Security & anti-phishing
Effective: 16 July 2026 · Last updated: 16 July 2026
The short version.
- We will never ask you for your password, your two-factor codes, your recovery codes, or your security-question answers — not by email, and not in game. Anyone who does is not us.
- Check the domain. We only ever ask you to sign in on
account.islesofcalamity.com,create.islesofcalamity.com,recover.islesofcalamity.comandbilling.islesofcalamity.com, or in the game client itself. - Our automated email only ever comes from
no-reply@islesofcalamity.com, and it never asks you for a credential. But a From line can be faked — judge a message by what it asks you to do. - Turn on two-factor authentication. It is the single best thing you can do for your Account. Two things worth knowing before you do: once it is on, neither you nor our staff can switch it off, and recovery codes reset your password — they do not get you past the two-factor prompt. If you lose your authenticator app, you will need to submit a recovery request and wait for a human. Keep your recovery codes.
- Secure the email address on your Account. It is where your security alerts land, and it is one of the two things needed to reset your password if you have set security questions.
- Think you have been hijacked? If you can still sign in, change
your password first — that signs out every other device and cancels any
pending email change. If you cannot sign in, go to
recover.islesofcalamity.com. Then check your sessions and sign-in history, and contact us. - Found a security flaw? Tell us through support and we will not come after you for it. We do not pay bug bounties. Please do not exploit what you find — that is a separate matter under the Game Rules.
This summary is here to be read. It is not a substitute for the clauses below, and where it is shorter than they are, they govern.
1. Scope and defined terms
- Who we are. This page is published by Pixel Glitch Studios ("we", "us"), trading as Isles of Calamity. "You" means the player reading it.
- Defined terms. "Account", "Character", "the Game", "the Site", "Membership" and "Membership Credits" have the meanings given to them in the Terms of Service. This document does not redefine them.
- What this page is. It does two things: it tells you how we contact you, so that you can recognise someone pretending to be us; and it sets out how to report a security vulnerability to us (section 8).
- What this page is not. It is guidance and a disclosure policy. It is not a warranty, guarantee or representation that the Site, the Game or your Account is or will remain free from compromise, and it does not add to or reduce the liability provisions of the Terms of Service. Section 9 applies.
- This page forms part of the Terms of Service. Where it conflicts with them, the Terms of Service govern.
2. What we will never ask you for
- The undertaking. We will never ask you to tell us, type into a
form we send you, or otherwise disclose to us or to anyone else:
- your password;
- a two-factor authentication code from your authenticator app;
- a recovery code; or
- an answer to one of your security questions.
- Consequence. Any message that asks you for any of the items in clause 2.1 did not come from us, whatever it looks like, whatever name it uses and whatever address appears in its From line. Do not answer it. Report it to us under clause 7.6.
- Where you do enter your password. You type your password only into a sign-in surface listed in clause 3.2, or into the sign-in screen of the Game client you downloaded from us. Nowhere else, and never at anyone's request.
- Staff contact. Our staff will not ask you to hand over your Account, to move it to a different email address, to send a two-factor code "to verify you", or to share your screen while you sign in.
- Recovery is the exception that proves the rule. When you use
the security-questions route at
recover.islesofcalamity.com, you enter your answers into that page, on your own initiative. We never initiate that exchange, and we never ask for those answers in a message.
3. How to tell our site from a fake one
- Check the domain, not the design. A convincing copy of the Site is cheap to make. The one thing an impersonator cannot copy is our domain name. Read the address bar before you type anything into a page.
- Our sign-in surfaces. We ask you to sign in to your Account at
these addresses and no others:
account.islesofcalamity.com— your Account settings;create.islesofcalamity.com— registration;recover.islesofcalamity.com— Account recovery;billing.islesofcalamity.com— Membership purchases; and- the sign-in screen of the Game client.
- How to read an address. Look at the label immediately before
the first single slash. It must be exactly
islesofcalamity.com.account.islesofcalamity.comis ours;islesofcalamity.com.example.net,islesofcalamity-login.comandislesofcalamity.com.signin.exampleare not, no matter what precedes them. - Connections are encrypted. The Site is served over HTTPS only. A browser warning about a certificate on a page bearing our name is a reason to stop, not a reason to click through.
- Links from strangers. Treat any link to a "free membership",
a "giveaway", a "beta key", a stream-drop page or an item-duplication trick as
hostile. Where you want to reach the Site, type
islesofcalamity.comyourself rather than following a link someone gave you. - Third-party sign-in. If you link a Google, Apple, Discord or Steam sign-in to your Account, that provider's own sign-in page will appear on their domain. Check it is theirs by the same rule in clause 3.3. We never see, and never ask for, the password you use with them.
4. How our email works
- One sending address. Every automated message we send — address
verification, email-change confirmations, security alerts, password-reset notices,
and the newsletter if you subscribe to it — is sent from
no-reply@islesofcalamity.com, under the display name "Isles of Calamity". - Replies from a human. If you write to us, a reply may come from
support@islesofcalamity.com. That is our support inbox, and it is where you should write to us. - Our email never asks for a credential. No message we send will ever contain a field for your password, ask you to reply with a two-factor code, or ask you to confirm a recovery answer. See clause 2.1.
- A From line can be forged. Anyone can put our name and our address in the From line of an email. Do not treat the sender as proof. Judge the message by what it asks you to do: if it asks for something in clause 2.1, or hurries you toward a sign-in page, it is not ours.
- Do not trust the link; reach us yourself. If a message
concerns your Account, you never need its link. Go to
account.islesofcalamity.comdirectly and look. Anything genuine will be visible there. - Alerts we do send. Two are worth knowing, because they are how
you find out about an intrusion:
- if someone asks to change the email address on your Account, we email the existing address to tell you — and we do so even when the request fails; and
- if your password is reset through recovery, we email the registered address to tell you which recovery route was used.
5. Securing your Account
5.1 Your password
- A password must be between 10 and 128 characters. We store it only as an Argon2 hash; we do not store, and cannot read, the password itself.
- Every time you set a password we check it against the Have I Been Pwned database of passwords exposed in third-party breaches, and refuse it if it appears there. The check is made by k-anonymity: only the first five characters of a SHA-1 hash of the password leave our servers. Your password, your email address and your identity are not sent, and cannot be inferred from what is.
- Use a password you use nowhere else. The commonest way an Account is lost is a password reused from a site that was breached.
5.2 Two-factor authentication
- What it is. You can enable two-factor authentication (TOTP)
from
account.islesofcalamity.comusing any standard authenticator app. Once you confirm it, every sign-in requires a code from that app in addition to your password. We recommend it without reservation. - Brute force. Repeated wrong codes lock the second factor on your Account for a cooling-off period, during which no further guess is accepted.
- It cannot currently be switched off. There is no facility on the Site, and none available to our staff, to remove two-factor authentication from an Account once it is confirmed. It is removed only if the Account is deleted. Please read clause 5.3 before you enable it, and keep your recovery codes.
5.3 Recovery codes
- What they are. When you enable two-factor authentication we issue you a set of one-time recovery codes. You can generate a fresh set at any time from your Account; doing so immediately invalidates the previous set. Store them somewhere that is not the device holding your authenticator app.
- What they do, exactly. A recovery code lets you
reset your password at
recover.islesofcalamity.comwithout access to your email. A recovery code is not a way past the two-factor prompt. If you have two-factor authentication enabled and you have lost the authenticator app, a recovery code will not sign you in: your only route is the recovery request in clause 5.5.3, which a person reviews. - Each code works once. Using one signs out every session on the Account and emails the registered address.
5.4 Security questions
- Security questions are optional and are set from your Account. We store only a hash of each answer.
- They open a recovery route only once you have set at least three, and that route then requires every stored answer to be correct — there is no partial credit — together with a one-time code emailed to your registered address. Like recovery codes, they reset a password only: they do not affect two-factor authentication.
- Answers that can be researched — a pet's name you have posted, a school you have named on a profile — are not answers. Treat each one as a second password.
5.5 Your email address
- Why it matters. Your registered address is where every security alert we send you arrives, and — if you have set security questions — it supplies one of the two factors the recovery route in clause 5.4 requires. Control of that inbox is not on its own enough to take your Account, and it is not meant to be the last thing standing. Secure it at least as well as you secure this one, with its own unique password and its own two-factor authentication.
- Changing it. An email change requires your password, is confirmed by a link sent to the new address, and is announced to the old one (clause 4.6.1). Until the new address is confirmed, nothing changes.
- If all else fails. Where no self-service route is open to you,
recover.islesofcalamity.comlets you submit a recovery request for review by a person. We do not commit to a turnaround time for these.
5.6 Linked sign-ins
- Linking a Google, Apple, Discord or Steam sign-in to your Account is optional. Linking one does not disable your password: your email address and password continue to work, and remain the route we support.
- A linked provider is a second door to your Account. Secure the account you link at least as well as this one.
6. Sessions and sign-in history
- Active sessions. Your Account page lists every device currently signed in, showing when the session began, when it expires, the IP address and the browser or device it reports, and which one you are reading it on.
