Daily Archives: September 21, 2016

Pokemon Go Account Hacked and Recovered

I rolled over, waking as I shifted into a more comfortable position.  It was dark out and I was ready to fall back asleep until my eyes landed on the clock and saw that the alarm was going to go off in less than ten minutes.  I was done with sleep.

I reached over to the nightstand and picked up the iPad, then rolled onto my back and propped myself up a bit on my pillow.  I unlocked it and first went to turn off the alarm.  That done, I went to browse email to see what might have come in overnight.

Generally it is the same set of automated posts, spam, and press releases.  But there at the top of the pile was the following email:

From: Pokémon Customer Service
Date: Sep 20 at 5:11 AM
Subject: A change has been made to your account.

Dear Pokémon Trainer Club Member,

This email is to inform you that your Pokémon Trainer Club password was recently changed. If this change was made in error or without your permission, please write us at support@pokemon.com or visit pokemon.com/support.

Sincerely,
The Pokémon Company International

I hadn’t changed anything on that account in quite a while.  Furthermore, the time stamp was just ten minutes past, strongly suggesting that the change had been done while I was asleep.

I got up, walked down the hall to start up my desktop computer, then wandered back to the bathroom to hop in the shower.

After getting showered and dressed, I kissed my still dozing wife good-bye and went back up the hall to check out my Pokemon Trainer Club account.  I tried logging in and got the following message:

Your username or password is incorrect. You have 4 attempts left before you will be locked out of your account for 15 minutes.

Well, I knew the username was correct, and I doubted that I had forgotten the password.  Back when I created the account I used one of my “this account doesn’t matter” passwords because, at the time, it didn’t seem like an account that I needed to worry about getting hacked.  There is almost nothing to “do” in the Pokemon Trainer Club, nothing to steal or wreck or anything, so I chose an oft-used password.

Of course, that was back when I made the account quite a while back.  Since then Pokemon Go showed up on the scene, and one of the login options was to use your Pokemon Trainer Club account, which I had done because people were freaking out about how Pokemon Go was reading your Google Mail or some such.

Anyway, somebody had clearly gotten into the account and changed the password, and now I could not get into the account.

So I clicked on the “Forgot Password” option and had them send a password reset link.  However, that was taking a while, so I went back to the login page and did four more bogus logins to lock the account for 15 minutes, then packed up and drove to the office.

By the time I got into work, the password reset email had finally arrived and the 15 minute lockout had just expired.  The joy of going to the office early is that traffic is light.  I hit the link and reset the password to something more secure and quickly received another email message from the Pokemon Trainer Club alerting me that the password on my account had been reset, with the elapsed time between the two alerts being just over an hour.

And then I had to text my wife to tell her that she would need a new password to log in to Pokemon Go.  As I mentioned in a previous post, my wife took over my initial Pokemon Go account and has been playing it ever since.  She is up to level 22 and has been doing gym battles.

She was able to log back into the account with the new password and reported that while whoever took over the account had trashed a bunch of stuff out of her bag, including most of her carefully hoarded revives, so necessary for post-gym battle clean-up, the account seemed to be otherwise intact.  The in-game journal even showed that somebody was catching Pokemon while we were asleep.

Not our activity

So, account recovered.  However, we got lucky.  The person who took the account over didn’t have it for long and, aside from deleting those revives, didn’t do much with it.

They also didn’t bother to change the email address associated with the account.  Googling for tales of Pokemon Trainer Club accounts being hacked turned up some stories of that happening and people having to get in touch with the site support staff to try and recover their account.

I suppose the real questions here are how and why?

As noted, the password wasn’t very secure.  But given how many Pokemon Go characters are likely tied to Pokemon Trainer Club accounts, it seems unlikely to be hacked totally at random.  Was the account targeted and, if so, based on what?

And then there is why… or why bother… or why bother if you’re going to do such a half-assed job?  The person who took it apparently just wanted to play on the account.  Did they think it was abandoned or unrecoverable?  So many questions.

I wish the journal told you which PokeStop they used… they are all associated with locations… so I could tell where they were.  My guess, given the time frame, is somewhere further east.