[POE2: EA] Final Update on the Hack

Nah, mindless fanboys will justify everything. If it was every other arpg, fanboys would have already buried them alive.

I think all we have is speculation at this point till GGG releases a statement (if they will).
Tbh, I'm pretty chill about it. All I essentially lost was a mirror and 150 divs and (thank god) my characters can still play.
I'm no holding my breath for GGG to talk about this issue and I'll be moving on to do other stuff.

that is cope anyone who gets hacked is doing one of these 3 things and then they cry they got hacked
1. used RMT site
2. downloaded some kinda overlay program for PoE 2
3. clicked some fishy link he thought isnt fishy

I didn't start the conversation with accusations.
I started by saying hi and wanting to start a conversation. He didn't reply (for 15-20 minutes).
When he didn't respond I figure the only way to actually get him to say something is to say something provocative to see if it would trigger a response and it did. (which is why you have this video)
I stated throughout this video that I'm not sure if its him. I only stated my suspicions and the likelihood that it could be him.
I do NOT condone that viewers take things into their own hands, if they do so its their decision to make and hence their consequences to bear (if any). My only role here is to provide information into my problem and my own investigation into that problem. I don't want or expect other people to do anything about a problem that is clearly mine. My objective here is to investigate my account breach and document it, not start a witchhunt. Hope this is clear.

@@Uberjager Yo mate, dont take this as me making a harsh judgement. What you did was totaly within the limits what what is or what at least should be considered reasonable actions of someone affected by illegal actions of another. They fucked with your shit. No one likes that to have happen to them. I sympathize with your situation first and foremost. It was just me saying his reaction is somewhat understandable and non-sussy as "the kids" would put it these days. I hope they catch the bastards doing this, I hope some small measure of ... restitution or "satisfaction" can be given to you folks who got their experience ruined. Hope you are well personally. Godspeed.

@@Rakschas666 hey np dude. just explaining my stance and point of view. Have a good day ahead!

No idea. Just waiting for GGG to do an investigation.

Session ID in PoE is an unique account key for the API and the site. It is unknown at the moment, how they get into account without changing password. But, in theory, someone can access your account on site with knowledge of session id. Perhaps, it is a vulnerability in API from GGG side.

I haven't read up on this in particular but it sounds like some client side exploits I'm familiar with.
Basically, many sites after you use your password create a session key or cookie to store what is used to access your account.
This usually has a time out but is stored locally in your browser to give you access for a period of time. It's not your "password" but usually some kind of hash created with your password and a salt or something that can be verified by the website.
Because these are stored locally in your browser and in traffic they can be stolen if someone has either access to your browser or unencrypted traffic.
You can then replay this traffic with tools like burpsuite to gain access.
Again, I'm not familiar with the situation but this is what it sounds like you were asking about. I am a security researcher though, so I'll try to look into what's been happening

@@beta_J yes, you can gain access to account with session id in browser, but how do they access the account in game without changing password and going through geo-lock? This is really weird.
Also, this is a major problem, but GGG is dead silent on this. Something really bad going on behind the scenes.

​​ I read a reddit account of someone that logged in on an account and get access to other player(not his own), it's replicable up to 3x and it's actually a known poe1 bug. If the hacker is able to exploit the bug in a controlled manner, it's possible that he got access to other player account by passing login and steam accounts. The way he targets accounts probably have something to do with how the trade website works.

​​
Here's from reddit :
#1
So earlier I log on one of my character and when i log off to switch character, the character selection was someone else. I thought it was a visual bugged, so I log in on one of his character and it was another person account. I didn't do anything on it, just run around a bit feeling confuse then got Dc as he logged back on.
#2
just happened to me too. i was switching characters and the character list had someone elses names. i logged in and was able to look into their stash.
i had to log back to title screen to get back to mine

Well all I can say is my role here is to conduct my own investigation (since GGG has not responded) and that this is the result of my investigation.
I'm not in any way telling other people to take things into their own hands, I have no interest in vigilante justice. If other people want to do that, that's their decision and they have to deal with the consequences of it themselves. I strongly advise that everyone not do anything (since this is my problem, not theirs) and my approach is to let GGG handle what is clearly a GGG problem at their own time and pace.

Of course it's all fueled by RMT

same

Haha I honestly expected him to never respond.

@@Uberjager god dammit, I was hoping your wife was selling divines :( would make for a cool story