Maintenance for the week of March 25:
• [COMPLETE] ESO Store and Account System for maintenance – March 28, 9:00AM EDT (13:00 UTC) - 12:00PM EDT (16:00 UTC)

Anyone else receive unsolicited emails with access codes in Russian language?

  • Raikiki
    Raikiki
    ✭✭✭
    Your passwords are safe. Kai Schober just made a statement on the german thread.
    This emails will be also send when they put in incorrect passwords.
    https://forums.elderscrollsonline.com/de/discussion/625636/russische-e-mails-wegen-otp-weil-sich-versucht-wird-auf-account-einzuloggen
  • FeedbackOnly
    FeedbackOnly
    ✭✭✭✭✭
    ✭✭
    Checked Gmail, Hotmail, even poor security Yahoo

    I had 3 stadia accounts, still 3 normal accounts, got steam, twitch, Amazon, Xbox linked

    No Russian emails here

    Getting Russia emails means zos security did job and stopped them as they know your password. There's many ways you could of lost and
    Edited by FeedbackOnly on January 18, 2023 3:41PM
  • ProudMary
    ProudMary
    ✭✭✭✭✭
    HansK wrote: »
    Lot of guessing going on what could be the problem or has happened, all legit. Only way to know for sure is if ZOS makes a clear statement about this, and IMHO they need to. Can we expect that @ZOS_GinaBruno @ZOS_KaiSchober @ZOS_JessicaFolsom ?

    I've received 5 more of these emails, all in the Russian language. They appear to be coming from ZOS automatically somehow, but why the heck are they in Russian?

    It's past time we got an official announcement from ZOS explaining exactly what is going on here.

    @ZOS_Kevin @ZOS_BrianWheeler @ZOS_GinaBruno


    Also, I have not changed my account password or used the account login page. I'm confident my individual password has not been guessed or compromised. What's going on with the ZOS database? If this isn't a scam or some sort of phishing expedition, then what is going on here?

    ZOS really, really needs to let us know what's going on here.
    Edited by ProudMary on January 18, 2023 3:49PM
  • ProudMary
    ProudMary
    ✭✭✭✭✭
    Raikiki wrote: »
    Your passwords are safe. Kai Schober just made a statement on the german thread.
    This emails will be also send when they put in incorrect passwords.
    https://forums.elderscrollsonline.com/de/discussion/625636/russische-e-mails-wegen-otp-weil-sich-versucht-wird-auf-account-einzuloggen

    Nice, but I'm not any more fluent in German than I am in Russian. Where is the announcement in English on this forum?
  • Balastar
    Balastar
    ✭✭✭
    Here is translation of Kai Schober's post in:
    https://forums.elderscrollsonline.com/de/discussion/625636/russische-e-mails-wegen-otp-weil-sich-versucht-wird-auf-account-einzuloggen

    Hello,

    again to explain: At the moment a number of players are receiving official emails in Russian with a one-time password required when logging in from an unknown IP address.
    These emails are triggered when someone uses your account name; the correct password does not necessarily have to be known.
    The emails are in Russian because a Russian-speaking client was used when trying to log in.
    Our databases have not been compromised, and since the LastPass hack last month I am not aware of any other major database breaches that could contain any of our passwords. Unfortunately, you can simply copy the account name required for the login attempt, which then triggers the e-mail to your correct address, in the game.

    tl;dr: At the moment we don't see any threat to your accounts, of course we are keeping an eye on the situation and investigating how to prevent spam and the "wrong" language in the future.

