Player News Stolen house on Catskills

[Ivory Norwind]

I have 6 accounts. I almost always play on Europa and have a house per account. 4 houses are on Europe while the other two are one on Atlantic and one on Catskills. Yesterday I went to the Catskills house and I found myself with all the characters thrown out and in the sign it says that the house belongs to Locutus Of Fire. I have always paid all accounts and played all chars with all accounts. They stole some pretty expensive things (like a lot of Pigments of Tokuno with 40 charges each, Sorcerer suites does not replicate and little else) and all the money, they left me 833gp and now I don't know how to get back in possession of the house. In the information the house was built in 2006 and the last trade was in 2019 because I had made an exchange with another house on Europe. The house was private and now some of the GMs have to explain to me how it is possible to steal a house. How can I get it back? I repeat, I have always paid everything and that some of my chars play on Europa even if they have a house in other shards, it certainly does not affect the change of owner of the house. Name never heard, I have no char with the name Locutus Of Borg in any shard. I am desperate because, apart from the theft of money and objects I can no longer enter, it is no longer my home. What may have happened? What can I do to repossess the house? Help me please

 

[Lord Frodo]

CHANGE ALL OF YOUR PASSWORDS, NOW. The only way I can think of is that someone got your account name and password and took everything. Does anybody besides you have that info? Did you receive that account from someone else and they took it back and didn't bother changing your password?

 

[dvv]

Yes change your passwords. Besides that, I really am not sure how this could be done.

 

[Danpal]

Only way is for them to have the account information or they had help from someone in the development team. Very unlikely for the later but has happend before back around AoS times.

Change everything.

Contact mesanna she might help. She might not. Do you have a time frame when this happend. All depends on how much she likes you.

Have you provided your account information to anyone. Was it a account you opened your self or got from someone. If the account was gotten could have been old owner. I was able to get my one account back that someone had the account was sold a few times from what I was told.

Most likely they cleaned out the account of items and gold cleaned out the house then sold it to someone else in game. Even a dumb hacker is smart enough not to hold a stolen house.

Just luckly they did not delete the chars they done that In the past.

Unless they just put a random name and password and it worked very unlikely

 

[a wizard]

There is nothing you can do to retrieve anything that was lost or stolen. They will tell you that you are responsible for the safety of your account, it's always been this way.

Change your passwords immediately and often, enable two factor authentication for your e-mails.

 

[Stinky Pete]

Something tells me that there is more to this story that we will probably never know.

 

[Goldberg-Chessy]

This sucks.
Quite often though things like this happen because the account owner mistakenly trusted someone in the past with their account info

 

[Fortis]

can you show the location of the house in a picture

 

[Draza]

We had this happen on napa not long ago.
Guuld member logged in, was booted from his house, and 2 players werein there going through his stuff.

They got his house back to him, but he lost most of his pixel crack.

 

[Lex Darion]

Last week, player with fully paid up account lost their house.
The house idocer was nice enough to hand it back though. Veteran rewards gone though.

I wonder if this is something bigger on Broadswords end that is going on?

 

[Keven2002]

Why isn't this being posted on the official forum for the DEVs to look into?

 

[Lex Darion]

Why isn't this being posted on the official forum for the DEVs to look into?

Cause moderators lock those threads and tell people to just "page a GM".

 

[SugarMMM]

I was able to get my one account back that someone had the account was sold a few times from what I was told.

I have a couple accounts that were turned over to me when my friends passed away and I'm always freaked out that I could lose them!

I have been the owner for a good 15+ years on them and will keep the accounts paid for until the end!

 

[Xare]

Before everyone gets the torches and pitchforks, remember there's always three sides to story.

 

[Veldrane]

Before everyone gets the torches and pitchforks, remember there's always three sides to story.

but... but... I got this awesome new pitchfork I've been wanting to try out

 

[Stinky Pete]

but... but... I got this awesome new pitchfork I've been wanting to try out

I assume you bought it from my torch and pitchfork emporium.

