Anyone else receive unsolicited emails with access codes in Russian language?

Raikiki

Your passwords are safe. Kai Schober just made a statement on the german thread.
This emails will be also send when they put in incorrect passwords.
https://forums.elderscrollsonline.com/de/discussion/625636/russische-e-mails-wegen-otp-weil-sich-versucht-wird-auf-account-einzuloggen

FeedbackOnly

Checked Gmail, Hotmail, even poor security Yahoo

I had 3 stadia accounts, still 3 normal accounts, got steam, twitch, Amazon, Xbox linked

No Russian emails here

Getting Russia emails means zos security did job and stopped them as they know your password. There's many ways you could of lost and

ProudMary

HansK wrote: »

Lot of guessing going on what could be the problem or has happened, all legit. Only way to know for sure is if ZOS makes a clear statement about this, and IMHO they need to. Can we expect that @ZOS_GinaBruno @ZOS_KaiSchober @ZOS_JessicaFolsom ?

I've received 5 more of these emails, all in the Russian language. They appear to be coming from ZOS automatically somehow, but why the heck are they in Russian?

It's past time we got an official announcement from ZOS explaining exactly what is going on here.

@ZOS_Kevin @ZOS_BrianWheeler @ZOS_GinaBruno


Also, I have not changed my account password or used the account login page. I'm confident my individual password has not been guessed or compromised. What's going on with the ZOS database? If this isn't a scam or some sort of phishing expedition, then what is going on here?

ZOS really, really needs to let us know what's going on here.

ProudMary

Raikiki wrote: »

Your passwords are safe. Kai Schober just made a statement on the german thread.
This emails will be also send when they put in incorrect passwords.
https://forums.elderscrollsonline.com/de/discussion/625636/russische-e-mails-wegen-otp-weil-sich-versucht-wird-auf-account-einzuloggen

Nice, but I'm not any more fluent in German than I am in Russian. Where is the announcement in English on this forum?

Balastar

Here is translation of Kai Schober's post in:
https://forums.elderscrollsonline.com/de/discussion/625636/russische-e-mails-wegen-otp-weil-sich-versucht-wird-auf-account-einzuloggen

Hello,

again to explain: At the moment a number of players are receiving official emails in Russian with a one-time password required when logging in from an unknown IP address.
These emails are triggered when someone uses your account name; the correct password does not necessarily have to be known.
The emails are in Russian because a Russian-speaking client was used when trying to log in.
Our databases have not been compromised, and since the LastPass hack last month I am not aware of any other major database breaches that could contain any of our passwords. Unfortunately, you can simply copy the account name required for the login attempt, which then triggers the e-mail to your correct address, in the game.

tl;dr: At the moment we don't see any threat to your accounts, of course we are keeping an eye on the situation and investigating how to prevent spam and the "wrong" language in the future.

As always, it makes sense to renew your passwords from time to time and to use a different password for each site and each account.

G1Countdown

With something as significant as a possible data breach apparently affecting many players I would expect more of a response in this thread than ‘submit a ticket.’ It sounds like at the least a large list of account @names were released. I am grossly disappointed in the official response. The correct response in my mind would have been along the lines of ‘we are looking into this now. And we will respond when we have more information.’ And then, I would actually expect that response with their findings.

FeedbackOnly

G1Countdown wrote: »

With something as significant as a possible data breach apparently affecting many players I would expect more of a response in this thread than ‘submit a ticket.’ It sounds like at the least a large list of account @names were released. I am grossly disappointed in the official response. The correct response in my mind would have been along the lines of ‘we are looking into this now. And we will respond when we have more information.’ And then, I would actually expect that response with their findings.

Scroll up 1, also not exactly many people

davidtk

I am rly dksappointed that @ZOS_GinaBruno or @ZOS_Kevin just can't say a word here.
I know that eso have several other forums in other language but i thought that there is global forum. So I expect that they will say something here first. But okay that is that better communication. At least someone on different forum said something.

daim

FeedbackOnly wrote: »

G1Countdown wrote: »

With something as significant as a possible data breach apparently affecting many players I would expect more of a response in this thread than ‘submit a ticket.’ It sounds like at the least a large list of account @names were released. I am grossly disappointed in the official response. The correct response in my mind would have been along the lines of ‘we are looking into this now. And we will respond when we have more information.’ And then, I would actually expect that response with their findings.

Scroll up 1, also not exactly many people

Also, you can't know how many people. Not nearly everyone come at the forums to look up if this is an issue.
I'm glad I did, as now I know it's wider issue.

I too got scanned on two of my separate accounts.

Denverson

What causes me the most questions is that I received two completely different letters about a login attempt, with a verification code (one when someone else tried to log in, and the second when I changed the password myself). And not only are they different - BOTH from the same email address, more like hacking servers.
Please note that the first email (on a white background) does not have any logos at the end of the message, while the second email (on a black background) has logos and a little below links to all official social media resources (unfortunately not fit on the screen).
Actually and in the sender, despite the same e-mail addresses, different signatures.

