Cyber Security, it’s not a game

I’ve been playing a fair bit of OSRS lately and loving it. The game takes account security pretty seriously and even has a quest/achievement where the quest answers are all about account security, and to unlock the final reward, a pair of gorgeous rainbow boots, you need to set up an authenticator. I have one set up on WoW and I really wanted the boots, so I was more than happy to set it up to keep my account safe.

Fast forward to tonight and I try to log in and the game wants my authenticator details, which was odd as I had just re-entered it 4 days ago (the game makes you refresh your auth code every 30 days or so), and after a few false attempts where it wouldn’t recognize my code I ended up logging onto the website and disabling my authenticator to be able to log in. Only to find that in the 18 hours or so I’d been offline, my toon had been logged into from somewhere else, all my gold taken and all her armor, gear and items sold on the auction house, and that gold transferred too. Pretty fucking devastating initially and then incredibly scary as I backtracked through what had to have occurred for my account to be hacked through an authenticator.

Was it 100% my fault? In a nutshell yes. Let’s backtrack 4 days ago.

OSRS wanted me to update my authenticator code. In the last 30 days, I had got a new phone and hadn’t got around to putting the authenticator on it. So I decided rather than go turn on and probably charge my old phone, I’d just add the authenticator to my new phone. But it wasn’t that simple getting the authenticator to recognise being loaded onto a new phone as I already had an authenticator set up elsewhere, so I logged into OSRS and disabled my authenticator. While having issues receiving the emails saying I had enabled/disabled the authenticator, I mucked around with my email settings and… disabled the 2-step verification I had on my email account. For god only knows what reason I thought this was needed, but I did (Mistake 1). {Just in case you don’t know, 2-step verification means that if someone tries to log into my email, even with my password, it sends me an SMS with a code I need to enter before I can access emails.}

I got the authenticator working on my phone and re-enabled it on my OSRS account but, in my excitement to get into the game or the dead-tired brain fog from a stupidly busy day or whatever, forgot to re-enable 2-step verification (Mistake 2). Pay attention to my stupidity in that one step there.

The next morning, rushing out the door, I noticed I had an email saying someone had tried to change the security questions on my Mojang (Minecraft) account. I hadn’t logged into Minecraft for years and I brushed it off, not thinking it through far enough; changing my security questions probably meant they had gotten into my account, and I promptly forgot about it (Mistake 3).

2 days later (today), someone tries to change my password on Riot Games. I didn’t see this email as I’m stupidly busy at work and never get a chance to look at my phone to see emails anymore. Then 5 hours later, I find myself staring at a cleaned-out toon and coming to the realization that what has most likely happened is someone has hacked my email account password and lifted details and game logins. And here’s another mistake: I was rather lazy with my gaming email account, and games and a number of other accounts typically had the same password, so once they had one, they probably didn’t have to work hard to get the others.

It is fucking scary not really knowing what was read in my emails, or whether someone just used my email account to change passwords or rifled through all the emails and pieced together more information and website logins than I can even realise yet. And with the lovely helpful interconnectivity of my Google account and it wrapping its little Google fingers into everything I do, the amount of information a simple Gmail account could bring to a person’s fingertips is downright scary.

I’ve spent the last few hours changing every password I can think of to many varied and random ones and running my anti-virus through multiple virus scans just in case the first 1, 2 or 3 missed something.

There are so many questions this brings. Where were my account details taken from? It was my Mojang account, which I never use, that was accessed first; how did that lead to my OSRS account getting cleaned out? Did someone systematically go through emails to find links to games?

The only place I’ve ever entered my OSRS account details into is the official website. I’ve never bought gold, the relatively small amount of gold they took was from levelling professions and selling as much as I could. And the one question I really can’t wrap my head around, is why after hacking my account would they re-enable an authenticator and where did the emails saying my auth had been disabled and re-enabled go? I can’t find any history of them even in my deleted items.

It’s a strange and scary place I feel like I’m sitting in right now. I hope to god I take this lesson to heart and don’t brush off cyber security, because living with so much of my life online in various websites and accounts, it scares the hell out of me not knowing what information might have been touched.

13 thoughts on “Cyber Security, it’s not a game”

  1. I am so sorry to hear that Zeirah, that must be very upsetting. I hope the damage done is worse in your head compared to reality /fingers crossed.

  2. I’m so sorry to hear that :/

    I go full psycho with cybersecurity, going as far as keeping several email accounts all compartmentalised. The email associated with my WordPress account was a new one created just for this purpose. Even my USB pens are encrypted.

    Before resetting any passwords you should make sure to add more security steps to your accounts.

    Judging by the MO, they were after your gaming stuff. If you had any past emails from banks or similar things like shopping accounts associated with credit cards, contact your account manager so they are on the lookout for suspicious activity (a friend of mine once was contacted because “he” was apparently trying to buy a several thousand euro watch on the other side of Europe). Be extra careful if you had any personal information on emails like home/work address.

    Never, ever, ever disable authenticators. They will not interfere with any email reception, trust me.

    The first thing someone tries once they get into an email is the same password or password type on all associated accounts. This can even be automated via software.

    I hope the scare has passed, and don’t forget that data protection is the first door and window to our “home”, so make it as secure as your doors and windows 😉

    • I was incredibly lax I think when it came down to it. I ended up coming to the realisation that it probably was more serious than an email hack because I don’t think my authenticator on the game was disabled, which meant it was someone accessing the game via my PC. I decided to do a full format of my drives and a fresh install of Windows, only backing up photos. That should have got rid of anything that was on my machine and I’ll be a lot more careful moving forward.

  3. Oh no! I hope they didn’t take too much! Hopefully you still had your authenticator in place on WoW; it would be devastating to lose all of your stuff there. Let me know if I can help out at all.

    • WoW was fine because I do have the authenticator, yay. Best piece of hardware ever. I reinstalled Windows though, did a full format of all my drives and only backed up photos, so I have no addons or anything atm, starting fresh with remembering what I had in place.