 

[Veldrane]

I assume you bought it from my torch and pitchfork emporium.

You were out of torches; there was only flame throwers left

 

[Lord Frodo]

Cause moderators lock those threads and tell people to just "page a GM".

Bull Crap

 

[Lex Darion]

Bull Crap

No?
Pages usually end with "I believe" and then a moderators opinion on the matter and then closure.
UO forums dont discuss potential account hacks and potential exploits performed by other players due to risk of speculation.

 

[MalagAste]

No?
Pages usually end with "I believe" and then a moderators opinion on the matter and then closure.
UO forums dont discuss potential account hacks and potential exploits performed by other players due to risk of speculation.

Or the truth coming to light about just how jacked it is... and how this happens all the time for fear it'll create panic and make people want to quit...

 

[Lex Darion]

Or the truth coming to light about just how jacked it is... and how this happens all the time for fear it'll create panic and make people want to quit...

I'm not saying that a lot of posts do happen due to conspiracy and just unfounded facts. But those posts should be combined into a megathread where it is allowed to discuss and where devs/GMs respond.
We've seen Broadsword "pause" timers in the past on the house keeping system due to "abnormal high IDOCs" . Seen in UO news on official page not too long ago. They dont release info about the findings, which I find sad.

The whole secrecy is what causes a lot of miscommunication. OSI started the whole silence culture, not being allowed to quote GMs from calls etc (or risk ban) and lots of other weird policies. Broadsword has continued this trend which is not befitting a game studio in 2021. Open communications with the players is a must for other studios. UO players I suppose are just so used to it they dont question it very often.

 

[MalagAste]

I'm not saying that a lot of posts do happen due to conspiracy and just unfounded facts. But those posts should be combined into a megathread where it is allowed to discuss and where devs/GMs respond.
We've seen Broadsword "pause" timers in the past on the house keeping system due to "abnormal high IDOCs" . Seen in UO news on official page not too long ago. They dont release info about the findings, which I find sad.

The whole secrecy is what causes a lot of miscommunication. OSI started the whole silence culture, not being allowed to quote GMs from calls etc (or risk ban) and lots of other weird policies. Broadsword has continued this trend which is not befitting a game studio in 2021. Open communications with the players is a must for other studios. UO players I suppose are just so used to it they dont question it very often.

It's not that we are used to it... it's that there is NO alternative... we aren't ever going to change their players be damned mentality... they honestly couldn't give a rats about what you lost, who took it, how it was done, or any of that... their entire stance is that you had to have done something to get hacked and therefore you are guilty... not the hacker... It's literally putting all blame on the victim... and taking ZERO response...

Most other games will get back what was stolen from you and ban the person who did the taking... I know several games that will ban the both of you... but UO has long held the stance that the player be damned and they aren't about to ever change.

 

[Stinky Pete]

If they started giving things back that were taken from players who complained about it. I would have like literally nothing. On a side note, I don't think they have the logging capability to facilitate that

 

[GarthGrey]

My guess is, you accepted a script from someone and it had bad things in it.

 

[railshot]

Everybody who is suggesting the password was compromised through sharing, or a script or through using "password1" for password, why would the thief steal the house but leave the account alone? Would not the first thing for them to do would be a password change so that OP could not log in?

 

[Pawain]

Everybody who is suggesting the password was compromised through sharing, or a script or through using "password1" for password, why would the thief steal the house but leave the account alone? Would not the first thing for them to do would be a password change so that OP could not log in?

She said they took the gold and the sorcerers suits they were wearing. They took everything and did not need the toons. Also I think you need to have an email address to log into the account menu to change the passwords. Also they are not stupid enough to link the accounts to their own.

 

[Danpal]

Everybody who is suggesting the password was compromised through sharing, or a script or through using "password1" for password, why would the thief steal the house but leave the account alone? Would not the first thing for them to do would be a password change so that OP could not log in?

