The Scribes of Fate DLC and Update 37 base game patch are now available to test on the PTS! You can read the latest patch notes here: https://forums.elderscrollsonline.com/en/categories/pts
Maintenance for the week of February 6:
· [COMPLETE] EU megaservers for maintenance – February 7, 9:00 UTC (4:00AM EST) - 17:00 UTC (12:00PM EST)
· NA megaservers for patch maintenance – February 9, 4:00AM EST (9:00 UTC) - 10:00AM EST (15:00 UTC) https://forums.elderscrollsonline.com/en/discussion/627149/
· EU megaservers for patch maintenance – February 9, 9:00 UTC (4:00AM EST) - 15:00 UTC (10:00AM EST) https://forums.elderscrollsonline.com/en/discussion/627149/

Anyone else receive unsolicited emails with access codes in Russian language?

ProudMary
ProudMary
✭✭✭✭
This morning I opened my email and had received, unsolicited, two different access codes for Elder Scrolls Online. They both came from "[email protected]" supposedly. The emails are both in the Russian language, so I can't read them. This seems highly suspicious to me. Needless to say I'm not likely to use these access codes because I didn't pay for them or ask for them, and I don't know what they are access codes for.

Did ZOS get hacked or something? Anyone else get these unsolicited access codes? I've never had something like this happen before. Anyone know what's going on here?

@ZOS_Kevin



Edited by ZOS_JessicaFolsom on January 18, 2023 10:15PM
  • Djennku
    Djennku
    ✭✭✭✭
    Sounds like a scam. They are common and happen everywhere. Whatever you do, do not click the links.
  • Maitsukas
    Maitsukas
    ✭✭✭✭
    Just in case, log into the Character Selection and check if you still have your email address linked to your account under Settings -> Account. If it was changed, you can get it back in the same screen and make sure to update your password on the ESO Website.

    I went through the same situation back in 2021, when I discovered my character in Auridon after leaving him in Deshaan the day before. Luckily nothing of value appeared to be lost for me.
    Call me Mait
  • davidtk
    davidtk
    ✭✭✭✭
    ProudMary wrote: »
    The emails are both in the Russian language, so I can't read them. This seems highly suspicious to me.

    You can use google translate anytime.

    Btw i got this email today too. In russian.
    So just some account thieves are on the scene again?

    @ZOS_GinaBruno @ZOS_Kevin
    Why is the IP address of the login request not mentioned in the security email? If we knew the IP, we could write you a report that someone is trying to steal the account.
    Edited by davidtk on January 17, 2023 11:02AM
    Really sorry for my english
  • Syldras
    Syldras
    ✭✭✭✭✭
    ✭✭✭
    Maitsukas wrote: »
    Just in case, log into the Character Selection and check if you still have your email address linked to your account under Settings -> Account. If it was changed, you can get it back in the same screen and make sure to update your password on the ESO Website.
    I went through the same situation back in 2021, when I discovered my character in Auridon after leaving him in Deshaan the day before. Luckily nothing of value appeared to be lost for me.

    I'm wondering: Did you find clear proof that someone had access to your account or were you just checking because of that occurrance? It's not completely clear from the wording.

    I'm asking because I had a few minor cases of logging in at a different spot than I had logged out at last year or so. But it only happened within a zone, logging out inside a delve, finding myself outside the delve when logging in the next day. Same with the thieves den, logged out inside, logged in outside of it. But not every time, completely irregularly. As I heard that the same thing happened to others and there were no changes to my account (at least I didn't see anything, but I changed my password just in case), I thought it might be some server update issue?
    @Syldras | PC | EU
    The forceful expression of will gives true honor to the Ancestors.
    Sarayn Andrethi, Telvanni mage (Main)
    Darvasa Andrethi, his "I'm NOT a Necromancer!" sister
    Malacar Sunavarlas, Altmer Ayleid vampire
  • davidtk
    davidtk
    ✭✭✭✭
    Usually a character will move to the last non-DLC safe zone if they log out where they can't reload. Something else is a crash.

    Anyway, the Russian email seems to be either a good scam or someone cracked my password (I don't think so), but I assume that after a few failed attempts, access is blocked?
    Really sorry for my english
  • davidtk
    davidtk
    ✭✭✭✭
    Djennku wrote: »
    Sounds like a scam. They are common and happen everywhere. Whatever you do, do not click the links.