- Signing out elsewhere. "Sign out everywhere else" revokes every session except the one you are using. Changing your password does the same thing automatically.
- Recent sign-ins. Your Account page lists the last 20 sign-in attempts on your Account: when, from what IP address, whether it succeeded, and whether two-factor authentication was used. Both successes and failures appear.
- How long a session lasts. A web session lasts 12 hours from the moment you sign in, after which you sign in again. Where you ask the Game client to keep you signed in, that session lasts up to 30 days. No session outlives 30 days, and every session remains revocable at any time.
- What to look for. A successful sign-in you did not make; a sign-in from a place or network you do not recognise; a session on a device that is not yours; a two-factor prompt you did not trigger. Any of these is a reason to work through section 7.
- Note on IP addresses. An IP address is a coarse signal. Mobile networks, VPNs and internet providers move them around, so an unfamiliar address is not proof of intrusion — and a familiar one is not proof of safety. Read it alongside the rest.
7. If you think your Account has been taken over
- Act on the first sign. An alert you did not expect, a sign-in you do not recognise, a Character renamed, items gone, a mute or a ban you did not earn. Do not wait to be certain.
- If you can still sign in — change your password first. Go to
account.islesofcalamity.comand change it. This one act does three things: it locks out anyone using your old password, it signs out every other session on the Account, and it cancels any pending email change. That last point matters: an intruder's next move is to move your Account to an address they control, and a password change is what voids that request. - If you cannot sign in — recover. Go to
recover.islesofcalamity.com, which offers three routes:- a recovery code — instant, and needs no access to your email;
- your security questions, together with a one-time code emailed to your registered address, if you set at least three of them beforehand; or
- a recovery request, reviewed by a person, where neither of the above is open to you. This is also the only route if you have lost your authenticator app (clause 5.3.2).
- Important limitation of recovery. Resetting your password through recovery signs out every session, but — unlike the password change in clause 7.2 — it does not cancel a pending email change. A confirmation link an intruder requested stays live for up to 24 hours. So: if you have received an "email change requested" alert that was not you, then after recovering, either sign in and change your password again from your Account page, or contact us at support@islesofcalamity.com straight away. Do not assume recovery alone has closed it.
- Then, in order.
- Secure the email address on your Account (clause 5.5.1). If the intruder reached your Account through your inbox, everything else is temporary.
- Read your sessions and sign-in history (section 6) and sign out everywhere else.
- Enable two-factor authentication if it was not on.
- Generate a fresh set of recovery codes, which invalidates any set the intruder may hold.
- Change your password anywhere else you used the same one.
- Tell us. Contact support@islesofcalamity.com or use the support form under "Account help". Tell us what you saw and when. If you received a phishing message, send it to us — it helps us warn other players.
- What we do not promise. Nothing in this section is an undertaking to restore a Character, items, Membership Credits or progress lost through a compromise, or to identify who was responsible. We will help where we reasonably can.
8. Reporting a security vulnerability
8.1 How to report
- Email support@islesofcalamity.com,
or use the support form and choose "Bug report". Our
machine-readable security contact is published at
/.well-known/security.txtin the format of RFC 9116. - Please include: what you found, where, and the steps to reproduce it; what an attacker could achieve with it; and anything we need in order to see it ourselves — a proof of concept, a request, a screenshot, a short video. A report we cannot reproduce is a report we cannot fix.
- Report in English where you can. Tell us if you want to be credited, and how.
- We read every report. We do not commit to a response time, and you should not read silence as dismissal.
8.2 What is in scope
islesofcalamity.comand its subdomains, includingaccount.,create.,recover.,billing.,api.andstatus..- The Game client we distribute, and the game servers it connects to.
- Vulnerabilities of the ordinary kinds: authentication and session flaws, authorisation bypass, injection, remote code execution, exposure of another player's personal data, flaws in payment or Membership Credit handling, and server-authority bypasses in the Game.
8.3 What is out of scope
- Our service providers' own systems. Amazon Web Services, Stripe, PayPal, Cloudflare, Google, Apple, Discord, Steam and Have I Been Pwned each run their own disclosure programmes. Report to them, not to us, and do not test them under this policy.
- Findings that require physical access to a player's device, or a device or account already compromised by other means.
- Social engineering of our staff, our service providers or our players; phishing; and physical intrusion.
- Denial of service, volumetric or resource-exhaustion testing, and anything that degrades the service for other players. Never test this.
- Automated scanner output with no demonstrated impact; missing hardening headers, cookie flags or TLS-configuration preferences with no working exploit; self-XSS; and reports whose substance is that a version number is old.
- In-game bugs, exploits and duplication. Report them under this section if they let a player break server authority or reach another player's data. Everything else — an item behaving oddly, a quest that will not advance — is an ordinary bug report. Either way: report it, do not use it. Exploiting a bug is a breach of the Game Rules and this policy does not licence it (clause 8.5.4).
8.4 Rules of engagement
- Test only against your own Account, your own Characters and your own data. Never access, modify or retain another player's data. If you encounter someone else's personal data by accident, stop, do not save a copy, and tell us what you saw.
- Do not destroy, corrupt or modify data that is not yours; do not degrade the service; do not run denial-of-service tests.
- Stop at the first confirmation. Prove the vulnerability exists — do not see how far it goes, how much you can extract, or what else it reaches.
- Do not use a finding for gain — in the Game or outside it — and do not sell it or pass it to anyone else.
- Give us a reasonable opportunity to fix the issue before you tell anyone else about it. Unless we agree otherwise in writing, please do not disclose publicly for 90 days from your report. If you think an issue needs to be public sooner, say so and we will discuss it.
- Comply with the law and with the Terms of Service in all other respects.
8.5 Safe harbour
- Our undertaking. Where you make a good-faith effort to comply with this section, we will regard your security research as authorised. We will not initiate or support legal proceedings against you in respect of that research, including under the Computer Fraud and Abuse Act (18 U.S.C. §1030), section 502 of the California Penal Code, or the anti-circumvention provisions of 17 U.S.C. §1201. We will not treat it as a breach of the Terms of Service or the Game Rules, and we will not sanction your Account for it.
- If a third party brings proceedings against you in respect of research that complied with this section, we will take reasonable steps to make known that your conduct was authorised under it.
- What we cannot give you. This safe harbour is limited to claims that are ours to bring. We cannot waive the rights of any third party — including our service providers listed in clause 8.3.1 — and we cannot bind any prosecutor, regulator or court. If your testing touches a third party's systems, their terms govern your position with them, not ours.
- Its limits. Conduct outside this section is outside the safe harbour: exploiting a finding for advantage, accessing or keeping another player's data, degrading the service, extortion, or a demand for payment in exchange for silence. Good faith is judged by what you did, not by what you called it.
- If you are unsure whether something is authorised, ask us before you do it. We would rather answer the question than argue about it afterwards.
8.6 Rewards
- We do not operate a bug bounty. We do not pay for vulnerability reports. Submitting one creates no expectation of and no entitlement to payment, and we do not negotiate a fee in exchange for the details of a report.
- If we later offer rewards, the scope and terms will be published in this clause: we do not currently offer a paid bug bounty.
- We may, at our discretion and with your permission, credit you for a report.
- Nothing you send us obliges us to act on it, and we may fix an issue you report without notice to you.
9. Limits, governing law, and your statutory rights
- No guarantee. The guidance on this page reduces risk; it does not eliminate it. We do not warrant that the Site, the Game or your Account is or will remain secure or free from unauthorised access, and following this guidance does not make us liable for a compromise that occurs anyway.
- Your part. As set out in the Terms of Service, you are responsible for keeping your password and your two-factor device secure, and for activity under your Account. Section 7 tells you what to do when that goes wrong; it does not shift that responsibility onto us.
- No enlargement of liability. Nothing on this page adds to, reduces or otherwise varies the liability provisions of the Terms of Service, which continue to apply in full.
- Governing law. This page is governed by the law of the State of California and applicable United States federal law, as provided in the Terms of Service.
- Consumers in the EU and the UK. If you are a consumer resident in the European Union or the United Kingdom, clauses 9.1 to 9.4 do not deprive you of the protection of the mandatory rules of the law of your country of residence, and nothing on this page — including any limitation, exclusion or choice of law — affects your statutory rights. Where a provision of this page conflicts with a mandatory consumer protection you enjoy under that law, that protection prevails and the rest of this page continues to apply. You may bring proceedings in the courts of your country of residence.
- Consumers elsewhere. Mandatory consumer-protection law in your jurisdiction may give you rights that a limitation on this page cannot remove. Where it does, it prevails over this page to the extent of the conflict.
- Severability. If any provision of this page is held unenforceable, it is severed and the remainder continues in force.
10. Changes and contact
- We may update this page as the Site, the Game and the threats to them change. The date at the top records the current version, and we will note a material change on the Site.
- Where a change materially reduces the protection given by section 8 (safe harbour), it applies only to research begun after the change is published.
- Contact for everything on this page, including vulnerability reports: support@islesofcalamity.com, or the support form. Our identity and postal contact details are in the Terms of Service.
- Related documents: the Terms of Service, the Privacy Policy, and the Game Rules.