Guild Wars 2

I think this is the perfect time to give Gaile her frogs back from GW as compensation.

nice reaction..
“bla… we are sorry… security is important… bla” – deal with it

Wildkitten.3872:

Just to follow up on my previous post, something else occurs to me. I would assume Gaile’s GW1 account is linked to her GW2 account and if so, then the reset link would allow the PW to be changed inside of the GW2 account page as that controls the linked GW1 account. It would seem as if the two factor authentication for GW2 would be at risk because of the reset allowing them access to change the PW for GW1 inside it.

You really need to allow the use of more than one choice of two factor authentication and once again, a dedicated GW2 authenticator needs to be one of those options.

According to the original post on reddit, this was Gailes GM account that was hacked not her personal one, as someone posted a screen shot from the guild she was in showing she hadn’t logged in for 4 years, so AFAIK her personal account on GW1/GW2 was not affected.

But in saying that, I read what the person wrote on reddit, and it is scary to think that someone could just keep requesting from support until they find a support member who gives out the links to reset passwords etc, im guessing we wont hear a follow up about that though, but it will leave a lot of people wondering just how safe are their accounts even with 2 step auth on it.

Ok I Did It.2854:

but it will leave a lot of people wondering just how safe are their accounts even with 2 step auth on it.

If the third-party company isn’t following the rules, then not safe at all. You could have 900 security measures on the account and the CS reps could still hand out the account to anyone the jolly well felt like.

Haha, ggwp; Resetting a GM’s password without even checking anything. Hacker didn’t really do any harm he just proved a point. Your CS is bad and you should feel bad. Reading this post you’re not actually gonna DO anything though, good on you!

I’ll be impressed if you even manage to restore all the gold trims. Fun detail, most of the deleted trims were bought and sold. How are you gonna deal with that little conundrum? Since actually banning people for botting, gold trading, etc in GW1 is out of the question…

I think Anet got what it deserved. Just pointing out a very important fact, Anet was warned about their lack of account security. Who ever did this repetitively exclaimed, Anet has bad security. If anyone bothered to read the screenshots of what the hacker said while using the account, they would know.

The hacker did what is right using the wrong methods because nobody would listen. Now Anet has reaped what it has sown. They deserve it for ignoring an important issue brought to their attention months ago.

Sucks for Gaile but if Anet actually listened to the community this hack would have never happened (Either she did not do her job or she was ignored by management which would mean she did not lobby enough to do her job effectively).

When Anet does actually listen to the community they listen to the wrong segment of the community. Example go to GW1 guru to instead of Top GW1 guild forums for balance. They made HA 6v6 after consulting pve community in GW1, it killed HA so bad they had to revert it back to 8v8. This is just one example of how Anet implement changes with input from the wrong segment of the community another is example WvW community being decimated by Anet’s incompetence.

Do not forget recent unwanted changes because they no foresight such as the GoB changes in GW2, due to over rewarding badges in WvW. Anet has a long standing history of screwing up their games. Luckily for them GW1 was an amazing that their poor management couldn’t kill until they released gw2 and ceased to support it. GW2 is also a good game yet they continually make questionable choices.

Conclusion/TLDR: Gaile or another employee had it coming. Kind of appropriate that Gaile was hacked though due to being the community liaison not being able to lobby enough to get serious security issue fixed. Anet has a long standing history of listening to the wrong segment of the community when making decisions or not listening at all. Anet was warned about this security threat months ago. The hacker even laments over the fact he was able to do what he did. Anet was warned their failed CS protocol implementation. Good Day, now maybe you Anet will be embarrassed enough to take action.

Fluffball.8307:

Ok I Did It.2854:

but it will leave a lot of people wondering just how safe are their accounts even with 2 step auth on it.

If the third-party company isn’t following the rules, then not safe at all. You could have 900 security measures on the account and the CS reps could still hand out the account to anyone the jolly well felt like.

