What happens when someone loots your MTGO account

I’m going to go ahead and preface this by telling you to change your MTGO password today. If you just want the TLDR for this post, that was it.

On June 6th, someone logged into my MTGO account and took everything. Not everything everything – they didn’t do me the favor of clearing out the thousands of excess unplayable commons, but they took every card worth more than a nickel, along with all my packs and tickets.

I told very few people about this for a few reasons:

  1. I thought there was a good chance that the thief was someone I knew and didn’t want to provide them with any extra information.
  2. I was already putting a lot of time and energy into fixing the issue and I didn’t want to field a bunch of questions or engage in a lot of sympathy conversations.
  3. Most people just really didn’t need to know. I saw another person post that their account had also been broken into during this time (more on this later) and them making the information public didn’t really seem to do anything.

So why am I posting now? Honestly, the official WOTC investigation process was very slow and opaque, and I was left in the dark about what was going on behind the scenes, which was frustrating and left me wondering what was going on constantly. I had a moment of questioning about whether I should share this information at all, as it might make it easier for someone to steal in the future, but a minimally intelligent thief would likely look into all this in advance anyway while a victim would be forced to play catch-up after they’ve already been swindled.

Okay, onto the narrative.

I share cards with a handful of people on MTGO. It’s one of the best ways to save money. Rather than spending 100 dollars on a playset of some modern staple, you can spend 30 seconds logging onto a friend’s account and borrowing cards you know they’re not using, and then just put them back when you’re done. It’s fast, it saves you a ton of money, and it’s super insecure. Anyone with access to your account can really do anything they want with it in any window of time when they know you won’t be logging on.

But that’s always the big tradeoff with security, right? No one wants to be inconvenienced with 2FA or extra logon checks or even keeping your password to yourself, because that takes time.

So on Tuesday night, June 5th, I logged onto two friends accounts to borrow some cards in order to test for the Standard RPTQ. During this transaction, I VERY luckily noticed that I still had a lot of modern cards from {person}, maybe $3-350 worth, and returned them. This was late at night so after I had the standard deck together, I logged off.

After work the next day, I logged on to play a league and noticed that it said I didn’t have any legal decks together. On occasion, MTGO takes an unreasonably long time to load your collection and that was the first explanation I reached.

I switched over to my collection tab, noticed a couple of “reward” packs (you know, the blue ones that have one promo card inside them?), and cracked them open. That part all seemed to work fine. Next I clicked on the deck I built the night before – about 80% of it was marked as missing. The most likely explanation in this moment was that one of my friends had logged onto my account and taken the cards they needed for this same deck without telling me. Wouldn’t be the first time.

So now I check my “MTGO Borrows” Google doc that shows who has borrowed cards from each other, and nothing looks like it matches up with this recent change. I look back in my collection tab, filter for all mythic rares, and find that they’re basically all gone. I re-logged once more, just to make sure this wasn’t just some bug, but everything is still gone.

At this point, I’m in damage evaluation mode. I check my rares, flip through old decks, look at my ticket count, scan my old packs, and come to the conclusion that it’s a total loss. I didn’t really have a good idea for what my account was worth at the start, but I figured that, with a solid collection of modern staples, it was likely at least $1500 worth, and now we were down to scraps.

I actually had plans that night that I ended up keeping (we won bar trivia), but before I left for that, I:

  • Changed my MTGO password
  • Told the very small handful of people from whom I had borrowed more than ~$40 worth of cards about the breach
  • Messaged a friend who works at WOTC to ask if there were any steps I should take, on top of opening a customer service ticket
  • Opened a customer service ticket – I made sure to tell them about my movement of cards on Tuesday, so that they wouldn’t suspect {person} for taking a bunch of modern cards late at night
  • Googled “sell MTGO account” and emailed every company on the first page of results asking if they had any records of transactions. During this process, I noticed that a few bots will pay out in Bitcoin, and that if the thief used this payment method, I was very likely to never see any kind of justice

For most of the people I talked to about it, I just said “My stuff got stolen. I have no idea if or when I’ll be getting it back. If you need your cards back before that gets figured out, let me know and I’ll reimburse you for the cost.”

My WOTC friend basically told me to go with the standard practice of opening a ticket, but that they’d see if there were any extra actions I should take (Nothing came of this, which was fine. I don’t expect every person at a company to have influence over unrelated tasks).