    As always, it makes sense to renew your passwords from time to time and to use a different password for each site and each account.
    EU/PC trading guild:
    Traders of the Covenant - Grahtwood - Elden Root - To join, contact ingame @Balastar
  • G1Countdown
    G1Countdown
    ✭✭✭✭✭
    With something as significant as a possible data breach apparently affecting many players I would expect more of a response in this thread than ‘submit a ticket.’ It sounds like at the least a large list of account @names were released. I am grossly disappointed in the official response. The correct response in my mind would have been along the lines of ‘we are looking into this now. And we will respond when we have more information.’ And then, I would actually expect that response with their findings.
    Edited by G1Countdown on January 18, 2023 4:34PM
  • FeedbackOnly
    FeedbackOnly
    ✭✭✭✭✭
    ✭✭
    With something as significant as a possible data breach apparently affecting many players I would expect more of a response in this thread than ‘submit a ticket.’ It sounds like at the least a large list of account @names were released. I am grossly disappointed in the official response. The correct response in my mind would have been along the lines of ‘we are looking into this now. And we will respond when we have more information.’ And then, I would actually expect that response with their findings.

    Scroll up 1, also not exactly many people
    Edited by FeedbackOnly on January 18, 2023 5:02PM
  • davidtk
    davidtk
    ✭✭✭✭
    I am rly dksappointed that @ZOS_GinaBruno or @ZOS_Kevin just can't say a word here.
    I know that eso have several other forums in other language but i thought that there is global forum. So I expect that they will say something here first. But okay that is that better communication. At least someone on different forum said something.
    Really sorry for my english
  • daim
    daim
    ✭✭✭✭✭
    With something as significant as a possible data breach apparently affecting many players I would expect more of a response in this thread than ‘submit a ticket.’ It sounds like at the least a large list of account @names were released. I am grossly disappointed in the official response. The correct response in my mind would have been along the lines of ‘we are looking into this now. And we will respond when we have more information.’ And then, I would actually expect that response with their findings.

    Scroll up 1, also not exactly many people

    Also, you can't know how many people. Not nearly everyone come at the forums to look up if this is an issue.
    I'm glad I did, as now I know it's wider issue.

    I too got scanned on two of my separate accounts.
    ""I am that which grips the heart in fright, hearkens night and silences the light." It was written on my sword, long…long ago." ―Ajunta Pall
    PC|EU
  • Denverson
    Denverson
    ✭✭
    What causes me the most questions is that I received two completely different letters about a login attempt, with a verification code (one when someone else tried to log in, and the second when I changed the password myself). And not only are they different - BOTH from the same email address, more like hacking servers.
    Please note that the first email (on a white background) does not have any logos at the end of the message, while the second email (on a black background) has logos and a little below links to all official social media resources (unfortunately not fit on the screen).
    Actually and in the sender, despite the same e-mail addresses, different signatures.

    00001.jpg
    00002.jpg
    550.jpg
    551.jpg
    Edited by Denverson on January 18, 2023 5:37PM
  • DinoZavr
    DinoZavr
    ✭✭✭✭✭
    Now with kind @ZOS_KaiSchober 's explanations we can assume that most likely the issue is:

    1. A huge list of @UserIDs collected ingame was made available somewhere
    2. Robots with varying IP addresses test passwords for the said @UserIDs against a dictionary
    3. Each guessing attempt successful or not – player receives a one-time from the Official ESO site

    For the most of it, it looks harmless, but very annoying.
    Because of the fact players can not really get rid of these e-mails.
    - Blocking sender is a bad idea, as when players ISP changes IP address, or player themselves change password they could not proceed playing because they don’t get the one-time code message, because they had blocked the Official ESO sender.
    - Changing e-mail associated with @UserID would not help either as the Official server will use the most recent players e-mail

    @ZOS_GinaBruno
    @ZOS_Kevin

    I have a serious question. Considering the attack is rather harmless and its main purpose is just to annoy players, I believe the real goal is to discredit Russians (as Russian-localized client is used 100% on purpose, regardless where actually these robots are located (there are anonymous VPNs, peering networks like TOR and such)).
    I see the attack as reputational war against Russia, though these are hardly the Russian bots performing the said attack and exposing themselves so clearly.
    Considering geo-IP, reverse traceroutes, how Zenimax sees what is happening and what measures you plan to take?
    Also if Zeni plans to ban all the Russians, because the hackers' intent is clearly to push Zenimax to this measure?

