
Account Hacks

Printed From: Illyriad
Category: Strategies, Guides & Help
Forum Name: Technical Support
Forum Description: Post your technical support related questions here.
URL: http://forum.illyriad.co.uk/forum_posts.asp?TID=6697
Printed Date: 17 Apr 2022 at 10:51
Software Version: Web Wiz Forums 12.03 - http://www.webwizforums.com


Topic: Account Hacks
Posted By: Bobtron
Subject: Account Hacks
Date Posted: 30 Nov 2015 at 21:00
My account has been manually abandoned, when never in a million years would I have abandoned it! Is there some 'hacker' or virus that is causing this? GMs, is it possible to reverse the abandonment when I did not consent to abandoning? This may also explain the abandonment of Half-Pint or Chet Militaire?


-------------
I support the Undying Flame!



Replies:
Posted By: Wartow
Date Posted: 01 Dec 2015 at 02:37
NOOOOOOOoooooooooooooooo  Bob!

#BRING_BACK_BOB


-------------


Posted By: GM Rikoo
Date Posted: 01 Dec 2015 at 02:40
We discussed this in chat and will in IGM, but we do not reverse an abandon. If your account is compromised, we are not responsible for what happens. I'm sorry for the inconvenience. 

I'll answer you in game now. 

Rikoo




-------------
Illyriad Community Manager / Public Relations / community@illyriad.co.uk


Posted By: Ptolemy
Date Posted: 01 Dec 2015 at 02:42
Is this a virus that can harm other people, or was Bob's account simply compromised?


Posted By: jcx
Date Posted: 01 Dec 2015 at 02:51
Under the page: 

http://elgea.illyriad.co.uk/#/Player/Account?page=abandon


Abandon this Account

I no longer wish to play this account. I understand that this is irrevocable

After clicking this button I can create a new account as long as I still only have a maximum of two accounts

This is irreversible - neither you nor the GMs can ever undo this. 

I understand this: [checkbox]


The system will require you to check the "I understand this: check box" and after that you may be able to click "Abandon Account"  and a prompt will pop up "Are you sure you want to abandon your account?" and after that another pop up will appear "Are you REALLY SURE you want to abandon your account?"   and after clicking that here you go - Account Abandoned!, and the game will move you back to the login page.

I think the devs created enough security measures and warnings on account abandon feature. Hacks - I think this happens when you share your login and password to several in-game players which is against the game policy and devs will suspend your in-game accounts too.



-------------
Disclaimer: The above is jcx|orcboy's personal opinion and is not the opinion or policy of Harmless? [H?] or of the little green men that have been following him all day.

jcx in H? | orcboy in H?


Posted By: Sheza
Date Posted: 01 Dec 2015 at 02:55
Do away with abandon. Or put a three day cool down, then it abandons.
Or we players just wipe them away; we have growth charts to let us know if they are active or not.
True?


-------------
If Horses don't go to Heaven when they die. then I want to go where they go.


Posted By: Ptolemy
Date Posted: 01 Dec 2015 at 03:52
That would mess with terraforming.


Posted By: Sheza
Date Posted: 01 Dec 2015 at 04:23
True that. I did not think of that.



-------------
If Horses don't go to Heaven when they die. then I want to go where they go.


Posted By: Rill
Date Posted: 01 Dec 2015 at 07:28
Wow, really sorry to hear this happened, Bob.  I hope you restart in the game.


Posted By: Wartow
Date Posted: 01 Dec 2015 at 13:48
I like Sheza's idea of a cool-down period... or perhaps the requirement of a secondary verification via e-mail or text.  Something to add that second layer of security...  Perhaps answering a password recovery-like question?  This may result in fewer abandons, but is that a bad thing?

-------------


Posted By: Ashleigh Jayne
Date Posted: 01 Dec 2015 at 13:51
Bob, I remember chatting to you the day you 'abandoned' - so sorry to hear that something has happened to your account. As Rill says, hope to see you back on the game soon!

-------------
^^^ Ashleigh Jayne (AKA) AJJ


Posted By: Sheza
Date Posted: 01 Dec 2015 at 16:39
Wartow, Evony (I know that's a bad word, sorry) had to add a security code to our accounts, 'cause that is an issue there. But cool down should work, and I don't know if it's a bad thing or not? Good luck Bob.




-------------
If Horses don't go to Heaven when they die. then I want to go where they go.


Posted By: Brandmeister
Date Posted: 01 Dec 2015 at 17:31
If the passwords were hacked, it is most likely a brute force attack. The same approach led to the hacking of celebrity iCloud accounts last year. The solution is quite simple, the account just needs to go into lockout after 3 bad passwords are attempted. It doesn't even have to be a full lockout, it can just be a 5 minute cool down between attempts if the password is wrong 3 times in a row.
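
Added example (not part of Brandmeister's post and not Illyriad's code): a sketch of the cool-down described above, 3 consecutive wrong passwords followed by a 5 minute refusal window. The credential store, the account name and the helper names are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILURES = 3            # "3 bad passwords" in the post
COOLDOWN_SECONDS = 5 * 60   # "5 minute cool down" in the post

# Constructed credential store for the demo (assumed names and values).
_SALT = b"constructed-demo-salt"
_STORE = {"bob": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 10_000)}


def check_password(account, password):
    """Constant-time comparison against the stored PBKDF2 hash."""
    stored = _STORE.get(account)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)
    return stored is not None and hmac.compare_digest(stored, candidate)


@dataclass
class _State:
    failures: int = 0           # consecutive wrong passwords
    locked_until: float = 0.0   # time before which attempts are refused


class LoginThrottle:
    """Per-account cool-down after consecutive failed logins."""

    def __init__(self, verify=check_password):
        self._verify = verify
        self._state = {}

    def attempt(self, account, password, now):
        """Return 'ok', 'bad_password' or 'cooldown' for one attempt at time `now` (seconds)."""
        st = self._state.setdefault(account, _State())
        if now < st.locked_until:
            # The password is not checked at all during the cool-down, so a
            # correct guess made inside the window still fails.
            return "cooldown"
        if self._verify(account, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + COOLDOWN_SECONDS
            st.failures = 0     # the next window starts a fresh count
        return "bad_password"


def guesses_checked_in_one_hour(account="bob"):
    """Feed one wrong guess per second for an hour; count those actually checked."""
    throttle = LoginThrottle()
    results = [throttle.attempt(account, f"guess-{t}", t) for t in range(3600)]
    return results.count("bad_password")


if __name__ == "__main__":
    print(guesses_checked_in_one_hour(), "of 3600 guesses reached the password check")
```

The same window also refuses the real owner while it runs, and a per-account counter does not limit one guess tried against many accounts, so it is normally paired with per-IP limits.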


Posted By: Pellinell
Date Posted: 01 Dec 2015 at 18:16
If players are indeed being hacked, this is a very concerning matter. Particularly for those of us who have been here for many years. I hope the devs get on this now and make sure there is a system in place to avoid this. I like the email verification idea best. Seems it would be easy to implement and would not affect terraforming.

Get on this devs please!


Posted By: Serpentina
Date Posted: 01 Dec 2015 at 18:43
I want to say that Bobtron's abandoning seems very odd to me.  He's been really active in the alliance and wasn't showing any sign of leaving.

I wasn't online yesterday, but I see that Bob was chatting with others in our AC at 30 nov 00:35.

Rikoo, can you see if Bob's abandonment was done during the same session?  Or in a subsequent session from the same IP?  If it was done from a different IP, and that traceroutes to a different geographical location, it'd sure lend credence that this may have been a hack.


Posted By: GM Rikoo
Date Posted: 01 Dec 2015 at 19:50
1) We already warn players to make secure passwords, etc, and to not share accounts. Even if we had multiple steps of verification, players will still have their accounts "stolen" which could mean many things (they shared it, they play at a public library, etc.) I will pass on the concern for more security, but considering how rare it is, I think we're generally pretty good.

2) IP addresses, etc would not tell the entire story. Again, though, the player is responsible for maintaining their account.

3) As I said before, no matter what, we will not reinstate an abandoned account. 

Thanks all! We are aware of possible hacking attempts and -- trust me -- keep a look out for them. Pass this on as an example of the importance of practicing security through tough passwords, not sharing accounts, etc.

I will not be discussing the particulars of any one player's case, so need to ask.

Thanks all!


Rikoo




-------------
Illyriad Community Manager / Public Relations / community@illyriad.co.uk


Posted By: Artefore
Date Posted: 01 Dec 2015 at 20:10
Originally posted by GM Rikoo:

..so need to ask.

...so *no* need to ask.  

Is what I think you meant.  


-------------
"don't quote me on that" -Artefore


Posted By: GM Rikoo
Date Posted: 01 Dec 2015 at 20:16
You're right, Arte. 

NO need to ask. :)



Rikoo


-------------
Illyriad Community Manager / Public Relations / community@illyriad.co.uk


Posted By: Pellinell
Date Posted: 01 Dec 2015 at 21:48
One player being hacked seems enough reason to me to make a change. Whether or not it happens once a year or once a decade, it happens and therefore should be addressed.

It doesn't seem to be too much to ask or particularly difficult to implement an email verification. I've put a significant amount of time and effort into building and maintaining my account over the last four plus years. If this were to happen to me I'd be very upset with "we are sorry but even though it can be prevented you don't matter enough for us to fix it" that to me doesn't show the devs care very much about the community that make their game what it is.

Thus I ask again please fix this.


Posted By: GM Rikoo
Date Posted: 01 Dec 2015 at 22:01
I am not going to try and convince anyone that we care about the community because we have not immediately placed new players of protection into a system that has already worked for years.

I would also like to remind everyone that "hacking" is often the first term that is used to describe any number of situations that are quite possibly not hacking... at all. People also refer to a chat silence as a ban. :)

I will pass it on to the team! If you have any other questions, let me know.

Rikoo






-------------
Illyriad Community Manager / Public Relations / community@illyriad.co.uk


Posted By: Ptolemy
Date Posted: 01 Dec 2015 at 23:36
Originally posted by Pellinell:

One player being hacked seems enough reason to me to make a change. Whether or not it happens once a year or once a decade, it happens and therefore should be addressed.

It doesn't seem to be too much to ask or particularly difficult to implement an email verification. I've put a significant amount of time and effort into building and maintaining my account over the last four plus years. If this were to happen to me I'd be very upset with "we are sorry but even though it can be prevented you don't matter enough for us to fix it" that to me doesn't show the devs care very much about the community that make their game what it is.

Thus I ask again please fix this.

I agree with Pell, if there is a chance of a hack, even if it is only 1% chance, the problem should be addressed. I don't want to get fully dedicated to the game, and then have someone hack my account and abandon.


Posted By: Angrim
Date Posted: 02 Dec 2015 at 00:18
Originally posted by GM Rikoo:

We are aware of possible hacking attempts and -- trust me -- keep a look out for them. Pass this on as an example of the importance of practicing security through tough passwords, not sharing accounts, etc.

i wonder if you might have some data to share about the prevalence of illy account hacking, in a general sense.


Posted By: Sheza
Date Posted: 02 Dec 2015 at 00:19
I can't grasp what email would do to help. 
"This is to inform you that your account is abandoned" 
Wait no .. help.. now what? 
or Mail that says it will be .. that is same as cool down . 
right?  And agree with person that said, one time is too much for someone hacked.
we put money and time in here. 



-------------
If Horses don't go to Heaven when they die. then I want to go where they go.


Posted By: Deo Volente
Date Posted: 02 Dec 2015 at 02:23
Sheza I believe they are referring to email verification which upon confirming you want to abandon your account it would send you an email with a confirmation link. Which when clicked would finalize the process. This way if someone did obtain your password and tried to abandon your account they would be unable to do so without having access to your email account. Added layer of protection so to speak.


Posted By: Mr Damage
Date Posted: 02 Dec 2015 at 04:05
I don't know what can be done to stop this happening but the day it happens to me will be the day I cease playing. Not a chance I would consider restarting because of something that I had no control over.


Posted By: Solanar
Date Posted: 02 Dec 2015 at 04:15
I'm with you Mr. Damage. It would be one thing to start over after being razed to the newb circle, at least that has some gameplay, it's something else again to wake up one day and realize you lost 4 years of effort to no end.


Posted By: Inferno
Date Posted: 02 Dec 2015 at 08:28
I like the idea of e-mail verification, think it'll help a lot with the issue. 

And I know it's out of the question that you would return an account that has been abandoned, Rikoo, but maybe there could be some way of compensation? for those who lost their accounts due to hacking or w/e security compromise (whether they had a hand in it or not), like if they can provide info that they're the owner of said abandoned account within a certain amount of time, say 3-7days, they can get a new account with 1/3rd of their former account amount of cities and some kind of resource pack sent to them to help them rebuild, tho I believe the community itself can take care of that last part.

It's just an idea that I came up with on the fly so not sure if this would be possible either, It's just the players themselves are a huge aspect of Illy, and as Mr Damage said if I were them I won't bother starting over from scratch if I've been playing for 1+ years, so I think offering the means for these players to get back into the game won't be a bad idea at all.


Posted By: Dungshoveleux
Date Posted: 02 Dec 2015 at 09:05
the email verification is a waste of time - if someone has your password they can change the email.
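
Added example (not part of any post in this thread and not Illyriad's code): the confirmation link Deo Volente describes, built so that the objection just above does not defeat it. The link goes to the address that was on file before any recent e-mail change. The 30 minute link lifetime, the 7 day hold, the addresses and all names are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 30 * 60                  # assumption: link valid for 30 minutes
EMAIL_CHANGE_HOLD = 7 * 24 * 3600    # assumption: 7-day hold after an e-mail change


@dataclass
class Account:
    name: str
    email: str
    previous_email: Optional[str] = None      # address on file before the latest change
    email_changed_at: Optional[float] = None
    token_hash: Optional[bytes] = None        # only a hash of the link token is stored
    token_expires: float = 0.0
    abandoned: bool = False


def _in_hold(acct, now):
    return (acct.email_changed_at is not None
            and now - acct.email_changed_at < EMAIL_CHANGE_HOLD)


def change_email(acct, new_email, now):
    """Change the address, remembering the long-standing one while the hold runs."""
    if not _in_hold(acct, now):
        acct.previous_email = acct.email
    # A second change inside the hold keeps previous_email untouched, so
    # chaining two changes cannot push the owner's address out of the record.
    acct.email = new_email
    acct.email_changed_at = now


def request_abandon(acct, now, send_mail):
    """Issue a single-use link token and mail it; return the recipient address."""
    recipient = acct.previous_email if _in_hold(acct, now) else acct.email
    token = secrets.token_urlsafe(32)
    acct.token_hash = hashlib.sha256(token.encode()).digest()
    acct.token_expires = now + TOKEN_TTL
    send_mail(recipient, token)      # the token never goes back to the browser
    return recipient


def confirm_abandon(acct, token, now):
    """Called when the mailed link is opened; True only for a valid, fresh token."""
    if acct.token_hash is None or now > acct.token_expires:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, acct.token_hash):
        return False
    acct.token_hash = None           # single use
    acct.abandoned = True
    return True


def demo():
    """Constructed scenario: a stolen password, two e-mail changes, then an abandon request."""
    outbox = []
    acct = Account("bob", "owner@example.test")
    change_email(acct, "intruder@example.test", now=1000)
    change_email(acct, "intruder2@example.test", now=1001)
    recipient = request_abandon(acct, 1002, lambda to, tok: outbox.append((to, tok)))
    return recipient, acct.abandoned


if __name__ == "__main__":
    print(demo())
```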


Posted By: Ander
Date Posted: 02 Dec 2015 at 13:36
Originally posted by Bobtron:

My account has been manually abandoned, when never in a million years would I have abandoned it! Is there some 'hacker' or virus that is causing this? GMs, is it possible to reverse the abandonment when I did not consent to abandoning? This may also explain the abandonment of Half-Pint or Chet Militaire?

Do you have sitters? There is a bug that "sometimes" gives your account access to your sitter.

I have a few times been able to access the account rights of the player I sit for. 

How do I know? When I try to go back to my own account through this page
http://elgea.illyriad.co.uk/#/Player/Account?page=sitter

instead of showing "Return to your account" it just shows your sat account's sitter page that says 
"Accounts you sit for" and "Sitters on your account". 

I don't know how to reproduce this problem, but it has happened to other people as well. 

Once a person reported this problem to GM Luna. (I can give name of the player if the devs want to check conversation with GM Luna regarding this problem). I believe GM Luna asked for screenshots and he was in no position to give that because he had logged out from the sat account.




Posted By: Sheza
Date Posted: 02 Dec 2015 at 13:46
Can't someone change the email?  I think if they hack into abandon they can use the "change email" 
that's why a timer would be best I think. or a code we get to protect our accounts. 



-------------
If Horses don't go to Heaven when they die. then I want to go where they go.


Posted By: Ander
Date Posted: 02 Dec 2015 at 13:48
Originally posted by Serpentina:

Rikoo, can you see if Bob's abandonment was done during the same session?  Or in a subsequent session from the same IP?  If it was done from a different IP, and that traceroutes to a different geographical location, it'd sure lend credence that this may have been a hack.

This could also find out if the abandon was done by a sitter, exploiting the bug in the game. (If he had a sitter that is).

This bug hasn't occurred to me lately, but it occurred 3-4 times in a span of a few months when I used to log into my sitter's account frequently (when I was taking resources from her city to build up). So it is not all that uncommon.




Posted By: Ander
Date Posted: 02 Dec 2015 at 14:06
I have found the IGM discussing this problem, will forward to GM Rikoo. The IGM has a snapshot of the problem also.


Posted By: GM Rikoo
Date Posted: 02 Dec 2015 at 14:29
OK, one second.

If there is a separate issue with sitters, etc, please use the petition system and send me the information. Let's keep this topic on track or it will not work. I believe we have already spoken in game about the sitter issue, but I received an IGM, ****not a petition****.

I cannot stress this enough:

PLEASE petition issues. If you think it is something urgent or gamebreaking, send me an IGM. If a petition seems important and has gone unanswered for months or years, LET ME KNOW. I CANNOT READ MINDS.

Seriously... we created a petition system that is a bit TOO good for such a small team. There are too many of them, most that can be shut down because the issues have been fixed or can be fixed now, quickly. POINT THEM TO ME. Help me out, please. 

Having said that:

1) No, we ***will not*** compensate players who have been hacked, claim to have been hacked, or somehow lost control over their account. We have successfully used this system for years, with tens of thousands of abandons, with barely any issues.

2) We will not add a delay or a chance to "take back" an abandon. Imagine: Tony marks his account as abandoned, gets a bunch of attacks coming in, then claims it back and goes "HELP!!" - drama ensues. 

We will look into other possible things we can tweak, but the system works great as it is. 

Rikoo






-------------
Illyriad Community Manager / Public Relations / community@illyriad.co.uk


Posted By: Brandmeister
Date Posted: 02 Dec 2015 at 17:20
This really isn't a problem with the Abandon function. It's a problem with account security, probably caused by password problems. Even if the devs "fixed" the Abandon function with extra steps or a timer, someone can still trash your account by demolishing cities, wasting your resources, disbanding your troops, exhausting your prestige, or any number of other undesirable things.


Posted By: Sheza
Date Posted: 02 Dec 2015 at 18:05
Brand, that is true. but from that I can recover. I can't recover abandon. 
if I sign in and see my caravans going to your castle I pretty much know who's the bad guy 
(Brand you are not a bad guy. in fact a hero type) 
But Just saying 


-------------
If Horses don't go to Heaven when they die. then I want to go where they go.


Posted By: Bobtron
Date Posted: 03 Dec 2015 at 02:19
For the people who think I abandoned on purpose - Why on earth would I ever do that?!? 1.5 billion gold in trade hubs, equipment, and prestige, along with some nicely situated towns. And according to my browser history on all home computers, I didn't visit illy at all during November, let alone account abandon, except on my main desktop. I had no sitters for at least 6 months, and since my password registers as 'strong', I am forced to accept that my account was compromised/hacked in some way. (SQL injection?)

Why not make some sort of a delay, or password reentry, or email verification, or that account abandons don't fully wipe out everything? You can make it so then Tony's account is only marked abandoned when everything is officially wiped, and not when there is still a chance of recovery, during a (3 day?) period. And the password reentry would stop, say, an account abandon when you're on a bathroom break. The email verification would serve to ensure that a player consents to such an abandonment, and if the email address is changed right before the abandonment, the gms can recompensate such players.

In overarching sense, yes, the system might work "great", but remember, just because no one complains, it doesn't mean that all the parachutes are fine. Maybe there were more cases of mysterious abandonment that went unnoticed because the players didn't want to go to the trouble of rebuilding everything, or other players that simply went solo.


-------------
I support the Undying Flame!


Posted By: GM Rikoo
Date Posted: 03 Dec 2015 at 02:24
1) I will not discuss the particulars of your issue in the forums.

2) We already discussed why a delay would be a bad idea. We cannot allow a player to mark themselves as abandoned, only to return shortly... for many reasons.

3) We have already taken suggestions for email verification, etc, in this thread and in communications with you.

4) We do not register problems only when people complain. We have other ways of noticing when an issue is an issue. Again, the system has worked almost perfectly for many years. 

If anyone has any new suggestions, please feel free to post them here. Going over the same points we have already gone over would do no good, as I can only copy them down once.

Thanks all!


Rikoo




-------------
Illyriad Community Manager / Public Relations / community@illyriad.co.uk


Posted By: jcx
Date Posted: 03 Dec 2015 at 05:38
Have you tried entering wrong password for 5 times in a row? if you haven't yet. Try it.

I think Illyriad has properly put security processes in place. 

I think the real problem here is when we share our passwords to other in-game players. 

I suggest you change your passwords: put something like in UPPER CASE + lower case (Letters) + 5p3ci@l Ch@rat3r$ + 1234567890. 

And please no sharing for Illyriad's login and password. :)

I agree with GM Rikoo! 


-------------
Disclaimer: The above is jcx|orcboy's personal opinion and is not the opinion or policy of Harmless? [H?] or of the little green men that have been following him all day.

jcx in H? | orcboy in H?


Posted By: Angrim
Date Posted: 04 Dec 2015 at 00:35
Originally posted by GM Rikoo:

1) No, we ***will not*** compensate players who have been hacked, claim to have been hacked, or somehow lost control over their account.

compensation cannot be a serious suggestion. imputing a value to whatever players feel they have invested in an account would lead to a pandora's box of legal implications i cannot begin to fathom, and here i am passing blithely over the issue of "has the account really been hacked?", which would suddenly become the responsibility of the devs to determine. this way leads to madness. Rikoo's reaction seems kind compared to what i would expect to see from GM Stormcrow.

Originally posted by GM Rikoo:

We have successfully used this system for years, with tens of thousands of abandons, with barely any issues.

i read this as "the burden of proof is on you (BobTron) to demonstrate there is a problem with a system that has worked so well for so long." if information will help you construct a timeline, ask for that (privately, not via the forum).

Originally posted by GM Rikoo:

2) We will not add a delay or a chance to "take back" an abandon. Imagine: Tony marks his account as abandoned, gets a bunch of attacks coming in, then claims it back and goes "HELP!!" - drama ensues.

i'm not sure i'm in favour of this, but the way to make this work is to allow a player to register his/her intention to abandon and then execute the actual abandonment after a three days absence (or appropriate period). nothing is done to the account during the countdown. if the player signs into the game during those three days, s/he is greeted with a "glad you changed your mind" message and the game tosses out the timer. if the player stays out for the required time, the account is abandoned at the end of the waiting period. (again, not trying to convince anyone of this, just laying out how it might be done *if* the devs were interested.)
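
Added example (not part of Angrim's post and not Illyriad's code): the deferred abandon laid out above as a small state machine, including the case where a login arrives after the deadline but before the periodic job has run. All function and field names are assumptions; the three day period is the one from the post.

```python
from dataclasses import dataclass
from typing import Optional

GRACE_SECONDS = 3 * 24 * 3600   # "three days absence" in the post


@dataclass
class Account:
    name: str
    abandon_requested_at: Optional[float] = None   # None means no request pending
    abandoned: bool = False


def request_abandon(acct, now):
    """Register the intention only; nothing else about the account changes."""
    if not acct.abandoned and acct.abandon_requested_at is None:
        acct.abandon_requested_at = now


def _grace_over(acct, now):
    return (acct.abandon_requested_at is not None
            and now - acct.abandon_requested_at >= GRACE_SECONDS)


def sweep(accounts, now):
    """Periodic job: abandon every account whose grace period has fully elapsed."""
    done = []
    for acct in accounts:
        if not acct.abandoned and _grace_over(acct, now):
            acct.abandoned = True
            acct.abandon_requested_at = None
            done.append(acct.name)
    return done


def on_login(acct, now):
    """Handle a successful login; return the message shown to the player."""
    if _grace_over(acct, now):
        # Deadline passed but the sweep has not run yet: finish the abandon
        # here so a late login cannot cancel it.
        sweep([acct], now)
    if acct.abandoned:
        return "account abandoned"
    if acct.abandon_requested_at is not None:
        acct.abandon_requested_at = None    # the game tosses out the timer
        return "glad you changed your mind"
    return "welcome"


def public_status(acct):
    """What other players see: a pending request is not visible to them."""
    return "abandoned" if acct.abandoned else "active"


if __name__ == "__main__":
    tony = Account("tony")
    request_abandon(tony, now=0)
    print(public_status(tony), on_login(tony, now=3600))
```

Under this design a request made with a stolen password is undone the next time the owner logs in within the three days; an owner who stays away longer is not protected by it.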


Posted By: GM Stormcrow
Date Posted: 04 Dec 2015 at 01:56
I've resisted commenting on this thread, but now that this is raising questions about the security of the entire system, I feel I have to.  

I certainly don't want anyone feeling that our system is compromised in any way whatsoever.

Originally posted by Bobtron:

I am forced to accept that my account was compromised/hacked in some way. (SQL injection?)

Put simply, no.  Sorry.

Illyriad has really quite serious security features - most of them invisible.  

We completely log every single click ingame, with full audit trails.  

We're not - and have never been - vulnerable to SQL injection, and I'd be grateful if people could stop stirring up potentially damaging clouds of FUD on subjects they know little about.  However, for obvious reasons, we don't specifically outline our security policies and protocols.

What I can say is that we know who was logged in, what credentials they used to log in - and even the details of their specific browser and session, logged to the millisecond with every single click that anyone makes on anything in the entire game.  

This is stuff *way* beyond the fairly blunt instrument of IP addresses; we track to the actual browser session itself (and beyond).

Suggestions about "delays" and "2 factor verification" etc are nice and all... but they're a sideshow to the fundamental truth that we do actually know what buttons were pressed, when they are pressed, and what credentials, IPs and browser session cookies were being used to authenticate their usage.  

Regards,

SC
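
Added example (not part of GM Stormcrow's post and not Illyriad's code): the comparison Serpentina asked about earlier in the thread, run over a per-click audit trail of the kind described above. The log format, field names, action names and sample lines are all constructed, and the result is a triage flag for a reviewer rather than a finding of compromise.

```python
import csv
import io
from datetime import datetime

# Constructed audit-log sample (not real data): time, account, ip, session, action
SAMPLE_LOG = """\
2020-01-05T18:02:11Z,billy,203.0.113.7,s-101,login
2020-01-05T18:02:40Z,billy,203.0.113.7,s-101,send_caravan
2020-01-09T00:35:02Z,billy,203.0.113.7,s-102,login
2020-01-09T00:35:30Z,billy,203.0.113.7,s-102,alliance_chat
2020-01-10T04:10:00Z,billy,198.51.100.23,s-250,login
2020-01-10T04:10:09Z,billy,198.51.100.23,s-250,abandon_account
2020-01-08T09:00:00Z,tony,192.0.2.50,s-290,login
2020-01-10T09:00:00Z,tony,192.0.2.50,s-300,login
2020-01-10T09:20:00Z,tony,192.0.2.50,s-300,build
2020-01-10T09:45:00Z,tony,192.0.2.50,s-300,abandon_account
"""

DESTRUCTIVE = {"abandon_account"}   # assumed action name


def parse(log_text):
    """Turn the CSV text into time-ordered event dicts."""
    events = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        ts, account, ip, session, action = row
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append({"when": when, "account": account, "ip": ip,
                       "session": session, "action": action})
    return sorted(events, key=lambda e: e["when"])


def review_destructive_actions(log_text):
    """For each destructive action, report how it relates to the account's history."""
    seen_ips = {}    # account -> IPs used so far
    sessions = {}    # session id -> start time, action count, whether its IP was known
    findings = []
    for e in parse(log_text):
        ips = seen_ips.setdefault(e["account"], set())
        info = sessions.get(e["session"])
        if info is None:
            # First event of a session: compare its IP with history before it.
            info = sessions[e["session"]] = {
                "start": e["when"], "actions": 0, "ip_known": e["ip"] in ips}
        if e["action"] in DESTRUCTIVE:
            findings.append({
                "account": e["account"],
                "session": e["session"],
                "ip_known": info["ip_known"],
                "prior_actions_in_session": info["actions"],
                "seconds_since_session_start":
                    int((e["when"] - info["start"]).total_seconds()),
                # A triage flag for a human reviewer, not proof of compromise.
                "verdict": "consistent" if info["ip_known"] else "review",
            })
        elif e["action"] != "login":
            info["actions"] += 1
        ips.add(e["ip"])
    return findings


if __name__ == "__main__":
    for finding in review_destructive_actions(SAMPLE_LOG):
        print(finding)
```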


Posted By: Ruarc
Date Posted: 04 Dec 2015 at 10:40
Originally posted by GM Stormcrow:

What I can say is that we know who was logged in, what credentials they used to log in - and even the details of their specific browser and session, logged to the millisecond with every single click that anyone makes on anything in the entire game.  

Um. This is actually much more alarming than I had previously thought. You have a blanket policy against reactivating abandoned accounts even if you know that it's unlikely and/or effectively impossible that the person who actually owned the account pressed the Abandon button?

Just by way of example here's the scenario I have in mind: Say you've happy-go-lucky Illyriad player Billy. Billy lives in Australia. Two years playing Illyriad later Billy tries to log in but can't. Apparently his account has been abandoned. He whines a bit about how it's not him that abandoned the account.

Meanwhile, you've got one (or more) of the GMs sitting at a computer looking at the login details for Billy. They know that Billy's account was abandoned from somewhere in the United States. Somewhere that he's never logged in from before. They do nothing.

I'm being (hopefully obviously) a bit flippant here so that you get my point. It's not reassuring, in the slightest, saying that you know all of this information if you have no intention of ever using it to undo clearly malicious actions taken against someone's account. A further layer of player-side security isn't a sideshow in that scenario, in all fairness.


Posted By: BARQ
Date Posted: 04 Dec 2015 at 14:18
I think GMs said they have taken the suggestions of email verification etc in consideration so this ends the debate.
they've agreed to what you were suggesting to avoid this type of abandons.
please let me know if I'm wrong


Posted By: Ruarc
Date Posted: 04 Dec 2015 at 14:32
Originally posted by BARQ:

I think GMs said they have taken the suggestions of email verification etc in consideration so this ends the debate.

It doesn't sound that way. GM Stormcrow said;

Originally posted by GM Stormcrow:

Suggestions about "delays" and "2 factor verification" etc are nice and all... but they're a sideshow to the fundamental truth that we do actually know what buttons were pressed, when they are pressed, and what credentials, IPs and browser session cookies were being used to authenticate their usage.  

That certainly implies (to me at any rate) that they have no intention of implementing any sort of further verification process to the abandon account option.


Posted By: GM Rikoo
Date Posted: 04 Dec 2015 at 15:16
We have answered the questions about this policy very clearly now, so I am closing this thread.

If you have questions about your specific account, please let me know in game or at community@illyriad.co.uk.

If we change or alter the way things are done in any way, we will of course let everyone know as with any other update.


Thanks!


Rikoo




-------------
Illyriad Community Manager / Public Relations / community@illyriad.co.uk