Most of the bot chain companies got back to me, but none of them had any real information other than CardBot, whose account “TheBuyBot” was very involved. Here’s the log they sent me:

https://docs.google.com/document/d/1HVQz82MDbWLdZxI1Y29RAaIUunRC7FqnQN5C13OtQBI/edit?usp=sharing

Some things to note:

  • They turned my cards / packs into 1594 tickets. This probably means the cost of my collection was somewhere in the range of 1800-2000 in order to buy it all back.
  • The traded in two major chunks, three transactions between 5:45am and 5:47am, and another seven transactions between 11:20am and 11:29am.  Whoever this was, they were sloppy/bold enough to return after getting away with $1200 on the first pass.

I updated my WOTC ticket with this information, and waited for a reply. They got back to me the next day, June 7th, with this. Bolding is my own, in case you want to just skim this form letter:

Hello,

We are sorry this happened to you. We will investigate the incident and take appropriate action. We have opened an investigation regarding your account. To ensure there is no further damage to your account we have deactivated it until we can verify the details of the account with you and make any changes necessary to secure your account again. I would also recommend that you change the passwords on your computer and e-mail accounts as these may have been compromised as well.

Investigations typically last about two weeks. After the investigation has been completed we will contact you to inform you of our findings.

Please be aware that the security of your account and any action taken with your account are your responsibility as per the Terms of Service. Trades cannot be reversed and no compensation will be given for any potential loss.

Bear in mind that per our privacy policy we do not discuss disciplinary action taken on other players. Depending on the circumstances and results of the investigation a player may receive a warning, a suspension or termination if warranted.

You can assist our investigation by answering the following questions:

1) Do you share this account with anyone else?

2) Does anyone else use your computer?

3) Is your password easily guessable?

4) Do you run any mod or bot programs for Magic Online or any other game?

5) Have you recently run a virus scan on your computer?

6) Is there anyone else who would know the password or security answer to this account?

7) Do you use any Magic or gaming related websites or apps that would use the same username as your Magic Online username and/ or that you would list your Magic Online username on?

We appreciate your patience during the investigation, we will update you when we are able to reactivate your account.

Grant

Account Specialist

Wizards of the Coast

 

I answered the questions as best I could, truthfully, and replied within a few minutes.

The next few days were pretty miserable, flipping between thoughts like:

“Well, I probably just won’t be able to justify playing MTGO anymore.”

“I’m very thankful I’m in a position where losing an asset worth almost 2K isn’t going to majorly disrupt my life.”

“It’s likely that a friend stole $1600 from me, and WOTC isn’t going to tell me who it was.”

“Well, testing for the RPTQ just got a lot more annoying.”

The most lingering and disturbing aspect of all this was the idea that a friend stole from me. I’ve trusted a dozen or so people with my MTGO password over the years, and who knows how many of them gave it to someone else? It seemed SO MUCH more likely that one of those people opportunistically raided my account than that another person was able to just crack my password. I’m certainly an over-trusting person, and generally an apologist, but this was seriously testing my beliefs.

So I miserably made a list. I went back through my facebook chatlogs and searched for my MTGO handle. Made a spreadsheet of everyone I could imagine I might have given my password to, or was close enough that a mutual friend might have given it to them, considered how much they had to lose by becoming a pariah of the Magic community, how much I modeled them taking a major risk for $1600, etc. I thought about all the extra little factors: Who had messaged me out of the blue in the few days leading up to the theft? Who had used my computer in the days and weeks leading up to the theft?

It sucked, but I figured that I couldn’t help but think about all these things anyway, and maybe condensing all these negative thought into the block of an evening would let me stop wondering about them while I waited to hear more, and it mostly did its job. Nothing was really conclusive though – all it did was make me consider how much of a rampant sociopath someone would have to be to pull off a move like this.

On June 13th, a week later, WOTC got back to me:

Hi Louis,

Thanks for your patience while we have continued to investigate this situation.

We have determined the following details:

On 6/6 your account was accessed via its username and password from IP address {REDACTED}

During that login session items in your collection were traded to users “TheBuyBot” and “GoatBotsB” in exchange for event tickets.

Afterward 1225 event tickets were traded from your account to the user “xiggison” who was operating on the same IP address at that time.

Do you know this user, or have any information about anyone in the area of this IP address? Have you discovered any further information about this incident since you first contacted us?

Thank you for your patience and cooperation.

