Landroval Hacked

[zook73]

So i am on Landroval and yes i fell for the stupid hack. But lets make it clear that those world posts where going on for a long time before i interacted with it. Assuming incorrectly that if its gone on this long it must be legitimate. Well after 55 hours from submitting a ticket i have got my account back (for which im very grateful for). However as Feedback i have to say SSG needs to do better to protect its clients, communicate when tickets are submitted (not only when a dev is about to interact with them). Whats the point of getting an email to say 'did you change your password', if you try to raise the issue and it just gets put another long que.
End result for me is a bunch of stress, a restored account (thanks to the dev who responded), all my gold taken from all my characters (Which i must say as an accountant is easy to trace and return to players), and a foul mood from the smarmy automatic copy paste comments that the dev had to put into the interaction.

I would have to say that playing this game and DDO is amazing, however dealing with SSG is very painful and i do not look forward to it in the future.

[WindDancer13]

They returned your gold????? Most of my gold was stolen in March (on my birthday no less) and they told me that my account would be banned if I complained again. Twelve years of earnings from crafting, gone (and it was a lot of gold over 47 character on two worlds).

I agree that they should have no trouble tracking down who did this. I sent them a list of the times that my characters had been logged in while the theft was going on (about an hour and a half all told). The thief logged onto my characters and mailed my gold to someone. They had to move a number of toons to get to mail boxes.

It is very disorientating to log into a character and find not only are they not where they are supposed to be (yes, I remember where I left them), but to also find that the thief just loaded the first horse in the Mount list. This whole thing has been very painful and was totally exacerbated by the copy and paste response, basically being called a lia and having my account threatened by "customer support."

To those who want to blame the victim:
I do NOT and never have shared passwords or engaged in risky Internet behavior. No one other than me has access to my computer . . . period. If it had been my computer that had a keylogger or virus as "support" suggested, I believe my bank accounts and credit cards would have been of more interest that virtual in-game gold.

[Plidak]

No one other than me has access to my computer . . . period. .

But someone did. Even with key loger you need to use your acounts after you get hacked so they steal your info. Unless you use password saves like google acchount and #### ... You got the bug, you log in game, done
I dont think ssg give back that guy gold. Also treatening to ban him if he contact them again is .... stupid. But ban is their main solution for many things.
Also even if you have xxx problems, you should not send more than 1 ticket / for one of those probles, or they will be ignored, and if send them again, you may get baned. Its kinda "my way, or the high way" Its normal for most american companies. So yea, nothing new.
Dont open links unless you are sure they are safe. Done, If you do, your fault.
I know sm1 /actualy more than 1/ who got his account hacked, but guy is not even vip, so he will never get his things back.
They guy above just got lucky

[Pewpewmidget]

This brings back terrible memories of when my first account got hacked and permanently banned in 2016.
I tried contacting support but they kept saying that the perm ban was warranted and kept closing my tickets instead of bothering to help.

[WindDancer13]

But someone did. Even with key loger you need to use your acounts after you get hacked so they steal your info. Unless you use password saves like google acchount and #### ... You got the bug, you log in game, done
I dont think ssg give back that guy gold. Also treatening to ban him if he contact them again is .... stupid. But ban is their main solution for many things.
Also even if you have xxx problems, you should not send more than 1 ticket / for one of those probles, or they will be ignored, and if send them again, you may get baned. Its kinda "my way, or the high way" Its normal for most american companies. So yea, nothing new.
Dont open links unless you are sure they are safe. Done, If you do, your fault.
I know sm1 /actualy more than 1/ who got his account hacked, but guy is not even vip, so he will never get his things back.
They guy above just got lucky

Read again my comment about blaming the victim. Then read it again until you understand it. My computer and the programs on it were not accessed physically or online . . . period. I have been computer literate since the 1980s and know how to run a secure computer.

[WindDancer13]

This brings back terrible memories of when my first account got hacked and permanently banned in 2016.
I tried contacting support but they kept saying that the perm ban was warranted and kept closing my tickets instead of bothering to help.

If you were playing in 2011 and/or 2013 when Turbine had the game, there were two major breaches and over a million players had their information stolen complete with user names, passwords and birth dates. When SSG took over the game in 2016, they did nothing to address players being hacked due to those breaches. Obviously, they find it easier to ban accounts rather than deal with the issues that they knowingly bought.

[Plidak]

Read again my comment about blaming the victim. Then read it again until you understand it. My computer and the programs on it were not accessed physically or online . . . period. I have been computer literate since the 1980s and know how to run a secure computer.

Dude you play lotro. How your pc is not accessed online ....
Period ... sure.
And you obv cant run a secure pc. Period.

[Ulrek]

Read again my comment about blaming the victim. Then read it again until you understand it. My computer and the programs on it were not accessed physically or online . . . period. I have been computer literate since the 1980s and know how to run a secure computer.

Obviously you do not. I have been playing since 2006 and 'computer literate' since 1980 and have never had my account for any online game stolen. Either you have week security on your passwords or you were socially engineered. It sucks but true.

[oldsneakers]

SSG would rather spend money on bearded ladies than providing security to their customers with 2FA.

SSG should have this as a top priority if they cared.

[WindDancer13]

Obviously you do not. I have been playing since 2006 and 'computer literate' since 1980 and have never had my account for any online game stolen. Either you have week security on your passwords or you were socially engineered. It sucks but true.

My account was one of the million plus accounts that had information stolen in the LotRO 2013 breach. This is the first time one of my games has had stuff stolen from it, and it is directly related to the lack of security from SSG. There is a ton of information on the Internet on how to brute force a password along with free software to do so, and whoever did this had a head start with the account information they got from the breach.

