Select Page

Supercell, you MUST STOP this. Everyones ACCOUNTS are AT RISK. [Rant]

Supercell, you MUST STOP this. Everyones ACCOUNTS are AT RISK. [Rant]

Yes, I know you are here for the memes. But please hold on and read the TL;DR because this is something which can very well affect **you** in the future.

## TL;DR
The account recovery system of the game is broken and vulnerable in its current form. It encourages:

1. People stealing **any** account in the game. Yes, any, yours included.
2. People getting banned on their own accounts for illegitimate reasons.

We need to change this immediately, or everyone’s accounts are at risk.

## So what is really going on here?
This is not a problem you all don’t already know about. It has been going on for multiple years, but it needs to stop now because it is getting even crazier. For the ones which have been scrolling through this subreddit for some time, you will have realized that there is an increasing number of posts of two types:

### 1 – A guy hacked in our clan and banned all of us / My TH13 account just got hacked.
As crazy as it sounds, this is not an uncommon issue. Here are some examples:

* 2800+ upvotes:
* Just some days ago:
* Another, again all of these less than a week ago:
* A poor guy which suddenly found himself without the account:
* Another guy which spent money in the game:

Do you want more? Because the list keeps going and going. These are only the *latest* posts, and note that this is **only for redditors**. Many other people have had this issue but they just did not know this place. If you want to read more, just search the keyword “hack” in the subreddit.

So what does this mean? That your own account, after years of hard work and (possibly) spending money, **could be suddenly locked or stolen**. The best thing of all this? That **SUPPORT IS NOT DOING ANYTHING**. More on this later. I know, I know there are people which received help. But if you go onto those posts and others, the common pattern is complete silence from the support team.

### 2 – I got banned from the game when trying to recover my old / alt account!!
Again, this is even more common than the previous issue. But although it may seem to be an unrelated topic, it is actually occurring because of the same broken system as the previous one.

Do you wanna read some examples? Here you go, but again, if you use the keyword “ban” in the subreddit you will find not one or two more, but *lots* more of cases:

* Less than a day ago as I am writing this:
* 2 days ago. *1 DAY BEFORE THE PREVIOUS*:
* Another one:
* Same case:
* This is not the same case, but it can be explained because of what is going on:

The list keeps going and going. Trust me, this is not happening to one or two people which behaved like weirdos when talking to support. It looks like almost everyone contacting support because of lost accounts is getting banned. I repeat, **almost**. For sure some people are actually getting their accounts back. But this is simply wrong.

And of course. I have one example more of this case. Myself!! I got banned for 31 days just for talking to support trying to recover my alt just a day ago.

***>Oh now I got you, this is all a rant about your case.***

I know it will seem like that. And in the end it is. I would now be writing all this if I was not banned. But I would not accomplish anything by writing a post like “[RANT]My account was banned”. Because we are all players and, by ourselves, we cannot change how Supercell does their things. I want to **get to the BIG PICTURE** and address this really big problem. And to do so, I will use my own case to explain to those you don’t know it yet what is really going on here and **why** it is such a problem Luckily, someone from Supercell may read this and do something. At least I would have tried. If at least someone is informed about this thanks to my post then I would be happy enough.

Also my ban is just for 31 days, I was lucky (in the past it was permanent, I will address this too) and although probably the clan leader will kick my ass because I have green shield I’ll simply take a break from the game.

## Okay, I get that there is something going on, but why all this posts?
There is a clear reason why this is happening. The account recovery system is simply bad implemented by Supercell. It makes it easy for thieves to steal others’ accounts (and Supercell knows it!!) and at the same time leads to players getting banned when trying to recover their legitimate accounts because the support team will think they are the aforementioned thieves.

But in order to explain why this is happening, let’s compare how the system works in Supercell VS. how it works in other online platforms. Bare in mind that this is all for Google Play linked accounts, and **I think** it is better implemented for Supercell ID accounts, but I have not had the pleasure (/s) to test it myself.