I 100% agree, I just read the update on the topic on reddit, and the person who did it posted the full convo with support, its kind of shocking just how easy it was for them, and considering that some people have put $1000’s into there account it makes it even worse, Anet need to hammer down really hard on the support team that deals with these kind of requests, the fact its now been posted all over reddit just how easy it is, its only a matter of time until we see people posting on here that they have lost there accounts because support gave them away.

Hvaran.6327:

Mike O Brien.4613:

Mo

How do we know that it’s you and not hacker posting from your account?

Tell me the name of your first pet, please.

I admit I chuckle at this every time I see it.

Maybe you should have handled it like you handled someone hacking one of my accounts. Have support give it back to me THREE times after proving personal credit card info used to purchase it, then claim the other party had data sufficient to claim it as theirs as well, then completely ban the account and just kept the money I spent on the purchase. (No offer of a refund, just a big middle finger after banning me off the forums claiming it wasn’t my account.) I hope they gave away everything and deleted all of the characters. Couldn’t happen to a more deserving person. Tastes a bit like Karma.

Heisenberg.1403:

Maybe you should have handled it like you handled someone hacking one of my accounts. Have support give it back to me THREE times after proving personal credit card info used to purchase it, then claim the other party had data sufficient to claim it as theirs as well, then completely ban the account and just kept the money I spent on the purchase. (No offer of a refund, just a big middle finger after banning me off the forums claiming it wasn’t my account.) I hope they gave away everything and deleted all of the characters. Couldn’t happen to a more deserving person. Tastes a bit like Karma.

Gaile doesn’t handle support tickets, so I’m not sure why she’s the one who would deserve such a thing.

RedZebra.2345:

Seera ? No one has to worry. Account was given away. And that won’t happen again after this. And the wondering thing ? Why you say that? Any proof ? Oh the reddit 50% post, y lol.

And what proof do you have that it won’t happen again?

And it was not just any account that was given away. It was a GM’s account. An account that you would think have STRICTER security on it given that it has moderation abilities. So if their support staff gives away a GM’s account so easily, what does that say about how easily they could get ahold of my account or your account or someone else’s account.

Players have every right to be wary of how secure their account is after such a grievous error was made by support. I’m not so worried that I’m panicked, but I will definitely be keeping an eye out for anything suspicious to indicate someone else has access to my account.

RoseofGilead.8907:

Heisenberg.1403:

Maybe you should have handled it like you handled someone hacking one of my accounts. Have support give it back to me THREE times after proving personal credit card info used to purchase it, then claim the other party had data sufficient to claim it as theirs as well, then completely ban the account and just kept the money I spent on the purchase. (No offer of a refund, just a big middle finger after banning me off the forums claiming it wasn’t my account.) I hope they gave away everything and deleted all of the characters. Couldn’t happen to a more deserving person. Tastes a bit like Karma.

Gaile doesn’t handle support tickets, so I’m not sure why she’s the one who would deserve such a thing.

At that point and time, YES, she did. Tickets that were 3 days and older. My ticket fit that criteria because it was over a MONTH old.

Mister O Brien, I hope you’ll read and I’ll be grateful if you recognize your implication in the recent events.

I’ve been hacked in July by the same method. Emails were changed by the support, and not only on one account, but on three of them in the same week. So a hacker can take the access to anybody’s accounts in a couple of days, but it took me 2 weeks to get the access back.

The result is the loss of everything I did the last 10 years, the hundreds of euros spent in your compagny for nothing.
You said support needs very specifics information to be sure to talk with the owner of the account, so tell me what information the hacker sent you to get the access to my 3 accounts ? They were all different, with different personal information, emails not used for 10 years, so don’t tell me to securize my computer.

During the last few months, many people with money have been hacked by the support and you didn’t give a kitten about it. Don’t tell us our accounts are safe, I lost my beloved characters and hundreds of hours of hunt for my collections thank to your incompetence. I had a part of Guild Wars history in my possession, all in hacker’s hands now.

I want my characters and stuff back, it’s time to wake up and realize there’s a serious problem with your teams.

