TonyZales

Account security

Every purchase moves real money. We apply bank-grade protections so neither your account nor your money is exposed.

Mandatory 2FA for everyone

Even if someone gets your password through a leak, phishing or cross-site reuse, they cannot enter without the authenticator code. Activation is mandatory from the first login. We accept Google Authenticator, Authy, 1Password and any standard TOTP app. Step-by-step guide.

10 backup codes

When you enable 2FA you receive 10 single-use backup codes. If you lose the authenticator, you can enter with one. Each code is hashed with bcrypt in our database. Not even we can read them.

Country re-verification

If we detect your session is being used from a country different from the original login, we force immediate 2FA verification. Mitigates stolen sessions used from another location.

HMAC-signed cookies

2FA session cookies are signed with HMAC-SHA256 using a server secret. They cannot be forged or reused between users. Admin 4h, customer 24h. Stricter for sensitive roles.

Codes never by email

Tibia Game Codes are delivered inside your order panel, protected by your session + 2FA. We never send codes by email. Drastically reduces phishing and accidental forwarding risk.

Verifiable payments

Stripe, PayPal and NowPayments. Recognized processors with buyer protection. We do not process cards directly. Our database does not store PAN, CVV or similar.

Mind your side

We cover our part, you cover yours: do not reuse passwords across sites, do not share backup codes by chat, and do not trust “cheaper” offers in private messages. Any official Tonyzales communication comes from @tonyzales.com or from our authorized WhatsApp.

Audits and reviews

Every change to the payment or authentication flow passes external review (Codex audit) before merging to production. Critical findings are closed before deploy, minor ones are documented and resolved in recurring security sprints.

If you find a security issue, write to [email protected] with the detail. We do not publicly expose unpatched vulnerabilities.

Haven’t enabled 2FA yet?

It is mandatory to buy. Takes 2 minutes together.

Enable 2FA now