Hacked, even with an Authenticator... How!?

in Account & Technical Support

Posted by: AnonEMouse.7932

I’d like to thank Anet support for re-instating access to my account, I can’t praise them highly enough, especially Barracuda, and Marlin.

Ok serious part of this post time.

I recently had my account hacked. However this was no ordinary hack. What I believe happened, was that my NCSoft Master Account was somehow compromised. Don’t ask me how because I haven’t even logged into it since 2011.

Next I believe they changed the e-mail address for the NCSoft account, and then proceeded to change the passwords to two Guild Wars accounts attached to that account. One of the two affected accounts was attached to both GW1 and GW2.

Now here is where it starts getting weird. All through this I had NO e-mails. None from NCSoft, when (I assume) the attached e-mail address was changed, and again none from Anet when GW2 was accessed. I also had an authenticator attached to the GW2 account at the time. And yet somehow they managed to login to both GW1 and GW2 accounts, bypassing the authenticator.

Now I know some of the questions that people are thinking of..

No the passwords were not stupidly simple to guess (the GW2 password WAS 9SeIdeYcAqS699VL52V5ZL9upNKc1, yes 29 characters long for example)

No-one has access to my PC, (which was turned off at the time), indeed no-one has even been inside my home in over a year (yeah I’m a real sociable type, see my username for example).

Scans by MBAM, Spybot and MSE all say nothing was found, so it’s highly unlikely to be a keylogger or other trojan, especially as I haven’t even accessed NCSoft in over 2 years.

My mobile, with the only copy of the authenticator (and its secret key), has NEVER left my possession.

So the issue is, how kitten did my account get compromised? And what can be done to prevent this happening again (and to other people).

Posted by: ShiningSquirrel.3751

I can’t speak for the authenticator as I do not use it, but from what you describe, it sounds like they had access to your email account. They could then just ask for a password reset. Just in case, I would change the email password if you have not done it already.

Posted by: AnonEMouse.7932

E-mail password has already been changed, however the access logs I saw said no-one had logged in but me, although to be honest it only records the last 3 connections.

The authenticator is supposed to be un-removeable unless you a) have the serial code and b) contact support.

Posted by: Draygo.9473

Sounds like it needs review, it is possible they spoofed their way through support to get the authenticator deactivated. Hopefully Anet can figure out what happened and fix it for the rest of us.

Delarme
Apathy Inc [Ai]

Posted by: AnonEMouse.7932

Spoofing is a possibility, and I would have dismissed it, until I read a reply from support this evening.

I would like to believe that it didn’t happen, as 2 separate GW1 accounts were changed at the same time. Unless they’re linked they’d both have to have been brute forced at the same time, and as both accounts had separate random passwords, I don’t think they were brute forced.

The thing is though that the accounts are actually linked to my NCSoft account which appears to have also been compromised, and once you gain that, you can change the passwords for accounts linked to it, regardless of if you know them or not.. however it should e-mail you when this occurs, as I have received these previously when this occurred. This occasion I got nothing.

Like I said there’s more to this than meets the eye…

Posted by: Gaile Gray

ArenaNet Communications Manager

I think you should give these details in your support ticket, so the team can look into this. I suspect you were hacked in more ways than just the game, but it would be good to know so please talk to the agent who handled your ticket. Thanks.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet

Posted by: AnonEMouse.7932

Hi Gaile,

Yes I am involved in an ongoing discussion with support about this. I posted here in the hopes of understanding actually how this occurred in the first place.

Thing is that the NCSoft account got compromised 2 years ago, and back then the same 2 accounts got accessed. I personally suspect that the same person was involved this time, and they remembered some of my account details from back then.

At the moment, from what I can tell it’s only my GW/NCSoft accounts that are affected. Everything else is aok (SWTOR, STO, Path of Exile, Torchlight, Steam… ). Which is what leads me to think that it’s the NCSoft account that’s the real problem here.

Posted by: gassy.8975

Thanks for the ongoing updates about this. Please post what the problem was/is if you’re able to figure it out so the rest of us know to avoid the same situation. Good luck!

Posted by: Kilaelya.1420

I’m actually really concerned about this one. Can you let us know what happened? Like the OP my GW1 account was hacked a few years ago (I suspect it was because my account email at the time was used on several GW fan websites and one of them was compromised). I’m curious if you were able to find out any more info… I never want my account hacked again. Good luck, OP!

Minara | Ranger | Beastgate | [vR]

Posted by: AnonEMouse.7932

Hi Kilaelya.

I believe I understand what transpired. And the basic gist is that the NCSoft Master Account is the bane of my kitten GW life. This account is protected by a weak 13 char password which has to start with a letter and have at least 1 number, with no symbols.

So once you log in to NCSoft, if your IP is not known on the NCSoft account, you have to answer two secret questions. (what colour is your car is one..), get the answers right and NCSoft asks you if you want to remember the location you logged in from…

And bingo, your authenticator is now useless, because they’ve breached your NCSoft account, added their IP to your account, and they can now also change the password to your account at their whim, and log in, because the IP is already on NCSoft’s whitelist which Anet uses for the authenticator.

<Hudson from Aliens>Game Over Man!! Game Over!</Hudson>

4 Months ago Gaile said “In the future, we will allow you to always require approval of an IP, even if it’s you logging in for the fourth time in a day from the same computer at the same location.”.

If this had been acted upon, I would not have been hacked… END OF STORY… Mind you if NCSoft didn’t have such kitten security I wouldn’t have got hacked either.

Having Anet whitelist your IP is all well and good, but if your account is tied to a NCSoft Master Account, with its lack-lustre security.. you’re walking on eggshells, because once they get in, and added their IP, your account is theirs, and there’s nothing you can do about it.

In the attachment you can see the authorised IP’s that were attached to my account. My IP’s were the 80.5.* and the 86.17.. However the 151.201. actually belongs to the hacker.

And I know this wasn’t a key logger on my system, because I hadn’t even logged into my NCSoft Master Account in over a year. So somewhere there’s a weakness in NCSoft’s security and it’s getting people’s GW accounts compromised.

Attachments:
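
The login behaviour described in the post above, modelled as an added example (not part of any post, and not ArenaNet's or NCSoft's code). It compares a trusted-IP list that skips the authenticator with the "always require approval" policy quoted in the post; all class and function names and both IP addresses are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class MasterAccount:
    # ip -> True if an authenticator code was checked when the IP was remembered
    trusted_ips: dict = field(default_factory=dict)

    def remember_location(self, ip, password_ok, answers_ok):
        """Master-site login from a new IP: password plus secret answers only."""
        if password_ok and answers_ok:
            self.trusted_ips[ip] = False  # no authenticator involved in this step
            return True
        return False

def game_login(master, ip, password_ok, totp_ok, always_require_totp=False):
    """Return (allowed, reason) for one game login attempt."""
    if not password_ok:
        return False, "bad password"
    if ip in master.trusted_ips and not always_require_totp:
        return True, "trusted IP, authenticator skipped"
    if totp_ok:
        return True, "authenticator verified"
    return False, "authenticator code required"

def ips_enrolled_without_code(master):
    """Allowlist entries worth reviewing: remembered on knowledge factors alone."""
    return sorted(ip for ip, had_code in master.trusted_ips.items() if not had_code)

def simulate(always_require_totp):
    owner_ip, other_ip = "198.51.100.7", "203.0.113.50"  # constructed addresses
    master = MasterAccount(trusted_ips={owner_ip: True})
    # Someone who knows the master password and secret answers, but holds no authenticator:
    master.remember_location(other_ip, password_ok=True, answers_ok=True)
    outsider = game_login(master, other_ip, True, False, always_require_totp)
    owner = game_login(master, owner_ip, True, True, always_require_totp)
    return outsider, owner, ips_enrolled_without_code(master)

if __name__ == "__main__":
    for policy in (False, True):
        print("always_require_totp =", policy, "->", simulate(policy))
```

With the allowlist honoured, the second factor is only as strong as the weakest step that can add an IP to the list; with the always-require policy the same allowlist entry no longer grants a login.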

Posted by: Inculpatus cedo.9234

As for the secret questions pertaining to the NCSoft Master account, what color is your car? is a secret question for you…not for everyone. You choose the questions for security on your account. It may not be much, but choosing a question that has a wider range of ‘correct’ answers might be helpful. =)

Posted by: AnonEMouse.7932

Actually I don’t even have a car, it’s just an example of the questions it can ask.

In my case though the answers were ‘secret’ in that they were only stored in my head, and I’ve NEVER used them on the NCSoft website or anywhere else, in the 2 years since I last changed my NCSoft password/ secret answers.

My secret answers were definitely NOT keylogged, and are actually not even stored anywhere on my PC, or even ANYWHERE online.

This being the case how did they gain access to my account? Brute force? Cos I’m stumped to think how the hacker actually managed this.

All I know is that as it stands, my NCSoft Master Account has me worried. In that it’ll be breached again, and next time I won’t be able to get a roll-back, unless A-net introduce the “we’ll always ask for authentication even if you store your IP address in the whitelist”, like what was promised 4 months ago, to prevent exactly this type of hack.

Posted by: Inculpatus cedo.9234

Did you not receive the notification from NCSoft when a new IP address was added to the list? They send one and ask if you performed this action, and if not, to contact them immediately. I do not know exactly what is going on with your account, but I am sure Support would be interested in hearing all the details. Good luck. =)

Posted by: Gaile Gray

ArenaNet Communications Manager

13 characters and the requirement of even a single number can be extremely strong. If your email is hacked, though, you’re at risk. If your password is easily guessed, or more importantly (and what I suspect) used elsewhere, you are vulnerable.

While I appreciate your frustration, and I am sorry for what happened, I think it’s safe to say that we would see hundreds or thousands of these posts, instead of the one-off incidents such as yours. Look around you and you’ll note perhaps 5 posts a day where someone is compromised. If there was a breach, there would be 5 posts a second. So I feel confident that this is not any sort of “security weakness.” The team will continue to discuss with you, but again, the evidence points towards this being 100% a personal issue and not a systemic issue.

Gaile Gray
Communications Manager
Guild & Fansite Relations; In-Game Events
ArenaNet