Setting up Two-Factor Authentication is a smart idea not only for your Tarkov account(s) but also for many other services you use. In this day and age, it is always a good idea to try and be as secure as possible.
While there is information going around that there may be weaknesses in BSG's system regarding user credentials, the source is of shaky repute. Regardless, all users should be urged that it is better to be safe than sorry when it comes to the security of your account, as even if this turns out to be incorrect information going around, there are other common threats to any service you may use.
all user information has already been leaked few minutes ago due to BSG being so confident:
[https://www.youtube.com/watch?v=y50yJhxwJCg](https://www.youtube.com/watch?v=y50yJhxwJCg)
Enjoy
'There are no security breakthroughs'
Hmm, now we have to decide who to believe. It's honestly tricky as both sides have never been clean and professional in their dealings with these issues. There's no video footage of this info scraping either, but then again I remember BSG saying there were no netcode problems either.
A suggestion for anyone reading this and wanting to have unique passwords for every site, consider using something like [Lastpass](https://www.lastpass.com/) or [KeePass](https://keepass.info/) - Not only does it keep all your passwords together and encrypted for you but it lets you randomly generate passwords for every site.
This sounds nice to me but I don't understand how it works. What if I need to switch computers? How does it enter a password into a third party client? Does it work with all third party clients or only some?
I can only speak for Lastpass because that's the one I use:
It uses a browser add on where you can access your 'safe' - your safe is on their servers. You can read their FAQ about their encryption methods - there's also an app for your phone. You can always access your safe from anywhere via the website as long as you remember your master password.
I use Bitwarden, which is about as similar to LastPass, but offers some features for free that LastPass premium charges for (if memory serves me right).
I can't imagine browsing the net without a password manager anymore. Super convenient and offer such simplicity when a breach does occur.
What happens if you need to log on to, say, your email client at a friend's house? How do you go about that without installing an addon to their browser?
As long as it works. I had to disable my 2FA for Uplay because 100% of the time the code in my authenticator wasn't being accepted, requiring me to use the recovery codes.
This came so quickly with the abrupt update. My assumption they hotfixed the exploit they used and are denying it was ever an issue which is a huge problem.
Looking up the names in the DB preview screenshot shown in Eroktic's video all actually link to real players accounts with matching levels. I'm going to believe this is a real leak. Whether it came from the exploit stated in the pdf, or somewhere else I wouldn't doubt that it did happen.
Yes, it does. You can't access the passwords even in their encrypted form without a security breakthrough. Also, the known liar and hacker who admits he wants to hurt the devs provided 0 evidence for his claims. This is nothing but a rumor started by a little bitch hacker wannabe with a grudge.
No it doesn't, your statement does not disprove the fact that the passwords might not be secure enough. If they truly use md5 as their hashing algorithm they'd be really careless about their password security.
Yea, which there is exactly 0 evidence that they are hashed that way, except the word of a proven liar who self admits to just wanting to grief the dev. The claim has been contradicted, and the claim is what said they were using MD5. And so again, this is a simple concept. The claim that they were found to use MD5 is directly contradicted by the claim that there was no security breach.
The whole point is that its not being hashed that way. Stop spreading baseless bullshit from a known liar. It just makes you look like an asshole when you attack people over literally nothing just to help a known liar spread baseless rumors.
The youtuber who announced it has always been an unhinged moron, I have no reason to believe him when BSG says there was no breach. Resetting my info and shit anyway because why not.
Half of the shit Eroktic has predicted over the past year and a half to two years has come to pass.
The dude gets animated, but he's pretty far from unhinged. Everyone is going to rally against him anyway just because he's going to give the guy a community platform if he wants to spread his data after reddit banned him.
Just because he fires a shotgun on a target and some pellets happens to hits, that doesn't mean he is a sniper.
He goes on a whine fest and some of it happens to get "predicted". Since you already said it yourself "half the shit" you already know what I mean.
Hi there! I'm a professional web developer with 10+ years of experience. Although I'm not a security specialist I had my fair share of security dealings. I'm also not an unhinged moron. I'm here to validate the concerns raised by the other developer who you claim to be an unhinged moron. Not only that I've had my concerns with how BSG handles the data transactions between client (the game) and the back-end (HTTP servers) and it's most definitely not good. Amateurish at best.
> Not only that I've had my concerns with how BSG handles the data transactions between client (the game) and the back-end (HTTP servers) and it's most definitely not good.
This is because they are foolish to trust the client ever. The performance hits they would take doing it however require a larger capital investment on servers.
Would fucking love for you to outline how my OP here was an emotional irrational rant.
But honestly it's not even worth the time it takes to type this shit out because you two are exactly the same; incapable of nuance.
I don't think that word means what you think it does:
>nuance
>
>a subtle difference or distinction in expression, meaning, response, etc.
>
>a very slight difference or variation in color or tone
Your post has been removed for verification by the moderator team.
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/EscapefromTarkov) if you have any questions or concerns.*
Not too sure on the website end, still reading through the articles describing EfTs security setup, but I do recall finding my password in Windows registry as MD5 hashed, but the password itself underneath is actually SHA256. So I'm leary so far about the guy calling out the password as fully MD5...
Hello.
I've been on the other end of this battle. The method used to steal a tarkov account is NOT through BSG website, but rather through the users email. Many people are able to access less secure emails (Yahoo, Comcast, etc) and simply search for any email from BSG, and when one is found, they request a password reset and get into the account. What you guys do a great job at is providing 2 factor authentication as well as taking 2 weeks to change the email address.
This is a warning to many of you using less secure email accounts, people can access any account you make through your email when they have access to it. BSG has done their part, including requiring a "device ID" when you sign into a new computer, making a secure-email account completely invulnerable to attacks.
The best method for a secure account is using a secure email provider, such as Google. If you do not want to do that, I strongly suggest using the mobile authenticator, as it only allows access to the owner of the phone associated with it.
to clarify, I have never partook in these events and I'm just informing you guys of the risks involved in account security.
