Where can I find info about the extent of recent account hacks?

[Drachmor]

Sorry if this is the wrong place to post - and I don't intend to create mass panic - but I've caught enough rumor lately of recent account hacks to ask the question, does anybody have any source or consensus about this? Are there only a few anecdotes, is it somewhat confirmed that a wave of account hacks has indeed happened?

Thank you for any info!

And if the devs are willing to comment - is it advisable to change our passwords?

 

[Jhenissa]

Sorry if this is the wrong place to post - and I don't intend to create mass panic - but I've caught enough rumor lately of recent account hacks to ask the question, does anybody have any source or consensus about this? Are there only a few anecdotes, is it somewhat confirmed that a wave of account hacks has indeed happened?

Thank you for any info!

And if the devs are willing to comment - is it advisable to change our passwords?

Bump

 

[J1NG]

Basically unconfirmable situation in almost all instances.

1.There is a known issue where it is possible a player that is logging in can end up with someone elses account on logon instead of the one they logged in as. (I personally ran into this twice now over the 16-17 years of DDO)
1.a. Most players immediately log off, but it is theorised that some have decided to take advantage of the situation instead. Due to the way things are, there is no actual proof that this was done by anyone who encountered this situation however, since it would require the one at fault to incriminate themselves by recording them performing the unauthorised purchases, etc and then post about it.
1.b. There is no immediately recognised way to replicate this scenario (getting into a different account). Whilst there are suspisions over here, there's no testing approach that is suitable for me to post about here. No testing is also going to be attempted because it could cause the tester (whilst testing for the flaw) an actual ban. (Sorry, I like the community, but I don't like you THAT much that I'm happy to get one of the more serious responses done when I get tagged by any systems in the process).

2. Many of the posts about account hacks (on the main forum) have been majority from "new" forum posters. (I personally have not looked at discord posts, but have read from others that there's a few of those lately)
2.a. Many of the threads about this are individual experiences (which no one is disputing is happening or not with insufficient evidence either way), however, they also happen to be lacking in detail about their accounts, making it difficult to gather information and evidence to form a theory about what is happening, how it is happening and how to test for it.
2.b. This is made especially difficult when said players feel they are being questioned, or are so focused on their situation only and "shut off" from engaging further with questions. (Again) Preventing any way to form theories as to what is happening and to test them out.
2.c. Key information that realistically needs to be gathered are:
2.c.i. How old the account is (Stolen data, see 3 below)
2.c.ii. Were the Account and Forum details the same? (Some used the same details, resulting in needing only Forum data being stolen to be able to access their in game account)
2.c.iii. Has their data been shared with others before? (There's always stories of someone who didn't look after any data they have got and caused no end of problems to themselves or others)
2.c.iv. Where are they geographically? (This is related to the data breach that happened to Codemasters)

3. It is KNOWN that DDO and Codemasters (Euro server runners of DDO) both have had player data stolen in 2013 and 2011 respectively.
3.a. This data breach could be one of the reasons why players accounts have been accessed so easily (and readily)
3.a.i. Such as by having Account Names being the same as their Forum Names (AND Passwords too)
3.b. It is also possible that Codemasters didn't have as tight security and had even more linked information that was stolen.
3.b.i. Because we know from what SSG staff have said that integration of data from Codemasters was a problem and was part of the problem of server transfer issues as well recently, suggesting some data might not all be in alignment with "how they should be".

4. For now, everything is being classed as an "Account Hack".
4.a. This is because there is no confimation of any suspected method as the ultimate cause of the "Unauthorised Action".
4.b. This includes being careless with data yourself, sharing the data with others and them being careless about the data or their protection of the data, actual hack, brute force multiple password attempts, to lying about it being a hack (for whatever reason), being in cahoots with the actual offender in trying to pull a fast one, etc.
4.b.i. Due to lack of evidence of any one particular action being the thing that happened.

And if the devs are willing to comment - is it advisable to change our passwords?

Not a Dev here.

But, "MY" recommendation is not to wait.

Why?

A. Changing your password now can only reduce the chance of your account being "Hacked" by someone who is going through the data breach on DDO or Codemasters.
A.1. This prevents any long time accounts from being immediately checked up on by stolen data.

B. Change any payment methods that are automatic as well such as Paypal under certain circumstances. This prevents automatic purchases that could have been performed without you knowing.
B.1. I for example require a login to Paypal, as well as the 2FA there to get to the payment stage.
B.1.i. This prevents any unintended logins to my account from being able to make purchases without me knowing.

C. Always perform such security actions (changing of passwords) on known "clean" computers to prevent accidental/unintended exposure to third parties.

There are likely more recommendations by other forum members, but this is what I have to offer thus far. (Not a lot of time on hand due to IRL duties)

J1NG

 

[Solarpower]

2.c. Key information that realistically needs to be gathered are:
2.c.i. How old the account is (Stolen data, see 3 below)
2.c.ii. Were the Account and Forum details the same? (Some used the same details, resulting in needing only Forum data being stolen to be able to access their in game account)
2.c.iii. Has their data been shared with others before? (There's always stories of someone who didn't look after any data they have got and caused no end of problems to themselves or others)
2.c.iv. Where are they geographically? (This is related to the data breach that happened to Codemasters)

And also, does he use third-party programs, like Dungeon Helper or a third-party launcher...

