Account Security Risk..Please Fix Cryptic!!!!!


Archived Post
02-01-2010, 01:35 PM
So I just logged into my account and had 5 unread emails....and they were all gold spammers:mad:. I've been playing online games and MUDs for a while now so spam has become a fact of life for online gaming. That's why I set up an email spam account. However when it is a GAME account that receives these types of emails, I have an issue with that.

With the rise of gaming accounts being hacked (NCSoft, Blizzard, Turbine, etc.), it concerns me about these emails because I do not want my account banned or my payment information compromised. I'm not concerned about the emails themselves, it's the door this potentially leads to.

So how did they get my email? Why, zone chat, of course. Admittedly, I'm guessing about that, but that would seem like an obvious choice. If I am wrong about that, so be it. That format needs to change, because Cryptic, while account security is a two-way street, the burden is on you to take reasonable precautions to protect our information.

I definitely would like a response back from Cryptic to see what they have to say about this...and yes, I have opened a ticket on this :p

Archived Post
02-01-2010, 01:38 PM
If you're worried about them having your login name by seeing your display name in game, then you shouldn't have set your display name to be the same as your login name.

Archived Post
02-01-2010, 01:46 PM
Accounts aren't being hacked. "Hackers" could care less about your account. They don't run brute forces on your pc much less on Cryptic's servers to figure out your password.

Account passwords are being figured out easily because most gamers don't even have elementary IT security knowledge. Simple as that.

Archived Post
02-01-2010, 01:49 PM
The account creation tool needs to be altered to not allow the "average user" to put in the same display name as account name. When you first enter all that information, the average person doesn't understand the difference. A simple check on account name being similar to display name and not allowing that to occur will solve that for the future. In the meantime, people who have entered the same display name as account name need help getting the display name changed.
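One way to implement the registration check this post asks for, as an added example that is not code from the thread or from Cryptic's account system: normalize both names (case and punctuation ignored) and refuse a display name that equals, contains, or is near-identical to the login name. The similarity threshold is an assumed value.

```python
import re
from difflib import SequenceMatcher

# Ratio above which a display name is treated as "too close" to the login
# name. This cutoff is an assumption for the example, not a Cryptic setting.
SIMILARITY_THRESHOLD = 0.8


def normalize(name: str) -> str:
    """Lower-case and drop everything but letters and digits, so that
    'Mary_Varn' and 'maryvarn' compare as the same string."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def display_name_problem(account_name: str, display_name: str):
    """Return None if the display name may be used, otherwise a short
    reason string explaining why registration should be refused."""
    acct = normalize(account_name)
    disp = normalize(display_name)
    if not disp:
        return "display name must contain at least one letter or digit"
    if acct == disp:
        return "display name is identical to the account name"
    # One name embedded in the other, e.g. 'maryvarn' inside 'maryvarn2010':
    # the login name would still be readable in zone chat.
    if acct in disp or disp in acct:
        return "display name contains the account name"
    ratio = SequenceMatcher(None, acct, disp).ratio()
    if ratio >= SIMILARITY_THRESHOLD:
        return f"display name is too similar to the account name ({ratio:.2f})"
    return None


if __name__ == "__main__":
    # Constructed sample registrations; names are illustrative only.
    for acct, disp in [("maryvarn", "Mary_Varn"), ("maryvarn", "maryvarn2010"),
                       ("maryvarn", "maryvern"), ("maryvarn", "Binball")]:
        print(f"{acct!r} / {disp!r}: {display_name_problem(acct, disp)}")
```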

Archived Post
02-01-2010, 01:54 PM
If you're worried about them having your login name by seeing your display name in game, then you shouldn't have set your display name to be the same as your login name.


Good point. I didn't stop to think about that...and yes they are different, it was just the first thing that seemed a possibility. Now that I stop to think about it, I'm trying to remember if it will allow you to create the account with the same login (it's been a while). So if that isn't the case, it does bring up the question just where the hell are they getting it from?

By the way to make it clear this is not my personal email account, this is my STO email account.

Archived Post
02-01-2010, 01:57 PM
Zone chat puts your name as being displayname@loginname, so even if you have a different display name your login name is still revealed.

Archived Post
02-01-2010, 01:59 PM
Yeah, having the account login displayed for all to see isn't exactly best practice. The singular naming idea is great, but we should be able to choose that and keep our account name hidden.

This should be implemented asap.

Archived Post
02-01-2010, 02:00 PM
If you're worried about them having your login name by seeing your display name in game, then you shouldn't have set your display name to be the same as your login name.

Actually, you're wrong - my account name and display name are different, I still get the odd gold spam. Since your display name is name@[name], they only need the [name] part to figure out who the account belongs to; if they removed [name] then it would help but it still wouldn't stop spam.

MMO breed gold farmers = spam = MMO, unfortunately it's become a standard practice with every MMO, at least they're not as aggressive as in some F2P MMOs, where they run bots who spam chat 24/7.

Archived Post
02-01-2010, 02:22 PM
Accounts aren't being hacked. "Hackers" could care less about your account. They don't run brute forces on your pc much less on Cryptic's servers to figure out your password.

Account passwords are being figured out easily because most gamers don't even have elementary IT security knowledge. Simple as that.

I am a sys admin, so yes I do have knowledge about password security (no dictionary words, make it alphanumeric, etc.).

And that is wrong about hackers not caring about accounts. I know of at least 2 people in RL (not just online) who have had their WoW account hacked, because it is Big Money. They get into the account, sell off all the stuff, transfer the gold to other accounts and sell the gold for real currency. Blizzard offers RSA tokens for 6 dollars to protect accounts now (which I hope will eventually become a standard procedure for the larger online games). Turbine has, in big, bold red letters, a notice about accounts being hacked or compromised on their launcher for Lord of the Rings Online.

When economists start using gold farming as an economic indicator for third-world countries (they use it because it increases the IT infrastructure of countries that otherwise would never have invested in it, which apparently indicates a growing economy and plays into GNP calculations), when governments (China, Korea, etc.) have to pass laws to regulate the impact of virtual currency in exchange for RL currency, that means it has had an impact on national economies.

I'm not talking about the "Lone Geek in the basement" kind of hacker, I'm talking about organized businesses that do these types of things because there is very little regulation or oversight of these businesses.

And by the way, I am not saying or suggesting my account DID get hacked, but this shows a vulnerability that needs to be addressed. I invested a lot into this game, and do not want to lose it because of something as stupid as being hacked.

Anyways, maybe the servers are back up....

Archived Post
02-01-2010, 02:31 PM
A lot of the spam comes from the forums, not just in game.

All they need is your forum name to send you email.

As a Sys Admin, you should know that you're completely safe as long as you don't stumble onto a booby-trapped web page that hits you with a key logger or some other sneaky spyware thing like that.

They can't magically extract your password from the Cryptic servers.

Archived Post
02-01-2010, 02:34 PM
Actually, you're wrong - my account name and display name are different, I still get the odd gold spam. Since your display name is name@[name], they only need the [name] part to figure out who the account belongs to; if they removed [name] then it would help but it still wouldn't stop spam.

MMO breed gold farmers = spam = MMO, unfortunately it's become a standard practice with every MMO, at least they're not as aggressive as in some F2P MMOs, where they run bots who spam chat 24/7.

You would also have to stop posting in the forum 'cause I'm pretty sure they are getting names from the forum, not the game.

Archived Post
02-01-2010, 02:36 PM
So I just logged into my account and had 5 unread emails....and they were all gold spammers:mad:. I've been playing online games and MUDs for a while now so spam has become a fact of life for online gaming. That's why I set up an email spam account. However when it is a GAME account that receives these types of emails, I have an issue with that.

With the rise of gaming accounts being hacked (NCSoft, Blizzard, Turbine, etc.), it concerns me about these emails because I do not want my account banned or my payment information compromised. I'm not concerned about the emails themselves, it's the door this potentially leads to.

So how did they get my email? Why, zone chat, of course. Admittedly, I'm guessing about that, but that would seem like an obvious choice. If I am wrong about that, so be it. That format needs to change, because Cryptic, while account security is a two-way street, the burden is on you to take reasonable precautions to protect our information.

I definitely would like a response back from Cryptic to see what they have to say about this...and yes, I have opened a ticket on this :p

I was just going to post about this... I too had this happen... What are you, Cryptic, going to do about it?

Can we forward these emails to a certain mail box?

Archived Post
02-01-2010, 02:42 PM
Zone chat puts your name as being displayname@loginname, so even if you have a different display name your login name is still revealed.

It's not listed as displayname@loginname, it comes up as the name you chose for your character@your forum display name, which isn't necessarily your login name. When you create your account, there is a field for both. For example, Binball, my forum display name and my @name, is not my login name.

Archived Post
02-01-2010, 02:52 PM
Zone chat puts your name as being displayname@loginname, so even if you have a different display name your login name is still revealed.

It's not listed as displayname@loginname, it comes up as the name you chose for your character@your forum display name, which isn't necessarily your login name. When you create your account, there is a field for both. For example, Binball, my forum display name and my @name, is not my login name.

So what is your login name? I wantz to sellz u sum gooooold.

Archived Post
02-01-2010, 07:54 PM
Yes, PLEASE let us change our display names in game! I had no idea that "maryvarn" was going to actually be seen in game. That's a separate issue for me than the spamming, but I had to chime in about the name thing. It may be my fault that I chose it as my display name, but as a WoW player new to STO and other MMOs, I just assumed that any name I register for here on the site wouldn't be seen in game. My mistake, but please let me correct it.

Archived Post
02-01-2010, 08:18 PM
So I just logged into my account and had 5 unread emails....and they were all gold spammers:mad:. I've been playing online games and MUDs for a while now so spam has become a fact of life for online gaming. That's why I set up an email spam account. However when it is a GAME account that receives these types of emails, I have an issue with that.

With the rise of gaming accounts being hacked (NCSoft, Blizzard, Turbine, etc.), it concerns me about these emails because I do not want my account banned or my payment information compromised. I'm not concerned about the emails themselves, it's the door this potentially leads to.

So how did they get my email? Why, zone chat, of course. Admittedly, I'm guessing about that, but that would seem like an obvious choice. If I am wrong about that, so be it. That format needs to change, because Cryptic, while account security is a two-way street, the burden is on you to take reasonable precautions to protect our information.

I definitely would like a response back from Cryptic to see what they have to say about this...and yes, I have opened a ticket on this :p

Oh Ye Ghods.

Shall we put the tinfoil hat on?

Getting your account name means nothing - they need the password to get onto it. Most of those account compromises you speak of were caused by Trojans being drive-by installed on people's systems. Yes, even the infamous one that attached itself to the EvE Client itself was gotten from a couple of gold-selling sites.

Your in-game name has NOTHING to do with your real Email address. All it is is <charactername>@<account nickname>, which is pretty much public information, ESPECIALLY if you post on these Forums, as it's the account nickname used here.

Same thing elsewhere - the EvE Forums even go so far as to attach the character names to the messages permanently, so in-Forum douchebaggery can be identified in-game and vice-versa. When your reputation follows you...you either get civil real quick or you go through a bunch of posting alts :)

Here, you don't have the option of posting alts.

Either way, NO hacker's gonna waste their time trying to do a brute-force attack just to get into your account and loot it. Unless you give your actual login name/password away - OR give hints as to what it might be - you'll be OK.

Archived Post
02-01-2010, 08:20 PM
The account creation tool needs to be altered to not allow the "average user" to put in the same display name as account name. When you first enter all that information, the average person doesn't understand the difference. A simple check on account name being similar to display name and not allowing that to occur will solve that for the future. In the meantime, people who have entered the same display name as account name need help getting the display name changed.


File a GM help request. The GM's will help you change your display name if it is the same as your account name.

Archived Post
02-01-2010, 08:31 PM
IMHO you shouldn't be allowed to set your display name to your login name, that would improve security for the average user right there. But realistically the threat is minimal, the vast majority of 'hacked' accounts aren't brute-forced or password cracked but either social-engineered or keylogged, which the whole display/login name issue has no effect on.

And by the way, I am not saying or suggesting my account DID get hacked, but this shows a vulnerability that needs to be addressed. I invested a lot into this game, and do not want to lose it because of something as stupid as being hacked.

Then use a strong password. You're a system admin, you should know exactly how long/hard it is to crack a good password. Let's see what's allowed for passwords. I was able to enter, without an error or anything, a 15 character alphanumeric+special characters password. That's a combination range of (26 characters + 10 numbers + at least 10 special characters)^15 = 46^15 = 8.73*10^24. And that's just a lowball estimate, I don't know how many characters they'll allow you to use but it's at least 15. So a possible range of ~10^25 passwords (assuming either +1 special character or +1 character allowed from my test). *

To crack this password via brute-force in, say, a day (and what business is going to dedicate an entire day of work to cracking a single password when there are dozens of users who can be hit with dictionary attacks?) would require 10^20 tests per second, or around a zettaflop total processing power...or around 100,000,000 top notch computers. And that's assuming there's no 3-strikes-you're-out password protection (like most games/online apps have, where you have to wait between entries if you get it wrong X number of times) or anything.

No one is going to be throwing that kind of hardware at your password and even extending it out to longer amounts of time won't reduce it that much, if they spend a year on that password they'd still need almost an exaflop, or 1,000,000 top notch machines. For a business with, say, a dozen good machines (1 teraflop) running on your password it'll be around 317 centuries before they can test all the possible passwords in that range. If they've got 10 of the best computers in existence (Cray XT5's, 1.75 petaflops) it drops to 17 years.**

Brute-force attacks are relatively useless nowadays. Pretty much since the dawn of alphanumeric and special character passwords whose lengths are at least 7 or so characters brute-forcing has become impractical for most applications, that's why social engineering and keyloggers are such big deals. You're far FAR more likely to be 'hacked' via one of those methods than any brute-force password attack, especially if you have a good password. Displaying your login name helps neither of those methods in the long run, social will get both as will keyloggers.

*All this assumes, of course, that passwords are stored well on Cryptic's system and that long passwords aren't truncated before being tested, both of which, I feel, are safe assumptions to make.
** There might be some faulty assumptions in my analysis, it's been a couple of months since I took a class on the subject of passwords and brute-forcing and I might have forgotten something important. However the fact is that brute-forcing a good long password is effectively impossible in any reasonable amount of time without quantum computing or something similar, that's something I clearly remember, even if my math is a little bit off.
EDIT: Oh, and I just remembered, my numbers are actually a bit off...on the low side. I ran the math for if they knew your password was X characters long, if that's not known then all passwords of length <= your password length are possibilities as well, which increases the password space quite a bit as well.
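The keyspace and time arithmetic from the post above, carried through as an added example (not code from the thread): it computes both the exact-length space the post used (46^15) and the "all lengths up to L" space from the EDIT, and, like the post, treats one floating-point operation as one password guess, which is an assumption rather than a measured cracking rate.

```python
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int, exact_length: bool = True) -> int:
    """Number of candidate passwords an attacker must try.

    exact_length=True  -> attacker knows the length is exactly `length`
                          (the post's 46**15 figure).
    exact_length=False -> every length from 1 up to `length` is possible
                          (the post's EDIT: the realistic case).
    """
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    if exact_length:
        return alphabet_size ** length
    if alphabet_size == 1:
        return length
    # Geometric series sum_{k=1..L} A^k = (A^(L+1) - A) / (A - 1);
    # the division is exact for integers, so // keeps full precision.
    return (alphabet_size ** (length + 1) - alphabet_size) // (alphabet_size - 1)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


def rate_needed(space: int, seconds: float) -> float:
    """Guess rate required to exhaust the space within `seconds`."""
    return space / seconds


def summarize(alphabet_size: int, length: int, guesses_per_second: float) -> dict:
    """Both keyspace variants plus wall-clock years at the given rate."""
    exact = keyspace(alphabet_size, length)
    upto = keyspace(alphabet_size, length, exact_length=False)
    return {
        "exact_space": exact,
        "upto_space": upto,
        "years_exact": seconds_to_exhaust(exact, guesses_per_second) / SECONDS_PER_YEAR,
        "years_upto": seconds_to_exhaust(upto, guesses_per_second) / SECONDS_PER_YEAR,
        # Rate needed to finish in one day: the post's "zettaflop" figure.
        "rate_for_one_day": rate_needed(exact, SECONDS_PER_DAY),
    }


if __name__ == "__main__":
    # The post's scenario: 46-symbol alphabet, 15 characters, tested at the
    # "dozen good machines" rate (1e12/s) and ten Cray XT5s (1.75e16/s).
    for label, rate in (("1e12 guesses/s", 1e12), ("10 x Cray XT5", 1.75e16)):
        s = summarize(46, 15, rate)
        print(f"{label}: {s['years_exact']:.3e} years (exact length), "
              f"{s['years_upto']:.3e} years (lengths 1..15)")
```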

Archived Post
02-01-2010, 08:34 PM
Zone chat puts your name as being displayname@loginname, so even if you have a different display name your login name is still revealed.

Only if you set it up that way. My login name is different from my Forum and @name.

My @name is the same as my forum display name, but to log in it's different.

Archived Post
02-01-2010, 11:08 PM
Those of us who signed up for the original website had no choice to have two different names.

Our login name IS our display name.

Archived Post
02-01-2010, 11:10 PM
Those of us who signed up for the original website had no choice to have two different names.

Our login name IS our display name.

I was going to say this but couldn't remember that far back. I was signed up on the original site and never remember being asked. Didn't know if it really happened or was just old age setting in though lol.

Archived Post
02-01-2010, 11:23 PM
As long as you don't have a 2 digit password but a good and long combination I couldn't care less if someone knows the login name. The login name would be the easiest to figure out.

And hacking a 12 digit password or longer would...oh well..take you a whole lifetime I suppose, unless you're a hacking genius who, I suppose, would care less than to get an account from some game.