Account Breach incident

Ouch thats freaky not gonna lie. Imma go change my password now

It's so disappointed that someone would do this to take advantage of people's hard work for their own selfish gain, i hope people can find approapte help in this situation and if anyone wants to talk or vent i am here, I know what it's like to have someone take away your hard work or have someone take away your Pokémon. If anyone wants to talk im always here for you

I agree with D33RG0D5 in regards to the password thing. It really shouldn't be hard to make new passwords require say, a special character, number, and caps as well as be a certain length, et cetera. Could simply make that a new requirement and strongly recommend users update their passwords accordingly or risk the same happening to them. I admit, my password is extremely lax and it would never have been a possible password on any other site due to other sites' stricter password requirements. Everyone shouldn't be punished for the wrongdoing of a single user ;w;'

oof...I'm sort of sad about the VIP list being changed, but it's for the best! I've only bought ZC from the site once, but I don't think rmt should be removed entirely, users use it to make profit while unable to work irl. I'll just go change my password now-

To balance money. If I buy zc from the site to supply my hunts and then sell my extra melans or the currency I made from selling them, then I end up at zero or at least at less money spend. The same reason why people resell let's say books they've read. Sure thing, I payed 10 bucks for this and I sell it for 4, so I'm 'losing' money, but I'm not actually losing money. I got to read a book for cheaper than expected. People don't buy 100zc for £1 and then turn around and sell the same 100zc for $1 after all. At the end of the day the fact that a lot of people like this should be enough to show it's an important feature and a lot of people have opinions about this, even if you personally don't understand. Now to the main post. I'm really glad you guys (or just you?) caught this person, dealt with them and are trying to find ways to make things like this less likely to happen in the future. I think that's really important to keep things fair and enjoyable for the rest of the user base. I also think that there needs to be a balance between 'Making sure this does not happen again' and 'Making sure we don't take a lot of enjoyment away from the rest of the user base'. I know you always try to hit the sweet spot here and are willing to listen to us, which I really appreciate. Please don't make any decisions hasty and while (I assume, I know I have) having a lot of feelings about this. I know a lot of people will give their thoughts about RMT, so I want to touch on the online list. Personally I find that it's one of the most helpful qol features on here. There are a ton of reasons why it's been important to me to see (at least roughly) when someone has been online last. This mainly includes things like pm’ing mods, trades or raffles. Simply reporting someone does not help most of the time here. Unless there have been a ton of issues about this, I don’t think one person taking advantage of this, makes it reasonable to make away this feature for the rest of us. So, yeah, I hope you take some time to think everything through. Thanks for updating us on this

I don't think we'll be disallowing RMT but it's definitely something to discuss and talk about - maybe there is something we can figure out or do, but there's a point where you can't and for things like these you just yeet the offending person and pick up the puzzle pieces that they threw on the floor. Your art is your art - that's not RMT as that's you selling your product. Not ours. RMT is specifically about selling game-'content', (whether that's sprites for us or GP or credits) for irl currency. It's a common thing you can find in MMOs, especially WoW and FFXIV - they'll sell, for instance, Gold / Gil for a real money amount. But they don't allow it and thus the people caught doing that get banned, whether that's selling or buying. That is the atypical stance that Mass-Player games have. We differ from that and maybe that's a good thing? It might not be, too, but we're okay with what we have for the time being so that doesn't matter at the moment. That doesn't stop people re-using their passwords, Hayashi Rin, and that's the primary issue. I'd also note that requiring those things doesn't stop the following: Password1! ...Not very strong at all. Account security is very important and we've had an announcement about this in the past for a reason. Sorry - but "one" is not the number you're looking for x: Of course, no instance prior was like this.

have you thought of using 2FA?

Still stronger than "password" by a decent enough margin. There's a reason most sites have stricter password requirements, and if you wanted to make certain people don't reuse their passwords you could always have unique requirements such as requiring it to start with a number and end with a special character. Very easy to do using regular expressions in coding. "([0-9]{1})(?=.*[A-Z])([a-zA-Z0-9[\^$.|?*+()]{1,})([[\^$.|?*+()]{1})" I've seen sites with odd requirements like that, and they're often some of the most secure in terms of passwords. Not only that, but if it's an issue with people reusing passwords, could always do big bold red letters of "CAUTION" upon creating a password, reminding users that reusing passwords may result in them being hacked more easily should it happen, across all sites. There're a number of ways to make the passwords more secure, that was only one option ^^;

---

Edit: Agreeing with TESSA, and for those that don't know what 2FA is, it's multi-factor authentication such as requiring a password and a security code sent to your email. It can be a hassle, but it is often also an option as opposed to a requirement and is available for those that care more about their security. Edit 2: I guess Niet debunked the email issue, but it still remains as an option as opposed to a requirement for those that care about the security.

2FA is any two of the following: - Something you know - Something you have - Something you are "Something you know" is your password. "Something you are" is right out as that would involve biometrics or some other kind of personal tracking. "Something you have" would involve sending you a physical token of some kind, or implement some kind of third-party system (eg. to send text messages), or develop an authentication app (with all the problems that come with that). Anything less than this would not be "real" 2FA. Sending an email alert saying "hey is this you?" is NOT 2FA because what is your email secured with? Another password. So yes, we've thought of it. At length. We cannot implement it at this time.

Is it possible to instead of showing users as simply offline regardless of how long they have been inactive, to make it show offline for up to "1 week", after that it just shows ">1 week". That way such bad people don't know for how long they have been inactive (some users only log in once a week) but shop owners who offer hunt spots (boxes, S/A, Gems etc.) can still see if that person is actually inactive or just not currently online. Cause I really don't want to have to run after people that are actually inactive and wasting mine and everyone elses (on the hunt list) time D: It would also greatly help with dexing. QwQ Games like Shakes & Fidget do it that way (they show "last login 1 day/2days/>2days/1week/2weeks/>2weeks" and it stops at ">2 weeks") for PFQ would "1 week" be enough, it would really help A LOT