  1. #1
    Join Date
    Jan 2007
    Posts
    281

    Account Hacking: SSG Needs to address this NOW

    So, my wife's Lifetime account was hacked this morning; she received a fraudulent activity notice from her bank identifying purchases in the LOTRO store totaling over $600. She called me and I tried in vain to log into her account, which of course had had the password changed and was by that time probably trashed. When she got in from work this evening, we filed an in-game ticket and went to the LOTRO Help site and filed one there as well. After more than 4 hours now, we have yet to get a response to either, and while we were waiting, a friend of ours logged in and said that her premium house had been looted and was now up for sale and her main character no longer shows on either of our friends lists.

    What I want to know from SSG is just why in the hell behavior like this is tolerated and more importantly, what safeguards are you going to implement so that criminal activity like this is no longer possible? And please, spare me the, "you need to change your password more frequently..." as this tells me that YOU, the service provider, feel that you bear no responsibility for the security of your customers' data.

    Finally, if you are so understaffed that you can't at the very least respond to an issue of this magnitude in under 4 hours, you need to close the doors!
    "It is better to be present with ten men....than absent with ten thousand"
    Daenith Erlundir ~ of Landroval
    Ranger

  2. #2
    Join Date
    Jun 2011
    Posts
    83
    Sorry to hear your wife's account got compromised.

    The number one way for criminals to access an account is by reusing credentials found when other websites get hacked. As a user, the number one defense you have against it is using a password manager that will help you with unique strong passwords for each login you have. Plenty of free ones available, I personally prefer KeePass. Just be sure you never lose access to your passwords.

    As for SSG, there are a number of security flaws I found in your story. The first, purchases should never be possible with information that's already stored, such as credit card numbers. Not only does that prevent purchases on compromised accounts, not storing them also eliminates the possibility of having them leaked in case of an actual hack. Asking for the same, already compromised, password offers very little security.

    Second, adding 2FA greatly increases security for customers who want it. Blizzard has had this for over a decade already and even provides free bag space to encourage people to actually use it. No need to build your own 2FA, existing 2FA solutions like Authy/Google Authenticator work fine.

  3. #3
    Join Date
    Apr 2014
    Posts
    620
    Quote Originally Posted by Daenith View Post
    What I want to know from SSG is just why in the hell behavior like this is tolerated
    You answered that yourself in your first sentence - the 600 dollars they got in sales.
    Eats like a Hobbit, drinks like a Dwarf, farts like an Orc...

  4. #4
    Join Date
    Apr 2008
    Posts
    237
    MFA would be nice and I have suggested it in the past, even a security code you could set up for store purchases. But alas, none of this has been implemented. Your best bet right now is to use a unique complex password for the game and only for this game; do not use it anywhere else. The good news is that they should be able to recover most if not all your stuff, as fraudulent/hacked accounts do not fall under the https://www.lotro.com/forums/showthr...rsement-Policy. As for the cc charges, they should be able to refund the charges; if not, then your bank can fix it. It sucks this happened, but be patient and they will get everything resolved and hopefully back to normal.
    One Does Not Simply Walk into Minas Tirith they rubber band in!!

  5. #5
    Join Date
    Sep 2013
    Posts
    108
    I'm sure they'll make it right for you. As long as you got your CC under control, the rest should be OK.

    I'm certain it's not a case of SSG/LOTRO getting hacked, but rather a case of compromised credentials so go change all of your other passwords ASAP.

    In any event, there has been previous discussion amongst the playerbase about 2FA, which could go a long way in preventing this type of scenario.

    Quote Originally Posted by Daenith View Post
    What I want to know from SSG is just why in the hell behavior like this is tolerated
    It's tolerated? LOL. How is it tolerated? Just because they are slow and understaffed doesn't mean it's tolerated.

    Quote Originally Posted by Daenith View Post
    And please, spare me the, "you need to change your password more frequently..." as this tells me that YOU, the service provider, feel that you bear no responsibility for the security of your customers' data.
    It's kind of a joint venture with the user AND the provider here.
    Quote Originally Posted by Daenith View Post
    Finally, if you are so understaffed that you can't at the very least respond to an issue of this magnitude in under 4 hours, you need to close the doors!
    The damage is already done. They can fix you. Calm down.

  6. Mar 02 2021, 02:07 PM

  7. Mar 02 2021, 02:21 PM
    Reason
    pointless antagonism

  8. #6
    Join Date
    Jan 2019
    Posts
    1,937
    Unfortunately this happened to me on another game. No one truly believes you when you say you got hacked.
    It's far less effort to blame you for things rather than actually doing something about it.
    Then my first account on this game got hacked about 4 years ago and they believed it was me who signed in.

    Needless to say that both accounts are permanently banned. :/
    Only difference is that the owner of the other game accused me of theft when I got my bank to reverse the transactions and he threatened to sue and put me in jail.

  9. #7
    Join Date
    Jun 2011
    Posts
    2,190
    Quote Originally Posted by Pewpewmidget View Post
    Unfortunately this happened to me on another game. No one truly believes you when you say you got hacked.
    It's far less effort to blame you for things rather than actually doing something about it.
    Then my first account on this game got hacked about 4 years ago and they believed it was me who signed in.

    Needless to say that both accounts are permanently banned. :/
    Only difference is that the owner of the other game accused me of theft when I got my bank to reverse the transactions and he threatened to sue and put me in jail.
    Yeah, I don't believe you, either. The probability of getting your account "hacked" once is very low. Twice is absurdly low.

    Either you're lying, or you're doing something very dumb with your passwords.

  10. #8
    Join Date
    Oct 2011
    Posts
    1,228
    Quote Originally Posted by Thurallor View Post
    Yeah, I don't believe you, either. The probability of getting your account "hacked" once is very low. Twice is absurdly low.

    Either you're lying, or you're doing something very dumb with your passwords.
    Accusing someone of lying isn't really in your purview as you don't have all the facts of the particular incident nor the complete rules SSG would use to mediate with. So, if troll then I applaud you as I took the bite, but if not then just chill with the accusations!

    As to this thread... if it has done one good thing, it has made me shore up my password on all my accounts and I hope it makes others do it also....

    Please..... there cannot still be folks out there with the same old password they joined the game with? It is possible because neither Turbine nor SSG has ever forced any password changes on folks, but they have made the password making stronger when you do actually change your password...

    As above though... I would like a 2 form factor Identification added to the login... We all have mobiles nowadays... even if it isn't compulsory, but at least then if the person like the OP then came on and said he was hacked but he didn't opt for 2 form factor ID then we may have more sympathy or acceptance, let's say, for the message above....
    ----A casual stroll through the lunatic asylum shows that faith does not prove anything----


  11. #9
    Join Date
    Jul 2016
    Posts
    406
    I will say, this thread has caused me to delete all saved payment methods from my LOTRO account.

    So if I ever do get hacked in this game, they're not going to have any saved payment methods at the ready.

  12. #10
    Join Date
    Jan 2016
    Posts
    352
    Quote Originally Posted by Wargoat View Post
    I will say, this thread has caused me to delete all saved payment methods from my LOTRO account.

    So if I ever do get hacked in this game, they're not going to have any saved payment methods at the ready.
    Yeah, I did that years ago when I heard about hacked accounts. I advise doing it.

  13. #11
    Join Date
    Jan 2007
    Posts
    281
    Quote Originally Posted by Wargoat View Post
    I will say, this thread has caused me to delete all saved payment methods from my LOTRO account.

    So if I ever do get hacked in this game, they're not going to have any saved payment methods at the ready.
    I hear ya.

    Sad thing is, if it weren't for my wife's bank notifying her of the questionable charges, we'd have been none the wiser until she tried to log in to the account.

    Update:
    My wife contacted Xsolla yesterday morning after talking to her bank, telling them what was going on and they said they would/have banned the account. So far, we have been contacted once (by text as we're unable to find a phone number) by SSG customer support and quite honestly, because of the time that has now elapsed (almost 2 days) and the "tone" of the conversation, I would say that prospects for a "happy" resolution are looking pretty bleak at this point. Honestly, I don't believe they (SSG) actually care one way or the other because it's one less Lifetime account they have to deal with and quite frankly, I think they'd just as soon be rid of all of them, period.

    Bottom line is that nobody should be able to log into your account, change the password AND contact information without some serious red flags going up on SSG's side. In most instances, not all mind you, but most, when doing anything like that, you are first emailed a verification code before you can proceed to change anything and it goes to your original email. Not the case here. Your LOTRO accounts are NOT secure, not even by the most rudimentary standards.
    "It is better to be present with ten men....than absent with ten thousand"
    Daenith Erlundir ~ of Landroval
    Ranger

  14. #12
    Join Date
    Jun 2011
    Posts
    70
    How did they find out your email or username? If it is the same as your forum name, it might be worth changing the forum name. Shame there isn’t a two step authentication process such as an app for a WoW/SWTOR with a code generator.
    I founded the company of public toilets that you can read an online encyclopaedia whilst you are on it, but had to abort the project as all the domain names for Wikileaks had been taken. /Doh ;-p

  15. #13
    Join Date
    Jun 2011
    Posts
    72
    Quote Originally Posted by PJ. View Post
    Shame there isn’t a two step authentication process such as an app for a WoW/SWTOR with a code generator.
    Absolutely. Now it's a must to do.

  16. #14
    Join Date
    Jan 2007
    Posts
    281
    Quote Originally Posted by PJ. View Post
    How did they find out your email or username? If it is the same as your forum name, it might be worth changing the forum name. Shame there isn’t a two step authentication process such as an app for a WoW/SWTOR with a code generator.
    Valid questions. How do hackers hack an account? I have no idea, but they do and they will continue to do so until stronger safeguards are in place.

    I do know that in this instance, once they do gain access to your account, you are pretty much screwed as it gives them complete access to your info including your email address. Don't believe me? Log on and take a look. Once in, they can change anything they want without ANY verification whatsoever.

    Try to get your account back and you'll be asked to provide just about everything short of a DNA sample and even then, well as I posted previously, it ain't looking good. The information is there, I'm sure it's time stamped and all they have to do is look at it to verify what we've told them. At this point, I don't know what else to say other than how deeply disappointed and upset I am that SSG hasn't taken this more seriously.
    "It is better to be present with ten men....than absent with ten thousand"
    Daenith Erlundir ~ of Landroval
    Ranger

  17. #15
    Join Date
    Apr 2015
    Posts
    4,112
    Quote Originally Posted by Daenith View Post
    Valid questions. How do hackers hack an account? I have no idea, but they do and they will continue to do so until stronger safeguards are in place.

    I do know that in this instance, once they do gain access to your account, you are pretty much screwed as it gives them complete access to your info including your email address. Don't believe me? Log on and take a look. Once in, they can change anything they want without ANY verification whatsoever.

    Try to get your account back and you'll be asked to provide just about everything short of a DNA sample and even then, well as I posted previously, it ain't looking good. The information is there, I'm sure it's time stamped and all they have to do is look at it to verify what we've told them. At this point, I don't know what else to say other than how deeply disappointed and upset I am that SSG hasn't taken this more seriously.
    In most situations, players type their login/pass in the wrong place at the wrong time

  18. #16
    Join Date
    Dec 2010
    Posts
    4,875
    Quote Originally Posted by Daenith View Post
    Valid questions. How do hackers hack an account? I have no idea, but they do and they will continue to do so until stronger safeguards are in place.
    I would run an antivirus as the first thing. If your account was indeed hacked, it's possible there are keyloggers. A keylogger will record not only your game login, but any keystroke you enter, and that is not good to have at all; that is how they get your info to hack your account...
    Last edited by Pontin_Finnberry; Mar 03 2021 at 12:03 PM.
    Pontin Level 140 Hobbit Burglar Leader of Second Breakfast Crickhollow Server.
    other classes: Minstrel, Guardian, Captain, Hunter.

    Taken many Screenshots of Middle-earth, Also a Moderator of the LotRO Community Discord server

  19. #17
    Join Date
    Jan 2007
    Posts
    281
    Quote Originally Posted by Pontin_Finnberry View Post
    I would run an antivirus as the first thing. If your account was indeed hacked, it's possible there are keyloggers. A keylogger will record not only your game login, but any keystroke you enter, and that is not good to have at all; that is how they get your info to hack your account...
    Well Pont, her premium house was vandalized and sold. Her level 130 Guardian she's played and worked on for 10+ years has either been transferred to another server or deleted altogether and as for her other characters, well, we don't rightly know their status at present because we no longer control the account that I purchased back in 2009. Now I'm no rocket scientist by any means, but between you and me, I'm gonna go out on a limb and say that constitutes a HACK.

    Thanks for the support, buddy.
    "It is better to be present with ten men....than absent with ten thousand"
    Daenith Erlundir ~ of Landroval
    Ranger

  20. #18
    Join Date
    Jun 2011
    Posts
    636
    Quote Originally Posted by Daenith View Post
    Well Pont, her premium house was vandalized and sold. Her level 130 Guardian she's played and worked on for 10+ years has either been transferred to another server or deleted altogether and as for her other characters, well, we don't rightly know their status at present because we no longer control the account that I purchased back in 2009. Now I'm no rocket scientist by any means, but between you and me, I'm gonna go out on a limb and say that constitutes a HACK.

    Thanks for the support, buddy.
    That does not constitute a hack. I am 99% sure that the mistake is not on the side of SSG or we would have many more threads about hacks.

    So, there are 3 more options remaining:

    1) Voluntarily shared the account data with a third person.

    2) Got a keylogger on the computer due to downloading some shady stuff.

    3) Entered the exact same login information at another website, that either was malicious from the beginning, or if not, got hacked (e.g. some small community site which often have lackluster (at best) security in place)

    Either way, the first thing you should do is to find the path they entered and seal it - change the password on your email (the most important thing to do), run an AV, or better just set up the computer anew, ...

  21. #19
    Join Date
    Apr 2007
    Posts
    277
    Quote Originally Posted by Daenith View Post
    Well Pont, her premium house was vandalized and sold. Her level 130 Guardian she's played and worked on for 10+ years has either been transferred to another server or deleted altogether and as for her other characters, well, we don't rightly know their status at present because we no longer control the account that I purchased back in 2009. Now I'm no rocket scientist by any means, but between you and me, I'm gonna go out on a limb and say that constitutes a HACK.

    Thanks for the support, buddy.
    I'm sorry for your frustration and possible loss here, and LOTRO absolutely does have both the least and worst customer support, and the least and worst account security and protection of any game I still play.

    So don't think I'm accusing you of anything here, but what does the part in bold mean more specifically in your post? It might be the answer to how this happened

  22. #20
    Join Date
    Jan 2007
    Posts
    281
    Quote Originally Posted by Esgalad View Post
    I'm sorry for your frustration and possible loss here, and LOTRO absolutely does have both the least and worst customer support, and the least and worst account security and protection of any game I still play.

    So don't think I'm accusing you of anything here, but what does the part in bold mean more specifically in your post? It might be the answer to how this happened
    It simply means that I bought the account from then Turbine in 2009 when they still offered a Lifetime account purchase option. Someone, I have no idea who, managed to get the account username, password, etc., by whatever means and we no longer "own" it. I suppose to be more correct, I should have said "stolen" instead of "hacked" but I kinda figured they had to hack in first, before they stole it. But that's beside the point.

    The point is, there is no way they should be able to do this regardless. SSG's account security is not only an absolute joke, it's nonexistent. I guess they think that the, "if you are not XXXX, please log out" is a sufficient enough deterrent to keep hard working criminals at bay. And that is all they are really, Criminals.

    Some of you suggest that I'm lying or making this all up. Fine. Log onto your account page and change your password. You will "soon" get an email notifying you that your password has been changed and that if you did not change it, to contact customer support. Many of you will cite this as proof that there are indeed security measures in place and you would be correct if it were not for one thing; and that is that you are being notified "after the fact", at which point it would be too late and your account is already toast. Secondly, and being that they are criminals, if someone does manage to get that far, you will never even get an email from SSG notifying you of a password change because the first thing the hackers/thieves did was to change the account email address to theirs and then proceed to change the password so that the notification comes to them.

    That explains why we found out about this whole mess from my wife's bank instead of SSG. Because as far as SSG is concerned, nothing malicious has happened. SSG has the logs to verify what I've told them so it should be cut and dried. Unfortunately, it appears that you are a liar until proven otherwise. That's damn sad.

    In our case, because of the dollar amounts involved (the original game cost, all the expansions I've purchased with the exception of War of 3 Peaks and the fraudulent Xsolla purchases), you cross the threshold from petty thievery to full-fledged Felony Larceny. If any of you are comfortable with that, then there's nothing I can say or do to convince you that I am 100% on the up and up about this. I sincerely hope it doesn't happen to any of you.
    "It is better to be present with ten men....than absent with ten thousand"
    Daenith Erlundir ~ of Landroval
    Ranger
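
An added example, not part of any post in this thread and not SSG's code: the safeguard described in posts #11 and #20, where an email or password change is only staged until a code mailed to the address already on file is presented, so a stolen password alone cannot move the account. All class and function names, the code lifetime, and the addresses are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 600  # seconds a confirmation code stays valid (assumed value)


def _kdf(password: str, salt: bytes) -> bytes:
    # Demo parameters; tune the iteration count for production hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _kdf(password, self.salt)
        self.pending = None  # (field, new_value, code_hash, expires_at)


class AccountService:
    def __init__(self):
        self.outbox = []  # (recipient, message): stand-in for a mail gateway

    def check_password(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.pw_hash, _kdf(password, acct.salt))

    def request_change(self, acct, password, field, new_value, now):
        """Stage an email or password change. Nothing is applied yet."""
        if field not in ("email", "password"):
            return False
        if not self.check_password(acct, password):
            return False
        if field == "password":  # never hold the new password in the clear
            salt = secrets.token_bytes(16)
            new_value = (salt, _kdf(new_value, salt))
        code = secrets.token_hex(4)
        code_hash = hashlib.sha256(code.encode()).digest()
        acct.pending = (field, new_value, code_hash, now + CODE_TTL)
        # The code goes to the address on file, which the intruder cannot read.
        self.outbox.append((acct.email, f"Code to confirm {field} change: {code}"))
        return True

    def confirm_change(self, acct, code, now):
        """Apply the staged change only if the mailed code arrives in time."""
        if acct.pending is None:
            return False
        field, new_value, code_hash, expires_at = acct.pending
        acct.pending = None  # single use: a wrong guess burns the code
        supplied = hashlib.sha256(code.encode()).digest()
        if now > expires_at or not hmac.compare_digest(code_hash, supplied):
            return False
        old_email = acct.email
        if field == "email":
            acct.email = new_value
        else:
            acct.salt, acct.pw_hash = new_value
        for addr in sorted({old_email, acct.email}):  # tell old and new address
            self.outbox.append((addr, f"Your account {field} was changed."))
        return True
```

With this flow the owner's mailbox sees the request before anything changes, instead of a notice after the fact.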

  23. #21
    Join Date
    Jun 2011
    Posts
    636
    Quote Originally Posted by Daenith View Post
    Secondly, and being that they are criminals, if someone does manage to get that far, you will never even get an email from SSG notifying you of a password change because the first thing the hackers/thieves did was to change the account email address to theirs and then proceed to change the password so that the notification comes to them.
    Except you will get an email to your OLD email if you change your email address. So, something is off here...

  24. #22
    Join Date
    Jan 2007
    Posts
    281
    Quote Originally Posted by Thorondir View Post
    Except you will get an email to your OLD email if you change your email address. So, something is off here...
    Going to have to disagree with you here as she received no notification whatsoever, email or otherwise from SSG. And unless you have 2 email accounts, which I do not, there's no way to prove or disprove you without setting up a bogus email account to test it. But being as the only communication we have had from SSG came almost 24 hours after we filed the ticket, I'm going to say you are incorrect.

    Edit: I would be very interested to know the outcome if someone was able to test this. Change your email address, then change your password and see which email account the notification comes to.
    Last edited by Daenith; Mar 03 2021 at 04:55 PM.
    "It is better to be present with ten men....than absent with ten thousand"
    Daenith Erlundir ~ of Landroval
    Ranger

  25. #23
    Join Date
    Jun 2011
    Posts
    636
    Quote Originally Posted by Daenith View Post
    Going to have to disagree with you here as she received no notification whatsoever, email or otherwise from SSG. And unless you have 2 email accounts, which I do not, there's no way to prove or disprove you without setting up a bogus email account to test it. But being as the only communication we have had from SSG came almost 24 hours after we filed the ticket, I'm going to say you are incorrect.

    Edit: I would be very interested to know the outcome if someone was able to test this. Change your email address, then change your password and see which email account the notification comes to.
    I just tested it to be sure, although I remembered it from before.

  26. #24
    Join Date
    Jan 2007
    Posts
    281
    So you changed your contact email, changed the password and the password change notification came to your old email? Just to be clear.

    Edit: Wife is home, we just tried this and it sent a notice to the old and the new email address. Why we initially received no notice at all is beyond me. I have to go to work so will resume tomorrow.
    Last edited by Daenith; Mar 03 2021 at 05:19 PM.
    "It is better to be present with ten men....than absent with ten thousand"
    Daenith Erlundir ~ of Landroval
    Ranger

  27. #25
    Join Date
    May 2009
    Posts
    734
    Quote Originally Posted by LabadalofDorlomin View Post
    ... We all have mobiles nowadays...
    No, we don't. While you and many others might not be able to live without them, some of us get along just fine without them.

 

 