It has to be one of the private servers
Asura.Eiryl
By Asura.Eiryl 2023-01-16 22:49:27
How likely are you to leave ffxiah.com password on your browser storage for 10 years after you stop posting.
As soon as you upgrade, you're starting over and not lurking here. So I mean. How many people are still using the same pc for 10+ years.
There is nothing that's going to link you the human to you the ffxi player aside from it being the same login credentials on something ffxi related. I don't know how many of you use your ffxi name somewhere else lol.
It doesn't have to exist in your personal vault or on your system to be part of a stolen password dump. Most of these spammers buy these dumps, it's possible or likely the dump they bought contained a lot of older data. If you look at some of the forums where this is popping up, they are older and more obscure, so the data they are using is likely just ancient.
There are also ~143k hits on the exact phrasing, so this isn't something specific to ffxiah or targeted here, it's pretty widespread across the last 3 days. The only thing I'm really talking about is how they link your hacked self, to here. Just knowing a user name and password won't bring you here. This place is too niche.
People get hacked all the time, but they never post their *** here. Something is very specific.
Server: Asura
Game: FFXI
Posts: 985
By Asura.Iamaman 2023-01-16 22:52:53
How likely are you to leave ffxiah.com password on your browser storage for 10 years after you stop posting.
As soon as you upgrade, you're starting over and not lurking here. So I mean. How many people are still using the same pc for 10+ years.
There is nothing that's going to link you the human to you the ffxi player aside from it being the same login credentials on something ffxi related. I don't know how many of you use your ffxi name somewhere else lol.
It doesn't have to exist in your personal vault or on your system to be part of a stolen password dump. Most of these spammers buy these dumps, it's possible or likely the dump they bought contained a lot of older data. If you look at some of the forums where this is popping up, they are older and more obscure, so the data they are using is likely just ancient.
There are also ~143k hits on the exact phrasing, so this isn't something specific to ffxiah or targeted here, it's pretty widespread across the last 3 days. The only thing I'm really talking about is how they link your hacked self, to here. Just knowing a user name and password won't bring you here. This place is too niche.
Yea, that's part of my point above. If you do have a SQL bug in a private server that you exploit and get a dump of passwords, it would take a human to manually correlate that someone there might have accounts with the same creds here, which is unlikely in this case given the scale which these messages are being spammed.
Given how many of these posts exist, this is likely someone running an automated tool to spam it using a list of stolen credentials tied to certain websites, like a password vault or a bunch of creds harvested years ago using malware (more likely, this would also directly point to this site with the stolen creds).
A post on a phpBB forum also mentioned they were mainly older accounts on those boards, as well, and a lot of the forums I see it on are obscure or older also.
By Aquatiq 2023-01-17 00:07:46
Running Guildwork plugin on private server, syncing specific data updates here via some code shenanigans and using AH crystal verification to "steal" existing characters on ffxiah? Even if that were a thing (unlikely) why go to all that trouble rather than spam crypto links with fresh accounts to accomplish the same thing.
Carbuncle.Nynja
Server: Carbuncle
Game: FFXI
Posts: 4892
By Carbuncle.Nynja 2023-01-17 01:55:06
The only thing I'm really talking about is how they link your hacked self, to here. Just knowing a user name and password won't bring you here. This place is too niche.
That's why I suggested it was some sort of password database that got hacked or exposed or something. No one's getting their hands on a password dump just to test accounts on some niche websites like ffxiah. I just did another Google search for the channel name:
https://webcache.googleusercontent.com/search?q=cache:PZw_31SiXjIJ:https://www.oregonhikers.org/forum/viewtopic.php%3Ff%3D9%26p%3D225099&cd=2&hl=en&ct=clnk&gl=ca
OREGON HIKERS DOT ORG
No one's getting a login name / password dump from a hacked database and testing them out on niche sites like oregonhikers.org
What I don't get though...presuming they hacked a password database, it's highly likely there are accounts with direct access to financials. Why not go for the goods instead of spamming their stupid crypto telegram channel?
Then again, I have a pretty good idea why they wouldn't do that: hacking accounts to spam their telegram channel = "who cares" from any law enforcement whereas stealing money from various countries across the world = 6 star wanted level.
Shiva.Thorny
Server: Shiva
Game: FFXI
Posts: 3137
By Shiva.Thorny 2023-01-17 05:39:59
Then again, I have a pretty good idea why they wouldn't do that: hacking accounts to spam their telegram channel = "who cares" from any law enforcement whereas stealing money from various countries across the world = 6 star wanted level.
Their telegram and website are actually selling stolen bank accounts, paypal accounts, etc. I took a look at it (on a clean VM, of course) the first time it was posted out of curiosity.
By Thunderjet 2023-01-17 08:31:19
it's ok we are going to fight them hackers
YouTube Video Placeholder
Server: Asura
Game: FFXI
Posts: 182
By Asura.Sensarity 2023-01-17 09:00:31
By Pantafernando 2023-01-17 09:13:42
it's ok we are going to fight them hackers
YouTube Video Placeholder
Funny how different culture produces different types of comedy
Carbuncle.Nynja
Server: Carbuncle
Game: FFXI
Posts: 4892
By Carbuncle.Nynja 2023-01-17 10:00:19
Then again, I have a pretty good idea why they wouldn't do that: hacking accounts to spam their telegram channel = "who cares" from any law enforcement whereas stealing money from various countries across the world = 6 star wanted level.
Their telegram and website are actually selling stolen bank accounts, paypal accounts, etc. I took a look at it (on a clean VM, of course) the first time it was posted out of curiosity.
Whelp, there goes that theory.
I guess these people should keep an eye on their financial accounts.
Bismarck.Nickeny
Server: Bismarck
Game: FFXI
Posts: 2332
By Bismarck.Nickeny 2023-01-17 10:34:02
Server: Asura
Game: FFXI
Posts: 163
By Asura.Snapster 2023-01-17 12:19:52
I don't know whether the recent FFXIAH account hackings are related to Horizon, but they could be. The bootloader for private servers sends user credentials unencrypted over the wire. You can read the source code here. It's a well-known issue in the private server community.
The problem is that Horizon has created a launcher and account creation system without informing its users of the security flaw. The launcher downloads and launches the game. It feels very streamlined. People are going to assume that their credentials are handled securely. They are more likely to re-use passwords and do other things that are not in best practice but are also normal human behavior.
The issue has been raised by several people but has largely been ignored or suppressed by the Horizon team. I wouldn't have even launched the game without addressing it. I think it's totally fine not to fix it, but if that's the plan then users should be informed of the security flaw. Currently, they are taking on risks that they never consented to.
Ragnarok.Hevans
Server: Ragnarok
Game: FFXI
Posts: 15273
By Ragnarok.Hevans 2023-01-17 12:39:14
there have been random bouts of phishing links via spam pm basically as long as ffxiah has been a thing. most of the time it gets resolved because someone clicks "report spam". seriously, the mental gymnastics some of you will do just cause some people like old ffxi more than current retail. *** christ...
Asura.Eiryl
By Asura.Eiryl 2023-01-17 12:43:00
Randomly, occasionally, one, sure
There have been 12 in 2 days. That I've seen. Maybe more.
Server: Asura
Game: FFXI
Posts: 985
By Asura.Iamaman 2023-01-17 13:46:39
If you search for the patterns being posted on Google, they are being posted everywhere and more are posted day by day. In just the last 12 hours, the number of results has jumped from 143k to 180k on Google (admittedly this may be due to crawling also). The oldest post I could find was 3 days ago and most forums are getting hit with several posts a day, no different than here.
I looked at some of the users posting the messages last night, where possible (most threads are deleted), they have account ages ranging from 2008 to 2020 on other forums. Most of them have 0-3 post counts on those forums. Some sites weren't even forums and were sites like job posts.
This is just an internet wide spam campaign, although admittedly using it to sell stolen financial credentials is a bit odd considering there are already places that facilitate that.
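An added example, not part of any post in this thread: one way a forum moderator could flag the pattern described above, where old accounts with 0-3 prior posts suddenly post the same phrasing. The field names, the two-year age threshold and the sample posts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def normalize(body):
    """Reduce a post to its phrasing: lowercase, links masked, whitespace collapsed."""
    body = re.sub(r"https?://\S+", "<url>", body.lower())
    return re.sub(r"\s+", " ", body).strip()

def flag_campaign(posts, min_age=timedelta(days=730), max_prior_posts=3, min_accounts=2):
    """Return {phrasing: [accounts]} for text posted by several old, low-post accounts."""
    by_phrase = defaultdict(set)
    for p in posts:
        old_account = p["posted_at"] - p["registered"] >= min_age
        if old_account and p["prior_posts"] <= max_prior_posts:
            by_phrase[normalize(p["body"])].add(p["account"])
    # One old account posting again is normal; several posting identical text is not.
    return {phrase: sorted(accts) for phrase, accts in by_phrase.items()
            if len(accts) >= min_accounts}

# Constructed sample posts (hypothetical accounts and links, not real data).
NOW = datetime(2023, 1, 17, 12, 0)
SAMPLE_POSTS = [
    {"account": "old_user_a", "registered": datetime(2008, 5, 1), "prior_posts": 2,
     "posted_at": NOW, "body": "Join our channel  https://example.invalid/a"},
    {"account": "old_user_b", "registered": datetime(2020, 3, 9), "prior_posts": 0,
     "posted_at": NOW + timedelta(hours=3), "body": "join our channel https://example.invalid/b"},
    # Long-standing active poster quoting the spam: excluded by post count.
    {"account": "regular", "registered": datetime(2009, 1, 1), "prior_posts": 900,
     "posted_at": NOW, "body": "Join our channel https://example.invalid/a"},
    # Returning old account with its own wording: excluded, only one account uses it.
    {"account": "old_user_c", "registered": datetime(2010, 1, 1), "prior_posts": 1,
     "posted_at": NOW, "body": "Anyone still playing?"},
]

if __name__ == "__main__":
    for phrase, accounts in flag_campaign(SAMPLE_POSTS).items():
        print(f"{len(accounts)} old low-post accounts posted {phrase!r}: {accounts}")
```

Accounts flagged this way are candidates for a forced password reset and session revocation, since the posts come from legitimate but compromised logins rather than fresh sign-ups.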
Guildwork Premium
Server: Asura
Game: FFXI
Posts: 227
By Asura.Icilies 2023-01-17 15:56:38
I don't know whether the recent FFXIAH account hackings are related to Horizon, but they could be. The bootloader for private servers sends user credentials unencrypted over the wire. You can read the source code here. It's a well-known issue in the private server community.
The problem is that Horizon has created a launcher and account creation system without informing its users of the security flaw. The launcher downloads and launches the game. It feels very streamlined. People are going to assume that their credentials are handled securely. They are more likely to re-use passwords and do other things that are not in best practice but are also normal human behavior.
The issue has been raised by several people but has largely been ignored or suppressed by the Horizon team. I wouldn't have even launched the game without addressing it. I think it's totally fine not to fix it, but if that's the plan then users should be informed of the security flaw. Currently, they are taking on risks that they never consented to.
I reported this to them. They said they are working on building encryption into the launcher. I don't know why the ability to even save your login credentials was available without encryption being in place tbh. I suspected this when signing up so I used a never before used password during registration.
Asura.Eiryl
By Asura.Eiryl 2023-01-17 16:10:03
Never use the same login info no matter how safe you feel it to be.
Also, I do know how *** irritating it is to do exactly that. Too many logins.
By mhomho 2023-01-17 17:29:09
Not saying it's from using discord.
Bismarck.Firedemon
Server: Bismarck
Game: FFXI
Posts: 1332
By Bismarck.Firedemon 2023-01-17 17:33:44
Not saying it's from using discord.
Like it’s been posted numerous times, these are all old *** accounts that are posting these links. If it was from that Discord breach or w/e, there would be more active accounts spamming.
By mhomho 2023-01-17 17:35:16
Bismarck.Firedemon said: »But we love discord
Bismarck.Firedemon
Server: Bismarck
Game: FFXI
Posts: 1332
By Bismarck.Firedemon 2023-01-17 18:12:57
Oh I get it, you're one of those *** posters.
By Rooks 2023-01-17 18:48:49
After thinking about it, I think I'm coming around on these being credentials from an old leak or even several old leaks, and this is just the first guy to build a spambot for AH. Most people wouldn't bother, since what would be the point, but someone did and threw a list of leaked email addresses/passwords at it. In a sufficiently large leak, there's going to be at least a couple of AH users.
If this were truly something XI focused, the body count would be quite a bit higher, I think.
Asura.Eiryl
By Asura.Eiryl 2023-01-17 18:51:00
The timing of it is what makes it so suspicious.
You wouldn't do it the first day you got the creds.
By Rooks 2023-01-17 18:56:47
The timing of it is what makes it so suspicious.
You wouldn't do it the first day you got the creds.
I mean, if you're still thinking it's Horizon, I've talked to at least one of the victims (who was an active user, just not poster) and they didn't have anything to do with Horizon. You can probably leave that horse corpse alone for the time being.
Asura.Eiryl
By Asura.Eiryl 2023-01-17 19:10:33
They should have a general idea where they got got then
Unless they use the same pass everywhere
Carbuncle.Nynja
Server: Carbuncle
Game: FFXI
Posts: 4892
By Carbuncle.Nynja 2023-01-17 19:19:10
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/
This was published less than a month ago.
That's likely how niche sites like ffxiah or oregonhiking have spam posted on their forums from random accounts.
By Rooks 2023-01-17 19:22:21
Isn't a LastPass user and says they don't re-use passwords. I'm inclined to believe them, but that just raises more questions.
As I learn things, I will let y'all know. But we can rule out Horizon as the root of all this, I think.
Carbuncle.Nynja
Server: Carbuncle
Game: FFXI
Posts: 4892
By Carbuncle.Nynja 2023-01-17 19:27:33
Doesn't have to be LastPass, could be from any password database breach, even old ones as you said.
I don't think this is a case of someone getting a bunch of accounts with their password and trying to get lucky on popular websites. It's more likely they have the account and they know what website to use them on.
Does this person you've talked to use any kind of password management software?
Server: Asura
Game: FFXI
Posts: 985
By Asura.Iamaman 2023-01-17 19:42:35
Most password vaults will have a master key only known to the user that is used to decrypt the vault, so even if the vault is leaked, the encrypted contents are not available unless they can brute force the password to decrypt it. That's not terribly unlikely on a smaller scale, but seems unlikely at this scale.
More than likely it's malware that has, at some point, stolen these credentials from infected systems and reported them back alongside the sites they are used on. Given that they are using this spam to sell stolen financial credentials, it's likely those were stolen the same way.
I really didn't want to start more private server nonsense, but you can't tell me this isn't pretty obvious.
Where else are 10+ accounts that used to play XI 10 years ago and used AH.com going to get hacked.
Like what are the odds that whatever other random site has a data leak and it has a dozen decade old AH accounts in the memberlist.