Guild Wars 2

EDIT:
I have since figured out that the disconnect button will not remove a hacker from the game client. It only will remove them from the website account management. This is incredibly misleading, as the disconnect button appears when a hacker is logged into the game and, you would think, would remove them from it.

Original Post

Around two hours ago, roughly 3:10AM EST, I received an email notifying me of a login attempt from a Korean IP. I did not click anything in the email, navigated to the Guild Wars 2 website in my browser, logged into my account, and changed my password. Then I checked my Security page to make sure everyone was in order.

Everything was not in order. Somehow the Korean IP was listed under Authorized Networks and also had been logged in under Current Logins for about 5 minutes. I disconnected their current session and removed them from the Authorized Networks. I also noticed they added a mobile authenticator to the account, which is strange because it did not prompt me for a code when I logged in. I contacted Customer Support, who removed the authenticator about 6 minutes later. I also assumed my email must be compromised and took the steps of changing the password.

This should have been the end of the problem. However, despite having changed the game password, the email password, removing them from the Authorized Networks, and removing the mobile authenticator, the Korean IP continues to appear under Current Logins like clockwork almost as soon as I disconnect it. I would like to mention that the password I set was still working, so they had not reset my password and still somehow had maintained their login session.

Despite this, I reset my Guild Wars 2 password a second time. This did exactly nothing to stop the hacker. It was still appearing under the Current Logins (but not authorized networks) constantly. All the password changes did nothing to even slow this hacker down. At this point, the Customer Service changed my Guild Wars 2 email on the account to a different, secure gmail account (with account login history) and did a third password reset. This, again, had no effect. In gmail, I confirmed that no other IP has ever logged into that email address, and yet the hacker was still connecting without an issue.

It was now around 4:20AM EST, and despite constantly disconnecting them, two of my characters are completely naked with my gold, karma, bags, and gear gone. This brings up a number of issues.

1 – Hacker Persistant Log-In

While it is possible my first email was initially compromised, changing the password and even changing my Guild Wars 2 account email to a gmail account that I can 100% confirm was not compromised did not help secure my game account. Somehow, after the initial login session is granted to them, there was no way to revoke that login permission. I’m assuming the disconnect button on the Security page was booting them off the character, but not out of the launcher, but I have no way of confirming that. I was also unable to log into any characters during this entire period, as I would get a message alerting me that I was being logged in from another client during the loading screen every time.

2 – Why didn’t the Customer Support lock my account?

The damage could’ve been greatly reduced had the first action by Customer Support been to lock everyone, including me, out of the account while it was being fixed. I appreciate the quick response time to remove the mobile authenticator, but despite catching this person just 5 minutes into hacking my account, I still lost all of my currency/gear. I thought an account lock was standard procedure in these situations.

3 – Website Trouble

I spent the entire hour this was occuring refreshing the Account Security page and ran into two problems. Sometimes it would be blank below the Current Logins and Authenticated Networks, when I knew that was wrong because I was logged in myself. Other times it would load an XML error with the message “This XML file does not appear to have any style information associated with it. The document tree is shown below.” These errors greatly reduced how often I was able to disconnect this person, as reloading sometimes took a few minutes to get it to properly load.

This is something you would need to address with CS, not the forums. Good luck.

Yoshin.7102:

Around two hours ago, roughly 3:10AM EST, I received an email notifying me of a login attempt from a Korean IP. I did not click anything in the email, navigated to the Guild Wars 2 website in my browser, logged into my account, and changed my password. Then I checked my Security page to make sure everyone was in order.

Everything was not in order. Somehow the Korean IP was listed under Authorized Networks and also had been logged in under Current Logins for about 5 minutes. I disconnected their current session and removed them from the Authorized Networks. I also noticed they added a mobile authenticator to the account, which is strange because it did not prompt me for a code when I logged in. I contacted Customer Support, who removed the authenticator about 6 minutes later. I also assumed my email must be compromised and took the steps of changing the password.

This should have been the end of the problem. However, despite having changed the game password, the email password, removing them from the Authorized Networks, and removing the mobile authenticator, the Korean IP continues to appear under Current Logins like clockwork almost as soon as I disconnect it. I would like to mention that the password I set was still working, so they had not reset my password and still somehow had maintained their login session.

