
Authenticators & Security Does not guarantee your account's safety.


Menolord

So my GM's account was hacked 3 days ago; we did not find out until a day later.

Once we told the GM, he logged in and found out that the hacker stole 1.89 billion credits from the guild bank and another 1.5 billion from across his toons.

Our GM called and spoke to SWTOR Customer Service, reps, & EA/Origin. He explained what happened and they told him they would "lock" his account and investigate. They stated that they will be logging on his account a few times.

Missing the raid tonight. We noticed someone logged in on his character; we automatically thought it was a developer. We decided to press G and take a look at our guild credits and nevertheless it was the hacker and he took another 104 million credits from the guild bank.

P.S. Both times the hacker logged into my GM's account he had the Authenticator available. So think again if you believe your account is safe.

The hacker got through the Authenticator the 1st time. The 2nd time the hacker went through the Authenticator AND the lockout from the Devs or Customer Service.

At this point we have no idea what to do. We are sitting here with our thumbs up our.....

If you are a Dev and you are reading this, help us. This is not my last resort but we don't want to take this further than the Devs. It is not just illegal, but your authenticator does not stop ANYONE from wanting to get onto your account.

Edited by Menolord
More realistic title.
---

Your GM has an *urgent* need to re-secure his email account (the one linked to his SWTOR account). Urgent, as in right now, or even sooner.

And tell GM to use different passwords on the email account than on the SWTOR account, and rotate the email account and to never ever share the email account (or the SWTOR account) with anyone. (No, john-and-jane.doe@example.com is not a good email address to use, unless your GM is having genderfluid episodes. If GM is John and Mrs GM is Jane, there's an information leak right there.)

Bypassing the security key / authenticator is possible, and has always been possible (to account for lost / flat-batteried physical authenticators or lost / factory-reset phones etc.), but *does* require that the attacker has access to the linked email account.

If you lose / break your key / phone, you can use a "one-time" (= single-use) password in email to bypass the key and get in, but so can an attacker, if the attacker can also find out and access the linked email account. He can even cover his traces by deleting the single-use password email and then deleting it from the deleted items folder.

So, again, as a matter of urgency, tell GM to secure the email account, *now*. Do not pass Go!, do not collect 200€, do it now, and tell GM to do it now as well.

---

The huge problem at the moment is the hacker got into his e-mail account and changed the email on his account to the hacker's email.....

My GM is a computer Engineer, so he isn't a nublette like myself when it comes down to securing things.

My Entire guild is sitting here wondering what is next.

---

> My GM is a computer Engineer, so he isn't a nublette like myself when it comes down to securing things.

Sorry to say this, but "he isn't a nublette when it comes down to securing things" is entirely unrelated to "is a computer Engineer".

I say this from the viewpoint of someone whose day job has been "Programmer" for more than thirty years. I have colleagues who are younger than my career. The last ten years have been spent in a company that makes network security products, so I have some small experience in securing networks and computers(1).

> My Entire guild is sitting here wondering what is next.

If you're really lucky and the GM succeeds in persuading CS to take appropriate action, the best you can hope for is that his account will be permanently banned before it can do any more damage, and in particular before the attacker(2) can kick everyone out of the guild, strip it of the remaining resources and sell it on to someone else.

In any event, I wish you the best of luck dealing with this situation, and I hope that you'll spread the word to all the people you know to never ever use the same (or very similar - "Flobble1" and "Flobble2" aren't the *same*, but they are so close to the same that they might as well be the same) password for your game and for your email. (For preference, one password per thing, but always different for email than for everything else.)

(1) See my rants elsewhere on these forums about weak TLS ciphers on the launcher. I'm not willing to weaken the security on my firewall to let the launcher use them.

(2) I refer you to https://securitytrails.com/blog/hacker-vs-cracker for insight as to why I don't use the word "hacker" here. "Attacker" is also more specific and accurate anyway.

---

My GM is an IRL friend, and no, he is not feeding me a lie, because while he was away from his desk I witnessed his toon log in and withdraw the money. And now the Devs confirmed he has been hacked and are trying to retrieve what was stolen for him....

The only issue is.. What stops this Hacker/Attacker from doing it again?

---

OK, he only successfully got into my SWTOR account, not my email, not anything else; he tried but couldn’t. Somehow he got through my account here and changed my email here, then disabled the security feature the first time. Probably through the Google auto-save feature on their browser. The second time, the security passwords were all changed and he still got in, and I had not logged in since Tuesday. I logged in today to check and yes, it’s halfway fixed by the devs. Not gonna get into details until they give me the green light and it is fully resolved. I haven’t logged in since they told me to this morning as a test. Now I’m waiting for them to do their thing. It happened through the key, yes. I’ve never not had it secure and I know my way around this kind of stuff.