Your Pokémon Account Has Been Hacked

by Brock

Last night I received the following email.

2016-11-23 20_52_03-Inbox – tekchip@gmail.com

Having not been to the Pokémon site in many months, since about the time Pokémon Go came out, I found this odd. I promptly emailed the recommended address with a call for help as advised.

I then realized that perhaps I had forgotten to secure my account properly. Or maybe I could reset the password again before the attackers could change any vital account details.

I went to Pokemon.com and found the reset password link. https://club.pokemon.com/us/pokemon-trainer-club/forgot-password, provided my email address(widely available from many sources) and was taken to this page. This page then sends you a link to what I would hope is a random and secure page to do the password rest. That page looks like this.

2016-11-23 21_01_03-The Official Pokémon Website _ Pokemon.com

So I fill out all the information to the best of my ability and attempt to issue the rest. I can’t remember a Player ID, I look through my email to see if I got assigned one I don’t remember, and having not found one elsewhere I fill in the same as my username. I also apparently fat fingered one of my two passwords. On submission of the form I get the following message.

2016-11-23 21_02_24-The Official Pokémon Website _ Pokemon.com

I did eventually get my password reset. This does not make me feel safe. Why is that? Because what I’m able to change in no way negates what the attackers know to do the reset so they can simply reset my password again.

Lets Talk About Password Security

First lets be clear. Someone is negating Pokémon Company’s security somehow. I don’t know how. Perhaps they have access to one of my other accounts which let them bypass the randomized “reset your password” email link? Perhaps they’ve actually bypassed that on Pokémon Companie’s side via some form of man in the middle. That’s not what I’m here to call out.

What I am here to call out is all the ways that Pokémon Company has failed to provide additional security that could secure an account even in the face of the aforementioned penetrations. Lets start at the beginning of this story.

I received a notification that my password was changed AFTER the password had already been changed. This was received at 8:16PM CST. I received no prior link to authorize the reset before this communication. Which does hint at perhaps a man in the middle intercepting the email on it’s way to my account or perhaps no email was sent at all because Pokémon Company is compromised in some way. Either way it looks less like my Gmail account, which is phone app based 2FA and password reset regularly, is the culprit. This is where the single point of failure seems to lay because the rest of this password reset procedure is laughable. Had this not been such a joke for Pokémon Company perhaps this account compromise may not have succeeded.

First the date of birth is a super insecure piece of information as verification. Jump on Youtube and search “how to dox” and you’ll find a wealth of resources at easily obtaining this information.

Second the username…the one on the public facing profile for every Pokémon game you play? Do I really need to spell out how worthless that is as security?

Finally the Player ID which I presume is some number assigned via one of the games which is probably at least semi-private. This was the last best hope for stopping the compromise and it’s not even required!(see the screenshot above).

The TL:DR is that none of the steps following the email link do anything at all to keep the account secure. No “reminder questions”, no bot preventative captcha, no option to change username, and lack of any proper 2FA.  At the moment there is no way for myself or anyone else to properly secure their account because of the initial compromise however that happened.

Failing to find a way to properly secure my account I went looking for a way to close/remove my account. As it turns out there are absolutely no entries in the FAQ about how to do this. Doing a little Googling I came across a way to request a specifically Pokémon Go account removal here. But there doesn’t appear to be an easy way to close an actual Pokemon.com account.  This website seems to indicate the only way to close an account is to send a piece of real world mail to Pokémon Company asking them to remove you. In the intervening week the crackers will have run off with at the least your account and probably leveraged it to gain access to your other accounts and information. Reviewing their Privacy Policy brought up this joke of a statement “…verify your identity by asking you for an email address or by other means…”. As you can see above the email verification is performed by the randomized link but absolutely no “…other means…” are employed to verify your identity.

Pokémon Company you should be ashamed. The rest of us should be really, really concerned.

drunk_charmander_appeared_by_potemkill-d8q22bl
Image by potemkill@deviantart

P.S. In doing some Googling for “Pokémon Shit”(I needed a cover graphic) I found this lovely piece about previous security issues surrounding Pokémon games. http://effortlessoffice.com/pokemon-go-security-risk/