    Usually the links point to strange addresses, which one can clearly see in the status bar, but here in this email everything points to the correct addresses.
    So, it's all the weirder
    k0wftnvdc4jl.jpg
    Edited by davidtk on January 17, 2023 11:23AM
    Really sorry for my english
  • SPR_of_HA_community
    SPR_of_HA_community
    ✭✭✭✭
    davidtk wrote: »
    Djennku wrote: »
    Sounds like a scam. They are common and happen everywhere. Whatever you do, do not click the links.

    Usually the links point to strange addresses, which one can clearly see in the status bar, but here in this email everything points to the correct addresses.
    So, it's all the weirder
    k0wftnvdc4jl.jpg

    Based on text you post - may be some one try to change your password or some data.
  • davidtk
    davidtk
    ✭✭✭✭
    davidtk wrote: »
    Djennku wrote: »
    Sounds like a scam. They are common and happen everywhere. Whatever you do, do not click the links.

    Usually the links point to strange addresses, which one can clearly see in the status bar, but here in this email everything points to the correct addresses.
    So, it's all the weirder
    k0wftnvdc4jl.jpg

    Based on text you post - may be some one try to change your password or some data.

    Yea but first they musr crack my passwrd. So if they cracked it there is rly problem with account security @ZOS_Kevin because I don't have short easy password...

    Anyway I can't even chage it because account system is under maintenence lol
    Edited by davidtk on January 17, 2023 11:34AM
    Really sorry for my english
  • SPR_of_HA_community
    SPR_of_HA_community
    ✭✭✭✭
    davidtk wrote: »
    davidtk wrote: »
    Djennku wrote: »
    Sounds like a scam. They are common and happen everywhere. Whatever you do, do not click the links.

    Usually the links point to strange addresses, which one can clearly see in the status bar, but here in this email everything points to the correct addresses.
    So, it's all the weirder
    k0wftnvdc4jl.jpg

    Based on text you post - may be some one try to change your password or some data.

    Yea but first they musr crack my passwrd. So if they cracked it there is rly problem with account security @ZOS_Kevin because I don't have short easy password...

    Anyway I can't even chage it because account system is under maintenence lol

    It looks more like they may be try to restore your password by "forgot password" option, so after they may be try to change it system send you email like - confirm change of data.

    May be I am wrong, but it can be fishing scheme like that.

    Some thing like that is popular in our country, but such people try to say some thing like - we are your operator of mobile or your bank, tell us SMS code ore some thing like that )))

    Some day they phone me and tell me some thing like:
    "Mother, i am in trouble, I need money"
    I get a lot of fun from it, because I am really a man and have no children :)))
    My phone was not registered on my name, so it is really hard to leak any my data I do not want - like that )

    But some times I got some funny calls )))
    Edited by SPR_of_HA_community on January 17, 2023 11:41AM
  • davidtk
    davidtk
    ✭✭✭✭
    davidtk wrote: »
    davidtk wrote: »
    Djennku wrote: »
    Sounds like a scam. They are common and happen everywhere. Whatever you do, do not click the links.

    Usually the links point to strange addresses, which one can clearly see in the status bar, but here in this email everything points to the correct addresses.
    So, it's all the weirder
    k0wftnvdc4jl.jpg

    Based on text you post - may be some one try to change your password or some data.

    Yea but first they musr crack my passwrd. So if they cracked it there is rly problem with account security @ZOS_Kevin because I don't have short easy password...

    Anyway I can't even chage it because account system is under maintenence lol

    It looks more like they may be try to restore your password by "forgot password" option, so after they may be try to change it system send you email like - confirm change of data.

    May be I am wrong, but it can be fishing scheme like that.

    Some thing like that is popular in our country, but such people try to say some thing like - we are your operator of mobile or your bank, tell us SMS code ore some thing like that )))

    Some day they phone me and tell me some thing like:
    "Mother, i am in trouble, I need money"
    I get a lot of fun from it, because I am really a man and have no children :)))
    My phone was not registered on my name, so it is really hard to leak any my data I do not want - like that )

    But some times I got some funny calls )))

    Yea it could be "forgot password" option I agree...