DinoZavr

Now with kind @ZOS_KaiSchober 's explanations we can assume that most likely the issue is:

1. A huge list of @UserIDs collected ingame was made available somewhere
2. Robots with varying IP addresses test passwords for the said @UserIDs against a dictionary
3. Each guessing attempt successful or not – player receives a one-time from the Official ESO site

For the most of it, it looks harmless, but very annoying.
Because of the fact players can not really get rid of these e-mails.
- Blocking sender is a bad idea, as when players ISP changes IP address, or player themselves change password they could not proceed playing because they don’t get the one-time code message, because they had blocked the Official ESO sender.
- Changing e-mail associated with @UserID would not help either as the Official server will use the most recent players e-mail

@ZOS_GinaBruno
@ZOS_Kevin

I have a serious question. Considering the attack is rather harmless and its main purpose is just to annoy players, I believe the real goal is to discredit Russians (as Russian-localized client is used 100% on purpose, regardless where actually these robots are located (there are anonymous VPNs, peering networks like TOR and such)).
I see the attack as reputational war against Russia, though these are hardly the Russian bots performing the said attack and exposing themselves so clearly.
Considering geo-IP, reverse traceroutes, how Zenimax sees what is happening and what measures you plan to take?
Also if Zeni plans to ban all the Russians, because the hackers' intent is clearly to push Zenimax to this measure?

Gina, could you, please, respond to my questions and, if possible, comment on this security incident still unfolding?
Thanks in advance

DinoZavr

@Denverson thank you for detailed info.
Have you checked if links in the "white" e-mail legitimate or fraud?

davidtk

DinoZavr wrote: »

@Denverson thank you for detailed info.
Have you checked if links in the "white" e-mail legitimate or fraud?

@DinoZavr
Fromy my personal experience, that you can find it there on topic, links are valid legitimate links to the eso website.

daim

Syldras wrote: »

SubSidal wrote: »

By all it seems the email is genuine from an attempted login.
I changed my password and a few hours later received another, which means they got the new password too.

Is the email sent out with successful login attempts only or with every kind of login attempt? That makes a big difference.

Was there any official reply to this (I dont read German) ?

As he says that makes a huge difference. Apparently we get the mail also in the case the login fails on unknown device? In this case someone has just collected a pile of game ID's and tries to bot accounts.

But if we get a notification only when both account and psw is correct then it implies there's most likely a breach on ZOS.

Olauron

Denverson wrote: »

What causes me the most questions is that I received two completely different letters about a login attempt, with a verification code (one when someone else tried to log in, and the second when I changed the password myself). And not only are they different - BOTH from the same email address, more like hacking servers.
Please note that the first email (on a white background) does not have any logos at the end of the message, while the second email (on a black background) has logos and a little below links to all official social media resources (unfortunately not fit on the screen).
Actually and in the sender, despite the same e-mail addresses, different signatures.

The white one with just "Elder Scrolls Online" as sender is for "please enter the code below when prompted in game."
The black one with "The Elder Scrolls Online" as sender is for "please enter the code below when prompted on The Elder Scrolls® Online site".

This is correct.

WAMB0

daim wrote: »

Syldras wrote: »

SubSidal wrote: »

By all it seems the email is genuine from an attempted login.
I changed my password and a few hours later received another, which means they got the new password too.

Is the email sent out with successful login attempts only or with every kind of login attempt? That makes a big difference.

Was there any official reply to this (I dont read German) ?

As he says that makes a huge difference. Apparently we get the mail also in the case the login fails on unknown device? In this case someone has just collected a pile of game ID's and tries to bot accounts.

But if we get a notification only when both account and psw is correct then it implies there's most likely a breach on ZOS.

SubSidal just assumed that the mails were only sent with correct credentials and stated his assumption as fact.

There was an official reply and in post 96 this reply got translated.

It confirms that the emails are sent without confirming credentials first.
This means they only need to use your @name, which is super easy to collect (ingame, and via uploaded esologs). No data breach that is likely.

Also ppl pls stop jumping 10 steps ahead as in "ZOS is planning to ban all russians" ... over a few mails?

davidtk

White mail is from the game client
Black mail is from eso account website
All links are legit true not fraud links to the eso website. At least mine mail what I got and posted here.

But there is one thing what is interesting.
I got only one white (game client) mail.
I changed password after account system maintenence yesterday. And didn't recieve any other emails.

DinoZavr

@Olauron thank you for the clarification

Olauron wrote: »

The white one with just "Elder Scrolls Online" as sender is for "please enter the code below when prompted in game."
The black one with "The Elder Scrolls Online" as sender is for "please enter the code below when prompted on The Elder Scrolls® Online site".

what do you think, based on the already known facts, whether we may suppose that the attack itself is mainly a hoax?
(as the victims (legitimate players) are not getting a form to enter a received code?)

ghost_bg_ESO

i've mentioned at previous comment dealing with stadia to pc client this is screenshot of ORIGINAL Zeni email i had received enlish in my case (one can ignore dark part as i'm using dark template wherever i can)



Edit and i have used couple different passwords every time i've got email

daim

WAMB0 wrote: »

daim wrote: »

Syldras wrote: »

SubSidal wrote: »

By all it seems the email is genuine from an attempted login.
I changed my password and a few hours later received another, which means they got the new password too.

