
Stolen account - no support - poor 2FA


prettyprettypudding

Dear DE,

 

My account was stolen about a month ago after my email account was attacked (not this one). Pretty much all of my accounts were attacked. I have created a support ticket regarding the stolen account, and at the time of writing this, the ticket has been there for 1 month without any kind of response. I don't think it's even been seen. I understand you're releasing Fortuna and there's lots to do, but one would think that a ticket in the "Account has been hacked" category would get at least a little attention. That kind of problem is time-sensitive after all.

 

While on the subject of security, your "2FA" is quite depressing. I hope you don't feel personally attacked when I say this, but a lot of games these days offer very effective 2FA options, such as temporary SMS codes, authenticator logins, etc. I mean you could even use your mobile app for this. These are used to offer an extra layer of actual security to a login, and can have various triggers ranging from only during account recovery, to every single login. The fact that your "2FA" can be bypassed by having access to my email, and then immediately MOVE the account to a different email is ridiculous.

 

Your 2fa "verification code" email didn't include the email that the account was being moved to, and while it's not necessary, I think it would be nice so I would at least know where my account went. After all, if it really was me that requested it, then including the new email address shouldn't be an issue.

 

Your swift response would be appreciated (seriously, this is driving me crazy),

PrettyPrettyPudding (not my original name)


I've re-read the forum guidelines and would like to reiterate: the original post is not intended as an insult or a rage post. I feel that the lack of 2FA options is an important issue that could be greatly improved, and currently poses a high risk to any player that simply has their email account violated, due to password reset process combined with the ability to move the account to a different email.

And due to the lack of response from support, I'm worried if I even have a chance to get the account back.

My personal experience was a troll violated multiple of my accounts, and we had a turf war while I tried to reclaim them over a weekend, eventually they "handed" it back to me after doing troll things, but no permanent damage has been found so far (I recovered deleted emails, etc.) except that they stole this account. Actually stole it. And I have thousands of hours in it, so you can imagine how frustrated I am at losing so much progress on a game that I enjoy so much. And right before Fortuna comes out no less.


21 minutes ago, prettyprettypudding said:

I've re-read the forum guidelines and would like to reiterate: the original post is not intended as an insult or a rage post. I feel that the lack of 2FA options is an important issue that could be greatly improved, and currently poses a high risk to any player that simply has their email account violated, due to password reset process combined with the ability to move the account to a different email.

1) I do agree Warframe's 2 factor should use either SMS or Google Authenticator, something that's NOT email. It's not very secure.

2) What I would say, on your part, is clearly you were not using good 2 factor on your email if it was hacked. So, having a good 2 factor on Warframe won't matter if you're not properly using it?


While I have learned that I could have secured it better, it seems to me that my information was possibly leaked and they used an offline attack to learn my password. I had recovery processes set in place that were successful, but they would use them against me too, hence the "turf war". And they changed the recovery details, but the provider wouldn't let me change it back. I guess it doesn't have a behaviour recognition for this sort of thing. So I had to do the long recovery every time, proving that I know enough account history to get it back, but after 2 days of this, I suddenly got "This has been done too many times in the last 24 hours, please try again later". My theory is they used that form repeatedly, deliberately to lock me out of my last method for access. After they screwed with a few things they sent one of my other accounts a message, trying to be all cryptic, and gave me access back.

Suffice to say, I put up every wall I can find.


1 minute ago, prettyprettypudding said:

While I have learned that I could have secured it better, it seems to me that my information was possibly leaked and they used an offline attack to learn my password. I had recovery processes set in place that were successful, but they would use them against me too, hence the "turf war". And they changed the recovery details, but the provider wouldn't let me change it back. I guess it doesn't have a behaviour recognition for this sort of thing. So I had to do the long recovery every time, proving that I know enough account history to get it back, but after 2 days of this, I suddenly got "This has been done too many times in the last 24 hours, please try again later". My theory is they used that form repeatedly, deliberately to lock me out of my last method for access. After they screwed with a few things they sent one of my other accounts a message, trying to be all cryptic, and gave me access back.

Suffice to say, I put up every wall I can find.

Ah.. Seems like your email provider isn't protecting your account as well as they should. Whoever wants your account really seems to want it bad.


Pretty darn annoying when they attacked multiple of my unrelated accounts, and they would have had access to financials, but didn't do anything with them. Once I realised the attack I locked down all other email accounts before they could do anything to them. The only major stuff they did was delete 15 years of emails, delete my PayPal account (again, without spending anything) and steal this account (which they then removed all friend and clan connections, and renamed, which means they invested plat because I certainly didn't have enough???).

Edited by prettyprettypudding

This topic is now closed to further replies.