Plea to Support

in Account & Technical Support

Posted by: Brother Grimm.5176

I had an incident last month where my account was compromised, but fortunately the intruder did not do any damage (that I could find). While all that ended well (up to this point) and I did not need a rollback, the method that was used to access my account is very concerning to me and I apologize that I took this long to bring it up here and request that policy or something be changed at Anet’s customer support to try and prevent this from happening to others in the future.

My email associated with my GW account was compromised first (I can only guess, in fact, I have no direct proof of this as nothing looked out of place in the email account (that I rarely access)). This was 100% my fault as it was a decade old email account that I have NEVER changed the password on and I have admittedly used that password at dozens of sites in the past. It should have been the FIRST one I changed when I started using unique passwords for all my log ins several years ago, but since I rarely access the account, I never changed it. My bad and if I had lost everything in GW2, I would have accepted this as my stupidity.

HOWEVER, with only access to my email account, I still do not believe the hacker should have been able to send a single sentence email to GW2 support and get the password reset without a single question or verification of who the owner actually was. I GET that if the email came from the proper email address and did not appear to be spoofed Support would have no reason to suspect a hacker was pretending to be me and I understand they are busy and I’m sure they get those kinds of requests by the bucketful every hour but the fact that it was THAT easy to change the password still has me VERY concerned.

I had recently quit playing daily so the only thing that made me aware of this was an email from GW2 support in my email box asking, “How would you rate your recent support experience?”. I changed my email password immediately and had the horrid deep hole in the stomach feeling as I failed to log in here and my GW2 account. Looking at the email I realized what had happened and contacted support to try and regain control of my account (and prepare for a rollback (that I did not need)). Ironically, Support asked me about a dozen questions that I couldn’t even answer all of them without access to the account (I’m guessing I got about 9 or 10 correct with some possible spelling mistakes on character names) before resetting the password again. My mind continually went back to the fact that if they had asked these questions on the original request, my account would never have been at risk.

In the end it all appears to have worked out ok, but the ease with which my password was changed still upsets me and I eventually decided to write this (way too long) post in hopes that this can be avoided by others.

Gaile, PLEASE can you request that support obtain some level of information to verify the user / player prior to EVER considering changing a password? Thanks for the consideration (and sorry for the way too long post).

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

Posted by: Smooth Penguin.5294

Wow… just… wow. You had your e-mail compromised, and you have the nerve to blame Anet for allowing the hacker to gain access to your Guild Wars 2 account… through your e-mail address? If you had bank account information in your inbox, would you blame your bank if the hacker gained access to your financial information?

There are already steps available to provide multi-layered security to access your GW2 account. If you aren’t using them, that’s not Anet’s fault either. Please read the following:

https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

In GW2, Trading Post plays you!

(edited by Smooth Penguin.5294)

Posted by: Inculpatus cedo.9234

Do, or did, you have email or mobile authentication on your account? That might have been helpful, even with a new password. Was the email asking for a password change still sitting in your email account log? Usually people post about how many questions CS always asks whenever someone tries to access an account. They sure asked me a lot, and several times, as well.

Posted by: Brother Grimm.5176

I did not blame them, but asked that they consider changing their policy for changing a password. I get this is 100% my fault (and I THINK I stated that several times in my post).

My post is for someone to consider that this type of email compromise is VERY common these days and if a simple email exchange of information can prevent accounts from being compromised in the future, shouldn’t it be considered?

That is ALL I am asking.

Inculpatus – I agree the mobile authentication would have secured the account and I fully agree this is an example of WHY it should be used. Again, this compromise is 100% my fault and I accept that.

Here is what the hacker sent to support and the reply (I’ve blanked out personal info). This came from the “How was your Support” email that tipped me off.

xxxxx(Guild Wars 2 Support)
Jan 24 05:21

Hello xxxx,

Thank you for your patience during our investigation.

I have reset your Guild Wars 2 account password and an automatically generated e-mail containing a link has been sent to your xxxxxx@xxxxxx.net e-mail address. After clicking the link in the e-mail, you will be directed to the Guild Wars 2 Account Management page to enter your Guild Wars 2 account name and set a new password of your choosing. For maximum account security, please use a complex password that is used only for Guild Wars 2.

If you did not receive the automatically-generated e-mail, please check any spam/junk mail folders, because some e-mail services might flag the auto-generated password e-mail as spam.

Please let us know if you still are unable to locate the password reset e-mail, or if you need assistance with anything else.

Regards,

xxxxx
Guild Wars 2 Support Team
http://support.guildwars2.com/

xxxxxx
Jan 24 05:18

I LOST MY GW2 ACCT, NEED SOME HELP!

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

(edited by Brother Grimm.5176)

Posted by: Smooth Penguin.5294

So because your security is lacking, you want the company to put in even more verifications beyond what’s currently available? How far are you asking them to go? Phone call? If so, how do the CS Agents know that’s you on the other end of the line? Want them to request a signed letter? How do the CS Agents know if you really signed it, and it’s not a forgery?

You do realize that the best way to determine if someone is who they are is through the e-mail address connected to their game account? If you lose access to one of the things that should be the most secure, far worse things could happen than just losing a video game account.

In GW2, Trading Post plays you!

(edited by Smooth Penguin.5294)

Posted by: Gaile Gray

ArenaNet Communications Manager

I understand your situation, Brother Grimm, and I am sorry that that happened to you. (Glad, too, that the account was intact. Well, glad and about 100% shocked, too — usually the RMTers that steal accounts strip them within minutes, so this was an exceptional case!) I also can see that your post was made with a true motivation of helping, not blaming anyone for the compromise incident and I thank you for that.

I have mixed feelings about your suggestion. I’ve actually taken this up with the team on several occasions, advocating just what you seek. However, the bottom line is, if you lose your e-mail account, you’re at risk of much worse things than the loss of a game account.

We could institute more checks, yes. But presenting everyone with hurdles to get access through the e-mail address directly tied to the account would inconvenience a bunch of people — hundreds a day, I’d imagine — as opposed to preventing a tiny number of situations like the one you found yourself in.

I like the ideas in this thread: We offer e-mail and mobile authentication. We give you the tools to protect your account, rather than trying to block someone on the other side of an e-mail account compromise. I think that’s a pretty good system and I encourage players to take advantage of one of the authentication options for that extra security it offers.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: Brother Grimm.5176

Thanks for the reply and I just wanted to make the suggestion. Thanks for listening.

@ smooth Penguin – I have no idea why you felt the need to verbally attack my suggestion like this. Have a nice day.

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

Posted by: Smooth Penguin.5294

> Thanks for the reply and I just wanted to make the suggestion. Thanks for listening.
>
> @ smooth Penguin – I have no idea why you felt the need to verbally attack my suggestion like this. Have a nice day.

Because it’s not Anet’s fault, so they shouldn’t have to create additional barriers for a player’s lack of security. Plain and simple. By doing so, the actions of a single individual create inconveniences for thousands of others.

In GW2, Trading Post plays you!

Posted by: Gaile Gray

ArenaNet Communications Manager

You’re welcome, BG!

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet