Hey, everyone,

We wish we didn’t have to write this post, but it seems to be the appropriate time to do so. For starters, we are sure you all are aware of what has been happening lately in the game, so there is no need to delve deeply into what is going on, but we will briefly explain what has happened.

If you hadn’t heard, some players had their pirates and guilds deleted because some other players were able to get onto their accounts. They were able to do this because of a database leak from other websites entirely unaffiliated with TLOPO, such as Club Penguin Rewritten. Additionally, a few other players had shared their accounts and unfortunately saw their credentials eventually land in the hands of individuals who did not have the best intentions.

We want to be absolutely clear. TLOPO was not compromised, and never has been, ever. We store passwords with thousands of iterations of a modern hashing algorithm with unique salts per password. It is impossible for TLOPO to see any user's password under any circumstance.

Anyways, we think this is the perfect time to teach everyone how to practice proper security when playing TLOPO, and also using the internet in general.


1. Do Not Reuse Passwords. 

It does not matter how meaningless the application or service is DO NOT reuse passwords, no matter what. Reusing the same password online poses a number of serious risks. If any website you use ends up having their database stolen, whether through a hack or other means, your credentials get caught up in that. Eventually, these database leaks end up online and bad people try those passwords on other services in hopes that you reused your passwords across multiple services. This is what has happened to the vast majority of recent account break-ins.


2. Do Not Share Your Accounts or Credentials.

This is self-explanatory but even if you trust someone, they could accidentally reveal your credentials. It is best to not take this risk. Do not share your usernames and passwords (and email for that matter) with anyone.


3. Enable Two-Factor Authentication!

2FA is by far the best security measure you can have on your account.

Having 2FA enabled makes it practically impossible for anyone to breach your account. Two-factor authentication works by having two methods of authentication, requiring an additional piece of information when logging in - typically a code or token. To obtain these codes, you use a 2FA app. The best applications that we suggest are "Authy" or "Google Authenticator". People have their preferences, but both get the job done.

Additionally, TLOPO does not require 2FA codes to be entered on every single login on remembered devices, making the feature almost invisible for everyone who has it enabled - unless someone tries to break into your account, where it swoops in and saves you. To enable 2FA, please go to https://tlopo.com/account.

If everyone in the game did this, bad people are powerless.


4. Enable Arrmor!

If you do not have it enabled, enable Arrmor. Arrmor is not the perfect security measure, but it is a good first step. If you do not know what Arrmor is, check out the following link: https://tlopo.com/help/arrrmor/.  To enable Arrrmor, please go to https://tlopo.com/account.


5. Use a Strong Password

Good passwords should never have personally identifiable information and should have a mixture of capital letters, lower case letters, numbers and symbols. All passwords should be at least 8 characters in length, preferably more (we require 12). The key to having a strong password is to use a phrase; they’re hard to guess for others and easy for you to remember.


6. Use a Password Manager

There are many services out there that provide good password managing. We would suggest LastPass. There are many others out there, but do your research. These services store your passwords and encrypt them so it is easy to have them all in one place. 


7. Avoid Clicking Suspicious Links

Always look at links before you click them. Some malicious links can grab your IP address, opening the door to a Denial of Service attack (DDoS).


8. Periodically Change Your Passwords

This requires discipline, but changing your passwords up (as long as they are not repeated) can strengthen your security. This is important in the event a website leaks.

If you are concerned that your password may have been breached at some point from a different website, you can check out the following database: https://haveibeenpwned.com/.

This service keeps updated copies of almost every known database leak, and can inform you if your credentials have been leaked virtually anywhere online.

We would also encourage checking out the following forums post to tie up any loose ends: https://piratesforums.co/threads/internet-security-explained.13205/#post-192647 

We hope this is the last time anything like this happens, but we suspect that is unlikely. We have tried numerous times to warn players, to generally no avail. It is frustrating for us because we want everyone to be safe, but it seems our warnings generally go unheeded. Please take your account security seriously so you can continue to enjoy the Caribbean.

Lastly, TLOPO will make no effort to restore any lost progress on any compromised accounts if you do not have Arrrmor AND Two-Factor Authentication enabled. You must have both enabled in order to receive ANY support from TLOPO. They can be enabled at https://tlopo.com/account. If you need assistance setting either of these systems up, please contact us at [email protected]

~ The Crew