    Heh scams, in our country theres is same....
    You have an unpaid shipment, it cannot be delivered until you pay the postage.

    Your account has been blocked, please verify your identity. And then you look at the logo of that company and fall off your chair laughing XD Because you know that logo is different and then you check the links where you see some igsrigbsdiogosdgbsdvg.com XD
    Edited by davidtk on January 17, 2023 11:46AM
    Really sorry for my english
  • INM
    INM
    ✭✭✭
    I would assume that the language of these emails depends on the client's language. Most likely, someone got your password and is trying to log in. Change your passwords asap, probably those got leaked.
  • Syldras
    Syldras
    ✭✭✭✭✭
    ✭✭✭
    Some day they phone me and tell me some thing like:
    "Mother, i am in trouble, I need money"
    I get a lot of fun from it, because I am really a man and have no children :)))

    One day my neighbour in this house told me that a stranger was ringing at his door while I was away and asked him if he could accept some gift package for some "blonde girl" and pointed at my door why saying that... The thought of a blonde girl hiding somewhere in my appartment (Inside a cavity in the walls? Or inside my wardrobe? Maybe in the laundry basket?) creeps me out :D
    davidtk wrote: »
    Usually a character will move to the last non-DLC safe zone if they log out where they can't reload. Something else is a crash.

    Can't remember if it also occurred somewhere else, but in my case, it happened on Vvardenfell a few times.
    Maitsukas wrote: »
    The zone change was the first thing I noticed back then, I immediately looked into my Outlook inbox to see an unread email from ZOS regarding my ESO Account's email address being changed from my hotmail.com to an unknown Indian email address. The IP address where this change occurred was attached with the ZOS email I received as well, which listed random places in Ukraine.

    How awful. But at least ZOS does send a warning in such cases, it seems, which is at least a bit reassuring.


    @Syldras | PC | EU
    The forceful expression of will gives true honor to the Ancestors.
    Sarayn Andrethi, Telvanni mage (Main)
    Darvasa Andrethi, his "I'm NOT a Necromancer!" sister
    Malacar Sunavarlas, Altmer Ayleid vampire
  • davidtk
    davidtk
    ✭✭✭✭
    INM wrote: »
    I would assume that the language of these emails depends on the client's language. Most likely, someone got your password and is trying to log in. Change your passwords asap, probably those got leaked.

    We would like to change it but...
    m7pcib1b6rt9.jpg
    lol
    Really sorry for my english
  • DinoZavr
    DinoZavr
    ✭✭✭✭✭
    If this could help here is the translation of the mail fragment exposed:

    cut here ----
    If that was not you, who attempted logging in, ignore this letter.
    If you are not sure about your account security you can reset your password.
    We recommend regular chaning your password to keep your account secure.
    Don't forget to log out if you used someones' else computer!
    If you have questions regarding this e-mail, (please,) visit out support page and we will be glad to help you help.elderscrollsonline.com
    Best regards
    Elder Scrolls Online team.
    cut here ----

    Bolded by me: letter confirms the login attempt (not necessarily successful), this simply means your @UserID was used (@UserID is highly visible ingame), so most logical assumption is that some robot/newbie-hacker attempted a dictionary attack against all the @UserIDs they have collected.
    or your @UserID was remembered at someone else's computer (and box owner entered theirs password not noticing wrong UserID)
    or some other gamer targeted your @UserID to crack your password
    In the case of successful password guess you should receive one more e-mail to authorize the usage of the new client device.

    non-relevant: Italics by me: i expected "please" (which was omitted) in this invitation to open a support ticket, but, as Zeni probably thinks Russians do not deserve any politeness.

    I'd suggest to ignore this mail and if your password is shorter that 11..12 characters or it is a dictionary word - to set up a new strong and reliable password. 16 characters non-dictionary including uppercase lowercase numeric and special characters is a good idea. Do not store it on electronic media.

    edit:
    Cracker is not necessarily Russian, they could use VPN resulting in Russia geo-IP address and/or Russian localized windows OS regardless where they were actually located.

