1. Server breaches are not my responsibility...

    I hadn't used one of my accounts in quite a while and went to log into it only to find that the password had been changed by someone other than me. I have never given my account credentials out to anyone, nor have I ever entered them on any site whatsoever outside of Warmane. I was able to reset the password with my email and log into my account; however, I then found that my character's name had been changed. I submitted a ticket requesting that the name be changed back to my original name as it was still available. I received a reply stating that account security is my own responsibility and to use the account retrieval methods on the website. Not only was this entirely not what I was requesting, but it is entirely wrong. Basic IT security ethics 101: a server side breach IS THE SERVER'S FAULT. The only currently available option to deal with Warmane's significant security issues is 2 factor authentication, which in no way prevents someone from actually gaining access to my account credentials; it only makes it more difficult to actually log in. 2 factor authentication for every login is a completely unnecessary and downright overkill inconvenience for customers that are supposed to be motivated to spend money on this game in order to support its continued operation. If our information is never going to be secure no matter what we spend and at any given time some random person can just breach your servers to gain access to our accounts and essentially do whatever they want with them, leaving us as owners with a nice big "oops guess you're SOL", why is anyone supporting this server at all?

    My suggestion: there need to be new security measures implemented. IPs are recorded - force email confirmation or 2FA of login and "trust" of new IP when an account is accessed from an unrecognized IP rather than on every single login; and force email confirmation or 2FA of any (including administrative access) password or email address changes. These are 2 measures that are simply off the top of my head which still don't prevent our credentials from falling into unauthorized hands, but they are more intuitive alternatives to overkill use of 2FA, are not that complicated or expensive to implement, and there are no excuses to not have them and other simple security measures other than downright cheapskate laziness. /endrant.
    Edited: November 12, 2019

  2. IPs are recorded; once you enter your 2FA from one IP it's remembered until you enter it from another IP.
    Confirming via email about email change or password change would be a welcome thing, I don't think it exists now, but some also change email because their old email is inaccessible so they're gonna need another way.
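
The policy the two posts discuss (challenge only on an unrecognized IP, always challenge on password or email changes, and a fallback when the old email is inaccessible) can be sketched as follows. This is an added example, not Warmane's code and not written by either poster; the names `Account`, `challenge_for`, `complete_challenge` and the challenge labels are hypothetical, and the IPs are documentation addresses.

```python
from dataclasses import dataclass, field

# Actions that always need step-up verification, even from a trusted IP.
SENSITIVE = {"change_password", "change_email"}

@dataclass
class Account:
    has_totp: bool                      # user enrolled a 2FA authenticator
    email_reachable: bool = True        # user still controls the old mailbox
    trusted_ips: set = field(default_factory=set)

def challenge_for(account, action, ip):
    """Return the step-up challenge required, or None if none is needed."""
    if action == "login" and ip in account.trusted_ips:
        return None                     # password alone is enough here
    if action != "login" and action not in SENSITIVE:
        return None                     # ordinary in-session action
    # New-IP login or credential change: require proof beyond the password.
    if account.has_totp:
        return "totp"
    if account.email_reachable:
        return "email_link"
    # Old mailbox lost and no 2FA: nothing automatic can prove ownership.
    return "manual_recovery"

def complete_challenge(account, action, ip, passed):
    """Record the outcome; only a passed login challenge trusts the IP."""
    if not passed:
        return False
    if action == "login":
        account.trusted_ips.add(ip)
    return True

if __name__ == "__main__":
    acct = Account(has_totp=False)      # constructed sample account
    for action, ip in [("login", "203.0.113.5"), ("login", "203.0.113.5"),
                       ("change_email", "203.0.113.5"),
                       ("login", "198.51.100.7")]:
        need = challenge_for(acct, action, ip)
        print(action, ip, "->", need or "allowed")
        if need:
            complete_challenge(acct, action, ip, passed=True)
```

Passing a sensitive-action challenge deliberately does not add the IP to the trusted set, so a credential change never widens where a password alone is accepted.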
