Guild Wars 2

I have seen some people claim that the reason there are so many “hacked” accounts is because ArenaNet’s servers were “hacked” and that is how peoples’ accounts are being compromised.

Allow me to be clear, I do not believe this in the slightest.

What I would like, is for ArenaNet to PLEASE shoot this rumor down in any sort of official capacity so people will let that one go.

Like this guy who posted on my website:

“The reason so many accounts are getting hacked IS NOT because people have bad passwords. Although many people do have bad passwords, accounts are getting hacked because people have been getting through ArenaNet firewalls and are stealing account information.”

I mean, seriously? Without even a shred of evidence to support his claim. If any GW2/ArenaNet staff (nobody else) would like his IP so you can send the corresponding player-account a message, feel free to PM me =P.

That guy must really be naive, to think that just because lots of players get their accounts compromised, that it has to be a problem with Anet, is about as naive as you can get.

I have seen these kinds of unfounded statements made on the forums of other MMOs, they are usually made by people who are unable or unwilling to accept the fact that the problem is in fact on their end, and are just looking for a scapegoat

If it was the case that Anet had their system compromised they would be required to inform us of that.
And I have no reason to think that Anet has had any issues on their end in that regard.

Dragonlord.6748:

That guy must really be naive, to think that just because lots of players get their accounts compromised, that it has to be a problem with Anet, is about as naive as you can get.

I have seen these kinds of unfounded statements made on the forums of other MMOs, they are usually made by people who are unable or unwilling to accept the fact that the problem is in fact on their end, and are just looking for a scapegoat

If it was the case that Anet had their system compromised they would be required to inform us of that.
And I have no reason to think that Anet has had any issues on their end in that regard.

I’ve never lost an account to ‘hackers’ since I started playing subscription online games in 1997.
I’ve had no authentication emails on the email address for gw2, I was logged in and playing just 30 mins before my account was banned, neither my email or password has been changed by someone else and the only inkling of it being hacked was my ticket subject was changed by CS from “perma-banned for unknown reason” to “compromised account”.
Even the perma-ban message on attempting to log in doesn’t indicate any hacking.

but you’re suggesting that suddenly my account gets hacked and its my fault?

I run dual firewalls [one on my PC and then at router level].
So unsolicited incoming connections are refused and any time a program wants to connect out I have to allow it.

so how did these ‘hackers’ get my password as well as apparently so many others in such a short time?

none of my other game accounts [all with different passwords mine you] were hacked.

not my starcraft 2 account, my rift account, my SWtoR account … just gw2…

So no, it certainly looks like the problem is not on my end and rather someone else’s security is lax.

guess I’ll go back to waiting for the 7th day to see if my account gets any attention from CS despite a ticket [with subject edited by CS], posting on their sub-reddit and posting in the thread on this forum.

While I do think it is naive to assume that it is Anet’s fault automatically, I do think it is odd that people are being hacked so frequently, and it is the beginning of the launch of GW2, when they are most susceptible to hackers. And it would be easy for them to cover it up as well. If they said it didn’t happen, who would be the wiser?

Just because you have been playing for 15 years without getting hacked does not mean it cant happen or that you didnt do anything to cause it.

Did you use the same email and password for all games?
Do you use the same password for your email and your game accounts?

They have a list of emails and password from other games that has been compromised, since it seems a significant number of players use the same email and password combo for all games.

Its not like this is rocket science, common sense will get you a long way.
Dual firewalls helps nothing if they already have your password and email.

They dont necessarily have to hack your account, they could have gotten the information in other ways.

In 95% of cases like this the problem is with the user, either because they are stupid enough to use the same mail/password combo everywhere, falling for phising mails or a number of other reasons.

But to outright state that the problem is with Anet with no proof whatsoever to support it is just stupid.

Like yourself I have never had any issues with account security in my 15+ years of gaming, not even with GW2, because I take my computer and account security seriously.

Despite having a unique password for GW2 I still decided to change that as well as my mail address just in case.

If ArenaNet’s databases were “hacked”, there would be FAR FAR more “hacked” accounts and ArenaNet would be scrambling to force everybody to change their passwords/etc.

Compared to how many people are in-game, there really aren’t that many “hacked” accounts.

The problem, as has been stated by ArenaNet, is that other sites have been hacked and their databases mined for account info. Between that 3rd party security failure and typical brute-force methods (which only works on weak passwords), I think there are just the “right” amount of “hacked” accounts.

