Will hacked accounts ever be compensated?

Discussion in 'Closed' started by Jooon, Aug 23, 2021.

  1. Jooon

    Jooon Donator

    Joined:
    Mar 5, 2015
    Messages:
    2,230
    Likes Received:
    13,504
    Location:
    Ulu1
    IGN:
    Shinsoo
    Level:
    200
    Guild:
    Rogue
    Apparently "some" are not.

    https://royals.ms/forum/threads/hacked.184878/
    https://royals.ms/forum/threads/all-valuables-stolen-from-account-with-the-recent-breach.185036/
    Just to link a few.

    On the 9th of February, a good amount of accounts security has been breached by "Credential stuffing".

    https://royals.ms/forum/threads/account-security.184904/


    Q: Will hacked accounts be compensated?
    A: While using secure account details for MapleRoyals that you don't use elsewhere online is the responsibility of the user, we are exploring recovery options to help our players that got affected by this large scale operation.
    -
    As the Admins have restored the accounts that were accessed by the malicious users back to a state before the malicious users logged in on them to restore your mesos and items, please login to your account to check if the items are restored successfully.

    Edit to include quote by Admins:
    We have changed your password for your own protection. We won't provide this password to you.
    In order to play again you need to:
    - Go to www.royals.ms/controlpanel and choose the 'FORGOT PASSWORD?' feature to reset your password by email (keep in mind the control panel is case sensitive). Do not set your password back to what it was before.
    - Log in on the control panel with the new password you registered and reset your PIN (email verification is required for this step which is also done in the control panel).
    - You should now be able to log in on the game client and set up your new PIN to then start playing again!

    If your account was not restored, please post details of the items you have lost so far and I will forward them to the Admins for confirmation

    --------------------
    This was actually commented on several character issues that accounts have been properly rolled back, yet a few examples from the players are

    Now after a good 6 months of investigation (Feb 9 - Aug 23), a clear cut reply from the staff is
    "Hello, unfortunately we cannot take responsibility for issues related to a player's personal account security and cannot assist with recovering your stolen items. I'm really sorry that we can't do any more for you in this situation."

    • Players are affected, years of effort are gone?
    • These gears are pumped into the hacker's account. Are they actually properly banned and confiscated, or are they leaked into the market? & if they are taken care of, why is the server not returning the items to the players? You guys have the login logs at least.
    • Another hacking situation is bound to come, sooner or later if mapleroyals does actually want to operate for another 8 years, and yes it affects more players perhaps even you and me.
      Will our effort be refunded, or will it result like our current affected users, who waited for 5 months and were replied with a disappointment?
    To be honest with things, I'm disappointed with the results of this issue, I'm very sure affected players are devastated to hear this, who knows how many more players are affected.
    If players are hacked because they shared their password openly, be it past private servers which allowed account sharing which is one of the usual cases, then I'm sure we can agree that it's their fault, but this was a brute force attack, affected users really can't defend against it huh?

    For non-affected users: refusing to roll back is a server decision, sure. Not being able to showcase the security of our accounts & efforts is another. Please set up at least a strong PIN/PIC.

    -
    For that staff who reads this, I'm very sorry to you who worked hard, very hard, to resolve this issue. Yet here I am stating things in a very crude way, with 0 intention to defame the staff, but I can't unsee what I'm seeing.

    It seriously seems like you guys are just sweeping things under the rug after 6 months.
    What I see here from MapleRoyals is what all companies that fall victim to a breach would do: try to bury it and move on without losing the player base's integrity.
    I'd be very thankful if any staff with appropriate power can make an announcement & reply with the reason why MapleRoyals are unable to return these gears.
     
    Last edited: Aug 23, 2021
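The "credential stuffing" the post refers to (a script walking leaked account/password pairs, one or two tries per account, which the thread later says also rotated its IP) leaves a trace in login logs that is quite different from a brute force against one account, and that a per-account lockout never sees. The following is an added example, not MapleRoyals code or anything the staff posted: the log line format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Spot a credential-stuffing run in control-panel login logs.

Added example, not MapleRoyals code. The log format is an assumption:
    <ISO timestamp> <client IP> <account ID> <OK|FAIL>
The sample lines below are constructed; nothing here talks to a real server.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a quiet hour of normal logins, then a burst in which
# one script tries a leaked password per account (about one attempt each) and
# moves to a fresh source IP every three requests.
SAMPLE_LOG = """\
2021-02-09T01:00:05 203.0.113.10 alice OK
2021-02-09T01:02:11 203.0.113.11 bob FAIL
2021-02-09T01:02:20 203.0.113.11 bob OK
2021-02-09T01:10:00 198.51.100.7 carol OK
2021-02-09T02:00:00 192.0.2.1 acct0001 FAIL
2021-02-09T02:00:01 192.0.2.1 acct0002 FAIL
2021-02-09T02:00:02 192.0.2.1 acct0003 OK
2021-02-09T02:00:03 192.0.2.2 acct0004 FAIL
2021-02-09T02:00:04 192.0.2.2 acct0005 FAIL
2021-02-09T02:00:05 192.0.2.2 acct0006 FAIL
2021-02-09T02:00:06 192.0.2.3 acct0007 FAIL
2021-02-09T02:00:07 192.0.2.3 acct0008 OK
2021-02-09T02:00:08 192.0.2.3 acct0009 FAIL
2021-02-09T02:00:09 192.0.2.4 acct0010 FAIL
2021-02-09T02:00:10 192.0.2.4 acct0011 FAIL
2021-02-09T02:00:11 192.0.2.4 acct0012 FAIL
"""


def parse(log_text):
    """Turn log lines into (timestamp, ip, account, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def find_stuffing_windows(events, window_minutes=5, min_accounts=8,
                          max_tries_per_account=2.0):
    """Bucket the log into fixed windows and flag windows that look like a
    stuffing run: many distinct accounts, each receiving only one or two
    attempts (the attacker already holds a candidate password per account).
    A brute force against one account has the opposite shape and is caught
    by a per-account lockout instead. Thresholds are assumptions."""
    buckets = defaultdict(list)
    for ts, ip, account, ok in events:
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        buckets[start].append((ip, account, ok))
    flagged = []
    for start in sorted(buckets):
        rows = buckets[start]
        accounts = {a for _, a, _ in rows}
        if len(accounts) >= min_accounts and len(rows) / len(accounts) <= max_tries_per_account:
            flagged.append({
                "window_start": start,
                "attempts": len(rows),
                "accounts": len(accounts),
                "ips": len({ip for ip, _, _ in rows}),
                # successful logins inside the burst: reset these passwords and
                # feed them to the rollback query, they are the compromised set
                "compromised": sorted(a for _, a, ok in rows if ok),
            })
    return flagged


def ips_touching_many_accounts(events, min_accounts=3):
    """Secondary indicator: source IPs that tried several different accounts.
    Rotation keeps each IP's fan-out small, so this alone is easy to evade."""
    seen = defaultdict(set)
    for _, ip, account, _ in events:
        seen[ip].add(account)
    return {ip: len(accts) for ip, accts in seen.items() if len(accts) >= min_accounts}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for w in find_stuffing_windows(evs):
        print(w)
    print(ips_touching_many_accounts(evs))
```

The window-level signal (many distinct accounts at roughly one attempt each) survives IP rotation; the per-IP fan-out count does not, which is why it is only a secondary indicator here. The accounts that logged in successfully inside a flagged window are the ones to force a password reset on and to include in a rollback query.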
  2. Myoni

    Myoni Donator

    Joined:
    Jan 28, 2018
    Messages:
    451
    Likes Received:
    689
    Location:
    USA
    IGN:
    Myoni
    Level:
    2OO
    Guild:
    Shark
    Thank you for making this post. I was not directly affected by the breach but a good friend of mine was. He would constantly tell me how much he wanted to return to royals but he was afraid he would mess up his account logs and make it impossible to roll back. He hasn’t logged in since the attack (besides once or twice to check his inventories) just so that the admins wouldn’t have any excuse to deny him. Then, after 6 months of a supposed investigation, every player is hit with a blanket no. What was happening during those 6 months? Was there even any kind of investigation into these accounts or was staff just hoping players would forget?

    Clearly some kind of mistake was made either with restoring every account or with pinpointing the start of the attack because there are way too many players affected for this to be a coincidence. The staff took a stance by rolling back (some of) the accounts of the attack and therefore I think it’s their responsibility to do it correctly and remedy every account.
     
  3. Jooon

    Jooon Donator

    Joined:
    Mar 5, 2015
    Messages:
    2,230
    Likes Received:
    13,504
    Location:
    Ulu1
    IGN:
    Shinsoo
    Level:
    200
    Guild:
    Rogue
    If staff thinks this is not supposed to be here please remove it.
    upload_2021-8-23_23-3-34.png

    The above is to a certain staff.

    upload_2021-8-23_22-55-28.png
    upload_2021-8-23_22-56-12.png
    upload_2021-8-23_22-57-3.png

    upload_2021-8-23_23-6-6.png

    I do understand when it comes down to illegal & RWT players, they have to be banned,
    and yes the staff gets lots of hate for it, seems like everyone wants Tim's neck huh.
    and yes Tim works really hard for this server. please appreciate him.

    But this happens when they get upset and attack our server, be it DDoS-ing or whatever nonsense you see above.
    -
    Players with a cyber security skillset just PMed me and I'm just quoting their words.
    • Cybersecurity is that whenever a data breach happens, it's 99% of the time a flaw in the company's security
      company = royals
      and whenever they make a public statement to address it, they're saying some BS to hide the real facts which is what royals is doing here, in my eyes

    • Not our fault not a security breach on our end except allowing brute force login attempts through another faulty control panel exploit ** @affected users if it is indeed a faulty control panel exploit, you guys deserve all your gears back.
    Still, not sure if this is true, sure correct me if I'm wrong, but the control panel could (past tense) be easily brute forced. Usually, if you input 5 invalid attempts, it kicks you out and bans the account for 10 mins, but I think hackers bypassed that and just used a bot to continuously trial-and-error every single possible combination. It better be fixed if it's true.
    -
    The fact that Whiskey said "i'm going back, harder this time" just raises a lot of questions as to the future of our security system, I'm just glad it was only a single wave of attack.
    Yeah, we all know in 2023 or 2024, hackers are easily gonna be more powerful than they are now.
    Our items have value in dollars, and we cherish them, yet it's just all dollar signs out of MapleRoyals. Our server economy was built over many years, and it has a chance to be destroyed.
    can we seriously just believe the announcement that it's alright and simply leave it as it is?
    That it might be just merely poor account security?

    Our account and equipment matters, every single one.
    The economy we built over the years matters.

    Perhaps another thing to add to the feedback.
    It's not a matter of: what's going to happen IF a breach were to happen again?
    The main concern: are we even prepared for WHEN it's going to happen again?
    -
    Should we roll back every time this occurs? Or would the players who draw the short straw simply leave the server?

    Currently, if you draw the short straw, you leave or rebuild. simple as that.
    I don't think that's okay, and seriously that is not okay.
     


    Last edited: Aug 24, 2021
    Skoyi, MoriForest, DayHime and 36 others like this.
  4. Hwaiting

    Hwaiting Donator

    Joined:
    Oct 10, 2015
    Messages:
    456
    Likes Received:
    449
    Gender:
    Male
    More options of two-factor authentication would be a good start.
     
    nut and Jooon like this.
  5. nut

    nut Donator

    Joined:
    Jun 9, 2020
    Messages:
    2,064
    Likes Received:
    3,907
    Gender:
    Female
    IGN:
    nutleafcity
    Level:
    poo
    As someone who thanked staff for their work on the breach in my thread here (I still have the same sentiment), I'm disappointed to see the outcome of the investigations, and I'm sorry to those who suffered. Also, I wish at the very least an announcement had been made before or concurrent with these posts and closures of the character issue threads, so the "swept under the rug" thought is understandable from players.

    I don't think your post is crude. It asks necessary questions that I hope we can gain some clarification on soon, and it's the best use of this section.

    Quite frankly, we are all thinking the same thing after seeing these results, so someone has to say it.
     
    mutism, Donn1e, ilyssia and 2 others like this.
  6. ilovebacon

    ilovebacon Well-Known Member

    Joined:
    Feb 7, 2021
    Messages:
    142
    Likes Received:
    115
    Gender:
    Male
    Location:
    臺南
    IGN:
    LEVEL200
    Level:
    200
    Guild:
    MAX
    just item lock your items
     
    JuliusOmega and HikariNoPuri like this.
  7. ImVeryJelly

    ImVeryJelly Donator

    Joined:
    Jun 20, 2016
    Messages:
    1,056
    Likes Received:
    2,341
    Gender:
    Male
    IGN:
    ImVeryJelly
    Level:
    201
    Show me a pic of you item locking a item.
     
  8. OneHashim

    OneHashim Donator

    Joined:
    Aug 19, 2017
    Messages:
    208
    Likes Received:
    445
    Gender:
    Male
    Location:
    Canada
    IGN:
    Hashim
    Level:
    200
    Guild:
    Rice
    This far after the incident it doesn't look like there will be compensation for those who haven't already been compensated, and if I was in that position I would probably just quit... If items aren't being returned, then they must be just hitting the RWT market right?

    The best we can hope for now is better security and other ways to protect high value items.

    Multiple security breaches could very well kill this server. If not enough people are hit at once to justify a mass rollback and not everyone is compensated, all we do is bleed players. And security breaches are inevitable.
     
    Donn1e, S0Y and Jooon like this.
  9. ilovebacon

    ilovebacon Well-Known Member

    Joined:
    Feb 7, 2021
    Messages:
    142
    Likes Received:
    115
    Gender:
    Male
    Location:
    臺南
    IGN:
    LEVEL200
    Level:
    200
    Guild:
    MAX
  10. patnais77

    patnais77 Well-Known Member

    Joined:
    Jan 16, 2018
    Messages:
    146
    Likes Received:
    842
    Gender:
    Male
    One of the reasons is simply because they don't even have the logs to verify what a player had in his/her inventory before losing their items/gears. As far as I know, all the items that were given back (in all situations in character issues over the years, not only the one mentioned in this thread) were given back simply because players were not asking for too much, and they trusted the players with their screenshots and such.
     
    Aeronautics, bom3, Alpine and 9 others like this.
  11. RareCandies

    RareCandies Donator

    Joined:
    Sep 27, 2015
    Messages:
    198
    Likes Received:
    227
    Gender:
    Male
    IGN:
    RareCandies
    Level:
    200
    Guild:
    Boba
    So quoting TimK in the Announcement thread of the security breach:

    So my question is, what happened?
     
  12. onekeystory

    onekeystory Donator

    Joined:
    May 4, 2019
    Messages:
    461
    Likes Received:
    963
    Gender:
    Male
    IGN:
    Raffinato
    Level:
    200
    Guild:
    Savior
    Maybe it's time to advise players to use more complex passwords (with symbols) to strengthen their accounts. It will be much harder for attackers to brute force, I think.
     
    Jooon likes this.
  13. Gellyroll

    Gellyroll Well-Known Member

    Joined:
    Jan 28, 2018
    Messages:
    151
    Likes Received:
    457
    IGN:
    xCintare ღ
    Level:
    200
    Guild:
    Savior ღ
    Closed - Hacked | MapleRoyals
    Apologizing for my use of language if it was too strong, but I would really like justice for my friend and for everyone who did not receive their items back and got their threads closed. It was an announcement that everyone who got attacked hoped for, and yet not everyone has received their items. Some just received an apology message, and while a response is still better than none, it's still not quite helpful, because that announcement was like a promise to the players to get their items back. "We cannot take responsibility for issues related to a player's personal account security and cannot assist with recovering your stolen items" I would have found this valid if this wasn't related to this incident, but you spoke about it to help the players. I know it's hard to help everybody, but it's just really unfair for the ones that didn't get the help and have waited for a very long time. :( As Jooon said:
    It is not okay. Why would you want some of the players to choose with these two options when others had a third option? I know it's not a simple task and It's a huge responsibility to get everything right but realistically speaking, most of the players that have not received their items would just leave and that's not okay. I'll miss my friends. I know how much it pains them to rebuild again when some took ages to do so. Plus this is a game. A game full of grinding they do for fun. Most players in this game are fully grown adults and I don't think they can rebuild what they did years ago.
     
  14. Graces

    Graces Donator

    Joined:
    Nov 23, 2014
    Messages:
    581
    Likes Received:
    557
    Gender:
    Male
    Location:
    Zakum's altar
    IGN:
    Nathalie
    Level:
    69
    Guild:
    -
    Imagine losing 5 years of your life spent on a game with a "we're sorry but we can't help you, thanks for coming".
    Also, blaming the victims is just like saying girls get raped because they dress too provocatively, and no, IT IS NOT the victim's fault if some mf hacked them. Despite the "poor security of the account", the fact is that somebody purposely broke into their accounts to steal their hard-earned items, come on.
     
  15. MajorBlitz

    MajorBlitz Active Member

    Joined:
    Apr 23, 2020
    Messages:
    30
    Likes Received:
    17
    Gender:
    Male
    IGN:
    MajorBlitz
    Level:
    1
    Guild:
    Ohms
    You know, I genuinely had hope that the admins were actually doing a diligent job; turns out over the last 6 months this was what happened.
     
  16. Graces

    Graces Donator

    Joined:
    Nov 23, 2014
    Messages:
    581
    Likes Received:
    557
    Gender:
    Male
    Location:
    Zakum's altar
    IGN:
    Nathalie
    Level:
    69
    Guild:
    -
    And I'm sorry if this comment is too rude but if you weren't planning on refunding players what was all that bs about asking dates, screenshots, proof of the items, etc for? I mean, for real, people were months waiting for the "investigation" to be done, looking for pictures of their items, trying hard to remember the exact dates, times, item stats, everything they had and what was that for? Man, this is just sad and upsetting.
    I don't even believe it was for poor security on the accounts; even if they had stronger passwords or something it would just take a little bit more time. If it was for poor account security, at that time I had the same password for all of my accounts, same ID and everything for almost all my games, while being on a break for more than 4 years here, and none of my accounts were touched at all when I came back (April this year). I'm sorry @staff and I truly appreciate your work on the server, but this is not ok... You're killing some guys that invested a lot of time and their soul on this server because some nerd woke up feeling like hacking some pixels coz he was mad at some MapleRoyals staff.
     
  17. MajorBlitz

    MajorBlitz Active Member

    Joined:
    Apr 23, 2020
    Messages:
    30
    Likes Received:
    17
    Gender:
    Male
    IGN:
    MajorBlitz
    Level:
    1
    Guild:
    Ohms
    I wouldn't even mind partial restoration. Restore back my seasonal equips, CWK items, most expensive gear and some goodwill. Right now we are getting absolutely nothing. I think that a vast majority of the affected players would settle for such compensation rather nothing at all.
     
    Jooon likes this.
  18. Tim

    Tim Administrator

    Joined:
    Apr 14, 2014
    Messages:
    25,952
    Likes Received:
    20,600
    Location:
    Fryslan
    IGN:
    Kaizoku
    Level:
    200
    Guild:
    Fryslan
    It probably makes most sense for me to reply to this feedback as I had a large stake in taking this issue on and 'resolving' it to the best of our abilities with the help of Kevin's programming.

    While the OP did link to our announcements at the time (https://royals.ms/forum/threads/account-security.184904/) there seem to be some misunderstandings still regarding how 19,700 out of our (at the time) 600,000 accounts could've been accessed over the months of late 2020 and early 2021. The majority of them that were actually logged in on in game had no pin and pic (older abandoned accounts, as less than half of our accounts had pins and pics at the time); some didn't even get many attempts towards logging in and didn't make it past the control panel. A third category in this is accounts that had their pins and pics 'brute forced' due to a flaw in our control panel system where you were able to attempt x amount of logins with a pin for example, change your IP address, and attempt more logins on the same account without getting a cooldown on login attempts like you would if you just kept trying from the same IP address.

    The whole hacking/breaching ordeal should make you wonder: why wouldn't they target specific high value targets or simply more accounts if they had the ability to do so? The simple answer is that they weren't able to choose what account they got access to. They just wrote a script that tried account ID and password combinations that they found elsewhere online in data breaches of other online services (and I bet they got the majority of them from ex-private servers and other game breaches), a script that also changed their IP when needed until they got a match to a MapleRoyals account. Contrary to what some people seem to believe, MapleRoyals didn't have their database compromised.

    To us this matter was, for the majority, an issue with the personal account security of the players after we looked into it and determined how these accounts were able to be accessed with login data found elsewhere online.
    To provide an example of personal account security: we found that at the time, out of the 254,480 accounts that have valid pins, 34% of them can be 'brute forced' in the first 10 attempts due to players using the most common/obvious pins, despite all the warnings that you shouldn't be using easy to guess pins or birthdays for pins.
    Data from March 4th 2021:
    PIN 0000 - 17769 accounts
    PIN 1111 - 41635 accounts
    PIN 1234 - 18616 accounts
    PIN 9999 - 1101 accounts
    PIN 1992 - 993 accounts
    PIN 1993 - 912 accounts
    PIN 1994 - 1548 accounts
    PIN 1995 - 1688 accounts
    PIN 1996 - 1766 accounts
    PIN 1997 - 1339 accounts
    (seriously guys, if you have one of these please change it!)

    We do however realize that pointing fingers at each other like the spiderman meme to determine who's to blame for all of this doesn't help anyone and we decided that MapleRoyals and the players have a shared responsibility in this case, where the players should make sure they don't use the same account ID and passwords that they use elsewhere online for anything, not just mapleroyals, if they don't want to risk becoming a victim of credential stuffing attacks. On our end we believe that MapleRoyals should've had more restrictions in place on control panel account logins from different IP addresses like we have now!

    So how could we help the players return to the game and assist them in account, meso and item recovery? Obviously Kevin and I couldn't go over the 19,700 accounts one by one and look in their inventories to see if something had been missing between the closest backup to when they last logged in from their original connection and the time they were logged in on one of the hackers' connections. After banning all of the accounts we spent some days figuring out how we could categorize the accounts and determine what backup of their inventories would be closest to what they had before being accessed by the hacker, with SQL queries and newly written programs by Kevin that check and restore inventory data from a backup to the current banned account.
    One of our limitations here was that players that recovered their accounts and last connected from their own connection, not one of the hackers' connections, weren't able to be included in this mass-recovery query and program that was written. This meant that after our (mostly successful) recovery attempt there were still a handful of players that played on their account around and after the same days as the hacker did that haven't had their inventories restored by a backup.
    While I did investigate and explore additional options for these players, eventually it comes down to the lack of my ability:
    Unfortunately we don't have the manpower to go over the individual cases that require us to load up multiple backup dates, compare them individually and grant them their most preferred backup inventory pre being hacked by writing another program to be able to do this.


    Unfortunately for a few players this is the case as it stands because I'm not capable enough to help them further.

    The hacker didn't have time to offset most of the items in the timeframe and was mostly collecting them on certain accounts that have all been banned or overwritten with other inventory data in case the collecting account belonged to a player that was recovering their account.

    While we do believe our security upgrades help it's still possible for future attacks to happen. I hope to be able to help even more than the 99% of players that were recovered this time and not leave anyone out.

    I disagree with this as this wasn't a case of random username + random password = successful brute force, the data was all collected from other online sources for credential stuffing attacks, not 'all information brute forces'. The best way to defend yourself against this is by using an account ID and password that's not used anywhere else in combination with an uncommon pin and difficult pic.

    MapleRoyals database hasn't been breached and we're not attempting to sweep things under the rug, I'm happy to share how we tried our best to recover from an attack.

    I hope I answered the uncertainties and questions you may have had regarding this topic. Feel free to comment more if you're still wondering about certain details.

    - Tim
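The control-panel flaw described above (a login cooldown keyed on the source IP alone, so a script that changes IP every few attempts never hits it) can be shown next to the fix in a few lines. This is an added example, not MapleRoyals' control-panel code: the limits (5 failures, then a 10-minute cooldown) are taken from Jooon's description of the panel earlier in the thread and are assumptions about the real system, as are the guess list (the ten PINs from Tim's table, most common first) and the victim's PIN.

```python
"""Per-IP login throttling, bypassed by IP rotation, beside a per-account fix.

Added example, not MapleRoyals code. Limits (5 failures, 600 s cooldown) and
the PIN guess list are assumptions taken from this thread; the attack is a
simulation against an in-memory limiter, no network involved.
"""


class PerIpLimiter:
    """Keyed on the client IP only. Once an IP has max_fails failures inside
    the cooldown window it is refused. Nothing is remembered about the
    account itself, so a fresh IP starts with a clean budget."""

    def __init__(self, max_fails=5, cooldown=600.0):
        self.max_fails = max_fails
        self.cooldown = cooldown
        self.fails = {}  # key -> timestamps of failed attempts

    def keys(self, ip, account):
        return [("ip", ip)]

    def _recent(self, key, now):
        return sum(1 for t in self.fails.get(key, ()) if now - t < self.cooldown)

    def allowed(self, ip, account, now):
        return all(self._recent(k, now) < self.max_fails for k in self.keys(ip, account))

    def record_failure(self, ip, account, now):
        for k in self.keys(ip, account):
            self.fails.setdefault(k, []).append(now)


class PerAccountLimiter(PerIpLimiter):
    """Hardened variant: failures count against the account as well as the
    source IP, so rotating IPs cannot extend the guess budget on one account,
    and one IP spraying many accounts is still throttled by the IP key."""

    def keys(self, ip, account):
        return [("ip", ip), ("account", account)]


# Tim's ten most common PINs, ordered by the account counts he posted.
TOP_PINS = ["1111", "1234", "0000", "1996", "1995", "1994", "1997", "9999", "1992", "1993"]


def simulate_pin_attack(limiter, account, true_pin, guesses, rotate_every, now=0.0):
    """Try `guesses` in order against one account, moving to a new source IP
    every `rotate_every` attempts, all within one cooldown window.
    Returns (found, attempts_allowed, attempts_refused)."""
    allowed = refused = 0
    for i, guess in enumerate(guesses):
        ip = f"198.51.100.{i // rotate_every}"  # attacker-controlled, rotates
        t = now + 0.1 * i
        if not limiter.allowed(ip, account, t):
            refused += 1
            continue
        allowed += 1
        if guess == true_pin:
            return True, allowed, refused
        limiter.record_failure(ip, account, t)
    return False, allowed, refused


if __name__ == "__main__":
    # Victim PIN is the 10th guess; attacker rotates IP every 5 tries.
    print("per-IP only:  ", simulate_pin_attack(PerIpLimiter(), "victim", "1993", TOP_PINS, 5))
    print("per-account:  ", simulate_pin_attack(PerAccountLimiter(), "victim", "1993", TOP_PINS, 5))
```

Against the per-IP limiter the attacker gets all ten guesses through (two IPs, five each) and opens the account; against the per-account limiter the sixth attempt is refused whatever IP it comes from. A per-account lock does hand an attacker a way to lock a victim out by failing on purpose, so in practice the account-side limit triggers a soft step (CAPTCHA, email unlock, a notification to the owner) rather than a hard ban, and the per-IP limit is kept alongside it.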
     
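The PIN table in the post above also shows, when fed to a small script, exactly why ten guesses open about a third of PIN-protected accounts and what a set-time reject list would need to refuse. This is an added example, not MapleRoyals code; the counts are the March 4th 2021 figures quoted by Tim (254,480 accounts with a valid PIN), and the birth-year range that weak_pin() rejects is an assumption.

```python
"""Coverage of the most common PINs, plus a set-time reject check.

Added example, not MapleRoyals code. PIN_COUNTS and TOTAL_WITH_PIN are the
March 4th 2021 figures from Tim's post in this thread; the birth-year range
used by weak_pin() is an assumption.
"""

TOTAL_WITH_PIN = 254480
PIN_COUNTS = {
    "0000": 17769, "1111": 41635, "1234": 18616, "9999": 1101,
    "1992": 993, "1993": 912, "1994": 1548, "1995": 1688,
    "1996": 1766, "1997": 1339,
}


def coverage(pin_counts, total, guesses):
    """Fraction of accounts opened by trying the `guesses` most common PINs
    in descending frequency order, i.e. an attacker's success rate per
    account when the lockout leaves that many attempts."""
    ranked = sorted(pin_counts.values(), reverse=True)
    return sum(ranked[:guesses]) / total


def weak_pin(pin, pin_counts=PIN_COUNTS, years=range(1950, 2011)):
    """Reject a new 4-digit PIN that is malformed, on the observed common
    list, a single repeated digit, a straight ascending/descending run, or a
    plausible birth year. In production the common list would come from the
    live histogram, not this ten-entry sample."""
    if len(pin) != 4 or not pin.isdigit():
        return True
    if pin in pin_counts or len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return True
    return int(pin) in years


if __name__ == "__main__":
    for k in (1, 3, 10):
        print(f"top {k:2d} guesses open {coverage(PIN_COUNTS, TOTAL_WITH_PIN, k):.1%} of accounts")
    for p in ("1111", "1993", "2580", "6969"):
        print(p, "rejected" if weak_pin(p) else "accepted")
```

Three guesses already reach about 31% of accounts and ten reach the 34% Tim quotes, which is the real cost of a per-account budget of five or ten attempts; the reject check is what keeps the histogram from looking like this in the first place.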
  19. DickDann

    DickDann Well-Known Member

    Joined:
    Mar 3, 2021
    Messages:
    665
    Likes Received:
    2,216
    Location:
    18-18
    IGN:
    DLCKDANN
    Guild:
    KERNING
    I'm surprised 6969 is not on the list
     
    Graces, MeguFire, MoriForest and 25 others like this.
  20. OneHashim

    OneHashim Donator

    Joined:
    Aug 19, 2017
    Messages:
    208
    Likes Received:
    445
    Gender:
    Male
    Location:
    Canada
    IGN:
    Hashim
    Level:
    200
    Guild:
    Rice
    @Tim
    A few questions I had about account security

    1. Is it possible to force accounts to change account information regularly? My company makes us change quite often for any accounts, and we are forced to use an alphanumeric password with a capital letter and at least 1 symbol.
    2. Do you think it would be better if accounts were forced to have a pin and pic which aren't simple or common?
    3. Is 2-Factor Authentication possible?
    4. Item lock when :)
     
    SleepySleepy likes this.
