Anyone else receive unsolicited emails with access codes in Russian language?

Big_Punisher

Got 4 emails with access codes in Russian language today aswell, from legit address.

davidtk

vsrs_au wrote: »

Yes, 2FA definitely helps. I have it enabled, and haven't received any of these emails.

Wait, where I can activate 2FA for ESO account (not for steam)?
It is by phone number or how? I can see only security question...

Elsonso wrote: »

if you didn't make the attempt, you can ignore the email.

Nah i rather changed password for sure.

WAMB0

I got those emails as well.

There is literally no sign of phishing (correct email address, no tampering with hyperlinks even TSL signed).
I changed my password after I got the first mails, and got 2 more mails.
Now I tested with wrong credentials on PTS (which I've not been on from this IP) - and it triggered the mails.

This could be completely avoided if the credentials were checked first - and then the email triggered. Not trigger an email with an access code for WRONG credentials.
But hey, if you can make the customer work instead of your system: sure.



PS:
Some ppl should really rethink their answers:
'this is most definitely phishing, because I got emails about different things from other zos email addresses' is just logically wrong.
About credit cards: even if someone got your account information, they could not use them, because the credit card number is not shown completely.

Elsonso

davidtk wrote: »

vsrs_au wrote: »

Yes, 2FA definitely helps. I have it enabled, and haven't received any of these emails.

Wait, where I can activate 2FA for ESO account (not for steam)?
It is by phone number or how? I can see only security question...

2FA is built into the ESO accounts. That is the purpose of the email you got.

The 2FA that I mentioned, that was responded to, is for the email. Your ESO ID and password are insecure if someone can just steal your email account and grab the 2FA code that they send out.

davidtk

Elsonso wrote: »

if you didn't make the attempt, you can ignore the email.

Elsonso wrote: »

davidtk wrote: »

vsrs_au wrote: »

Yes, 2FA definitely helps. I have it enabled, and haven't received any of these emails.

Wait, where I can activate 2FA for ESO account (not for steam)?
It is by phone number or how? I can see only security question...

2FA is built into the ESO accounts. That is the purpose of the email you got.

The 2FA that I mentioned, that was responded to, is for the email. Your ESO ID and password are insecure if someone can just steal your email account and grab the 2FA code that they send out.

I thought that there can be more then just emails with code... I like authenticators.

HowellQagan

Big_Punisher wrote: »

Got 4 emails with access codes in Russian language today aswell, from legit address.

@Big_Punisher FYI sender email addresses can be spoofed. So that alone doesn't really mean anything.

hrothbern

ProudMary wrote: »

This morning I opened my email and had received, unsolicited, two different access codes for Elder Scrolls Online. They both came from "noreply@mail.elderscrollsonline.com" supposedly. The emails are both in the Russian language, so I can't read them. This seems highly suspicious to me. Needless to say I'm not likely to use these access codes because I didn't pay for them or ask for them, and I don't know what they are access codes for.

Did ZOS get hacked or something? Anyone else get these unsolicited access codes? I've never had something like this happen before. Anyone know what's going on here?

@ZOS_Kevin

@ProudMary
You say "this morning" and I see you started this thread at 10.43 AM CET time (the timestamp I see on this forum.

10.43 CET is 9.43 UTC and according to the ZOS notification I see today ESO Store and Account System maintence was scheduled for 11.00 TC until 15.00 UTC.
=> The issue was before maintenance started
What time did you notice the issue, what time was the email ?

It could be that hackers saw that maintenance round as an opportunity to act, but still what happened does raise for me the following questions:
@ZOS_Kevin
Was the issue already part of the maintenace list, or the reason to do maintenance ?
Could it possibly an artefact of preparations for this maintenance round ?

Syldras

hrothbern wrote: »

Was the issue already part of the maintenace list, or the reason to do maintenance ?

I think that maintenance announcement here at the forum has already been there for a while? So it might be a regular one. But who knows when this current problem first occured, maybe they already got the first reports days ago. Anyway, I hope there will be a clear statement from ZOS about this whole issue.

StormBlade512

Tandor wrote: »

StormBlade512 wrote: »

If anyone gets an unsolicited email, definitely change your passwords asap - it could mean your password has been leaked/cracked/otherwise obtained. It's better to be safe than sorry! (Imo I would also change my email password too).

