Guild Wars 2

So now while they are working on getting my husbands account back (they have asked him for all information regarding his account) someone is playing on his account and has leveled him 8 levels. What I don’t understand is why they didn’t block his account when he first filed his incident report or at least by the time they got back to him on it. Everyone keeps talking about it being the fault of the players themselves for being hacked, but the fact is the game has been out only 18 days and there are thousands and thousands of people that have been hacked. So I find it hard to believe its the players who are at fault when the true fact is you didn’t even have to confirm the email address change. They just HOPE THIS IS YOU. If someone could please help on this situation it would be much appreciated.

Incident number is 120913-005691

There arent thousand and thousands of people that got hacked. And those who do get hacked, 99% of the compromises are caused by their own failings. Bad passwords, keyloggers, compromised email accounts etc.

Also note that when you get your account back, any items and currency that are missing cannot be restored.

NBC news claimed there were 11,000 accounts hacked on the 7th of Sept. it is now the 16th and it is still happening. There should have been a confirmation in email to click to confirm email change, or something simple like that.

They can claim what they like. Theres no proof, as no numbers have ever been officially released yet.

I fully agree with confirmation emails though.

Its not only nbc news you just need to do a basic google and its all over the place. For example one of my favourite sites
http://www.tomshardware.com/news/ArenaNet-Guild-Wars-2-MMOG-PC-Gaming-Hacking,17455.html

but i seriously hope i don’t get hacked the reason i came to guild wars 2 is because i was hacked on my last game after playing it for 4 years they took everything :c

If you lack the ability to keep your system secure, then its only a matter of time before you get compromised.

Perhaps you had the same details on a fansite that has been compromised, or you could even have had a keylogger on your system when registering the game. Most keyloggers hide and are not detectable until they are switched on and doing what they do.

Renegadeimp.8439:

If you lack the ability to keep your system secure, then its only a matter of time before you get compromised.

Perhaps you had the same details on a fansite that has been compromised, or you could even have had a keylogger on your system when registering the game. Most keyloggers hide and are not detectable until they are switched on and doing what they do.

Are you referring to me or Karissa?

I was talking generally. Not at a specific person.

Considering they’ve sold more than 2 million copies, and considering more than half of the players have very likely used the same login credentials that they’ve used at other sites (based on previously conducted studies about password security), I think the current rate of compromised accounts is relatively small.

If people insist on using the same login credentials that they’ve used elsewhere, this forum is going to be busy for a long time.

I don’t agree that crimes are “caused by” the victim in any crime. The criminal causes the crime to happen, the victim is innocent. All victims can do to prevent criminal behavior against them is take steps to prevent becoming victims, but they’re not part of the crime at all.

LeCreaux.3087:

I don’t agree that crimes are “caused by” the victim in any crime. The criminal causes the crime to happen, the victim is innocent. All victims can do to prevent criminal behavior against them is take steps to prevent becoming victims, but they’re not part of the crime at all.

I agree with you 100%, Its quite annoying when i see ppl on forums telling the victims its entirely their own fault with no mention of the criminal.

Of course the one who obtained the list of logins from other sites is responsible, but when you register for a site you have the option of creating login credentials that can’t be used anywhere else. People often are not doing that.

If you have a car and a house, would you want the same key used for both? No. People should be treating online data with more caution than they currently are.

infring.8942:

I agree with you 100%, Its quite annoying when i see ppl on forums telling the victims its entirely their own fault with no mention of the criminal.

Agreed. But it’s also annoying when victims try to place the blame the developer for something that’s technically not their fault. ANet can do a lot, but unfortunately, it has no control over security at fansites or rival MMO studios. ANet does not send out phishing emails and does not distribute keyloggers. If someone steals your car, you don’t blame the police for it.

While I don’t think anyone here goes out of their way to invite hackers to hijack their accounts or thinks to themselves “how can I be more negligent with net security today?” we’re all guilty somewhat when it comes down to being lazy about things.

How many of us used different emails for battle.net and Guild Wars, even after we heard about Blizz getting hacked? How many of us used different passwords for everything we sign up with, especially our email accounts? And if you took one or both of these precautions, did you still get hacked?

Heck, I’m guilty of using the same email. 2nd day of launch I get hit with a hacking attempt complements of my old compromised WoW account. Luckily, I’ve long since stopped using that password for anything. So they were not able to get into my GW2 account. They then tried to reset my password which required email confirmation. Once again I was lucky that I’ve have a different password on that as well.

I do hope everything works out for the OP, and instead of taking sides on who the criminal is, we should all focus on how we can protect ourselves and keep from becoming victims. Well… that or petition GW2 to put skeletons into the game so that it becomes outlawed in China due to censorship.

TL;DR: Let’s all remember to not used compromised Email/PW from other games. And have a UNIQUE PW for your email. Don’t let hackers make you a victim.

I agree wholeheartedly with sdsakuragi, if somebody buys a house and installs the same lock on all the doors using the same key as their car, office and safe, they can’t very well blame the architect for it when one key goes missing and they come home to an empty house.

It’s one thing to blame the victim of a crime when it’s a totally random mugging on the street or brute-force password crack. When the person is walking around with their wallet hanging from their pants by a thread or with the same password and e-mail for another account on this one(ESPECIALLY if that other database was compromised, that includes a lot of Bnet and other MMOs).

The thing is, this may seem like 11,000 totally random victims, but in all honesty, I would bet good money that their e-mail and password combination for their hacked accounts was used on a website/game that was compromised or was otherwise keylogged or intercepted. If you were to hear about 11,000 random muggings, it would indicate a lack of security and police enforcement. If you were to hear of 11,000 unlocked houses being burgled, it would indicate…that these houses were indeed unlocked.

Lastly, I’d like to point out that hackers often work in communities, sometimes even in ‘syndicates,’ and have access to thousands of credentials from their own community and likely many others. If your password has been cracked ever, they’ll probably have it on file in a spreadsheet, and it’s as simple as plugging the sheet into a bot program that auto-tries every known compromised e-mail/password combo.

I did a paper on this subject in college and found a larger problem. Research shows that approximately 7% of the IT workforce has “ethical flexibility” when it comes to online crime (i.e. it’s ethically OK if they’re not stopped from doing it).

Take note…these are the people who manage the IT where your name and password are stored. As all IT security professionals are trained, the biggest threat is NOT the unknown hacker outside—-it’s the system administrator with a login working for the company. Yes, it really happens, the system does not have to get hacked for your information to get out to the buyers.

Never trust that your login is protected within a system. It’s only as secure as the most dishonest employee of the company. Always assume that your login has already been stolen and never use the same one between systems.

Source: Inside the Mind of the Insider
http://www.securitymanagement.com/archive/library/000762

Aren’t passwords supposed to be encrypted within the database? Specifically against hackers and unscrupulous employees the same? You usually will see some sort of disclaimer of “If you lose your password we cannot retrieve it”. I would imagine that this is the industry standard, but if not, it could be cause for investigation…

I think the point LeCreaux was making was that you should assume that whenever you register with a site, your credentials are not secure. Even if a site where you register has never been hacked, you should always assume that it will be eventually, and create a unique, strong, and long password that you have not used before and will never use anywhere else ever again.

Just 2 months ago close to half a million yahoo login credentials were leaked. Many of those passwords were ridiculously weak, and it’s very possible there were some login credentials in that exposed list that are also used here in gw2. But I bet when most people sign up for an email service, they never think their accounts will be hijacked or their login credentials posted on the internet for anyone to see.

It doesn’t matter if ArenaNet’s system is secure (no system is every 100% secure) and is never hacked, and it doesn’t matter if you think your email provider is 100% secure (it’s not). Always, always, always specify a new password, and preferably a new email address, when you sign up for a site where you care about keeping your account secure. There should be NO exceptions to this. And imo ArenaNet should not have required you to use the same email for gw2 and gw1, but that’s another topic for another day. lol

I see. On the note of same e-mails, I used my GW1 e-mail to reserve my name, then changed my registered e-mail to my unique one.

What would be handy is website that permits multiple e-mails addresses that forward to one central inbox, using the domain name as the unique user name, and the prefix as the e-mail descriptor e.g. “facebook@alecowlyear.gmail.com” and “GW2@alecowlyear.gmail.com” forward to the same inbox and are managed centrally. I know this is possible now, but not widely practically available. Perhaps a total rehashing of the age old e-mail system is in order?

Alec Owlyear.6782:

Aren’t passwords supposed to be encrypted within the database? Specifically against hackers and unscrupulous employees the same? You usually will see some sort of disclaimer of “If you lose your password we cannot retrieve it”. I would imagine that this is the industry standard, but if not, it could be cause for investigation…

Except Anet’s database was NOT the one hacked. The hackers got into Blizzard’s databases more than a year back if I recall correctly. And there was also a GW2 fansite which got hacked due to weak, amateurish security. Using the lists of emails and passwords from those databases, the hackers basically tried them all in an attempt to log in to GW2 and hijack the accounts of players. They were banking on people being complacent and reusing the same email/PW for everything, because who wants to remember 10 different passwords?

