Account Breach incident

Shouldn’t we contact Paypal and ask them who did it?

Firstly, I'm honestly so disgusted in people who think this sort of behavior is okay. It really isn't and I really hope I never bought from that user in the past. Secondly, for those worried about weak passwords, I really recommend what Niet said about using a password manager. I use Chrome for my internet browser and whenever I want to make an account on a site I'm registering on for the first time, Chrome's password manager can make an automatic password made up of numbers, letters, symbols etc. And then all you need to do, to log in to the site is let it autofill the password for you, so you don't need to remember the one it generated for you. It's a lot safer than using something like "password1" or something that can be easily guessed at.

this is probably a no-brainer, but: the person responsible for this has been suspended, right? i wouldn't rest easy if this person was still among us...

I was probably one of the first accounts affected, and I'll take total blame for it for overusing a weak password. But if it wasn't for someone asking if I had lost a certain Pokemon Which happened to be a misplaced dex-trade, so double win I wouldn't have known, since nothing big was taken. A month of HM I had forgotten I had, a Shiny Charm, and some random albinos from my gumbled up storage fields and my hunt extras fields. I would have noticed the missing albinos and Shiny Charm at some point (I know I have exactly 35 Charms and I fill my storage fields in numerical order), but it would have been too late at that point, since I got everything back because of my trade history. Since it seems like nothing can really be done to protect accounts on the password side outside of using a stronger password, I was thinking a notification Probably an optional one could be added that would tell you when your account was last used, either when logging in or when reloading a tab that had been open for awhile. Maybe give the IP address of the last log-in and your current one to help. Maybe have it be non-optional, but only show up when your current IP address is different from the last used IP address? I don't know how feasible that would be coding wise, but if it's possible, it seems like a useful feature. Since prevention seems to be something that can't get an update to help, then an alert system would be the next best thing, since as I mentioned earlier, I wouldn't have noticed the breach in time without the alert I got from another player. On another note, and I don't know how this factors into the adversion to sending an email for 2FA, but maybe we could add a notification email, like many other sites use, that will send you an email whenever a new IP address is used to access your account. It'd be similar to the other feature I suggested, but there's never too many alarm systems if it can help protect something you worked hard to get.

Maybe change the login system? Instead of using your username and password *that you have now changed* You use your accounts email and password? I can't look at Garth's profile and be like "awe yeah, his email is ×××××÷×@%%%.com" I'd have to guess it. A lot. Or be told it Another alternative: Login name Password And your sitewide username. Ie: ShiroUsagi - login name ××××× - password Bo-mi - username

Thanks for telling us Niet. Just changed my password to be save. As for 2fa would it be possible to use the google authenticater? Cause that way unless the person can somehow find the corresponding mobile device and get into it to grab the code even if they get the password they can't do the code part. Unless they are the phone owner of course. X3

I wouldn't be against either requiring your email address or a 2nd username to log in. There's no way, that I know of, to find out someone's email from their PFQ account without someone telling you, so it'd probably be one of the easiest things to implement without big changes. PFQ already gives every account an ID number that not even the accountholder knows except in certain situations. The log in could be changed to require email, password, and the hidden account ID (Or a 2nd ID could be generated to keep the first hidden still). That would make it much harder than just guessing passwords for a certain username.

Why not make all passwords to include at least 8 digits, 1 small letter, 1 big letter, 1 number and 1 symbol (like !/$) that System is commonly used and would make a "password" or"123" into a "Password1!" which is (still not the best) but already significantly better than a simple "password"

This was already talked about It doesnt stop someone from being able to do something like Password1$

Garth responded to that suggestion a few pages back, and my interpretation of what he was saying is that yes, it would force stronger passwords, but it doesn't force a strong password, so it's not worth the time to implement. Since this idea got brought up multiple times, it can be assumed that using numbers and special characters in passwords to make them stronger is common knowledge for the most part, so most people will probably use them even without being forced to, thus making that updated pointless. A password is like a door. A weak password is like a Japanese paper door, while a strong one is like a steel bank vault. Even if the door was required to use steel, there's nothing stopping it from being a paper door on a steel frame. It fits the requirements, but it doesn't make the door any stronger. Or a 3 number combo lock vs a 4 number one. More numbers is harder to crack, but nothing's stopping you from using 0000 instead of 000.