Final Fantasy XI hacked; Square-Enix hides behind policy
Numerous reports have come in concerning the recent hacking of Final Fantasy XI player accounts and the subsequent liquidation of their assets, leaving many users without gear and gil. Although complaints to the game admins have been many and passionate, Square-Enix seems to be employing a strategy of claiming that the hacked users are themselves at fault, either for downloading keylogging software or for otherwise allowing their account information to be taken by malicious hackers. There is an interesting theory circulating that the attacks are a response to S-E's crackdown on real money trading (RMT) activities, which in general drive up inflation in in-game economies. It's been supposed that "... RMT have decided for Christmas to meet demands for the people who buy the games currency (gil) to hack droves of veteran characters and sell everything of value in an attempt to meet the demand with the least amount of labor as possible", to quote player Sparthos.
Interestingly, many of the hacked account holders place the start of these attacks shortly after the release of FFXI's newest expansion, Wings of the Goddess. If there is a connection, the expansion might contain some weak code that allows a hack of this nature to occur. With S-E's refusal to acknowledge legitimate grievances on the part of the players, however, it's not likely that we'll have this either confirmed or denied. We'll keep an eye on this story and see how it develops.
[Thanks to everyone who sent this in!]
Reader Comments (Page 1 of 1)
Markymark said on 1:01PM 12-17-2007
As much as I love FF11, I'm glad I got out when I could... that game seriously is a grind fest. I'd be pissed I used no mods and RMT hacked my stuff.. I'd just quit.. period!
edie said on 6:40PM 12-17-2007
It's worse than stated. Many gamers have lost their characters that they have enjoyed for years.
Additionally, CC's were charged on 12/1 for the month so gamers are out real money along with the initial cost of the FFXI software and expansions.
SE refuses to return characters, gil, or gear to players. In the case of characters, 2+ years of information on the billing, CC, and user information is not enough to convince SE that the account was compromised. Ownership is based upon the current CC and billing information that was changed when the account was hacked.
SE's customer service sucks.
troy said on 12:10PM 12-18-2007
It's not just their customer service that sucks, it seems to be part of their corporate culture. From the dismissive and rude GMs, the arrogant call center staff, all the way to the indifferent and incomprehensible dev team.
FFXI really has no support, feedback or communication between customers and staff. Even at their "fanfests" they avoid questions and give vague answers to even the most basic questions.
I liked the game, but just trying to deal with their support system made me give up and move on.
trorg said on 7:49PM 12-17-2007
Square Enix has an absolutely antiquated system in place for account recovery, one that essentially rules out any chance of the victim of a hack retrieving their account once compromised.
They really really need to change their policies before this gets worse than it already is.
Torzak said on 4:49AM 12-18-2007
The concern for many, as above said, is really in SE's policy to use the current information including Password, Credit Card #, and Billing Address information to determine SE's ability to do business with or for the person with a problem whether by phone or other channels.
The problem with this method is that the first thing the person responsible for a compromised account is going to do is change that very information. Effectively leaving the rightful owner of the account with little to no chance of getting their account back since the information that was accurate prior to the theft, is somehow completely and 100% disregarded by SE.
And a game, that for many, has passed the 5 year mark, SE really should do away with the use of the original registration code as a source to verify the account's ownership.
People join the military, fly overseas, move houses, spring cleaning, etc. That darn book with the code printed on it is about garbage to many. Let's not mention how many of those books I actually have in my house right now! Lord knows which code goes to which account...
Writing that registration code down somewhere, saving it in a text document on a Flash Drive... You know what? stuff happens. Seen so many Flash Drives die in Iraq... so many pieces of work that had to be completely redone.
Anyway, all that aside...
It's not like Secret Questions + Answers is a new concept SE
Cat said on 5:52AM 12-18-2007
So far, on a rather popular forum, over 100 alone have come forward and stated that they were hacked since the end of November. And that doesn't count any Japanese or any other people that decided to keep it private, and also there are plenty of people that are trying to deal with SE directly, or have quit altogether after losing their account.
And who knows how many more accounts have been compromised, as RMT seem to be processing the information they stole in waves: they clean an account, use info they got before, or that they are somehow still getting, and clean out the next account.
Many people, myself included, are wary of investing more time and money in something that can just be taken away like that, and leaving everyone without any viable recourse, since SE's answer to this has been to tell people to subpoena them for it or flat out telling people that the account is no longer theirs and that they aren't entitled to anything whatsoever.
Blanchard said on 1:12PM 12-18-2007
What I don't understand is that if the accounts aren't supposed to be transferable, why does SE allow you to change any of your private data. I know addresses change from time to time, but names rarely do, and birth dates never do. I mean, once a name is entered, you shouldn't be able to change that name easily. So for example when I registered the game, if I entered my name as John B Smith, that information should be permanent. This would make it extremely difficult for anyone else to change the billing information, since they shouldn't have a credit card with your name on it, never mind a matching birthday. And therefore you would be able to reclaim your account should it be stolen. It wouldn't let you reclaim any items or gil that was lost, but at least you'd have your character back. By extension it would also put an end to selling accounts.
Under section 5.4 of the POL User Agreement; "You agree promptly to notify SEI if you lose or forget your User ID or password, or if you believe that others are making use of your PlayOnline user account." I'm not sure if they would return the character to you. But if you have the registration code, that should be sufficient under section 6.2 a) of the POL User Agreement to have the account suspended until they can confirm that you are in compliance with the POL User Agreement and likely terminated from breaches of section 4.2 b), and 4.4 h). The question is if they would act on this without lawyers getting involved. But if you were going to go that far, I'm not sure how California law would deal with SEI facilitating fraudulent use of your online persona.
Ravenskye said on 7:09PM 1-07-2008
My account was hacked on Dec 22. Couldn't contact them until the 24th and still no word. The hackers didn't change the name or birthdate on the account, only the address and CC number. SE requires you to verify 5 items and if you can't they won't help you. The current address and CC number being 2 of them. Ravenskye - Hades server hacked ; ;
ChaoticKitty said on 5:37AM 1-18-2008
I was just hacked :( and I have to wait 3 hours before I can talk to anyone -.- This is so not cool!