My account was hacked and how it's been handled so far.

[cooler989]

While I really feel sorry for you, there is one thing I don't get.

Why did you need to remove your current token to move it to the mobile one? Was it not working in the first place? It seems like you kinda screwed yourself over from the get-go.

"If it aint broke, don't fix it" is a little bit of knowledge i'd like to pass on to you sir.

Does anyone know how long the rollback process takes its been almost 4 days since I filled out the forms and I have heard nothing from se?

[Comicbookguy]

I looked it up and it was TRION that had their database hacked.

Same thing happened with Turbine and LOTRO. My dormat account that I haven't logged into for 3 years was hacked and they took everything from my inventory.


http://www.computerandvideogames.com...tabase-hacked/

http://www.tentonhammer.com/lotro/ne...er-compromised

[Wiggles]

When you activated the token password the FIRST TIME, they provided you with a special password to keep JUST IN CASE you lose or decide to remove your authenticator. Im guessing you didnt read the e-mail right?

Its not Squares fault a keylogger was on your system and you didnt have your one-time password setup correctly or stored the backup reset password. Im sure they can roll you back but its not their fault its yours and yours alone for not taking the precautions.

[Rutteger]

These horror stories made me immediately set up a software token. Most people own a mobile device with either iOS or android, so there is no excuse not to!

Could you log in and change your password now? Shouldn't the hackers be kicked off like everyone else, and therefore you shouldn't get the error 3102 when you try and log? Hopefully immediately after maintenance ends of course. Good luck anyway!

[Mychael]

It sounds like the game doesn't kick you even if a token is added to the account or if the account password is changed which in turn means if the person who compromised the account doesn't log out they don't have to go through the new security measures.

If that is true, then the hacker shouldn't be able to log back in after maintenance.

I can confirm this. Back when we all stayed logged in 24/7, I logged in from a random company laptop while I had nothing to do at work one day, and as a result my account was frozen and I had to reset my password. I did this, and still got 3102 errors. When I got home, my character was still sitting there, happy as ever.

The same situation occured when I activated my software token. My characters' connection was not disrupted. I made a thread about it a while back, but I think it was lost to general discussion.

[Silverwalk]

These horror stories made me immediately set up a software token. Most people own a mobile device with either iOS or android, so there is no excuse not to!

Could you log in and change your password now? Shouldn't the hackers be kicked off like everyone else, and therefore you shouldn't get the error 3102 when you try and log? Hopefully immediately after maintenance ends of course. Good luck anyway!

He has the mobile token app associated with his account, so the hackers won't be able to use his account any more.

Unless there is a flaw in SE's system that allows the authentication to be bypassed, such as brute forcing the session ID as happened with RIFT (from what I read). In that case they don't need your password.

[Silverwalk]

I can confirm this. Back when we all stayed logged in 24/7, I logged in from a random company laptop while I had nothing to do at work one day, and as a result my account was frozen and I had to reset my password
....

That's what I've been wondering. How can they log in from another IP? Even if they manage to gain your password the account should be locked when they try until you change the password.

It used to be this way in 1.0 but has it changed? Or is this check disabled when you put the authenticator on your account?

[Mychael]

That's what I've been wondering. How can they log in from another IP? Even if they manage to gain your password the account should be locked when they try until you change the password.

It used to be this way in 1.0 but has it changed? Or is this check disabled when you put the authenticator on your account?

I haven't been frozen since I applied the token. Even if that's not the case, IPs could theoretically be spoofed, and depending on the skill of the hacker, if they're capable of retrieving someone's login information, the IP shouldn't be too difficult. I'm not entirely sure what the requirements for a freeze are. It might be client-related rather than IP-related. I had no issues taking my personal computer to work and logging in before the token.

[Silverwalk]

I haven't been frozen since I applied the token. Even if that's not the case, IPs could theoretically be spoofed, and depending on the skill of the hacker, if they're capable of retrieving someone's login information, the IP shouldn't be too difficult. I'm not entirely sure what the requirements for a freeze are. It might be client-related rather than IP-related. I had no issues taking my personal computer to work and logging in before the token.

Ugh that's disappointing to hear. When I was playing on 1.0 if my internet disconnected and I got a different IP address when it reconnected I got locked out when I tried to log in (on the same computer).

Since you were able to take your computer to work and log in without this happening it seems that 2.0 does not implement this check anymore.

Much

[SanjiroLionheart]

......then HE REMOVED IT and had me change my password on the forums.
"

Waaaaait forrrrr iiiiiiiiit.......

.........And who the hell said ANYTHING about a forum password? FFS I feel like I'm talking to an infant. And the forum info and game info are the same...you have to log in with the exact same info. So again, no clue where you were going with that tidbit.

I believe that would be you, sir. Sucks you got hacked, sucks even more if you're legit about not doing anything shady. I suggest either reading what you type, to avoid cases like this, or type things out to be a bit less confusing to people. For you to say that you had to change your forum password in one post, and then turn around and act like the guy who quoted you was imagining things and in turn /rage at him is just ridiculous.