PDA

View Full Version : Regarding Reports of Unauthorized Transactions



Scapes
08-26-2014, 01:49 PM
Let us start by saying this very clearly: Trion Worlds' security has not been compromised in any way. There has been absolutely no breach in Trionís servers.

What happened in the last few hours is sadly nothing new: every day, bots obtain user credentials from various unprotected sites around the Internet, build lists of login and passwords, and try them on Trion's servers (along with many other sites). If players consistently use simple or repeated passwords across different online services, these bots may get access to their accounts. Hundreds of millions of such attempts were made from well over a million different IP addresses in the last few weeks, only a fraction of which ended up being successful today.

The team has already started providing refunds and all players affected by fraudulent charges will be automatically refunded within the next few hours today.

As previously mentioned, this type of issue is recurrent in the online world and Trion has actually been working on a solution to address this particular problem for a while now. Coincidentally, starting Thursday, we are adding a new security feature to Glyph to help keep player accounts safe: when players log in from a new computer or a place that we havenít seen them log in from before, theyíll be asked to verify that it really is them logging in, by entering a code emailed to their accountís primary email address.

Trion Worlds encourages all players to update their existing passwords and to make sure to use different, secure passwords for across the Internet. Players can go here to update their account information immediately, including their passwords and login information: https://session.trionworlds.com/login. If you believe that this has happened your account and have any questions, please contact Trion Customer Support as soon as possible: https://support.trionworlds.com/

SilverWF
08-26-2014, 02:13 PM
The team has already started providing refunds and all players affected by fraudulent charges will be automatically refunded within the next few hours today.

This is really great!

Rullingsen
08-26-2014, 02:40 PM
Had the best experience with Trion Billing support live chat a few moments a go. Thank you and good luck catching the thiefs :)

squidgod2000
08-26-2014, 02:42 PM
Coincidentally, starting Thursday, we are adding a new security feature to Glyph to help keep player accounts safe: when players log in from a new computer or a place that we haven’t seen them log in from before, they’ll be asked to verify that it really is them logging in, by entering a code emailed to their account’s primary email address.

Obligatory "What took you so long?" comment.

Had someone in Korea steal my CC info and try to use it to pay their ISP/hosting bill last weekend. Almost certainly unrelated to this (since they would need the actual info and not just access to my Trion account) and also unsurprising, considering how many times my info has been stolen (SOE, Adobe, Target, etc etc), but worth mentioning, given the context.

Tried to add the mobile authenticator to my account a little while ago, but I have no clue what answer I put for my favorite childhood toy, so my account will simply have to go unprotected.

moof
08-26-2014, 03:25 PM
Obligatory "What took you so long?" comment.

Had someone in Korea steal my CC info and try to use it to pay their ISP/hosting bill last weekend. Almost certainly unrelated to this (since they would need the actual info and not just access to my Trion account) and also unsurprising, considering how many times my info has been stolen (SOE, Adobe, Target, etc etc), but worth mentioning, given the context.

Tried to add the mobile authenticator to my account a little while ago, but I have no clue what answer I put for my favorite childhood toy, so my account will simply have to go unprotected.

ah its fine,come up with some kind of absolute jibberish and input it as the answer,make sure to write it down beforehand,thatway only youll know the stuff,and with enough jibberish,youll have unbeatable security bits

CM Kiwibird
08-26-2014, 03:30 PM
Tried to add the mobile authenticator to my account a little while ago, but I have no clue what answer I put for my favorite childhood toy, so my account will simply have to go unprotected.

You can reset those questions with customer support. Use this form here: http://triongam.es/1b8H1ei

Basically, just enter as much information as possible and let them know you need to change your security questions in the subject.

moof
08-26-2014, 03:33 PM
You can reset those questions with customer support. Use this form here: http://triongam.es/1b8H1ei

Basically, just enter as much information as possible and let them know you need to change your security questions in the subject.

make sure he uses the jibberish writedown method,he seems to be getting hacked at alot and this would help him alot

OttawaREDBLACKS
08-26-2014, 04:12 PM
glad your being truthful and revealing on unauthorized account access.