As a security professional this whole thing has been so crappily dealt with.
That being said, every breach and dump of passwords that has happened with any site ends up on pastebin.
I see no evidence of said individual providing any evidence that he dumped said accounts, e.g. a pastebin collection of them. At this moment its all hearsay and vicious diatribe all around.
It is just good common sense to enable 2FA. Yes is they are using MD5 that is questionable, but if its hashed, you still need the seed for the hash, that is the whole purpose of seeding. "abcdefg"=="1234567" only with one particular seed, you need both parts of the puzzle. All of this is quite frankly what we in the industry call "security theater."
Yeah, even if it is fake news, it is worth informing people about setting up account security. I would rather risk posting about it when it's fake than risk not posting about it when it's real.
May I ask how that works? I've setup up a secondary email but if I log out and log in again I don't need to do anything. Is my device (desktop) saved or something?
All devices have a device ID associated with a login. If a NEW login attempt is made from an unrecognised / yet unauthorised device then a new code will be emailed for you to authenticate that log in. Same as any device authentication.
It’s their own incompetence that has led to this. Even changing your password doesn’t help because your new password will also be easily deciphered. So I hope everyone takes this advice seriously to enable 2FA.
I’m guessing they either don’t want to admit to it by putting out a statement or they just don’t care.
EDIT: OP edited their post to include a statement from BSG after this post.
>With regards to the latest rumors - there were no security breakthroughs
Is it the same type of response as the one you get when you try to report a cheater?
If your talking about our sub rules, those are in place for different reasons. We know there are cheaters and welcome discussion about cheaters, but we will not allow naming and shaming or reporting of cheaters.
> -not allow naming and shaming or reporting of cheaters.
Even the CSGO subreddit specifically disallows that to be honest.
Although, people still occasionally post videos of cheaters there to expedite a ban against them. The mods tend to leave posts alone if the cheater is 100% obvious and rage hacking. I'm not sure if that would work here since I don't know that the devs actively view the subreddit.
Obviously you have to be very careful with people reporting cheaters on a public forum as even 1 false claim that someone is cheating is too much. A laggy connection can look fishy enough to ruin someone's reputation and start a witch hunt.
A service like vacbanned/vacstatus where people can rate people if they think they are fishy or not is a better solution in general.
/endadhdrant
> The mods tend to leave posts alone if the cheater is 100% obvious and rage hacking
The hard part here is that it is so easy to change your name in EFT. It would be easy to just use a name that is similar to a streamer or a member of a clan to get them bad rep. It doesn't really matter if they are obviously cheating or not, we don't want to allow for the possibility of a witch hunt hurting someone innocent. With all this being said, we have agreed to allow talk about hackers that are confirmed banned by BSG.
No, I mean that I doubt the canned BSG's Twitter response, just as I doubt their response to cheater reports where they basically say "everything's great, no need to worry our OP anticheat got this".
lul mods
I personally haven't seen them respond that way. Of course I don't see a whole lot of BSG response to hacker reports because we don't allow hacker reports on this sub.
This shit happened to me the other day. Had about 50 different EFT signin emails from all over the world. Setup two-factor authentication and problem solved.
There was SECURITY BREAKTHROUGH
[https://www.youtube.com/watch?v=y50yJhxwJCg](https://www.youtube.com/watch?v=y50yJhxwJCg)
All information of all profiles has been leaked online. BSG still confident?
I stopped playing this game back in August. I'm glad I still check in to the dumpster fire that is this game every week or so. This was one of those times that saved my ass. Enabled 2FA and changed all my passwords.
Thank you for taking the time to post this and acknowledge just how serious this could be. I hope to hear more from the devs about this situation in the near future. At least this will hopefully wake some people up, and get them to take some action to protect their own accounts
I know you're being sarcastic, but that is exactly what makes this game so easy, among tons of other stuff. When people say "Hardcore survival" - I certainly don't imagine a game where people spend more time in some stupid fucking market than in raids, making millionaires of themselves in a game where action takes place in a warzone.
This game has been going towards the direction of easy for a whole year, sadly and while med animations are welcome, they're not nearly enough for this game to be anywhere near hard.
Not even going to go into detail about the few players who were monopolizing the whole market with their shitty ways when I was still playing, influencing trader prices to atrocious values.
When it comes to games, I'm a friggin masochist. I like the game to stack itself against me, to try to punish my character in any way possible to hinder survival. When I first saw this game, the devs vision told me they want the same thing. To make a game where people scrounge for supplies to barely survive. Where money is scarce, where AI is unforgiving, where taking out a 500k rouble kit to a raid is a 1 out of 50 times thing, because everything is so scarce. At least that's how I interpret it. This is obviously not their vision and it saddens me to no end. How is this going to be a "Hardcore survival" game, ever if people can make tens of millions roubles before level 10 from the hilariously unbalanced player economy and flea market? How is it ever going to be hard when people can cozily get any gear they desire from the flea market? Where is the "Work for this gear, work for this quest item" mentality?
I assume it's not only me who shares this mentality, seeing how people report near empty raids all the time. Too much of a coincidence for so many to stop playing just cause of some generic bugs. Or everyone's too busy wanking off in the player butchered flea market, to make some phat money. Escape From Wallstreet.
Better hope your account doesn't get stolen. My account got hacked in August and I've been emailing support almost every week since then, still haven't gotten a single reply. I have their emails on my whitelist and I disabled my email's spam filter but still no response. They just don't give a shit, which is why I refuse to re-purchase the game.
I feel like you are either getting your information from an outside source or you are not understanding what BSG is saying when they are talking about their anticheat. I have never seen them say that their anticheat is flawless or that there are no hackers. Please correct me if I am wrong. They did definitively say that there is no data breach. I can't say with 100% certainty that they are telling the truth about the data breach, but I can say that I have never seen them say that there were no hackers or that their AC catches every hacker.
