
This is PokéFarm Q, a free online Pokémon collectables game.

Single post in Account Breach incident

Niet [Adam]

Original post

Today we became aware of an individual who has breached a large number of accounts and stolen their things. Here's what we've done and what we're going to do.

Starting around May of this year, a user (who shall remain unnamed) began accessing accounts belonging to other people. As far as we can tell, their method was to seek out inactive accounts and guess at weak passwords. They would then siphon valuables from those inactive accounts, and then sell them to other players for USD.

We've been in contact with many affected users and we'll do what we can - although since most of the stolen items are now in the hands of innocent users, there's not too much we can do in terms of getting stuff back.

The following emergency updates have been made:

- The VIP list no longer shows how long a user has been offline for, instead just showing that they are indeed offline.
- When attempting to log in, an incorrect password entry will be logged. Not the "failed password" itself, just which account was attempted to be logged into, and when, along with an IP address to try and help track and identify abuse. While we are painfully aware of VPNs, we can still try to find patterns in behaviour to help prevent breaches.
- Failure to log in three times will result in a 10 second "timeout". Another failure and it's 20 seconds. The timeout grows quite rapidly until capping out at 2 minutes. This lockout is based on "target user" and IP address of the person logging in. Again, this does mean that VPNs could bypass the restriction, but you'd have to get a new IP address every time you try to log in, so that shouldn't be too much of an issue. The point is to make it significantly harder to brute-force access to an account by guessing passwords.

The thief has successfully profited in an amount exceeding £1,250, although it's impossible to determine the exact value as they sold the items to other players for money on PayPal. Due to this incident, we will be seriously considering whether RMT is something that should continue to be allowed. If we didn't allow RMT, then the thief would not have been able to profiteer from their endeavour. So we'll discuss this and get back to you with a verdict.

We have found no evidence of actual "hacking", just the breach of accounts with weak or re-used passwords. I'd like to take this opportunity to remind you to ensure your passwords are strong. If you aren't using a password manager, you really should. Most importantly, don't re-use the same password in multiple places - if another website gets hacked, any website where you used the same password is now vulnerable. You can change your PFQ password by logging out and using the "Forgot your password?" link on the login screen.

Okay, so - the decision has been made that the perpetrator is going to be named. We normally wouldn't do this as it falls under a manner of blacklisting which we are notably against - but this is a rather special situation. The purpose of naming this individual is so those that have been affected can make informed decisions moving forward, as there have been concerns expressed from people about having gained anything from this individual and some people expressing a want to return items if that is the case.

Before I do say who it is, I just want to say upfront that I want to see no rulebreaking in regards to this. It is horrible, believe me, we know. But enough bad has been done as it is - we don't need to add more to that. This information is for the sake of providing information so that we can all move forward in a positive way through making informed decisions.

For those who have been directly affected by this person, please feel free to contact the support centre and we'll work with you to do everything that we can.

I'm going to place the username in a hidebox so that those who don't want to know don't need to and in the hope that everything is read before the username is seen.

username of the thief

Karenkhor
Hiding original post to get this message out, will likely un-hide it later. There are some people sending the perpetrator messages - in simple terms, there's no point. You're free to do so but you will not get anything back from this person as they are account-locked. If you were someone who had things taken from you, please contact the Support centre to contact a member of staff. We have a list of everything that was taken and we will help you.
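The login timeout and failed-login log described in the original post, sketched as an added example (not PokéFarm Q's own code). The post states only the 10 s and 20 s steps and the 2-minute cap; the doubling in between, the reset on a successful login, and every name used here are assumptions.

```python
import time
from collections import defaultdict

FREE_FAILURES = 2    # the third failure is the first to trigger a timeout
BASE_TIMEOUT = 10    # seconds after the third failure (from the post)
MAX_TIMEOUT = 120    # cap of 2 minutes (from the post)


def timeout_for(failures):
    """Lockout in seconds after `failures` consecutive failed logins."""
    if failures <= FREE_FAILURES:
        return 0
    # Assumption: the 10 s -> 20 s step keeps doubling until the cap.
    return min(BASE_TIMEOUT * 2 ** (failures - FREE_FAILURES - 1), MAX_TIMEOUT)


class LoginThrottle:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(int)  # (target user, IP) -> failure count
        self.locked_until = {}            # (target user, IP) -> unlock time
        self.failure_log = []             # (time, target user, IP); no password

    def retry_after(self, user, ip):
        """Seconds still to wait; 0 means a login attempt is allowed."""
        return max(0, self.locked_until.get((user, ip), 0) - self.clock())

    def record_failure(self, user, ip):
        key, now = (user, ip), self.clock()
        self.failures[key] += 1
        self.failure_log.append((now, user, ip))
        wait = timeout_for(self.failures[key])
        if wait:
            self.locked_until[key] = now + wait
        return wait

    def record_success(self, user, ip):
        # Assumption: a successful login clears the counter for this pair.
        self.failures.pop((user, ip), None)
        self.locked_until.pop((user, ip), None)

    def sources_per_account(self):
        """Distinct IPs with failed logins per account, read from the log.
        Many IPs against one account is what per-IP timeouts do not stop."""
        seen = defaultdict(set)
        for _, user, ip in self.failure_log:
            seen[user].add(ip)
        return {user: len(ips) for user, ips in seen.items()}
```

Because the timeout is keyed on the pair of target user and IP address, the per-account view from `sources_per_account()` is what surfaces guessing spread across many addresses.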