There's serious phishing going on

in Account & Technical Support

Posted by: keshayra.2037

I was checking my emails and found no less than three emails claiming to say that an account password change was requested. I deleted these emails without clicking any link in them, so cannot provide any information about their source.

As I also play World of Warcraft I am pretty strict with keeping my login information for games I play safe. And after hearing what happened to Ebay I decided to make sure I had a new password for my GW2 account too.

My post is more meant as a warning to others playing to NEVER EVER click any link in an email even if it seems to come from the correct source. For example, if you receive an email telling you there’s a password change (like happened to me in triplicate) then delete the email, and go to your account and make sure you change the password used immediately. I also suggest deleting old login locations listed too, as I think keeping them on file increases the chance of someone compromising your account.

Also the same thing I always state for WoW applies here too. If an email claims to offer you something then always check that it’s actually valid and an active offer.

And finally do not ever go to sites other than the GW2 site because any unauthorized site could have code on it to key log stuff you do, such as capturing your username and password so therefore also make sure the two boxes to remember them are ticked.

And now for a question for the GW2 team: Are you ever going to make a version of the mobile phone authenticator that’s compatible with Blackberries? The versions you’ve got right now seem not to work with my Blackberry.

Posted by: Shaen.1729

Yep. I’ve gotten 6 password reset emails. After seeing them, I went and changed my GW2 password, partly for security purposes but also out of curiosity over whether or not the emails were legit Anet pw reset emails. Sure enough, they were because they were identical to the one I just generated myself. I haven’t played the game in months, so something’s going on, judging by the number of people I’m seeing reporting this same thing.

Posted by: mtpelion.4562

To be safe, do the following:

1. Run a virus/malware scan on ALL computers that you use to access the game or these forums.
2. Change your EMAIL password.
3. Change your GW2 password.
4. If not already enabled, turn on Email or 2-Factor Authentication.
5. Purge all allowed IPs from your Account Security page and re-authenticate.

If you are getting password reset emails, one thing is for certain: someone has your email address.

Server: Devona’s Rest

Posted by: sonicsix.5713

I have gotten 6 password change notices in the last few days, often multiple times a day. I certainly did not click the link in the email although it did appear to be valid, but I did come to the GW2 site and change my password.

Posted by: yamay.8075

I got one today, so I changed both my email password and GW2 account password.

Posted by: Brother Grimm.5176

If you get one of those emails and suspect it may be VALID I would suggest opening a ticket with Support and asking them if there are any current or recent open tickets for your account (if you can log in, they are obviously NOT valid). If they are obvious phishing emails, all you can do is ignore them… However, you may want to consider changing your GW2 associated email to either a PROXY address or a completely different email account (or BOTH).

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

Posted by: Breccardi.3106

I’ve gotten two of these in the past few days and I know I definitely haven’t requested password changes. I’ve already sent a support ticket about the issue; both to alert them to it and see what is going on/can be done on my end.

Posted by: gromvar.9378

No one has seemed to get into my account, but I have gotten 6 of them. I’ve changed my e-mail and scanned already.

Posted by: LadyMizu.2870

Yup, got two of them myself this morning, and I hadn’t touched the game in quite a while.

So… what the crap is going on?

Posted by: Gaile Gray

ArenaNet Communications Manager

Would-be hackers obtain lists of valid e-mail addresses and “ping” them against Guild Wars 2 to see if they can steal an account. They hope that they can get you to react carelessly, to approve access for them by not paying attention to the mail, not reading the remote location they’re coming from, etc.

They also obtain huge lists of “known passwords” through hacks of sites, such as the recent PayPal and eBay incidents.

And finally, a lot — the majority — of hacked game accounts are tied to hacked e-mail accounts. If I got those e-mails, I’d be asking a lot of questions, like “Is my e-mail secure?” or “Does my computer have a key-logger?”

If you want to change your user name, contact Support and we’ll work with you on that. I strongly encourage you to use a new e-mail account that you use nowhere else and that you choose passwords that are used only one time, and are quite complex. Be aware that if you issue a request for a new Account Name we will be required to establish that you’re the owner of the account, go through a verification process. But really, for security’s sake, you wouldn’t want us to react any other way.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: eleshazar.6902

Would-be hackers obtain lists of valid e-mail addresses and “ping” them against Guild Wars 2 to see if they can steal an account. They hope that they can get you to react carelessly, to approve access for them by not paying attention to the mail, not reading the remote location they’re coming from, etc.

They also obtain huge lists of “known passwords” through hacks of sites, such as the recent PayPal and eBay incidents.

And finally, a lot — the majority — of hacked game accounts are tied to hacked e-mail accounts. If I got those e-mails, I’d be asking a lot of questions, like “Is my e-mail secure?” or “Does my computer have a key-logger?”

If you want to change your user name, contact Support and we’ll work with you on that. I strongly encourage you to use a new e-mail account that you use nowhere else and that you choose passwords that are used only one time, and are quite complex. Be aware that if you issue a request for a new Account Name we will be required to establish that you’re the owner of the account, go through a verification process. But really, for security’s sake, you wouldn’t want us to react any other way.

Out of curiosity Gaile, why doesn’t Guild Wars have some form of bruteforce/dictionary attack protection? Such as if an account attempts 5 invalid credential sets in a row, they now have to solve a CAPTCHA, or they have to wait a minute before attempting again.

I work in Web Application Security myself, and a protection like this would vastly help reduce the amount of automated account hacks from guessing passwords. I understand that this does nothing to help when people get infected with a keylogger/RAT, get their email account compromised, etc. But it is something that might be worth the money to implement. A control like that can make bruteforce/dictionary attacks mathematically infeasible.

Just a suggestion from my own knowledge. I know that Anet takes security very seriously, so just thought I would offer up some advice.

EDIT: Removed the word simple because I understand that while the idea of something in IT is simple, it always takes a lot of hours to implement. Didn’t want to be insensitive.

All professions level 80| Champion Paragon, Phantom, Genius
Phoenix Ascendant [ASH] | Rank 80

(edited by eleshazar.6902)
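
The control suggested in the post above (five invalid attempts in a row, then a one-minute wait), sketched as an added example; it is not code from the thread or from ArenaNet, and `LoginThrottle`, `attempt` and `max_guesses_per_day` are hypothetical names.

```python
import time

MAX_FAILURES = 5      # threshold from the post: 5 invalid credential sets in a row
LOCKOUT_SECONDS = 60  # "wait a minute before attempting again"


class LoginThrottle:
    """Per-account consecutive-failure counter with a timed lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the lockout can be tested
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> clock value when lockout ends

    def seconds_locked(self, account):
        """Remaining lockout in seconds; 0 means an attempt may proceed."""
        until = self._locked_until.get(account, float("-inf"))
        return max(0.0, until - self._clock())

    def attempt(self, account, password_ok):
        """Record one login attempt. Returns 'ok', 'denied' or 'locked'."""
        if self.seconds_locked(account) > 0:
            # Refuse without evaluating the password, so a guess made
            # during the lockout reveals nothing, even a correct one.
            return "locked"
        if password_ok:
            self._failures.pop(account, None)  # success resets the streak
            return "ok"
        count = self._failures.get(account, 0) + 1
        if count >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            count = 0  # the streak restarts once the lockout has expired
        self._failures[account] = count
        return "denied"


def max_guesses_per_day(max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
    """Upper bound on guesses against one account per day (instant attempts)."""
    return (86400 // lockout) * max_failures
```

At these settings one account can be guessed at no more than 7,200 times a day. The counter is keyed per account, so it does not slow someone trying one leaked password against each of many accounts; that case needs limits per source as well.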

Posted by: frans.8092

Nothing ANet can do will help against phishing.

Posted by: Behellagh.1468

Nothing ANet can do will help against phishing.

Thought this was fitting when I saw it last Monday.

Attachments:

We are heroes. This is what we do!

RIP City of Heroes

Posted by: The Scarlet Raven.5416

Nothing ANet can do will help against phishing.

Thought this was fitting when I saw it last Monday.

I thought the same thing. We’ve had 3 officers in our guild hacked. These are all adults with college degrees and yet they fell for simple tricks. It seems that this latest round of hacks are attacking e-mail accounts. If your game is tied to a major e-mail provider (yahoo, gmail, hotmail, etc) then be careful. Your email password should be just as complex as your game password. Also make sure it’s never used elsewhere.

Years ago, my gw1 account was stolen. However I got lucky. The thieves were never able to log into the account because of the extra character name prompt on the login screen. They got my account thru Guru, a popular fansite. Guru had their database hacked and exposed lots of usernames and passwords. The admins at the site put out a message instantly warning everyone that if you were dumb enough to use the same password for the game and the fansite, you were at risk. I had a strong unique game password so I wasn’t worried. My guru password was a common throwaway one I use on forums.

A month later, my GW account was stolen. While trying to recover it I discovered my NCSoft master account that I had set up for a free storage pane and completely forgotten about. That master account had the same throwaway password on it. Ooops.

Posted by: Zaxares.5419

^ Scarlet, you suffered the EXACT same fate I did. XD My Guru password got stolen, but I thought I was safe too since my game password was exponentially more complex. But I also forgot that I’d created an NCSoft Master account years ago and forgotten that it even existed.

Lesson learned now. EVERY site/forum/game I have a login for has a unique password.

Posted by: innocens.1582

I don’t use my GW email anywhere else, and even I get the occasional ‘password reset’ email.

No one even knows this email address exists except Gmail.

I just delete them and check if I see any weird login IPs.
So far I did not see any 8-).

a man who doesnt make mistakes doesnt do anything

Posted by: hoegarden.4287

Same here innocens, I’m in the case where the spam mails arrive on an email address that isn’t even used to play Guild Wars…
My guess is that they target forums or fan websites with poor security and then try to access the account.
Also for Gmail users, it is pretty easy to make a lot of secondary emails if you need.

Posted by: eicer.9670

Sadly I was hacked too. But I don’t remember changing my password via an email msg link.
I did change my password through the game client login module, forgot password function, because I can’t log in anymore. Then tada!!! Stripped naked.

Posted by: Brother Grimm.5176

Nothing ANet can do will help against phishing.

Thought this was fitting when I saw it last Monday.

A quote from a previous boss I had… “You can’t fix stupid.”

We go out in the world and take our chances
Fate is just the weight of circumstances
That’s the way that lady luck dances

Posted by: Alatreon.2943

And for those who will listen, if you use a personal bank or guild bank make sure that the permissions for inactive accounts are updated to not be able to withdraw. As a personal victim, inactive accounts can still be hacked through emails and take anything that the permissions allow. This is especially the case in guild banks that have somewhat valuable items in them. In addition, Anet employees cannot restore these items, so it’s better to be safe than sorry.

Dark Sun Emperor Lord Commander Akral Silvermane the 3rd
[VLK] Henge of Denravi