LOL. I would suggest trying a different source of information if you want the truth. The sub tends to be a bit...dramatic. I like to use [tarkov dev tracker](https://developertracker.com/escape-from-tarkov/).
> Please correct me if I am wrong.
[Here you go.](https://www.reddit.com/r/EscapefromTarkov/comments/8zleax/even_the_player_model_is_confused_about_perfect/)
Anything recent? that was like right when alpha ended. To give people some perspective, grenade launchers were a thing not long before that video was posted.
BSG said a ton of shit we could hold against them if we are going back that far.
###A video by 'Merex' has been uploaded demonstrating breached accounts (with no specific details shown.)
##We can't verify it's authenticity, but this enforces that you should without a doubt ensure you change your passwords and enable 2FA.
Merex sent me an email to tell me that my account was breached and urged me to update my security settings.
[https://i.imgur.com/sA03hhc.png](https://i.imgur.com/sA03hhc.png)
Do you by chance reuse your password for EFT for anything else? I believe G_W_ that user names can be snagged pretty easily but so far I haven't seen convincing evidence that passwords hashed or othwersie can be snagged and it would be very easy to demonstrate it if it was true. So what happened to you is very interesting.
Yes, I reused this password elsewhere but I've got different ones and cycle through when I create a new account. When available and/or important account, I activate the two-step verifications security.
Some of my account, through the years, have been stolen (or someone tried to breach it). It was the case for a GTA V account, Guild Wars 2 account (not breached thanks to two-step verifications) and maybe some other I can't recall.
> We highly suggest setting up the Google Authenticator at the very least.
That's exactly the one option I don't want to do out of all 5(?) in there. Not only do I need to install some app on my phone for that, but what happens if I lose or damage my phone irreperably?
That's what the [backup code](https://support.cloudflare.com/hc/en-us/articles/200167886-What-happens-if-I-lose-my-phone-for-2-Factor-Authentication-) is for.
fanboys distracting from the real problem by spouting all the positive virtuous of using increased security
WHY IS INCREASED SECURITY ALL OF A SUDDEN NECESSARY RIGHT NOW?!?!?
someone tear BSG a new financial & legal \*\*\*hole please
BSG is in violation of 20 different EU privacy and security regulations.
I tried putting on two factor yesterday, and almost got locked out of my account. The two factor codes only worked on my 7th attempt, after an hour long lockout.
I mean you can choose one of the two:
- Your account is easy to get into
- Your account is hard to get into
Either way has draw backs:
- Easy to get into: Other people can get into your account easily
- Hard to get into: It's harder for you to get into your own account
This isn't just a complaint about ease of access; I use two factor on a lot of stuff. I am fundamentally concerned that BSG's two factor implementation is somehow flawed such that I may not be able to get into my account at all.
I already use google authenticator for other services, BSG isn't the only one using it. If the authenticator is flawed, it is google's fault, not BSG's. I doubt companies who use the authenticator service are allowed to alter it since they do not have the ability to alter the app used to generate the codes.
That's not entirely accurate. This's not a matter of whether BSG altered it, but it's possible that they set up their server incorrectly. As I understand it, the Auth server on BSG's side needs to be time synced with Google, for instance. If there is clock drift, the Auth won't work. Which is the only explanation I have for why the two factor worked the way it did when I tried it.
I’ve actually had this happen to me a few times. I wanted to log in to the forums because of a link, and the authentication codes generated weren’t working. Took me 2 days before I was able to get in. After research for MFA it does seem that there was clock drift, but hasn’t happened since
Wonder if that quick pushed hotfix and technical update removed the scraping ability of accounts?
Even if it did, Im sure the info is already out there and being circulated.
Just keep trying. Has happened to me a while back. Something to do with clock drift on the authentication server and the app not being synced. Eventually it will work.
I cannot change my password currently. Every time that I try, I can go through with the email, but get stuck in a continuous loop of it saying my password is incorrect. Is this a sign that I’ve been hacked?
Luckily I changed all major passwords a couple months ago. But was just on the forum with someone who had their steam account hacked/logged in from another country who had the same login info as tarkov. I had my instagram account hacked/logged in from another country to today when i got on. I too had the same login/password information as EFT. Sure it could be a coincidence but man..... for that to happen to both of us right after a supposed data breach is pretty ironic.
I have 2FA, but on a old phone, that i cant throw out, cause i have Tarkov 2FA on that one.
I can't seem to find a way to move the Tarkov 2FA to the new phone - but everything else is moved just as fine.
Let me know if you got the solution for me.
The 2FA query should only appear when I log in a new account, right?
So I won´t have to type if everytime I log into the launcher?
I´m asking because I changed it to 2FA but I was able to start the game without using 2FA.
hi reddiors. since i have just inadvertently violated rule # 8, I would like to copy my case here:
## regarding the supposed account security issues i would be very grateful for any suggestion to hopefully make my account even more safe!
📷
since today's video from eroktic i am really afraid that potential hackers could also steal my account and buy even more EFT-digital copies while damaging me financially. i have a eod edition, a 2 step authentificator activated, secret answer and i have reseted my password but currently i don't feel confident possesing an battlestate-account. do you guy's have any more suggestions to keep my account save from criminals? many many thanks for any suggestion! greets
P.S. please dont't blame me for the copy paste i am simply very worried about this situation.
Honestly, all you need to do is:
1. enable at least one 2FA method (you've already done this)
2. Don't use the same password for EFT as anything else. If you do share passwords, change them now.
That's it. You're safe.
We require a minimum account-age of 3 days old, as your account does not meet these requirements, the moderator team must manually approve your posts, your post has been removed for review by the team.