    Gina, could you, please, respond to my questions and, if possible, comment on this security incident still unfolding?
    Thanks in advance
    PC EU
  • DinoZavr
    DinoZavr
    ✭✭✭✭✭
    @Denverson thank you for detailed info.
    Have you checked if links in the "white" e-mail legitimate or fraud?
    PC EU
  • davidtk
    davidtk
    ✭✭✭✭
    DinoZavr wrote: »
    @Denverson thank you for detailed info.
    Have you checked if links in the "white" e-mail legitimate or fraud?

    @DinoZavr
    Fromy my personal experience, that you can find it there on topic, links are valid legitimate links to the eso website.
    Edited by davidtk on January 18, 2023 6:25PM
    Really sorry for my english
  • daim
    daim
    ✭✭✭✭✭
    Syldras wrote: »
    SubSidal wrote: »
    By all it seems the email is genuine from an attempted login.
    I changed my password and a few hours later received another, which means they got the new password too.

    Is the email sent out with successful login attempts only or with every kind of login attempt? That makes a big difference.

    Was there any official reply to this (I dont read German) ?

    As he says that makes a huge difference. Apparently we get the mail also in the case the login fails on unknown device? In this case someone has just collected a pile of game ID's and tries to bot accounts.

    But if we get a notification only when both account and psw is correct then it implies there's most likely a breach on ZOS.
    Edited by daim on January 18, 2023 6:03PM
    ""I am that which grips the heart in fright, hearkens night and silences the light." It was written on my sword, long…long ago." ―Ajunta Pall
    PC|EU
  • Olauron
    Olauron
    ✭✭✭✭✭
    Denverson wrote: »
    What causes me the most questions is that I received two completely different letters about a login attempt, with a verification code (one when someone else tried to log in, and the second when I changed the password myself). And not only are they different - BOTH from the same email address, more like hacking servers.
    Please note that the first email (on a white background) does not have any logos at the end of the message, while the second email (on a black background) has logos and a little below links to all official social media resources (unfortunately not fit on the screen).
    Actually and in the sender, despite the same e-mail addresses, different signatures.
    The white one with just "Elder Scrolls Online" as sender is for "please enter the code below when prompted in game."
    The black one with "The Elder Scrolls Online" as sender is for "please enter the code below when prompted on The Elder Scrolls® Online site".

    This is correct.
    The Three Storm Sharks, episode 8 released on january the 8th.
    One mer to rule them all,
    one mer to find them,
    One mer to bring them all
    and in the darkness bind them.
  • WAMB0
    WAMB0
    ✭✭✭
    daim wrote: »
    Syldras wrote: »
    SubSidal wrote: »
    By all it seems the email is genuine from an attempted login.
    I changed my password and a few hours later received another, which means they got the new password too.

    Is the email sent out with successful login attempts only or with every kind of login attempt? That makes a big difference.

    Was there any official reply to this (I dont read German) ?

    As he says that makes a huge difference. Apparently we get the mail also in the case the login fails on unknown device? In this case someone has just collected a pile of game ID's and tries to bot accounts.

    But if we get a notification only when both account and psw is correct then it implies there's most likely a breach on ZOS.

    SubSidal just assumed that the mails were only sent with correct credentials and stated his assumption as fact.

    There was an official reply and in post 96 this reply got translated.

    It confirms that the emails are sent without confirming credentials first.
    This means they only need to use your @name, which is super easy to collect (ingame, and via uploaded esologs). No data breach that is likely.

    Also ppl pls stop jumping 10 steps ahead as in "ZOS is planning to ban all russians" ... over a few mails?

  • davidtk
    davidtk
    ✭✭✭✭
    White mail is from the game client
    Black mail is from eso account website
    All links are legit true not fraud links to the eso website. At least mine mail what I got and posted here.

