Guild Wars 2

Password change? I get what you are saying, hackers are trying email addys/usernames and known passwords to grab accounts.

But why the rush now? Are you guys aware of a specific threat of this nature? And is it not just random emails – is there a list floating around with specific usernames on it? I’ve never posted on the forums or social media in any way that could relate my email back to an active GW2 accounts. Which makes me wonder – why me? and why right now?

Reason I ask is that early this morning I had your “dodgy IP address” email pop up relating to a an IP address in China. Never had one of these before (apart from legitimate access attempts). Seems an odd coincidence that it’s around the same time you start beefing up security.

It’s almost as it a list has got out, and it’s trying to be nipped in the bud on the QQ. Please tell me to put my tinfoil hat away

On the plus side, the IP vertification token idea clearly does work – as long as you make your GW2 password different

All bold text is from September 21, 2012, https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

Lorimar.6235:

Password change? I get what you are saying, hackers are trying email addys/usernames and known passwords to grab accounts.

But why the rush now? Are you guys aware of a specific threat of this nature? And is it not just random emails – is there a list floating around with specific usernames on it?

“We watch as hackers use tens of thousands of different IP addresses to scan through millions of attempted account names and passwords, almost all of which are for accounts that don’t even exist in our database, looking for matches. They’re not guessing or brute-forcing passwords; they’re trying a very specific account name and password for each attempt. For example, account name “joe.user@example.com”, password “alligator101?. If they don’t get a match immediately, they may try a variant like “alligator100? or “alligator102?, then they quickly move on to the next entry on their list. "
https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

Lorimar.6235:

I’ve never posted on the forums or social media in any way that could relate my email back to an active GW2 accounts. Which makes me wonder – why me? and why right now?

Blacklist was enforced before September 21, 2012, password change wasn’t mandatory I think.
https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

Lorimar.6235:

Reason I ask is that early this morning I had your “dodgy IP address” email pop up relating to a an IP address in China. Never had one of these before (apart from legitimate access attempts). Seems an odd coincidence that it’s around the same time you start beefing up security.

Either you used the same information for GW2 on other sites that have been compromised, you’ve fallen for a phishing scam, password is too easy or you have a keylogger on your PC.
https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

Lorimar.6235:

It’s almost as it a list has got out, and it’s trying to be nipped in the bud on the QQ. Please tell me to put my tinfoil hat away

“The information stolen from database breaches is worth a lot of money to hackers, who can take the stolen account credentials and use them to attack each new game that’s released.”
https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

Lorimar.6235:

On the plus side, the IP vertification token idea clearly does work – as long as you make your GW2 password different

Thousands of people still use the same password for GW2 as they do for many other sites.

I guess they are fed up with letting their support people working overtime with resurrecting accounts that have been stolen because of recycled passwords. An easy solution is to force anybody to change their passwords at least once.
If people start to recycle their passwords again, the mandatory change might be repeated.

I have unique mail and password and I will have to change it too. (In fact I have done it already.)

Veeber.3192:

All bold text is from September 21, 2012, https://www.guildwars2.com/en/news/mike-obrien-on-account-security/
. . .

That link addresses your concern. This isn’t “new”. It was published back in September:

“Password Blacklisting

Since we’ve been observing hackers constantly scanning accounts that don’t even exist yet, waiting for someone to create those accounts, we obviously want to make sure that if those new customers do join the game, they don’t use the password that the hackers are waiting for. Thus we’re building a blacklist of all the passwords that hackers are scanning for — it’s already at 20 million passwords and growing — and we’re preventing new customers from choosing any of those passwords. (The blacklist contains passwords only, not account names.)

This system has substantially eliminated hackers’ ability to steal new accounts, as all new accounts now cannot possibly match what the hackers have been scanning for. The rate of account hacking was about 1.5% for accounts created before this blacklist was in place, and is about 0.1% for accounts created after.

Because this has been so successful at protecting new accounts, we want to extend it to protect existing accounts too. But it’s harder for us to know whether passwords of existing accounts are known to hackers: it’s difficult to distinguish between a login attempt by the real customer and a login attempt by a hacker. So we’ll take the safe approach and ask all existing customers to change their passwords, and blacklist everyone’s old password in the process.

. . .In the coming weeks we’ll ramp up this call for players to change their passwords, and may require a password change for those users who haven’t already voluntarily changed their passwords." (September 21, 2012)