Despite this, I reset my Guild Wars 2 password a second time. This did exactly nothing to stop the hacker. It was still appearing under the Current Logins (but not authorized networks) constantly. All the password changes did nothing to even slow this hacker down. At this point, the Customer Service changed my Guild Wars 2 email on the account to a different, secure gmail account (with account login history) and did a third password reset. This, again, had no effect. In gmail, I confirmed that no other IP has ever logged into that email address, and yet the hacker was still connecting without an issue.

It was now around 4:20AM EST, and despite constantly disconnecting them, two of my characters are completely naked with my gold, karma, bags, and gear gone. This brings up a number of issues.

1 – Hacker Persistant Log-In

While it is possible my first email was initially compromised, changing the password and even changing my Guild Wars 2 account email to a gmail account that I can 100% confirm was not compromised did not help secure my game account. Somehow, after the initial login session is granted to them, there was no way to revoke that login permission. I’m assuming the disconnect button on the Security page was booting them off the character, but not out of the launcher, but I have no way of confirming that. I was also unable to log into any characters during this entire period, as I would get a message alerting me that I was being logged in from another client during the loading screen every time.

2 – Why didn’t the Customer Support lock my account?

The damage could’ve been greatly reduced had the first action by Customer Support been to lock everyone, including me, out of the account while it was being fixed. I appreciate the quick response time to remove the mobile authenticator, but despite catching this person just 5 minutes into hacking my account, I still lost all of my currency/gear. I thought an account lock was standard procedure in these situations.

3 – Website Trouble

I spent the entire hour this was occuring refreshing the Account Security page and ran into two problems. Sometimes it would be blank below the Current Logins and Authenticated Networks, when I knew that was wrong because I was logged in myself. Other times it would load an XML error with the message “This XML file does not appear to have any style information associated with it. The document tree is shown below.” These errors greatly reduced how often I was able to disconnect this person, as reloading sometimes took a few minutes to get it to properly load.

Very interesting and disturbing. There’s been a TON of account hacks going around recently. Anet, as well as certain forum regulars always find a way to blame the player, but it’s all really fishy, especially after hearing your story.

Don’t you find it funny how in less then an hour of an account being hacked, the email was changed. That is no way an account is hacked, proof of identity is done and the email is changed is the amount of time the OP posted. Also, if you re-read, the OP’s email was also hacked. That is not on Anet at all. When THAT occurs, it causes a lot of issues, outside of Anet’s control, especially when you leave the serial code to your game in your email, and the hack gets it.

Lord Kuru.3685:

Very interesting and disturbing. There’s been a TON of account hacks going around recently. Anet, as well as certain forum regulars always find a way to blame the player, but it’s all really fishy, especially after hearing your story.

It is indeed interesting. There are maybe a ton of account hacks. But there are also a ton who don’t get any hacks. Not even an attempt or something… How do you explain that ?
If Anet had an open backdoor, a lot more players would have been hacked.
Also if i read this post, all i can think of is a keylogger on the OP’s computer.
Or like he said, the hacker didn’t got really disconnected when you remove the ip access and he still was logged in on the launcher. Only in the last case it is Anet’s fault.

Ellieanna.5027:

Don’t you find it funny how in less then an hour of an account being hacked, the email was changed. That is no way an account is hacked, proof of identity is done and the email is changed is the amount of time the OP posted. Also, if you re-read, the OP’s email was also hacked. That is not on Anet at all. When THAT occurs, it causes a lot of issues, outside of Anet’s control, especially when you leave the serial code to your game in your email, and the hack gets it.

As soon as I found the authenticator attached, I opened a support ticket along with the last 4 digits of my credit card, my full name, and my birth date to verify my identity.

Regarding a keylogger, a full scan with MalwareBytes and Microsoft Security Essentials came up with nothing.

Finally, I am not sure that my email was hacked. I admit the possibility that the first email was initially compromised, though it may not have been. I just cannot verify it since that particular email doesn’t allow me to see previous logins. The Gmail account I switched to later does.

Despite verifying nobody had access to my gmail account, it did not do anything to boot the hacker off the account. That is the main reason I wrote this post. That seems to be a major security flaw that I hope will be addressed.