    But there is one thing what is interesting.
    I got only one white (game client) mail.
    I changed password after account system maintenence yesterday. And didn't recieve any other emails.
    Edited by davidtk on January 18, 2023 6:17PM
    Really sorry for my english
  • DinoZavr
    DinoZavr
    ✭✭✭✭✭
    @Olauron thank you for the clarification
    Olauron wrote: »
    The white one with just "Elder Scrolls Online" as sender is for "please enter the code below when prompted in game."
    The black one with "The Elder Scrolls Online" as sender is for "please enter the code below when prompted on The Elder Scrolls® Online site".

    what do you think, based on the already known facts, whether we may suppose that the attack itself is mainly a hoax?
    (as the victims (legitimate players) are not getting a form to enter a received code?)

    PC EU
  • ghost_bg_ESO
    ghost_bg_ESO
    ✭✭✭✭
    i've mentioned at previous comment dealing with stadia to pc client this is screenshot of ORIGINAL Zeni email i had received enlish in my case (one can ignore dark part as i'm using dark template wherever i can)
    qn46xq5deoab.png


    Edit and i have used couple different passwords every time i've got email
    Edited by ghost_bg_ESO on January 18, 2023 6:26PM
  • daim
    daim
    ✭✭✭✭✭
    WAMB0 wrote: »
    daim wrote: »
    Syldras wrote: »
    SubSidal wrote: »
    By all it seems the email is genuine from an attempted login.
    I changed my password and a few hours later received another, which means they got the new password too.

    Is the email sent out with successful login attempts only or with every kind of login attempt? That makes a big difference.

    Was there any official reply to this (I dont read German) ?

    As he says that makes a huge difference. Apparently we get the mail also in the case the login fails on unknown device? In this case someone has just collected a pile of game ID's and tries to bot accounts.

    But if we get a notification only when both account and psw is correct then it implies there's most likely a breach on ZOS.

    SubSidal just assumed that the mails were only sent with correct credentials and stated his assumption as fact.

    There was an official reply and in post 96 this reply got translated.

    It confirms that the emails are sent without confirming credentials first.
    This means they only need to use your @name, which is super easy to collect (ingame, and via uploaded esologs). No data breach that is likely.

    Also ppl pls stop jumping 10 steps ahead as in "ZOS is planning to ban all russians" ... over a few mails?

    Thanks

    All I can say thumbs up to team zos_german :) . Kinda makes me sad that no one from the team didn't bother to do the post in english as well.
    ""I am that which grips the heart in fright, hearkens night and silences the light." It was written on my sword, long…long ago." ―Ajunta Pall
    PC|EU
  • davidtk
    davidtk
    ✭✭✭✭
    As I posted here on my comment with my screenshot
    davidtk wrote: »
    Here is full email
    q6y1q7rtknrc.jpg
    White email (game client) in russian.
    But it was 6 digit code. i found some old (last year) mails when I reinstalled PC, etc.. and all codes was 7 digit codes Just dont know if it matters or not.
    Edited by davidtk on January 18, 2023 6:36PM
    Really sorry for my english
  • DinoZavr
    DinoZavr
    ✭✭✭✭✭
    @daim if the current attack is just a hoax, then it should have a purpose, shouldn't it?
    PC EU
  • ghost_bg_ESO
    ghost_bg_ESO
    ✭✭✭✭
    davidtk wrote: »
    As I posted here on my comment with my screenshot
    davidtk wrote: »
    Here is full email
    q6y1q7rtknrc.jpg
    White email (game client) in russian.
    But it was 6 digit code. i found some old (last year) mails when I reinstalled PC, etc.. and all codes was 7 digit codes Just dont know if it matters or not.

    last couple emails i've received have 6 and 7 digit codes
  • Olauron
    Olauron
    ✭✭✭✭✭
    DinoZavr wrote: »
    what do you think, based on the already known facts, whether we may suppose that the attack itself is mainly a hoax?
    (as the victims (legitimate players) are not getting a form to enter a received code?)