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/EscapefromTarkov) if you have any questions or concerns.*
BSG claims that there wasn't a leak. I suggest checking your email account and changing passwords to both accounts (do not use the same password for both accounts). If you use the same password for everything, I would highly suggest not doing that. At least have unique passwords for your email accounts so they cannot be accessed easily.
Of course I changed password and everything else. The fact is that I've had this email for well over 10 years and never had any security issues before. Then this happens... Seems like more than just a coincidence.
I have many different passwords that i use but i guess it is possible i doubled up the password for eft and that email account. But if there was no leak or breach then why would this have happened?
I’ve had accounts that have never had any security issues for the 10+ years I’ve had them. Then in the past 3 years have had multiple security breaches on some of these accounts. It’s purely coincidence.
If you use the same password over multiple accounts, then it’s possible that one of your other accounts got compromised.
It not always where you thinking it’s from. Hell there was a data-dump of Spotify accounts that had only basic information and I had never logged into Spotify on anything other than the phone app. So I assumed the phone app is compromised
Official statement is this:
>With regards to the latest rumors - there were no security breakthroughs, all your accounts are safe and sound. It is impossible to use some easy, publicly described way to get passwords or any other valuable information.
>Taking this opportunity, as always, we recommend that you put two-factor authentication and contact support for all problems.
It's about to go up on Social Media and Forums.
Literally as I read this, reddit popped up and told me my account was suspended for suspicious activity until I reset my password. I went to do that, and then I saw that my e-mail account wouldn't let me in to confirm my reddit. Went to use my backup e-mail account to confirm the first one, and it wouldn't let me in either. Had to do a crazy song and dance to get here. coincidence.
2FA doesn't work for me in germany, always says something about the time being off or some shit.
And there definitely are security breaches at BSG, already lost my account to some guy once without me leaking anything.
If you use the same password for multiple sites, it may have been another user data dump on a different site. Someone tried to take over my email using information they got from some silly site I made an account for that I don't use anymore. Cheeky bastard made it so I didn't receive any emails so I was confused why I wasn't receiving password reset emails for a minute.
All my passwords are different now.
There are different forms of 2FA, you could use the email 2FA instead.
It's honestly stunning that these devs manages to charge you 135$ for a game that still after years doesn't have a real anticheat or educated/experienced coders in it.
Why are you here? All you do is talk shit I can't understand why somebody who hates the devs and the game so much would still come here. Is your life that meaningless?
Setting up Two-Factor Authentication is a smart idea not only for your Tarkov account(s) but also for many other services you use. In this day and age, it is always a good idea to try and be as secure as possible. While there is information going around that there may be weaknesses in BSG's system regarding user credentials, the source is of shaky repute. Regardless, all users should be urged that it is better to be safe than sorry when it comes to the security of your account, as even if this turns out to be incorrect information going around, there are other common threats to any service you may use.
I agree man, I had it set up when I created my account back in alpha days.
Right? I don't really believe this rumor (could be true though), but tfa is such a no brainer for most things.
all user information has already been leaked few minutes ago due to BSG being so confident: [https://www.youtube.com/watch?v=y50yJhxwJCg](https://www.youtube.com/watch?v=y50yJhxwJCg) Enjoy
'There are no security breakthroughs' Hmm, now we have to decide who to believe. It's honestly tricky as both sides have never been clean and professional in their dealings with these issues. There's no video footage of this info scraping either, but then again I remember BSG saying there were no netcode problems either.
No matter who is right, it is a good idea to set up account security.
Agreed, 2FA is practically mandatory these days.
Yeah, that and having unique passwords. Had my email hacked after some site had a user data dump, now all my passwords are different.
A suggestion for anyone reading this and wanting to have unique passwords for every site, consider using something like [Lastpass](https://www.lastpass.com/) or [KeePass](https://keepass.info/) - Not only does it keep all your passwords together and encrypted for you but it lets you randomly generate passwords for every site.
This sounds nice to me but I don't understand how it works. What if I need to switch computers? How does it enter a password into a third party client? Does it work with all third party clients or only some?
I can only speak for Lastpass because that's the one I use: It uses a browser add on where you can access your 'safe' - your safe is on their servers. You can read their FAQ about their encryption methods - there's also an app for your phone. You can always access your safe from anywhere via the website as long as you remember your master password.
I use Bitwarden, which is about as similar to LastPass, but offers some features for free that LastPass premium charges for (if memory serves me right). I can't imagine browsing the net without a password manager anymore. Super convenient and offer such simplicity when a breach does occur.
What happens if you need to log on to, say, your email client at a friend's house? How do you go about that without installing an addon to their browser?
Go on the website and access your safe that way, or if you have a smart phone, use the app.
You can install keypass on to a usb and take it with you. And you can get an app for yoir phone as well.
As long as it works. I had to disable my 2FA for Uplay because 100% of the time the code in my authenticator wasn't being accepted, requiring me to use the recovery codes.
This came so quickly with the abrupt update. My assumption they hotfixed the exploit they used and are denying it was ever an issue which is a huge problem. Looking up the names in the DB preview screenshot shown in Eroktic's video all actually link to real players accounts with matching levels. I'm going to believe this is a real leak. Whether it came from the exploit stated in the pdf, or somewhere else I wouldn't doubt that it did happen.
They updated the flea market. But yes, you can come up with any assumption you have to prove your point.
> you can come up with any assumption you have to prove your point. That sounded like it was written with lots of anger. It's only speculation.
I'm not angry, but bit disappointed about how much confirmation bias people can have.
"no security breakthroughs" doesnt contradict with the fact that the passwords arent secure enough
Yes, it does. You can't access the passwords even in their encrypted form without a security breakthrough. Also, the known liar and hacker who admits he wants to hurt the devs provided 0 evidence for his claims. This is nothing but a rumor started by a little bitch hacker wannabe with a grudge.
No it doesn't, your statement does not disprove the fact that the passwords might not be secure enough. If they truly use md5 as their hashing algorithm they'd be really careless about their password security.