Mike, I have all of my account verification info and so I am not at all concerned that I will ever need to email support and ask for access to my account without, say, my serial number. Can I send a support ticket for my account to be flagged with something like “Attention CS Agent: If someone requests access to this account and does not have every little verification detail you’d like to see, have no mercy, grant no access.”? Is the answer that this is your policy anyway so no need to flag?

When the same thing happened to me and my GW1 account was cleaned out I felt pretty violated, and didn’t even want to log into GW1 again afterward – and I’m pretty attached to the game. GW1 security is terrible, and if not for two factor authentication they would have been able to get into and clean out my GW2 account as well from the security holes in the old system.

I’m really sorry to hear this happened to Gaile, though not surprised – enough famous accounts / guilds have been cleaned out and stolen at this point that it was probably only a matter of time. If only this can be the one to force security procedures to be cleaned up.

Might as well throw in that I know numerous people were able to get accounts back with little to no info at all for a long time now, at this point you can just tell support to give you this account email back and they will do it.

This is the best first hand example i have, everything is verbatim from the email except for info being taken out (this account was perma banned as well as had a forgotten password):

Hello, I wanted to try and get out some nostalgia out playing guild wars, but I’m having trouble logging into my account, is there any way you can help me out? Thanks

Hello *******,

Thank you for contacting Guild Wars 2. I am sorry you are having issues with your account.
I have verified your information, unblocked your account, and sent a password reset to your email. If you have any other problems please feel free to contact me. Have a good night.

Regards,

GM ********
Guild Wars 2 Support Team
http://help.guildwars2.com/

I can see this takes some pretty hardcore “social engineering”.

K A O S Theory.6825:

Might as well throw in that I know numerous people were able to get accounts back with little to no info at all for a long time now, at this point you can just tell support to give you this account email back and they will do it.

This is the best first hand example i have, everything is verbatim from the email except for info being taken out (this account was perma banned as well as had a forgotten password):

Hello, I wanted to try and get out some nostalgia out playing guild wars, but I’m having trouble logging into my account, is there any way you can help me out? Thanks

Hello *******,

Thank you for contacting Guild Wars 2. I am sorry you are having issues with your account.
I have verified your information, unblocked your account, and sent a password reset to your email. If you have any other problems please feel free to contact me. Have a good night.

Regards,

GM ********
Guild Wars 2 Support Team
http://help.guildwars2.com/

I can see this takes some pretty hardcore “social engineering”.

It’s obvious you asked for a reset with the same mail than the account. There is absolutely no need for them to ask more informations since you already have everything you need : the e-mail attached to the account.

However, it wasn’t exactly the case if you asked your account back with another e-mail that doesn’t match with it. And the issue is the fact that it’s apparently easy to steal an account using a new e-mail adress.

I’m pretty sure Gaile was the Team Lead for the CS Team, just as Michael is now.

According to Michael, she used to ‘handle tickets’, just as he does now.

http://www.guildwars2guru.com/arenanet-tracker/topic/339870-a-little-movement-here-in-cs-world/

Inculpatus cedo.9234:

I’m pretty sure Gaile was the Team Lead for the CS Team, just as Michael is now.

According to Michael, she used to ‘handle tickets’, just as he does now.

http://www.guildwars2guru.com/arenanet-tracker/topic/339870-a-little-movement-here-in-cs-world/

My bad then. I stand corrected.

the only sort of two-factor auth GW1 have is the character name, if you even call that two-factor auth.

Mike O Brien.4613:

[…]
The hacker was able to use Gaile’s GM access to manipulate guild trims, but mostly he handed out Gaile’s personal items that she had collected from years of playing GW1.
[…]

Mo

sooo does that mean some other players now has the unique frog minipets from gaile? :O

And this is why there should be item recovery systems in place.

I sure as hell hope you guys reimburse Gaile.

Seeing as how GW2 accounts can be protected thanks to 2-factor authentication, now the concern is how secure is my personal information with Anet? For the longest time, I assumed Anet provided an in-house team of Customer Service agents. It made sense, because they’d respond with “GM” nicknames, making them sound official. Now that people are saying everything’s been outsourced, I’m wondering how much access this 3rd party company has. Is my creditcard number encrypted, so even CS or Anet employees can’t see it? Should I worry that my personal info is accessible to people outside of Anet? Or the million dollar question: Can we trust this 3rd party company with our info?

sirsquishy.2619:

MO – then explain how exactly they obtained access into the GM’s account if you do not accept personal details as proof of account ownership.

