Grinding Gear Games’ Path of Exile appears to have been the latest in a long line of games suffering from a hacking problem. But was Path of Exile hacked, or are players simply too lax about account security?
This started at some point yesterday afternoon, with players reporting being booted from the servers, and being unable to log back in, as their passwords were being changed. They were still able to view their characters’ belongings, and discovered that everything was gone. Grinding Gear Games’ Lead Developer responded as follows to those complaining of being hacked:
We’re in the middle of implementing a feature where people who steal your password are not able to easily log into your account. This is unfortunately still approximately a week away, so in the meantime make sure to avoid falling into the common traps that people use to scam passwords (discussed in this thread and here).
Almost every account compromise that we’ve investigated in depth has eventually led back to one of those causes where people are unsafe with their computers or passwords. It’s generally people running exploit/hack software in most cases. I wish there was more we could do to help protect users in the very short term but our new security features I mentioned above are coming along well and we’ll deploy them as soon as they work reliably.
This follows an isolated Path of Exile hacking incident around 10 days ago, in which an attacker operating from a Chinese IP address compromised around 25 accounts, as well as a few other, similar incidents, as reported in this thread. Grinding Gear Games, while they have commented as above, firmly deny that any security was breached at their end. The earlier thread shows their hands-on approach, where they even respond directly to players about how exactly their accounts were hacked – saying it’s generally by phishing or malware stealing passwords, rather than any database issues.
No Deleted Items or Characters Can Be Restored?!
And that’s all well and good, apart from one element: Grinding Gear Games “cannot” restore any items lost to theft. Whether they are genuinely unable to or simply unwilling to is unclear, but this puts the “was Path of Exile hacked?” question in a new light. Not only do Grinding Gear Games not yet have systems to prevent password thieves from accessing player accounts, but nothing lost to these thieves will be returned either. Economic reasons are offered as the explanation, as can be seen from the forum post we quote below.
What’s your take on this? It seems likely that the developers are being truthful, and that the hacks are actually password thefts occurring thanks to sub-par security practices, but it’s remarkable that no system is in place to restore items lost to account theft. Yes, players could well be at fault, but not restoring items is likely to cause bad feelings. GAMEBREAKER really hopes that GGG are able to implement the aforementioned additional security measures, and that no further accounts are compromised.
Unfortunately, we cannot restore any items lost to theft. One of the most important things about Path of Exile is its online economy, and if we performed restorations on demand then the economy would be flooded with duplicated items. We’ve seen this in other games (where the game companies restore compromised items and create a massive economic problem in the game).
If someone compromises your account and deletes your characters, we’re currently unable to restore these characters. We are working on changing the game so that deletions are “soft” rather than “hard”, which will allow us to restore deleted characters easily. If their items are stolen, however, then the character will be empty. This feature will be available in the future but is not ready yet!
I am very sorry that our policy is no help if you’ve lost items or characters. I sincerely wish that I could restore them for you, but to do so would undermine one of the most important aspects of the game. If you have been compromised, I strongly suggest:
- First, make sure your computer is malware free. A reformat would be the best bet. If you follow the following steps but still have malware, the attacker will just take your password again.
- Make sure that your email account is secure. Change its password! Set up two-factor (i.e. cellphone) authentication with your email provider. If the email is not secure, the attacker can still steal your account.
- Set a Path of Exile password that is different from any other password you have used before. Make it long and complex.
- Don’t enter your password anywhere except the official site and the game client. Make sure the site says “Grinding Gear Games Limited” when you click the lock icon next to the address.
- Don’t download untrusted software or click untrusted links.
We take security very, very seriously. The website and game client both use secure encrypted sessions to handle logins. We don’t store credit card information on our servers. Passwords are stored hashed and salted. Even the backups of your data are encrypted so that thieves can’t get anything if they steal the backups.
Please take steps to make sure your accounts are safe. It pains me greatly every time I read about lost items that we can’t replace. With some development time on our end (as outlined above) and good security on the part of our users, your accounts will be much more secure and the item sales sites won’t be able to steal our items.
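The “soft” versus “hard” deletion distinction in the developer’s post, sketched as an added Python example (not Grinding Gear Games’ code): a soft-deleted character is flagged rather than removed, so it can be restored, while the restore returns only the inventory the character currently holds, so stolen items are never duplicated back into the economy. All account, character and item names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Character:
    name: str
    items: list[str] = field(default_factory=list)
    deleted_at: datetime | None = None  # None means the character is live


class Account:
    def __init__(self) -> None:
        self.characters: dict[str, Character] = {}

    def hard_delete(self, name: str) -> None:
        """Irreversible: the record is gone, so there is nothing to restore."""
        del self.characters[name]

    def soft_delete(self, name: str) -> None:
        """Reversible: flag the record as deleted but keep it."""
        self.characters[name].deleted_at = datetime.now(timezone.utc)

    def restore(self, name: str) -> Character:
        """Undo a soft delete; raises KeyError if the record was hard-deleted."""
        ch = self.characters[name]
        ch.deleted_at = None
        return ch

    def live_characters(self) -> list[str]:
        return [n for n, c in self.characters.items() if c.deleted_at is None]


def simulate(soft: bool, items_stolen: bool) -> tuple[list[str], list[str] | None]:
    """Constructed scenario: an intruder (optionally) empties the inventory,
    then deletes the character. Returns (live characters after the attack,
    inventory after a restore attempt, or None if restore is impossible)."""
    acct = Account()
    acct.characters["Exile"] = Character("Exile", ["Constructed Sword", "Constructed Ring"])
    if items_stolen:
        acct.characters["Exile"].items.clear()   # items traded off the account
    (acct.soft_delete if soft else acct.hard_delete)("Exile")
    after_attack = acct.live_characters()
    try:
        restored = acct.restore("Exile").items   # current inventory, never a copy
    except KeyError:
        restored = None
    return after_attack, restored
```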