    It depends. I am not sure whether it is possible to disable code e-mail or not (there may be users who decided to do that and they are the target of these attempts). It may be some kind of guild drama, if there is something similar among people who received notifications. The list goes on.
    davidtk wrote: »
    But it was 6 digit code. i found some old (last year) mails when I reinstalled PC, etc.. and all codes was 7 digit codes Just dont know if it matters or not.
    I had 7 digit codes and 8 digit codes from real e-mails, so I find it possible to have 6 digit code from real e-mail.
    The Three Storm Sharks, episode 8 released on january the 8th.
    One mer to rule them all,
    one mer to find them,
    One mer to bring them all
    and in the darkness bind them.
  • davidtk
    davidtk
    ✭✭✭✭
    @ghost_bg_ESO and @Olauron
    Thank you.
    So then I consider my mail as legit true 2fa mail. Because all links inside mail are real.
    I dont have this mail anymore but others can check digital signature.
    Edited by davidtk on January 18, 2023 6:59PM
    Really sorry for my english
  • perfiction
    perfiction
    ✭✭✭✭✭
    Got same email, but my account is linked to Steam (and I can't login without it into the game) so most likely someone wanted to log into https://account.elderscrollsonline.com/

    Also it's 2023 and ESO still doesn't support 2FA apps, shame.
    Edited by perfiction on January 18, 2023 7:03PM
  • davidtk
    davidtk
    ✭✭✭✭
    perfiction wrote: »
    Got same email, but my account is linked to Steam (and I can't login without it into the game)

    I dont understand this... I have Steam version but I have password for the account so I can login WITHOUT steam without problem and can change password too. Just dont know how I made this before several years. I bought my game through Steam.
    Edited by davidtk on January 18, 2023 7:14PM
    Really sorry for my english
  • perfiction
    perfiction
    ✭✭✭✭✭
    davidtk wrote: »
    perfiction wrote: »
    Got same email, but my account is linked to Steam (and I can't login without it into the game)

    I dont understand this... I have Steam version but I have password for the account so I can login WITHOUT steam without problem and can change password too. Just dont know how I made this before several years. I bought my game through Steam.

    If you bought your game on steam pre 2017 then you can log in using both methods (through steam or with login + password in non-steam launcher). If you bought it post 2017 then your only option is steam authentication.
  • G1Countdown
    G1Countdown
    ✭✭✭✭✭
    With something as significant as a possible data breach apparently affecting many players I would expect more of a response in this thread than ‘submit a ticket.’ It sounds like at the least a large list of account @names were released. I am grossly disappointed in the official response. The correct response in my mind would have been along the lines of ‘we are looking into this now. And we will respond when we have more information.’ And then, I would actually expect that response with their findings.

    Scroll up 1, also not exactly many people

    Explain to me where you have details on "not exactly many people?" What does not exactly mean? One less than exactly? Where are you getting this? If ZOS posted this, then I want a definition of what "not exactly many people" means. If that quote is just from you, then enough from the peanut gallery.
  • davidtk
    davidtk
    ✭✭✭✭
    perfiction wrote: »
    davidtk wrote: »
    perfiction wrote: »
    Got same email, but my account is linked to Steam (and I can't login without it into the game)

    I dont understand this... I have Steam version but I have password for the account so I can login WITHOUT steam without problem and can change password too. Just dont know how I made this before several years. I bought my game through Steam.

    If you bought your game on steam pre 2017 then you can log in using both methods (through steam or with login + password in non-steam launcher). If you bought it post 2017 then your only option is steam authentication.

    2020 I bought it sooo dont understand. And wife have the same.
    Anyway somehow it is possible they changed something or who knows why I can login both methods.
    Edited by davidtk on January 18, 2023 7:42PM
    Really sorry for my english
This discussion has been closed.