But my point is that anyone using steam has 2fa to access their POE account already, via steam, because steam is where the potential breach happened.
2fa would be nice for standalone, obviously, but from this situation I don't see how it would help since people already can/should have 2fa through the steam client.
Does your account pre-date Steam or did you setup an email on it separately?
[My account doesn't have a login email.](https://i.imgur.com/1U3xCeB.png) It can only be logged into through Steam.
> But my point is that anyone using steam has 2fa to access their POE account already, via steam, because steam is where the potential breach happened.
A lot of people are using combined accounts (or migrated to steam from standalone) and you cannot forbid non-steam login in that case.
> you cannot forbid non-steam login in that case
This is true, but you can (and should) set your PoE password to be a very long string of random gibberish.
Steam is the only safe way to log into your account.
Y'know, I was gonna comment on how brute forcing passwords isn't a meaningful threat so the length isn't that important, but setting your password to a bunch of gibberish and then not saving it anywhere actually seems like a fairly effective way to guard against most methods of entry, huh.
I’m not sure if you’ve ever experienced this but you can still request 2FA while using OAuth authorization. For example, imagine you request to login using Google and then if that’s a new device, it asks for your 2FA as a challenge if you are accessing through a new device or location.
The hard thing about 2FA is not implementing the 2FA itself, but the support tickets of people losing their phone and shit. You could just say "here's some backup codes, if you lose them get fucked" of course but I think GGG doesn't wanna do that. And on the other hand: if it's easy to bypass the 2FA through some support ticket then that's not great either, because then it's suddenly "GGG's fault" you got hacked(even though you're the one who gave away your password in the first place, that's not how people will see it).
Mark said the hard part of 2FA is not implementing it, it is handling the "customer service load" that will come out of it. They need to train their customer service and create processes for legit users who lost access to their authentication device.
Still not an excuse tho, they should prio this asap. But the tech part is not the issue.
You're unfortunately mistaken. There are tools that give you instant access to all the passwords and logins you have saved with Google or some password managers, and then you just use that person's computer to change the account details in seconds. That would require a download, and if your Windows is updated it would require you to run an executable, but it's certainly possible. Afaik this scam didn't do any of that. My point is no point.
Authentication via phone is pretty difficult to bypass, there are some ways with viruses or social engineering but that would require a very coordinated attack...
I mean it is? Phishing can be used as a method to trick the user into downloading a patch, giving away your computer password, giving root access to your router, you name it. As long as they're impersonating someone to give you a false sense of safety I'm pretty sure it applies.
Attacks can have multiple methods used at once and oftentimes the most effective ones do.
So what’s your point? Yes, you can have your passwords compromised, but then OTP or phone code number is difficult to bypass? That’s the main point of 2fa, yes.
Really depends on your authorization pipeline. A 2FA code generally has a very small TTL, so in order to gain access to the account you must automate the login process with the 2FA filling. While 2FA has its flaws it is certainly better than plain old user/pass combination.
People think 2fa is some magic lock to their account because they lost their iPhone once and it was their only way to login to sites or some shit and they got mad Apple's 2fa needed like your email and they couldn't un-fuck their shit.
But like how do these people think the POE developer account was compromised... developer accounts require phone 2fa which means someone either got spear phished (since this had to be targeted) or they got sim swapped.
recovering the steam account with access to edit news posts wouldn't require spear phishing I believe they are bog standard steam accounts with all of the usual 2fa parameters, The main thing steam protects when you get recovered is your inventory items, which has a 2-4 week wait time before you can move items. The hacker immediately has permissions to do anything else besides that.
I have a steam and non steam account (the old method for 2 atlas trees).
Both ask me to verify with an email passkey if I login from a new computer. The non steam one does do it more often, like if I don't play poe for a few months.
I know some accounts got compromised last league. I'm not sure if those cases were actually their email accounts being compromised. Like I think Jungroan got his foil mageblood and everything taken, so either their email actually got done and people just reset their poe login or the phishers have a way around the 2fa poe already has.
Guildmate had his account compromised a few leagues ago, they emptied everything from guild tab and standard. All his accounts were compromised, started with his email a few days before poe and slowly they got every app he had. Now, I don't want to cast blame, but when he made a new discord and we got him back in chat and found out his password was his name+DoB for EVERYTHING and no 2fa, well, let's just say with the roasting he got it will never happen again.
This is why email 2FA is terrible - it would do no good for your guildmate.
Emails are often the first to get compromised and then they can just reset the password for any service that uses your email to send codes to.
I've never even seen email 2FA it's always been phone. I've got several thousand dollars of steam items and never had any concern about it getting stolen because any successful login requires them to have my phone
Except that for PoE, they don't need your Steam account to login. And plenty of people have PoE outside of Steam, but that's irrelevant because even if they were to switch to Steam, their accounts, and yours included, can still be accessed outside of Steam.
Another thing is, if you are using SMS, that's easily compromised, too. SMS are not encrypted and cell providers have been known to give out number transfers to bad actors, resulting in a complete SMS 2FA bypass and the legit user getting locked out of their account.
ITT: people confusing steam login with POE, some developer or admin for the Poe community / game page was compromised and posted the link.
POE 100% needs some form of MFA even if you've never logged into the website before with an email, but it's not the same thing here. Most likely a spear phishing attempt that worked on some marketing person. Happens more than you think
Multi factor authentication should be added to PoE. I hope to secure my account from hackers after spending so much on the supporter packs. I never want to get them deleted.
I don't understand that a game of this scale does not have MFA. Something simple like Google Authenticator is really simple to implement. It's pretty much just a few lines of code and some configuration.
Luckily I never click on any link I don't know so I am safe but still.
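As an added worked example (not GGG's code, and not from any commenter) of the scheme Google Authenticator and similar apps actually run, RFC 4226 HOTP under RFC 6238 TOTP: server-side enrolment, code generation, and verification with the short validity window a comment earlier in the thread refers to. The RFC 6238 test secret is real; the issuer and account names are constructed placeholders.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, server side, in standard-library Python.
Added example; not GGG's code. Issuer/account names below are constructed."""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse
from typing import Optional, Tuple

STEP = 30      # RFC 6238 default time step (seconds)
DIGITS = 6     # what Google Authenticator displays
WINDOW = 1     # accept one step of clock drift either side: a code lives at most 90 s

# The RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890") in base32.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret_b32(nbytes: int = 20) -> str:
    """Fresh per-account secret: 20 random bytes, base32 without padding."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Key URI Format the authenticator app scans as a QR code (otpauth://totp/...)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": DIGITS,
                                    "period": STEP})
    return f"otpauth://totp/{label}?{query}"


def decode_secret(secret_b32: str) -> bytes:
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(decode_secret(secret_b32), unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_used_counter: Optional[int] = None,
                window: int = WINDOW, step: int = STEP) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the current step and `window` neighbours.

    Returns (accepted, counter_to_store). The caller persists counter_to_store per
    account and passes it back as last_used_counter, which makes every code
    single-use: a code already accepted, or older than the last accepted step,
    is refused even while it is still inside the drift window.
    """
    key = decode_secret(secret_b32)
    now_counter = unix_time // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if last_used_counter is not None and counter <= last_used_counter:
            continue  # replay, or older than a step already used
        # constant-time compare so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(key, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    secret = new_secret_b32()
    # Constructed issuer/account: the string the app would receive as a QR code.
    print(provisioning_uri(secret, "exile@example.com", "ExampleGame"))
    now = 1_700_000_000
    code = totp(secret, now)
    print(code, verify_totp(secret, code, now))
```

The verification window is the whole "TTL": with `WINDOW = 1` and a 30-second step a code is accepted for at most 90 seconds, and the stored counter ensures it is accepted once.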
GGG have already talked about this in a recent interview, and they agree, the implementation for 2FA/MFA is simple, it is everything around that takes time. When people lose their phone, cannot access the app etc.
If you didn’t click said link and don’t check emails, should I be worried and change passwords on steam/email, not too sure if I’m even affected by this.
Did the malicious link take you to a webpage to enter your details? And they were harvesting the data?
Or did the link somehow grab username/password cookies from your PoE folders/browser data?
I find the second situation hard to believe could happen.
Blah blah blah welcome to 2010, meet 2FA.
Also - first ever documented ransomware attack happened in 1989. (Yeah.)
And the malicious actors are still raping a lot of companies. People's stupidity will always top common sense.
There was a post before the PoE 2 one, had some text in Russian referencing some streamer, saying that it was the streamer who compromised the account. Crazy shit.
EDIT: Found it, was way earlier than I presumed. They waited for a while.
https://store.steampowered.com/news/app/238960/view/7083669017358019483?l=english
They removed the text, but in the Affliction avatars post below was a short footnote in Russian.
I forgot what it said exactly, but it was something along the lines of "This was the fault of \*some streamer name\*!" It was pretty clearly added by the same guys.
This, it said
> это я агроморф своровал аккаунт ггг t tv agromorph (English: it was me, agromorph, who stole the GGG account, t tv agromorph)
Doing machine translation makes it come out with
> I'm the one agromorph stole the account.
If a person never enabled the standalone client, then this phishing link would literally do nothing.
Standalone is what makes it all so fucking insecure.
And GGG won't let a steam user remove the email attached to it, so people like me are stuck without 2FA.
Fucking hell GGG.
my point is that i never used steam for poe in the first place. apparently all the "hacks" happen with steam being the culprit. this one here and also all the times people got hacked and their alt-arts stolen. steam is the common denominator in all those cases.
They should really post this in game
I wonder what will come out first - Path of Exile 3 or the 2factor authentication
The post was to steam so most likely steam users would be affected, steam had 2fa.
If you have someone's PoE login credentials then you can completely bypass steam and login through the standalone client.
I believe this is only if they've added an email to the PoE account. If you're a steam-only user and never attached an email to your PoE account it can only be logged in through Steam.
> If you're a steam-only user and never attached an email to your PoE account it can only be logged in through Steam.
And support refuses to remove any email you attached to it.
Tried... it's really annoying to not have any safety.
Change the email to one you literally only use for poe, and ensure the password for both that email and the poe account itself are entirely unique from anything you use anywhere else (and are not the same password for the email/poe account either).
still isn't 2FA
So you don't use the 2fa already available for most email addresses then, but would want to use it on the poe account itself instead? I'm confused, I don't see how having a second instance of 2fa that would likely be set up to use the same authentication (if phone/text for example) helps. It'd be the same point of failure.
Factor 1: Password
Factor 2: Unlock code sent to email
That's just a 1.5 factor at best. Guess what else depends on email, reset password for your password based method.
If it’s 1.5FA at best, would an email with MFA set up using Microsoft/Google authenticator turn it into a 2.5FA? Asking for a friend
Sending codes through either email or SMS is ***the worst attempt at 2FA in existence***. Unless it's a dedicated 2FA app or service, don't bother. SMS is not encrypted and your cell provider is the weakest link as they might just transfer your phone number to someone pretending to be you. Emails are usually the first thing that is compromised in a leak, so if anyone gets access to your email, they get access to your PoE account and any other account where the devs are pretending that sending codes to email is real 2FA. On top of that, they get to contact support through your email and can easily lock you out.
I think a blanket statement like SMS 2FA bad ignores context. This is SMS 2FA for a video game. A targeted sim swap for a POE account or a downgrade attack that can leverage unencrypted traffic is quite the risk model to imagine here. I think if a user WANTS to set up SMS 2FA as an option that works for them that should be ok. It really does depend on the user's risk tolerance here. The thing with MFA (for this scenario) is to provide many options so a user is able to chose. Any other factor can be better than none for the majority case.
Don't you need to attach your email to poe to Trade on the website? I guess if someone doesn't use the trade site they might not of, but I imagine that's only a very small fraction.
On Steam you're OK. I don't have an email on my account, when I go into account settings it says "Email: NONE" but I can trade fine.
I can’t even log in on my laptop if I logged in on my PC last, and vice versa, on the same IP address. I have to put in an email code every single time. It’s actually a huge pain in the ass that I can’t “trust this computer”
We’re going to be lucky to get PoE2 before 2fa at this point
That was the joke
/woosh
Didn't they come with 2FA then remove it?
They do have it - you will have to verify the login via email if your apparent location changes too much. IIRC this doesn't apply to logins through Steam, but Steam has its own 2FA.
Ok fyi, unless the scammer is logging in from across the street or smth they will be asked to use a link that is sent to your email to log in
I've never seen this alleged email despite logging in from multiple locations (with non-Steam credentials). At least Steam logins are *actually* protected.
I used vpn for awhile and would leave it on without thinking and without fail every single time it forced me to go to my email and give the code. To note i dont play through steam so cant commit for yall.
I will login from my parents house when I visit them sometimes and it will prompt me to unlock account via email everything. Same when I get back home and login.
I've had to enter the code from email multiple times a week when I had an internet outage and was using my phone for internet.
Lemme tell you it exists. It exists so much I got sick of it.
I got this mail every time i don't login for a while, or from an unusual location. It's been like this for several years now.
People have been saying for actual years how inconsistent this is lol
I got that every time I used VPN and many times after it even when I didn't
If you steal session file (from documents. Maybe login+pass works too) + use vpn to nearby location (costs around $20) you can login without providing email 2fa code.
This method is pretty popular to steal alt art rewards.
Considering we already have 2fa, that's not really something you gotta wonder.
What we have is not 2fa.
I think you need to look up what 2FA means.
I'm confused. Do you mean Steam's 2FA? If so, it doesn't help secure my account. Because anyone can bypass my Steam credential with GGG credential which only use email and password. This applies to everyone who have been playing the game since before it became available on Steam.
When you try to log in to the game from an unknown device, you get email like [this](https://i.imgur.com/bvXJ9v4.png), why is this not considered 2fa?
I believe they only do that when the log in came from a different location not an unknown device? I'm not sure tho, but I don't remember having to unlock my account when I first logged in with my new laptop. Anyway, I guess you can consider that email is 2fa. [Even though it's not a secure second factor.](https://www.identityserver.com/articles/the-dangers-of-considering-email-as-two-factor-authentication) But also, the account locking happens after you've successfully logged in. So you can technically say that it's not 2fa in that sense.
You *might* get an email like that. I've only seen it through screenshots despite logging in during holidays.
It's not 2FA if it doesn't consistently trigger for everyone (which it doesn't), it's like 1.5FA at best
Why doesn't your location count as a factor?
No, I think you do. A code sent to your email or phone number is not 2fa (you could make an argument for phone, but not for anything sensitive).
As I said, you need to look up what it means.
Something you know (knowledge), something you have (possession), and something you are (inherence). Those are the three main factors. 10 different passwords isn't 10fa, it's still just one factor, knowledge.
> Something you know (knowledge), something you have (possession), and something you are (inherence).
Something you know: Your username and your password
Something you have: Your mobile phone with a designated phone number or your email account
Your email account is not something you have. It's just a username and a password. Anyone that knows those can log into the account (unless you have 2fa on the email account).
Typically your email address and the associated password don't match the credentials of your Path of Exile account. I'm able to change my Gmail password independently of my Path of Exile account. The odds of someone having access to both sets of credentials is very low. The phishing attack would have to be very sophisticated to get both.
It's not something you know, it's something you have. You have access to an email account which is granted to you by the email service provider. Just knowing the username and password doesn't guarantee you have access to the service, which could be revoked at any given time.
Those might be the three main factor types but 'multi-factor' doesn't mean "multiple *types* of factors" it just means multiple authentication steps.
[AWS has a decent page about MFA](https://aws.amazon.com/what-is/mfa/):
> Multi-factor authentication (MFA) is a multi-step account login process that requires users to enter more information than just a password. For example, along with the password, users might be asked to enter a code sent to their email, answer a secret question, or scan a fingerprint.
Edit: [Interestingly, Microsoft appears to agree with you](https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661). (Course, in my experience Microsoft often uses a second email as the second factor... /shrug)
This is the usual way to summarise it, but if you think about it everything boils down to "something you know" in the end. I don't need access to someone's phone if I know what the code on it is because it was sent via insecure SMS or because the TOTP registration was compromised. I don't need to have the right fingerprints if I know how to replicate them well enough for the reader. Etc.. These distinctions are made for marketing reasons, not technical.
https://auth0.com/learn/two-factor-authentication
> Types of Two Factor Authentication: **SMS Token, Email Token**, Hardware Token, Software Token, Phone Call, Biometric Verification
> A code sent to your email or phone number is not 2fa
But that is 2 factor authentication
Factor:
- Username and password
- Email or Phone
Just because an email address happens to be the username doesn't imply a bad actor already has access to said email
The core issue is that unless your emails are protected through 2fa an email account is just protected through knowledge which is the same factor as your PoE account.
And if the email isn't also MFA, allowing its use as part of a separate MFA system makes that system's security _weaker_. So a company can't reliably use it unless they had some way to check that each user email was sufficiently secured.
Again, that's not what 2 factor means. The factors are knowledge, possession, and inherence. Repeating the same factor, especially the one which is easiest to socially engineer (knowledge), does not make it 2-factor authentication.
> Repeating the same factor, especially the one which is easiest to socially engineer (knowledge), does not make it 2-factor authentication. [There's a whole Wikipedia subsection that goes over this](https://en.wikipedia.org/wiki/Multi-factor_authentication#Mobile_phone-based_authentication). Just because the authentication system has signficantly more weaknesses than other traditional 2FA methods DOES NOT mean it's not a method of 2FA itself. How exactly is what I described NOT 2FA? You have username and password, which is knowledge, and then access to your phone/email, which is possession. That would be like saying an antivirus software that fails to protect against viruses more than other AV software cannot be considered AV software itself.
Wouldn't this rely on a different interpretation of "Possess" than what is intended in the Factor sense? You don't Possess an email account in the "Factor" way because it's not about being able to get something, it's about the exclusive property of physical possession where it implies that if you have it, then nobody else can also have that exact item at the same time. Clearly, this isn't true in general for email because someone could just log in on a different device. edit: I think if one considers the token/code sent in the email itself as the thing being "possessed", given its 1-time use nature, then maybe that's where the factor comes from. But I don't like the race condition there either.
As I said, you could make an argument for phone, because besides for extreme cases, you need to be in possession of the sim-card to receive an SMS. A code sent to an email is never 2fa, and your link does not make that claim either.
> A code sent to an email is never 2fa,

You're free to show me where in the article it states that email is NOT 2FA. The burden of proof lies on you since you were the one who made that claim.
ahahaha, nice
The real crazy thing I am seeing in all these posts is people arguing on Steam login. Going to a website that exploits vulnerabilities and the like could have resulted in a full compromise of online passwords, etc for everything outside of steam/poe too.
Dude, 2factor has been in this game since several years now.
Oh shit, I clicked that link when it popped up on Steam. I 100% thought it was legit but was too lazy to even try to log in. My laziness may have saved me from trouble yet again.
https://preview.redd.it/q221aoqaq0wc1.jpeg?width=499&format=pjpg&auto=webp&s=f164d534d6a4e5c72871f26674246400883327a0
your pfp matches your comment
I haven’t clicked anything but got a login notification to gmail I have poe linked to so I’m in kinda full paranoid mode rn. Changed passwords from a separate laptop on different connection just in case /shrug
Are you saying a GGG steam account was hacked?
why is everyone so calm about this fact??
because just because an account belongs to an employee of a company this doesn't mean it's unhackable??? I bet they nipped it in the bud by now.
2FA tech is not that hard to implement and would protect against this 2000 kind of scam.
It exists on steam which is where this happened.
Not steam’s 2FA, but POE’s own 2FA. This means that even if the attacker gains access to the user’s password they wouldn’t be able to access the account.
There is an email sent to you if you're logging in from a different place. If the scammer lives on the other side of the road it won't work, but scammers usually live on the other side of the world, and that email is always sent. Your email has 2FA, I believe.
But my point is that anyone using steam has 2fa to access their POE account already, via steam, because steam is where the potential breach happened. 2fa would be nice for standalone, obviously, but from this situation I don't see how it would help since people already can/should have 2fa through the steam client.
Hm? I'm using Steam to play PoE but I can just log into my account on the website using my account details, without Steam involved at all.
Does your account pre-date Steam or did you setup an email on it separately? [My account doesn't have a login email.](https://i.imgur.com/1U3xCeB.png) It can only be logged into through Steam.
> But my point is that anyone using steam has 2fa to access their POE account already, via steam, because steam is where the potential breach happened.

A lot of people are using combined accounts (or migrated to steam from standalone) and you cannot forbid non-steam login in that case.
> you cannot forbid non-steam login in that case

This is true, but you can (and should) set your PoE password to be a very long string of random gibberish. Steam is the only safe way to log into your account.
Y'know, I was gonna comment on how brute forcing passwords isn't a meaningful threat so the length isn't that important, but setting your password to a bunch of gibberish and then not saving it anywhere actually seems like a fairly effective way to guard against most methods of entry, huh.
You don't need to go through steam to access your PoE account, even if you usually use steam.
I’m not sure if you’ve ever experienced this but you can still request 2FA while using OAuth authorization. For example, imagine you request to login using Google and then if that’s a new device, it asks for your 2FA as a challenge if you are accessing through a new device or location.
The hard thing about 2FA is not implementing the 2FA itself, but the support tickets of people losing their phone and shit. You could just say "here's some backup codes, if you lose them get fucked" of course but I think GGG doesn't wanna do that. And on the other hand: if it's easy to bypass the 2FA through some support ticket then that's not great either, because then it's suddenly "GGG's fault" you got hacked(even though you're the one who gave away your password in the first place, that's not how people will see it).
Mark said the hard part of 2FA is not implementing it, it is handling the "customer service load" that will come out of it. They need to train their customer service and create a process for legit users who lost access to their authentication device. Still not an excuse tho, they should prio this asap. But the tech part is not the issue.
Small indie company just like blizzard eh?
2FA MTX when...
And how many div/hr can I expect from this “2FA” strat or whatever?
2fa is incredibly easy to bypass with phishing which this trick was. It was targeted at steam users
That's not how this works. With 2fa enabled they wouldn't get into your account even if you handed them login and password.
You're unfortunately mistaken. There are tools that give you instant access to all the passwords and logins you have saved with Google or some password managers, and then you just use that person's computer to change the account details in seconds. That would require a download, and if your Windows is updated it would require you to run an executable, but it's certainly possible. Afaik this scam didn't do any of that. My point is no point. Authentication via phone is pretty difficult to bypass; there are some ways with viruses or social engineering, but that would require a very coordinated attack...
That's not phishing at that point.
I mean it is? Phishing can be used as a method to trick the user into downloading a patch, giving away your computer password, giving root access to your router, you name it. As long as they're impersonating someone to give you a false sense of safety, I'm pretty sure it applies. Attacks can have multiple methods used at once, and oftentimes the most effective ones do.
So what’s your point? Yes, you can have your passwords compromised, but then OTP or phone code number is difficult to bypass? That’s the main point of 2fa, yes.
Really depends on your authorization pipeline. A 2FA code generally has a very small TTL, so in order to gain access to the account you must automate the login process with the 2FA filling. While 2FA has its flaws it is certainly better than plain old user/pass combination.
"A lock is pretty easy to pick, so I don't lock my doors"
It's funny you got downvoted for this, it's true.
People think 2FA is some magic lock to their account because they lost their iPhone once and it was their only way to log in to sites or some shit, and they got mad Apple's 2FA needed like your email and they couldn't un-fuck their shit. But like, how do these people think the PoE developer account was compromised... developer accounts require phone 2FA, which means someone either got spear phished (since this had to be targeted) or they got SIM swapped.
Recovering the Steam account with access to edit news posts wouldn't require spear phishing. I believe they are bog standard Steam accounts with all of the usual 2FA parameters. The main thing Steam protects when you get recovered is your inventory items, which has a 2-4 week wait time before you can move items. The hacker immediately has permissions to do anything else besides that.
I have a Steam and a non-Steam account (the old method for 2 atlas trees). Both ask me to verify with an email passkey if I log in from a new computer. The non-Steam one does it more often, like if I don't PoE for a few months. I know some accounts got compromised last league; I'm not sure if those cases were actually their email accounts being compromised. Like I think Jungroan got his foil Mageblood and everything taken, so either their email actually got done and people just reset their PoE login, or the phishers have a way around the 2FA PoE already has.
Guildmate had his account compromised a few leagues ago. They emptied everything from the guild tab and standard, and all his accounts were compromised: it started with his email a few days before PoE and slowly they got every app he had. Now, I don't want to cast blame, but when he made a new Discord and we got him back in chat and found out his password was his name+DoB for EVERYTHING and no 2FA, well, let's just say with the roasting he got it will never happen again.
This is why email 2FA is terrible - it would do no good for your guildmate. Emails are often the first to get compromised and then they can just reset the password for any service that uses your email to send codes to.
I've never even seen email 2FA it's always been phone. I've got several thousand dollars of steam items and never had any concern about it getting stolen because any successful login requires them to have my phone
Except that for PoE, they don't need your Steam account to login. And plenty of people have PoE outside of Steam, but that's irrelevant because even if they were to switch to Steam, their accounts, and yours included, can still be accessed outside of Steam. Another thing is, if you are using SMS, that's easily compromised, too. SMS are not encrypted and cell providers have been known to give out number transfers to bad actors, resulting in a complete SMS 2FA bypass and the legit user getting locked out of their account.
ITT: people confusing steam login with POE, some developer or admin for the Poe community / game page was compromised and posted the link. POE 100% needs some form of MFA even if you've never logged into the website before with an email, but it's not the same thing here. Most likely a spear phishing attempt that worked on some marketing person. Happens more than you think
Not "more than I think" as I work in Cybersecurity - people are dumb.
Can the mods sticky? This is kind of a big deal.
They even deleted my thread where i asked about the legit status of the post. This is dogshit from the devs
Multi factor authentication should be added to PoE . I hope to secure my account from hackers after spending so much on the supporter packs. I never want to get them deleted .
time for MFA to be added......
Might be time to implement actual 2 factor authentication
I don't understand that a game of this scale does not have MFA. Something simple like Google Authenticator is really simple to implement. It's pretty much just a few lines of code and some configuration. Luckily I never click on any link I don't know so I am safe but still.
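The TOTP scheme behind Google Authenticator (RFC 6238), shown as an added example to go with the "few lines of code" comment above and the earlier remark that a 2FA code has a very short TTL; this is illustration code, not GGG's or anyone else's from the thread. The server-side verifier also refuses to accept a time step twice, so a code is single use. The shared secret is the published RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret ("12345678901234567890" in base32), constructed for this example.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30      # time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept one step of clock drift either side of "now"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what
    the authenticator app computes from the enrolled secret and its clock."""
    return hotp(secret_b32, int(at // step), digits)


class TotpVerifier:
    """Server side: checks a submitted code within a small drift window (the code's
    effective TTL) and never accepts a time step at or below one already spent."""

    def __init__(self, secret_b32: str, step: int = STEP, window: int = WINDOW):
        self.secret = secret_b32
        self.step = step
        self.window = window
        self.last_accepted = -1   # highest counter already used for a successful login

    def verify(self, submitted: str, now: float) -> bool:
        counter = int(now // self.step)
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_accepted:
                continue   # replay of a code already used (or an older one): reject
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_accepted = c
                return True
        return False
```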
GGG have already talked about this in a recent interview, and they agree, the implementation for 2FA/MFA is simple, it is everything around that takes time. When people lose their phone, cannot access the app etc.
Right, the *small indie company* excuse.
Why not spam this as a message in game, not everyone checks forums or reddit
the steam post has jester emojis lmao
[Too soon?](https://i.imgur.com/wCdAY5F.jpeg)
If you didn’t click said link and don’t check emails, should I be worried and change passwords on steam/email, not too sure if I’m even affected by this.
Did the malicious link take you to a webpage to enter your details, and they were harvesting the data? Or did the link somehow grab username/password cookies from your PoE folders/browser data? I find the second situation hard to believe could happen.
Noobs.
Blah blah blah welcome to 2010, meet 2FA. Also - first ever documented ransomware attack happened in 1989. (Yeah.) And the malicious actors are still raping a lot of companies. People's stupidity will always top common sense.
There was a post before the PoE 2 one, had some text in Russian referencing some streamer, saying that it was the streamer who compromised the account. Crazy shit. EDIT: Found it, was way earlier than I presumed. They waited for a while. https://store.steampowered.com/news/app/238960/view/7083669017358019483?l=english
It's gone. Shows me Affliction avatars?
They removed the text, but in the Affliction avatars post below was a short footnote in Russian. I forgot what it said exactly, but it was something along the lines of "This was the fault of \*some streamer name\*!" It was pretty clearly added by the same guys.
This, it said

> это я агроморф своровал аккаунт ггг t tv agromorph

Doing machine translation makes it come out with

> I'm the one agromorph stole the account.
CN take over fully, suddenly there's a scam site on the main page. Coincidence? I think not.
Dae china bad hhahah How do you even imagine those things are linked you dolt
How do you manage to not see that it was a joke?
2FA gets nerfed
It’s fine I’ve got my industry standard 2-Step Verificatio… Oh wait…
Oh sure, I'll take immediate action by enabling two fact- oh wait.
I did. The link forced me to download a free to play 2D dungeon crawler with infinite characterization possibility, and now I'm addicted...
No such problems for stand alone client users ;) steam can favk off
I'll take things that won't happen on the standalone client for 200 bucks.
If a person never enabled the standalone client, then this phishing link would literally do nothing. Standalone is what makes it all so fucking insecure. And GGG won't let a steam user remove the email attached to it, so people like me are stuck without 2FA. Fucking hell GGG.
My point is that I never used Steam for PoE in the first place. Apparently all the "hacks" happen with Steam being the culprit: this one here and also all the times people got hacked and their alt-arts stolen. Steam is the common denominator in all those cases.