Want to echo that we really REALLY need better two factor than the email access codes. It's just too basic and a lot of times takes ages to come through. We need authenticators/SMS with back up codes and de-authorisation

What we really need is a default option not to wander around Tamriel displaying half the information needed to hack our accounts.

Yeah would be great to have a Steam esque login ID that's separate to the account ID

SubSidal

Wanted to chip in because this happened to me today aswell.

By all it seems the email is genuine from an attempted login.

I changed my password and a few hours later received another, which means they got the new password too. Did a full scan of my pc, all clear. It does bear the hallmarks of a data breach of some sort.

Hoping to hear something from ZOS

Syldras

SubSidal wrote: »

By all it seems the email is genuine from an attempted login.
I changed my password and a few hours later received another, which means they got the new password too.

Is the email sent out with successful login attempts only or with every kind of login attempt? That makes a big difference.

SubSidal

Syldras wrote: »

SubSidal wrote: »

By all it seems the email is genuine from an attempted login.
I changed my password and a few hours later received another, which means they got the new password too.

Is the email sent out with successful login attempts only or with every kind of login attempt? That makes a big difference.

It's the standard email ZOS sends when you login to authorize a new IP. It's sent when the password is correct but IP needs to be verified before they let you login.

The_one_i_seek

@SubSidal not IP, but Hardware ID

only HWID, even if email says otherwise, ie IP, its a lie

Amottica

Elsonso wrote: »

Amottica wrote: »

I just checked my email.
Emails from ESO are from no-reply@email.bethesda.net.
Emails that are forum related are from noreply.forums@elderscrollsonline.com

Someone got not so creative with creating that new domain. If other players are seeing this I would be concerned that Zenimax got hacked.

What email address did your mysterious email come from?

Edit: the one listed in the first comment, "noreply@mail.elderscrollsonline.com", is legit.

I did not get one. I was just noting the two emails I get from Zenimax and they do not match what the OP noted.

davidtk wrote: »

Elsonso wrote: »

if you didn't make the attempt, you can ignore the email.

Elsonso wrote: »

davidtk wrote: »

vsrs_au wrote: »

Yes, 2FA definitely helps. I have it enabled, and haven't received any of these emails.

Wait, where I can activate 2FA for ESO account (not for steam)?
It is by phone number or how? I can see only security question...

2FA is built into the ESO accounts. That is the purpose of the email you got.

The 2FA that I mentioned, that was responded to, is for the email. Your ESO ID and password are insecure if someone can just steal your email account and grab the 2FA code that they send out.

I thought that there can be more then just emails with code... I like authenticators.

There is no authenticator program built into ESO. Zenimax considers the email system to be sufficient.

Ofc, as I mentioned before a good password system is paramount and especially so since ESO uses emails to authenticate.

The only person I know that had their ESO game hacked had been using the same password for everything since his early days in WoW. He might as well have worn a shirt asking to be hacked.

Valve

I got two of these emails in Russian and my password is saved in a password manager.

Something weird is going on. I doubt ZOS saves the passwords and instead uses a hash so I would guess a bug of sorts.

My password is generated and looks something like (this is an example and is not something I use):
2&%h@8aBLG533gfMexXkoDWhiXv#2@VEW5XZ95&ENtvw!eRbxgke%zBs#nzeWmr33NZ@kc@#U^^USqUz%AH64PvoXgLpQPwtaZDHmaV5a8$dj#LoX4kycCR6$w!ZLPxm

This isn't brute forceable or guessable leaving two scenarios:
1) A bug causing these emails to go out for some reason.
2) ZOS stores passwords insecurely and there was a databreach.

Option #2 is the scary option!

Edit:
Someone did say thet the emails are sent even if an invalid login occurs. This would explain it if someone being geolocated back to Russia or maybe a Russian ESO client is performing a credential stuffing attack.

But in that case, why are we seeing code emails if the passwords are incorrect!?

wilykcat

It could be a glitch.

Elsonso

Amottica wrote: »

There is no authenticator program built into ESO. Zenimax considers the email system to be sufficient.

I wish they did allow use TOTP (time-based authentication) rather than emails. Then we could use something like Google Authenticator and log in right away rather than having to wait for the email.

TaSheen

The only authenticator that would work for me would be a physical one like I had a decade ago for WoW. Anything else wants to send me texts or use my cell phone to call - and my cell doesn't work at my house, so no call no text. Yes, I live in one of the very few places in the lower 48 which has no cell, no tv (other than dish) and no broadband (other than dish). Love living here, not so happy about being a "second class citizen" when it comes to tech.

