Path of Exile Hacked?!

Written by: (Twitter @oliviadgrace - ) | February 19, 2013 5:59 am
Path of Exile Hacked?!
17 Comments

Grinding Gear Games’ Path of Exile appears to have been the latest in a long line of games suffering from a hacking problem. But was Path of Exile hacked, or are players simply too lax about account security?

This started at some point yesterday afternoon, with players reporting being booted from the servers, and being unable to log back in, as their passwords were being changed. They were still able to view their characters’ belongings, and discovered that everything was gone. Grinding Gear Games’ Lead Developer responded as follows to those complaining of being hacked:

We’re in the middle of implementing a feature where people who steal your password are not able to easily log into your account. This is unfortunately still approximately a week away, so in the meantime make sure to avoid falling into the common traps that people use to scam passwords (discussed in this thread and here.

Almost every account compromise that we’ve investigated in depth has eventually led back to one of those causes where people are unsafe with their computers or passwords. It’s generally people running exploit/hack software in most cases. I wish there was more we could do to help protect users in the very short term but our new security features I mentioned above are coming along well and we’ll deploy them as soon as they work reliably.

This follows an isolated Path of Exile hacking incident around 10 days ago, where a Chinese IP hacked around 25 accounts, as well as a few other, similar incidents, as reported in this thread. Grinding Gear Games, while they have commented as above, firmly deny that any security was breached at their end. The earlier thread shows their strong approach, where they even respond directly to players about how exactly their accounts were hacked – saying it’s generally by phishing or malware stealing passwords, rather than any database issues.

No Deleted Items or Characters Can Be Restored?!

And that’s all well and good, apart from one element: Grinding Gear Games “cannot” restore any items lost to theft. Whether they are genuinely unable to or simply unwilling to is unclear, but this puts the “was Path of Exile hacked?” question in a new light. Not only do Grinding Gear Games not yet have systems where they can prevent password thieves from accessing player accounts, nothing lost to these thieves will be returned. Reasons of economy are offered as explanation, as can be seen from the forum post we quote below.

What’s your take on this? It seems likely that the developers are being truthful, and that the hacks are actually password thefts occurring thanks to sub-par security practices, but it’s remarkable that no system is in place to restore items lost to account theft. Yes, players could well be at fault, but not restoring items is likely to cause bad feelings. GAMEBREAKER really hopes that GGG are able to implement the aforementioned additional security measures, and that no further accounts are compromised.

Unfortunately, we cannot restore any items lost to theft. One of the most important things about Path of Exile is its online economy, and if we performed restorations on demand then the economy would be flooded with duplicated items. We’ve seen this in other games (where the game companies restore compromised items and create a massive economic problem in the game).

If someone compromises your account and deletes your characters, we’re currently unable to restore these characters. We are working on changing the game so that deletions are “soft” rather than “hard”, which will allow us to restore deleted characters easily. If their items are stolen, however, then the character will be empty. This feature will be available in the future but is not ready yet!

I am very sorry that our policy is no help if you’ve lost items or characters. I sincerely wish that I could restore them for you, but to do so would undermine one of the most important aspects of the game. If you have been compromised, I strongly suggest:

  • First, make sure your computer is malware free. A reformat would be the best bet. If you follow the following steps but still have malware, the attacker will just take your password again.
  • Make sure that your email account is secure. Change its password! Set up two-factor (i.e. cellphone) authentication with your email provider. If the email is not secure, the attacker can still steal your account
  • Set a Path of Exile password that is different from any other password you have used before. Make it long and complex.
  • Don’t enter your password anywhere except the official site and the game client. Make sure the site says “Grinding Gear Games Limited” when you click the lock icon next to the address.
  • Don’t download untrusted software or click untrusted links.

We take security very, very seriously. The website and game client both use secure encrypted sessions to handle logins. We don’t store credit card information on our servers. Passwords are stored hashed and salted. Even the backups of your data are encrypted so that thieves can’t get anything if they steal the backups.

Please take steps to make sure your accounts are safe. It pains me greatly every time I read about lost items that we can’t replace. With some development time on our end (as outlined above) and good security on the part of our users, your accounts will be much more secure and the item sales sites won’t be able to steal our items.

  • Middreks

    After all these years if people still click on phishing links or use maphacks/other tools and in result get their accounts stolen it’s their fault, you cannot (entirely) blame the company to do that. Probably they will use some kind extra authentication method in the near future, so these won’t happen that often.

    As for not restoring items: it’s their general policy in all cases.

    • Tomasz Guzik

       Yea. It’s the same with Hardcore deaths. They have a policy of not restoring your HC char no matter what caused your death. Even if it was the game crashing or (in the words of Chris Wilson the director who jokingly said): “Even if one of our Game developers we’re to jump i your game and just kill your character for no reason, we will not restore it to HC”; which is a valid right, it’s their game, their vision.
      Sad to see them have the hack issues tho; I wish only the best to GGG, rly great studio, they deserve some succes after all those years working on the game with barely any funding.

  • http://twitter.com/Zax19taken Zax19

    That sucks, GGG is a great indie studio :/

  • Krzysztof Kotarba

    is this for EU or US severs? 