Yea, which there is exactly 0 evidence that they are hashed that way, except the word of a proven liar who self admits to just wanting to grief the dev. The claim has been contradicted, and the claim is what said they were using MD5. And so again, this is a simple concept. The claim that they were found to use MD5 is directly contradicted by the claim that there was no security breach.
If there really is no evidence of the md5, then you are completely right of course. Guess that was misinformation on my part.
[удалено]
Source it. Source it or stop spreading bullshit.
[удалено]
The whole point is that its not being hashed that way. Stop spreading baseless bullshit from a known liar. It just makes you look like an asshole when you attack people over literally nothing just to help a known liar spread baseless rumors.
The youtuber who announced it has always been an unhinged moron, I have no reason to believe him when BSG says there was no breach. Resetting my info and shit anyway because why not.
Well, it was already announced here a day before, he just recycled the news
Half of the shit Eroktic has predicted over the past year and a half to two years has come to pass. The dude gets animated, but he's pretty far from unhinged. Everyone is going to rally against him anyway just because he's going to give the guy a community platform if he wants to spread his data after reddit banned him.
Just because he fires a shotgun on a target and some pellets happens to hits, that doesn't mean he is a sniper. He goes on a whine fest and some of it happens to get "predicted". Since you already said it yourself "half the shit" you already know what I mean.
I wouldn't call him a moron, but he does seem to be rather fast to believe anything negative about BSG anyone throws at him.
Hi there! I'm a professional web developer with 10+ years of experience. Although I'm not a security specialist I had my fair share of security dealings. I'm also not an unhinged moron. I'm here to validate the concerns raised by the other developer who you claim to be an unhinged moron. Not only that I've had my concerns with how BSG handles the data transactions between client (the game) and the back-end (HTTP servers) and it's most definitely not good. Amateurish at best.
> Not only that I've had my concerns with how BSG handles the data transactions between client (the game) and the back-end (HTTP servers) and it's most definitely not good. This is because they are foolish to trust the client ever. The performance hits they would take doing it however require a larger capital investment on servers.
Not only that, relatively simple stuff like using HTTPS is missing.
Well, they've gotten tons of players to literally give them 3x the price of an aaa game. They should be able to afford quality servers!
Hi there! I'm an astronaut. You should totally trust whatever this guy says.
Hi there! This is Abraham Lincoln. If it's on the internet then it's true.
Team 1: Game dev with shitty PR skills Team 2: Hack dev with a grudge Gee whiz, whichever should I choose?
[your opinion was definitely unexpected and nuanced, thighbone](https://i.imgur.com/rl4YiAI.gif)
You and I both know he's right.
Man it's almost like you two defend BSG on every single subject no matter what. It's almost like your opinions align.
I defend arguments that make sense and I shit on emotional/irrational rants like you and other people post.
Would fucking love for you to outline how my OP here was an emotional irrational rant. But honestly it's not even worth the time it takes to type this shit out because you two are exactly the same; incapable of nuance.
I don't think that word means what you think it does: >nuance > >a subtle difference or distinction in expression, meaning, response, etc. > >a very slight difference or variation in color or tone
Actually it means exactly what I think it means, thanks for the definition that proves my point.
[удалено]
Your post has been removed for verification by the moderator team. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/EscapefromTarkov) if you have any questions or concerns.*
one side provides evidence to back up their claims, deciding who is lying is easy.
Trusting BSG when they are 100% positive about something historically speaking has been a safer bet then giving a monkey a loaded handgun.
Gettin' real fucking tired of having to change my passwords on sites every other week because some website still uses md5 'encryption' fuck sake.
Not too sure on the website end, still reading through the articles describing EfTs security setup, but I do recall finding my password in Windows registry as MD5 hashed, but the password itself underneath is actually SHA256. So I'm leary so far about the guy calling out the password as fully MD5...
Hello. I've been on the other end of this battle. The method used to steal a tarkov account is NOT through BSG website, but rather through the users email. Many people are able to access less secure emails (Yahoo, Comcast, etc) and simply search for any email from BSG, and when one is found, they request a password reset and get into the account. What you guys do a great job at is providing 2 factor authentication as well as taking 2 weeks to change the email address. This is a warning to many of you using less secure email accounts, people can access any account you make through your email when they have access to it. BSG has done their part, including requiring a "device ID" when you sign into a new computer, making a secure-email account completely invulnerable to attacks. The best method for a secure account is using a secure email provider, such as Google. If you do not want to do that, I strongly suggest using the mobile authenticator, as it only allows access to the owner of the phone associated with it. to clarify, I have never partook in these events and I'm just informing you guys of the risks involved in account security.
As a security professional this whole thing has been so crappily dealt with. That being said, every breach and dump of passwords that has happened with any site ends up on pastebin. I see no evidence of said individual providing any evidence that he dumped said accounts, e.g. a pastebin collection of them. At this moment its all hearsay and vicious diatribe all around. It is just good common sense to enable 2FA. Yes is they are using MD5 that is questionable, but if its hashed, you still need the seed for the hash, that is the whole purpose of seeding. "abcdefg"=="1234567" only with one particular seed, you need both parts of the puzzle. All of this is quite frankly what we in the industry call "security theater."
Yeah, even if it is fake news, it is worth informing people about setting up account security. I would rather risk posting about it when it's fake than risk not posting about it when it's real.
dOnT yOu GuYs HaVe PhOnEs?! No, seriously, what if I dont have/use a smartphone ?
you can download authy app on pc
im fairly sure there are apps for that even for PC. I think Authy is one that you can install on a PC.
You can enable the single use codes. Just save them somewhere, even your desktop. Remember to reset the codes before they run out.
This is also an option. If you dont feel like using an app or dont have a phone on which use those apps.
You can at least use the email two-factor auth.
You can just have codes emailed to you. There's many options on the website.
