HDUmi avatar image
HDUmi asked

Help me answer questions about MAU, PlayStream and Webhook

Hi PlayFab Support,

I have some questions about the PlayFab system.

1. About MAU Calculation: Users who log in once a month are counted as 1 MAU. What happens when people with malicious intent get the Title ID code and register a large number of accounts in my system? Will all accounts and visits count as MAU ?.

2. Does Playfab have a mechanism to remove fake MAU?

3. Is there a mechanism that limits the number of registered accounts per 1 IP / hour? I used firebase, they allow to limit the number of accounts created on 1 IP / hour

4. How can I limit some countries to not use my service?

5. Can the RegisterPlayFabUser feature be disabled on the client?

6. Does PlayFab provide 2-layer security for accounts when logging in? eg verification by phone number or authetication. Because we can for some reason expose passwords or caches, others can access the account and disturb the system.

7. Does PlayFab provide individual user data recovery, user groups or entire users?

8. PlayStream Event Archive feature is currently available for AWS service. I want to use with Azure Event Hub and Data Lake to save PlayStream data for data analysis, do you have a solution to help me? Thank you very much.

Account ManagementTitle DatawebhooksPlayStream
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

1 Answer

brendan avatar image
brendan answered

Basically, you're concerned about a hacker creating fake accounts and increasing your MAU. At a base, all the calls to PlayFab are Web API endpoints, meaning we have no way of knowing whether calls are made from inside your game or not.

We've never seen a title get attacked in this manner, but if you're concerned about this, there are some things that can help (both that we already do, and that you can do):

1. All API calls are rate limited by IP Address in PlayFab, with the login (and register) calls being the most limited.

2. You can use a sign-in that requires a real account in another service. For example, if you're shipping a game on Steam, only use the Steam login.

3. You should disable all the other login calls, so that nothing else can make a player account. That's considered a Best Practice and we encourage all titles to do so. You can turn off all the Client API endpoints you're not using via the permission policies (

4. If you believe you're seeing this behavior and you're in the Pro or Enterprise tier (the only cases where it would matter, since they're the only ones that have a MAU-based fee), let us know and provide all the details you can. If we find that there's clear evidence of a hacker messing with you, we'll help however we can.

Specific to your questions:

1. and 2. See above. While we haven't seen this, if you think it's happening to you, let us know via the ticket support system.

3. Yes. Also above.

4. Not currently, and trying to do so wouldn't help much for your scenario, in any case. Anyone with even a small amount of technical skill would use things like VPNs to appear to be coming from different locations. Geo restrictions are really only effective for closed platforms like consoles - and even then, they're not 100% protected against a sophisticated attacker.

5. Yes, see above (permission policies).

6. Not currently, but feel free to "like" that in our Feature Request backlog: But what are you referring to when you say you could "expose passwords or caches"? What are you storing that could do that? If you mean passwords stored in PlayFab, they're not stored as passwords. They're one-way crypto-hashed data, so that not even we can get the password from it. We just compare the hash of what's submitted on a sign-in to it, to see if they match. As an aside, any site that can send you your current password is storing them insecurely, and you should help them to understand that they shouldn't do that. I personally will not use any site or service that I determine stores passwords insecurely.

7. No. All data for the service is backed up in a triple-redundant manner as part of our disaster recovery plan, but it is not stored on a per-title or per-user basis.

8. The newer data store we use is Azure Data Warehouse, which you can use in conjunction with other Azure data services. That's in private preview right now, but it will be in public preview later in the summer, barring any issues. To be clear, no, we cannot re-route all your title event traffic to an Event Hub in your Azure account. But it is possible to pull data from the Azure Data Explorer link we provide to use in your own account however you like.

1 comment
10 |1200

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

HDUmi avatar image HDUmi commented ·

Hi Brenda.

Wish you a good day.

Thank you for the enthusiastic help.

I understood the problem and went on with PlayFab.

0 Likes 0 ·

Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.