Hello,
Just a warning to you all, today I was trying to redeem one of my gift links, when I noticed it was used I thought maybe I had used it and forgot, but I was fairly certain I hadent. I decided to check another, same thing, next thing you know, I checked all my links going back to 2014, and all have been "used". It was now clear that I got hacked, and 114 giftlinks have been stolen.
Many of which were pretty good and expensive games.
I have written HB waiting for their response and hoping for the best, though I'm not sure how they'd manage to replace some of the keys for games that were bundled with them almost 3 years ago.

My advice, do not use the gift link feature at all, and change your password, get all the protection you can get.
I will update with whatever happens.

UPDATE: Wanted to update and give credit to fantastic work by the HB support. After much back and forth and a lot of work from everybody, all the keys were returned.

7 years ago*


This makes me think your email has been hacked as well. Humble usually does an IP check before allowing you to access your keys, meaning the thief would need access to the code Humble emailed to you.

7 years ago

I change my email password regularly, every other month, and a lot of more sensitive data and much more valuable is intact.
I do not think this was done using the email. I've read other posts where people talk of brute force and such, wtv it is, it's not pleasant and I hope HB can manage to somehow get those replaced.

7 years ago

Ah, I didn't realize you had already created the gift links. In that case, they certainly could have been brute forced. It's good practice to only create a gift link immediately before you send it to someone.

7 years ago

I don't think I'm ever creating gift links again :D but you're right.

7 years ago

Gift links, amIright? :P

7 years ago

"they certainly could have been brute forced"

While there certainly is a chance for some links getting brute forced, I highly doubt someone managed to brute force 114 from the same user.

7 years ago

I agree, it's certainly suspect. But at the moment, there's no way of knowing for sure.

7 years ago

Hi LordGorzul,

Sadly we are in the same boat and for me this is at even worse level. It is not HB gift links they hacked, it is the whole HB account - my unrevealed games were turned into gift links and used. I never turn my games into gift links and this is how I discovered it. Some of the games were also revealed as key and used. HB support is now trying to resolve this for me.

Now this is where it gets worse - I had same login credentials for HB and BundleStars and both were hacked. I don't know from which it started but BundleStars has a faulty feature that supports one click PayPal checkout without asking PP password. I don't know why it still works since this feature is disabled in PP but it somehow does. For me they were able to buy 2 games on BundleStars thanks to this feature - in total of 26 EUR loss :D. I now got this solved with BS support and the money refunded. Of course the BS support is denying they have this fast checkout feature and saying they are using external service for payments and bla bla bla.

It all happened on 24th September. So pls check your other accounts that possibly had same login credentials.

PS! The IP and new browser check won't work at 100%. I tried to log in from another browser - it popped up a window asking a security code sent to email. I cancelled the login process and tried later again with that same new browser and no code was asked at that time.

7 years ago

How was this solved for you?

5 years ago

HB generated new game codes and sent individual gift links to my email. I'm not able to see those in my account library but at least I got the games back.
Also I'm now smarter and know the secret page on PayPal where I can remove those Autopay settings for web stores: https://www.paypal.com/myaccount/autopay/

5 years ago

thank you.

5 years ago

I don't know exactly what has happened, but this isn't the first thread I've seen on this topic...

https://www.steamgifts.com/discussion/yPn2a/all-humble-bundle-gift-links-used

7 years ago

thanks. the fact they solved his issue gives me a glimmer of hope.

7 years ago

I thought I'd best mention it as it seemed very similar and you might benefit from the discussion. In any event, I hope your problem can be resolved also.

7 years ago

I appreciate it. thanks.

7 years ago

I had the same issue about 2 weeks ago and it took support a week to solve the problem. As for now I think it is a bad idea to use gift links on Humble Bundle. The problem is just isolated to links and keys seem to be fine.

7 years ago

I had a hack attempt on my Humble account a little while ago, luckily stopped by the Humble account protection. Needless to say any of your key purchasing accounts should never share a password with anything. Now that grey market key reselling has become a thing you can expect more and more sophisticated attacks to be launched.

However, in your case it's always possible that there's a compromise of Humble itself, an error in their security that allows access escalation somehow. Certainly with the grey market there's a motive for people to do so. If you've been in online gaming long enough you eventually run into this - with 2-factor authentication rising in use it's arguably easier to try to compromise things at the source...

7 years ago

As someone who has never used the gift link feature, I have to ask something foolish: Can you see that a link has been used before you try to give it to someone to redeem?

7 years ago

well usually you would just give them the link, but yes if you clicked on it, you could see if it was used already or not. Without redeeming it. I usually create giftlinks to make sure my keys are good when I'm ready to give them away. but I've learned the hard way not to use that feature anymore.

7 years ago

Silver lining is that you noticed this now and didn't end up having to wonder about the situation when/if keys didn't work for other people. Hopefully HB support gets back to you soon.

7 years ago

very true, thanks mate.

7 years ago

thank you. yes heavenhairsixes posted it just above.

7 years ago


It could just be a default message, and at some point all older gift links got corrupted or expired. There's no real way of telling if actual hacking occurred, and that seems a bit less probable a basis than HB having done something themselves.

In fact, it could even be intentional- Humble may automatically assume that all gift links are made by users only when they plan to be used, and if they don't get used, they assume the account was hacked and disable the links.

7 years ago


1 month expiration timeout, perhaps. But, well, maybe not, then. :P

7 years ago

nah, my links are as old as 2014 and as new as the September monthly. some even from last week.
The links don't expire at all.
Apparently gift links get brute forced, and it's something that has been happening quite often lately.
they've told me that my account was hacked and they are working to resolve it, let's see what happens.

7 years ago

How was this solved for you?

5 years ago


thank you
It's always very easy to put blame on the victim.
He should have been more secure online. He shouldn't have started the argument in the bar. She shouldn't have worn that short dress, etc.

Very unfortunate and that doesn't help anyone.

5 years ago

I have read about this before, maybe it's in fact one of those links users posted below.
Even tho I've had good experiences with HB support, I'm not sure they'd admit if the problem (or screw up) was on their side.. with the charity help I'm certainly glad to buy/help whenever possible.

Now, why would you keep unredeemed keys & hb links that far behind? I mean they said multiple times it's risky to have 'em and they cannot offer nor guarantees a replacement if keys are not used in like 60 days.. Don't quote me on that but I think I've read it somewhere..

Tough luck Lord, sucks to be you right now..

ps. Thought you might be joking or hiding a message because of typos but I don't think that's the case.. I mean hadent isn't a word. (yet) :P

7 years ago

"I mean they said multiple times it's risky to have 'em and they cannot offer nor guarantees a replacement if keys are not used in like 60 days.. Don't quote me on that but I think I've read it somewhere.."

Just quoted you! :P

Maybe you're thinking of Indiegala?

If anyone has a link to Humble saying something like this, please reply.

7 years ago

Wow, the typo police is getting ruthless! It's just one letter, find forgiveness in your heart :)
Yes of course it was a typo. Then again English is my 5th language :)
I never saw anything about gift links not being safe or expiring on their site, and if that's indeed the case I believe it should be posted all over. I haven't had any issues with those in the past three years, but it's been happening quite a bit recently by the looks of it.
They also told me that my account had been compromised and that they will help resolve the issue. Let's see what happens.

7 years ago*

hahaha but but but I said it was a typo :P
I'm not native either, and I guess I could also say it's my (or the) 5th lang I learned or learnt? :P

True that it should be plastered all over! also true it's been happpeningg quit resettly zo hopefully it'll be resolvved zoon. Sorry for any pun or poor joke that may or may not hurt or is it hurted? your feelings, btw:

My heart is big enough for you too so no worries, it's just cold now because there's nobody in it..

7 years ago

hehe, where are you from?
And do list the 5 languages you speak, we might be able to continue in another common one :)

7 years ago

Argentina, it's right there on my profile! :P can't believe you're not a stalker I mean everyone and their mother here checks other people's profiles XD
So native lang spanish, then english, portuguese, french and dips in japanese, maybe I just say 4 instead :P
btw think SG rules want us to use common tongue unless one want to explicitly mess, confuse, and or "make niche conversation"

7 years ago

French is my 2nd so I can definitely do that :) , Spanish I would say 6th but I manage ok. As for the rest they are Serbian, Arabic and Italian. Bits of Japanese, depends what you mean, but i know a few words too !

7 years ago

Lol I had one gift link in my account too, after reading this topic, I checked it. And it's used as well. I think it's a general problem, I'm pretty sure I'm not hacked.

7 years ago

Quoting doctorofjournalism:

"It's good practice to only create a gift link immediately before you send it to someone."

That is the single best policy; it limits the opportunity for the code to be forced.

7 years ago


I do wonder how this is possible that so many gift links got hacked/used :x

7 years ago

The more likely answer is that HB got compromised and they haven't told us yet. I doubt someone out there is gonna bruteforce gift links of all things.

7 years ago

That may be so if the links are completely random.
If they follow a certain pattern linked to game name and account id, then the universe is smaller. When redeeming or gifting a link, there is at least one piece of info that the user knows (gamekey). If somehow someone manages to figure it out, then it makes sense for all gift links to be figured out if someone got the user info.
Also, the reason why only gift links and not all links is because to redeem yourself you need to be logged in, but not for gift links.

So, it makes sense that it will happen for every gift for an account, and only for some accounts (More public, more risk)

7 years ago

I've always operated under the belief that they're not actually random.

7 years ago

I did a small check on the site. In my opinion , there is a chance. but better safe than sorry , I guess

https://www.steamgifts.com/discussion/4IEVy/humble-gift-urls-cannot-be-guessed-so-stop-spreading-this-rumor-and-get-a-clue/search?page=2#VKOVe7v

7 years ago

After a couple of months or so don't they send the unused keys back to the devs?

7 years ago

No. Humble keys are linked to your account and can be revealed or converted into gift links at any time. I've used keys after several years without issue. The only issues appear to be with gift links occasionally not sending out properly, or becoming unusable if you leave them sitting unused for too long. Revealing the key directly (or only making gift links near to when you plan to use them) doesn't seem to run you into any issues.

7 years ago

Thanks Sooth, didn't know that :)

7 years ago


I believe gift links can be "guessed" hence i never generate them before I need to use them.

Happened to me too, but with few enough games I could give list to HiB support and they were kind enough to give me new ones! :D

7 years ago


there may be other ways to claim those links.

7 years ago

pretty much what spigias said

brute forcing is not the only way in it world.

There was a guy who could find private GA links with a program... and they're not that easy either.

7 years ago

oh my... it seems the one time I did accidentally do it, the gift link is now used... and I certainly did not create a GA of it or to anyone, guess I need to talk with support too :x

7 years ago

My Humble account was hacked two weeks ago and they took every game that they could. Still waiting for support to get back with me to see if they are going to fix it.

7 years ago

Have they replied to you at all so far, or nothing?

7 years ago

They replied wanting to know all the keys that were taken. I listed all the keys and gift links that someone created; I never use gift links. That was 2 days ago now.

7 years ago

yes I got the same request from them just now.
Based on other people's experience with the same problem, it should take about a week to get resolved.

7 years ago

Any update on a response from HB?

7 years ago

they say they are working on it

7 years ago

gah... can't believe it. But I think i'm hacked as well.
All gift links (about 110 of them) on HB have been used by someone.
I think this happened around end of november 2018.... so it's still going on :(

How was this solved for you?

5 years ago

They fixed it but it was a struggle. You have to give them which games were hacked and taken and then wait for support to get back with you.

5 years ago

yeah I already contacted them and given them the links. Luckily I keep track of everything in an Excel sheet, so that's how I noticed something wasn't right.

5 years ago

The very first thing you should do is change your HB password and your email password tied to the account. Removing all connections you have to your HB account would be a good idea.

This article from Webroot gives some solid advice about creating strong passwords. Use the info to create a good password.

Next request an IP log from HB from November 2018 till now.

Does someone else have access to your pc or whatever it is to get on the net(laptop, cell phone etc.)?
Have you logged into HB anywhere else besides your devices? Like a friend's house? Library pc? Somewhere with not secure wi-fi?
Have you used a good malware/AV to see if you might have something on your pc that may be gathering information? The good news is when something like this happens isn't normally because they want important info like your banking/CC info, not games.

5 years ago*

Thank you for the advice. Yeah I've changed my password right away.
That's also probably how they got in. On investigation this password has gotten public on a hack on LinkedIn or DLH.net. :(
They just tried to see if they could get into other services with that I guess and got lucky on my HB account.

Although I don't think any banking details were captured, it's mostly the unused games I had in my HB account. About 110 HB monthly games were still sitting there, and they have all been redeemed. So the damage is still considerable (110 AAA games is still a few hundred dollars to replace). Let's wait if HB will provide any assistance.

Let's hope to get also the email and IP address of the attacker. Although I fear that if it isn't an IP that resides in my country, nothing will be done to it. If it's in my country, maybe the local police will look into it though, but since they are very understaffed I fear this is a crime that doesn't get any penalties.

5 years ago

oh no :(
I hope you get that resolved

7 years ago

Shit, they took my gift links as well x.x I guess it's time to open a ticket and wish for the best

7 years ago

https://support.humblebundle.com/hc/en-us/articles/204975607-Requesting-Help-With-A-Hacked-Account
I know you already did that. It's for others finding this thread.

7 years ago

Oh well, this seems to be catching on ...

Just checked my account (xls file). I don't keep gift links as they're crap to begin with - clicking a gift link leaves you exactly in the dark.
Not knowing what you're claiming unless you've made a note - the ones I got from trades (claimed gift links) were fine, might still
change the HB PW just in case ... as I wouldn't be surprised if HB had lax security measures.

Good luck.

7 years ago

Time to enable Humble Bundle Two-Step Verification. I just did, let's see if I can last longer than the last time I enabled this annoyance...

7 years ago*

So, did you guys/girls find out how did scammers steal your keys? Is there a logical explanation to this?

7 years ago

Nope, what they said in the email was...

It does appear that your account was accessed without your permission, and I'd strongly recommend taking steps to secure your account. You might consider changing your password if you haven't already, and enabling two-step authentication. Here's an article you might find helpful:
Securing your Humble Account

Even if it may be true, I would find it strange that they didn't take every unused game off my account.

Edit: However, they have managed to get me new links for games I've lost.

7 years ago

So, hackers started accessing multiple accounts. Maybe they hacked another site, like they already did in dlh for example, and people had the same exact password for their e-mail? Isn't this the only possible explanation?

7 years ago

Certainly may be possible. Although I think Humble has a check when a new browser is used? and I push my point of IF my account was compromised, wouldn't all unused keys be taken?

7 years ago

But if they can access your e-mail, then what's the difficult part after it? :P

7 years ago

Then RIP xD
But I will say my email password is definitely different to the one I use for HB.

7 years ago

If they can access your e-mail, they can change your passwords or check your messages for passwords, etc. :P

7 years ago

I don't know if anyone mentioned two-factor authentication or not but i think you should use it , it doesn't need a powerful smartphone , just any smartphone could do it , i use authy and a lot of sites support this feature including humble bundle
Edit : This is a site which tells you which sites do support two factor auth or not

7 years ago

I personally do use it, unfortunately this happened on their side. Nothing you could do about it.

7 years ago

So he stole all of those links while you have two-factor auth on ?

7 years ago

yeah it was an attack on the HB server, multiple accounts were affected not just mine.

7 years ago

Have they said anything about it ? I mean any numbers about how many accounts were affected or how many gift links were stolen ?

7 years ago

from what I understand it seems only gift links that are NOT linked to an account were hacked.(the gift links that ask to enter an email address)
Those gift links, since they are not linked to a HB account do not trigger the HB ip/browser check system.
My guess is that the hackers are using a brute force system on multiple remote controlled computers to find unclaimed gift links.
Either that or they are somehow spying on HB server when they receive request to generate a gift link then intercept the answer.
As far as I see my claimed and linked(to my account) gift links are not uncover.

7 years ago
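
An added illustration, not part of the original thread and not Humble Bundle's actual implementation: a Python sketch of how a gift-link service could close the gaps discussed in the comments above (tokens derived from account or game data, links that never expire, and unauthenticated redemption with no throttling). The class, function names, token length, lifetime and limits are all assumptions.

```python
import hashlib
import math
import secrets
import time

# All values below are assumptions for this sketch, not Humble Bundle's settings.
TOKEN_BYTES = 16           # 128 random bits per link, from the OS CSPRNG
LINK_TTL = 7 * 24 * 3600   # links expire after a week instead of living for years
MAX_FAILURES = 5           # bad tokens tolerated per client per window
WINDOW = 3600              # seconds


def guesses_for_even_odds(token_bits, live_links):
    """Guesses needed for a 50% chance of hitting ANY live link by chance."""
    p = live_links / 2 ** token_bits          # hit probability per guess
    return math.log(0.5) / math.log1p(-p)


class GiftLinkStore:
    def __init__(self, now=time.time):
        self._links = {}      # sha256(token) -> record; raw tokens are never stored
        self._failures = {}   # client id -> timestamps of recent bad tokens
        self._now = now

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, owner, game):
        # Token is independent of owner and game, so knowing either gives no help.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._links[self._digest(token)] = {
            "owner": owner, "game": game,
            "expires": self._now() + LINK_TTL, "redeemed_by": None,
        }
        return token

    def _throttled(self, client):
        cutoff = self._now() - WINDOW
        recent = [t for t in self._failures.get(client, []) if t > cutoff]
        self._failures[client] = recent
        return len(recent) >= MAX_FAILURES

    def redeem(self, token, client):
        if self._throttled(client):
            return "throttled"
        rec = self._links.get(self._digest(token))
        if rec is None or rec["expires"] < self._now():
            self._failures.setdefault(client, []).append(self._now())
            return "invalid"
        if rec["redeemed_by"] is not None:
            return "used"
        rec["redeemed_by"] = client   # kept for the audit trail support would need
        return rec["game"]


def demo():
    clock = [1_000_000.0]                     # constructed clock for repeatability
    store = GiftLinkStore(now=lambda: clock[0])
    token = store.create("alice", "Example Game")
    # Seven random guesses from one client: five fail, then the client is cut off.
    guesses = [store.redeem(secrets.token_urlsafe(TOKEN_BYTES), "203.0.113.9")
               for _ in range(7)]
    ok = store.redeem(token, "192.0.2.10")
    again = store.redeem(token, "192.0.2.11")
    old = store.create("alice", "Old Game")
    clock[0] += LINK_TTL + 1                  # jump past the expiry
    expired = store.redeem(old, "192.0.2.10")
    return guesses, ok, again, expired


if __name__ == "__main__":
    print(round(guesses_for_even_odds(32, 1_000_000)))    # short token: a few thousand
    print(guesses_for_even_odds(128, 1_000_000) > 1e30)   # 128-bit token: out of reach
    print(demo())
```

With a million live links, a 32-bit token falls to chance within a few thousand guesses, while a 128-bit random token does not; expiry and per-client throttling limit what remains.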

Yeah all of my games which are linked to my account are good.
Looking at the amount of gift links stolen from the same users , I doubt it's a brute force :/

7 years ago

At least we know our accounts weren't compromised, only the unprotected gift links were.
It's possible that all gift links were compromised and only some users noticed it.
since those who noticed reported it then it looks like it was a targeted attack.
That or the "random" part of the link is not random but is generated from some kind of "HB user ID" and those hackers found how those random part are generated and how to obtain said user ID from a few users.(maybe finding the HB user name is enough).

7 years ago

"It's possible that all gift links were compromised and only some users noticed it."

Several days ago I checked my gift links that were revealed but not tied to an email account, and they were all ok. I only have a few of them, including some revealed several months ago.

7 years ago

That's good to know. I consider all other HB links to be compromised too, but since they are protected by the ip/browser check they weren't accessed, so now I activated the 2 way identification.
I hope HB are working on upgrading their protection system

7 years ago

I see, now I understand why my replacement gift links were linked to my account. This is making sense now.

7 years ago

I wouldn't create gift links till you need to use them. I wish the bundle sites had more security, I lost about 2000 games when someone accessed my bundle accounts. Everything non bundle related was fine.

7 years ago

damn, didn't HB replace them for you? or was this not on HB?

7 years ago

None of them did. Was Bundlestars, Humble Bundle, Groupees, Indie Royale and Indie Game Stand. I had been buying them and not redeeming them right away so I lost entire bundles as well as older games I hadn't used like Cryostasis. Pissed me off so much.

7 years ago

Well, as far as I can tell HB has a bug: when you click "click to redeem on Steam" the first time all goes fine, but when you refresh the page again and search for that same game it appears as New even though it is already used. I have to click "click to redeem on Steam" again to make sure it stays like it should.

7 years ago

Using Humble Transaction ID's they will simply scrap those keys, rendering them useless, and give you new ones..?

7 years ago