Page 1 of 2
i have been hacked
Posted: Tue Sep 23, 2008 3:39 am
by Gandy 181
My account was just hacked and I lost 30 mill uu
and my last trade was to Zaraki kanpatchi so that was all done and tekki was able to log on to my account to stop whoever it was.
as it was not letting me log in
this is complete BS as I am the second person from delta for this to hap.
I am sending admin an email now but I would like this looked at right now
Re: i have been hacked
Posted: Tue Sep 23, 2008 3:43 am
by Juliette
Damn man, I hope it gets fixed.

Re: i have been hacked
Posted: Tue Sep 23, 2008 3:58 am
by GeneralChaos
Hold up, tekki logged into your account....how was she able to get into it, and you were not...
Again the security on this site needs updated.
Re: i have been hacked
Posted: Tue Sep 23, 2008 4:02 am
by zeekomkommer
well since gandy is too pissed off to post clearly atm (he will edit his first post later)
he was on his account when suddenly it was hacked. they did the following to him:
- removed all uu from his account
- abandoned all of his planets
- deleted his inbox
- untrained all they could
- sold all weapons except 1 strike weapon
- cleaned out his bank
- started massing his supers on my (zeekomkommer id 75836) defence
then they were stopped by changing the password. i'm sure if they weren't stopped in time he would have been changed back to a regular race and his ascended would have ended up with all planets trained as defence ones with his assassins untrained
Re: i have been hacked
Posted: Tue Sep 23, 2008 4:04 am
by newbie
Gandy 181 wrote:My account was just hacked and I lost 30 mill uu
and my last trade was to Zaraki kanpatchi so that was all done and tekki was able to log on to my account to stop whoever it was.
as it was not letting me log in
this is complete BS as I am the second person from delta for this to hap.
I am sending admin an email now but I would like this looked at right now
ouch that sucks, that's the second one I've read today.
kind of makes me think about not returning to the game.
Re: i have been hacked
Posted: Tue Sep 23, 2008 4:05 am
by Tekki
I'd better explain why I logged into his account.
I was transferring turns to gandy from my account when he said he was logged out of his account. I checked mine and was still in SGW so it wasn't the game freezing or anything.
Didn't think anything of it until a few mins later when he told me he STILL couldn't log in and then I noticed he'd left Delta. Now when you are talking on MSN with someone and they leave the alliance that kind of sets alarm bells ringing.
I figured there was nothing to lose in attempting to log in for him and change his password, so I screamed at him to give me the details and did just that. That SEEMED to stop whatever was happening and I managed to rebank his naq.
Now the ONLY reason I did it was 'cos he was being hacked at the time. This can be confirmed by admin when they see that I did nothing more than rebank naq, change password and log out and in again with the new password before logging out.
Re: i have been hacked
Posted: Tue Sep 23, 2008 4:12 am
by GeneralChaos
That sucks,
Just make it you can only be logged into your account from 1 location at a time, so if you're online playing and someone tries to get in it would tell them you're already logged in.
Another really easy solution to all this,
MAKE YOUR LOGIN NAME DIFFERENT TO YOUR INGAME NAME
Example
Login Name , absckd34242s
Ingame Name, GeneralChaos
And providing you don't tell anyone your login name they will never have access to your account, unless someone on the inside (dev/admin team) tells someone your name, or someone who has access to the server, and there are a few players I believe do, related to the IRC, not that they would do anything, but they still play......how secure are we again
Re: i have been hacked
Posted: Tue Sep 23, 2008 4:20 am
by Gandy 181
well here is what hap and thanks tek and zeek for explaining it, I was going mad and thought bout breaking my laptop
well my account went funny and I could not log in and it would not let me every time I tried. I was talking with tek online at this point and then she told me that I was out of the alliance and I am off ppt so tek tried loggin in for me, and then tekki was able to get in for me and change the password and bank the naq and then she has logged out, tek done nothin wrong apart from help a friend but I would like to find the C*** that has done this.
Re: i have been hacked
Posted: Tue Sep 23, 2008 4:27 am
by Defense-Forcefield
really hope all will be fixed !!!!!!!
Tekki, I don't think anyone will ask to ban u or gandy, this is due to admin problem, not your fault (I hope I speak in name of TJP)
"strongly thinking to sell my account before losing all uu, naq, merlins, ascension lvls,..."
dunno what happened to shornaal, but I really hope admin will restore oth account...
good luck gandy, and keep your laptop safe

Re: i have been hacked
Posted: Tue Sep 23, 2008 4:28 am
by Apogryph
Defense-Forcefield wrote:really hope all will be fixed !!!!!!!
Tekki, I don't think anyone will ask to ban u or gandy, this is due to admin problem, not your fault (I hope I speak in name of TJP)
"strongly thinking to sell my account before losing all uu, naq, merlins, ascension lvls,..."
dunno what happened to shornaal, but I really hope admin will restore oth account...
good luck gandy, and keep your laptop safe

what he said ^^
Re: i have been hacked
Posted: Tue Sep 23, 2008 4:31 am
by Noobert
I hope we can find these people who are doing this..

I also hope this can get quickly fixed. Like I said in the other topic, send a message to Clarkey and ask him to point Jason to these threads on Wednesday.

Re: i have been hacked
Posted: Tue Sep 23, 2008 5:12 am
by knight
GeneralChaos wrote:That sucks,
Just make it you can only be logged into your account from 1 location at a time, so if you're online playing and someone tries to get in it would tell them you're already logged in.
Another really easy solution to all this,
MAKE YOUR LOGIN NAME DIFFERENT TO YOUR INGAME NAME
Example
Login Name , absckd34242s
Ingame Name, GeneralChaos
And providing you don't tell anyone your login name they will never have access to your account, unless someone on the inside (dev/admin team) tells someone your name, or someone who has access to the server, and there are a few players I believe do, related to the IRC, not that they would do anything, but they still play......how secure are we again
You don't need the login name. You only need the first letter of the log on name.
Try it if you don't believe me. Instead of logging in as "whatever", try "w" and see if it lets you in.

Chaos and SGAW were changed to make you use all your login name (that's how I know about this before someone blames me for the hacks).
Re: i have been hacked
Posted: Tue Sep 23, 2008 5:47 am
by SlimD
110% agree with GC -- we need a different LOGIN name than "in game name" -- I understand what the 'DICE' do to help minimize bots or whatever logging in and banking.. but jeez this was too close -- they dropped his alliance and did all that? what a MESS!
ADMIN, Please consider doing something with the login process.. how can it hurt to force us to have a username different than ingame.. and no way to match the two?
As for someone trying to change his password.. I think Clarkey reported those emails were broken somewhere.. so the account would have been locked out.. had they tried to do that first (too bad too)
Good luck,
SlimD
Re: i have been hacked
Posted: Tue Sep 23, 2008 6:28 am
by Harlequin
SlimD wrote:110% agree with GC -- we need a different LOGIN name than "in game name" -- I understand what the 'DICE' do to help minimize bots or whatever logging in and banking.. but jeez this was too close -- they dropped his alliance and did all that? what a MESS!
ADMIN, Please consider doing something with the login process.. how can it hurt to force us to have a username different than ingame.. and no way to match the two?
As for someone trying to change his password.. I think Clarkey reported those emails were broken somewhere.. so the account would have been locked out.. had they tried to do that first (too bad too)
Good luck,
SlimD
Passwords at present are case insensitive. They need to be case sensitive. Adding a username different to an ingame name... this then becomes a second, easier to find out password. What's the point if it has been demonstrated that passwords can already be guessed or the security system bypassed?
The idea that those dice prevent bots from logging in is laughable. Anyone capable of writing a bot that can bank most certainly can implement a simple image manipulation and identification program - there are only 2 distinct images for each number, and 9 numbers. That means a computer looks at the images, compares each one against the possibles. Under amortized conditions, that's 54 comparisons. 0.1s? 0.01s? Probably even less.
The security system of sgw definitely needs reviewing, and these latest cases prove it. Will admin allow us to know in what manner the passwords are stored? How are things processed?
Good luck on getting this sorted out, too, Gandy.
Re: i have been hacked
Posted: Tue Sep 23, 2008 6:44 am
by Harlequin
SuperSaiyan wrote:Harlequin wrote: Will admin allow us to know in what manner the passwords are stored? How are things processed?
I certainly hope not, something like that should be for admin eyes only, not public knowledge as it's harder to break into a building with no blueprints

If admin has implemented the system securely, what has he got to fear? I recently made a website that required a login system - I'll stick it in a spoiler because I have nothing to fear from you knowing it...
[spoiler]After taking the passwords over an SSL-encrypted connection, I first performed a sha512 one-way hash of the text, then salted it with a randomly generated 6-letter string. This salted string was then hashed again using sha512. The salt and encrypted string were both stored in the database. Whenever someone logs in, take the password over SSL, sha512 the string, salt it with the salt in the database and sha512 it again. Compare it to the database stored password; if they match, then the user is verified. This is the highest degree of security currently attainable for a simple password-verification system. Most corporate websites use a similar system, with varying degrees of salting. After any password is done with, the memory is overwritten and then deallocated.
With this system, the weak point is then entirely on the users end. If they have a keylogger or a very easy-to-guess password then it's their own fault.[/spoiler]
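The store-and-verify flow described in the post above, as an added example that is not Harlequin's code or the game's: `legacy_hash` follows the post's steps (the way the salt is joined to the first digest is an assumption, since the post does not say), and `kdf_register`/`kdf_verify` show the same flow with a deliberately slow key-derivation function, PBKDF2-HMAC-SHA512, which goes beyond what the post describes because two plain SHA-512 passes are cheap to guess against offline. All function names and the sample password in the test are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string

SALT_LETTERS = string.ascii_letters   # the post's "6-letter string"
PBKDF2_ITERATIONS = 210_000           # assumed work factor for the slow variant


def new_salt(length=6):
    # secrets draws from the OS CSPRNG; random.choice would be predictable.
    return "".join(secrets.choice(SALT_LETTERS) for _ in range(length))


def legacy_hash(password, salt):
    """sha512 the password, salt the result, sha512 again (as in the post).
    Assumption: the salt is appended to the hex digest of the first pass."""
    inner = hashlib.sha512(password.encode("utf-8")).hexdigest()
    return hashlib.sha512((inner + salt).encode("utf-8")).hexdigest()


def legacy_register(password):
    """Return the (salt, hash) pair that would be stored in the database."""
    salt = new_salt()
    return salt, legacy_hash(password, salt)


def legacy_verify(password, salt, stored):
    # Recompute with the stored salt; compare in constant time so the check
    # does not leak how many leading characters matched.
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def kdf_register(password):
    """Same flow, but each guess costs PBKDF2_ITERATIONS HMAC-SHA512 calls."""
    salt = secrets.token_bytes(16)    # 128-bit salt instead of six letters
    derived = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, derived


def kdf_verify(password, salt, stored):
    derived = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(derived, stored)
```

Both verifiers compare the exact bytes typed, so a password differing only in letter case is rejected, which is the case-sensitivity asked for earlier in the thread.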