Sure, ArenaNet can implement extra security measures to help protect people but that would be out of the kindness of the developers, not because it’s their responsibility to protect people from themselves.

If ArenaNet comes on and says that they were “hacked” themselves, then I’ll retract my statements.

TouchOfRed.8359:

While I do think it is naive to assume that it is Anet’s fault automatically, I do think it is odd that people are being hacked so frequently, and it is the beginning of the launch of GW2, when they are most susceptible to hackers. And it would be easy for them to cover it up as well. If they said it didn’t happen, who would be the wiser?

I hate to burst your bubble, but I saw exactly the same problem with the launch of both Rift and SWTOR.
Thousands of players getting their accounts compromised in the first week after that game was launched.
I think its even more odd that it would happen with multiple games if the problem was with the company and not the player.

The account isn’t really with the company or with the players. Computerized programs such as bots can easily spam logins continuoustly for hours non end trying the most popular/most common user names. Alot of players use the same username for more then one game, which also means its much easier to find with a bot then if you switch it from time to time. Even changing or adding 1 letter/number to your username/password will decrease your chances of getting hacked. Hackers tend to simply steal your account, not for goods but to advertise a website.

I’m not saying everyone who got hacked and gets hacked uses easy to figure out account names, i’m just saying its probably bots that are spamming usernames and passwords non stop 24hours a day gaining access to hundreds of new accounts daily.

“I simply locked my account to my IP, it tells me the location, the IP, the time of whoever attempts to log on to my account. Therefor even if figured out, cannot be entered unless I approve”.

There’s always “flares” of compromised accounts starting with the game’s launch. Bottom line is, people can’t or are not willing to take responsibility for themselves and would rather blame the authority.

InstantIdiocy.8126:

I mean, seriously? Without even a shred of evidence to support his claim. If any GW2/ArenaNet staff (nobody else) would like his IP so you can send the corresponding player-account a message, feel free to PM me =P.

Do you have a shred of evidence to say that arena net wasnt hacked?

didnt think so.

Evarfrost.2741:

InstantIdiocy.8126:

I mean, seriously? Without even a shred of evidence to support his claim. If any GW2/ArenaNet staff (nobody else) would like his IP so you can send the corresponding player-account a message, feel free to PM me =P.

Do you have a shred of evidence to say that arena net wasnt hacked?

didnt think so.

If ArenaNet was compromised, they are required by law to report it to affected users. The fact that they haven’t yet is a good indication that there’s no problem on their side, and history has shown that most of the time it’s a user who failed on their side of security.

yes by law, look at other comapnies that have been “compramised” sony, took them over a week to tell people that credit cards have been stolen.

Blizzard took over a week to tell iran that WOW was no longer availible in thair country even though they baught mist of pandaria and are not giving refunds.

yes companies are supposed to tell us by law, doesnt mean they do.

Evarfrost.2741:

yes by law, look at other comapnies that have been “compramised” sony, took them over a week to tell people that credit cards have been stolen.

Blizzard took over a week to tell iran that WOW was no longer availible in thair country even though they baught mist of pandaria and are not giving refunds.

yes companies are supposed to tell us by law, doesnt mean they do.

Yet you cited companies that did report breaches. (Sony reported in a week, Blizzard reported in four days, Trion Worlds reported in less than six days.)

Blizzard’s issue with Iran is completely different and has nothing to do with IT security.

It’s really very obvious.

If ArenaNet’s servers were compromised, we would ALL be forced to change our passwords and such because we would all be compromised. They would not be just waiting for people to get hacked and tell them to send a ticket.

We don’t need to prove ArenaNet innocent of being hacked when all the available evidence points to poor personal security and 3rd party databases being hacked & mined for login data. The burden of proof is on the accusers, not the defenders.

they could have at least lessened this headache if they just did something simple like a mobile authenticator but apparently they thought otherwise

I’m not sure how much clearer they can make it than what’s posted on the Game status updates page.

Hackers have lists of email addresses and passwords stolen from other games and web sites, and collected through spyware, and are systematically testing Guild Wars 2 looking for matching accounts. To protect yourself, use a strong, unique password for Guild Wars 2 that you’ve never used anywhere else!

The ultimate problem is people using the same password on multiple sites (and yes I believe the responsibility lies on the users shoulders, not ANet). This is a simple problem to solve, just grab a copy of KeePass (or any of the other programs like it out there), install it, and use unique passwords everywhere. Yes it’s a bit of a pain, but it’s worth it in the long run.