 

[Blaster]

Here's something that may be nothing, but still, possibly noteworthy.

The OP of this Forums post -- https://forums.ddo.com/index.php?threads/another-hacked-account.24991/ -- is guild members with someone who was posting on a Reddit thread about an account hack -- https://www.reddit.com/r/ddo/comments/1q1dyxs -- and in that Reddit thread, a commenter posted how they knew someone who was hacked who was buying third party boxes from a "sketchy site".



I'm not accusing anyone of anything, just pointing out a potential link to how someone may have gotten their account hacked. (I also believe this is happening to non-USA-based players more so than those Stateside, but that's just my conjecture based on the information people have provided on the forums.)

 

[Jummby]

Sorry if this is the wrong place to post - and I don't intend to create mass panic - but I've caught enough rumor lately of recent account hacks to ask the question, does anybody have any source or consensus about this? Are there only a few anecdotes, is it somewhat confirmed that a wave of account hacks has indeed happened?

Thank you for any info!

And if the devs are willing to comment - is it advisable to change our passwords?

Everyone has just been guessing or speculating on how it happens. There is nothing concrete out there on it. Devs haven't said a word on.

The only things I can think of as to why they aren't answering us the following:

It's the holidays and people are out or they know it's happening, but have no idea how to fix it, so they are trying to figure it out before commenting.

I am guessing they will comment eventually. People removing saving payment information and becoming fearful to make point or Otto's box purchases is bad for them.

 

[Jummby]

Sorry if this is the wrong place to post - and I don't intend to create mass panic - but I've caught enough rumor lately of recent account hacks to ask the question, does anybody have any source or consensus about this? Are there only a few anecdotes, is it somewhat confirmed that a wave of account hacks has indeed happened?

Thank you for any info!

And if the devs are willing to comment - is it advisable to change our passwords?

I don't believe in coincidences. This happened while Otto's Boxes were on sale. Those are a historical way to exploit the game or steal from people, Shady sites and people sell them for real life money.

 

[Bjond]

I don't believe in coincidences. This happened while Otto's Boxes were on sale. Those are a historical way to exploit the game or steal from people, Shady sites and people sell them for real life money.

The traditional smart hacker breaks in and does nothing until there is something to gain. It would make sense that "ottos on sale" would trigger a rash of noticeable hackery.

 

[GrizzlyOso]

of all the things that are btc/bta, why isn’t the one most valuable thing, that is also only purchased by the user, for the account , bound?

 

[Dude]

of all the things that are btc/bta, why isn’t the one most valuable thing, that is also only purchased by the user, for the account , bound?

So that people can sell them for shards.

 

[Falkor]

The fact they use 2FA for the discord accounts, and not here, is revealing of their need for control and disregard for customer safety.

Yet any one who has sailed the seas is well aware of associated risks. Buying from sketchy third party vendors is always risky. Especially if they are selling duped-exploit items. But I'm very skeptical of this, it's pure speculation. It's a big leap to assume the only accounts being hacked are people who made these types of purchases.

It could be the login exploit. We really don't know anything except that it's happening and SSG is offering their usual level of silence and inaction.

What really sucks is for the people this is happening for, they rarely get any acknowledgement from SSG or compensation. They just lose out.

It seems this has become more common since the 64-bit move and urgently needs to be looked into.

Changing passwords is smart. Using different account names vs login names is smart. Keeping identity private is smart. Not saving financial data on Xsolla payment is smart. SSG has notoriously bad payment systems, its a rare week someone isn't commenting about bad charges or other issues. They simply can't be trusted.

And this is a useful tool to see if your email address has been involved in data breaches. https://haveibeenpwned.com/

 

[Livmo]

Basically unconfirmable situation in almost all instances.

1.There is a known issue where it is possible a player that is logging in can end up with someone elses account on logon instead of the one they logged in as. (I personally ran into this twice now over the 16-17 years of DDO)
1.a. Most players immediately log off, but it is theorised that some have decided to take advantage of the situation instead. Due to the way things are, there is no actual proof that this was done by anyone who encountered this situation however, since it would require the one at fault to incriminate themselves by recording them performing the unauthorised purchases, etc and then post about it.
1.b. There is no immediately recognised way to replicate this scenario (getting into a different account). Whilst there are suspisions over here, there's no testing approach that is suitable for me to post about here. No testing is also going to be attempted because it could cause the tester (whilst testing for the flaw) an actual ban. (Sorry, I like the community, but I don't like you THAT much that I'm happy to get one of the more serious responses done when I get tagged by any systems in the process).