Maybe next you can actually can do something in response to 3rd party mods. Still waiting on a response from both kiwibird and a ticket from well over a week. I am also waiting for anything to be done outside of people getting in trouble for name and shame.

Deunan
08-26-2014, 08:06 PM
...If players consistently use simple or repeated passwords across different online services, these bots may get access to their accounts....


http://youtu.be/_JNGI1dI-e8k

BlackTalons
08-26-2014, 08:32 PM
What I do is have about four password fragments and mix two or three of them at diferent sites. That way nobody has easy access to the complete set, but in case I forget a password I only have to try a few combinations to get it right.

MadDogTremor
08-26-2014, 08:33 PM
Post deleted by author. Please remove.

Silicon Valley
08-27-2014, 06:42 AM
What happened in the last few hours is sadly nothing new: every day, bots obtain user credentials from various unprotected sites around the Internet, build lists of login and passwords, and try them on Trion's servers (along with many other sites).

Actually it IS something new and should be made aware to players by updating the patcher. It's like everytime Trion launches a new game accounts are getting hacked and customers are getting their billing information stolen. It seems to be worse in ArcheAge, but we also seem to have a few Defiance cases.

ArcheAge:
http://forums.archeagegame.com/showthread.php?25246-quot-Hacked-quot-Account
http://forums.archeagegame.com/showthread.php?32011-Trion-World-Unauthorized-Purchased.

Defiance:
http://forums.defiance.com/showthread.php?171011-Account-hacked

Trion's servers have been hacked before and back then it took a customer to solve the issue by showing how a backdoor was being used. It's weird something this serious hasn't been made aware more.

N3gativeCr33p
08-27-2014, 06:50 AM
It's weird something this serious hasn't been made aware more.

cough*PAX*cough

dramaQkarri
08-27-2014, 06:51 AM
<valuable info>

I was reading a bit on the ArcheAge forums and it sounds like it's REALLY bad over there! Not only are users accounts getting hacked and the hackers attempt to make purchases, it seems they are also hijacking accounts and attempting to hack the gameplay. This results in the users game account being banned, and then they have no access to live chat or support. Their only hope is the forums. A lot of these people bought the $150 early access package and have lost it to hackers. I hear some of them are getting sorted out but it's affected a whole bunch of players.

Must be the new pay-to-get-banned model...replacing the tired old P2W model. KIDDING! I hope all these people get their accounts and/or money back.

430005
08-27-2014, 07:39 AM
What happened in the last few hours is sadly nothing new

Uhm Scapes, someone on forum said Trion servers got hacked before and financial information stolen through a Rift backdoor (no pun). He also posted a thread that this shtako has been going on for a full month in ArcheAge and seeping into Defiance. You sure about this?

This isn't something that happend in the last few hours, mate.

dramaQkarri
08-27-2014, 10:25 AM
Bumping for visibility.

As the linked closed thread suggests, I'd still recommend a password change. Err on the side of caution, friends.

http://forums.defiance.com/showthread.php?172932-Urgent!-change-your-passwords-asap.

Cavadus
08-27-2014, 11:39 AM
This affected me as well. Had multiple attempted Archage purchases. Luckily I use my Google Wallet card for all online purchases so I didn't have any issues but it's pretty clear that TW is having security problems.

Don't know why they'd lie about it though.

dramaQkarri
08-27-2014, 12:08 PM
This affected me as well. Had multiple attempted Archage purchases. Luckily I use my Google Wallet card for all online purchases so I didn't have any issues but it's pretty clear that TW is having security problems.

Don't know why they'd lie about it though.

It's a loophole in the language I'm sure.


Trion Worlds' security has not been compromised in any way. There has been absolutely no breach in Trionís servers.

The statement is true from a certain perspective. User accounts were used to make unauthorized purchases but Trion's servers remain intact.

It's like saying someone touched your stuff in my house but my stuff is fine, and I still have your sullied stuff.

dramaQkarri
08-27-2014, 12:39 PM
http://www.gamenguide.com/articles/12731/20140827/archeage-beta-online-2014-news-game-hacked-players-charged-founder.htm

http://www.ign.com/articles/2014/08/26/archeage-players-hit-with-unauthorised-transactions-from-trion-worlds

Basically it's being said that ArcheAge game was hacked, which implies that Trion's servers were not.

