implemented it properly, and, 3) mandated its use for all staff accounts then the data breach would never have occurred - even after Steam approved the sign in attempt, GGG's authentication server could have still forcibly demanded a 2FA code. You have said 2FA doesn't help if they already have access to GGG's "system", while seemingly not understanding that the primary goal of supporting 2FA is preventing such access in the first place.


3. You Are Wrong To Dismiss the Data Breach

In GGG's post which I have now quoted for your benefit multiple times, they vaguely disclosed that account information had been accessed for "a significant number of accounts". If you look at the categories of information accessed, it is exactly what Support asks for when dealing with "please help, I've lost access to my email account and can't sign in"-style requests. It is the very information used by Support to validate account ownership, at which point they help someone access the account. That information having been leaked is, consequently, a disaster.

Because of this breach there will be new account compromises continuing years into the future.


4. You Are Wrong About 2FA Not Being Effective

If someone who previously had access to GGG's customer service portal downloaded the account information belonging to "a significant number of accounts" (their words!) tried leveraging that information to brute-force their way into accounts they now have the email addresses for, 2FA being enabled for those accounts would make this an order of magnitude more challenging.

At that point, it would essentially render such attacks non-feasible for most of all non-state actors. Potentially even state actors, if we hypothetically assume that GGG's approach to security is significantly more impressive than would appear to be the case.

I have no idea why you have spent multiple consecutive posts ranting about the number 66. This breach has almost certainly already resulted in a four-digit number of accounts being successfully accessed by unauthorised third parties. This will, sadly, continue for years into the future.


1. How the Person Got Access
Yes, they social-engineered Steam Support — which means the attack vector was Steam's verification process, not GGG's authentication system. 2FA on GGG staff accounts wouldn't have changed the outcome if the attacker was operating through a legitimately approved Steam session. You're conflating two separate authentication layers.

2. Your 2FA Argument Has Three Big "Ifs"
You literally listed them yourself: GGG would have needed to 1) support 2FA, 2) implement it properly, and 3) mandate it. That's not an argument that 2FA would have prevented this — that's an argument that a completely different security infrastructure might have. You're critiquing a hypothetical GGG, not the actual breach.

3. The Breach Severity
"A significant number of accounts" is vague by design — companies write breach disclosures with legal teams present. Treating that phrasing as confirmation of your four-digit unauthorized access claim is speculation, not analysis.
4. 2FA Effectiveness Post-Breach
Here you've actually shifted your own argument. You started by saying 2FA would have prevented the breach, now you're saying it would make follow-on attacks harder. Those are different claims. The number fixation comment is a deflection. Stay on the actual points.
"
1. How the Person Got Access
Yes, they social-engineered Steam Support — which means the attack vector was Steam's verification process, not GGG's authentication system. 2FA on GGG staff accounts wouldn't have changed the outcome if the attacker was operating through a legitimately approved Steam session. You're conflating two separate authentication layers.

I am conflating nothing.

You can implement 2FA such that a user will be prompted for a code upon being redirected by an OAuth provider. While it is certainly possible to implement such logic exclusively as part of the standard email & password sign in process, that is a decision - and a poor one, at that.


"
2. Your 2FA Argument Has Three Big "Ifs"
You literally listed them yourself: GGG would have needed to 1) support 2FA, 2) implement it properly, and 3) mandate it. That's not an argument that 2FA would have prevented this — that's an argument that a completely different security infrastructure might have. You're critiquing a hypothetical GGG, not the actual breach.

For someone who has repeatedly critiqued my ability to follow a discussion, you are notably all over the map yourself.

My only point the entire time has been that 2FA would improve account security, and that the breach is a good argument as to why. If you are now conceding that 2FA support would have prevented the breach, then we now agree with one another - even if you aren't quite across that.


"
3. The Breach Severity
"A significant number of accounts" is vague by design — companies write breach disclosures with legal teams present. Treating that phrasing as confirmation of your four-digit unauthorized access claim is speculation, not analysis.

If a legal team were present - and I must say, I do hesitate to accept your speculation that one was - they would have almost certainly argued in favour of either "a number", or, "a large number".

It is completely valid to observe what GGG chose to acknowledge in their post.


"
4. 2FA Effectiveness Post-Breach
Here you've actually shifted your own argument. You started by saying 2FA would have prevented the breach, now you're saying it would make follow-on attacks harder. Those are different claims. The number fixation comment is a deflection. Stay on the actual points.

Thanks for attempting to define my argument for me.

I am arguing more broadly that 2FA support being released by GGG would improve PoE account security. There is nothing incorrect about noting multiple examples as to how it would have changed things. While I understand you might dislike seeing multiple examples as to how you had been wrong, I won't be narrowing my points just to make you feel better.
GGG do not offer first-party Technical Support.

Free Technical Support guides created by the community are available here: https://www.poecommunity.help

No ads, trackers, or other weird stuff.
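As an added example, not code from the thread, from Sarno, or from GGG: a sketch of the step-up check described above, where an identity-provider (e.g. Steam) callback is never sufficient on its own and the server still demands a TOTP code before issuing a session, with enrolment mandated for staff accounts. The `USERS` store, `login_after_oauth` and its return values are constructed for illustration; `totp()` follows RFC 6238 over HMAC-SHA1.

```python
# Added example: step-up 2FA enforced on the OAuth/IdP callback, not only on
# the email+password form.  User store and flow below are constructed for
# illustration; totp() implements RFC 6238 over HMAC-SHA1.
import hashlib
import hmac
import secrets
import struct

# Constructed account store: totp_secret None means "not yet enrolled".
USERS = {
    "alice": {"totp_secret": b"12345678901234567890", "mandatory": False},
    "staff_bob": {"totp_secret": None, "mandatory": True},  # staff: 2FA mandated
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- window steps; constant-time compare."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), code)
               for d in range(-window, window + 1))


def login_after_oauth(account: str, totp_code, now: int):
    """Called once the IdP (e.g. Steam) has asserted 'this is <account>'.

    Returns a (state, detail) pair: ("session", token) only after the second
    factor passes; otherwise ("needs_2fa" | "enrol_required" | "denied", ...).
    The IdP's approval alone never yields a session for an enrolled account.
    """
    user = USERS.get(account)
    if user is None:
        return ("denied", "unknown account")
    secret = user["totp_secret"]
    if secret is None:
        if user["mandatory"]:
            return ("enrol_required", "2FA mandated but not enrolled")
        return ("session", secrets.token_urlsafe(32))
    if totp_code is None:
        return ("needs_2fa", "prompt for code before issuing a session")
    if not verify_totp(secret, totp_code, now):
        return ("denied", "bad 2FA code")
    return ("session", secrets.token_urlsafe(32))
```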
On the website profile section, hide your everything, don't make anything public.

I've heard they are targeting rich people with this method.
"
Hello,
I have been a player of POE2 since the very beginning and have already spent over 2000 hours in the game. I’ve dedicated a huge amount of time to it.
Two days ago, my account was hacked and I was robbed of everything. All my items worth several mirrors are gone — I have nothing left. I lost around 30 mirrors in total. All 15 of my characters have been completely stripped.
I would like to point out what I received from GGG:
A big “f...off.” Nothing more.
I hope others will also realize that they don’t care about us — only about making money.

That's why the EA model is so popular... it is BETA, so we are paying for... TESTING, so they don't care what is happening now.
"
Sarno#0493 wrote:
"
1. How the Person Got Access
Yes, they social-engineered Steam Support — which means the attack vector was Steam's verification process, not GGG's authentication system. 2FA on GGG staff accounts wouldn't have changed the outcome if the attacker was operating through a legitimately approved Steam session. You're conflating two separate authentication layers.

I am conflating nothing.

You can implement 2FA such that a user will be prompted for a code upon being redirected by an OAuth provider. While it is certainly possible to implement such logic exclusively as part of the standard email & password sign in process, that is a decision - and a poor one, at that.


"
2. Your 2FA Argument Has Three Big "Ifs"
You literally listed them yourself: GGG would have needed to 1) support 2FA, 2) implement it properly, and 3) mandate it. That's not an argument that 2FA would have prevented this — that's an argument that a completely different security infrastructure might have. You're critiquing a hypothetical GGG, not the actual breach.

For someone who has repeatedly critiqued my ability to follow a discussion, you are notably all over the map yourself.

My only point the entire time has been that 2FA would improve account security, and that the breach is a good argument as to why. If you are now conceding that 2FA support would have prevented the breach, then we now agree with one another - even if you aren't quite across that.


"
3. The Breach Severity
"A significant number of accounts" is vague by design — companies write breach disclosures with legal teams present. Treating that phrasing as confirmation of your four-digit unauthorized access claim is speculation, not analysis.

If a legal team were present - and I must say, I do hesitate to accept your speculation that one was - they would have almost certainly argued in favour of either "a number", or, "a large number".

It is completely valid to observe what GGG chose to acknowledge in their post.


"
4. 2FA Effectiveness Post-Breach
Here you've actually shifted your own argument. You started by saying 2FA would have prevented the breach, now you're saying it would make follow-on attacks harder. Those are different claims. The number fixation comment is a deflection. Stay on the actual points.

Thanks for attempting to define my argument for me.

I am arguing more broadly that 2FA support being released by GGG would improve PoE account security. There is nothing incorrect about noting multiple examples as to how it would have changed things. While I understand you might dislike seeing multiple examples as to how you had been wrong, I won't be narrowing my points just to make you feel better.


On point 1:
Yes, you can implement 2FA to trigger after OAuth redirect — but that's precisely the "implemented it properly" condition from your own list. That's not a given, and it's not what GGG had. You're still arguing from a hypothetical setup, not the actual one.

On point 2:
I didn't concede that 2FA would have prevented the breach. I said a completely different security infrastructure might have. Those aren't the same thing. You're claiming agreement where there isn't any. A pattern in this conversation I've noticed.

On point 3:
You're doing exactly what you accused me of: speculating. You don't know whether a legal team was involved, and you've now admitted as much ("I must say, I do hesitate to accept your speculation"). So we're both inferring intent from a vague corporate statement. That makes your reading of "significant" no more authoritative than mine.

On point 4:
You've now openly confirmed you're making multiple distinct arguments — breach prevention and post-breach hardening. That's fine, but don't act surprised when someone points out you've shifted ground. Arguing two things isn't the same as arguing one thing correctly twice.
Nobody is asking you to narrow your points. We're asking you to keep track of which one you're making at any given moment.
There is another possible attack vector never mentioned in this thread: auth tokens. When you use the "remember me" checkbox in the PoE client, a token is created on your client (and is sent to the server) by combining your hardware data, location data, and account data, and is used for automatic logins.

PoE was always a highly lucrative target for RMT, and thus has probably attracted the attention of professional cheatmakers and skilled reversers more than once. If you manage to reconstruct a token for another account and also forge location, you're in. No emails, Steam, or unlock codes needed. Operators of such an advanced exploit are also smart enough not to attract attention by wiping stolen accounts clean.

I don't have proof that this had happened in the past (and really doubt GGG would have admitted such breach as readily as they did with that old hacked admin account), but there were rumors about malicious actors getting enough information about victim accounts by joining their hideouts and sending trade/party requests.

This whole thread is speculation anyway, so I thought I could add a bit more of it, for educational purposes:)
Several times when this has been mentioned I point out that one of the things that allows this to be successful for the very likely RMT-motivated thieves is the wide open hole that is direct player-to-player trade. It needs to go away, whether that is willingly by GGG and other developers, or mandated by some government authority like the EU. It needs to happen. The EU has already publicly mentioned that they do not like illicit RMT in video games, and may be looking into it in the future. It allows far too much bad stuff, not the least of which is that it has become a very obvious conduit for gambling.
Amenhotep Apothecaries Sisyphus
It's funny how the people who get hacked are always these multiple-mirror guys. How does the hacker even know that this guy had 30 mirrors? Perhaps he was a customer on their RMT shop?
Likely scenario: people buy mirrors from RMT sites, these people then get hacked and the site takes back the mirrors to sell again to some sucker, and the cycle repeats.
Last edited by Druidenjoyer#0031 on May 9, 2026, 7:42:50 PM
That's a childish notion. If you're running a business you're not going to do well if you keep robbing your own customers. The drug dealer who cuts his product too much or otherwise steals his customers' money isn't going to have customers for long.

PoE economy is entirely based on gambling. That's why RMT is such a big issue. The game design itself fosters gambling addiction, and people pay real money to keep pulling that crafting slot machine or to get uber gear without doing that. The majority of RMT customers are going to go through the orbs they purchase fairly quickly, using way more divs and p chaos than anyone else would since they got thousands of them in just a few minutes. They're going to burn through them and be back for more. But they're not going to do that if their account was just hacked. Having a customer who keeps returning every new league, probably several times, to buy currency from you is worth much more.

The RMT folks all have bots that use tight filters and automatically pick up whatever loot that shows in the filter and return it to a stash 24/7. They don't need to hack an account to steal currency items.

It's not difficult to see. Spend some time searching the in-game trade and seeing how many items are listed for sale by characters with random fus6789ft screen names. They use bots on a dozen or more accounts simultaneously, 24/7, to farm and fill a stash with currency drops and items that sell quickly for a good amount, then hop from account to account personally and list all that stuff for sale, then continually sell the orbs for real money.
Last edited by AbyssianOne#1625 on May 9, 2026, 8:35:44 PM
"
That's a childish notion. If you're running a business you're not going to do well if you keep robbing your own customers. The drug dealer who cuts his product too much or otherwise steals his customers money isn't going to have customers for long.


The customer doesn't know who robbed him. That's the thing. So he will just go back to the shop and buy again. The same customer probably doesn't get robbed twice, otherwise he might get suspicious.

It's just my theory. Otherwise, how do you explain that poor people never get hacked? The hackers always seem to know who the richest players are.
