Pokemon Go Account Hacked and Recovered

I rolled over, waking as I shifted into a more comfortable position.  It was dark out and I was ready to fall back asleep until my eyes landed on the clock and saw that the alarm was going to go off in less than ten minutes.  I was done with sleep.

I reached over to the night stand and picked up the iPad, then rolled on to my back and propped myself up a bit on my pillow.  I unlocked it and first went to turn off the alarm.  That done, I went to browse email to see what might have come in over night.

Generally it is the same set of automated posts, spam, and press releases.  But there at the top of the pile was the following email:

From: Pokémon Customer Service
Date: Sep 20 at 5:11 AM
Subject:
A change has been made to your account.

Dear Pokémon Trainer Club Member,

This email is to inform you that your Pokémon Trainer Club password was recently changed. If this change was made in error or without your permission, please write us at support@pokemon.com or visit pokemon.com/support.

Sincerely,
The Pokémon Company International

I hadn’t changed anything on that account in quite a while.  Furthermore, the time stamp was just ten minutes past, strongly suggesting that the change had been done while I was asleep.

I got up, walked down the hall to start up my desktop computer, then wandered back to the bathroom to hop in the shower.

After getting showered and dressed, I kissed my still dozing wife good-bye and went back up the hall to check out my Pokemon Trainer Club account.  I tried logging in and got the following message:

Your username or password is incorrect. You have 4 attempts left before you will be locked out of your account for 15 minutes.

Well, I knew the username was correct, and I doubted that I had forgotten the password.  Back when I created the account I used one of my “this account doesn’t matter” passwords because, at the time, it didn’t seem like an account that I needed to worry about getting hacked.  There is almost nothing to “do” in the Pokemon Trainer Club, nothing to steal or wreck or anything so I chose an oft used password.

Of course, that was back when I made the account quite a while back.  Since then Pokemon Go showed up on the scene, and one of the login options was to use your Pokemon Trainer Club account, which I had done because people were freaking out about how Pokemon Go was reading your Google Mail or some such.

Anyway, somebody had clearly gotten into the account and changed the password, and now I could not get into the account.

So I clicked on the “Forgot Password” option and had them send a password reset link.  However, that was taking a while, so I went back to the login page and did four more bogus logins to lock the account for 15 minutes, then packed up and drove to the office.

By the time I got into work, the password reset email had finally arrived and the 15 minute lockout had just expired.  The joy of going to the office early is that traffic is light.  I hit the link and reset the password to something more secure and quickly received another email message from the Pokemon Trainer Club alerting me that the password on my account had been reset, with the elapsed time between the two alerts being just over an hour.

And then I had to text my wife to tell her that she would need a new password to login to Pokemon Go.  As I mentioned in a previous post, my wife took over my initial Pokemon Go account and has been playing it ever since.  She is up to level 22 and has been doing gym battles.

She was able to log back into the account with the new password and reported that while whoever took over the account had trashed a bunch of stuff out of her bag, including most of her carefully hoarded revives, so necessary for post-gym battle clean-up, the account seemed to be otherwise intact.  The in-game journal even showed that somebody was catching Pokemon while we were asleep.

Not our activity

Not our activity

So, account recovered.  However, we got lucky.  The person who took the account over didn’t have it for long and, aside from deleting those revives, didn’t do much with it.

They also didn’t bother to change the email address associated with the account.  Googling for tales of Pokemon Trainer Club accounts being hacked turned up some stories of that happening and people having to get in touch with the site support staff to try and recover their account.

I suppose the real questions here are how and why?

As noted, the password wasn’t very secure.  But given how many Pokemon Go characters are likely tied to Pokemon Trainer Club accounts, it seems unlikely to be hacked totally at random.  Was the account targeted and, if so, based on what?

And then there is why… or why bother… or why bother if you you’re going to do such a half-assed job?  The person who took it apparently just wanted to play on the account.  Did they think it was abandoned or unrecoverable?  So many questions.

I wish the journal told you which PokeStop they used… they are all associated with locations… so I could tell where they were.  My guess, given the time frame, is somewhere further east.

9 thoughts on “Pokemon Go Account Hacked and Recovered

  1. Mazer

    For a moment there at the beginning I thought you were branching out into narrative fiction or something. : )

    Maybe this is somebody’s new EVE spying initiative.. tell us which CSAAs are active or the Vaporeon gets it.

    Like

  2. Shintar

    I know that the newest thing with credit sellers in SWTOR is that they offer you a free high-level Pokemon Go account if you buy x amount of fake money. Why? Who knows, but I guess they’ve got to get them somewhere. Once again, gold sellers are to blame for everything.

    Liked by 1 person

  3. Wilhelm Arcturus Post author

    @Shintar – I wonder if some SWTOR player is wondering what happened to his free level 22 account… though if they Googled the player name, it would have brought them here… so maybe they know already. Hrmm…

    @Jeromai – I know, right? And the one Pokemon that would have been of some use, since Magikarp are rare-ish in our area.

    Like

  4. Toldain

    Here’s a theory. They had new geospoofing tools and wanted to test them. Geospoofing will get you banned from the game. This way they don’t risk anything they care about.

    Liked by 1 person

  5. Wilhelm Arcturus Post author

    @Toldain – That seems like a lot more work than just making a throw-away Pokemon Trainer Club or Google account. I’d be more likely to go with it being somebody in a country where Pokemon Go hasn’t yet been released. You couldn’t yet play in Russia the last I checked, a country with no shortage of hackers. And Russians stole my ICQ account, so we have a history there.

    Liked by 1 person

Voice your opinion... but be nice about it...

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s