Account Security?

Before anyone suggests it - I changed my password as soon as I thought something fishy was going on. 

When I logged out 6-7 hours ago I had almost 8,000 currants. I know, it's not a lot so I'm not torn to pieces or anything. When I sat back down to my computer I was showing 4 currants and I had 5 messages in my mailbox for auction house items I didn't purchase. The purchase times on them were during the hours I wasn't playing. No one has access to my pc (I rarely leave the room it's in) and my passwords are unusual and hard to guess. I don't know if this was an account compromise (I don't have zip on my account as I'm lower level and the AH items are available to me so I can just use or resell) or just some weird incident with the AH, but change your passwords frequently!

Posted 92 days ago by Switchmode Subscriber!

Replies

  • Just to be safe I use Last Pass and anytime I play a free to play game I always let it randomly generate a password for me. (Actually I don't even have a clue what my password actually is without looking)

    After playing Glitch for a while I now know I can give TS my full trust when it comes to security but other sites I don't want to get in a situation where a password may be accidentally recycled and their database gets compromised.
    Posted 92 days ago by Mithax Subscriber!
  • As you're new, I'm assuming you didn't use a third party site to set up automatic auction house purchases? When that's done, it goes through the API and your account info and such should be safe, but if you've set up a rule that says "purchase item X below cost Y" it'll purchase all items that fit the rule until you stop the rule or your currants run out.

    I don't know if the sites even still run now (it's been a while since I've looked at them) or if they even do furniture and as I said I don't think this is your issue but I'd like to throw it out there in case it helps people who stumble upon the topic in the future.
    Posted 92 days ago by diaveborn ♥ Subscriber!
  • The auction sniper that I know of is a script that will keep working until TS changes the auction page buy procedure.

    I have it on a browser that I no longer use for glitch and it went off like crazy clearing a good deal of currants b/c I'd forgotten about it.

    It would seem especially odd that someone would log in as you to buy you stuff though...I guess...what else are they going to do lol

    thanks Mithax for the Last Pass tip :)
    Posted 92 days ago by M<3tra, obviously Subscriber!
  • Switchmode: If you file this as a bug report, staff can probably check the logs and see whether someone was logged in to your account when the auction purchases were made. If someone was logged in, they should be able to tell whether or not it was from the IP address you regularly use (your computer).
    Posted 92 days ago by Hawkwell Subscriber!
  • Plus, maybe there's a way to find out whom you bought that stuff from. If it's all from the same user, then yeah...
    Posted 92 days ago by Posh Subscriber!
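The two checks suggested above (whether a session was logged in from an unfamiliar IP when the purchases happened, and whether the purchases all went to one seller) can be run against the logs the staff would have. The script below is an added example and not Glitch's or Tiny Speck's code: the log formats, user names, IP addresses, timestamps and prices are constructed for illustration, and roughly reproduce the original post's drain of almost 8,000 currants while the owner was away.

```python
"""Review auction purchases against login sessions (added example).

Not Glitch's or Tiny Speck's code: the log formats, user names, IPs and
timestamps below are constructed for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed login/logout log: timestamp user event source_ip
LOGIN_LOG = """\
2012-09-10T14:02:11 switchmode login 203.0.113.7
2012-09-10T18:30:45 switchmode logout 203.0.113.7
2012-09-10T20:15:03 switchmode login 198.51.100.23
2012-09-10T22:40:12 switchmode logout 198.51.100.23
2012-09-11T02:55:00 switchmode login 203.0.113.7
"""

# Constructed auction-house purchase log:
# timestamp buyer bought item from seller for price
PURCHASE_LOG = """\
2012-09-10T15:10:00 switchmode bought chair from posh for 120
2012-09-10T20:31:14 switchmode bought rug from grumpy for 1500
2012-09-10T21:02:50 switchmode bought lamp from grumpy for 2100
2012-09-10T21:45:09 switchmode bought table from grumpy for 2300
2012-09-10T22:10:33 switchmode bought vase from grumpy for 1900
"""


def parse_sessions(log):
    """Pair each login with the matching logout (same user and IP).

    Returns (user, start, end, ip) tuples; end is None for a session that
    is still open at the end of the log.
    """
    sessions = []
    open_sessions = {}
    for line in log.splitlines():
        ts, user, event, ip = line.split()
        t = datetime.fromisoformat(ts)
        if event == "login":
            open_sessions[(user, ip)] = t
        elif event == "logout":
            start = open_sessions.pop((user, ip), None)
            if start is not None:
                sessions.append((user, start, t, ip))
    for (user, ip), start in open_sessions.items():
        sessions.append((user, start, None, ip))
    return sessions


def parse_purchases(log):
    purchases = []
    for line in log.splitlines():
        ts, buyer, _, item, _, seller, _, price = line.split()
        purchases.append({"time": datetime.fromisoformat(ts), "buyer": buyer,
                          "item": item, "seller": seller, "price": int(price)})
    return purchases


def session_ip_at(user, when, sessions):
    """IP of the session that was logged in for `user` at `when`, or None."""
    for s_user, start, end, ip in sessions:
        if s_user == user and start <= when and (end is None or when <= end):
            return ip
    return None


def review_purchases(user, usual_ips, login_log=LOGIN_LOG, purchase_log=PURCHASE_LOG):
    """Flag purchases made with no session or from an IP outside `usual_ips`.

    Returns the flagged purchases (each with the session IP attached) and a
    Counter of sellers among them, so one seller receiving everything stands out.
    """
    sessions = parse_sessions(login_log)
    flagged = []
    sellers = Counter()
    for purchase in parse_purchases(purchase_log):
        if purchase["buyer"] != user:
            continue
        ip = session_ip_at(user, purchase["time"], sessions)
        if ip is None or ip not in usual_ips:
            flagged.append({**purchase, "ip": ip})
            sellers[purchase["seller"]] += 1
    return flagged, sellers


if __name__ == "__main__":
    flagged, sellers = review_purchases("switchmode", {"203.0.113.7"})
    for f in flagged:
        print(f"{f['time']} {f['item']:6} {f['price']:5} from {f['seller']} via {f['ip']}")
    print("sellers among flagged purchases:", dict(sellers))
```

With the constructed logs, the one purchase made during the owner's own session is left alone, while the four made from the unfamiliar address all go to the same seller and add up to 7,800 currants; that combination (foreign IP plus a single beneficiary) is what distinguishes a takeover from a forgotten sniper rule.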
  • Did you sleepwalk??
    Posted 92 days ago by daniel5457 Subscriber!
  • Let's talk security.

    I would disagree with the original poster that changing your password regularly just for the sake of changing them is a good idea. It doesn't make your account significantly more secure while adding a lot of time wasted on changing passwords and remembering them.

    Instead, the easiest thing to do as a website user is to use a unique, long and random (high entropy) password for every site you use - even unimportant ones. The easiest way to accomplish this is to use a password manager, as mentioned above. You should also install good anti-virus software and keep it up to date to stop malware stealing your password (though they're more likely to be after your credit card number / bank password than your Glitch account).

    It's also important that the developers take steps to ensure the password is secure. This means salting and hashing the password with something that takes a long time to calculate. If, however, they do not do this, then using a unique and long password as mentioned above should ensure that your password takes a longer time to crack, and other accounts do not get affected in case Glitch's servers do get compromised.
    Posted 92 days ago by Boom and Bust Subscriber!
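Both halves of the advice above (a slow, salted hash on the server; a unique high-entropy password from a manager on the client) can be shown in a few lines. The following is an added example, not Glitch's or Tiny Speck's code and not a description of how their site stores passwords: it uses PBKDF2-HMAC-SHA256 from the Python standard library, and the iteration count is an assumption that has to be tuned on real hardware.

```python
"""Salted slow password hashing and high-entropy password generation (added example).

Not Glitch's or Tiny Speck's code. Uses PBKDF2-HMAC-SHA256 from the Python
standard library; the iteration count is an assumption to be tuned per server.
"""
import hashlib
import hmac
import math
import secrets
import string

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumption: raise until one hash costs tens of ms on your hardware
SALT_BYTES = 16
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_fast_hash(password):
    """What NOT to do: fast and unsalted. Equal passwords give equal digests,
    so one cracked hash (or a precomputed table) unlocks every matching user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG, one secrets.choice call per character."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length=20, alphabet=ALPHABET):
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Correct horse battery staple", record))
    pw = generate_password()
    print(f"generated: {pw!r} ({entropy_bits():.0f} bits)")
```

Storing the algorithm and iteration count alongside the salt lets the cost be raised later without invalidating existing records, and the random salt means two users with the same password get different records, which the unsalted SHA-1 comparison does not. A 20-character password over the 94-character alphabet carries about 131 bits of entropy, far beyond what a slow hash needs to protect against offline cracking.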
  • Given that the glitch login process is done via an unencrypted POST, it's definitely a good idea to use a completely unique password for this site. It might also be worthwhile to think twice before logging into Glitch on untrusted or unencrypted wireless networks, because the login cookie could also be pretty easily snooped and then potentially replayed by an attacker.

    And a good question for any Tiny Speck employees who might see this thread: are there any plans to move Glitch to SSL? Granted, it's a bit of overhead from the encryption/decryption process, but almost certainly worth it in the long run.

    The option of two-step verification would be nice, too, but having just set that up for my entire company, I also know how much of a hassle it is to configure and roll out.
    Posted 91 days ago by devlogic Subscriber!
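To make concrete what "unencrypted POST" and "snooped cookie" mean, the script below parses a constructed plaintext login exchange the way a passive listener on open Wi-Fi would see it, and checks the session cookie for the attributes that limit the damage. It is an added example, not Glitch's or Tiny Speck's code: the host name `game.example`, the `/login` path, the form field names, the cookie name and the credentials are all constructed for illustration.

```python
"""What a plaintext login leaks, and how to flag a weak session cookie (added example).

Not Glitch's or Tiny Speck's code. The captured request/response, host name,
form field names and cookie name are constructed for illustration.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed: what a passive listener on the same open Wi-Fi sees when the
# login form is submitted over plain HTTP. The password is in the clear.
CAPTURED_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: game.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 36\r\n"
    "\r\n"
    "username=switchmode&password=hunter2"
)

# Constructed response: the session cookie is also in the clear, and carries
# no attributes restricting where the browser will send it again.
CAPTURED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: session=7f3a9c1d2e4b; Path=/\r\n"
    "Location: /\r\n"
    "\r\n"
)

# Constructed: the same cookie as a site on SSL should issue it.
HARDENED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: session=7f3a9c1d2e4b; Path=/; Secure; HttpOnly\r\n"
    "Location: /\r\n"
    "\r\n"
)


def split_http(raw):
    """Split a raw HTTP message into (start line, headers dict, body).

    Header names are lower-cased; repeated headers (Set-Cookie) keep every value.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def extract_credentials(raw_request):
    """Pull username/password out of a captured form POST, or None if it isn't one."""
    start, headers, body = split_http(raw_request)
    content_type = headers.get("content-type", [""])[0]
    if not start.startswith("POST ") or "x-www-form-urlencoded" not in content_type:
        return None
    form = parse_qs(body)
    return {"username": form.get("username", [None])[0],
            "password": form.get("password", [None])[0]}


def extract_set_cookies(raw_response):
    """Return a Morsel for each cookie set by a captured response."""
    _, headers, _ = split_http(raw_response)
    morsels = []
    for value in headers.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(value)
        morsels.extend(jar.values())
    return morsels


def cookie_weaknesses(morsel):
    """Attributes a session cookie needs but lacks.

    Without Secure the browser will send it over plain HTTP, where it can be
    sniffed and replayed; without HttpOnly, script on the page can read it.
    """
    missing = []
    if not morsel["secure"]:
        missing.append("Secure")
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    return missing


if __name__ == "__main__":
    print("leaked credentials:", extract_credentials(CAPTURED_REQUEST))
    for m in extract_set_cookies(CAPTURED_RESPONSE):
        print(f"leaked cookie {m.key}={m.value}, missing: {cookie_weaknesses(m)}")
```

The `Secure` attribute only helps once the site is actually served over SSL; on a plain-HTTP site the browser would never send a Secure cookie at all, which is why the cookie flags and the move to SSL asked about above go together rather than being alternatives.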
  • Thanks for all the replies! I have Last Pass but have not set it up yet. I probably need to fix that! I don't use third party sites and checked my browser extensions just to be safe. The items in my mailbox are things I can use so I'm not too distraught but figured this would be a good time to discuss account security rather than later when something big goes down. xD

    Thanks again community!
    Posted 91 days ago by Switchmode Subscriber!
  • Even if you don't use or remember using 3rd party sites, in case your account was momentarily compromised I would make sure that the potential perpetrator didn't set up any.

    To check just click the "Account" link at the top right of the page, scroll down to the bottom and near the bottom you'll see the human section and "View the applications you have authorized for use with Glitch's API." (edit: actually the prior link should also take you straight there, it worked better than I thought)

    This way you can be sure that nothing is accessing your account in the background.
    Posted 91 days ago by Mithax Subscriber!