So much contradiction in your statement there, its not even funny.

He did explain. The hacker found a CS Agent who ignored the requirements.

Smooth Penguin.5294:

Seeing as how GW2 accounts can be protected thanks to 2-factor authentication, now the concern is how secure is my personal information with Anet? For the longest time, I assumed Anet provided an in-house team of Customer Service agents. It made sense, because they’d respond with “GM” nicknames, making them sound official. Now that people are saying everything’s been outsourced, I’m wondering how much access this 3rd party company has. Is my creditcard number encrypted, so even CS or Anet employees can’t see it? Should I worry that my personal info is accessible to people outside of Anet? Or the million dollar question: Can we trust this 3rd party company with our info?

I must admit to being a bit curious about this as well.

Oh hey, so now GW2 has had its own version of the Bashiok incident from WoW.

It’s always sad how stuff like this has to happen before a company learns its lesson in regards to things like security. Well, sad for the company. I find this hilarious and hope it finally lights a fire under ANet’s collective buttocks. As they say: ggnore

oshilator.4681:

I used to do CS for a large banking company in my area. We would occasionally have somebody call in & attempt to fraudulently gain control of a customers account. After the first attempt, notations would be made on the account to give the next CS rep a heads up. After the second attempt, the account would be marked as “Transfer to Fraud Dept Immediately” if the hacker called again and the account would be locked down. The customer would also be notified.

Yeah this should be mandatory procedure and so easy to do.

Thank-you for the update.

There’s a few posts blaming ZenDesk. I wouldn’t blame ZenDesk, it’s a customer service platform (like WordPress is to websites) not a service provider. More than likely it’s a breakdown in the understanding of the standard operating procedure for these ticket types. I’m sure Anet is having some strong words with the service provider.

No. Now that this is rapped up…

I’m not really happy with this answer at all. It seems to imply all is well and wonderful as long as you have an authenticator. But if any joe schmoe can just email support and ask for it to be removed than there is no point to the authenticator. If this guy was so easily able to get them to reset the email for him with the WRONG information (he posted what he wrote on Reddit and the only correct info he gave was her name, email address and the name of her character), then what is going to stop this same thing from happening when a “hacker” decides to remove an authenticator?

And there are reports that this is not a one off incident either. You need to retrain your CS staff or get a new company to do it. There needs to be more stringent measures for password resets and authenticator removals. You should not be able to get a reset with simply your name, email and name of character.

Gaile Gray.6029:

RoseofGilead.8907:

Inculpatus cedo.9234:

I’m pretty sure Gaile was the Team Lead for the CS Team, just as Michael is now.

According to Michael, she used to ‘handle tickets’, just as he does now.

http://www.guildwars2guru.com/arenanet-tracker/topic/339870-a-little-movement-here-in-cs-world/

My bad then. I stand corrected.

No, Rose, you were correct.

I was never CS Lead. I was Support Liaison, and the thread I created and maintained was in place to allow me to review CS decisions and see if we could come up with a better outcome for players. It also allowed me to ask CS of they could handle tickets that may have lingered too long in the system, or have fallen through the cracks. I didn’t make CS decisions; I aided players in getting the most positive outcome possible. Get it? I wasn’t making decisions — I was helping players.

And whether I was CS Lead or not, saying “You deserved it” is inappropriate and cruel.

Saying I failed at my job — which I have not held in two years — is unfair and inaccurate. If the company erred in handling someone’s issue, or if there were issues that were not handled to the satisfaction of a player or group of plalyers, whyever would it be seen as “karma” for me, personally, to suffer loss?

