my account stolen

General discussion and socializing.

Re: my account stolen

Postby loftar » Fri Apr 17, 2015 3:00 pm

bitza wrote:you wouldn't have to waste any time on resolving stolen accounts, if it weren't possible to hijack them through the "change email" function ;)

Neither would I have to if people weren't giving away their passwords to make that possible.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
 
Posts: 9045
Joined: Fri Apr 03, 2009 7:05 am

Re: my account stolen

Postby venatorvenator » Fri Apr 17, 2015 3:22 pm

Hasn't this been solved already?
jorb wrote:Lesson learned is to not trade accounts.


In my opinion complaints of stolen passwords through shared accounts only make devs less willing to handle legit cases of account theft, namely bruteforcing and keylogging. I believe it's in everyone's best interest that you stop trivializing what is a serious matter with problems that only exist because you told someone how to access your account.

Anyway, Loftar, can't you just remove the change e-mail feature? No fancy identity checks, just remove it altogether. Would that help at all?
Xcom wrote:Most good things last only a short time
venatorvenator
 
Posts: 1066
Joined: Fri Mar 07, 2014 5:59 pm

Re: my account stolen

Postby tobi » Fri Apr 17, 2015 3:47 pm

loftar wrote:
Sverek wrote:This time to crack the password

I notice from the logs that whoever changed the e-mail address did not "crack" the password. He logged right into the account, so it is quite clear that he knew it, quite simply. Given this, it is not entirely easy for me to know whether it is true that he "took" the account, or if it was his and it's you who're trying to take it by trying to convince me that it's yours. Or, for that matter, if this is simply a conflict between the owners of a shared account that is simply not my business.


haha I've lived near to sverelka and she gave her password to Ellie when she quitted the game it is in Ellie's hands atm and it may be sverelka (the rightful owner) who wants it back (maybe it's the same sverelka and sverek)
tobi
 
Posts: 115
Joined: Sat Aug 30, 2014 1:37 pm

Re: my account stolen

Postby loftar » Fri Apr 17, 2015 3:53 pm

venatorvenator wrote:Anyway, Loftar, can't you just remove the change e-mail feature? No fancy identity checks, just remove it altogether. Would that help at all?

loftar wrote:
stickman wrote:Has anyone ever legitimately used the change email function? I don't know why it exists.

It's being used all the time. Of course, people won't go to the forums telling all about it.



tobi wrote:haha I've lived near to sverelka and she gave her password to Ellie when she quitted the game it is in Ellie's hands atm and it may be sverelka (the rightful owner) who wants it back (maybe it's the same sverelka and sverek)

I did indeed suspect as much. Thanks for clearing that up. If you would, please tell this Ellie to PM me or otherwise contact me about the account now being disabled.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
 
Posts: 9045
Joined: Fri Apr 03, 2009 7:05 am

Re: my account stolen

Postby Sverek » Fri Apr 17, 2015 4:48 pm

tobi wrote:
loftar wrote:
Sverek wrote:This time to crack the password

I notice from the logs that whoever changed the e-mail address did not "crack" the password. He logged right into the account, so it is quite clear that he knew it, quite simply. Given this, it is not entirely easy for me to know whether it is true that he "took" the account, or if it was his and it's you who're trying to take it by trying to convince me that it's yours. Or, for that matter, if this is simply a conflict between the owners of a shared account that is simply not my business.


haha I've lived near to sverelka and she gave her password to Ellie when she quitted the game it is in Ellie's hands atm and it may be sverelka (the rightful owner) who wants it back (maybe it's the same sverelka and sverek)


It's true. But there is a difference to your password or lose full access to your account. I do not ask to return my account. Ellie also suffered in the game at it all taken away. And this fact does not change. It is not excluded that all changed Ellie, and now he was lying, but the problem lies elsewhere.
 I repeat, I do not ask to return the account or the things in the game. I draw attention to the problem of security in the account. Password can be cracked, and get a peek in other ways through the game client. Can not pay attention and repeat over and over again - or who do not give your password, but the security problem remains. I think this is my last message. I see no reason to write the same thing 100 times. You decide how to proceed.

All the best.

p.s.
You get a very good game!!! The best in the genre! And I believe that you should pay attention to the problems the solution of which can save your time and nerves.
Sverek
 
Posts: 5
Joined: Thu Apr 16, 2015 1:01 pm

Re: my account stolen

Postby tobi » Fri Apr 17, 2015 5:02 pm

Sverek wrote:It's true. But there is a difference to your password or lose full access to your account. I do not ask to return my account. Ellie also suffered in the game at it all taken away. And this fact does not change. It is not excluded that all changed Ellie, and now he was lying, but the problem lies elsewhere.
 I repeat, I do not ask to return the account or the things in the game. I draw attention to the problem of security in the account. Password can be cracked, and get a peek in other ways through the game client. Can not pay attention and repeat over and over again - or who do not give your password, but the security problem remains. I think this is my last message. I see no reason to write the same thing 100 times. You decide how to proceed.

