
This is PokéFarm Q, a free online Pokémon collectables game.


Account Breach incident


Niet [Adam]

Original post

Today we became aware of an individual who has breached a large number of accounts and stolen their things. Here's what we've done and what we're going to do.

Starting around May of this year, a user (who shall remain unnamed) began accessing accounts belonging to other people. As far as we can tell, their method was to seek out inactive accounts and guess at weak passwords. They would then siphon valuables from those inactive accounts, and then sell them to other players for USD.

We've been in contact with many affected users and we'll do what we can - although since most of the stolen items are now in the hands of innocent users, there's not too much we can do in terms of getting stuff back.

The following emergency updates have been made:

- The VIP list no longer shows how long a user has been offline for, instead just showing that they are indeed offline.
- When attempting to log in, an incorrect password entry will be logged. Not the "failed password" itself, just which account was attempted to be logged into, and when, along with an IP address to try and help track and identify abuse. While we are painfully aware of VPNs, we can still try to find patterns in behaviour to help prevent breaches.
- Failure to log in three times will result in a 10 second "timeout". Another failure and it's 20 seconds. The timeout grows quite rapidly until capping out at 2 minutes. This lockout is based on "target user" and IP address of the person logging in. Again, this does mean that VPNs could bypass the restriction, but you'd have to get a new IP address every time you try to log in, so that shouldn't be too much of an issue. The point is to make it significantly harder to brute-force access to an account by guessing passwords.

The thief has successfully profited in an amount exceeding £1,250, although it's impossible to determine the exact value as they sold the items to other players for money on PayPal. Due to this incident, we will be seriously considering whether RMT is something that should continue to be allowed. If we didn't allow RMT, then the thief would not have been able to profiteer from their endeavour. So we'll discuss this and get back to you with a verdict.
We have found no evidence of actual "hacking", just the breach of accounts with weak or re-used passwords. I'd like to take this opportunity to remind you to ensure your passwords are strong. If you aren't using a password manager, you really should. Most importantly, don't re-use the same password in multiple places - if another website gets hacked, any website where you used the same password is now vulnerable. You can change your PFQ password by logging out and using the "Forgot your password?" link on the login screen.

Okay, so - the decision has been made that the perpetrator is going to be named. We normally wouldn't do this as it falls under a manner of blacklisting which we are notably against - but this is a rather special situation. The purpose of naming this individual is so those that have been affected can make informed decisions moving forward, as there have been concerns expressed from people about having gained anything from this individual and some people expressing a want to return items if that is the case. Before I do say who it is, I just want to say upfront that I want to see no rulebreaking in regards to this. It is horrible, believe me, we know. But enough bad has been done as it is - we don't need to add more to that. This information is for the sake of providing information so that we can all move forward in a positive way through making informed decisions. For those who have been directly affected by this person, please feel free to contact the support centre and we'll work with you to do everything that we can. I'm going to place the username in a hidebox so that those who don't want to know don't need to and in the hope that everything is read before the username is seen.

username of the thief

Karenkhor
Hiding original post to get this message out, will likely un-hide it later. There are some people sending the perpetrator messages - in simple terms, there's no point. You're free to do so but you will not get anything back from this person as they are account-locked. If you were someone who had things taken from you, please contact the Support centre to contact a member of staff. We have a list of everything that was taken and we will help you.
Clip from Pokémon anime, re-lined by me
-- OMNOMNOM!
Featured story: Injustice Feedback welcome!
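
The login lockout and failed-attempt log described in the announcement above, sketched as an added example (this is not PokéFarm Q's own code). The three-failure threshold, the 10 and 20 second steps, the 2 minute cap, the (account, IP) key and the password-free log come from the post; the doubling between 20 seconds and the cap, and all class and method names, are assumptions.

```python
import time

FREE_ATTEMPTS = 3   # failures before the first timeout (from the post)
BASE_DELAY = 10     # seconds after the third failure (from the post)
MAX_DELAY = 120     # cap of 2 minutes (from the post)


class LoginThrottle:
    """Escalating lockout keyed on (target account, client IP)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # (account, ip) -> consecutive failure count
        self.locked_until = {}  # (account, ip) -> time the timeout ends
        self.audit_log = []     # (timestamp, account, ip); never the password

    @staticmethod
    def delay_for(failures):
        """Timeout in seconds triggered by the Nth consecutive failure."""
        if failures < FREE_ATTEMPTS:
            return 0
        # Assumption: doubling. The post only states 10 s, 20 s and the cap.
        return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS), MAX_DELAY)

    def retry_after(self, account, ip):
        """Seconds still to wait; check this before verifying any password."""
        return max(0, self.locked_until.get((account, ip), 0) - self.clock())

    def record_failure(self, account, ip):
        """Log the failed attempt and return the timeout it triggers."""
        key = (account, ip)
        self.audit_log.append((self.clock(), account, ip))
        self.failures[key] = self.failures.get(key, 0) + 1
        delay = self.delay_for(self.failures[key])
        if delay:
            self.locked_until[key] = self.clock() + delay
        return delay

    def record_success(self, account, ip):
        """A correct password clears the counter for this pair."""
        self.failures.pop((account, ip), None)
        self.locked_until.pop((account, ip), None)

    def distinct_ips(self, account):
        """Pattern check over the log: IPs that failed against one account."""
        return len({ip for _, acct, ip in self.audit_log if acct == account})
```

Because the counter is per (account, IP) pair, a failure from a new address starts at zero, which is the limitation the post acknowledges; the per-account view in `distinct_ips` is one way the failure log can still surface that pattern.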
SpoodleBug
yikes D: thank you for updating things noot
Avvy by SimonPetrikov
furina
this is really awful to hear... i'm so sorry for the ones who got affected by this breach. :( despite that, i really don't want RMT to go. it's only a select few that's ruining it for fair players... buying ZC directly from the site is already a pain as i can't use stripe and the paypal fees are bad. that's why people trade with each other. we should still find alternatives that allow people to use RMT while guaranteeing security.
forum avatar is furina from genshin impact
Ryko Seratuno
Hrm, well, this is a kick in the face to go change my password, wasn't affected in this instance but honestly I doubt my Password is all that hard to brute force.
Niet [Adam]

QUOTE originally posted by TESSA

we should still find alternatives that allow people to use RMT while guaranteeing security.
There is no such thing. I'll admit, I'm confused as to why people sell ZC for USD in the first place. Like... selling it cheaper than the site does makes no sense because you're deliberately losing value (you have 100 ZC, you sell it for less than £1 - and yes, $1 USD is MUCH LESS than £1). Selling it for more than the site does makes no sense because the buyer can just buy from the site. Seriously... why do people buy/sell ZC for PayPal when it's a bad deal for everyone involved? EDIT: Explanations from users have been very helpful to my understanding of this query. Thank you! ^^
ohush
please continue to allow real money trading! don't let a few bad apples ruin the whole bunch. :( i currently do not have a job and use PFQ as a way to make extra money by selling boxboxes and melans for paypal. it's one of the main reasons i play. i know many others who are in similar situations, especially with quarantine!
Kaolin
Yikes, it's unfortunate that the thief can't be slapped with more than a ban :/ I agree that I'd really like RMT to stay though, it's one of the biggest reasons this site is special for me. But I guess desperate times warrant desperate measures. @Niet, I believe some people don't actually ever buy ZC, and earn ZC from other players by trading other currency/items. Then by trading their earned ZC for USD, they're then able to extract some value (not all but better than nothing) from their gameplay when cash is needed for other things.
[ PFQ +12 | Works 9am-5pm Mon-Fri ] - Been a while, bear with me while I reacclimatise - Free Exclusive and Variant Exchange! Credits: Avatar | Signature | Banners
xie lian
oh mymy- am so sorry to the users affected by this :c i really thought my weak password was impossible for any adult to figure out... but i’ll change it!
avatar is official art from a project sekai card
× 0 / 50
(i am NOT collecting summons they just look cute)
Kinshine
Sea Glass speaks...
coded by water, art by CloverPatch
Gosh this is terrible to hear people are still doing this. I wasn't breached but to those who were I am so sorry T-T I am a bit sad that the vip is now being changed due to this because a lot of users use that to help sell / know time of when players have been on or not to send prizes and or etc. Without that I am going to have to resort to messy pms and tracking people on other sites / places to do my orders which feels like a pain. Because this allowed players to know who was inactive and not. But if someone is a hacker I can see how they can use that in a bad way so this just really sucks. I hope everyone will start making harder passwords. Is there a way to maybe when new players come on or even older players to have a way that forces them to make a heavy worded / numbered password so that no one could guess or hack it? That might help with situations like this / have security questions too if that makes it more protective but the only places I've seen do that are my bank and government stuff and this is PFQ but lol Thought I'd ask maybe if that could be implied. I still feel sickened that someone would do such a thing to any player that's active or not active. :( I am glad you all caught this and are taking action. Thanks for the update!

----

Also cause everyone posted before this... @TESSA - I agree with you it is not fair cause I feel we should be able to trade with players as well. @Niet - I do not know how to answer that but it could be because they don't have a credit card or can't do it through the site due to the fees or something. I get people to buy for me because can't do it myself but I do understand when people quit the site they may or may not want to sell their melans or items for paypal so that would be a reason for the ZC to Paypal exchange possible as well. Also players like myself trade for zc so one could also maybe make profit by selling their items for Zc then trying to get USD that way as well.

EDIT - Kaolin said it better than I did XD LOL
Avatar by: Nettle Bee | Pixel by: Bufuserk

QUOTE originally posted by Niet

I'll admit, I'm confused as to why people sell ZC for USD in the first place. Like... selling it cheaper than the site does makes no sense because you're deliberately losing value (you have 100 ZC, you sell it for less than £1 - and yes, $1 USD is MUCH LESS than £1). Selling it for more than the site does makes no sense because the buyer can just buy from the site. Seriously... why do people buy/sell ZC for PayPal when it's a bad deal for everyone involved?
I've seen people mass/bulk-buy when a sale happens and re-sell it then, or use the discounts you get for bulk-buying (£20 off) to make a small profit, so that would be my guess for why? I'd also really like to keep RMT too though - it's really not fair that one twisted user should and can ruin everything for the rest of us. Because what will happen to art shops, if RMT is disallowed? They can't accept real money anymore and get no real-world value, or will it just be disallowed for sprites?
Edited by Chronos
Edited by Me
Edited by Me
Edited by Me
Credits; Icon (see below), Signature
TCG Artwork
Icon is from the official Love Live School Idol Festival Mobile App <3

© PokéFarm 2009-2024