No it does not work like that. Frist off you need your master account password to change a accounts password. If the master was hacked then they would control all send accounts on master account and change passwords on them all. This was just one of there accounts so that was not the issue.

If you have access to one of the account you could sit back and take your time. Checking everything on account before you make a major move. A theif will by his or her time if they know what there doing. Start off taking one or two items. Owner will think oh I missed placed said item. I thought I had something locked down could I have hit release by accident. After that they make there move. And only a dumb theif would keep said items. House would be sold and any vaule items as well. They don't want to be caught red handed.

Railshot put it this way you leave your keys in the front door. Theif takes said keys makes a copy. Theif then puts your keys back in the door. Next morning you can't find your keys you grab your spare keys as you leave you notice your keys in the door. You say to your self dang I drank to much last night or must of been tired. Are you going to change the locks? You keys are there and its only been one night.

Now the theif has full access to your house with out you knowing. He will watch you see what you do each day. He will go inside take something small check around then leave. When he knows he has a window he will move in for the score. You come home to a empty house with no sign of forced entry your insurance will see it as a inside job. Think of home alone movie.

Just to be clear I did security for years

 

[DreadLord Lestat]

UO is an outlier because there is not 2-factor authentication to log into the game itself. They really need to change that and a lot of the theft would go away. The only time I hear of WoW accounts or Eve Online accounts being hacked into are the ones that the owner did not set up 2-factor authentication. UO has it for the master account but not the actual game accounts when logging into the game.

 

[Keven2002]

UO is an outlier because there is not 2-factor authentication to log into the game itself. They really need to change that and a lot of the theft would go away. The only time I hear of WoW accounts or Eve Online accounts being hacked into are the ones that the owner did not set up 2-factor authentication. UO has it for the master account but not the actual game accounts when logging into the game.

Not sure how welcomed this would because people are already saying they shouldn't even need to put their password every time they log back in to "speed up logging in"; this was something brought up literally like 4 M&G ago. I then saw either here or in the forums people agreeing that they shouldn't need to type their password each time.

Before everyone gets the torches and pitchforks, remember there's always three sides to story.

This is my guess...something doesn't sound right here. The OP makes a claim here (again if it's as they claim why not at least put 1 post on the official forum about it; don't give me the "they lock threads over there" excuse) and then doesn't come back to give further details of what happened. My guess is because they have an idea of what happened (ie they were sharing an account or doing something they shouldn't have been doing like running a script they found online) and don't want to incriminate themselves.

This is truly concerning if it's legit but part of me thinks that the OP has some similarities to the person who posted about them getting a DDOS attack during a Fel IDOC and missed out placing a castle because their internet told them so; just throw out a half pieced together idea and then leave the thread when people ask questions..... I think that person actually posted on the official forums though so maybe they are more legit.

 

[Jasoninator]

I have 6 accounts. I almost always play on Europa and have a house per account. 4 houses are on Europe while the other two are one on Atlantic and one on Catskills. Yesterday I went to the Catskills house and I found myself with all the characters thrown out and in the sign it says that the house belongs to Locutus Of Fire. I have always paid all accounts and played all chars with all accounts. They stole some pretty expensive things (like a lot of Pigments of Tokuno with 40 charges each, Sorcerer suites does not replicate and little else) and all the money, they left me 833gp and now I don't know how to get back in possession of the house. In the information the house was built in 2006 and the last trade was in 2019 because I had made an exchange with another house on Europe. The house was private and now some of the GMs have to explain to me how it is possible to steal a house. How can I get it back? I repeat, I have always paid everything and that some of my chars play on Europa even if they have a house in other shards, it certainly does not affect the change of owner of the house. Name never heard, I have no char with the name Locutus Of Borg in any shard. I am desperate because, apart from the theft of money and objects I can no longer enter, it is no longer my home. What may have happened? What can I do to repossess the house? Help me please

Who is Locutus of Borg? I thought Locutus Of Fire owned the house.
Maybe it's something simple as you placed a house on that account causing it to go idoc and never realized?

