Why was this a limitation in the first place? Correct me if I'm wrong but it seems like staff could confidently identify each hacked account since they were banned as a security precaution. Why couldn't the restoration program be run over all of these accounts? Additionally, one of my friends ( @HylianBum -- same IGN ) is in this "1%" subset of accounts that were not successfully recovered. I told him about the hack as it was happening and he immediately attempted to log in but was greeted with a ban message; he never successfully connected to any of his characters after the hack had taken place until after his details were changed through the ban appeal process. Did the act of attempting a login to a banned account change the "last connection" field in your database and therefore remove his name from the restoration list? I counted the number of threads in the character support section that relate to the mass hacking incident. Of those threads, I identified less than 20 that seem to be involved with the mass hacking incident in February and did not receive their items back. A couple of them even seemed to follow the trend of initially finding themselves banned, resetting their info, and then logging in to their "restored" account with all of their items still missing. I'm grateful for all the work that went into fixing the mess in the first place -- I know it wasn't easy -- but I don't think the job is finished. I don't expect staff to individually investigate 20,000 accounts... but if I'm being honest, I would expect them to investigate the 20 that cared enough to make a thread.
I understand that repeating passwords from other websites is a main issue but the fact that the control panel used to have unlimited attempts meant that there was basically no deterrence to brute forcing. I know it has since been addressed but this is no fault of the players who actually had good PINs and PICs and were hacked anyways. "Unfortunately we don't have the manpower to go over the individual cases that require us to load up multiple backup dates, compare them individually and grant them their most preferred backup inventory pre being hacked by writing another program to be able to do this." ANY backup is better than none at all. Which is why we are simply asking that you guys do SOMETHING instead of telling us after 6 months of "work", you guys finally decided that you couldn't do anything after all.
Insufficient cyber security leading to malicious hacking versus dressing provocatively that incites rape are definitely not two sides of the same coin. People can dress how they want but should be extremely cautious (VPN, password/pic rotation, etc.) when it comes to protecting 5 years worth of assets. I get the message you are trying to send though.
I just want to mention, I did not use the same credential for my password :< Moreover, I am thankful for the time and effort spent by the staff. Yes, my years of investment in-game over the 4 years. Time, energy. TBH, might not even have the time now as we grow older to rebuild another. Did not even manage to finish my lv 200 dreams while busy farming for my gears. However, if the recovery could be made for individual accounts if we were to provide actual time and date?
These numbers are irrelevant. Yes 20k accounts may have been brute forced but you certainly did not get 20,000 "Gimme back my account" requests. This comes across so disingenuous to me. You don't have to research 20k accounts, you just have to research those who claim high returns. I mean honestly if a guy comes to you saying they had a perfect Dragon sleeve, you're going to be able to see that fairly quickly with character activity. I mean that one guy who came back as an example had 100b accumulated over the last 6 years, that isn't unreasonable. When it comes down to it, some of these players, for the sake of keeping them, you should in fact just give the benefit of the doubt. Are you really going to question a guy who's been here for like a year and asks for about 2-3b in equipment? I suggest you look up something called the Cohan rule, it's a great example of applying common sense to scenarios like this.
I don't understand just 1 thing, when there's a RWT suspicion you guys are all over that like flies on shit (no offence), banning left and right - tracking every single item and person involved in the case, when and to whom was it transferred as it is seen in the ban appeals section. But when someone gets hacked (sure you can't deal with 20k claims but there never were that many, let's take one of the few high value hacked accounts for example) you guys are so lost and cannot track to whom the stolen stuff was transferred even when provided with a tremendous amount of details and dates, that alone doesn't make any sense to me. In the scenario where your database was not breached (apparently you have a better database than Gmail who are breached nearly every year) are you seriously gonna blame people for not setting 3 extra complicated passwords that god knows how one will remember them? Say someone has 5 accounts, that's 15 passwords for god's sake, there HAS to be a recovery option in case someone's account is hacked and the staff is 100% to take responsibility for it if you wish to have a respected and functioning server. A simple tracking of the accounts login, movement, trade, drops etc. can resolve the cases where people lose years of spending time on your server, take responsibility for your players who make this server possible. We are all just people but all the understanding comes from the players side for some reason, none from the staff.
I'll do you one better, if you knew which PIN accounts were hacked, couldn't you be one step ahead of these hackers? How about notifying those players to change their passwords, a simple popup when someone logs in or how about a notice that everybody sees saying "if your pin is xxxx you are at risk of being hacked with no chance of refund", anything, at least then your hands would be clean because you warned us and did your best, they are YOUR players at the end of the day which you will lose if you don't show care for (at least to the best of your ability). Everything feels like it's operating backwards in this server, I'm surprised it still has this many players.
People can't quit cause they heavily invested in this game. The only real way to quit is via banned or being hacked >.<
To add: I don't think anyone was asking to cherry pick their best backup. All these players wanted was to have their accounts restored to before the incident. The hack happened at time *x*. Why couldn't the backup immediately before time *x* be chosen for these ~20 or so accounts that got wrongfully skipped? Was it that the problem was realized too late and fear that these players modified their accounts too much to be eligible for a restoration?
Man I'm sorry to hear this. My heart goes out to the people who got hacked. Hope all the best for you guys. On the bright side if there is any, I hope there's other games or hobbies out there you can enjoy more. It's not fair at all but maybe it's easier to move to greener pastures when you lost your investment on one. In the big picture this is like a 15+ year old game small server and there's a lot of other good stuff out there. It's still not fair but hopefully that's better than nothing.
1. it's technically possible however that comes with a lot of extra 'forgotten password' requests from casual players that don't log in daily
2. we already had a rule in place where your pic can't have the same sequence of numbers that your pin has, other than that it depends on how far you'd be willing to go in what's considered simple or common
3. we have this in place for staff tools however we're not sure if it's possible to change the login system for the game-client
4. as always, soon™
The character IDs for backups were selected based on last logged in by the list of hacker hwids, mac addresses and ip addresses we had. That excludes the few players that connected after being accessed by a hacker. Some accounts like your friend might have been hacked multiple times between late 2020 and early 2021 and got restored to what we considered the nearest backup to them being hacked while they already no longer had items from previous hackers accessing their accounts.
Unfortunately we're not able to simply open a file and compare their inventories until we find a suitable one where we think they have all the equipment they need. Loading in a backup of a single day took about 40 minutes, if their inventory is still the same on that day we can't just keep clicking random days to load and hope for the best for each of these players. Do keep in mind I'm just one guy that tries to help out this game in some of my free time and the workflow I described above here isn't feasible to do.
I'm not sure if you missed the part about our control panel already being limited in attempts from one IP address so there was deterrence to brute forcing in place, we just didn't expect someone to rent services that would grant them access to thousands of IP addresses in addition to writing a script to connect to the next IP after x amount of attempts.
We're aware of the date and time that the hacker accessed your account, we just weren't able to rewrite your inventory from a backup due to our system.
Providing random items that people claim they are missing based on how reasonable we think it is that they earned those before doesn't seem like a suitable solution to us. We don't doubt that these players lost their items as we can see they were accessed like the others that we were able to restore properly, common sense to us is restoring what we can based on backup data.
I'm not sure what you're referring to as I mentioned the accounts that the items were transferred to were banned and remained banned. Our database isn't as heavily targeted as Gmail is. We don't have a 'better database' than they do. We're not blaming the people that didn't have strong account security, we're simply saying they share responsibility in being hacked due to their choices.
I'm starting to think you haven't read my first post thoroughly as we didn't know what PINs were being hacked, I just provided an example of poor account security choices by selecting 10 common PINs used by our players. These aren't the 'only pins that got hacked' or anything like that. How would you suggest being a step ahead of these hackers other than the player choosing for proper account security? What we did upon noticing hacks is banning all accessed accounts and conformed them to only being unlockable by recovering and changing their account details and stopping the attempts with new limits in place. I don't think simply giving them a popup of: 'you're being hacked change your info' is a better solution.
They didn't all get hacked at the same time 'x' and some got hacked multiple times or didn't happen to have some of their items in a previous backup due to having them on another character or lending them out to a friend etc.
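Added example, not part of the staff post above and not the server's code: a small Python model of the point about attempt limits, comparing a per-IP limit alone with a per-IP plus per-account limit against constructed traffic that switches source address every few guesses. The limits, window, account name and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

WINDOW = 3600        # seconds; assumed throttling window
IP_LIMIT = 5         # failed attempts allowed per source IP per window (assumed)
ACCOUNT_LIMIT = 10   # failed attempts allowed per target account per window (assumed)


class Throttle:
    """Sliding-window counter of failed logins, keyed by IP and optionally by account."""

    def __init__(self, per_account):
        self.per_account = per_account
        self.by_ip = defaultdict(list)
        self.by_account = defaultdict(list)

    def _recent(self, stamps, now):
        # Drop failures that fell out of the window, then count what is left.
        stamps[:] = [t for t in stamps if now - t < WINDOW]
        return len(stamps)

    def allow(self, now, ip, account):
        """Return True if the attempt may reach the credential check."""
        if self._recent(self.by_ip[ip], now) >= IP_LIMIT:
            return False
        if self.per_account and self._recent(self.by_account[account], now) >= ACCOUNT_LIMIT:
            return False
        return True

    def record_failure(self, now, ip, account):
        self.by_ip[ip].append(now)
        self.by_account[account].append(now)


def rotating_attempts(account, guesses, pool_size, per_ip):
    """Constructed traffic: one wrong guess per second, new source IP every `per_ip` guesses."""
    for i in range(guesses):
        yield i, f"198.51.100.{(i // per_ip) % pool_size}", account


def guesses_checked(throttle, attempts):
    """Count how many wrong guesses actually reach the credential check."""
    checked = 0
    for now, ip, account in attempts:
        if throttle.allow(now, ip, account):
            checked += 1
            throttle.record_failure(now, ip, account)
    return checked
```

A per-account limit also lets anyone lock the real owner out by failing on purpose, which is the extra 'forgotten password' load the post mentions, so it needs a working recovery path beside it.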
The type of environment/game you have developed is one that requires months of progress of accumulating resources to be successful, in such an environment, player retention I feel should be more on your priority list since your systems are not "new account friendly". When you share responsibility for a consequence, you also share the responsibility of restitution, which I feel was lost when you leave players hanging like this. You have three options: make players restart solely putting the blame on them for their poor password security; create a standardized compensation package that is calculated solely by time played; research every account that makes a claim. What I find troubling is that businesses would look at this and find that if the claim is reasonable, they would just push it forward as the resources to verify every claim is not worth the time. If someone comes to you playing for 2 years saying they had a 10/10/5 attack set, what consequence do you think that is going to have? Market isn't going to care, do a quick start date/activity review, not every account hacked was that active and you can pressure them to provide more evidence. Also additional benefit of filtering out RWT. Community isn't going to care, it's not an exploitable venture as long as you have appropriate internal controls. Brings player retention of the players who actually play the game with sincerity. Mapleroyals should do more for the players, especially when sharing responsibility; even Nexon gave compensation packages to those who were hacked by exploits, albeit not much. I may have a higher standard because I deal with actual financial/tax investigations but I feel you're missing a good will opportunity here. I also speak as someone not affected so I have no real horse in this race.