2011-10-03 Path of Exile brute force attack incident report
Over the weekend our servers were subject to a brute force attack in an attempt to guess login details for Path of Exile.
The attacker used a database of 2,257,699 unique email addresses and attempted 20,396,984 times to log into Path of Exile using these email addresses and guessed passwords.
Of the email addresses that were used, only 191 actually corresponded to Path of Exile accounts.
Unfortunately the attacker successfully guessed the passwords of 16 user accounts, 1 of which had access to the Path of Exile beta.
We have emailed the holders of the 16 accounts in question, informing them that their account has been compromised and that they need to change their password to something stronger.
We had always intended to add a login-attempt limit to our login servers, but we had not yet implemented one. This is why the attacker was able to make so many attempts in such a short period of time: with no limit, each guess cost the attacker nothing.
We will be making the following changes in response to this incident:
1) We will be adding a limit on the number of login attempts allowed from a single IP address within a given time frame. We will also limit the number of login attempts against a particular account within a given time frame, so that spreading attempts across many IP addresses does not get around the first limit.
2) We will be adding the ability to lock an account until its password has been changed, for use whenever we suspect in future that an account has been compromised.
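The following is an added illustration of the two changes above, written for this page and not Grinding Gear Games' own code. It assumes an in-memory sliding window, demo limits of 20 attempts per IP and 5 per account in a 10-minute window, and a controllable clock so the behaviour can be shown without waiting; the class, function and limit names are all assumptions, not anything from the announcement.

```python
"""Login-attempt limiter and compromise lock (added example, not Path of Exile's code).

Assumptions (not from the announcement): an in-memory sliding window, limits of
20 attempts per IP and 5 per account in a 10-minute window, and a FakeClock so
the behaviour can be demonstrated offline. A real deployment would keep these
counters in a shared store such as Redis so that every login server sees them.
"""
from collections import defaultdict, deque
import time


class FakeClock:
    """Controllable clock so the demo does not have to sleep."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class LoginGuard:
    """Gate to run before the password is checked.

    Three independent controls, in the order they are applied:
      1. an account locked after a suspected compromise refuses every login
         until the password has been changed;
      2. a per-IP sliding-window limit (the control that would have stopped
         the burst of tens of millions of attempts described above);
      3. a per-account sliding-window limit, which also catches an attacker
         who spreads attempts over many IP addresses.
    Only attempts that pass the gate are counted, so an attacker gains nothing
    by retrying refused requests, and the rate can never exceed the limit
    per window.
    """

    def __init__(self, ip_limit=20, account_limit=5, window=600, clock=time.monotonic):
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.window = window                     # seconds
        self.clock = clock
        self._ip_hits = defaultdict(deque)       # ip -> timestamps of allowed attempts
        self._account_hits = defaultdict(deque)  # email -> timestamps of allowed attempts
        self._locked = set()                     # emails locked pending a password change

    def _recent(self, hits, key, now):
        """Drop timestamps older than the window and return how many remain."""
        q = hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def check(self, ip, email):
        """Return (allowed, reason) for one login attempt."""
        now = self.clock()
        email = email.strip().lower()   # treat case variants as the same account
        if email in self._locked:
            return False, "account-locked"
        if self._recent(self._ip_hits, ip, now) >= self.ip_limit:
            return False, "ip-rate-limited"
        if self._recent(self._account_hits, email, now) >= self.account_limit:
            return False, "account-rate-limited"
        self._ip_hits[ip].append(now)
        self._account_hits[email].append(now)
        return True, "ok"

    def lock_until_password_change(self, email):
        self._locked.add(email.strip().lower())

    def password_changed(self, email):
        self._locked.discard(email.strip().lower())


def simulate_burst(guard, ip, n_attempts):
    """Fire n_attempts from one IP, each against a different address (the shape of
    the attack described above), and return how many reach the password check."""
    return sum(1 for i in range(n_attempts) if guard.check(ip, f"user{i}@example.com")[0])


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    print("attempts reaching the password check out of 1000:", simulate_burst(guard, "192.0.2.1", 1000))
    clock.advance(601)   # window expires; the attacker gets another 20, not unlimited
    print("after the window expires:", simulate_burst(guard, "192.0.2.1", 1000))
    guard.lock_until_password_change("user5@example.com")
    print(guard.check("203.0.113.9", "User5@example.com"))
```

Two trade-offs worth keeping in mind with this shape of limiter: a per-account limit lets an attacker deny a legitimate player access to their own account by hammering it, so that limit should be generous and paired with a lock-and-notify path rather than a silent refusal; and a per-IP limit is weakened by an attacker who spreads the same attempt list across many addresses, which is why both limits are applied together. The in-memory dictionaries also grow with every distinct address tried, so a production store needs expiry of idle keys.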
We take the security of your account very seriously and take many precautions, such as never storing your password in clear text in our databases. Ultimately, though, your account is only as secure as your password: hashing protects passwords if our database were ever stolen, but it cannot stop an attacker from simply guessing a weak password at the login screen. We would advise everyone to reconsider how strong their password is and to change any weak password to a stronger one.