I got hacked

[jock]

For people that did get hacked can you comment and share what client you were using, to try to help people avoid this?

This also allows us to see correlations if a specific client is to blame or if there is another reason this occurred.

[loftar]

For people that did get hack can you comment and share what client you where using, to try help people avoid this.

I want to be clear about the fact that I don't know that it's a malicious client. If anything, I've noticed among the hacked accounts some that haven't even logged in since like 2013, so I'm not sure the client theory is even satisfactory at all.

To be sure, though, it's not just a brute-force hack. The attacker just logged straight into the accounts without trying different passwords, so he clearly has some sort of list of credentials.

[jock]

For people that did get hack can you comment and share what client you where using, to try help people avoid this.

I want to be clear about the fact that I don't know that it's a malicious client. If anything, I've noticed among the hacked accounts some that haven't even logged in since like 2013, so I'm not sure the clien theory is even satisfactory at all.

I edit my post just before you replied

[jock]

For people that did get hacked can you comment and share what client you were using, to try to help people avoid this?

This also allows us to see correlations if a specific client is to blame or if there is another reason this occurred.

<edit

[vatas]

No idea if this is connected and this is basically hearsay, but someone said they lost 4 top-quality treepots and suspected a bug. While Occam's Razor still says "he accidentally dropped them, did not notice, they despawned" there still could be a connection. It would make sense that the attacker would perform surgical strikes like this. In WoW you could make decent in-game gold from compromised accounts by vendoring everything soulbound (trade restricted) then simply mailing all money and all non-soulbound items to an expendable mule account. In Haven you can't really liquidate large amount of items, part of the reason why, after a successful siege, it is common to simply bash most containers and only cherry-pick the few especially valuable items.

[Kyrex]

No idea if this is connected and this is basically hearsay, but someone said they lost 4 top-quality treepots and suspected a bug.

How long ago?

It seems not enough people know about the (awesome) security logs that you can check.
On this website, the person can go to:

Code: Select all

Account -> Account Security -> View Security Log

[Kyrex]

i got hacked and my name is not on the list i feel scammed xD

Re: this
Checked in with Menillos and looks like e probably didn't get hacked.

[dor]

To be sure, though, it's not just a brute-force hack. The attacker just logged straight into the accounts without trying different passwords, so he clearly has some sort of list of credentials.

IMHO, it's not related to malicious client. Initially I thought it was just dict-based bruteforce attack, but if there was no failed attempts, it seems that hacker had login:pass pair. I think he got it from one of the widely available leaked bases. So he just had to try these pairs in hope that user used same password everywhere.

@Loftar, if it's possible, please, check two things:
- are there any spike in amount of failed attempts with non-existent login
- are there any spike in amount of failed attempts overall

First could give some insight regarding where from attacker got logins. Second one will shed some light on my hypothesis about "same password everywhere" attack.

If both are "no" then it would mean that attacker had very accurate info about user accounts.

[dagrimreefah]

IMHO, it's not related to malicious client. Initially I thought it was just dict-based bruteforce attack, but if there was no failed attempts, it seems that hacker had login:pass pair. I think he got it from one of the widely available leaked bases. So he just had to try these pairs in hope that user used same password everywhere.

@Loftar, if it's possible, please, check two things:
- are there any spike in amount of failed attempts with non-existent login
- are there any spike in amount of failed attempts overall

First could give some insight regarding where from attacker got logins. Second one will shed some light on my hypothesis about "same password everywhere" attack.

If both are "no" then it would mean that attacker had very accurate info about user accounts.

[Kyrex]

To be sure, though, it's not just a brute-force hack. The attacker just logged straight into the accounts without trying different passwords, so he clearly has some sort of list of credentials.

IMHO, it's not related to malicious client. Initially I thought it was just dict-based bruteforce attack, but if there was no failed attempts, it seems that hacker had login:pass pair. I think he got it from one of the widely available leaked bases. So he just had to try these pairs in hope that user used same password everywhere.

@Loftar, if it's possible, please, check two things:
- are there any spike in amount of failed attempts with non-existent login
- are there any spike in amount of failed attempts overall

From discord:

To be sure, it's not just a random brute-force bot, the site does have protections against that. The attacker just logged straight into the accounts without any password misses.
Or well, there were some accounts where he used the wrong passwords, but on the ones where they did successfully log in, they logged right in.

Suggesting that the credentials that failed had changed passwords since their compromise.

This is generally suggestive of some kind of phishing/scraping.