I used a unique pass, made no difference as I still got hacked.

I don’t think the question should be is this Anet’s fault or ours. The main question is why are all of these accounts still permanently banned a full week later?

Diablo.8650:

I used a unique pass, made no difference as I still got hacked.

A unique password isn’t the only consideration but it is important.

Diablo.8650:

I used a unique pass, made no difference as I still got hacked.

Right, but if they have your e-mail account information, that’s simple to change. The point is to keep everything unique and secure (and you might want to check your machine to make sure they’re not getting the info directly from you), so that even if a hacker manages to get access to account information through somewhere (Blizzard, Sony, etc.) that they only get access to that single account.

One of the problems here is that an unique password is not sufficient.

“test123” and “test124” are unique passwords. They are both horrible passwords, however.

“Jvnm6GFLtkFjoHShQ9GT” and “s1HnIbrHzDmh9b0Y1tlr” are also unique passwords. And they are strong: they are length 20, and entirely random. Note that both length and randomness are pre-requisites for a strong password. Simple substitution (e.g., “3gr355” for “egress”) doesn’t create a random password, nor a strong one. Password cracking software these days can trivially do the same types of substitutions on dictionary words.

Pukka.6389:

The ultimate problem is people using the same password on multiple sites (and yes I believe the responsibility lies on the users shoulders, not ANet). This is a simple problem to solve, just grab a copy of KeePass (or any of the other programs like it out there), install it, and use unique passwords everywhere. Yes it’s a bit of a pain, but it’s worth it in the long run.

though I can’t completely disagree with this, they failed HARD even with their only line of security (which is a POS to begin with). You can’t expect people to spend real money if you can’t even do the bare bone basics in protecting your consumer base

mcl.9240:

One of the problems here is that an unique password is not sufficient.

“test123” and “test124” are unique passwords. They are both horrible passwords, however.

“Jvnm6GFLtkFjoHShQ9GT” and “s1HnIbrHzDmh9b0Y1tlr” are also unique passwords. And they are strong: they are length 20, and entirely random. Note that both length and randomness are pre-requisites for a strong password. Simple substitution (e.g., “3gr355” for “egress”) doesn’t create a random password, nor a strong one. Password cracking software these days can trivially do the same types of substitutions on dictionary words.

Correct, and the problem is a Strong password is one that can’t be easily remembered. I am going through a massive battle where I work trying to enforce strong password requirements, and all the business people are upset that they can no longer remember their passwords. This is why I suggested using something like KeePass to actually create and manage the passwords for you.

I got hacked on Tuesday and I believe though that it was probably due to bad practice on my behalf, I was using the same email and password I had used for Rift, that was the first game I was ever hacked in. They hackers are probably using the same list they got there and finding foolish people like me who didn’t change.

Having said that, I think more could be done by arenanet and in fact all MMO developers, to secure up things. Authenticators should be standard, accessing the ability to change key aspects of an account such as the email address too should be tightened up.

@Pukka: True. This article is a good (albeit shallow) overview of the issue: http://lifehacker.com/5785420/the-only-secure-password-is-the-one-you-cant-remember

fartbubble.1543:

though I can’t completely disagree with this, they failed HARD even with their only line of security (which is a POS to begin with). You can’t expect people to spend real money if you can’t even do the bare bone basics in protecting your consumer base

At the moment, they have the same amount of password security as most banks I’ve worked with. Yes I agree it would be nice to have additional security, but that’s only necessary to mask bad behavior in most cases.

Only time I have had an account hacked was when SOE had their database servers compromised a year ago by an outdated firewall compromising thousands of credit card holders (my credit card company disabled my card and notified me of it), and my WoW account that was inactive for 3+ years (I only played 4 months in 2006 and it was compromised in 2009 before the battle.net merge when I wasn’t even playing it). I rarely ever use the same login/password for each online game I play, I don’t even use the same password for my email and banking accounts, I have tons of different passwords to remember. And I don’t visit unfamiliar websites, I only surf on some forums and certain news sites.

Using simple passwords are the hackers’ wet dream, my sister uses “hawaii” for her email password, we didn’t even have to try to figure out what her password was, we just figured out what her obsession was and tried it- it was that stupidly simple.

I’m just afraid that it might happen to my GW2 account one day as well, I rather they added a security question to make it more difficult to hijack and change email/password under your nose.