Best regards,

Matthew

Account Specialist

Wizards of the Coast

 

I looked up the IP address and saw it was a major city that a friend of mine was near, but that person was, in terms of social and moral value, very close to last place on people I had considered suspects. It was certainly a piece of evidence, but nowhere near conclusive. IP addresses are not difficult to manipulate, so if the thief were very cunning, they could even be using this as a false lead.

I messaged all the bot chains again with this new account name, and one of them got back to me:

Hello Louis,

Thank you for your message.

We are sorry to hear this. Was Wizards so far helpful in any way?

You can always check your full trade history here: https://www.goatbots.com/trade_history

There you can also see the trade with GoatBotsB, although that was just 19 tickets. So the majority of your collection was probably sold elsewhere.

However, the other account you mentioned did sell event tickets to us a week ago. If you let the Wizards support contact us, we can provide them with the personal information of the receiver of the payment (bank account number, full name, address, zipcode, etc). Please note that from our experience, the receiver of the payment is not always involved in the hack; sometimes it’s a careless bitcoin seller that was waiting for a bank transfer, before sending bitcoins to the hacker in return.

I’ve suggested Wizards a few times to implement some kind of ip-address protection (click on an email-link to approve when somebody from a different ip-address logs into your account) or a 2 factor authentication, but so far they’ve not implemented anything of the kind.

Kind regards,

Bram

GoatBots

 

A major step forward. I messaged WOTC once again, relaying all this information. At this moment I was really hopeful. GoatBots was cooperating and the information would surely be valuable. I also sent them a list of friends’ screen names, just in case any of them had ever been used from that IP address.

There were still a few missing pieces, though – in WOTC’s email, they said that 1225 tickets had been transferred to that other screen name, but the trade logs showed that my thief had liquidated my collection for 1594 tickets, plus some tickets of my own.

The hope faded quickly over the next few weeks. I hadn’t heard anything from WOTC, they weren’t responding to my emails, and I even noticed on twitter that Andrew “JohnnyHotsauce” Shrout had his account broken into just a few days before my breach, and he had seen no progress.

And that’s where it stood for a while. If you’re hoping for a dramatic ending where I unmask the thief, let me apologize in advance.

I got this email on Friday June 29th, 23 days after the looting:

Louis,

Thanks very much for your patience while we have continued to investigate this situation.

Our investigation has concluded that your account was accessed using your registered username and password, by a malicious actor from an IP address in Sweden. During this access the malicious actor traded with users to liquidate items from your collection to event tickets, which they later sold to a 3rd party.

Unfortunately, the cards traded could not be recovered as they have entered the greater trade sphere of Magic Online and are with users totally unrelated to your account’s compromise. We have reclaimed the event ticket items sold from your account (1625), those should now be returned to your collection.

We believe your account’s compromise is the result of compromised login information from outside sites or services. We urge you to ensure your login information is unique from service to service to protect you from situations such as these. Unfortunately, we have no further information to provide regarding the malicious actor.

At this time, we consider this investigation closed. Please be aware that the security of your account is your responsibility and that Wizards of the Coast cannot assume responsibility for any potential losses incurred.

Regards,

Magic Online Digital Security

Wizards of the Coast

 

On first reading I completely glossed over the sentence where they mention returning 1625 tickets to my account, but I logged on and there they were. I’m certainly out quite a bit from the process, in terms of time, money, stress, and as it turns out, undue suspicions.

I checked Twitter later that day and found that Andrew Shrout’s case had also been resolved on the same day, and that the thief had also been from the same place. It now seems like too much of a coincidence for it to be anyone but a person unknown to me. If you stole it, are a friend of mine, and are reading this right now, damn. You’re good at this and could probably make way more money doing something legitimate.

My guess, after all of this, is that I made an account on a Magic message board at some point in the last 15 years, and that my credentials were a bit too close to those of my MTGO account. Someone probably got ahold of the wildly unsecured data through there and went on a thieving spree using the information.

If you talked to me at any point in the last month and I seemed distant or out of it, there’s a good chance it was as a result of all this. Maybe I was working through some new information, maybe I had spent the afternoon putting your name on a list. Sorry about all that –  I’m sure if you know me well enough at all, you know what affect doing that kind of thing would have on me, and how relieved I was to discover that the thief was almost certainly not a friend.

Now go change your MTGO password.

Advertisements