Your story is highly conflicting saying they took all your money though which is meaning they logged on your account and emptied your bank as well but no mention of that? No mention of missing items on the characters either?
I would be willing to bet this is user-error.

 

[Wharton]

There is nothing you can do to retrieve anything that was lost or stolen. They will tell you that you are responsible for the safety of your account, it's always been this way.

Change your passwords immediately and often, enable two factor authentication for your e-mails.

How do you enable two factor authentication? Is it something you do at ultima, or with your email service?

 

[Danpal]

Who is Locutus of Borg? I thought Locutus Of Fire owned the house.
Maybe it's something simple as you placed a house on that account causing it to go idoc and never realized?

Your story is highly conflicting saying they took all your money though which is meaning they logged on your account and emptied your bank as well but no mention of that? No mention of missing items on the characters either?
I would be willing to bet this is user-error.

If you read her post it is someone that is fluent in English but not a native speaker or writer of it. (Wife is from Iran so remindsme of her typing and gamer)

A name is a name one could have been a type or auto correct locutus of borg was Star trek char. So auto correct could have done it.

She stated that the Mage clean up non replica set was missing am assuming thats what her characters wear. All 70s 100 lrc its a nice set for new or for characters that don't play much. Said gold was gone all but 800 something. Theif not going to worry about 800gp they most likely just round down.

Remember in all honesty the less time a theif is on a account the better for them.

Login to game on each char strip there clothing off throw in chest. Log out. Last char Login trade house and gold to theifs own character. 7 chars if all loged in house would be less then 10mins to do it.

 

[Amber Witch]

Ivory, if this gets resolved please update us. Sorry for your loss.

 

[Elessar]

I'm sorry to hear about your situation Ivory. I hope you can get it resolved to your satisfaction.

 

[Kas Althume]

That's one of the reasons why UO should NEVER have linked their stupid official forum to the UO accounts. How secure is that forum? Maybe they got account informations that way.

 

[Lord Frodo]

LMAO You people are so funny. If half of what you people think happened then why hasn't every bodies accounts been hacked. Pure BULLCRAP that UO would lock a post if this was a valid complaint. Where is the OP, why hasn't she added anymore info? Why was her house targeted? You can place a house just about anywhere on Cats but someone is going to take the time to hack her account but leave all her other accounts alone. The story does not add up.

Everybody better change all your passwords because everybody is going to be hacked and lose everything. What a friggen joke this thread has been turned into.

 

[Ivory Norwind]

All accounts are mine. I can log into the shard where my house was stolen if I go there with a char from another account. Nobody stole my password otherwise they would have done me more damage.
Please i know english very bad. How can write to Mesanna? Thanks

 

[railshot]

Not sure how welcomed this would because people are already saying they shouldn't even need to put their password every time they log back in to "speed up logging in"; this was something brought up literally like 4 M&G ago. I then saw either here or in the forums people agreeing that they shouldn't need to type their password each time.

One does not preclude the other. 2FA can be set up in a way where it provides security, yet does not annoy users to death.

Example: On any new installation, a user is required to go through 2FA. They have an option to turn it off, along with the password on this specific installation. If there is a new installation or a login attempt from a different IP, you are asked for 2FA again. Gmail and a host of other services, including games, have been operating like this for ages, so it's not like it's a big revelation.

 

[Danpal]

All accounts are mine. I can log into the shard where my house was stolen if I go there with a char from another account. Nobody stole my password otherwise they would have done me more damage.
Please i know english very bad. How can write to Mesanna? Thanks

Your English is very good for someone that its not native to it. An sorry this has happend.

I am not sure what language you speak but maybe a EM on your main shard can help. I know Asian shards have Asian speaking EM and assume the EU shards speak other then English.

If all else fails use Google translate and state in the email the language you can talk and type in in the start of it. Start would be.

