PSA: STRENGTHEN YOUR PASSWORD

aRealClassAct
Hello!

So last night as I was playing my funderful Nord Templar, I got kicked off saying someone had logged on my account. Before I could react in time to any of this the hacker had changed the name on my account (to Yang Lin) and changed my credentials, locking me out of my own account.

Yes, my password was very simple. I have checked my computer for keyloggers and found nothing. After finding nothing I changed the password associated with my email address. Before all this though, I noticed a few issues with Zenimax's authentication process that very well may have contributed to my being hacked (in addition to my silly password, of course).

Upon noticing I was being hacked, I was able to log in to my account on the ESO site before I was kicked out. I then changed my password to something else and logged back into the client, already seeing a spam bot had been created on my account (which I promptly deleted). Following this, I started cleaning out my history and cache as well as searching for a possible keylogger on my system. I noticed on the ESO site just as I was clearing my cache (which I believe was my downfall as it logged me out of ESO's website) that the name on my account had been changed to "Yang Lin".

What have I learned from this besides the fact that my passwords need to be better? Well, here is a list:

1. Multiple people can be logged into the same account on the ESO website. My changing the password on my account did not kick the hacker out and make him re-authenticate, just as it did not kick me out to re-authenticate when he changed the password again (my silly decision to clear my web info kicked me out).

2. Since then, I have tried logging in with the hacker's credentials (he is still using my email, and I was able to get the first and last name required to begin the forgot password process). I noticed that there is NO LIMIT to the amount of times I can guess at the security question the hacker changed on my account for "What is my favorite Cartoon character?" Anyone know any popular Chinese cartoon characters? :wink:

3. There is also NO LIMIT on the amount of times I can guess at the password on my account. This means with just your account name, which is most likely the same as your account here on the forums (therefore not very private at all), a hacker can run a brute force operation and guess at your password indefinitely until they do gain access to your account.

This service at the moment is VERY susceptible to brute force attacks, and I encourage all of you to increase your password strength to avoid ending up locked out of your own account while some Chinese hustler peddles gold in zone chat using your credentials. Zenimax, PLEASE improve the security of your login system, and I seriously hope that an authenticator is in the works. As of now, I am 95% sure that I was brute forced, but the 5% that says I might have a keylogger (despite having verified all of my running processes and the integrity of my system files) scares the S*** out of me!

Now I am off to work, hopefully my account will be back in my hands when I get off! *fingers crossed*

EDIT: Yes, my password for my email was very similar to the one on my ESO account, which brings up another point that I've always taken for granted... Don't use the same password!!!
Edited by aRealClassAct on April 22, 2014 4:17PM
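The two gaps the post lists, unlimited password guesses and a password change that leaves other sessions logged in, are what a server-side account guard closes. The following is an added example written for this thread, not ESO's or Zenimax's code; the account names, session ids, the 5-attempt/15-minute policy and the PBKDF2 parameters are constructed assumptions:

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5           # constructed policy: lock the account after 5 bad guesses
LOCKOUT_SECONDS = 15 * 60  # constructed policy: 15-minute lockout

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the digest."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Dummy credential for unknown accounts: a failed login then costs the same time
# whether or not the account exists, so timing does not reveal valid usernames.
_DUMMY = hash_password("dummy", b"\x00" * 16)

class AccountGuard:
    """Per-account lockout on failed logins plus session revocation on password change."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable so lockouts can be tested
        self.credentials = {}               # account -> (salt, digest)
        self.failures = defaultdict(int)    # account -> consecutive failed guesses
        self.locked_until = {}              # account -> clock value when lockout ends
        self.sessions = defaultdict(set)    # account -> live session ids

    def register(self, account, password):
        self.credentials[account] = hash_password(password)

    def login(self, account, password, session_id):
        """Return 'locked', 'denied' or 'ok'; the guess counter resets on success."""
        if self.clock() < self.locked_until.get(account, float("-inf")):
            return "locked"  # refused before the password is even checked
        salt, stored = self.credentials.get(account, _DUMMY)
        _, candidate = hash_password(password, salt)
        if account in self.credentials and hmac.compare_digest(candidate, stored):
            self.failures.pop(account, None)
            self.sessions[account].add(session_id)
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            self.failures.pop(account, None)
        return "denied"

    def change_password(self, account, session_id, new_password):
        """Only a live session may change the password; every other session is revoked."""
        if session_id not in self.sessions[account]:
            return False
        self.credentials[account] = hash_password(new_password)
        self.sessions[account] = {session_id}
        return True
```

A fixed lockout is the simplest form; a real deployment would also throttle per source address and alert the account owner, as the thread's replies about notification e-mails suggest.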
  • babylon
    Doesn't changing the password or email on your account send an email to the email address associated with that account?
  • Foxhunt
    I really hope everything works out for you in the end. I feel I have a strong password. A few years back, I looked away from the keyboard and hit random keys while Notepad was open. I memorized those random keys and added a few numbers at the end, so I feel my password is pretty strong (14 characters).
    Edited by Foxhunt on April 22, 2014 4:15PM
  • flamecloud
    Yes it does.
  • BaKaNoOB
    Wish you luck. Keep your e-mail and ESO passwords different, and also use strong passwords at least 12 symbols long: some CAPS, some digits and some special characters. For example (aReal^ClassAct&123) is an example of a good pass (do not use your username for this, it is an example).
    PS. Sorry for the bad English.
    Edited by BaKaNoOB on April 22, 2014 3:48PM
  • GreasedLizard
    Ya ... but they never changed the pword. Just rainbow table'd it lol
  • AlexDougherty
    Thanks for the warning, changed my security question to something harder to guess, already had a reasonably hard password.

    Mind you short of memorising a random selection of symbols no password will ever be flawless. And I'm not going to memorise a ten plus character random string of characters.
  • Laerian
    Yeah, maybe he can brute force the TESO site; the question is how the hacker skipped the unknown IP code protection.

    For this, a hacker needs to take the control of the email tied to the account.

    This is fishy, very fishy.
  • Mace
    Hopefully the spam bot character the guy created doesn't get you banned.
  • aRealClassAct
    babylon wrote: »
    Doesn't changing the password or email on your account send an email to the email address associated with that account?

    It does; however, my silly ass has been using the same email (and a very similar password to the one that was compromised) for a good ten years now. I was able to change my email password, but not before the hacker gained access.

    Regardless of this though, the fact remains that there is no limit at all to the amount of times someone can guess at your password. Hopefully this is improved on to cut back on instances such as mine.

  • aRealClassAct
    Laerian wrote: »
    Yeah, maybe he can brute force the TESO site; the question is how the hacker skipped the unknown IP code protection.

    For this, a hacker needs to take the control of the email tied to the account.

    This is fishy, very fishy.

    Yeah, I will edit my main post to include that he did in fact do just that :/
  • aRealClassAct
    Mace wrote: »
    Hopefully the spam bot character the guy created doesn't get you banned.

    Haha, I already have a very good feeling my account will be restored only to be banned a week down the road from the restoration xD Time will tell.
  • Saerydoth
    Sounds to me like the security issue was on your end. The reason they were able to access the game is because they had access to your email account. Also, brute force attacks don't happen in the real world, only in Hollywood. All of the "hacking" nowadays uses either malware (keyloggers) or social engineering.

    No reason at all to try to "brute force" someone's password when you can get them to give you the password without realizing it, or just put a keylogger on their computer to grab it yourself. Or, get access to your email account and then just reset the password.
    Edited by Saerydoth on April 22, 2014 4:15PM
  • Sakiri
    I've already gotten an email stating someone tried to get my ESO password reset.

    Honestly, 3 attempts, lock out. Require support call.
  • Laerrus
    Thanks for the warning, changed my security question to something harder to guess, already had a reasonably hard password.

    Mind you short of memorising a random selection of symbols no password will ever be flawless. And I'm not going to memorise a ten plus character random string of characters.

    It's actually not that difficult to memorize a complex password, my current password is over 10 characters.

    When I first create a new one, I usually hand write it out and keep it hidden in a safe place until I have it fully ingrained in my memory.

  • aRealClassAct
    Saerydoth wrote: »
    Sounds to me like the security issue was on your end. The reason they were able to access the game is because they had access to your email account. Also, brute force attacks don't happen in the real world, only in Hollywood. All of the "hacking" nowadays uses either malware (keyloggers) or social engineering.

    No reason at all to try to "brute force" someone's password when you can get them to give you the password without realizing it, or just put a keylogger on their computer to grab it yourself. Or, get access to your email account and then just reset the password.

    Yes, I have acknowledged my faults and warned others against them, but that doesn't change the circumstances under which my account was taken.

    Brute force doesn't happen because it isn't nearly as effective since the invention of CAPTCHA. You think that a Chinese gold selling company who has access to all of our usernames and infinite passwords to automatically run against each username isn't going to utilize that tool? Sure, they will still be phishing and keylogging, but people will use whatever they have to use assuming the target system is vulnerable to it. Currently, without the use of CAPTCHA or account timeouts due to failed logins, this system is very vulnerable to it.
    Edited by aRealClassAct on April 22, 2014 4:22PM
  • aRealClassAct
    Mind you short of memorising a random selection of symbols no password will ever be flawless. And I'm not going to memorise a ten plus character random string of characters.

    7h0ugh i7 i5 b3c0m1ng m0r3 p0pul4r, c0nv3r71ng y0ur curren7 pa55w0rd 2 s0m3 f0rm of 1337 5p33k i5 n07 a b4d w4y 2 1mpr0v3 s3cur17y 4nd st177 r3m3mb3r y0ur p455w0rd!

    I'm sorry, it hurts my eyes too!
    Edited by aRealClassAct on April 22, 2014 4:26PM
  • nekrosis258
    Yang Lin is probably a Chinese hacker. They always hack an abandoned game database that is unprotected, and when they see your user name and password you know what happens next.... (people always use the same account name and the same password). I am not a hacker btw but I know lol
  • aRealClassAct
    Yang Lin is probably a Chinese hacker. They always hack an abandoned game database that is unprotected, and when they see your user name and password you know what happens next.... (people always use the same account name and the same password). I am not a hacker btw but I know lol

    Yeah, I didn't have the same password as username, but it was very guessable if someone had a large password list and infinite time to try the list :neutral_face:

  • Vordar
    By any chance, did you use the same password in other games?

    I ask you this because multiple games have been hacked over the years, including all services in Battle.net, Rift, SOE, Aion, GW and others.

    A lot of people use the same passwords in different games (which is always a bad idea) so the hackers don't really need to brute force anything, they just go over their old hack records and try them.
  • nekrosis258
    Yang Lin is probably a Chinese hacker. They always hack an abandoned game database that is unprotected, and when they see your user name and password you know what happens next.... (people always use the same account name and the same password). I am not a hacker btw but I know lol

    Yeah, I didn't have the same password as username, but it was very guessable if someone had a large password list and infinite time to try the list :neutral_face:

    I mean they have your username and password from another game.
  • aRealClassAct
    Vordar wrote: »
    By any chance, did you use the same password in other games?

    That's a good point, and yes I did, but I had never been hacked on any other games to my knowledge. For as long as I've had this password, though, it was bound to happen at some point.
  • Sakiri
    They also take fansite and guild host website databases.
  • Vordar
    Vordar wrote: »
    By any chance, did you use the same password in other games?

    That's a good point, and yes I did, but I had never been hacked on any other games to my knowledge. For as long as I've had this password, though, it was bound to happen at some point.

    No, you haven't been hacked; the companies have been hacked, in fact. Most of them just try to sweep this fact under the rug, but you know the Internet and all, the old skeletons in the closet come out.

    Sony a few years ago admitted to having been hacked and prompted people to change their passwords, Battle.net got hacked when Diablo 3 came out, and Trion Worlds got hacked and even lost credit card info when Rift came out. And those are just 3 examples right off the top of my head.
  • Laerian
    Saerydoth wrote: »
    Also, brute force attacks don't happen in the real world, only in Hollywood.

    Ever heard of pron password sites?
    Laerian wrote: »
    Yeah, maybe he can brute force the TESO site; the question is how the hacker skipped the unknown IP code protection.

    For this, a hacker needs to take the control of the email tied to the account.

    This is fishy, very fishy.

    Yeah, I will edit my main post to include that he did in fact do just that :/

    We know that the account "user" is public; the password can be cracked using brute force if you used a common word or a short combination of characters. The question is how he knew the email address.

    Part of the email addresses were public during beta; for example, a user1234@mail.com created a "user1234XX_ESO" default username.

    As far as I know, even when "Allow other members to see your email?" is checked, it is not linked to the account "user". Still, the hacker needs to steal the email.
  • WitchAngel
    Mind you short of memorising a random selection of symbols no password will ever be flawless. And I'm not going to memorise a ten plus character random string of characters.

    7h0ugh i7 i5 b3c0m1ng m0r3 p0pul4r, c0nv3r71ng y0ur curren7 pa55w0rd 2 s0m3 f0rm of 1337 5p33k i5 n07 a b4d w4y 2 1mpr0v3 s3cur17y 4nd st177 r3m3mb3r y0ur p455w0rd!

    I'm sorry, it hurts my eyes too!

    It's much easier to create a long sentence which has meaning to you. Use the first letters of the sentence, change to numbers where possible and add a few capital letters.
  • Saerydoth
    Saerydoth wrote: »
    Sounds to me like the security issue was on your end. The reason they were able to access the game is because they had access to your email account. Also, brute force attacks don't happen in the real world, only in Hollywood. All of the "hacking" nowadays uses either malware (keyloggers) or social engineering.

    No reason at all to try to "brute force" someone's password when you can get them to give you the password without realizing it, or just put a keylogger on their computer to grab it yourself. Or, get access to your email account and then just reset the password.

    Yes, I have acknowledged my faults and warned others against them, but that doesn't change the circumstances under which my account was taken.

    Brute force doesn't happen because it isn't nearly as effective since the invention of CAPTCHA. You think that a Chinese gold selling company who has access to all of our usernames and infinite passwords to automatically run against each username isn't going to utilize that tool? Sure, they will still be phishing and keylogging, but people will use whatever they have to use assuming the target system is vulnerable to it. Currently, without the use of CAPTCHA or account timeouts due to failed logins, this system is very vulnerable to it.

    I'll just leave this here.

    http://xkcd.com/936/
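Whether leet-speak (quoted above), WitchAngel's sentence-initials method or the xkcd 936 word list helps depends on how many guesses each scheme forces on an attacker who knows the scheme. The following added example (not from the thread) models the schemes in bits; the 100,000-word dictionary, the 2048-word list and the 1000 guesses/second unthrottled online rate are constructed assumptions, and the random-character line is only an upper bound for sentence initials, since initial letters are not uniformly distributed:

```python
import math
import string

# Model: an attacker who knows the scheme guesses over its whole space, so
# strength is log2(number of possibilities) in bits.
LEET_MAP = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5", "t": "7"}
PRINTABLE = string.printable.strip()   # the 94 non-whitespace printable ASCII chars
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_chars_bits(length, alphabet=PRINTABLE):
    """Uniformly random characters: log2(|alphabet|) bits each."""
    return length * math.log2(len(alphabet))


def passphrase_bits(words, wordlist_size):
    """Random words from a public list (the xkcd 936 scheme): log2(list size) per word."""
    return words * math.log2(wordlist_size)


def leet_word_bits(word, dictionary_size):
    """A dictionary word with optional leet substitutions. The word is one of
    dictionary_size choices, and each substitutable letter adds at most one bit
    (substituted or not), because the attacker is assumed to know LEET_MAP."""
    substitutable = sum(1 for ch in word.lower() if ch in LEET_MAP)
    return math.log2(dictionary_size) + substitutable


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole space at a steady guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second=1000):
    """Bits of strength and worst-case years for the schemes from the thread at an
    unthrottled online guess rate (constructed figure, not a measured one)."""
    schemes = {
        "dictionary word with leet substitutions": leet_word_bits("password", 100_000),
        "4 random words from a 2048-word list": passphrase_bits(4, 2048),
        "11 random printable characters": random_chars_bits(11),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in schemes.items()}
```

The point of the numbers is that the leet-substituted word falls in minutes at an unthrottled online rate, while a lockout like the one proposed above cuts the rate by orders of magnitude for every scheme.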
  • aRealClassAct
    Wow.... Zenimax phone support is absolutely horrendous!

    After being on hold for ~40 mins, some guy just says "hello?" He had slurred speech and didn't say anything about working for Zenimax or Elder Scrolls, just started asking me for information and then my bank account info?? Then he transferred me to a supervisor who I could actually understand, who also kept asking about my bank info and the amount in my account. I had to explain to him 3 times that I was calling because my account was hacked; then, after I explained what I meant by "account hacked", he put me on hold for 10 minutes. Then he came back and said he would forward the issue to "the floor" because he can't handle that. I asked to speak with someone who can handle it and he said that department is internal and there is no way for me to speak to anyone who can help me get my account back. I don't know who they outsourced the customer support to, but I will definitely try and stick to email support from now on.
    Edited by aRealClassAct on April 22, 2014 5:37PM
  • Daverios
    Your email was hacked, not ESO, by the looks of it. You are pointing the finger in the wrong direction.

    Quick advice: always create a new email account for each game account. Write it down on paper... unless you think someone will break into your house to hack ESO.