Ok, that’s what I thought, but I wasn’t completely sure. Regardless, as you said, it doesn’t really matter what your job was or what cases you might have participated in because it doesn’t mean you deserve to have your account hacked.

oshilator.4681:

I used to do CS for a large banking company in my area. We would occasionally have somebody call in & attempt to fraudulently gain control of a customers account. After the first attempt, notations would be made on the account to give the next CS rep a heads up. After the second attempt, the account would be marked as “Transfer to Fraud Dept Immediately” if the hacker called again and the account would be locked down. The customer would also be notified.

Long story short – At what point was Gaile notified and what, if any, actions were taken by your CS team to secure the account before it was compromised?

If this is how your CS team handles situations like this, then we have a problem.

Probably a few thousand problems.

There are a few.logistics.limitations that have come underaporeciated.
You, as a.bank, have access.to several.contact details, like phone, email address, fax whatsapp, person-to-person villager shouting train express, etc.

Arenanet, however, only has your account and the mail associated with it as a method to contact you, so they can’t.exactly communicate with you through a ‘safe’ method as the mail is likely to have been ‘dobiously accessed’. There is also no local office where you’ll see an angry client will enter asking why their account was locked, so you can’t “bet” the client will get the initiative and ask.

They also might have contact.data based on purchases of.digital versions of things, but that they arent.exactly allowed to.keep as.they.don’t process it either.

My bad. I stand corrected. My apologies, as well.

Gaile Gray.6029:

No, Rose, you were correct.

I was never CS Lead. I was Support Liaison, and the thread I created and maintained was in place to allow me to review CS decisions and see if we could come up with a better outcome for players. It also allowed me to ask CS of they could handle tickets that may have lingered too long in the system, or have fallen through the cracks. I didn’t make CS decisions; I aided players in getting the most positive outcome possible. Get it? I wasn’t making decisions — I was helping players.

And whether I was CS Lead or not, saying “You deserved it” is inappropriate and cruel.

Saying I failed at that job — which incidentally I have not held in two years — is unfair and inaccurate. If an agent erred in handling someone’s issue, or if there were security issues that were not handled to the satisfaction of a player or group of players, whyever would it be seen as “karma” for me, personally, to suffer loss?

And saying “We/I did this to get your (company’s) attention” is reprehensible. Hurting a person to send a message is inhumane and wrong.

Gaile, is it true you lost your frog? ;-; I hope you can get your frog back if you lost it.

Rainiris.1975:

oshilator.4681:

I used to do CS for a large banking company in my area. We would occasionally have somebody call in & attempt to fraudulently gain control of a customers account. After the first attempt, notations would be made on the account to give the next CS rep a heads up. After the second attempt, the account would be marked as “Transfer to Fraud Dept Immediately” if the hacker called again and the account would be locked down. The customer would also be notified.

Long story short – At what point was Gaile notified and what, if any, actions were taken by your CS team to secure the account before it was compromised?

If this is how your CS team handles situations like this, then we have a problem.

Probably a few thousand problems.

There are a few.logistics.limitations that have come underaporeciated.
You, as a.bank, have access.to several.contact details, like phone, email address, fax whatsapp, person-to-person villager shouting train express, etc.

Arenanet, however, only has your account and the mail associated with it as a method to contact you, so they can’t.exactly communicate with you through a ‘safe’ method as the mail is likely to have been ‘dobiously accessed’. There is also no local office where you’ll see an angry client will enter asking why their account was locked, so you can’t “bet” the client will get the initiative and ask.

They also might have contact.data based on purchases of.digital versions of things, but that they arent.exactly allowed to.keep as.they.don’t process it either.

I would gladly give them my phone number so they can verify with me personally if in the future some mysterious person decides they want to reset my password or something. I would also gladly even send them a photo id. Really would prefer stricter measures for account security in general.

back when i was playing GW1, i had character with 23/30 title. account got hacked. gold and items lost, and to make matter worse the hacker deleted that character with 23/30 title. i gave up interest playing GW1 after that.

Gaile Gray.6029:

I aided players in getting the most positive outcome possible.