Hello Masanna English is not my native language. I can Communicate in (this is wear you put it) then go on in English with the issue. You could then type it in your native language maybe she or someone at the office will understand the native language.

Something like this happend to me in 2003 they did nothing but then the game was much bigger then it is now and one person did not matter to them.

Mesanna does have a good heart when it comes to things I will say that about her.

Wish I could help more but only know english and how to talk in farsi

 

[Danpal]

I looked in your profile here is Google translate of what I said.

Il tuo inglese è molto buono per qualcuno che non è nativo. Mi dispiace che sia successo. Non sono sicuro della lingua che parli, ma forse un EM sul tuo frammento principale può aiutare. So che i frammenti asiatici hanno EM di lingua asiatica e presumo che i frammenti dell'UE parlino altro oltre all'inglese. Se tutto il resto fallisce, usa Google Translate e indica nell'e-mail la lingua con cui puoi parlare e digitarla all'inizio. Inizio sarebbe. Ciao Masanna L'inglese non è la mia lingua madre. Posso comunicare in (questo è l'usura che lo metti) e poi andare avanti in inglese con il problema. Potresti quindi digitarlo nella tua lingua madre, forse lei o qualcuno in ufficio capirà la lingua madre. Qualcosa del genere mi è successo nel 2003, non hanno fatto nulla, ma poi il gioco era molto più grande di adesso e una persona non aveva importanza per loro. Mesanna ha un buon cuore quando si tratta di cose che dirò di lei. Vorrei poter aiutare di più ma conosco solo l'inglese e come parlare in farsi

 

[Stinky Pete]

If half of what you people think happened then why hasn't every bodies accounts been hacked.

How do you know that they haven't?

Let's say, hypothetically, I managed to get everyone's login info, how would I go about using it without raising an alarm? It would have to be done slowly because if I logged into 50 accounts and cleaned them out in a day, 50 people would complain about it, BS would know there is a breach and steps would be taken to mitigate, including a revert of all affected shards and I would end up with nothing. No intelligent person is going to do it like that, it would have to be a rather slow process.

Why was her house targeted? You can place a house just about anywhere on Cats but someone is going to take the time to hack her account but leave all her other accounts alone.

If I gave you a list of everyone's usernames and passwords, how would you find mine? It isn't necessarily a targeted attack, just a random account chosen from a list of accounts. Also, not all accounts have the same value, I imagine you would have to go through a few accounts to get a decent one with enough goodies to steal for it to be worth the time. As far as her other accounts go, they may have access, but no way to know which accounts are hers.

This is all speculation, mind you, I am in no way saying that the account database has been breached. I am just trying to show you that it is very possible that this has occurred and we don't even know it. You always come to the defense of the official forum when it comes to account security. I don't understand why nobody can convince you that linking the forum accounts to the game accounts was a terrible idea and should have never been done. It unnecessarily increased the attack surface of the account database. For what? To make sure that only active accounts can post on their forum? To prevent spammers and bots from posting? It was a horrible call, plain and simple, there is no justifiable reason for it.

 

[Alexey Kurkdjian]

90% the time that this happened is bc the house owner shared his acc info with someone and that someone transfer the house, that simple. There is no hacking or this and that, like the someone said, if this was anything different than somone had access to your acc, the damage would be greater, like people would strip all toons and than delete and so on. The fact that her toons were still at the location, means whoever she gave access, just transferred the house amd left.

 

[Danpal]

How do you know that they haven't?

Let's say, hypothetically, I managed to get everyone's login info, how would I go about using it without raising an alarm? It would have to be done slowly because if I logged into 50 accounts and cleaned them out in a day, 50 people would complain about it, BS would know there is a breach and steps would be taken to mitigate, including a revert of all affected shards and I would end up with nothing. No intelligent person is going to do it like that, it would have to be a rather slow process.



