Hey guys, you may or may not know me but I've lost over 14b on items because my account got hacked. This happened because my password was leaked from a different site that was hacked, it does not even seem to matter if your ID has been leaked or not. So here's a simple way to check if your info has been leaked somewhere: - Go to https://haveibeenpwned.com/ - Fill in either the email address that you've used for creating mapleroyals OR your account ID. If you get a result like this: Then I suggest you INSTANTLY change all your passwords to something that you have not used on those websites. If you get hacked and your password matches that of the leaked files (which apparently the mapleroyals staff has access to) then you will not get a refund. Don't go through what I went through and keep your stuff safe, if you don't (even if you weren't aware of those sites being leaked) you will end up doing the same as I did: Quit mapleroyals because of it. -Darius
Not sure if I can confirm it's a good site, but I will attest to getting hacked. I lost only about 3-4b worth of stuff but it pisses me off a lot that I did get hacked, and according to my buddylist, lots of people are currently experiencing this. I'd recommend that even if you didn't get hacked you all go change your password.
The website has been created by Troy Hunt, a respectable security expert & Microsoft regional director. You can find his info here if you'd like to verify if this site is legit or not: https://www.troyhunt.com/
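An added example, not part of the thread or of Have I Been Pwned's own code: the site's Pwned Passwords range lookup lets a password be checked against breach data while only the first five characters of its SHA-1 hash leave the machine. This goes beyond the email/ID lookup described in the first post; the `fetch` stand-in and the sample corpus are constructed so the block runs offline.

```python
import hashlib

# Real service endpoint, shown for reference only; this example never contacts it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest: 5 + 35 chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch):
    """fetch(prefix) -> response body. Only the 5-char prefix is handed to fetch."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)

def make_sample_fetch(leaked):
    """Constructed stand-in for the HTTP call: serves a fake corpus offline."""
    seen = []  # records everything the "server" was sent
    def fetch(prefix):
        seen.append(prefix)
        lines = ["0" * 35 + ":0"]  # padding-style entry with count 0
        for pw, count in leaked.items():
            p, s = split_hash(pw)
            if p == prefix:
                lines.append(f"{s}:{count}")
        lines.append("not-a-valid-line")  # malformed line the parser must ignore
        return "\r\n".join(lines)
    return fetch, seen

if __name__ == "__main__":
    fetch, seen = make_sample_fetch({"qwerty123": 4821})  # constructed corpus
    print(breach_count("qwerty123", fetch))          # reused password is found
    print(breach_count("T7#vq-long-unique", fetch))  # unique password is not
    print(seen)                                      # only 5-char prefixes were sent
```
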
General internet security is to keep separate account information anyway, don't use the same passwords and don't use simple easy to guess passwords. But thanks for providing the link - hopefully other people learn from it too.
I'm still wondering where you guys get the plain text passwords from... The leaked databases were ALL still encrypted with MD5 etc.
Just because a password is stored as a hash does not make it entirely foolproof, brute force attacks or rainbow attacks still allow attackers (hackers if you may) to reverse or rather, crack hashed passwords into plaintext. Having a strong password is probably the best way to protect yourself in the event of a breach such as having alphanumeric password with symbols that is more than 8 characters long, and also ensuring your password does not have dictionary words/personal information/patterns like asdf or qwerty. And like Sila had mentioned, don't use same passwords for different sites especially websites you are signing up for fun and might not return such as forums (which often restrict content unless registered). Personally I use a different and weak password for websites like these and only change them after I've decided I want to stick around. Most importantly, don't set your password as password.
I did not intend to say that just because passwords were hashed that they were foolproof, I'm wondering why the mapleroyals staff would go over the effort of finding my hashed password and brute force it?
Well I have all different passwords for my accounts. If it does happen that I get hacked, do I get a refund? Since it's not my fault at all. My passwords are all different and pretty complicated tbh.
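An added example, not part of the thread: it shows from the storage side why an unsalted MD5 hash gives little protection once a database leaks (a reused password produces the same stored value on every site), next to a salted, slow PBKDF2 record where that link disappears. The account names, passwords and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

def md5_unsalted(password):
    """Fast, unsalted hash: the same password always yields the same value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def pbkdf2_store(password, iterations=600_000):
    """Salted, deliberately slow hash stored as 'iterations$salt$digest'.
    The iteration count is an assumed work factor; tune it for your hardware."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def duplicate_groups(stored):
    """Return groups of accounts whose stored value is identical."""
    by_value = {}
    for account, value in stored.items():
        by_value.setdefault(value, []).append(account)
    return sorted(sorted(g) for g in by_value.values() if len(g) > 1)

# Constructed sample: one person reusing a password on two sites.
SAMPLE_ACCOUNTS = {
    "user1@forum-a.example": "hunter2hunter2",
    "user1@game-b.example": "hunter2hunter2",
    "user2@game-b.example": "c0rrect-h0rse-battery",
}

def compare_schemes(accounts, iterations=600_000):
    """Store every account under both schemes and report visible duplicates."""
    md5_db = {a: md5_unsalted(p) for a, p in accounts.items()}
    kdf_db = {a: pbkdf2_store(p, iterations) for a, p in accounts.items()}
    return duplicate_groups(md5_db), duplicate_groups(kdf_db), kdf_db

if __name__ == "__main__":
    md5_dupes, kdf_dupes, _ = compare_schemes(SAMPLE_ACCOUNTS)
    print("unsalted MD5 duplicates:", md5_dupes)
    print("salted PBKDF2 duplicates:", kdf_dupes)
```
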
There was no brute forcing involved. The data (and in some leaks, passwords) is also available in plain text.
Could you link me up to the source you claim you got the plain text passwords from? Since it's publicly available to the internet?
I don't trust the site you linked, even though it may be created by a good source. Nothing personal, just the internet is always full of new ways to get someone's info. I just think maybe Royals needs a more secure way of someone's account. Maybe allow users to be able to not only change their passwords but maybe their usernames as well, or add a PIN like GMS? In the meantime I would advise everyone to change their passwords frequently (maybe every couple months), don't use a pass you use for other sites and most importantly DO NOT share account information.
https://www.leakedsource.com/ You need to pay for a subscription to view more details, including the cleartext passwords.
I see, thanks for letting me know. So you're paying to view every person's plaintext leaked passwords.
You're implying (rather wrongly, in fact) that the staff have any interest in hacking your account. That we have any interest in knowing your account details at all. Or maybe even implying that we're the ones who gave the hackers the information? Staff are chosen for a reason, and being trustworthy is one of the important factors into it. We have no interest in your personal information. The only reason we even found the source of the leaks was to determine that it wasn't a security issue on our end - for obvious reasons, right? I'd sure hope that you'd like us to find out if there's a security leak somewhere that went unnoticed until people got hacked, or if the issue truly did reside somewhere else. By finding the source of the information, we ruled out that there was no way the information was leaked from our server.
Truthfully, the only reason I had to pay in the first place was to confirm that our server did not have any security flaws. You had claimed in your character issue post that the password associated with you in the leak was NOT what you used here on Royals, which worried me as all the other people hacked had indeed used the same password. So, money had to be spent to verify your claim, which turned out to be untrue, and determine the password you had been using was the same as what you had used across other accounts that had been leaked from other websites. These posts coupled with the PMs you sent me keep trying to paint the picture that the staff was somehow doing something wrong by verifying the server's security. I think it is quite clear that if best practices were followed by everyone and passwords were not used by a user in more than one location, we wouldn't even have the need for a user awareness thread like this one.
@John @Sila First off I was not implying that the mapleroyals staff has any interest in hacking my account. I completely agree with the fact that you want to make sure that your servers are 100% safe. Second of all, I already explained to John that I believed I used a different password for those sites since the last time I used those sites was over 5 years ago. Let me make it very clear that I completely understand the reason WHY you did this. In reality doing it this way is NOT the correct way as regardless of your intentions you paid to view my passwords from illegal sources. Also I should note that you broke the TOS of leakedsource by doing this; "You may only use this tool for your own personal security and data research. You may only search information about yourself, or those you are authorized in writing to do so. Searching information on others is strictly prohibited. In the event somebody else shares the same username or full name as yourself, you must delete any data of theirs that is displayed." found at https://www.leakedsource.com/main/tos/ Either way, your actions are not legal, even though I understand why you took them.
It's also not very often that a "professional" set of staff members expects their users to keep to their ToS which they DO while at the same time they break ToS's of other parties they are supposed to follow. Also don't start about wasting time, since the amount spent on this drama is not even comparable to the time I've wasted on your game.
Okay, you keep attempting to play lawyer, which is fine, but please know what you are talking about. LeakedSource is not an illegal source. A quick Google search yields security blogs and articles about the service. If it truly was illegal, it would have been long gone by now. A quick example of what I mean: http://www.bankinfosecurity.com/leakedsource-assume-every-website-has-been-hacked-a-9176 It is a repository that collects information that has been publicized. They don't buy accounts from hackers, or buy dumps to add to their database. If they do that, then it is illegal. And okay fair point about violating the TOS. It's a good thing I closed my account, so as to prevent them from needing to terminate my account. I (or anyone else) can go to any number of other repositories to get the same information which would be just as legal and would not violate the TOS. Again, you're REALLY splitting hairs here. If you have a suggestion for how to keep the community safe, please do share it. In the meantime, we will continue doing what is necessary to protect our users.
Please do keep your servers safe. You do have to understand that the reason I keep poking you with this is the fact that you need to actually be professional. Breaking ToS's on those sources by comparing leaked/hacked databases is not very professional. If you actually followed their ToS all of this would've never happened. You would also not be accused of identity theft even though you never intended to do so. Sure it would cause you to not be able to verify if my account had been leaked somewhere else since there is no (legal) way for you to check if it did, but that would be policies and being professional is also following your own policies without breaking them even though you might "suspect" that something else happened.