Where I work, I sit next to a team of people who have roles similar to this. All they want for the community is the very best, and I know that’s what you want for the community of GW. I know I’m just one of many many people on this forum, but I’m upset for you and what’s going on. I hope things get better soon

Hmmm, this is true. How much can we really trust these people? Who are they? What is the name of the company they use for this? I wouldn’t mind having more info about them.

Mike O Brien.4613:

Last night a hacker socially engineered one of our CS agents to gain control of Gaile’s account, and accessed GW1 using it. Gaile of course has two-factor auth on her account, and despite the social engineering, the two-factor auth worked and protected her, so the hacker had no access to her forum or GW2 accounts. Only GW1 pre-dates our 2FA/SMS system.

To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.

We want to protect all accounts as much as we want to protect our own. Some of you were particularly concerned about the impact to the game of hacking a GM account. You should know that we don’t give GM accounts or any accounts the ability to cheat progress, synthesize items, or manipulate the game’s economy. We play the game the same way you play the game. The hacker was able to use Gaile’s GM access to manipulate guild trims, but mostly he handed out Gaile’s personal items that she had collected from years of playing GW1.

We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.

Mo

Again,

Is Robert Gee going to re-add the gold capes? Since THIS incident is related no thanks to the mod who removed my post rude.

Sorry to hear about your account Gaile. I hope you’ll get your items back.

Is Social Engineering a clever way to say “charmed”? I’m just not familiar with such a term.

Gaile Gray.6029:

If an agent erred in handling someone’s issue, or if there were security issues that were not handled to the satisfaction of a player or group of players, whyever would it be seen as “karma” for me, personally, to suffer loss?

And saying “We/I did this to get your (company’s) attention” is reprehensible. Hurting a person to send a message is inhumane and wrong.

The hacker(s) certainly went too far if their intent was to send a message or get attention to the issue. Proving you can access something or even drawing some attention to yourself (like was done in GW’s chat) while doing it can be effective, and isn’t uncommon in the security world. But using that access to steal/destroy items or deal damage to other people is way over the line of making a point. There is no excuse for doing that, and no one deserved having it done to them.

It’s very unfortunate that you were the target of this, and I hope you’re able to recover anything of value (real or sentimental) that was lost.

And looking forward, I hope this does show the need for getting strict adherence to support policies. The policies in place seem to be mostly good, but they don’t mean anything if agents aren’t following them. There needs to be some change to make sure this doesn’t happen again…to any of us.

Obtena.7952:

Is Social Engineering a clever way to say “charmed”? I’m just not familiar with such a term.

Yes, sort of.

‘Charmed’ implies getting someone to change their mind via charisma (or perhaps magic?). Social Engineering suggests that the ‘hacker’ does research first about what sort of systems are likely to be vulnerable, the type of people within those systems, and then uses specifically-chosen ‘facts’ to fool the weakest links.

In contrast, a confidence scheme requires knowing the actual people, rather than just knowing things about them.

That said, a lot of people throw around the various terms indiscriminately. “Hacking” in its original usage just meant getting around a systemic problem by doing something clever (many of the most infamous ‘hacks’ were physical and social, nothing to do with computers). Now, of course, most it’s more often used to refer to people using technology in some way to do something wrong.

tl;dr MO described a social engineering hack that shouldn’t have succeeded based on ANet’s guidelines/procedures and yet somehow did.

Gaile Gray.6029:

RoseofGilead.8907:

Inculpatus cedo.9234:

I’m pretty sure Gaile was the Team Lead for the CS Team, just as Michael is now.

According to Michael, she used to ‘handle tickets’, just as he does now.

http://www.guildwars2guru.com/arenanet-tracker/topic/339870-a-little-movement-here-in-cs-world/

My bad then. I stand corrected.

No, Rose, you were correct.

I was never CS Lead. I was Support Liaison, and the thread I created and maintained was in place to allow me to review CS decisions and see if we could come up with a better outcome for players. It also allowed me to ask CS of they could handle tickets that may have lingered too long in the system, or have fallen through the cracks. I didn’t make CS decisions; I aided players in getting the most positive outcome possible. So as you can see, I wasn’t making decisions — I was helping players.