If I gave you a list of everyone's usernames and passwords, how would you find mine? It isn't necessarily a targeted attack, just a random account chosen from a list of accounts. Also, not all accounts have the same value, I imagine you would have to go through a few accounts to get a decent one with enough goodies to steal for it to be worth the time. As far as her other accounts go, they may have access, but no way to know which accounts are hers.

This is all speculation, mind you, I am in no way saying that the account database has been breached. I am just trying to show you that it is very possible that this has occurred and we don't even know it. You always come to the defense of the official forum when it comes to account security. I don't understand why nobody can convince you that linking the forum accounts to the game accounts was a terrible idea and should have never been done. It unnecessarily increased the attack surface of the account database. For what? To make sure that only active accounts can post on their forum? To prevent spammers and bots from posting? It was a horrible call, plain and simple, there is no justifiable reason for it.

I agree we do not know the who what when where and why of the issue that's for the team to find out.

As Sticky pete says there is no way anyone can link a account to someone unless they know the information. users names are not that hard to find. miss enter your password and you see a log in fail now enter in a random username and its diffent you can keep trying until you find one. then after that its just a matter of time to find the password, this game does not have you put in 3 wrong passwords account is locked.

This game came out in the start of the internet I am sure there are quite a few user names that are the peoples real name and at one point you could have a 5 letter password with no upper lower case and number signs, most common passwords are password, Passwrd, power, 123456789 just look at the list.

 

[Pawain]

All accounts are mine. I can log into the shard where my house was stolen if I go there with a char from another account. Nobody stole my password otherwise they would have done me more damage.
Please i know english very bad. How can write to Mesanna? Thanks

[email protected]

 

[Merlin]

Folks -

The OP made this post seeking help. I understand it's a unique issue and the cause may be opaque and require some theoretical suggestions that will be subject to debate, however, please take the petty bickering elsewhere.

 

[Victim of Siege]

Folks -

The OP made this post seeking help. I understand it's a unique issue and the cause may be opaque and require some theoretical suggestions that will be subject to debate, however, please take the petty bickering elsewhere.

But, But, This is Uhall . . .

 

[Lex Darion]

Did you make the decision to do this? You defend it every time it is brought up. I have explained to you over and over again how dumb the decision was and why, and you just keep coming back with insults and dumb reasons why it couldn't possibly happen. As I have explained in the post you quoted and other posts that it is possible for a breach to have occurred and you or I to be none the wiser. The undeniable fact is that the attack surface of the account database was increased in order to verify accounts on the forums, which is, in my opinion, not worth it and a very bad decision.

That being said, I don't believe this is the case here, but it is not outside the realm of possibility. The possibility of it happening is a fact, yet you deny it every time it is mentioned. I will never understand that.

Would be interesting to see if the increased amount of 503's from UO.com and white pages is a sign of bruteforcing.
If the forums are a vector that has no ratelimiting on login attempts, it could very well be a huge entrypoint.

- Easily guessable usernames + bad passwords.
- Known dictionary attacks.
- Password re-use on other breached pages.

 

[MalagAste]

Would be interesting to see if the increased amount of 503's from UO.com and white pages is a sign of bruteforcing.
If the forums are a vector that has no ratelimiting on login attempts, it could very well be a huge entrypoint.

- Easily guessable usernames + bad passwords.
- Known dictionary attacks.
- Password re-use on other breached pages.

Another good reason to never ever log in there.

 

[petemage]

- Easily guessable usernames [...]

Just for the record, you can find a ton of account names just by using the origin people search. Every UO account is listed there. Try it with your own

 

[Lady Michelle]

only forums I use are these forums here. Ages ago I set up no one can see me on Orgin. Have a email just for my accounts only. My passwords are just not a word its more like n3wpassw0rdsb1t3. I don't social media my accounts meaning I have facebook but only family never used for game purposes. I avoid answering any questions about me won't join any guild that wants to much of my personal info to join. You get comfortable with certain players without realizing it they start asking certain questions because you feel comfortable with them so you answer them giving away personal info.