  1. #1
    Vydamo's Avatar

    Accounts hacked - one question.

    Re-opened because I believe my thread was closed prematurely.

    I wasn't asking for anyone to save my accounts, and I realise that no-one can help me. I just needed questions answered so I can make sure it doesn't happen again. I also realise that as soon as one of these threads pops up the immediate reaction is "this idiot has downloaded something and deserved it".

    I have that reaction as well. I'm not computer illiterate, and I didn't click on anything I shouldn't have.

    Thank you for saying they weren't bruteforced PKTINOS, I just have one last question. If they were taken by a malicious program, why would only half my muledump be changed (all stored on same accounts.js) and my main untouched? All password requests for ~40 mules were sent at the same time, which was why I assumed they were bruteforced.

    I'm literally just trying to confirm whether they were bruteforced or whether or not I need to wipe my computer because Sophos is showing nothing.

    Sorry to be a pain.

    Obviously in hindsight making mules that aren't disposable emails would be ideal, but if it's a virus my few accounts that aren't disposable would've also been hacked would they not?

    Also wondering on the off chance that the passwords were reset by DECA or some sort of bug, as nothing has been taken from any of the accounts as of yet.
    Last edited by Vydamo; 08-24-2016 at 03:30 AM.

  2. #2
    Luis's Avatar
    There's a difference between a sol stealer and a virus. One just has malicious codes, one infects you. Granted... Now that's changing a bit.

  3. #3
    059's Avatar
    If you don't mind saying it, what were the emails? It's possible they were guessed.

    Also, if they were in any way related to your mpgh name and mpgh email, it's entirely possible someone used that information and tried guessing some.

  4. #4
    Vydamo's Avatar
    Quote Originally Posted by 059 View Post
    If you don't mind saying it, what were the emails? It's possible they were guessed.

    Also, if they were in any way related to your mpgh name and mpgh email, it's entirely possible someone used that information and tried guessing some.
    They weren't related to any name I have ever used on a forum, and I don't want to say the email because all items are still on every account I've checked. But it was two unrelated words followed by a number (obviously not the most secure but never expected this, most were above 11 characters long). If they were guessed I think the person would've kept checking numbers until they stopped working.

    Does half my accounts.js not being changed rule out malicious software or a sol stealer (which I have never heard about so unaware of how they work)?
    Last edited by Vydamo; 08-23-2016 at 03:42 PM.

  5. #5
    New's Avatar
    Quote Originally Posted by Vydamo View Post
    why would only half my muledump be changed (all stored on same accounts.js) and my main untouched.
    Why?

    IF you did run a program and IF you ran it in the past and maybe you forgot about it, this program could have not been programmed well, and it only grabbed one of your multiple accounts.js (I think you said you have many)

    Are you at risk?

    Possibly.

    Can you run regedit and check these locations for keys?

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Also don't forget to check the Startup folder.

    Check the registry keys thoroughly; viruses and other malware tend to try to hide themselves, and they can name themselves "Windows" to disguise themselves as keys set by Windows. However, you should look at the data of the registry key. If it runs from a random file, it means it could try to hide itself there and run from there on startup.

    Of course, stay safe when messing with the registry; don't delete any keys without being sure they are unsafe.

    Apart from that there could in theory still be ways that the program has overwritten its data / infected some other program and runs when you run it.

    That would be too advanced for sol stealer creators to do, if someone has the knowledge to do that, I would doubt he would code sol stealers.

    Anyways, for the bruteforcing part.

    Bruteforcing was patched. How?

    Before, all bruteforcing did, was use an algorithm, actually use this algorithm (or similar)
    Code:
    Start with one char, and check each letter and number combination (for example a@domain.com, b@domain.com)
    Then, two chars, aa@domain.com, ab@domain.com up to zz@domain.com
    That would continue up to zzz...z (n amount of z's) @domain.com, at which point every possible combination would have been checked. (assuming the charset ends in a z)
    But, in order to check if the accounts existed, the bruteforcing programs exploited a loop hole in the game.
    When you changed password, it would either say "Email sent." or "Incorrect email"
    This, is very bad, because this way you can know 100% that if it says "Email sent." , that email exists, thus you can gain access to that disposable.

    This was patched however; now, it doesn't matter whether your email is correct or not, it will always return "Email sent.".
    Patched doesn't mean impossible.

    There are still methods to do it; the reason why no one makes programs for them is because the bruteforcing era is pretty much over / not worth it / they want it private.

    For example, a method would be

    "Forgot password" request -> check email -> if the email received any new emails in the last 5 mins, it means it exists.

    This is obviously slower than just getting the response from the rotmg server, but it still works.

    When I said "Your emails were not bruteforced" well, this was an assumption, in theory they could still very well be.

    It depends though, are your emails 1-7 chars in the name OR guessable?

    Then yes, they could have been bruteforced.

    - - - Updated - - -

    Oh I just saw they were 11 chars long.

    11 chars would be 131,621,703,842,267,136 possible combinations (assuming you have 36 chars in the charset, aka a-z + 0-9), which is about 131 quadrillion

    It's pretty big, would take a lot of resources to get all of them. Like a lot of resources.

    It would take maybe even a super computer.

    A trillion by itself is very big, but this has multiple quadrillions.

    The only other way your email could've been bruteforced, is just guessed.
    Otherwise, it was caused by a 3rd party program..

    Or a database leak..
    Or a SE attack towards the Kabam / Deca support to trick them into giving the attacker access to the account? You never know.

    - - - Updated - - -

    (btw that number isn't big for a quantum computer, just felt like saying that)

    - - - Updated - - -

    Quote Originally Posted by Vydamo View Post
    (which I have never heard about so unaware of how they work)?
    The flashplayer stores data in %appdata% in the file macromedia with the extension ".sol", just so happens that it saves your email : pass there so it can re-login you every time.

    A sol stealer, grabs the information of the sol or the sol itself and sends it to the virus creator.

  6. The Following 2 Users Say Thank You to New For This Useful Post:

    MikeRaarupBirk (08-24-2016),Vydamo (08-24-2016)
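The password-reset behaviour described in the post above, before and after the patch, as an added example that is not part of the original thread. The handler names, account set and addresses are constructed for illustration and are not the game's API; `reply_leaks_existence` is a regression check a service owner could keep in a test suite.

```python
# Constructed sample data: these addresses are placeholders, not real accounts.
ACCOUNTS = {"mule01@example.test", "main@example.test"}


def reset_before_patch(email, outbox):
    """Pre-patch behaviour as the post describes it: the reply text
    depends on whether the address is registered."""
    if email in ACCOUNTS:
        outbox.append(email)          # queue the reset mail
        return "Email sent."
    return "Incorrect email"


def reset_after_patch(email, outbox):
    """Post-patch behaviour: mail is only queued for registered
    addresses, but the caller always sees the same reply."""
    if email in ACCOUNTS:
        outbox.append(email)
    return "Email sent."


def reply_leaks_existence(handler, registered, unregistered):
    """Return True if the handler's reply lets a caller tell a
    registered address from an unregistered one."""
    return handler(registered, []) != handler(unregistered, [])


if __name__ == "__main__":
    for handler in (reset_before_patch, reset_after_patch):
        leaks = reply_leaks_existence(
            handler, "mule01@example.test", "nobody@example.test")
        print(f"{handler.__name__}: reply leaks existence = {leaks}")
```

The uniform reply removes the signal from the server's response only; whoever can read the target mailbox still sees whether a reset mail arrived, which is the slower channel the post mentions for disposable addresses.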
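One way to do the Run-key review suggested in the post above, as an added example that is not part of the original thread: it parses text saved from `reg query` on the listed keys and flags values whose data, rather than name, points at a user-writable location. The sample output and the list of locations are constructed assumptions.

```python
import re

# Constructed sample of `reg query` output for a Run key (not from the thread).
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Windows    REG_SZ    C:\Users\me\AppData\Roaming\xkqz\svc.exe
    Updater    REG_EXPAND_SZ    %TEMP%\upd.exe -s
'''

# Assumption: paths any user-level program can write to deserve a closer look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "%temp%", "%appdata%",
                 "\\users\\public\\")

# A value line is: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def parse_run_values(text):
    """Yield (key, name, data) for each value found in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if match and key:
            yield key, match["name"], match["data"]


def flag_entries(text):
    """Return (name, data) pairs whose data points at a user-writable path.
    The value name is ignored on purpose: it can be set to anything."""
    flagged = []
    for _key, name, data in parse_run_values(text):
        if any(marker in data.lower() for marker in USER_WRITABLE):
            flagged.append((name, data))
    return flagged


if __name__ == "__main__":
    for name, data in flag_entries(SAMPLE):
        print(f"review: {name!r} -> {data}")
```

A flagged entry is a prompt to inspect the file it points to, not proof of infection, since legitimate per-user software also starts from these locations.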

  7. #6
    059's Avatar
    Quote Originally Posted by PKTINOS View Post
    Or a database leak..
    This is my guess at this point.

  8. #7
    Vydamo's Avatar
    Thanks so much for the in-depth reply. I'm on a mac so there is no registry to search (as far as I'm aware).

    Just realised that the only accounts that have had their password changed are all my mules with key packs/backpacks. They would've all used the same mass package buyer found on here. Still nothing taken from any of them.

    Either way I've cut my losses as half of my muledump and my main is untouched, so I'm just happy that I still have that and am very appreciative of the time you spent writing that reply. I would love any further thoughts on the matter but don't expect them.
    Last edited by Vydamo; 08-24-2016 at 04:20 AM.

  9. #8
    New's Avatar
    Quote Originally Posted by Vydamo View Post
    I'm on a mac
    This cleans out most of the causes leaving out SE attacks and a database leak.

    Have you ever used the e-mails that were stolen from you in order to register in a website?

  10. #9
    supM8's Avatar
    Quote Originally Posted by Vydamo View Post
    I'm on a mac
    HIGH FIVE BRUH, the one thing mac is good for!

  11. #10
    ReySharlLel's Avatar
    this is cuz u downloaded the fake realmbot crack?

  12. #11
    Vydamo's Avatar
    Quote Originally Posted by PKTINOS View Post
    This cleans out most of the causes leaving out SE attacks and a database leak.

    Have you ever used the e-mails that were stolen from you in order to register in a website?
    No, used for the mules only. Still nothing taken from them and have started changing passwords back. Will never keep anything of value on them but the mystery remains unsolved. Still only mules with backpacks and keys on them affected, not sure if this is just coincidence.

  13. #12
    New's Avatar
    Quote Originally Posted by Vydamo View Post
    No, used for the mules only. Still nothing taken from them and have started changing passwords back. Will never keep anything of value on them but the mystery remains unsolved. Still only mules with backpacks and keys on them affected, not sure if this is just coincidence.
    Well honestly the only thing left would be a social engineering attack..?

    There used to be a trick where, if someone knew your email he could buy 5$ worth of gold 3 times on your account, then tell Kabam his account (your account) is stolen, and Kabam would ask "What was your 3 last payments?", then since they knew they bought 5$ gold 3 times, they would tell Kabam and Kabam would give them the account.

    Not sure if it still works.. But that's the only thing I can think of at this point.

  14. #13
    Vydamo's Avatar
    Quote Originally Posted by PKTINOS View Post
    Well honestly the only thing left would be a social engineering attack..?

    There used to be a trick where, if someone knew your email he could buy 5$ worth of gold 3 times on your account, then tell Kabam his account (your account) is stolen, and Kabam would ask "What was your 3 last payments?", then since they knew they bought 5$ gold 3 times, they would tell Kabam and Kabam would give them the account.

    Not sure if it still works.. But that's the only thing I can think of at this point.
    There would need to be gold on the accounts for this to work would there not? Anyway dude, thanks so much for your help. I really appreciate it. If you play realm and need to max def, attack or vit (or all three) hit me up.

  15. #14
    New's Avatar
    Quote Originally Posted by Vydamo View Post
    There would need to be gold on the accounts for this to work would there not? Anyway dude, thanks so much for your help. I really appreciate it. If you play realm and need to max def, attack or vit (or all three) hit me up.
    Yes there would be gold, they could've spent it though to hide the evidence?
    I have no idea.

    Anyways glad to help, stay safe.