And this could have been prevented to a certain extent if you didn't take authorization/control of people's PayPal accounts for transactions. Instead you should let the end user log in once more with PayPal username and password to finalize that transaction. If he used the same username and password on his PayPal account his bank account would still be raided, but you can't really counter stupidity too much.

But right now, you are also punishing people who use PayPal and did think of using different passwords for different things.

Right now if I want to use PayPal as payment method, I have to authorize TrionWorlds by logging in once with my PayPal username and password.

Once that process is done, from then on every purchase I make will be directly billed with PayPal as medium from my own bank account. And I never have to use my PayPal username and password again to finalize a transaction, making my TRION Account a Single Point of Failure.

As any IT Specialist would know, SPOFs are BAD and you served eventually. Think about that, you are part of the problem just like the players who use same passwords across multiple services are, in many ways, starting with the fact this forum doesn't even use SSL certificates, so when we log in this data is not encrypted. So a hacker with some skills and ill intentions could sniff out login credentials each time we log in to this forum.

Nice job!

Crappy PayPal payment solution where you don't always ask for user PayPal login credentials before finalizing a payment.

No SSL certificate / encryption for Archeagegame.com domain.... Why? You use one for the trionworlds.com domain. Why not the forum too?

I would wonder how vulnerable you are to SQL injections and stuff.... leaves me wondering when from my point of view you didn't invest much in security either.

Also, doing that IP thing on Glyph is nice, but not impressive. I'd much rather see a 2nd verification where you need to enter the code (with mouse clicks only) that people have selected, like 8 characters long consisting of only numbers. Though, I'll admit you already have something similar with the Authenticator token thing. You should enforce 2nd verification for additional account security.

I don't particularly like the Authenticator thing, so I rather like how they do it in AION. You need to enter your 8 digit code before you can actually log on to the world with the character you selected. Even if your password was breached, if the hacker doesn't know your 8 digit code too he still can't do anything with your in-game character cuz he can't log in.

Sorry, I have been ranting a bit but security is your responsibility as a publisher a lot more than it is to the end user. I know the end user is generally stupid. But it's up to you to enforce security upon them. So force a 2nd and/or 3rd layer of security.

Invest some money in good security. It is really worth a lot, especially in MMOs where account theft means a major hassle for both the end user and customer support. Something that can be prevented or made considerably harder with better enforced security measures.