All the best.

p.s.
You get a very good game!!! The best in the genre! And I believe that you should pay attention to the problems the solution of which can save your time and nerves.

I don't want you to leave :( Ellie took your account?
tobi
 
Posts: 115
Joined: Sat Aug 30, 2014 1:37 pm

Re: my account stolen

Postby tobi » Fri Apr 17, 2015 5:05 pm

Tell me the truth.. Did you know Ellie was gonna kill us?
tobi
 
Posts: 115
Joined: Sat Aug 30, 2014 1:37 pm

Re: my account stolen

Postby VDZ » Fri Apr 17, 2015 6:24 pm

Sverek wrote:I think it should introduce a change confirmation e-mail by phone or with the mail.


Mail - no, this won't work if you no longer have access to your e-mail (for example because your e-mail provider quit/went down).

Phone - hell no, I'm not giving out unnecessary personal details like my phone number. Just don't let anyone else get access to your account, problem solved.

Sverek wrote:It is also possible secret question.


Absolutely not. Back when I was a little shit, I 'hacked' several accounts by simply guessing the answer to the secret question. They're almost always easy to guess if you know anything about the person and/or are capable of looking stuff up.

For this reason, nowadays whenever I need to enter a secret answer, I go with 'dsifhuih24f938hf94hcoifsdfdsf', because anything else is just a security risk. This has led to me being unable to change my password on at least one account, because I can't answer my secret question (because if I could answer it, others could as well).

People should just not share their passwords. Problem solved. You can't expect developers to help you minimize damage that occurs when you fuck up your own security.

Sverek wrote:But I see no error to give the password to a friend.


And that right there is the problem. By giving someone your password, you give them full access to your account. That includes the ability to steal the entire account, obviously. To avoid this, do not give out your password. If you do, anything that happens is your own fault.

Sverek wrote:If my e-mail and password could not be changed without confirmation, the problem would not exist.


But it would. They could steal all your stuff, kill all your characters, give you a bad reputation by posting under your name in the forum and can even get you banned by doing bannable stuff on your account. You can take as many safety measures as you want, the core of the problem is you giving out your password. If that problem is not fixed, all other fixes are futile.

bitza wrote:you wouldn't have to waste any time on resolving stolen accounts, if it weren't possible to hijack them through the "change email" function ;)


Too optimistic. There will always be stolen accounts, "stolen" accounts, and complaints about them, as long as people keep giving out their passwords.
VDZ
 
Posts: 2681
Joined: Sun Jul 17, 2011 2:27 am

Re: my account stolen

Postby loftar » Fri Apr 17, 2015 8:19 pm

Sverek wrote:But there is a difference to your password or lose full access to your account. [...] I draw attention to the problem of security in the account. Password can be cracked, and get a peek in other ways through the game client.

Sorry, but this is not a sound relationship to your passwords. The password is the key to the account, and the very idea about a password is that only you know it. The client will not let anyone "peek into it", and the server code takes care against brute-force cracking. If you give someone your password, that is equivalent to giving them full access to the account.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
loftar
 
Posts: 9045
Joined: Fri Apr 03, 2009 7:05 am

Re: my account stolen

Postby LordD1 » Fri Apr 17, 2015 9:48 pm

To be honest, the only time I ever had an issue with account theft.. loftar actually did what he was supposed to and helped me get my account back.
As well as Troll's account who also got hacked by the same person back when Apex hacked the email of the person who coded Rizen and had put a keylogger into the client. This all happened back in W6, however because of the forum mechanics back then not even notifying you if your email was changed Apex was able to relog into the characters by changing the passwords. Due to me being allied to DIS this world I don't think he bothered to do anything with my character(s), as when I got my account back I still had all of my stuff including my q60 pneck. Troll however wasn't so lucky, he lost his pink cape, and his char was drowned a few times over I believe.

Giving out passwords is not "stupid", but if you can't judge a person's intentions of why they need your password, etc.. then it's your own fault. You should be able to judge most people's character, anyone I have given my account info to has never done anything maliciously. Also, if you're sharing passwords of your account(s), only share the ones you see are necessary to share because of said intentions. If someone needs to use the crafter only, why would you give them your fighter/main? If they need a fighter to use for combat, but not a crafter or forager, why would you give them those? Only share what is needed to be shared for you both to progress.


Loftar isn't the best dev when it comes to bugs, and rewarding found bugs that are also reported, but when it comes to account security he has been there.
How 2 Fite Legit
LordD1
 
Posts: 651
Joined: Thu Jul 12, 2012 10:08 pm
