Data Breach Notification

2FA is necessary now more than ever.

Also, I really fucking don't appreciate just any old staff member being able to see my shipping address. Lock our sensitive information down to ONLY accounts that require the information. This isn't just about an attacker gaining access, you don't fully know every person who works for you. Thank you for the update.
Last edited by Black_Mage#2023. Time: Jan 16, 2025, 3:20:01
bawaaji#1185 wrote:
ibims111#7338 wrote:
It physically hurts how some people refuse to read and understand the GGG post on this topic.

Investigator: The fence had a hole which made it easy for the attackers to get access to the factory.
Victims: If only the door would have been more secure.

At this point GGG should pray really hard that some legal processes will not be opened against them.

Accounts were hacked left and right from last year (just make a search on reddit and see how many complaints are there).
So this hole in the fence is their responsibility and not ours.
And this statement that only 66 accounts were affected is one big bs.

I don't deny that accounts got hacked and that GGG is handling all of that very very poorly. I understand all of that. But I also do understand that the fence (be it the hacked admin account or the hideout/trading thing) has nothing to do with a more secure front door (having 2FA). It is good to have 2FA implemented, no question about that, but it has done nothing in this case and would have done nothing on the standalone client to those accounts affected.

This might be an unpopular take, but I also think that locking the accounts makes sense. Jonathan stated in the patch stream with DM and Ghazzy that only 30 days of logs are kept. So in case accounts are under investigation for what actually happened to them, GGG has an interest in not producing more logs, to avoid them getting overwritten. You can argue that you could make backups to go through them, but, nothing better than a dead body to examine.

Of course, my understanding of a field in the logs that is flagged the wrong way or configured the wrong way or whatever it is to make a field read only to an admin, it is not a bug. It sounds more like a misconfiguration. It most likely is human error when creating, implementing or writing the log mechanism itself. This usually also gets tested and approved before going live, I would imagine especially if such a case was a thing (maybe not exactly the same, but accounts got hacked previously in PoE1) to your environment in the past.

I also still believe that there is more to it than GGG currently admits. And to be honest, I hope there will be legal issues following this. It would only help the players in the long run because any company will only ever invest as much into security as they are forced to do. Because it is expensive and just like backup is perceived in the IT, it is a waste of money until you rely on it.

Let's hope GGG can make something out of that situation. As it seems right now, even free supporter packs would not fix the damage the support has done.
And by support I do not mean the actions taken to accounts, I mean how they communicated those actions with the hackers' victims.

All in all a very unsatisfying situation for anyone who just wanted to enjoy some days off work in a video game.

if you nerf 10 gems out of 30, you automatically buff the other 20!
2FA please. I will be very happy if you implement this. Like the Steam Guard app on phone.
Dear GGG, there are many IT guys who are playing your wonderful RPG game; I'm one of them.
If you need us to develop 2FA, hire us and we will gladly do it for you.
I'm a RHCSA holder and currently pursuing Azure and AWS cloud computing. I'm pretty much an intermediate in web services.

When can I share my resume?
we need 2FA
So since they can see our transaction history, can they see our credit card information? And with our credit card information, was our personal information stolen?

And thanks for saying "Oh we're sorry.", sorry doesn't cut it anymore when personal information is stolen no matter what country you're in.
Last edited by bobothewizard#1818. Time: Jan 16, 2025, 6:11:41
Cloop123#0584 wrote:

Sorry but you are just factually incorrect here.

2FA does a few things (if set up correctly): it adds another layer of verification even if the password is brute forced, it can also be linked to force an account to be notified or locked down if repeated attempts are made and 2FA fails after x number of attempts.

The only time 2FA becomes irrelevant is if they steal the cookie session which usually requires the hacker to have direct access to your PC or you clicked on something dubious and it pulled that information.

Well, no. This happened because an attacker gained access to an admin account. Admin accounts would, obviously, have the ability to remove 2FA from your account since that is the only way GGG support can help you recover your account if you lose access to your 2FA.
No passwords were compromised or stolen. They were simply removed. The same would be the case with 2FA, which would have done absolutely nothing to protect against this kind of attack.
Last edited by DoubLL#2809. Time: Jan 16, 2025, 6:28:43
Was this data breach even reported according to GDPR within 72 hours? Were affected users informed?
2FA would have protected this, if they set it up correctly and prompted for privileged operations. Some of the responses from GGG sound like total fabrications for their inept implementation of access.

There were many things that could have been done, a basic user access review would have picked this up. There are so many failings here it's like they built a palace on top of stilts.

Can someone from GGG please freaken tell us if our details have been compromised?

Are we going to be contacted or is this swept under the rug while you release some BS Elon bag.

This is total amateur hour, expected more from this company.
Fix your support system when someone contacts you through mail. This is just stupid on a whole other level, ask your neighbour for help.
