Main itch.io account was compromised.

A topic by StaticNebula created Nov 27, 2023 Views: 738 Replies: 10

Hello, I'm posting here to hopefully get in touch with someone who can help, but my main account (MysticalDevelopers) has been breached and my email address was changed, so I can't contact support from that email. I received no email about my email or password attempting to be changed, and I have 2FA enabled on that account. When I went to log in to update one of my games, I couldn't. Thinking I had just forgotten my password, I went to reset it and it said there was no account with that email. The account is still active and is being used by a third party. I can tell because there is a game on my account that I did not release; I don't even make those types of games.

Help is greatly appreciated.

Thanks.

and my email address was changed, so I can't contact support from that email

Why not? Just send an email to support@itch.io explaining the situation.

You think they simply forget the "old" mail account and would not see the suspicious activity on that account?

Also, did you try logging in with the username instead of the email?

I've tried logging in via both username and email, didn't work. On the email side, I've sent them an email ticket 11 days ago (Nov 16) and no response. I've also reported the game that I didn't make, and haven't seen anything happen yet.

Admin

I’m sorry that happened to you, but you still need to read the rules of the board before posting.

If you still need to make a topic about a Support Request, you must include your ticket ID with your message.

Thanks


Makes sense.

This is at least the second thread about a situation where 2fa did not help against account theft.

It is possible to change passwords with activated 2FA without providing the 2FA token. This is a design flaw. It needs to be asked every time the password is asked, such as for a password change or email change.

Those cookie-stealing attacks are nasty. I wonder how they acquire the password, or if they found a way around the password as well. Or maybe they simply managed to take it from the browser database along with the session cookie.

And if this is done with session stealing, the host should ask for login again when the IP suddenly changes. Or is this prohibitive because of people using their phone's internet and switching to different WLANs all day?

Admin

It is possible to change passwords with activated 2FA without providing the 2FA token. This is a design flaw. It needs to be asked every time the password is asked, such as for a password change or email change.

This is a bit tricky, we would also need to disable the ability for an account to turn off 2fa without a 2fa token, otherwise the person who hijacked the account would disable 2fa before making their changes. This could cause people to get locked out of their account. At this point though, the risks of being locked out of an account and having to contact support probably aren’t as bad as the damage a hacked account can do.

For context, changing password, email, and two-factor auth settings requires the account password. If someone is stealing a session and able to take over the account by changing its details, then they also have the account password.
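As an added illustration of the gating discussed above (example code, not itch.io's own): sensitive changes such as changing the email, changing the password, or disabling 2FA go through a step-up check that needs the account password plus a current TOTP code, so a stolen session cookie alone does not get an attacker past it. The Account record, the hypothetical handler names and the constructed secrets are assumptions; the TOTP is standard RFC 6238.

```python
import hashlib, hmac, struct, time
from dataclasses import dataclass
from typing import Optional

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1, 30 s step), as produced by authenticator apps."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:                      # hypothetical account record, not a real schema
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes]    # None means 2FA is turned off

class AuthError(Exception): ...

def reauthenticate(acct: Account, password: str, code: Optional[str], now: int) -> None:
    """Step-up check: a live session is not enough; re-enter password and, if 2FA is on, a code."""
    if not hmac.compare_digest(hash_pw(password, acct.salt), acct.pw_hash):
        raise AuthError("wrong password")
    if acct.totp_secret is not None:
        # Accept the current and the previous 30 s window to tolerate clock skew.
        ok = code is not None and any(
            hmac.compare_digest(totp(acct.totp_secret, now - d).encode(), code.encode())
            for d in (0, 30))
        if not ok:
            raise AuthError("2FA code missing or wrong")

def change_email(acct, password, code, new_email, now=None):
    reauthenticate(acct, password, code, int(time.time()) if now is None else now)
    acct.email = new_email
    return acct.email
def change_password(acct, password, code, new_password, now=None):
    reauthenticate(acct, password, code, int(time.time()) if now is None else now)
    acct.pw_hash = hash_pw(new_password, acct.salt)
    return True
def disable_2fa(acct, password, code, now=None):
    # Gated the same way: otherwise a hijacker simply turns 2FA off first.
    reauthenticate(acct, password, code, int(time.time()) if now is None else now)
    acct.totp_secret = None
    return True
```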

You know better what is more work for support.

People losing their accounts to hackers, or people locking themselves out of their account by screwing up 2FA.

It just makes 2FA less secure than one might think.

Least intrusive might be to ramp up the session hijacking detection, if possible.

Thank you everyone for explaining and helping. Itch support just got back to me and I'm reclaiming my account now.

You did try to find out how your account was hijacked, didn't you?

Worst case, the methods to do this are still in place and your account will be hijacked again.

And if you did find out and know for sure, a warning for others might be useful. The itch security team might also be interested.

Yeah, they did ask me about how it may have happened. I don't usually download games on that account since it's meant for uploading, and any games I do download are usually well-known and verified to be safe. The only incident I can think of, though, is when at some point Windows Defender constantly said there were threats found, but after opening Security Center it said everything was OK, with nothing even in quarantine.

So you assume it might have been an infected download. But no scan afterwards showed anything. You did try other scanners, didn't you? I know that some malware deletes itself after stealing things, so as not to get detected. But the worst case would be that you currently have a full suite of rootkit and keylogger installed and your machine is part of a botnet.

Also, as long as you do not log out of your uploading account, any cookie- and password-stealing attack will not care which account you download and install things with. This stuff is scary, and I would hope that the OS and browsers would provide more means of securing against this type of attack.