    Also: NEVER follow the links in any mail when you suspect fishing. This could be pharming attack - link leading to a malicious site to intercept your login and password!
    Edited by DinoZavr on January 17, 2023 12:52PM
    PC EU
  • BretonMage
    BretonMage
    ✭✭✭✭✭
    It must be pretty widespread, I've seen people talking about it both on Reddit and in zone chat... I haven't received anything myself.
  • davidtk
    davidtk
    ✭✭✭✭
    @ZOS_GinaBruno Thank you very much but have a question... How many attempts are allowed for account lock or there is no other security than this code for new device???
    Really sorry for my english
  • davidtk
    davidtk
    ✭✭✭✭
    Account system is still under maintenence, can we get an eta? It should already running, I wanted change my password asap.
    Really sorry for my english
  • Holycannoli
    Holycannoli
    ✭✭✭✭✭
    ✭✭
    This has me spooked. No suspicious emails yet but I did have an account hacked in 2009 WoW. No idea how it was done.

    But security wasn't the same then either.
  • ProudMary
    ProudMary
    ✭✭✭✭
    davidtk wrote: »
    Djennku wrote: »
    Sounds like a scam. They are common and happen everywhere. Whatever you do, do not click the links.

    Usually the links point to strange addresses, which one can clearly see in the status bar, but here in this email everything points to the correct addresses.
    So, it's all the weirder
    k0wftnvdc4jl.jpg

    That is exactly like the emails I got. Thank you for posting a pic of them.

    I'm still able to log into my account and play just fine. I don't think my personal password has been compromised, but I will likely change it anyway. I still have all my gold and all my materials as far as I can tell.

    It seem pretty obvious that individual accounts were not hacked. But rather someone got into the ZOS database and copied a bunch of account email addresses and that this is a phishing scam using those email addresses.

    A lot of people are getting these emails. Let's hope ZOS updates their security on their databases so this doesn't happen again.

    Edited by ProudMary on January 17, 2023 3:59PM
  • davidtk
    davidtk
    ✭✭✭✭
    I am just curious why eso don't have any two phase security... Blizz have authenticator, Steam have authenticator...
    We have security code mail and no information how many attempts you have before your account will be locked due to bad password...
    @ZOS_GinaBruno @ZOS_Kevin
    Edited by davidtk on January 17, 2023 3:49PM
    Really sorry for my english
  • Manadh
    Manadh
    Soul Shriven
    Got a couple of these e-mails as well. One thing I noticed though, was that they are using an older template. When I tried to log in myself, the e-mail background and code format were different than of those two.
  • ProudMary
    ProudMary
    ✭✭✭✭
    Actually, I'm not going to change my password due to these emails. It seems like a trick to get people to log into a database someone other than ZOS now has access to and the people changing their information might be the victims. So I'm not taking any action as a result of these emails, not yet anyway.

    I'm going to wait to hear back from ZOS to tell us the coast is clear, their database is safe and secure, then I'll update my account information.
  • davidtk
    davidtk
    ✭✭✭✭
    I changed password right now. Just hoping that wasn't any mistake lol
    Really sorry for my english
  • belial5221_ESO
    belial5221_ESO
    ✭✭✭✭
    I recieved one,never even opened it,knowing it is a scam,and just tried logging into game.They jsut spam lots of generated emails hoping ppl open and click.Opening them lets them know it's a real address,cause they hide clear gifs and stuff,it's how they test,unless you got a sandbos or in spam folder where they disable all images,links,etc.
  • ProudMary
    ProudMary
    ✭✭✭✭
    Lephrel wrote: »
    Hi everyone, if you received one of these emails, please submit a ticket with Support and provide the details. You can choose the "Account Recovery" category. Thank you!
    @ZOS_GinaBruno Did account passwords get leaked though? Do you have any infos on that, as it would be a major problem.

    We definitely need an official announcement from ZOS regarding this data breach. What all info was compromised? And what should the player response be?
    Edited by ProudMary on January 17, 2023 4:13PM
  • Konstanz
    Konstanz
    I got 5 emails total, from about 12 hours last night. I logged in from a secure connection from the website itself to check. Everything seems fine. what I want to know is how they got to the recovery screen since they would need to know the login name in the game. Being that my twitch, Xbox, and other platforms are connected to ZoS and the website, this worries me greatly.

    Hopefully, someone will take a serious dive into this now that the holiday is over and we can see if the database was actually breached.

    MissK
This discussion has been closed.