Yes...My WoW account got hacked.
A guildmate made mention of me being in game on a forum, and I knew it wasn't me, but didn't think much of it, as one of my RL best friends had my info and might have been doing some swapping. Then they mentioned it again the next day, so I called my buddy and he said he hadn't logged in, so I tried logging in and found my password didn't work.
I had to contact Blizzard and provide my ID and the credit card assigned to my subscription, and they gave it back to me.
Luckily it was only a couple days and the hacker hadn't done much damage, took a couple items and some coin, but nothing irreplaceable.
Yup, on wow.
Used Curse mod manager, which installed .exe files without much in the way of security checks, and I logged in once to see my account emptied. Never used this system afterwards, but it's really not reassuring and you're left wondering which or how many of your emails & such could be compromised. That was before TFA; afterwards it never happened again.
I know someone who got hacked because his email was known (thanks Blizzard for using emails as logins... like no one knows your email...) and the hacker asked for an account restoration using an ID card that had nothing in common with the account owner: different name, surname, country. They didn't even check the matches. They just gave the account to that person. Worst customer service ever.
I had totally forgotten until you asked this question. My WoW account did get hacked once. I logged in one day to a naked character, lost all my gear and quite a bit of money. He was a max level character at the time. I don't remember all the details because customer service took care of it almost immediately (fast enough that I remember it not being a big deal).
I did all the change password things and such, and added the authenticator app, never happened again. I've never had it happen to any of my other accounts of any kinds.
My son had his roblox account hacked haha...I thought that was silly because he had never spent any real life money on his account and there was nothing to take. But, that was his own fault. He had put his info on some website that claimed he could get free robux. A great life lesson learned for him :)
I had my Ubi account hacked a few years ago. I never used it but someone got access to it from a different database being compromised. The account was set up many many years ago and I had actually forgotten about it. However, Ubi support contacted me via email quite quickly when noticing it was being accessed from eastern Europe. I was able to reclaim the account, change the password and install 2FA for it.
I was quite impressed with Ubi's efficiency in catching this.
Only once, playing AC2. Pretty much everyone in the guild had their account compromised, plus many other guilds said so too, at the time.
The next day, everything was rolled back to prior to the incident, and everyone was sent a "you must reset your password" email. I suspect they were storing their passwords not-securely-hashed, which was a common enough rookie developer mistake, back then.
Since then, I use a separate/unique email address and password for every service, site, or game, and whenever possible enable TOTP on all account resets and/or logins. But not SMS. :)
IMO:
TOTP is free to implement, the source code has been open/free for over 10 years, so really, there's no excuse any more.
It's just lazy to not have TOTP on any auth/reset/login mechanism, now.
My WoW account got hacked, I'm not sure how but I'd guess it was a password breach.
My druid named Saldyjawn got his name changed to imatransform by the hacker. He only had it for a week so I don't think he changed anything else besides the talents.
Honestly when I got him back I just kept the name. Talents in that game are also easy to change around.
Luckily it wasn't that big of an issue.
Yes. My wow account got hacked, inventory emptied, guild bank got emptied and I got banned for spamming gold selling in Dalaran. Caused by an imposter site pretending to be an official blizzard site getting my login credentials.
GM recovered everything in the end, but I had to wipe out my Windows installation to recover my system.
Ordered multi-factor authentication fob for my account upon recovery, must have for Pantheon.
Yup, had my WoW account hacked, was able to get the account back. The funniest part about it all was I was a level 30ish in inscription as I never worked on the profession much; they switched me to a miner and had it maxed when I got the account back. I also had 20 stacks of whatever was the best minerals to mine at the time, so I made like 4k gold. They switched me from fire spec to frost spec, but I didn't care after seeing the gold I made.
I never have.
Keep in mind 2FA is vulnerable to phishing. In a phishing attempt you would be expecting the 2FA prompt and would respond appropriately, allowing the attacker to gain access. We had a pen test a few years ago that got an IT executive that way. The phish had a link to a dummy website, the user logged in with 2FA which the pen tester immediately relayed into our legitimate company portal gaining access. 2FA is not a fix-all. Education and vigilance is key.
One thing to mitigate this would be to keep your email account confidential so you don't get targeted. Don't make it public on the forums. Also, never click on the link in the email. Even vigilant people can get caught in a phish if it comes in at just the right time while you are sufficiently distracted.
Ruinar said:
Keep in mind 2FA is vulnerable to phishing. In a phishing attempt you would be expecting the 2FA prompt and would respond appropriately, allowing the attacker to gain access. We had a pen test a few years ago that got an IT executive that way. The phish had a link to a dummy website, the user logged in with 2FA which the pen tester immediately relayed into our legitimate company portal gaining access. 2FA is not a fix-all. Education and vigilance is key. One thing to mitigate this would be to keep your email account confidential so you don't get targeted. Don't make it public on the forums. Also, never click on the link in the email. Even vigilant people can get caught in a phish if it comes in at just the right time while you are sufficiently distracted.
I'm confused by your description of this hazard. I really try to keep on top of threats, so I'm trying to understand it.
My bank requires what I believe is 2FA. When I go to log in, after I give my pw, they email a security code to me. I have to type that code into the bank's login page. The email doesn't HAVE a link in it. Just a number, written in plain text. I copy/paste it into the login page to continue.
I also don't understand how a hacker would know I was trying to log into my bank account unless they had already hacked into the bank's site and were monitoring the login page.
Jothany said:
Ruinar said:
Keep in mind 2FA is vulnerable to phishing. In a phishing attempt you would be expecting the 2FA prompt and would respond appropriately, allowing the attacker to gain access. We had a pen test a few years ago that got an IT executive that way. The phish had a link to a dummy website, the user logged in with 2FA which the pen tester immediately relayed into our legitimate company portal gaining access. 2FA is not a fix-all. Education and vigilance is key. One thing to mitigate this would be to keep your email account confidential so you don't get targeted. Don't make it public on the forums. Also, never click on the link in the email. Even vigilant people can get caught in a phish if it comes in at just the right time while you are sufficiently distracted.
I'm confused by your description of this hazard. I really try to keep on top of threats, so I'm trying to understand it.
My bank requires what I believe is 2FA. When I go to log in, after I give my pw, they email a security code to me. I have to type that code into the bank's login page. The email doesn't HAVE a link in it. Just a number, written in plain text. I copy/paste it into the login page to continue.
I also don't understand how a hacker would know I was trying to log into my bank account unless they had already hacked into the bank's site and were monitoring the login page.
My scenario is a phishing attack where you click on the link in the phish, usually an email. Then you end up on the attacker's fake website and you are providing your information to them rather than your bank, and they are passing it through to the real bank website.
If you are vigilant about not clicking links in your email, this wouldn't happen to you. But otherwise intelligent people can fall for a phish. They are very effective.
Ruinar said:...
Keep in mind 2FA is vulnerable to phishing....
IMO:
Depends on what you mean by 2FA.
TOTP is not vulnerable to phishing or SMS intercept because it uses neither of those for delivery. It's the most secure 2FA I'm aware of, and is free and trivial to implement on any operating system, platform, or device.
Any auth mechanism that relies on a compromised delivery mechanism is vulnerable to interception. That's logically and historically true. Simplest answer then is: don't use that. :)
If you trust email, then by all means, use email for 2FA. If you trust SMS, then by all means, use SMS for 2FA.
Similarly...
If you DON'T trust email, then DON'T use email for 2FA. If you DON'T trust SMS, then DON'T use SMS for 2FA.
You didn't understand the scenario, probably because I suck at trying to explain it. The user that got suckered in the pen test wasn't using email for 2FA. He got an email stating that he needed to "update his account" or something along that line. He clicked the link in the email and entered his username and password. The attacker's website immediately relayed that to the legitimate site. Then the fake site asked for his TOTP and he entered that. The attacker's website then immediately relayed that to the legitimate website and the attacker gained access. Because the OTP was passed immediately to the legitimate site through an automated process, the time-out didn't matter.
This would have worked for SMS, or a prompt-based authenticator on your phone, or any other type. The mistake that was made is the user got an email and assumed it was legitimate.
A lot of very intelligent people made that mistake. So my note in this forum was just a PSA to not trust emails, even when they look legitimate. And 2FA doesn't invalidate social engineering, which is what phishing is.
I'm sorry for getting so far off topic. I know the idea was to find out people's experiences with getting their accounts hacked.
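As an added illustration of the relay scenario described above (this is example code, not anything posted in the thread): a minimal RFC 6238 TOTP verifier shows why a code typed into a look-alike site and forwarded a few seconds later still passes, while a simplified origin-bound check in the spirit of WebAuthn fails because the client signed the origin it was actually talking to. The secret, origins, challenge and timestamps are constructed sample values.

```python
import hmac
import hashlib
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{chunk % (10 ** digits):0{digits}d}"


def server_accepts_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Typical server-side check: accept the current step plus +/- `window` steps.
    Nothing here ties the code to WHO submitted it or WHERE it was typed."""
    return any(
        hmac.compare_digest(totp(secret, now + k * STEP), submitted)
        for k in range(-window, window + 1)
    )


def bound_response(key: bytes, challenge: bytes, origin_seen_by_client: str) -> str:
    """Simplified origin-bound authenticator: the response covers the server
    challenge AND the origin the client believes it is talking to."""
    msg = challenge + b"|" + origin_seen_by_client.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def server_accepts_bound(key: bytes, challenge: bytes, expected_origin: str, response: str) -> bool:
    """The real site only accepts a response computed over its own origin."""
    return hmac.compare_digest(bound_response(key, challenge, expected_origin), response)


def relay_demo() -> dict:
    """Constructed scenario: user types a code at t=59 on a look-alike site;
    the relay forwards it to the real site at t=63 (same 30 s step)."""
    secret = b"12345678901234567890"  # RFC 6238 test secret, constructed for the demo
    typed_on_fake_site = totp(secret, 59)
    challenge = b"constructed-server-nonce"
    real, fake = "https://bank.example", "https://bank-example.test"  # placeholders
    return {
        "totp_relayed_accepted": server_accepts_totp(secret, typed_on_fake_site, 63),
        "bound_relayed_accepted": server_accepts_bound(
            secret, challenge, real, bound_response(secret, challenge, fake)),
        "bound_direct_accepted": server_accepts_bound(
            secret, challenge, real, bound_response(secret, challenge, real)),
    }
```

The TOTP window check is what makes the "time-out didn't matter" observation hold; only binding the response to the origin (as WebAuthn/FIDO2 does) makes the relayed login fail.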
Ruinar said:
You didn't understand the scenario, probably because I suck at trying to explain it. The user that got suckered in the pen test wasn't using email for 2FA. He got an email stating that he needed to "update his account" or something along that line. He clicked the link in the email and entered his username and password. The attacker's website immediately relayed that to the legitimate site. Then the fake site asked for his TOTP and he entered that. The attacker's website then immediately relayed that to the legitimate website and the attacker gained access. Because the OTP was passed immediately to the legitimate site through an automated process, the time-out didn't matter.
This would have worked for SMS, or a prompt-based authenticator on your phone, or any other type. The mistake that was made is the user got an email and assumed it was legitimate.
A lot of very intelligent people made that mistake. So my note in this forum was just a PSA to not trust emails, even when they look legitimate. And 2FA doesn't invalidate social engineering, which is what phishing is.
I'm sorry for getting so far off topic. I know the idea was to find out people's experiences with getting their accounts hacked.
IMO:
Using email for any part of the process makes it vulnerable to email phishing, as it was used in your example.
Security requires a layered approach, and social engineering is certainly effective.
Hopefully, over time, email will be removed from the equation entirely as it adds nothing but risk.
I think your response is entirely on-topic. If Visionary Realms trusts email, and uses it as part of account setup, reset and/or recovery, Pantheon accounts will be hacked via phishing emails. Just like every other site, game, app, or business that trusts email in this same way.