And, LOL, no I was not socially engineered.

[Thurallor]

If you were playing in 2011 and/or 2013 when Turbine had the game, there were two major breaches and over a million players had their information stolen complete with user names, passwords and birth dates. When SSG took over the game in 2016, they did nothing to address players being hacked due to those breaches. Obviously, they find it easier to ban accounts rather than deal with the issues that they knowingly bought.

Interesting. I was playing then, and I haven't changed my password since then (or ever, actually). Wonder why none of the hackers are interested in my gold.

Why didn't you change your password in the 10+ years between the data breach and when your gold was stolen?

[thinx]

Interesting. I was playing then, and I haven't changed my password since then (or ever, actually). Wonder why none of the hackers are interested in my gold.

Go to haveibeenpwned and check. You just need to enter your mail adress and they will tell you if it was associated with the Turbine leak - which they could not know unless you associated your address with LOTRO somewhere else.
We do not know if ALL account data was retrieved, so your account *could* be an exception - but the data set is big enough to assume yours is among it. IF your data listed there, it is about time to change your password.

Most account hijacking that was described in the forums used manual effort, i.e. people logging in, changing the password and then logging all characters to sell stuff, retrieve gold etc.
So to answer your question why you were not hacked yet: They did not yet find the time for it. It was not your turn yet.

[SniperCT]

Read again my comment about blaming the victim. Then read it again until you understand it. My computer and the programs on it were not accessed physically or online . . . period. I have been computer literate since the 1980s and know how to run a secure computer.

Turbine was hacked, if you have an old account and never changed your password you're at risk.

Alternately if you use the same user/pass elsewhere and that elsewhere was hacked, hackers frequently use these lists of compromised accounts from website A to try to log into b, c, d, e, f, etc.

Thirdly is keyloggers acquired somehow, but honestly the first 2 are the most likely.

Obviously you do not. I have been playing since 2006 and 'computer literate' since 1980 and have never had my account for any online game stolen. Either you have week security on your passwords or you were socially engineered. It sucks but true.

As long as you change your password regularly you should be good. Most people, though, tend to share their usernames and passwords across multiple sites. If one of those is hacked, all are compromised and hackers will brute force dozens or hundreds of services to see if they get into anything.

My account was one of the million plus accounts that had information stolen in the LotRO 2013 breach. This is the first time one of my games has had stuff stolen from it, and it is directly related to the lack of security from SSG. There is a ton of information on the Internet on how to brute force a password along with free software to do so, and whoever did this had a head start with the account information they got from the breach.

And, LOL, no I was not socially engineered.

The first thing I did was change my password. And I've changed my password several times since then as a matter of course.

SSG desparately needs 2FA but that is coming.

Interesting. I was playing then, and I haven't changed my password since then (or ever, actually). Wonder why none of the hackers are interested in my gold.

Why didn't you change your password in the 10+ years between the data breach and when your gold was stolen?

For the love of god change your password! Just because they haven't gotten to you yet doesn't mean someone won't eventually try.

SSG would rather spend money on bearded ladies than providing security to their customers with 2FA.

SSG should have this as a top priority if they cared.

They're working on 2FA but that is coming with a general full authentication overhaul, so no real ETR. Also the team that handles that sort of engineering isn't the same team working on the character creator.

I wish we could change our usernames, I'd like to change mine.

[Polymachos]

My account is in the HaveIbeenPwned database, too. So far, nothing happened to me.

Maybe it is the password. Mine is rather long (14 characters) and does even include special characters. Maybe this was a bit too strong for a rainbow attack. Maybe, only yet.

Or there was a social element involved. Hard to tell. I hope, after a change in your password you are safe.


Good luck,

Polymachos

[SniperCT]

My account is in the HaveIbeenPwned database, too. So far, nothing happened to me.

Maybe it is the password. Mine is rather long (14 characters) and does even include special characters. Maybe this was a bit too strong for a rainbow attack. Maybe, only yet.

Or there was a social element involved. Hard to tell. I hope, after a change in your password you are safe.


Good luck,

Polymachos

No, it's luck you haven't been hacked yet. It's literally irrelevant that your password is strong because the password itself is compromised.

All someone has to do is look at a pastebin, find your user name, see the password listed there in plain text, and literally copy and paste it into Lotro's account page or the game and they are in. (or try that user/pass anywhere else to see if you've reused it).

And they use bots to do this so it's no work on their part at all. They just run through logging in with hundreds or thousands of accounts and the bot tells them which ones worked.

Being safe since then doesn't mean you'll always be safe, it just means someone hasn't reached yours yet.

And since we don't have 2FA yet, change your password and if you use that username/pass combo literally anywhere else, change it there too.

One time, I didn't even realize my wow account had been compromised until I had to remove my 2fa token in order to move it to another phone. In that 2 minute window. Someone got in, transferred my main to another server and was in the process of liquidating things. I was able to get in, change the password, email and readd 2fa, while also logging into the game itself to boot them out. Blizz was pretty good about rolling my account back to before that happened. A friend who hadn't played in 5 years had their account randomly compromised and I noticed because I saw their character online. In both these cases we didn't practice good practices and had reused user/pass at a different website that was later hacked and the info released into the wild internet.

So I change my password regularly, changed the usernames I used where I can(you can't change your lotro username unfortunately), periodically check to see if there's been a new breach somewhere (which immediately means I need a new password for places) and use 2FA literally everywhere I can.