Tricky wording designed to keep us from worrying - but in fact, the tricky wording makes us feel SUSPICIOUS.

Copperpot
08-27-2014, 12:54 PM
Do you think the hack could have messed up their support ticket system? It seems to be broken, although they say they are just backed up. In your article it says, "Trion is reportedly not responding to in-game report tickets regarding the issue, though some players have reported receiving refunds after speaking to Trion representatives via their live chat system."

dramaQkarri
08-27-2014, 12:58 PM
Do you think the hack could have messed up their support ticket system? It seems to be broken, although they say they are just backed up. In your article it says, "Trion is reportedly not responding to in-game report tickets regarding the issue, though some players have reported receiving refunds after speaking to Trion representatives via their live chat system."

I doubt it but who knows. The unauthorized purchases on accounts of ArcheAge players have been happening since late July so that might be where the backlog starts.

Also, apparently there seems to be a big problem due to Paypal allowing Trion to bill Paypal directly instead of making them log in to Paypal. One ArcheAge forum user said it best:
Every other game makes me log into my Paypal to complete the purchase, Archeage doesn't do that.

N3gativeCr33p
08-27-2014, 01:02 PM
Also, apparently there seems to be a big problem due to Paypal allowing Trion to bill Paypal directly instead of making them log in to Paypal. One ArcheAge forum user said it best: "Every other game makes me log into my Paypal to complete the purchase, Archeage doesn't do that."

http://2.bp.blogspot.com/-LxUK9d0QGBM/TyJ9QwstHRI/AAAAAAAAUPs/aOIXAt7okPU/s1600/doh.jpg

Unique One
08-27-2014, 03:20 PM
Why the hell is this not a sticky... and why the hell is (as an absolute minimum) password change not mentioned/forced on the launcher?????




Lack of proof that you have been hacked does not mean you have not been.

Amack
08-27-2014, 04:21 PM
Lack of proof that I am Superman does not mean I am not Superman. I am so Superman!

Come now children, please spare us this mindless drama. A person or people had success while phishing and built a list of login credentials which they then used to login and make false purchases. This is not a server or database breach. If they had breached server security they would have used the information for more than in-game digital purchases. In that kind of situation you would have seen more immediate and broad actions taken by Trion.

If someone gets a keylogger onto your machine, changing your password will be a moot point as they would then be able to get the new password as well. This is why Trion is implementing IP login authentication for locations.

Silicon Valley
08-27-2014, 04:45 PM
Come now children, please spare us this mindless drama.

Players aren't causing the drama here. Trion servers have been hacked before. When Rift accounts got their information stolen it had to be a customer, not Trion to show that there was a backdoor.

You want to defend Trion, do it on a matter that needs defending. Everything negative about Trion being spouted is because they keep messing up. They should have posted this on their launcher.

There are several different highly effective ways to limit "hundreds of millions of such attempts" from "well over a million different IP addresses". Failure to implement ANY method of limiting brute force login cracks is entirely Trion's fault. It just adds to the list of fails that makes you not purchase anything.

Check out the ArcheAge link. Trion as usual is dodging responsibility with fanbois trying to defend.

http://forums.archeagegame.com/showthread.php?32011-Trion-World-Unauthorized-Purchased

Too many accounts have been compromised. The way Trion is acting is insulting. Yet again.

Amack
08-27-2014, 04:55 PM
Players aren't causing the drama here. Trion servers have been hacked before. When Rift accounts got their information stolen it had to be a customer, not Trion to show that there was a backdoor.

You want to defend Trion, do it on a matter that needs defending. Everything negative about Trion being spouted is because they keep messing up. They should have posted this on their launcher.

There are several different highly effective ways to limit "hundreds of millions of such attempts" from "well over a million different IP addresses". Failure to implement ANY method of limiting brute force login cracks is entirely Trion's fault. It just adds to the list of fails that makes you not purchase anything.

