Why aren't refunds given to hacked accounts?

The encryption is strong enough. Of course passwords can be bruteforced or rainbow tabled, but that requires a hacker to get access to our database first. And as expected; we have no evidence of any breaches having taken place as we have plenty of security measures to protect the database from unauthorised access. Like I said previously, we are confident in the knowledge that leaked information from other sources are being used by attackers to gain access to peoples accounts, yet we are still improving security where we can.

 

I decided to shed some light into recent events regarding account hacking to make our decisions understandable. I'll put in some dates and times so you know how things went down along the line as well from my perspective:

April 30th (saturday)
- I went to look at some Royals stuff and I see that I have a bunch of messages from my guildmembers on skype regarding one of my friends' behavior in-game.
- He let us know he wouldn't be home until sunday / monday on the wednesday so he wasn't expected to log in at all. He didn't reply to anyone and he left the guild so people were wondering what was going on.
- I contacted him on skype and he says he it wasn't him, so I ban all of his accounts for precaution.
- I check the logs and see that a different connection has been used to log in and some of the items on that character (his INT gear and a gun that he borrowed from me) were all traded away to another character, which I also banned for suspicious activity
- I check previous similar cases, Christopher Chance's also came up, and Issued a refund based on how we did things in the past.
- I relay information about potential mass-login attempts over in our admin chatgroup for further investigation.


May 1st (sunday)
Lots of threads and notifications of account hackings have been rolling in. We're actively trying to figure out what's going on with all these hacking cases and wondering if we have a leak somewhere. There's no trace of anything like that nor can we find lists on the internet specificly for Royals.

May 2nd (monday)
- More people are getting hacked. Transfers relate to someone that has been selling hacked items for CSGO items (which he can sell for real money)
We're tracing down the login details that the hacker recently used and find that he's been inboxing people with the same IP address to get more info from them like skype contacts.
- The person in possession of my gun claims to be innocent in a ban appeal, which after some checking turns out correct. He had been paying 7B mesos for that to various characters of the hacker. The hacker then traded him the gun on the 29th of april from my friends' account. The trade has been reversed and he has been unbanned.
- Other internet searches result in really bad attempts at phising sites / supposed downloadable 'item generators for mapleroyals' which we doubt anyone fell for.
- At around 13:30 server time we compare results and notice a trend of similar Forum IDs to Game IDs or similar character names to Game IDs. We realize atleast part of the problem has something to do with poor account security which explains why not everyone is being hacked/ our database has no traces of being leaked.
- I propose making an announcement post with the following information to remind people about account security:

• Telling players not to use the same account ID/ password for forum and game
• Telling players not to use an easy password similar to their login ID
• Offering players to pm an admin if their forum ID is the same as their game ID so we can change it for free for them

- Other admins point out that the effectiveness of such warnings degrades if we do them too often and holding the players' hands in these cases is not something we should do, the post idea is scrapped after some discussion.

- At around 17:30 server time we start discussing how we will deal with refunds regarding the hacking cases that are related to poor account security from that point onwards.
- I point out that I have refunded some people between the 30th of april and may 2nd by reversing trades from sales of hacked items for some people, one of which is the first case that came to light, the one with my friends' INT gear and the gun he borrowed from me which was purchased for 7B by someone that was unaware that my friend was hacked and he thought he landed a good deal. The guy that purchased it got his 7B back and my friends' account got his equipment back that was sold by the hacker. This was not the only trade reversal of hacked characters that I did in that timeframe.
- The action is approved by other Admins.
- At this time the decision is also made that all cases of poor account security will not be eligible for refunds anymore because we pinned down that the problem is largely their own fault and our database is still secure.

May 3rd and onward
- Discussions regarding new security to prevent cases from this happening have been had and recently been implemented with the PIN system that should only bother people slightly that play from different IP addresses.