And whether I was CS Lead or not, saying “You deserved it” is inappropriate and cruel.

Saying I failed at that job — which incidentally I have not held in two years — is unfair and inaccurate. If an agent erred in handling someone’s issue, or if there were security issues that were not handled to the satisfaction of a player or group of players, whyever would it be seen as “karma” for me, personally, to suffer loss?

And saying “We/I did this to get your (company’s) attention” is reprehensible. Hurting a person to send a message is inhumane and wrong.

Wow

Gaile Gray.6029:

No, Rose, you were correct.

I was never CS Lead. I was Support Liaison, and the thread I created and maintained was in place to allow me to review CS decisions and see if we could come up with a better outcome for players. It also allowed me to ask CS of they could handle tickets that may have lingered too long in the system, or have fallen through the cracks. I didn’t make CS decisions; I aided players in getting the most positive outcome possible. So as you can see, I wasn’t making decisions — I was helping players.

And whether I was CS Lead or not, saying “You deserved it” is inappropriate and cruel.

Saying I failed at that job — which incidentally I have not held in two years — is unfair and inaccurate. If an agent erred in handling someone’s issue, or if there were security issues that were not handled to the satisfaction of a player or group of players, whyever would it be seen as “karma” for me, personally, to suffer loss?

And saying “We/I did this to get your (company’s) attention” is reprehensible. Hurting a person to send a message is inhumane and wrong.

Oh, Gaile. ;.; My heart is broken for you. I can’t even conceive of losing so many irreplaceable items, to say nothing of the gut punch this must have been for you. I’m so sorry this happened. I really hope you get your stuff back — after everything you’ve done for ANet and this community, if anyone deserves a restoration, it’s you.

Gaile Gray.6029:

RoseofGilead.8907:

Inculpatus cedo.9234:

I’m pretty sure Gaile was the Team Lead for the CS Team, just as Michael is now.

According to Michael, she used to ‘handle tickets’, just as he does now.

http://www.guildwars2guru.com/arenanet-tracker/topic/339870-a-little-movement-here-in-cs-world/

My bad then. I stand corrected.

No, Rose, you were correct.

I was never CS Lead. I was Support Liaison, and the thread I created and maintained was in place to allow me to review CS decisions and see if we could come up with a better outcome for players. It also allowed me to ask CS of they could handle tickets that may have lingered too long in the system, or have fallen through the cracks. I didn’t make CS decisions; I aided players in getting the most positive outcome possible. So as you can see, I wasn’t making decisions — I was helping players.

And whether I was CS Lead or not, saying “You deserved it” is inappropriate and cruel.

Saying I failed at that job — which incidentally I have not held in two years — is unfair and inaccurate. If an agent erred in handling someone’s issue, or if there were security issues that were not handled to the satisfaction of a player or group of players, whyever would it be seen as “karma” for me, personally, to suffer loss?

And saying “We/I did this to get your (company’s) attention” is reprehensible. Hurting a person to send a message is inhumane and wrong.

Sorry this happened to you Gaile, I hope CS over there can find out who is responsible for this and dish out the punishment they deserve! I think that the original Guild Wars could use a little more love and moderation too. I see gold sellers in every main city and district now and I know a lot of Guild Wars 2 players who never played the original Guild Wars are just starting out and mention that the game seems like it was abandoned.

Nothing is 100% secure. Nothing.

What you do with your sensitive information while knowing that is up to you.

~EW

Mike O Brien.4613:

To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.

*We want to protect all accounts as much as we want to protect our own.

We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.*

Mo

As more than one person said in this very thread this is not the first and it will not be the last time it happened. You as Arenanet need to review all the policies that are in place for the CS support. You as Arenanet (as per the part that are in bold in the message quoted) need to change the way the CS works after changing the third-party company that handles your CS.

This is what serious companies do when they got these enormous security issues.

Mike O Brien.4613:

We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.

We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.

Mo

These two sentences bother me the most.

WHY wasn’t Gaile’s account flagged after the first two or three attempts? Do your CS reps not talk to eachother?

Color me skeptical about just how seriously you take account security.