### How the account recovery system works, and why it is SO wrong
You lost your account, or you want to access that alt you had years ago. The email the account was linked to is not working, so after a quick search online, a clear solution arises. This is Supercell’s [support page](, and the same can be accessed in-game clicking “help and support”.

You see that the first entry is “I lost my account”. Great! I don’t have that Supercell ID thingy, and in the second entry it says “Contact Us” if I don’t. Let’s go for it then. There is no button for this in the website, but if you are in the game you will find in the menu a button “Contact Us”. Click it and you are welcomed by OTTO. Welcome to ~~human support~~ a bot.

Whatever, Supercell is a small team, they cannot attend everyone at the same time. OTTO gives us a set of topics to select. “Lost account” is the first one! It really looks they are taking this seriously. Let’s go for it. Multiple options again “Lost Village” looks like the best for this case, you click it.

Now, Boom. OTTO starts to ask you questions. First of all, the player tag of the lost account. The name of the account (why?? Can’t they access it with the player tag). The TH level (My first thought is whaaat? They need this to recover the account?). And finally, OTTO tells me to explain the situation in order to prove that I am the account owner. At this point, I am simply socked. What it is this, I have to tell them a story to prove I am the owner? It actually is this. What follows? Usually in 2-3 days a member of the support team will join the chat and keep asking *more detailed, extremely specific questions*. Which names the account had in the past, a list of devices you played the account on, the date you began playing, the location where you play this account, etc.

As you can see they are all questions which the average human being does not remember the answer if this is an alt you had 3 years ago, but this is not the main point I want to highlight here. If you do not still see **why this is VERY wrong**, think about the following scenario: You are on Twitter and you want to steal Elon Musk’s account. You obviously do not know the email or anything, but whatever (since Supercell does not even ask about this), you go to support and try to guess where he lives, where he accesses the account and which is the phone model for example. They also ask you about what the account name is (= player name in our case), which is the number of followers (= TH level) and all kind of questions publicly available. You will probably get the set of questions wrong, **but if many people try it, in the end they will get it right**. And then, boom. You are now Elon Musk (= your account is gone and your game progress is lost). Good luck for the real Elon Musk proving he is the owner.

The above can go to even more extreme levels by what is called an “spear phishing” attack, and which is Supercell’s main headache. Spear phishing is a type of what is known in the cybersecurity industry as social engineering, and consists on gathering information about an specific person (in social media for example, like in Reddit) so that you can later impersonate them and trick someone (in this case a member of the support team) into giving you access to something (your account) which should be restricted for the thief. In this case, attackers may look at your reddit posts and gather information about your account, the amount of gems and level, your player tag (which is also accessible once they know your name with webpages such as, where do you live (if you mention it in another subreddit, or in another social media they think you are the owner), your device brand (you might have mentioned it, or if you are subscribed to r/IOS it’s a matter of trying with their devices, it is not that difficult). You get the idea. They will later try luck with the Supercell support team and at some point they will get the whole information right, specially if they are answering support’s questions and suddenly when answering the wrong one they get banned (that may even indicate which question is wrong).

#### **Supercell countermeasures**
Obviously Supercell will now simply sit there when their users’ accounts are getting stolen, but once again **instead of solving the security issue, they make the situation worse**. Their solution? Since we are having a lot of thieves accounts trying to steal others’ accounts, we will simply ban them once they get the information wrong. It is that simple!!!!! Problem solved!!!!!!!

****BUT NOOOO**** that is not the solution! Because now, **this is what is happening**:

1. Thieves are getting banned trying to solve the questions, but they simply create another account and try it again. In the end they reach their goal, and your account is now gone. This is why all the “X has been hacked” posts appear.
2. Legitimate players try to recover their accounts and then they are asked lots of specific questions. If they get a single one wrong, or they are unsure, or simply the support team thinks they have no proof enough, they get banned from the account they have reached the support team from, which is usually their main’s. And this people are not thieves. They will not try again with another account. They just want to play, and now they are banned! Note that once you start this process of questions there is no going back, someone in a previous post mentioned that, after seeing how specific were the questions, he just told the support team to forget about his alt. Still, a day later, he was banned because of “phishing”.