Is the email sent out with successful login attempts only or with every kind of login attempt? That makes a big difference.

Was there any official reply to this (I dont read German) ?

As he says that makes a huge difference. Apparently we get the mail also in the case the login fails on unknown device? In this case someone has just collected a pile of game ID's and tries to bot accounts.

But if we get a notification only when both account and psw is correct then it implies there's most likely a breach on ZOS.

SubSidal just assumed that the mails were only sent with correct credentials and stated his assumption as fact.

There was an official reply and in post 96 this reply got translated.

It confirms that the emails are sent without confirming credentials first.
This means they only need to use your @name, which is super easy to collect (ingame, and via uploaded esologs). No data breach that is likely.

Also ppl pls stop jumping 10 steps ahead as in "ZOS is planning to ban all russians" ... over a few mails?

Thanks

All I can say thumbs up to team zos_german . Kinda makes me sad that no one from the team didn't bother to do the post in english as well.

davidtk

As I posted here on my comment with my screenshot

davidtk wrote: »

Here is full email

White email (game client) in russian.
But it was 6 digit code. i found some old (last year) mails when I reinstalled PC, etc.. and all codes was 7 digit codes Just dont know if it matters or not.

DinoZavr

@daim if the current attack is just a hoax, then it should have a purpose, shouldn't it?

ghost_bg_ESO

davidtk wrote: »

As I posted here on my comment with my screenshot

davidtk wrote: »

Here is full email

White email (game client) in russian.
But it was 6 digit code. i found some old (last year) mails when I reinstalled PC, etc.. and all codes was 7 digit codes Just dont know if it matters or not.

last couple emails i've received have 6 and 7 digit codes

Olauron

DinoZavr wrote: »

what do you think, based on the already known facts, whether we may suppose that the attack itself is mainly a hoax?
(as the victims (legitimate players) are not getting a form to enter a received code?)

It depends. I am not sure whether it is possible to disable code e-mail or not (there may be users who decided to do that and they are the target of these attempts). It may be some kind of guild drama, if there is something similar among people who received notifications. The list goes on.

davidtk wrote: »

But it was 6 digit code. i found some old (last year) mails when I reinstalled PC, etc.. and all codes was 7 digit codes Just dont know if it matters or not.

I had 7 digit codes and 8 digit codes from real e-mails, so I find it possible to have 6 digit code from real e-mail.

davidtk

@ghost_bg_ESO and @Olauron
Thank you.
So then I consider my mail as legit true 2fa mail. Because all links inside mail are real.
I dont have this mail anymore but others can check digital signature.

perfiction

Got same email, but my account is linked to Steam (and I can't login without it into the game) so most likely someone wanted to log into https://account.elderscrollsonline.com/

Also it's 2023 and ESO still doesn't support 2FA apps, shame.

davidtk

perfiction wrote: »

Got same email, but my account is linked to Steam (and I can't login without it into the game)

I dont understand this... I have Steam version but I have password for the account so I can login WITHOUT steam without problem and can change password too. Just dont know how I made this before several years. I bought my game through Steam.

perfiction

davidtk wrote: »

perfiction wrote: »

Got same email, but my account is linked to Steam (and I can't login without it into the game)

I dont understand this... I have Steam version but I have password for the account so I can login WITHOUT steam without problem and can change password too. Just dont know how I made this before several years. I bought my game through Steam.

If you bought your game on steam pre 2017 then you can log in using both methods (through steam or with login + password in non-steam launcher). If you bought it post 2017 then your only option is steam authentication.

G1Countdown

FeedbackOnly wrote: »

G1Countdown wrote: »

With something as significant as a possible data breach apparently affecting many players I would expect more of a response in this thread than ‘submit a ticket.’ It sounds like at the least a large list of account @names were released. I am grossly disappointed in the official response. The correct response in my mind would have been along the lines of ‘we are looking into this now. And we will respond when we have more information.’ And then, I would actually expect that response with their findings.

Scroll up 1, also not exactly many people

Explain to me where you have details on "not exactly many people?" What does not exactly mean? One less than exactly? Where are you getting this? If ZOS posted this, then I want a definition of what "not exactly many people" means. If that quote is just from you, then enough from the peanut gallery.

davidtk

perfiction wrote: »

davidtk wrote: »

perfiction wrote: »

Got same email, but my account is linked to Steam (and I can't login without it into the game)

I dont understand this... I have Steam version but I have password for the account so I can login WITHOUT steam without problem and can change password too. Just dont know how I made this before several years. I bought my game through Steam.

If you bought your game on steam pre 2017 then you can log in using both methods (through steam or with login + password in non-steam launcher). If you bought it post 2017 then your only option is steam authentication.

2020 I bought it sooo dont understand. And wife have the same.
Anyway somehow it is possible they changed something or who knows why I can login both methods.