Guild Wars 2

When I tried to log in today I was asked to verify my account using 2-factor verification. I found this alarming, as I haven’t needed to use the authenticator since installing the game and I logged in just fine yesterday without needing to use it.

Unfortunately, it’s been so long since I used 2-factor verification that I have since had to wipe my phone and install a new ROM on it. I did this without first disabling two-factor verification in my GW2 account, because I didn’t realise I needed to. So today, when the game asked me for it, I had to re-download the Google Authenticator from the Play store, set it up and link it with my Google account as if this was the first time I was using it.

Then, when I finally entered the verification code in the game client, I got

The account name or password you entered is invalid. Please check your information and try again.

I assumed I had been hacked, so I went through to account recovery. However, after several hours of trying to find my original serial code, I can’t find a single trace of it – I don’t even remember if it came in a box or an email (though I’ve asked a few friends who bought the game from the same e-tailer as I did so I’ll hopefully have an answer to that soon).

After a bit of calm reflection though, I realised it’s unlikely that I have been hacked, for the following reasons:
1. if a hacker had accessed my account and changed my password, I would have received an email notifying me of this at the email addressed associated with my GW2 account. You know, the type of emails with “if you did not change your password click here” links. I’ve combed through my account and there’s no such email.
2. Additionally, during log in, I’m first asked for my username and password, and then for the verification code, and only after that am I told that my login details are invalid. I believe if my password had been changed by a hacker and I was entering the wrong one, the client would have stopped me before reaching the 2-factor verification stage, not afterwards. So the invalid info must be the authentication code I entered.
3. if my account had been hacked, surely the first thing a hacker would have done is disable 2-factor verification so they could log in from anywhere?

I’ve therefore concluded that it’s more likely an authenticator issue: I did not unlink the authenticator from my account before I went and wiped my phone. The Google Authenticator needed setting up and associating with my account all over again (scanned the barcode off google’s website and everything), so it counts as a new instance of the authenticator, one which my GW2 account is not associated with!

Since I can’t log into my account without a linked authenticator app, I can’t disable two-factor verification. And since I can’t find my serial code,, I can’t use the “recover your account” option either. So I’m kinda stuck!

My questions for support:
1. Based on the information I provided above, do you believe I have been hacked, or is this a 2-factor verification issue
2. can you disable 2-factor verification from my account for me?
3. can I recover access to my account without my serial code?

Thanks!

This isn’t something for the forums, but for Customer Support. Top of Page – Support – Submit a Request. Good luck.

I’ve contacted support as well, but I’d appreciate opinions on whether my problem is a hacked account or 2-step verification based on other people’s experiences as it might help my interactions with support.

The only opinion that would really matter would be Customer Support’s. They have all the necessary data to determine what the issue is.

Support got back to me, disabled 2sv on my account, and I’m able to log in, so it’s safe to say I haven’t been hacked!

I don’t know if this is the place for suggestions, but it’d be nice if ANet could implement backup codes for 2-step verification, like Google has: https://support.google.com/accounts/answer/1187538?hl=en
In my case it was a case of my own stupidity not disabling 2step before reflashing my phone, but in cases where someone’s phone breaks or is stolen they’ll be locked out of their account. Backup codes are already built into Google’s system so they should be an easy backup to implement!

As others have stated, this needs to be taken up with a Support Ticket, but keep in mind that if someone hacked your email, they could easily be logged into your email when they request the PW change and delete the notification and link email before you ever get a chance to see it. They do NOT want you to know the email has been hacked so they can continue to use it to try and compromise anything you have connected to it.

This happened to me about a month ago and the only thing that tipped me off (I am not regularly playing the game at this point) was the “How was your support experience?” email I got from GW2. I immediately changed the email password and contacted support to regain my account (that I was sure had been stripped and ravaged).

Turns out I either didn’t have anything the hacker wanted or he was planning to come back and clean me out at a future time (I had 100G in a personal Guild he didn’t touch). I couldn’t find a thing he removed or sold (I still had about 10 G in my wallet and over 1200 gems). Support told me he logged in for about 3 minutes over a week before I even knew what had happened, so I guess I got off lucky.

I’m not sure I want to discuss the events of how easy it was for the hacker to change my password via support in the first place. I’m still quite upset that he could send a 6 word email to them and get the password reset and I had to answer over a dozen questions to get it reset after I told them i never asked for the original password reset.

Bottom line is the email account I was using had an old password that I reused for over a decade, so it’s no surprise that account got hacked. Funny / Stupid thing is I had been changing all my passwords for over a few years so none of them were ever reused, but since I use that email account so rarely, I never got around to changing the password (should have been the first one to change since it was the password I had reused at dozens of sites over the last 15 years).

I had the same problem today also. Also a new phone. I received an answer from Anet within 5 minutes of sending in my support ticket. That’s pretty speedy. They removed my authenticator for me.

Yep, mine was sorted pretty quickly as well

@Grimm that gave me something to think about, think I’m gonna change all my passwords just in case then. (though I also have 2fv on my GMail, and if anyone managed to bypass that for both gmail and gw2 that’s pretty worrying!)

@Gaile thanks for passing it along!