Hello guys,
I haven't played in several months... 2 days ago I received a mail about an attempted access to my account.
The IP traced back to Russia... I changed password - good length, upper / lower case characters, numbers, very uncommon word.
Despite that, I received another attempted access right now, this time from Latvia.
Are these mails sent if someone actually used my password, or just if someone tries logging in with my username, using any password?
If it's the former, I have to nuke my PC asap...
-
Member
Attempted accesses on my account, despite changed password
-
Forum Veteran
What kind of mails are those? If it's 2 step authentication mails then those are sent only when someone manages to log on your account. If it's password reset mails or something similar then they only need account name to send you those.
-
Member
Just received one as well. Apparently Warmane does not allow us to use SPECIAL characters in our passwords? An hour ago, tracking back to Switzerland.
IP: 191.101.54.56
Mine was a 2step auth, meaning must have been able to logEdited: March 3, 2017
-
Member
It was 2 step auth, in both cases...
The new password I used is completely new, never used it anywhere... this is worrying...
IPs were:
91.204.15.166
5.62.154.17
EDIT: I wiped my hard drive just in case, better safe than sorryEdited: March 3, 2017
-
Member
I got a 2-step email not long ago too with a Russian IP. Haven't really played in months either. Are they just brute forcing? No symbols in the passwords makes it a bit easier.. Guess it's time to just mash random numbers and letters and see how that goes.
-
Member
same here.. i had not logged on in a long while. i haven't even fired up the desktop with WOW on it, nor hv i used a browser synced the password to my account. no ties at all between the newer desktop and molten or warmane. i finally turned it on, checked the associated email..and i see i hv 3 attempted logons stopped thx to 2factor. ip's from Russian, Italy, and VN. all within the last week, starting the day after Cloudbleed was all over the news. hopefully this is not related. i'm grateful that at least 2fa has shielded this account so far. :-D
-
Member
Got the same issue yesterday : Two Factor Authentication Authentication requested March 2, 2017 at 21:47 188.72.127.137
Seems some security issues are there already, if its cloudflare or warmane.. seems it happend yesterday when the server dc'd twice.
Nslookup, tracert and ping to the ip adress didnt solve any info.
The only info I had was : 188.72.127.137 Russian Federation Kaluzhskaya oblast' Kaluga
I changed my password immediately ofcourse and so far.. haven't seen any changes without my account.
-
Moderator
I could be wrong, but from my other experiences with Google, that sort of email is sent when someone tried to login, but didn't succeed (hence "attempt"). For them to actually succeed in logging in to an account with 2-step authorization on they would either need access to the device running the app or to the email where the code is sent to, depending on which type you're using. Not to mention that the first thing people who succeed in logging in to an account belonging to someone else is to change emails and password, which doesn't seems to have happened to anyone posting here.
-
Forum Veteran
That's correct but it means that username and password were entered correctly. So they managed to log on the account til the point where they are asked to enter 2 step authentication code. At that point they could use forum from that account (if that has not changed lately) or log in game since email 2 step authentication does not protect in-game account.
It's possible that some passwords could be found on cached pages from search engines after Cloudbleed but the chance of it happening seems very low. Google has removed affected pages from their cache but other search engines could still have them. Author of the thread said it happened to him twice, from which one time was after changing password 2 days ago. That's after Cloudbleed was fixed so that can't be the cause in his case.
-
Member
I got the same problem, bad for me I didnt have 2 step auth. Somebody from remote IP (Belarus) got in to my account and stole my coins. I'm not really sure why he didn't change the e-mail and password while he was in,it's really a mystery. Maybe somebody found out a way how to bypass the login, but doesnt really know the passwords. I mean I know for a fact there is no way him/they could've known my password. This whole thing is really sketchy.
-
Member
Source: whois.ripe.netIP Address: 188.72.127.137
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '188.72.127.128 - 188.72.127.255'
% Abuse contact for '188.72.127.128 - 188.72.127.255' is '[email protected]'
inetnum: 188.72.127.128 - 188.72.127.255
netname: DEPO40-NET
descr: Depo40 PA Block
country: NO
admin-c: TII31-RIPE
tech-c: TII31-RIPE
status: ASSIGNED PA
mnt-by: leadertelecombv-mnt
mnt-routes: MNT-DEPO40
created: 2015-01-26T09:11:06Z
last-modified: 2015-01-26T09:11:06Z
source: RIPE
person: Trusov Ilya Igorevych
address: 249806, Russia, Kaluga region, Moscow Street 258, office 16
phone: +79533100064
abuse-mailbox: [email protected]
nic-hdl: TII31-RIPE
mnt-by: MNT-DEPO40
created: 2015-01-24T19:53:31Z
last-modified: 2015-11-20T19:03:56Z
source: RIPE
% Information related to '188.72.127.0/24AS200557'
route: 188.72.127.0/24
origin: AS200557
mnt-by: REGION40-MNT
mnt-by: MNT-DEPO40
created: 2016-08-28T17:22:29Z
last-modified: 2016-08-28T17:22:29Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.88 (ANGUS)
-
Member
Does Warmane use Cloudflare? This is concerning.
-
Forum Veteran
Yes, Warmane is using Cloudflare.
