Notice Account Security: A Reminder

Greetings Royallers,

There have been a handful of players claiming their accounts were hacked recently. The administrators have investigated and continue to watch to ensure that accounts are not compromised due to MapleRoyals security. There are currently no database leaks in relation to MapleRoyals and its servers. Unfortunately, without evidence that MapleRoyals servers have been breached, we cannot issue refunds for items lost.

This notice serves two functions. One, the staff team would like to be transparent and communicative; account security is a top priority, and we take our players' information seriously. Two, this notice serves as a reminder to all players to safeguard their information, and actively engage in proper security practices.

As many of you know, there have been large scale attempts by hackers to access player accounts in the past, most recently in February of 2021. Since then, various counter-measures have been put in place to prevent brute force attacks via the Control Panel. However, damage from certain attacks, such as credential stuffing, may only be mitigated and not entirely prevented. If you use the same information across multiple platforms, and that information is leaked, hackers can use it to access your MapleRoyals accounts as if they were you. While our developers increase protections to prevent successful hacking attempts, there must be effort on the player's side as well to ensure airtight security. That is, a chain is only as strong as its weakest link.

Here is an overview of account features, with recommendations to keep your account secure.

1. Username
   • Do not share your username with any other user.
   • Do not share your username publicly such as on a public forum thread (Character Issues or Ban Appeals, e.g.).
   • Do not use the same username for your game account and forum account. If your forum account and game accounts share the same username, please make a thread in this private section to change your forum username: https://royals.ms/forum/forums/name-change-requests.112/
   • Do not make a character with the same name as your username.
2. Password - This is the true first line of defense.
   • Choose a unique password that you do not use on any other platform.
   • Your password should be long, but memorable.
   • We recommend players use a password manager.
   • Use a different password for each of your MapleRoyals accounts. In the event that an account becomes compromised via credential stuffing, this will help to prevent all of your accounts from being hacked simultaneously.
3. PIN - The second line of defense. A mandatory four digit number.
   • Avoid using simple PINs such as 0000, 1111, 1234, birth years (1990, 1991, 1992, etc.) and so on.
   • The PIN prompt will appear upon login when an account is being accessed from an irregular location.
4. PIC - The third line of defense. An optional, but highly recommended third line of defense.
   • Avoid using simple PICs such as 000000, 111111, 123456, and any combination of simplistic PINs (12345678, 19911992, etc.)
   • Keep PIC enabled at all times. Some players disable their PIC in order to speed up their login time to obtain desirable FM spots. Know that you are trading account security for this convenience.
5. Email - Used to verify account ownership and streamline account information changes
   • Use a unique email address not publicly available anywhere.
   • Practice all aforementioned guidelines for your email password.
   • Use Two-Factor Authentication if possible.
   • Check to make sure your account email is verified.
   • One website to check if you have been part of any leaks: https://haveibeenpwned.com/
6. Two-Factor Authentication - Use 2FA wherever possible, such as for your forum account.

There are reasons why we preach these recommendations. Information is key, and the more information that is available publicly in relation to your account, the more likely it is to be a target. For example, suppose a wealthy, well-known player's game account username is the same as their forum username. A prospective hacker targeting this player wouldn't know that beforehand, but by collecting forum user names, they can search publicly available database leaks from other platforms (social media, other MapleStory private servers, etc.) and see what sticks. It is your responsibility to ensure that these malicious actors cannot 'connect the dots' with your account information. It is extremely common that compromised accounts have PINs and PICs that are very easy to guess.

TL; DR: Do not use the same information across different platforms. Take care in what information you make publicly available, and make sure that there is no connection between your private information and public. Make use of all security features available to you, properly (strong passwords, PINs, PICs.)

We hope that all players take these guidelines seriously, and protect their accounts properly.

Stay safe,
-The MapleRoyals Staff