We know the accounts were reset after the original players contacted us to let us know through inter-alliance communication outside of Evony (personal email, Skype, Ventrilo, etc.). Also, the actual users were reset from X million prestige to 0 and their cities NPC'd. Added to that, the person who hacked the accounts moved the troops of the respective players, quit the alliance, then attacked until no troops were left (granted, only attacked nearby cities - probably for fear of the actual players logging on).
We reminded everyone of the dangers of weak passwords.
Our suspicion is that it was a key-logger. It also occurred to us that it could be Evolliance that was hacked - too often, our players had the same password for both accounts (Evony and Evolliance). (We have since forced password changes for everyone in the alliance in Evolliance.)
Most concerning is the slow response from customer service (now almost 2 months for the first player and a few weeks for the second) and that Evony may actually allow multiple attempts (i.e. apparently infinite attempts) to log into your accounts. I tested it with my own account, just typing in gibberish for the password; after 41 failed attempts and no impact, I logged in using my actual information - it didn't even give me an alert that there had been 41 failed attempts. I strongly recommend Evony have a 10 login attempt maximum before the account is suspended for a few hours, or something along those lines.
I had a web developer I work with look at the site as well; he indicated there are a substantial number of vulnerabilities, mainly tied to how much information Evony allows to be sent from the user unvalidated. It may actually be possible through the user interface to get information about another player - though he wasn't entirely sure on that point.
Again - I recommend everyone caution your players to use good passwords, change them weekly or monthly, not use the same password for more than one application, run virus and spyware scans daily (I also run on-access scanning just to be safe), and not share account information.
For Evony - please institute a password attempt maximum for all accounts and move more of the handling of information server-side rather than user-side. The game is left extremely vulnerable the way it is programmed - at some point the hackers will start targeting the game itself for hacking and DNS attacks.
Good luck everyone.
Felwred from Server N1
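The lockout policy the post asks for (a maximum of 10 failed attempts, then a suspension of a few hours, plus telling the player at their next successful login how many failed attempts there were) is simple to enforce on the server. The following is an added example, not Evony's code and not the poster's; it is a self-contained Python login handler that keeps the counters server-side so a modified client cannot skip them, and then replays the poster's experiment (41 gibberish passwords followed by the real one) against it. The account store, the hypothetical `attempt_login` API, the 3-hour lockout length and the fixed clock value are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy values assumed for the example (the post suggests "10 attempts" and
# "a few hours"; the exact numbers are a tuning choice).
MAX_FAILED_ATTEMPTS = 10
LOCKOUT_SECONDS = 3 * 60 * 60


@dataclass
class Account:
    """Server-side state for one account. Nothing here is sent to the client."""
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0          # consecutive failures in the current window
    locked_until: float = 0.0         # epoch seconds; 0.0 means not locked
    attempts_since_last_login: int = 0  # everything rejected since the last success


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so that a leaked store is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def create_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt=salt, pw_hash=hash_password(password, salt))


def is_locked(account: Account, now: float) -> bool:
    return now < account.locked_until


def attempt_login(account: Account, password: str, now: float):
    """Return (success, reason, failed_attempts_to_report).

    reason is "ok", "bad_password" or "locked". The third element is only
    set on success and is what the UI should show the player, which is the
    alert the poster noticed was missing.
    """
    if is_locked(account, now):
        # Rejected without even checking the password; still counted so the
        # real owner sees the full picture at next login.
        account.attempts_since_last_login += 1
        return False, "locked", None

    if hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
        report = account.attempts_since_last_login
        account.failed_attempts = 0
        account.attempts_since_last_login = 0
        account.locked_until = 0.0
        return True, "ok", report

    account.failed_attempts += 1
    account.attempts_since_last_login += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0   # fresh window once the lock expires
        return False, "locked", None
    return False, "bad_password", None


def replay_forum_test(password: str = "correct-horse", gibberish_attempts: int = 41) -> dict:
    """Replay the poster's experiment against this policy and summarise it."""
    account = create_account(password)
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    outcomes = [
        attempt_login(account, f"gibberish{i}", now=t0 + i)
        for i in range(gibberish_attempts)
    ]
    reasons = [reason for _, reason, _ in outcomes]
    locked_for_owner = is_locked(account, now=t0 + gibberish_attempts)
    ok, _, reported = attempt_login(
        account, password, now=t0 + gibberish_attempts + LOCKOUT_SECONDS + 1
    )
    return {
        "bad_password": reasons.count("bad_password"),
        "locked": reasons.count("locked"),
        "locked_when_real_user_tries": locked_for_owner,
        "real_login_after_lockout": ok,
        "failed_attempts_reported": reported,
    }


if __name__ == "__main__":
    print(replay_forum_test())
```

With this policy the 10th wrong password trips the lock, the remaining 31 attempts are rejected without a password check, and the real owner is told about all 41 at the next successful login. The caveat a practitioner would raise: a per-account lockout is also a denial-of-service lever (anyone who knows a username can keep the owner locked out), so in practice it is combined with per-source throttling or a CAPTCHA step rather than used alone, and the lock duration is kept modest.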