Major security problem (stolen account)

I sympathize with what you’re experiencing, Sinael (it’s happened to me before), and perhaps I’m not fully understanding the issue with Chrono.gg’s account recovery/update system, but I don’t see this as a security failure. I’m not sure if the email associated with your Chrono.gg account was changed after reading your post (which understandably you’d want changed), but emailing the original account about an email change is a security feature to let the original account owner know if it has been compromised and linked to an email they don’t control, so they can begin the account recovery process and change it back. I’ve had multiple sites notify me of a password or email change after doing so, sent to my account’s original email, for the reason I just mentioned.

If your Chrono.gg account’s email wasn’t updated like your post said, that is a problem and needs to be fixed, because it doesn’t seem to be functioning like it should be at all. Simply notifying the original email that the account’s email was changed, even what that email address was, shouldn’t be a security concern if you’re using unique passwords for different sites. The worst that could be done is resetting your Chrono.gg account password to gain access to it and then stealing any keys that haven’t been redeemed. I think this is something you’re concerned about potentially happening.

This is a bit anecdotal since I have no evidence of the contrary, but I’ve had my Steam account (compromised once) for 14 years and I’ve never heard of Steam accepting digital Steam keys to verify proof of ownership. In fact, Steam does not list digital keys as one of the accepted forms for proof of ownership in the account recovery process. I had to submit a photocopy of a retail key printed in the TF2 manual in my case. For what it’s worth, the last discussion I read regarding Steam’s account recovery process required even more legwork because the original account owner had their account compromised multiple times in the past and took issue with Steam Support requesting additional retail keys because of their specific case and the fact that few people still possess retail keys after all this time. Steam takes account security seriously and I really don’t think you should be worried about having your Steam account stolen because of your email address being hijacked, as long as you update your Steam account’s associated email address. If someone attempts to activate your redeemed Chrono.gg keys again and the account reminder option is selected, it will send the reminder email to the updated, current email address. Since my Steam account is old, my login is the original email I used to create the account, but I have since changed it. My current email address receives the reminder message if I try activating a key I already have. You should also have Steam Guard activated to ensure the most safety with your Steam account, but you may want to create new backup codes within the app for additional assurance.

I hope I was able to ease your mind a bit and that you’re able to get all your accounts recovered safely. If Chrono’s account information updating process isn’t changing the email address when requested to then it definitely needs to be looked at since it seems to somehow have become broken - literally unplayable! :laughing:

Edit: I think it’s https://haveibeenpwned.com that’s implemented a secure feature where you can input passwords you may have used (like the one for your email address) and check to see if it’s listed in any of the account info dumps the site uses for its databases. This would be useful if you used the hijacked account’s password elsewhere, so you can make sure to change it on those sites, and it may even provide you the proverbial smoking gun that caused your email account’s compromise in the first place. If I recall correctly, the password is hashed client-side in the browser and never transmitted to the site in any functional form as a password during the lookup process. Troy Hunt made an interesting, although lengthy and technical, blog post explaining the security behind it when he added the feature onto the site.

4 Likes
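The lookup described in the edit above works by hashing the password locally and sending only a short prefix of the hash, so the service can return a range of candidate hashes without ever learning the password (a k-anonymity range query). The following is an added example, not code from the post or from haveibeenpwned.com, implementing that client side; the range response is a constructed sample so it runs offline, and the live fetch function is only wired in as an optional argument.

```python
import hashlib
import urllib.request

# Constructed sample of a range response: each line is the 35-character
# remainder of a SHA-1 hash and the number of times it was seen in dumps.
# Suffixes and counts here are made up for the example, except the second
# line, which is the real SHA-1 remainder of the string "password".
SAMPLE_RANGE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000\r\n"
    "1E2AAA439972480CEC7F16C795BBB429372:1\r\n"
)


def sha1_parts(password: str) -> tuple[str, str]:
    """Hash locally; only the 5-character prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Compare the local suffix against the returned range; 0 means not listed."""
    for line in range_text.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix.upper():
            return int(count.strip())
    return 0


def fetch_range(prefix: str) -> str:
    """Live range query against the Pwned Passwords API (not used by the test)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_breach_count(password: str, fetch=fetch_range) -> int:
    """Full client flow: hash, send prefix, match suffix locally."""
    prefix, suffix = sha1_parts(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration using the constructed response.
    print(password_breach_count("password", fetch=lambda p: SAMPLE_RANGE_RESPONSE))
```

Any non-zero count means the password appears in a known dump and should be changed everywhere it was reused; the service only ever sees the first five hex characters of the hash.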

That’s the reason why one of my emails gets spam all day long. The email is my name and I only got it and started using it when I was job searching, I’m pretty sure one of the job search sites I was registered with gave/sold it away.

I hate checking that address now even though everything gets sent to the spam folder, and because I don’t check it I recently missed out on a permanent opportunity at a company I sometimes do casual work for. I had to explain to them why I never applied, and when I was there a couple weeks ago I got jokes about never checking my email (always fair jokes, sucks though when all you have as a comeback is ‘yep that’s true’).

3 Likes

Real estate sites sell your addy too…:rage:

spudmuffin
Contrary to your claim, it was digital keys to my Steam purchases that helped me get my Steam account back. So I figured if someone got their hands on them they might use the same thing against me by impersonating me and filing the same claim I did.
I have it back, and secured with 2FA and a new address.

As I said before - while altering my account info on loads of different resources, this one was the only one to send a notification back to the initial one. Perhaps that is because those sites have additional security measures like safety questions and such, but Chrono.gg has not, so it uses what it has, but that only means that more security features must be implemented.

Also that haveibeenpwned.com site lists my old mail as breached (probably it’s being used as a spam host now), but somehow the password I used for it was not.
Surprisingly, another reserve mail that I have was also listed as breached even though it has a different password, is pristinely clean and I haven’t used it anywhere at all. The password for that one is not breached either. Maybe that site lists any mail on hosts sites as “breached”, justifiably or not.

Anyway, I got a response from ChronoGG and they’ve said they will resolve the issue.

4 Likes

glad to hear things should work out, :+1:
:hugs:

omg can’t believe I forgot to reply to that, with this obvious gem
https://www.youtube.com/watch?v=_QdPW8JrYzQ

:rofl:

5 Likes

golden oldie

and this guy basically made it his job; he calls scammers all day long just to waste their time so that they can scam less innocent ppl (he sometimes keeps them up to an hour on the phone):

4 Likes

Since the compromised mail’s password was not “breached” either, that just means the passwords aren’t in the dump(s), but there was (probably) a way to gain access just by knowing a legitimate mail address. This means that even if your secondary mail hasn’t been touched YET, it may be exposed in the future if the host doesn’t change their insecure systems.