[SOLVED] Suspicious website with datamining from accounts

On Reddit I saw a suspicious topic with a linked website where you can ask for data statistics from your Hitman account. Is it fake? Looks shady to me.

.io domain? The IOI logo in the header redirects to auth.hitman.io, not to ioi.dk. I don’t believe it is real; it looks like some kind of data stealing.

@Travis_IOI ?

The e-mail from which you get a reply is on the @ioi.dk domain. There’s also not much data that can be stolen if you’re the one requesting and getting it.


It’s run by IO.

You can also find the discussion here, with some people requesting the data.

Nothing shady.



You have the right to access your information, and you may request to have it deleted (GDPR Art. 15 and 17). If you wish to do either, please visit https://personal.hitman.io. Please see section 5 for more details on deletion.

Hitman.io is the official technical domain behind all Hitman game services.


It’s really interesting to see what IO actually record - which is basically everything.

I was interested to see they even log (on PS4) how many of your friends own HITMAN/HITMAN 2.

As already commented by a couple of people here, yes, this is our official personal data portal, linked to from ioi.dk.
hitman.io is indeed our primary domain for Hitman related cloud services (we found it cool as we are IO Interactive to have it on .io :stuck_out_tongue: ).

@thrison As the online servers are responsible for player progression and providing data for the game menus, we do need fairly granular data up there.
PS4 friends are not kept on our servers, but we do use the information for friends-related features while you are online, and we track the friends count for statistical purposes.


It’s quite cool combing through all the data though. Especially seeing all the stats that used to be available in-game before they were patched out long ago.

The figure of my time spent playing the game is scary to look at though - since normally you can’t see time spent on the PS4. :joy:

That’s all good, but there is no front page by this link :slight_smile:
It just says

I once requested my data recently, and it was quite a lot!
What I wondered about is that there is no position data on the maps. In an old video some IO guy showed a heatmap in Freeform Testing during a presentation. Is this data anonymized?


IOI pls give our old statistics screen back. Having to do a GDPR request every time I want to see them is annoying :stuck_out_tongue:


Good to have confirmation on the website’s legitimacy, but I’m not sure why there was any doubt in the first place.

Good to know! I’m just cautious :slight_smile:


It’s a good attitude, keep being cautious :wink:
We just tend to assume people reach that website from our privacy policy page.

True, because there is nothing on the naked “hitman.io” url, all services are hosted on subdomains and they are faceless endpoints.
We might consider hosting a redirect to hitman.com, just to help clear the confusion.


What the hell could someone do with HITMAN data :laughing: truth be told it just shows cool stuff like how you killed an elusive target and all your progression. I think we are fine boys!

With the time stamps you can see at which times at least someone was at home at his PC. Even if Steam is set to invisible to other users.
Useful for your employer to see whether you really were sick in bed or again called in sick to play that new Hitman DLC.

Anything can be sensitive data.


This site asks for access to your Steam/Xbox/PS account, and you have no idea what third-party websites could actually retrieve from your account if that were a fake IOI site.

Just a suggestion…since the site has been confirmed…don’t you wanna change the title of the thread to not have the word, suspicious? @Affliction


The Steam/PS4/Xbox One login goes directly through the first party gates. You need to log in directly on Valve’s, Sony’s or Microsoft’s domain, which will then give authority to the site to identify your account (so that person A can’t get person B’s data just like that). The only thing the site asking for login gets is the account name, some mumbo-jumbo identifier and any information that’s public either way. It’s quite similar to when you’re paying with your credit card online - the shop should always forward you to the bank’s/your online bank account’s gate and you work with your sensitive information only there - when the gate says the transaction went fine, it tells the shop “it’s fine mate” and the shop tells you “yay, bought!”.
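The check implied by the post above, as an added example that is not part of the thread or of IOI's code: before typing a password, confirm the login page is really served from the platform's own host and not a lookalike. The names `checkLoginUrl` and `FIRST_PARTY_LOGIN_HOSTS` are hypothetical, and the two listed hosts are assumptions to be replaced with hosts you have verified yourself.

```javascript
// Added example. The allowlist is an assumption: fill it with login hosts
// you have verified yourself.
const FIRST_PARTY_LOGIN_HOSTS = new Set([
  "steamcommunity.com", // Valve: Steam OpenID sign-in
  "login.live.com",     // Microsoft account sign-in
]);

// Decide whether a login page URL is really served by an allowlisted host.
function checkLoginUrl(rawUrl, allowedHosts = FIRST_PARTY_LOGIN_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl); // same parsing rules browsers use
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // "https://steamcommunity.com@other.example/" connects to other.example.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before '@' hides real host " + url.hostname };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // Internationalised labels can imitate Latin letters; treat as suspect.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode host " + host };
  }
  // Exact match only: a suffix or substring match would accept
  // "steamcommunity.com.other.example".
  if (!allowedHosts.has(host)) {
    return { ok: false, reason: "unlisted host " + host };
  }
  return { ok: true, reason: "first-party host " + host };
}

// Constructed sample URLs (the .example hosts are placeholders).
const SAMPLES = [
  "https://steamcommunity.com/openid/login?openid.mode=checkid_setup",
  "https://steamcommunity.com.signin.example/openid/login",
  "https://steamcommunity.com@signin.example/openid/login",
  "http://login.live.com/",
];
for (const s of SAMPLES) {
  const r = checkLoginUrl(s);
  console.log((r.ok ? "OK   " : "STOP ") + s + "  (" + r.reason + ")");
}
```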

I have an idea on it just not the broader picture.

To quote a great man…