I also do not have the serial code for GW2 saved in my email account history.

For proof of the customer service response times, I’ve included the full email below (Read from the bottom up). The times are in PST instead of EST, but you can see the ticket was submitted around 00:36 (3:36 EST) which was about 25 minutes after I initially received the first login email. The delay was the result of trying to look up where to submit a ticket, changing my GW2 info, changing my email password, all while trying to constantly disconnect the hacker.

By 0:42, a support representative was able to remove the mobile authenticator off my acount. By 0:55-0:59, the representative was in touch to change my email to another secure email. I was honestly impressed with the speed of the communication.

I’ve included the email in the next post because this post got too long to include it here.

Here is the full text of my ticket and timestamps, with my emails redacted.

Edit:

Added lines to make it more readable.

When you contacted CS on May 26 at 00:56, did you use the old email address to send the correspondence, or the new email address to send the correspondence? I didn’t see anything in the letter to indicate who you were, or that this should be associated with the old Account Name, etc.

Some people use the old address to update to the new address, and that can be problematic, because it gives the new information to the usurper of the accounts.

I used the old email address while sending all the messages to CS. However, when I sent it I had already changed my email password. Furthermore, even if he had the name of the new email, it has an entirely different password. It also allows me to check the IP of recent connections to my new email, allowing me to verify that nobody other than me has accessed it.

Even if he had access to my email, I believe the only way to use it to gain access would be to do a password reset, but the passwords I set never stopped working. At one point, I reset my password, logged into the Security page and disconnected the IP. I hit refresh almost right away and they were already logged back in. It did not seem to slow them down at all.

My concern was that there was some way for them to keep a persistent connection after obtaining access once, despite login details changing.

EDIT:
I’d also like to mention that I changed my account password three times throughout this time period. Each time was with a new password I’ve never used anywhere before, all 20+ characters long.

After some testing this morning, I’ve realized why I had strange behavior with the Disconnect button on the security page.

It appears to do nothing. Absolutely nothing.

I logged into the Guild Wars 2 game on one computer and the guildwars2.com security page on another computer. While logged into the game, I removed myself from the Authorized Networks and then clicked disconnect on my own IP that I had the game running on. It did nothing to my game. I could still run around and freely change characters. The only thing I could tell it did was reset the time the security page said I’d been online back to 1 minute. That explains how the hacker always seemed to be instantly back online.

I then tried changing the password. Same thing. Despite my account password changing, I was never booted from the game. Only upon logging out completely did it prevent me from getting back on without the new password/mobile authentication code.

What is the point of the Disconnect button if it is going to do nothing? I spent the entire hour I was being hacked clicking it every minute because I was convinced it did something.

I’m going to install GW2 on another computer and see if getting booted from the game because another client logs in will force a person out of the account. If I had to guess, it won’t since I did try to log on during this.

Edit: I found a use for the disconnect button.. It will disconnect them from your account management page on the guildwars2.com website. I do not know why the button appears when they are only logged into the game if it’s not going to do anything to remove them from it.

When you were logged in on another computer, were you using the same IP address as the computer that was logged into the game? That might make a difference of being unable to disconnect the log-in from the game. /shrug

The initial tests were on the same IP address. I have since tested it with two different IPs with the same conclusion. The disconnect button will only kick them out of the website. It will do nothing to remove them from your actual game account.

This is incredibly misleading and I think should either be fixed to remove them from the game as well, or to prevent the disconnect button from appearing if the hacker is in the game but not on the website, since it would do nothing in that situation other than offer a false sense of control.

Well, you might bring that issue to the attention of CS or Tech CS, if you haven’t already. Might be helpful.

Good luck. =)

Once a hacker has gotten in to your email once, and they get your cdkey, thats all they need in order to submit a ticket for email change. I kept my cd key in my email because I bought the game digitally, big mistake on my part. They’ve changed the email associated with my account three times now. I know I don’t have a keylogger, and my gw2 account and emails (all of them) have two step authentication now. My security is airtight. But as long as my account has that same cd key associated with it, the hacker can change my login info seemingly whenever he wants.

