The Angodude Milestone

TimurTheGoat

Chiliarch
For what it's worth, the hacker has been reported numerous times, for the same offense on en128. He's probably the most reported/banned player on en servers, if not all of grepolis, yet somehow inno hasn't done anything permanent about it


Fair enough ... then the fault has to be with the representatives of the game whose inaction created this mess especially since this wasn't the first time it was reported. Just a question though whose alliance was he in on en128?
 

OutOfCharacters

Phrourach
Fair enough ... then the fault has to be with the representatives of the game whose inaction created this mess especially since this wasn't the first time it was reported. Just a question though whose alliance was he in on en128?

Nobody's. He had (forgive my crude explanation as I have no idea how to do this) computer-generated multi accounts accessing through VPNs to grow just big enough to run an auto-script to spam certain players round the clock. They regenerated like cockroaches spawning. That was his sole purpose on that world, and he announced it in his profiles, just like he announced his hacks here. We need to be fair to mods here-- they tried really hard to shut those down as soon as they showed up, and did a good job. It's very difficult when someone has chosen solely to destroy a game that allows external scripts, etc. And, he mostly targeted the mods themselves playing in that world. He was there solely to disrupt, did not play properly with any team.

I do apologize at hinting a Blood might be behind this. My outrage at you guys laughing and taking advantage of such a CRIME made me wonder if someone there was tied to Sema or got him to do the favor. Stranger things have happened. I simply do not understand wanting to gloat or gain from something like this, especially upon learning more details about how it happened... but I recognize not everyone shares my values. And I know many come to externals to be inflammatory, not to discuss true thoughts.


The source of the hack has been discovered and it wasn't a link. It's a database of IP addresses, passwords, emails, from various games and other sources... and it's why he claimed he could doxx people one by one. There are many players on there and I suggest you all keep changing your login info on a regular basis. Inno's security doesn't verify a new IP address-- it let him log in AND change the email address without having access to the old email. Discord, on the other hand, wouldn't allow access unless he could verify in his email it was him (without email access he could not).

This is a frightening lack of security to allow access to your personal information and even an email change, without requiring verification.

I've submitted a ticket asking Inno to please immediately review this security feature and change it-- or I'm not sure I feel safe having an account here. I suggest more players look at this as something that could very easily happen to them today, tomorrow, the next day. This isn't "some other guy's problem". I can't say that I'm safe because I don't click links.

To defend Bloods-- a few players speak here, but this is not the voice of Bloods, and it does not reflect the character of all of their players. It's all the fun and games of externals. We've asked Bloods leadership for discourse on how, if Inno is unable to undo most losses of this crime by repairing the damaged wonder status and refilling Bloods level 10 fills, we as a community can figure out a solution that reflects the spirit of what was lost going forward. We'll see what comes of that.

We can be frustrated with Inno for security protocols and demand improvement there, but we also need to demand that each of us hold ourselves to a standard that eliminates the impact of violations like Ango is enduring-- or else we will lose the community we have left. Who will play, if outcomes like this are a real possibility? A combination of personal life fear, and months of game time/money/commitment lost?

This is not bickering over name calling, or players going AWOL, or spies dropping wonders... all things we have all encountered, where people choose sides based on loyalties and perceptions, with two sides to each coin. This one is crystal clear.
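
The gap described in the post above (a correct password alone allowing a login from a new IP address and an email change without access to the old mailbox), shown with the missing checks in place. This is an added example, not part of the original thread and not Inno's or Discord's code; `AccountService`, its method names and all sample addresses are hypothetical.

```python
import hashlib
import hmac
import secrets

class AccountService:
    """Toy account store. `mailbox` stands in for e-mail delivery (constructed)."""

    def __init__(self):
        self.accounts = {}  # user -> {"email", "salt", "pw_hash", "known_ips"}
        self.pending = {}   # one-time token -> (user, action, payload)
        self.mailbox = []   # (recipient, token) pairs that would be e-mailed

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, email, password, ip):
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"email": email, "salt": salt,
                               "pw_hash": self._hash(password, salt),
                               "known_ips": {ip}}

    def _challenge(self, user, action, payload):
        token = secrets.token_urlsafe(16)
        self.pending[token] = (user, action, payload)
        # Sent to the address on file, so a new address cannot approve itself.
        self.mailbox.append((self.accounts[user]["email"], token))
        return "verification_required"

    def login(self, user, password, ip):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(
                acct["pw_hash"], self._hash(password, acct["salt"])):
            return "denied"
        if ip not in acct["known_ips"]:
            return self._challenge(user, "trust_ip", ip)  # step up via e-mail
        return "ok"

    def request_email_change(self, user, password, ip, new_email):
        if self.login(user, password, ip) != "ok":
            return "denied"
        return self._challenge(user, "change_email", new_email)

    def confirm(self, token):
        user, action, payload = self.pending.pop(token, (None, None, None))
        if action == "trust_ip":
            self.accounts[user]["known_ips"].add(payload)
        elif action == "change_email":
            self.accounts[user]["email"] = payload
        return action is not None

def leaked_password_attempt():
    # Constructed scenario: a valid password replayed from an unknown address.
    svc = AccountService()
    svc.register("player1", "owner@example.test", "reused-pw", "198.51.100.7")
    first = svc.login("player1", "reused-pw", "203.0.113.50")
    change = svc.request_email_change("player1", "reused-pw", "203.0.113.50",
                                      "intruder@example.test")
    return first, change, svc.accounts["player1"]["email"], len(svc.mailbox)
```

In the constructed scenario the replayed password gets no session and no email change, and both attempts produce a message to the owner's existing address, which also serves as an alert.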
 

collect78900

Phrourach
Fair enough ... then the fault has to be with the representatives of the game whose inaction created this mess especially since this wasn't the first time it was reported. Just a question though whose alliance was he in on en128?

@Baudin Toolan @Hydna @Silver Witch

@TimurTheGoat Not sure about en128......but you're spot on about "the fault has to be with the representatives of the game whose inaction created this mess ".

Going to keep tagging you guys till we get some action...if what OOC says is true OOC's post "What really happened and why it is scary to all" please take action to protect exposed accounts with follow up mails asking players to reset their passwords....start monitoring known grepolis password dumps and write an automated script to inform the players.....or better yet force players to change their password every 3 months.


In any case you have to right the wrong done via malicious players in this world and all worlds. It is your duty to serve the player base and currently you guys are failing at it.

#JUSTICEFORANGO

PS -- Thank you for restoring ango's account.
( will continue tagging and hope to get replies and updates here as this is a wider issue affecting the players on en-133 and the grepolis community on the whole .... not talking about account details here but still asking for rollbacks and steps taken to actively protect players and their accounts!!)

mention count -1 (resets after reply from mods)
 

DeletedUser47282

Guest
By now most active players in 133 are aware that Ango's account was hacked, along with a few other players' accounts on other worlds, by a well known player who has bragged about it both in game, along with sending very explicit mm's all over.

What is not known is the extent of this breach-- how far into these players' laptops and passwords this player's attacks went, or even how many players could be impacted by the time he is done. Threats were made that this would happen account by account, so we don't really know what data this hacker has gained. Within the last few years there have been multiple instances of people I've known who had much more than their grep account wiped by people like this. It's extended into their personal financial lives and caused a lot of damage.

While people joke about things in externals, this is not something to be taken lightly. Every single player on this server and in this game should be hoping that Inno is able to stop this type of hacker and eliminate the effects of their abuse. This exposes all of us not just to game consequences, but real life consequences as well.

I personally am angry at the responses in the sink or swim thread because those posters are selfish and short-sighted-- how can you not hope and even demand that Inno roll back the effects of such criminal behavior, with the impact it has on the integrity of the community and our lives? We have all these discussions about not wanting the game to die and how to improve the community. A start would be to stand up ourselves against criminal hacking, stop viewing these things as funny, eliminate these types of players from all chats and teams, and ask Inno to update their security protocols to make all of us safer. To give us a sense of security that if something this major happens-- Inno will make it right. (Unless of course the player exposed themselves by providing their passwords to buy one of the cheating products out there.)

This extends to all of us. If you say-- well, I like what it's done for me on this server-- you are supporting this behavior. None of us should ever hope to gain from acts such as this, and we should be shamed if we joyfully take advantage of it. The next could be you. We should all be appalled and demand better for Ango and for anyone involved in this type of attack.

If we as a community think this behavior is fine "as long as it benefits me and hurts someone else", then we are pushing its death. The community is not other people-- it is each and every voice among us.

You make it sound like it is Inno's fault. If Inno's security protocols are not up to the mark then it needs to be proved before an accusation like this can be made.

If the hacker got into your laptop and other places (no pun intended) then Inno cannot be faulted, unless it can be proved that their server/scripts was compromised.

Most of the time it is the carelessness of the individual. Your laptop, your account is your responsibility. If you did not follow good practices for password change etc, then you cannot cry afterwards.

A good practice is to use a separate email and password combination for online games, which most people do not do. Google, Yahoo, Firefox, Security software like 'lookout' etc warn users if there is a breach and their email or id is found in that breach. These kinds of warnings should be taken seriously.

As much as I sympathise with the victim of a hack, the fact is the world is filled with careless people. As a retired software developer, I have seen this kind of stuff happen a few times and invariably the victim cries out in "righteous anger".

P.S. Immediately removed saved passwords from the browser and changed my password in the game. Had been using the same password from the time I started playing. Time to follow the advice I give others.
 

DeletedUser47282

Guest
For what it's worth, the hacker has been reported numerous times, for the same offense on en128. He's probably the most reported/banned player on en servers, if not all of grepolis, yet somehow inno hasn't done anything permanent about it
Well, just come out in the open and name the player...
 

DeletedUser47282

Guest
If a player's account gets hacked who is responsible?

The morality if Bloods should take advantage of what has fallen in our laps is different from issues about security etc. Emotions run high in this game, true, still the tone of this thread is really not all that reconciliatory. If people are to work together then at the least we should not get personal.

As for the hack, some amount of fear mongering is happening here. Wanting Inno to improve their systems is fine, but there is nothing stopping you from following a better level of discipline yourself. Just because somebody got hacked does not mean all of us will get hacked. Change your email, change your password, use a Password manager. Follow best practices yourself. Nobody is stopping you.

Just because you got hacked does not mean you lose it and panic. There is nothing scary here, if anything it will probably motivate everybody to change their password and improve their habits.

The way I see it:

Never attribute to malice that which can be attributed to stupidity.
 

Trist3

Chiliarch
As much as I agree, it would be nice to see Inno's security systems upgraded to more recent standards for security, even if as you said individuals can improve their own security measures, I don't see why a push for Inno to improve it on their end too is a negative for the community.

To answer your questions on the hacker, again if you look at any of the profiles of the players hacked, you can clearly see good old "Semajoes" claiming responsibility for it (on top of all the other reasons for identification above). I will let you look him up by yourself.

Props to @RaniRup for making a good point that was detached from the politics of the game. This thread should be about the impact on the community of hacks like these, not the politics that go on in-game, so as you said whether bloods choose to take advantage of the hack is another issue that can be discussed in top 12.
 

OutOfCharacters

Phrourach
You make it sound like it is Inno's fault. If Inno's security protocols are not up to the mark then it needs to be proved before an accusation like this can be made.

P.S. Immediately removed saved passwords from the browser and changed my password in the game. Had been using the same password from the time I started playing. Time to follow the advice I give others.

These are good points. The fault lies with the creation of circumstances that could allow this to happen, which requires multiple parties. Yes, changing passwords frequently helps protect-- but you haven't done it either, and many players haven't. Ango being the subject of the attack is dumb luck if you think of it this way (though it was actually purposely malicious). And even changing passwords... how often is often enough? They say 30 days typically, but does that still protect us if a breach occurs on day 1?

The "accusation" is that with only one data piece needed to log in from virtually anywhere (the password), and with the prevalence of personal info/login stuff being sent around and purchased by crooks these days, providing new ip's access to log in without requiring any verification, is outdated. Ango's finances outside of grep were secure, along with his other things like discord, etc... due to a combination of being smart with different passwords for RL stuff (finances), and the stronger security protocols they have in place requiring you to confirm from your email if a new login is legit before allowing it.

While we all need to practice cybersecurity, even if I use one password for only games-- if one is hacked and the info sold, then all are susceptible without a secondary protocol.
 

Drill

Chiliarch
This incident boils down to maintaining your online security. Please let me stress that this "hacker" isn't anything to fear, the accounts were compromised due to a public database leak. Absolutely anyone can pay £2 to access a leaked database, run a search query and retrieve a password.

It's always a good idea to routinely update your password as well as using different passwords for the various services that you use online. Even if you are just changing a couple of characters, it will make the difference.

I recommend checking your personal details on the following website to see if any of your information has been released on a database leak:

 

Myrddin Emyrs

Phrourach
See if you spent money and your details are on your account ain't that a GDPR breach, maybe if your account is hacked and your details are compromised maybe a class action suit against Grepolis and Innogames maybe then they sit up and notice.
 

DeletedUser53657

Guest
LMAO blaming INNO then continue to give them more money.
Gold more LL nukes. 30 are not enough from 2 cities in 4-5 hours Spartan.

KEKW
 

Baudin Toolan

Grepolis Team
I'll give an update on what we do know currently. There were a couple of accounts that were accessed by another player and it seems the access was gained via a data breach from another unrelated game that occurred some time ago. If you use the same or very similar passwords across multiple games/websites and there is a data breach you should make sure to change your passwords as was mentioned in a few previous posts. While we will certainly be bringing up the topic of two factor authentication with Innogames another good way to protect your account is to make sure to always use unique and strong passwords for each site you use. Re-using passwords or using similar passwords isn't a good way to secure any account.
 

Mole man 420

Phrourach
I'll give an update on what we do know currently. There were a couple of accounts that were accessed by another player and it seems the access was gained via a data breach from another unrelated game that occurred some time ago. If you use the same or very similar passwords across multiple games/websites and there is a data breach you should make sure to change your passwords as was mentioned in a few previous posts. While we will certainly be bringing up the topic of two factor authentication with Innogames another good way to protect your account is to make sure to always use unique and strong passwords for each site you use. Re-using passwords or using similar passwords isn't a good way to secure any account.
Seems like inno is finally catching on that their security is horrible … I mean discord kept Sema out ffs but grep didn't :facepalm:

Thank you more specifically to the messengers ( support ) for middle manning this with back end…

Although it seems a bit negligent seeing as our personal data is accessible, payment methods are linked to grep, and we pay for services, and inno still doesn't have dual authentication after years of ppl saying VPNs and false IPs are an issue and hackers use them to do whatever attacks they do with them. Catch up to the times, this isn't 2010 anymore…. We the customers give money for a service and in my opinion Inno is negligent on their end in ensuring their customers enjoy their product worry free
 

collect78900

Phrourach
I'll give an update on what we do know currently. There were a couple of accounts that were accessed by another player and it seems the access was gained via a data breach from another unrelated game that occurred some time ago. If you use the same or very similar passwords across multiple games/websites and there is a data breach you should make sure to change your passwords as was mentioned in a few previous posts. While we will certainly be bringing up the topic of two factor authentication with Innogames another good way to protect your account is to make sure to always use unique and strong passwords for each site you use. Re-using passwords or using similar passwords isn't a good way to secure any account.

@Baudin Toolan
Just a suggestion.....instead of spending time and efforts on 2FA.....I suggest exploring and implementing Zero Trust Models they are more secure than 2FA.

Also a quick question any chance inno games would consider organizing bug bounty programs. I know it's a game but it seems to be earning inno a lot of money.
 

collect78900

Phrourach
This still does not solve the issue of the world's endgame being altered/affected due to malicious actors.

@Baudin Toolan @Hydna @Silver Witch

Are mods still going to remain helpless against hackers ??....there might not be a precedent but you can start it here.....revert the malicious actions and its effects from this servers and all servers hence.

It is ridiculous that inno cannot rollback actions....even a simple db update would help....sure players will lose resources sent to ww's but I am sure they would be a good sport about it or an agreement can be struck after discussion with the players on the server.

Implementing 2FA sure would be a step in the right direction but the community wants a lot more...how about asking devs for implementing Zero Trust Models, mandatory password change after a set number of months and the new password cannot be a previously used password otherwise it's a joke, checking IP addresses and whitelisting IP addresses per account basis if players have problems and regular in game mails about account security, automated scripts for checking known password dumps once a week or at least once a month.

Also get some more powers or rights from the devs for mods such as reverting actions or suspending ally wide actions etc....so the next time this affects the legitimate flow of world events ....mods can quickly and temporarily suspend play ( in better words pause the world) while corrective action is taken.....if that is implemented you do not have to worry about replaying so called millions of server actions.

In any case you have to right the wrong done via malicious players in this world and all worlds. It is your duty to serve the players and currently you guys are failing at it.

#JUSTICEFORANGO

PS ---

@RaniRup ---> your points are valid and I agree with you on changing passwords etc......is it wrong to ask for better authentication controls for our accounts.....people still share their bank details.....I am certain security needs to be improved and you as a former software dev could perhaps read these (points made by me above) from the community perspective and hopefully maybe agree.....whichever way this world goes more security is always better.

mention count -2 (a half hearted reply does not bode well for resetting the count....please address all points)
 