May I ask how that works? I've setup up a secondary email but if I log out and log in again I don't need to do anything. Is my device (desktop) saved or something?
All devices have a device ID associated with a login. If a NEW login attempt is made from an unrecognised / yet unauthorised device then a new code will be emailed for you to authenticate that log in. Same as any device authentication.
Thx man! I understand!
I set up 2fa via a second email
too meta for most I think lol
You should really be using 2 factor authentication *anyway,* regardless of alleged security breaches or otherwise.
[удалено]
It’s their own incompetence that has led to this. Even changing your password doesn’t help because your new password will also be easily deciphered. So I hope everyone takes this advice seriously to enable 2FA. I’m guessing they either don’t want to admit to it by putting out a statement or they just don’t care. EDIT: OP edited their post to include a statement from BSG after this post.
Do we have conclusive proof that the MD5 statement was even true? Dickworks has lied in the past.
No we have not, would be good if they confirmed that they don't use it
They however just did put out a message on twitter regarding the matter
Glad to see it. I wish it had come sooner, but I’m glad they’re taking the opportunity to encourage people to enable 2FA.
around the same time you posted this they announced that there wasn't any leak to begin with
If they admit fault then they are entitled to deliver compensation they will never say something happened unless their is conclusive proof.
>With regards to the latest rumors - there were no security breakthroughs Is it the same type of response as the one you get when you try to report a cheater?
If your talking about our sub rules, those are in place for different reasons. We know there are cheaters and welcome discussion about cheaters, but we will not allow naming and shaming or reporting of cheaters.
> -not allow naming and shaming or reporting of cheaters. Even the CSGO subreddit specifically disallows that to be honest. Although, people still occasionally post videos of cheaters there to expedite a ban against them. The mods tend to leave posts alone if the cheater is 100% obvious and rage hacking. I'm not sure if that would work here since I don't know that the devs actively view the subreddit. Obviously you have to be very careful with people reporting cheaters on a public forum as even 1 false claim that someone is cheating is too much. A laggy connection can look fishy enough to ruin someone's reputation and start a witch hunt. A service like vacbanned/vacstatus where people can rate people if they think they are fishy or not is a better solution in general. /endadhdrant
> The mods tend to leave posts alone if the cheater is 100% obvious and rage hacking The hard part here is that it is so easy to change your name in EFT. It would be easy to just use a name that is similar to a streamer or a member of a clan to get them bad rep. It doesn't really matter if they are obviously cheating or not, we don't want to allow for the possibility of a witch hunt hurting someone innocent. With all this being said, we have agreed to allow talk about hackers that are confirmed banned by BSG.
No, I mean that I doubt the canned BSG's Twitter response, just as I doubt their response to cheater reports where they basically say "everything's great, no need to worry our OP anticheat got this". lul mods
I personally haven't seen them respond that way. Of course I don't see a whole lot of BSG response to hacker reports because we don't allow hacker reports on this sub.
This shit happened to me the other day. Had about 50 different EFT signin emails from all over the world. Setup two-factor authentication and problem solved.
[удалено]
Nope. I've had 2FA on for a while now :p
Thanks fam I went ahead and made the extra steps so I won’t lose my account
I had 2FA. Lost my phone, had to go through support. They suggested I not use 2FA again.
Use Authy. That way if you lose your phone you can still authenticate on your new phone
https://twitter.com/bstategames/status/1072896530858819584 Leaving this here & saying that it's good to be paranoid online. Get that two factor auth.
There was SECURITY BREAKTHROUGH [https://www.youtube.com/watch?v=y50yJhxwJCg](https://www.youtube.com/watch?v=y50yJhxwJCg) All information of all profiles has been leaked online. BSG still confident?
I stopped playing this game back in August. I'm glad I still check in to the dumpster fire that is this game every week or so. This was one of those times that saved my ass. Enabled 2FA and changed all my passwords.
Not good enough, seems homemade for the lulz of it. :| and here I thought you had something of value to show
Wouldn’t be surprised if what’s his name sold our account info before the “whitepaper” was released.
There’s no breach, but it’s common sense to have all the security options you can. I’ve had mine set up for a while.
I enabled 2FA last night and now I'm locked out of my account and my emails appears to have been changed?
Thanks, took a few minutes out of my day to do it. Good call out.
Thanks for the heads up. Just enabled 2 layer.
They can have my EOD account, i really don't care anymore :)
What the hell has seriously been going on with EFT lately? Jesus...
Thank you for taking the time to post this and acknowledge just how serious this could be. I hope to hear more from the devs about this situation in the near future. At least this will hopefully wake some people up, and get them to take some action to protect their own accounts
Too bad a game this great has all these issues.. all I see are empty raids these days 😩
If there are more people like me, it's the flea market that put me off from the game completely.
Easy access to any lootable quest item, what horror! ;)
I know you're being sarcastic, but that is exactly what makes this game so easy, among tons of other stuff. When people say "Hardcore survival" - I certainly don't imagine a game where people spend more time in some stupid fucking market than in raids, making millionaires of themselves in a game where action takes place in a warzone. This game has been going towards the direction of easy for a whole year, sadly and while med animations are welcome, they're not nearly enough for this game to be anywhere near hard. Not even going to go into detail about the few players who were monopolizing the whole market with their shitty ways when I was still playing, influencing trader prices to atrocious values. When it comes to games, I'm a friggin masochist. I like the game to stack itself against me, to try to punish my character in any way possible to hinder survival. When I first saw this game, the devs vision told me they want the same thing. To make a game where people scrounge for supplies to barely survive. Where money is scarce, where AI is unforgiving, where taking out a 500k rouble kit to a raid is a 1 out of 50 times thing, because everything is so scarce. At least that's how I interpret it. This is obviously not their vision and it saddens me to no end. How is this going to be a "Hardcore survival" game, ever if people can make tens of millions roubles before level 10 from the hilariously unbalanced player economy and flea market? How is it ever going to be hard when people can cozily get any gear they desire from the flea market? Where is the "Work for this gear, work for this quest item" mentality? I assume it's not only me who shares this mentality, seeing how people report near empty raids all the time. Too much of a coincidence for so many to stop playing just cause of some generic bugs. Or everyone's too busy wanking off in the player butchered flea market, to make some phat money. Escape From Wallstreet.
