I am careful, my OS, anti-virus, firewall & anti-malware software is all up to date.
I do not share passwords or give out my details to others.
Yet to today my STO account got hacked.
First sign was an email from PWE saying my email address for my account, had been changed at "my" request.
This was at 8:54am GMT, I swiftly reacted and despite getting control of my account back at 9:17am GMT. 3 of my 4 characters had been stripped of all EC, refined dilithium, my account bank emptied of EC and all the saved ZEN I had was gone.
I literally interrupted the guy in the act, as I was checking what had gone, I was de-friended by "@*******", an account handle I do not know.
I had saved over 60million EC up for a Tholian Recluse Carrier or Jem'Hadar
Dreadnought, still had not made my mind over which to go for.
I had over 7000 ZEN saved for when 'Legacy of Romulas' came out to buy a few ships.
my refined dilithium was bening saved for buying fleet ship and equipment.
ALL THIS now gone, and so is my enthusiasm for playing STO.
EDIT account handle removed, since suspicion not proof.
Sorry for your lose, but these days, most account hacks occur due to malicious 'Flash' or 'Java' banner adds with 'keylogger' functionality. The best advice is to avoid using your Browser when you play STO.
Cryptic/PWE does have the ability to roll back accounts, so you should send a support ticket or contact Support with 'Account Hacked' as the subject...
Same thing happened to me, it seems roughly an hour or two before it happened to the OP. It took them a day and a half to lock my account, by which time it was far too late. Then it took them another three days to unlock it once I verified my identity. I'm still waiting to see if they're going to restore all the stuff that was taken or destroyed. Been about two and a half days since their last reply.
I think the worst part of it is how easy PWE makes it for somebody to steal. I can't speak for the OP, but the fact that the thief was able to change the email address on the account (in both of these cases it seems) with no confirmation needed from the real account holder or registered email address, thus bypassing any safeties of the "Account Guard" system they have in place...it's just insane.
I run NoScript on my browser, which stop any adverts like that.
Though, of course, this would be useless if the link to the malicious script was embedded in the webpage itself.. This happened once to the Fleet Website I visit, and was quickly detected by Google search. Took a couple of weeks to clean up that mess...