2. Many of the posts about account hacks (on the main forum) have been majority from "new" forum posters. (I personally have not looked at discord posts, but have read from others that there's a few of those lately)
2.a. Many of the threads about this are individual experiences (which no one is disputing is happening or not with insufficient evidence either way), however, they also happen to be lacking in detail about their accounts, making it difficult to gather information and evidence to form a theory about what is happening, how it is happening and how to test for it.
2.b. This is made especially difficult when said players feel they are being questioned, or are so focused on their situation only and "shut off" from engaging further with questions. (Again) Preventing any way to form theories as to what is happening and to test them out.
2.c. Key information that realistically needs to be gathered are:
2.c.i. How old the account is (Stolen data, see 3 below)
2.c.ii. Were the Account and Forum details the same? (Some used the same details, resulting in needing only Forum data being stolen to be able to access their in game account)
2.c.iii. Has their data been shared with others before? (There's always stories of someone who didn't look after any data they have got and caused no end of problems to themselves or others)
2.c.iv. Where are they geographically? (This is related to the data breach that happened to Codemasters)

3. It is KNOWN that DDO and Codemasters (Euro server runners of DDO) both have had player data stolen in 2013 and 2011 respectively.
3.a. This data breach could be one of the reasons why players accounts have been accessed so easily (and readily)
3.a.i. Such as by having Account Names being the same as their Forum Names (AND Passwords too)
3.b. It is also possible that Codemasters didn't have as tight security and had even more linked information that was stolen.
3.b.i. Because we know from what SSG staff have said that integration of data from Codemasters was a problem and was part of the problem of server transfer issues as well recently, suggesting some data might not all be in alignment with "how they should be".

4. For now, everything is being classed as an "Account Hack".
4.a. This is because there is no confimation of any suspected method as the ultimate cause of the "Unauthorised Action".
4.b. This includes being careless with data yourself, sharing the data with others and them being careless about the data or their protection of the data, actual hack, brute force multiple password attempts, to lying about it being a hack (for whatever reason), being in cahoots with the actual offender in trying to pull a fast one, etc.
4.b.i. Due to lack of evidence of any one particular action being the thing that happened.



Not a Dev here.

But, "MY" recommendation is not to wait.

Why?

A. Changing your password now can only reduce the chance of your account being "Hacked" by someone who is going through the data breach on DDO or Codemasters.
A.1. This prevents any long time accounts from being immediately checked up on by stolen data.

B. Change any payment methods that are automatic as well such as Paypal under certain circumstances. This prevents automatic purchases that could have been performed without you knowing.
B.1. I for example require a login to Paypal, as well as the 2FA there to get to the payment stage.
B.1.i. This prevents any unintended logins to my account from being able to make purchases without me knowing.

C. Always perform such security actions (changing of passwords) on known "clean" computers to prevent accidental/unintended exposure to third parties.

There are likely more recommendations by other forum members, but this is what I have to offer thus far. (Not a lot of time on hand due to IRL duties)

J1NG

Back in 2017 I got up and logged in to Sarlona and only saw 4 toons and I had 22. As I started to panic I realized I didn't recognize any of the toons or names. I used my login credentials, that I've never shared and only lives in the brain box to log in. I realized quickly I was in someone else's account. I logged out, closed game, rebooted machine, and payed, prayed like I've never prayed before with Gnoman tickling my ear, "Shall we continue?" I was back in my account after relogging thank goodness!

I'm lawful to chaotic good, so I didn't touch that person's account, but I could have looted it if I had a different alignment in RL. I have an ocassional nightmare someone will have the pleasure (or pain) of logging into my account by accident and cleaning me out : ) )

 

[adamkatt]

I ended up in someones account once.. ill saw all there characters and then the launcher dropped me, it was only about 10 secs. i was just thinking when did i make a toon named showNuff... If i was faster to react i would have taken a screenshot but i was not!

 

[Grumgrim]

if the devs wanted to fix it they would ask those qustions after a ticket is raised.
they don't, this suggests they can't easily fix it and are hoping not enough people will be affected and they can ignore it

 

[Willow]

I'm vip and deleted my payment info for safety sake. So I assume when it comes time to renew I will just have to repurchase vip if I want it? I would reather lose this game than get my bank account wiped.

 

[Bjond]

I'm vip and deleted my payment info for safety sake. So I assume when it comes time to renew I will just have to repurchase vip if I want it? I would reather lose this game than get my bank account wiped.

I would not worry about a credit card. CC companies do an exceptional job of detecting and handling fraud AND none of it can bounce back on you.

Using a debit card, echeck, or ACH would indeed expose your bank account.

 

[Willow]

I would not worry about a credit card. CC companies do an exceptional job of detecting and handling fraud AND none of it can bounce back on you.

Using a debit card, echeck, or ACH would indeed expose your bank account.

I was using paypal

 

[Jummby]

I would not worry about a credit card. CC companies do an exceptional job of detecting and handling fraud AND none of it can bounce back on you.

Using a debit card, echeck, or ACH would indeed expose your bank account.

Why even risk your credit card? Go buy a prepaid card if you want to purchase anything in game moving forward. Why deal with the hassle of sitting on the phone with CC company to deal with it and removing charges?

 

[Jummby]

I was using paypal

Alot more on Redit on what's happening. DO NOT use PayPal.

 

[Willow]

Alot more on Redit on what's happening. DO NOT use PayPal.

What about if you dont have it save your payment info/delet it right after? All I got is paypal or debit card, lol.