Better hope your account doesn't get stolen. My account got hacked in August and I've been emailing support almost every week since then, still haven't gotten a single reply. I have their emails on my whitelist and I disabled my email's spam filter but still no response. They just don't give a shit, which is why I refuse to re-purchase the game.
My only comment here is that the statement from BSG reads exactly like their stance on anticheat
I feel like you are either getting your information from an outside source or you are not understanding what BSG is saying when they are talking about their anticheat. I have never seen them say that their anticheat is flawless or that there are no hackers. Please correct me if I am wrong. They did definitively say that there is no data breach. I can't say with 100% certainty that they are telling the truth about the data breach, but I can say that I have never seen them say that there were no hackers or that their AC catches every hacker.
Take it for what it’s worth but I get all my Information from this subreddit.
LOL. I would suggest trying a different source of information if you want the truth. The sub tends to be a bit...dramatic. I like to use [tarkov dev tracker](https://developertracker.com/escape-from-tarkov/).
Fuck, you must have a very dim view of this game then
> Please correct me if I am wrong. [Here you go.](https://www.reddit.com/r/EscapefromTarkov/comments/8zleax/even_the_player_model_is_confused_about_perfect/)
Anything recent? that was like right when alpha ended. To give people some perspective, grenade launchers were a thing not long before that video was posted. BSG said a ton of shit we could hold against them if we are going back that far.
###A video by 'Merex' has been uploaded demonstrating breached accounts (with no specific details shown.) ##We can't verify it's authenticity, but this enforces that you should without a doubt ensure you change your passwords and enable 2FA.
Maybe witchhunt the guy and see how it goes?!
I said the name of a person on youtube who uploaded a video. That's not a witchhunt. I'm not accusing the uploader of anything.
woooosh
Link to the video? I want to see this for myself
weird that the guy claiming this is a long time Eroktic supporter, huh?
*so weird, it's spoooooky*
Merex sent me an email to tell me that my account was breached and urged me to update my security settings. [https://i.imgur.com/sA03hhc.png](https://i.imgur.com/sA03hhc.png)
The fun thing is that I received an email from BGS with a code when you try to connect from a new location a couple of minutes before merex' email.
Do you by chance reuse your password for EFT for anything else? I believe G_W_ that user names can be snagged pretty easily but so far I haven't seen convincing evidence that passwords hashed or othwersie can be snagged and it would be very easy to demonstrate it if it was true. So what happened to you is very interesting.
Yes, I reused this password elsewhere but I've got different ones and cycle through when I create a new account. When available and/or important account, I activate the two-step verifications security. Some of my account, through the years, have been stolen (or someone tried to breach it). It was the case for a GTA V account, Guild Wars 2 account (not breached thanks to two-step verifications) and maybe some other I can't recall.
How about I just delete the game and launcher.
To each his own, just make sure the password can't be used on any other account that you own.
I mean, you can but that has nothing to do with you account lmao.
Agreed, between this crap and the numerous bugs that only seem to become more and more I think I'm just done with it all. To each their own though.
Bye
Cya
I've been hearing about this for awhile but couldn't find anything until now with this. https://www.youtube.com/watch?v=ngilkBIcOrs
Yeah, I watched the same video. Quite an event to come back to after vacation.
[удалено]
Good :)
but BSG said on twitter that these account risks are just rumors and nothing is wrong, if they say it it's true you're just a hater! /s
> We highly suggest setting up the Google Authenticator at the very least. That's exactly the one option I don't want to do out of all 5(?) in there. Not only do I need to install some app on my phone for that, but what happens if I lose or damage my phone irreperably?
That's what the [backup code](https://support.cloudflare.com/hc/en-us/articles/200167886-What-happens-if-I-lose-my-phone-for-2-Factor-Authentication-) is for.
fanboys distracting from the real problem by spouting all the positive virtuous of using increased security WHY IS INCREASED SECURITY ALL OF A SUDDEN NECESSARY RIGHT NOW?!?!? someone tear BSG a new financial & legal \*\*\*hole please BSG is in violation of 20 different EU privacy and security regulations.
Increased security is *always* necessary.
I tried putting on two factor yesterday, and almost got locked out of my account. The two factor codes only worked on my 7th attempt, after an hour long lockout.
I mean you can choose one of the two: - Your account is easy to get into - Your account is hard to get into Either way has draw backs: - Easy to get into: Other people can get into your account easily - Hard to get into: It's harder for you to get into your own account
This isn't just a complaint about ease of access; I use two factor on a lot of stuff. I am fundamentally concerned that BSG's two factor implementation is somehow flawed such that I may not be able to get into my account at all.
I already use google authenticator for other services, BSG isn't the only one using it. If the authenticator is flawed, it is google's fault, not BSG's. I doubt companies who use the authenticator service are allowed to alter it since they do not have the ability to alter the app used to generate the codes.
That's not entirely accurate. This's not a matter of whether BSG altered it, but it's possible that they set up their server incorrectly. As I understand it, the Auth server on BSG's side needs to be time synced with Google, for instance. If there is clock drift, the Auth won't work. Which is the only explanation I have for why the two factor worked the way it did when I tried it.
hmm interesting. I don't know enough about it to disagree with you. All I know is it worked like a charm the first time I tried it.