Check out the ArcheAge link. Trion as usual is dodging responsibility with fanbois trying to defend.

http://forums.archeagegame.com/showthread.php?32011-Trion-World-Unauthorized-Purchased

Too many accounts have been compromised. It's insulting. But hey, keep trying.

You are hilarious. Where is the corresponding lawsuit that would have been filed against Trion for negligence?

PSA: Don't be like this person and believe everything you read on teh interwebz.

Unique One
08-27-2014, 05:03 PM
This has nothing to do with drama and everything to do with good security practice.

Hacked or not, people should be changing their passwords after so many incident reports in such a short time.

Amack
08-27-2014, 05:09 PM
Good security practices would dictate changing every single password you use every 30 days, regardless.

Unique One
08-27-2014, 05:19 PM
Good security practices would dictate changing every single password you use every 30 days, regardless.

Absolutely. Especially when many people have reported recent compromises.

430005
08-27-2014, 06:08 PM
Don't be like this person and believe everything you read on teh interwebz.

The complaints are enough for me to remove my billing information from Defiance.

This should not happen.

dramaQkarri
08-27-2014, 06:09 PM
It's not drama. The reports of unauthorized purchases being made in ArcheAge accounts have been going on since the last week in July.

Go check out the ArcheAge forums.

All we're saying is, Trion could be much more vigilant in preventing this sort of issue from happening in the first place. It can happen to anyone, anywhere. But we can't condone it by pretending it's on US, not them. It's on us AND them to do better.

Spare me the high horse, Amack. I hope it doesn't happen to you.

Amack
08-27-2014, 06:21 PM
I appreciate your concern DramaQ, like a hole in my head.

Here is one of my very favorite articles (http://technet.microsoft.com/en-us/library/hh278941.aspx) regarding security.

Silicon Valley
08-27-2014, 06:26 PM
Point is, this the second time this has happend to Trion. First Rift, now ArcheAge and Defiance.

Remove the billing information and check your security. Because you can't trust Trion.

Defiance = NSFW (Not Safe For Wallets). Well, more ArcheAge. But still.

Sliverbaer
08-28-2014, 05:53 AM
"Law #5: Weak passwords trump strong security."

More info would be nice, but Trion isn't the only company getting hit. It boils down to using same username/email login and password for sites with craptasic security that may or may not do transactions, which gets hacked and dumped into a list, which is used everywhere to see if you use it at other sites.

The internet sucks. Think of all that could be done moving forward if people weren't a-holes.

dramaQkarri
08-28-2014, 07:33 AM
Well the hacker a-holes got to JP Morgan overnight apparently.

https://finance.yahoo.com/news/jpmorgan-confirms-investigating-possible-cyber-120423762.html

Compared to a bank getting hacked, a gaming company is small potatoes. Still, a chain is only as strong as its weakest link. Bottom line, if the a-hole wants in bad enough, he WILL get in. Just like a thief breaking into your house or business - there is always a way in.

As consumers the only thing we can do to protect ourselves by using complex passwords, not using the SAME passwords for multiple accounts. You can also be like me and have virtually no assets - how can I worry if there's nothing in my posession for someone to steal? LOL

Antavius
08-28-2014, 02:40 PM
I've had issues just logging in and I know that it's not on my side. My password keeps getting kicked back as incorrect and I know my passwords by heart. I can type the damn thing in with my eyes shut. The minute I send in an issue about my account inaccessibility I get something back and suddenly I can log in... hmm...

dramaQkarri
08-29-2014, 01:33 PM
Well this bothers me. The hacking of ArcheAge accounts is continuing:

http://forums.archeagegame.com/showthread.php?33360-Account-has-been-hacked-still-no-help-from-this-archeage-support

So I don't know if the people that were hacked today had gone in and changed their passwords or not and I'm not setting up a forum account just to ask about it, no point as that game isn't my type.

but it BOTHERS ME that this situation remains unresolved. A lot of people still waiting for refunds too I guess.

I'll say it again - don't leave your billing information lying around the internet! You can set up monthly auto payments through your bank (although really nowhere is safe, I guess).