  • http://twitter.com/LusitanGaming Lusitan Gaming

    my account is just fine, im pretty sure this problem is on the end user

    • http://www.facebook.com/brandon.owen.79 Brandon Owen

      People always say that until it happens to them.  Just because it hasn’t affected you doesn’t mean it HAS to be an end user problem.  Very poor logic there.

      • http://twitter.com/Bahska Bahska

         If people weren’t stupid every day with account/computer security they wouldn’t be blamed. That said if you look on the forums it seems a lot of the hackings were from people using d2jsp so they were basically asking to be hacked.

      • http://profile.yahoo.com/APHJB3QZIDC34QYRLE2RAUSLMU TJ

        people always blame the company.  Once again were is the PERSONAL RESPONSIBILITY.  Just because you lost all your gear does not mean the game was hacked.

        Hell most people use the same login information for everything.  Lose ur information once and now they have info for every game u play.

  • BigH001

    ” It seems likely that the developers are being truthful, and that the
    hacks are actually password thefts occurring thanks to sub-par security
    practices, **but it’s remarkable that no system is in place to restore
    items lost to account theft**.”

    Isn’t the game still in beta? While being in beta is no excuse to have crap server security, it seems like a good enough excuse not to have advanced account features implemented yet.
    As long as servers weren’t hacked directly and CC data wasn’t taken, ie the lost items came from compromised accounts and bad passwords (user error), then I’m fine with it. Beta is beta, features will be implemented as they’re ready, until then (and even after that) don’t be stupid with your password.

  • http://twitter.com/Bahska Bahska

    I cant believe in 2013 people are still this dumb about there own account security L2 use computers. :3

  • http://twitter.com/Spitynko Spity

    People are still stupid and use the same usernames and passwords on multiple and untrustworthy sites, it is their own bloody fault, maybe they will learn from this (but i doubt it)

  • Ta_Ga

    Is Gamebreaker a part of the Fox news network? None of the facts point towards GGG being hacked themselves, and yet you imply it in the thread title and theorize it within the post?

    The blatant misinterpretation on Obama and gamers and now this. I’m starting to look at Gamebreaker as a far less credible news source than I used to.

    If, by chance, a handful of Gamebreaker users were hacked and their profiles used to promote some gold-selling site, would the GB team like to see other gaming news sources pop up with posts like this? “GAMEBREAKER HACKED!?”

    Stick to the facts and create an open discussion about it. I understand your approach grabs more views, but at what cost?

    • http://www.facebook.com/antwane Antwane Fort

       I have to agree with you. What is up with the TMZ style headlines lately.

      • http://twitter.com/Spitynko Spity

        yup, gamebreaker has become yahoo news, it is is not the site that it used to be anymore

  • Joshua Callander

    The game is still in beta anyway of course there not going to have all the systems setup and running yet. 

    • http://twitter.com/Bloodspine Gwaith

      I like how indoctrinated PoE fanboys are. You accuse people with 0 evidence for your claims. There’s liking a game and then there’s venerating it to the point of being their free PR. Drones instantly assume that everyone that got hacked is a dimwit with a 5 letter password that clicks on penis enlargement ads. I am guessing crap security at their end but why would they admit that? Leave it to your internet minions to shut off any argument with accusations of improper security behaviour.

  • Matthew Sullivan

    Being one of the hacked ones, I have done nothing to open my account up for hacking and as far as I can tell either have many of the people commenting on the forum.  I am a little insulted at the blame being pushed at the users right now, and I am certainly not the only one.  There are many arguments flowing over this and that only certain types of items were taken.

    If it was hacking fine, but its more than users being insecure. I am sure that is part of the problem, and maybe I am unsafe but have no idea how. I get the feeling something larger is compromised here.  Whether its the users or the hackers or lack of security from the developers I can’t tell, but I guess at the end of the day it is a beta and you can’t expect perfection. I just hope it gets fixed :D

Giveaway

gbtv_ios_app
RECOMMENDED FOR YOU
Monday
6 pst

The Republic

Star Wars The Old Republic

Tuesday
n/a

Monty's Minute

Have Questions? He Has Answers

9 pst

After Dark

Live Call In Show

Wednesday
6 pst

Guildcast

Guild Wars 2

Thursday
7 pst

Conspiracy Craft

World of WarCraft Lore

8 pst

Legendary

World of WarCraft

Friday
3 pst

TWIMMO

This Week In MMO

4 pst

Derpy Dragon

Free to Play Show



TOP GAMES
Guild Wars 2 MMO News
Guild Wars 2
Genre: MMORPG Fantasy
Developer: Arenanet
Metacritic Score: 90
The Elder Scrolls Online MMORPG News
The Elder Scrolls Online
Genre: MMORPG Fantasy
Developer: Zenimax
Metacritic Score: n/a
World of Warcraft MMO News
World of Warcraft
Genre: MMORPG Fantasy
Developer: Blizzard
Metacritic Score: 82
SWTOR MMO News
Star Wars the Old Republic
Genre: MMORPG SciFi
Developer: Bioware
Metacritic Score: 85
League of Legends News
League of Legends
Genre: MOBA
Developer: Riot
Metacritic Score: 78