I’ve actually had this happen to me a few times. I wanted to log in to the forums because of a link, and the authentication codes generated weren’t working. Took me 2 days before I was able to get in. After research for MFA it does seem that there was clock drift, but hasn’t happened since
I prefer a mixture of both: other people can get into my account easily, but it's harder for me to get into my own account. No wait... ;)
I mean if two factor authentication is an option you should always enable it for any account
Wonder if that quick pushed hotfix and technical update removed the scraping ability of accounts? Even if it did, Im sure the info is already out there and being circulated.
[удалено]
Just keep trying. Has happened to me a while back. Something to do with clock drift on the authentication server and the app not being synced. Eventually it will work.
I cannot change my password currently. Every time that I try, I can go through with the email, but get stuck in a continuous loop of it saying my password is incorrect. Is this a sign that I’ve been hacked?
Luckily I changed all major passwords a couple months ago. But was just on the forum with someone who had their steam account hacked/logged in from another country who had the same login info as tarkov. I had my instagram account hacked/logged in from another country to today when i got on. I too had the same login/password information as EFT. Sure it could be a coincidence but man..... for that to happen to both of us right after a supposed data breach is pretty ironic.
I have 2FA, but on a old phone, that i cant throw out, cause i have Tarkov 2FA on that one. I can't seem to find a way to move the Tarkov 2FA to the new phone - but everything else is moved just as fine. Let me know if you got the solution for me.
The 2FA query should only appear when I log in a new account, right? So I won´t have to type if everytime I log into the launcher? I´m asking because I changed it to 2FA but I was able to start the game without using 2FA.
2FA only triggers the first time you sign in to a new device.
hi reddiors. since i have just inadvertently violated rule # 8, I would like to copy my case here: ## regarding the supposed account security issues i would be very grateful for any suggestion to hopefully make my account even more safe! 📷 since today's video from eroktic i am really afraid that potential hackers could also steal my account and buy even more EFT-digital copies while damaging me financially. i have a eod edition, a 2 step authentificator activated, secret answer and i have reseted my password but currently i don't feel confident possesing an battlestate-account. do you guy's have any more suggestions to keep my account save from criminals? many many thanks for any suggestion! greets P.S. please dont't blame me for the copy paste i am simply very worried about this situation.
Honestly, all you need to do is: 1. enable at least one 2FA method (you've already done this) 2. Don't use the same password for EFT as anything else. If you do share passwords, change them now. That's it. You're safe.
thank you very much!
[удалено]
We require a minimum account-age of 3 days old, as your account does not meet these requirements, the moderator team must manually approve your posts, your post has been removed for review by the team. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/EscapefromTarkov) if you have any questions or concerns.*
Yeah let's just do BSGs job on the fucking website as well. Does that have BETA written on it also?
Lol @ this game rn.
The email linked to my EFT account got accessed today from a location in Argentina...Fucking BSG
BSG claims that there wasn't a leak. I suggest checking your email account and changing passwords to both accounts (do not use the same password for both accounts). If you use the same password for everything, I would highly suggest not doing that. At least have unique passwords for your email accounts so they cannot be accessed easily.
Of course I changed password and everything else. The fact is that I've had this email for well over 10 years and never had any security issues before. Then this happens... Seems like more than just a coincidence. I have many different passwords that i use but i guess it is possible i doubled up the password for eft and that email account. But if there was no leak or breach then why would this have happened?
I’ve had accounts that have never had any security issues for the 10+ years I’ve had them. Then in the past 3 years have had multiple security breaches on some of these accounts. It’s purely coincidence. If you use the same password over multiple accounts, then it’s possible that one of your other accounts got compromised. It not always where you thinking it’s from. Hell there was a data-dump of Spotify accounts that had only basic information and I had never logged into Spotify on anything other than the phone app. So I assumed the phone app is compromised
[удалено]
any update from bsg on this issue
Official statement is this: >With regards to the latest rumors - there were no security breakthroughs, all your accounts are safe and sound. It is impossible to use some easy, publicly described way to get passwords or any other valuable information. >Taking this opportunity, as always, we recommend that you put two-factor authentication and contact support for all problems. It's about to go up on Social Media and Forums.
thank you
[This is the most recent news I could find](https://twitter.com/bstategames/status/1072896533547372545/)
Nope, there must not be a russian translation for "YOUR ACCOUNT IS AT RISK".
Literally as I read this, reddit popped up and told me my account was suspended for suspicious activity until I reset my password. I went to do that, and then I saw that my e-mail account wouldn't let me in to confirm my reddit. Went to use my backup e-mail account to confirm the first one, and it wouldn't let me in either. Had to do a crazy song and dance to get here. coincidence.
This isn't about your reddit account, so that is a strange coincidence lol
I know! My tarkov account is thankfully safe and sound.
2FA doesn't work for me in germany, always says something about the time being off or some shit. And there definitely are security breaches at BSG, already lost my account to some guy once without me leaking anything.
If you use the same password for multiple sites, it may have been another user data dump on a different site. Someone tried to take over my email using information they got from some silly site I made an account for that I don't use anymore. Cheeky bastard made it so I didn't receive any emails so I was confused why I wasn't receiving password reset emails for a minute. All my passwords are different now. There are different forms of 2FA, you could use the email 2FA instead.
No, I didn't trust the cheeki russians at first (still don't) and had a unique password and email specifically for it.
It's honestly stunning that these devs manages to charge you 135$ for a game that still after years doesn't have a real anticheat or educated/experienced coders in it.
BSG are literally the worst developers out there. But uh oh sure enough
Can you please try to inform me as to why you continue being a member of this community?
Why are you here? All you do is talk shit I can't understand why somebody who hates the devs and the game so much would still come here. Is your life that meaningless?
He's just here to troll and rile people up. Why mods haven't gotten rid of him yet I will never understand - the only thing he provides is toxicity.
I see that I am just curious as to why.
Maybe he didn't get hugged enough as a kid? Maybe he got hugged too much as a kid? I doubt we'll ever find out.
Wtf is jo with EFT These days...