Game Account Access has to be verified per IP / Computer

Started 14 Feb 2019
by gruenesschaf
in Tavern
TL;DR:
Due to recent events we are implementing poor man's 2 factor authentication: whenever a new ip / computer logs into your account with the correct username / password you will receive an email to grant access to this ip / computer, and the launcher will show you an error message telling you to check your email to verify the access. Also, changing your email address on the forum will from now on only be possible via contacting staff, as being able to change your email would render this entirely pointless.


Over the last 3 days around 60 accounts were accessed by a few ips / computers transferring gold to other accounts (target accounts also among those 60 / also victims) and / or deleting characters.
The incident is quite interesting and no clear source / commonality between the accounts can be found. The attack needed between 1 and 4 attempts until successful login but also had lots of accounts where it was attempted 4 times and then moved on without success. The small number + failures to access accounts points to there not being a breach but it also points to it not being a brute force attack as many of the 60 accounts were accessed on the first or second attempt. The current running theory is some phishing attempt via a fake launcher / loki / moras / radar / whatever but no evidence for that has been found yet.

In order to protect the accounts we will implement a form of 2 factor authentication: whenever a new ip / computer logs into your account with the correct username / password you will receive an email to grant access to this ip / computer, and the launcher will show you an error message telling you to check your email to verify the access. This is obviously an inconvenience to many, especially when it comes to sharing accounts, but on the other hand this is volunteer work and dealing with potential "hacked accounts" is rather time consuming; therefore this is mandatory and not opt in / out.

Since our forum software values convenience over security when it comes to email changes, we are going to disable this feature for users; if you want to change your email you have to contact the staff. In case people are curious what the forum does / would do with it enabled when the attacker changes your email: it just changes your email to the newly provided one, deactivates your account and sends an activation email to the new one. If someone has your username / password they would just be able to change the email and thereby render this email access granting scheme pointless.

For now, whenever the authentication server restarts (for whatever reason) it will forget all access grants. Currently it only needs restarts in case of updates, which can be expected weeklyish, but now, shortly after this new feature, there might be a couple of restarts needed in the next day or two to get it right.

As for the 60 affected accounts, we'll try to resolve that over the next few days; please bear with us here. While gold transfers are easy to follow and deletions can easily be reverted, anything affecting items is a mess.
Thu 14 Feb 2019 9:49 AM by gruenesschaf
Known hosts that block our emails:
ATT: @att.net @sbcglobal.net
Free.fr


If you want to get the email address changed, please read this first and contact Beckett via forum or Discord if it persists.


Please give a staff member some time to respond before trying another.

Providers that previously blocked us but no longer do so:
Telekom: @t-online.de
Yahoo: @yahoo.com/it etc., @aol.com

Known major providers that work without issue:
Google: @gmail.com @googlemail.de etc.
Microsoft: @hotmail.com @outlook.com etc.
Comcast
Web.de
GMX
Mail.fr
Yandex
Protonmail
Sat 16 Feb 2019 7:32 AM by gruenesschaf
The launcher now saves an encrypted token when the 2 factor authentication succeeds and presents that to the auth server on future logins, thereby removing the need for repeated email confirmations for accounts that were already logged in from that computer.

Please note that only the email confirmation is skipped this way; you still need the correct username + password, and if someone tries to log in from another computer, or rather a computer that does not have the token, the confirmation email will still come.

This should make those emails a lot rarer, especially for dynamic IP / vpn people and also hopefully lead to people more carefully looking at them before blindly following the verification link.
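The grant-then-token flow described in these posts, as an added example that is not the project's own code: a toy Python auth server that keeps grants in memory only (so a restart forgets them), emails a single-use grant code for an unknown username / IP pair, and hands the launcher a token that skips the email step but never the password check. A signed (HMAC) token stands in for the post's "encrypted token"; the user table, key, address and IPs are constructed for the example.

```python
import hashlib
import hmac
import secrets

def hash_pw(password):
    # Toy hashing for the example; a real server would use a slow, salted password hash
    return hashlib.sha256(password.encode()).hexdigest()

class AuthServer:
    """Per-IP/computer grants held in memory only, so a restart forgets them (as the post warns)."""
    def __init__(self, users, secret_key):
        self.users = users        # username -> {"pw": hash, "email": address}
        self.key = secret_key     # server-side key that signs launcher tokens
        self.granted = set()      # (username, ip) pairs confirmed via email
        self.pending = {}         # one-time grant code -> (username, ip)
        self.outbox = []          # (email, grant code) the server "sent"
    def _password_ok(self, username, password):
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(user["pw"], hash_pw(password))
    def _make_token(self, username):
        # Random nonce bound to the account by an HMAC tag (stands in for the post's "encrypted token")
        nonce = secrets.token_hex(16)
        return nonce + "." + hmac.new(self.key, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()
    def _token_ok(self, username, token):
        nonce, _, tag = token.partition(".")
        expect = hmac.new(self.key, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, expect)
    def login(self, username, password, ip, token=None):
        if not self._password_ok(username, password):
            return {"status": "bad_credentials"}       # a token never replaces the password
        if token is not None and self._token_ok(username, token):
            return {"status": "ok", "token": token}    # known computer: skip the email step
        if (username, ip) in self.granted:
            return {"status": "ok", "token": self._make_token(username)}
        code = secrets.token_urlsafe(24)                # unknown ip/computer: email a grant link
        self.pending[code] = (username, ip)
        self.outbox.append((self.users[username]["email"], code))
        return {"status": "check_email"}
    def confirm(self, code):
        # Called when the user follows the emailed link; the code is single-use
        entry = self.pending.pop(code, None)
        if entry is None:
            return False
        self.granted.add(entry)
        return True

# Constructed sample user and key; the address and any IPs used with it are documentation values
USERS = {"alice": {"pw": hash_pw("correct horse"), "email": "alice@example.com"}}
SECRET_KEY = b"constructed-server-key"
```

Creating a fresh `AuthServer` models a restart: every earlier grant is gone, while tokens still verify because they are signed rather than stored.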