I do of course get the emails from ESO if my IP has changed between logins.

Raikiki

Hello everybody. Got 2 of these emails yesterday and changed all my passwords, even the passwords from all my emails etc. But this morning i again get 2 mails. So my questions would be: Does someone else got my new password?
Why there is no official statement from Zos?

OnnuK

I got same russian email. They try to login the game from game client. It is exactly same "Elder Scrolls Online - Login From Unknown IP Address" email when you try to login using game client.

The password is not easy to guess and not used elsewhere.
In order to receive this email they must know the password. I tried, even you use a fake password the system sends the email.
So is there a data breach?

[UPDATE ]Looks like it is just brute-force method. They only use our ESO ID for login name, and try to guess password. So I think It is good the system uses 2FA and emails even with the fake password.

rpa

They are likely investigating if/why the mails are being sent out from their system. And will not make a statement until they have figured out what is going on.
I guess (with no way to know) someone is has collected a lot of account @names and is trying dictionary attack. Nothing to worry unless your password is in a most used passwords list.
If people still use as bad passwords as in last millenium when I last checked /etc/password against such list attackers will find password of some users. Even if attacker can't log in game, people who use bad passwords tend to use same name + password in several places...

BretonMage

OnnuK wrote: »

I got same russian email. They try to login the game from game client. It is exactly same "Elder Scrolls Online - Login From Unknown IP Address" email when you try to login using game client.

The password is not easy to guess and not used elsewhere.
In order to receive this email they must know the password. I tried, even you use a fake password the system sends the email.
So is there a data breach?

[UPDATE ]Looks like it is just brute-force method. They only use our ESO ID for login name, and try to guess password. So I think It is good the system uses 2FA and emails even with the fake password.

I took the opportunity to update my password. I wonder if those who log in through Steam are similarly at risk of attack.

HansK

Lot of guessing going on what could be the problem or has happened, all legit. Only way to know for sure is if ZOS makes a clear statement about this, and IMHO they need to. Can we expect that @ZOS_GinaBruno @ZOS_KaiSchober @ZOS_JessicaFolsom ?

ApoAlaia

I still think that having the login ID broadcasted to the entire server is an avoidable risk.

The IGN and the login ID should never had been one and the same.

In Fallout 76 they did correct this oversight some time after release and enabled users to dissociate the IGN from the login ID.

Not sure why ZOS did not follow suit with ESO.

Alcast

ApoAlaia wrote: »

I still think that having the login ID broadcasted to the entire server is an avoidable risk.

The IGN and the login ID should never had been one and the same.

In Fallout 76 they did correct this oversight some time after release and enabled users to dissociate the IGN from the login ID.

Not sure why ZOS did not follow suit with ESO.

Different company, I don't think they have anything to do with each other (except share the same publisher). Though indeed it would be wise to also get this up to standards.

We also know a while ago ZOS used to turn of the email verification during events, not sure if that is still the case though https://forums.elderscrollsonline.com/en/discussion/602650/your-eso-account-is-less-secure-during-free-to-play-events

ghost_bg_ESO

OnnuK wrote: »

I got same russian email. They try to login the game from game client. It is exactly same "Elder Scrolls Online - Login From Unknown IP Address" email when you try to login using game client.

The password is not easy to guess and not used elsewhere.
In order to receive this email they must know the password. I tried, even you use a fake password the system sends the email.
So is there a data breach?

[UPDATE ]Looks like it is just brute-force method. They only use our ESO ID for login name, and try to guess password. So I think It is good the system uses 2FA and emails even with the fake password.

noticed the same trying to log in on pc one of my stadia accounts - entered couple different passwords and every time received email (at the end turns out account didn't received free copy)

SubSidal

Update: Changed password and again and still keep getting these emails. I can't really report them as spam cause they come from ZoS.

Treeshka

I am pretty sure there is something wrong here. I logged in today just fine after reinstalling Windows on my computer. But on my second attempt made a typo in password and got asked this code enter prompt. Well checked my mail and entered the code, but then it said wrong password.

Then logged in just fine after typing my password correct. It is just strange that this incident occurred over wrong credentials.

FeedbackOnly

Yeah password was guessed.

Llynya

Yes, it looks like it. I've got one mail yesterday morning and another one last night - without changing my password for the account in-between.