If you have reached this point, thank you for reading all this. Hopefully you now understand how big is the problem, but you may be wondering *”what could Supercell do?”*. Well, what about simply implementing the same secure and trustworthy recovery system as other platforms? But before going with that, let me tell you about the icing on the cake.

Supercell, after seeing that legitimate players are getting angry and banned **permanently** for the game, decided that they would change the permanent ban into a 31-day long ban, probably because this still prevents thieves from reusing accounts and it gives a chance for legitimate players to go back to playing and spending. However, this is not the solution and I hope you agree with me. Getting banned 31 days may not mean much for the casual player, but is not acceptable for others, specially if they did nothing wrong.

Yes, the Terms of Service state that Supercell has the right to ban players which are suspect of breaking them. And yes, they do have that right, we all accepted those terms. But **even if the terms are right**, **the way this terms are being applied is wrong**. I apologize for saying it like this but it is truly pathetic what Supercell has been doing here. This system does not live up to the expectations I had of such an important company.

Again, I am nobody to tell how Supercell should do things, but since I had to take the time to write why the system is wrong, I am going to take the liberty to write how a secure and healthy system should be to put a stop to this whole nightmare.

### How the account recovery SHOULD work
First of all, it is just a matter of recognizing which pieces of information truly recognize the owner of an account. Is the player name, player tag, TH level, last time played, when the in-game purchases took place, the device in which you play the game… identifying information? Clearly they are not. They are unique for the player, but after some social engineering or guessing we all can see the system breaks. Also come on, we are all human, and we forget things. If I tell the support guy I played in Taiwan but I have recently gone on holidays to France, is it truly fair to ban me?

So what is truly unique for each player? The answer is **their email, and the password** to which the game is uniquely linked. If you ***have ACCESS to the email***, it means you know both the email and the password. The “access” part is important, just by knowing the email of an account and telling it to Support you must not be given the account immediately. In order to guarantee that the user has access, the process should consist on:
1. You cannot access an account. There is an error, you changed device, maybe you do not even remember which email was being used for the game.
2. You contact support (or this could even be automated!) and you tell them you need to access X account. NO MORE INFO NEEDED
3. Support, or the automated system, sends a recovery code to the email linked to the X account.
4. The player sees that the recovery code was received in his/her email, or it could even be a link to a webpage to re-link the account to a new email. Clicks it, and the process is finished.
5. The thief does not have access to the email, so the worst that happened to the player is one new email which can be safely ignored. Hurry!

I must say that obviously this is not the only way of doing this, but hopefully we all agree that this is a secure and scalable system which will solve everyone’s problems. No more thieves “””hacking”””, no more players banned. Also note that if you do not have access to the email **then bad luck, it is not Supercell’s problem**. If you forgot your password or whatever, then it is Google’s duty to recover it for you. A system commonly relies or trusts on others to reduce complexity and problems, and this is the same case. Supercell, by using Google accounts, must rely on Google system to identify its players, instead of the broken system which is currently on place.

And in the case there already exists a similar system for Supercell ID already implemented, I must say that then:
1. Supercell must *enforce* using Supercell ID to all players. OR
2. Supercell must implement *the same system* to Google Play accounts. In the end, people are lazy (I include myself here), and if you want to ensure maximum security for everyone you must do it easy and not force them create another account.

And this is the end of this post which OH GOD took me too much time, but I would have procrastinated more playing Clash and I can’t, so whatever. I’ll be very glad of reading any suggestions you may have on how to improve the situation but what I please ask you the most is to take this up for a chance of Supercell reading it. Even if they see it and don’t do anything, then it will not be because we, the players, have not warned them. Supercell, stop creating webpages like [this](, and start doing things right.

About The Author

1 Comment

  1. marsanpat27

    I am open to read your thoughts. Maybe you have a reason why you think the current system works, and that is perfectly fine. But as of now, it is very clear there is an open issue here.


Leave a reply

Your email address will not be published. Required fields are marked *

Recent Tweets

Recent Videos


Recent Reviews