Account Breach incident

Thank you for the info! i had no idea since i usually change passwords over time or diractly delete accounts when im not using sites anymore, guess i forgot some sites! Now i'll be able to solve that too, thank you!

If it hasn't been suggested yet, a stronger password system could make us incorporate longer passwords, force reset after 'n' days, and inability to reuse the last 'n' amount of passwords. Our company passwords reset after 90 days, require at least 16 characters with a special character and number, and you cannot reuse the last 10 passwords. Albeit that's excessive, it's government related and involves health information that's temporarily stored to their account so maybe a force reset after 180 days or so wouldn't be as nagging.

Aight I've been trying to stay out of this but just let me say... Dear god. please. no forced password resets. My anxiety is horrendous enough. x_x

What if you forgot what said password is, and that you have to reset it, or if you have a hard time memorizing things, like a random set of numbers/letters/symbols? You would probably have to write it down, and that's not good if someone else got a hold of said piece of paper and/or phone, and figure what it's for. Prefer not have to memorize a new password every 180 days.

Please read one of my previous posts. All that does is serve to confuse users on which password it is that they used.

Oh gosh, password expiration on a casual game site is not a good idea at all. Modern 2FA solves the problem much more effectively and with much less annoyance. Security professionals have studied this and concluded that password expiration is most likely a outdated concept for many use cases. People who are subject to frequent password changes are more likely to create worse passwords, and often make their passwords sequential in some way (ex: password1, password2, password3...) How would you even handle old users coming back with an expired password? If you allow them to reset it right then using the old password you have not prevented the attack that happened here. If you require email address involvement you end up with a lot more tickets when people can't remember which email they signed up with. Sorry for the TL;DR but I feel strongly about this.

Don't worry, I know all about password problems XD I'm investigating 2FA. Still can't guarantee it's happening but I like the idea.

I like the sound of 2FA, but I rather have how Blizzard has it, and you can have a phone number associated with said account, in order to have a second form of authentication. Again, I don't know how plausible it is on a website developer point of view, but that's my prefered way of a 2FA, as emails can be compromised much easier than a phone.

This is such a sad affair. I'm really disappointed that the person felt being malicious and shady was worth pixels on a screen. Personally I'm glad that they're blocked from using the site easily, as they've forfted their right to their "dream team". In regards to the password discussion, maybe rather than an expiration on passwords, a reminder to update/change your password can be implemented? I'm sure this event won't leave the site's collective conciousness, and giving one a reminder every 90 days would be helpful in securing one's account.

It was more than "pixels on a screen." they sure got a lot of money out of it sadly.