The Art of Wushu: Hacking and account security

When people say they get hacked in online games, I always assume it's the user's fault. The one time I was ever hacked, I could trace it directly back to a situation where I knew my username/password was compromised and I used the same set anyway. Ever since then, I've used more secure logins and passwords, and I've never had an issue.

Age of Wushu has come under fire recently for a large string of hacks, and I jumped to the same conclusion. These hacks always seem like a big deal to the people who get hacked, and Age of Wushu is the kind of game where people are incentivized to steal other peoples' stuff. It's natural that people would hack forums or other less secure places and use that information to get whatever accounts they could find.

But I've started hearing rumors that people are getting hacked in spite of randomized passwords. One player told me of a friend who deliberately posted a valuable commodity in world chat, traded it to an alt, and logged in the original character later to find that the first character had lost all of her money. Is there something going on?

Customer relations fail

While I originally was planning on just talking about account security, players blowing things out of proportion, and conspiracy theories, one disturbing trend caught my attention: Snail isn't reimbursing people who get hacked.

If you get hacked, it's your fault. This is my mantra, and I stick to it. However, for a game company, it is very unprofessional to assign this blame to your customers, especially when you are most likely tracking down the hackers and banning them. I will continue to give Snail the benefit of the doubt in that regard; the studio isn't allowed to disclose punishments that it hands out.

If the money in question was banned (or used on a character who was then banned), and/or items of equivalent value were banned, then why wasn't the character who lost the money/items in the first place reimbursed? The point of customer service is to fix things like this. People make mistakes in account security, but they should feel that the game company is siding with them and not the hackers. The perception right now is that Snail is doing more to help the hackers (regardless of whether that is true) than to help the people getting hacked, and that is very damaging to the studio's image. I know of a fair number of people who have quit in response to Snail's poor handling of these situations.
"Watch me get hacked, guys!"

In addition to the "friend of a friend" story given above, there are people who have claimed that they had secure passwords and were still hacked. A common link is that these people were prolific vendors of large volumes of items.

Is there a connection? Obviously high-profile accounts are juicy targets, but most of the people who are very successful in the market are also smart enough to use secure passwords. I saw several big players get hacked, post huge forum rages about it, and get summarily ignored when Snail posted generic advice on how to secure an account followed by a thread lock.

I cannot say anything for certain, only that my doubts have been lingering for a while. A lot of you guys have emailed me with stories of accounts getting hacked through supposedly secure passwords, and it's definitely been disheartening, especially given the Snail responses.

Suspicions of a skeptic

The one thing that I'm certain of is that if there is some kind of client, website, or database vulnerability, it would be abused by hackers. I am certainly not saying that there is a security issue in any of those places. However, if there are any such loopholes, they will be discovered and utilized.

I am familiar with client vulnerabilities. Sometimes it's possible to find an account password through poor coding of a website or game client. Sometimes it's possible to tell the game to log in to a different account or character than the one a hacker provides the credentials for. Video games are made by people, and people make mistakes. If there is a security issue, it's a serious problem and needs to be addressed.

I've been told by the age-old "friends of friends" method that there are large security vulnerabilities in Age of Wushu's client or backend. I asked repeatedly for more specific details, but of course none came. If there is a problem, it is a serious issue. However, as of yet no hard information has been given to me, so I have to stay neutral.

In light of the current situation, I think it would be prudent of Snail to hire a security expert and make sure that there are no glaring flaws in its systems. If security flaws were discovered, even if none is serious, the company could easily post news about how it updated the client and backend to help improve account security.


No, your policy sucks

There are numerous conspiracy theories out there right now about hacker organizations invading Age of Wushu and corrupt Snail employees selling account information to gold selling websites. I think the chances that any of these rumors is actually true are about as likely as the idea that Beau Hindman is secretly a hardcore PKer.

However, this is the perception that Snail has allowed to rise. The perception of people is that there are tons of hacks, that nobody is safe, that Snail won't help you and doesn't care about you. Other game companies bend over backwards to help me with my problems. A smaller game studio like Snail has to rely on a positive image to keep positive word of mouth flowing.

If there is one thing I can say for certain in this article, it is that Snail has completely failed on that front. I'm one of the biggest advocates for Age of Wushu, but I have to be honest when I say that Snail needs to make some changes.

Age of Wushu is a wonderous place, full of hidden secrets, incredible vistas and fearsome martial arts. Join Patrick as he journeys through China, revealing the many secrets of this ancient land. The Ming Dynasty may be a tumultuous time, but studying The Art of Wushu will give you the techniques you need to prevail.
This article was originally published on Massively.