They need track ip’s on email change attempts any one from usa or any specific country isn’t magically going to be living in north korea or china in just few days time. maybe step up security request for credit card info for an email change so far im lucky they haven’t changed my email it’s been 5 days before i found out i was hacked so they had time to pull that off I’d expect. I think they know I’ve cought on to them I belive they changed my email pw way my email works wont log you out if another ip or pc connects so im still logged into my email but i cant seem to change my pw as keeps saying im not correct. Only hassle is it’s sunday i can’t contact my ISP for support just local phone company no body there on sunday just like anet this making things hard to get resolved.

Yeah, its brutal knowing that someone else has control of your stuff and theres nothing you can do about it but wait…

Well atleast the emaol is through my isp i’ll have that changed when anet hits my ticket up but in away good thing it is on my isp even though their webmail is so out of date and unsecure is crappy part but good thing is easily recovered all i gotta do call my isp give them my landline/broadband acc # and say hey my email been hacked and pw changed i need you reset my goodies and force d/c the Koreans off my account lol have it back in less than 10 mins on gmail yahoo etc thats even bigger hassle as i gotta prove its my email i dont have a mobile device so cant use this fancy 2 step auth at same time that 2 step auth what messing with me as we speak cause that Korea dude got his mobile assigned to my stuff he over there laughing everytime i change the gw2 pass anyways anyone in tarnished coast sees my char running around as my char name is this forum name and other 80 he stripped naked (not much name variation) probably selling his gold :/ thats mr Korean. As i know he using my account for illegal activities cause says i can’t log in due to another client being connected which is total crap I manged get in it earlier not really sure how i just kept trying till i got in he probably lagged out i just got lucky. All i know is i found my char next to a resource node in cursed shore ( yea we all know what he using my account for now dont we?) and my silvari next to trader in divinity reach
Either way im not to happy sorta sad sorta mad

Dude the only reason I even figured out my account was being hacked is because of an email saying someone requested to change my password. I got to it and stopped it in time but kitten…you’d think the kittening authenticators would make you put in the code to get to your account kitten…BLIZZARD makes you do that.

Tell you how secure his account what i did hacker can’t get back in game because i used unicode for my password if unicode is more of a regional thing so a Korean keyboard isnt going to be able to type a unicode password created in america so i got him by the hootie he hasnt been back on game with my account in 2 days and anet just now getting to my account after a 3 day old ticket but im waiting patiently today they are confirming my owner ship so hopfuly soon i get my chars rolled back to a non-hacker date and my new email linked to the gw2 account all be back good except for the hacker probably made my name in game look bad cause he probably botting or selling gold with my name glad anet gave us name change slips cause I’ll probably need a few :/ If you need understand unicode for a password google “unicode for passwords” and you’ll find all the info you need heres an example of my unicode only password look at how long take them poor hackers to crack that bad boy heck I’ll be long dead before they get it. Yes gw2 password box does support unicode atleast from usa any other country you just have to try yourself.

I want to update what i just said so people will understand, When you run the client and the window for logging in pops up, there is 2 ways to get your password in there type it which is less secure if you are key logged and didn’t know it.
or
2 paste your pw into the password box you can not right click paste though but ctrl+V does work.

On the website right click paste works as normal.

I seen a quote some where I’m going to start living by for my internet passwords
“the best passwords are the ones you can’t remember” lol.
I believe what it means is the password is so complex that one can not simply remember them. I feel it dont get no more complex than using the unicode password.

Most accounts are now hacked by hackers getting the GW2 account password changed….not it being guessed (or key logged). Anet Support will change a password without question if it comes from your associated email account (that has been hacked).

I got the problem too. My gold and item gone and they set Mobile Authentication. How to remove the Mobile Authentication. Should i remove it.
May be if I change something they will hack me again and change something that I can’t bring my account back again.
Now they login my account for 11 min. I don’t know what to do please help.

Keng.9105:

I got the problem too. My gold and item gone and they set Mobile Authentication. How to remove the Mobile Authentication. Should i remove it.
May be if I change something they will hack me again and change something that I can’t bring my account back again.
Now they login my account for 11 min. I don’t know what to do please help.

Contact CS for assistance, and submit a request.

https://help.guildwars2.com/anonymous_requests/new

Make sure to secure your computer and email address.

https://help.guildwars2.com/forums/22305053-Account-Security