For people who did have a different password for GW2 than for battle.net or the fansite, they’d send, using the login launcher, a request to reset the password. Then they would try their list of compromised passwords with your email accounts to get in and confirm the requests to change the passwords (or in some cases the registered email address).

For those of us who had a compromised battle.net account but used unique passwords for GW2 and email, like me, we woke up the first week to emails from ANet asking us to confirm password resets, clear evidence of a failed hacking attempt.

“Hacking,” in real life, is not always dude sitting at a multi screen setup with lines of assembly language streaming across monitors as his fingers fly over keyboard as he engages in mortal combat with firewalls. Mostly it’s a con-game, based on human psychology; in this case, we tend to be too lazy use multiple passwords, we think we are more secure than we actually are, we are under the assumption that ANet can perform sorcery and instantly restore hacked accounts, and sites offering free exotics if we sign up must be legit because we like what we hear.

Not trying to place blame on the victims, but seeing the numbers of posts on here relying solely, demanding even, that ANet “fix these hacks now!” demonstrates exactly the kind of psychological profile and lack of understanding of how net security works that these hackers look for in their victims. When the problem is behavioral rather than coding related, there’s very little, anyone other than you yourself, who can prevent hacks.

TL;DR: First, ANet didn’t get hacked, it was other databases also used by GW2 players. Also, ANet security isn’t the weak link if hackers are relying on the complacency of players when it comes to actively protecting themselves.

With blizzard, the “hackers” got into a disused database that wasnt tied to the MMO. It contained old usernames and passwords, which blizzard then forced people to change.

But due to me quitting WoW before WotLK, they never bothered notifying me. I didn’t find out the old account info was compromised until I tried to sign up for D3 beta. I’m sure had the hackers gotten access to a more up to date list of player credentials, we wouldn’t be talking about just 11,000 reported hacked accounts. But either way, it just goes to show the extent how long some people use the same password for everything. My dad’s one of those people who’s been using the same password for all his email accounts since he first got AOL Dialup Service in the 90s. So glad he doesn’t play GW2.

You can use gmail to set up email aliases that are sent to the same gmail account by using “+whatever” within your gmail email address, such as alicebob+yahoo@example.com and alicebob+microsoft@example.com (replace example.com with gmail.com when reading that). Any email messages sent to those email addresses would go to the same gmail account (alicebob).

However, if those email addresses appeared in a list, the person with the list could just remove the +yahoo or +microsoft and have the account ID used to sign into gmail.

Some email services, such as fastmail.fm, allow you to create email address aliases that are nothing like the email address you use to sign into the service (different user name, different domain). Any email sent to those aliases ends up in your email account. But the email address you use to sign into the service is one you can keep to yourself and never use anywhere else. I’m sure there are others, but fastmail.fm is the only one I know of offhand.

Alec Owlyear.6782:

Aren’t passwords supposed to be encrypted within the database? Specifically against hackers and unscrupulous employees the same? You usually will see some sort of disclaimer of “If you lose your password we cannot retrieve it”. I would imagine that this is the industry standard, but if not, it could be cause for investigation…

Yes, a secured system would have encrypted passwords. The decryption is done on copies of the files containing the encrypted logins. Typically the entire files are decrypted, not just a single password, revealing every login on the system.

While system administrators are able to do this at any time, it’s not done to recover a password for a user. It’s more secure to make you prove your identity and then reset your password. Although that “prove your identity part” can be real iffy.

I just retired from almost 30 years in IT security. In all that time we suffered constant attempts from outside, but in my experience most successful events were either from inside or socially engineered using somebody on the inside. Regardless, the safe bet is to protect all of your logins from each other.

…which is what ArenaNet has been preaching, just without the back story.

Renegadeimp.8439:

There arent thousand and thousands of people that got hacked. And those who do get hacked, 99% of the compromises are caused by their own failings. Bad passwords, keyloggers, compromised email accounts etc.

Also note that when you get your account back, any items and currency that are missing cannot be restored.

If there were thousands the server then will be down by ArenaNet for fixing
For criminals its better to make their job smooth and slowly.
As you can see – the wave of those hacked is growing.

tldr; It’s in RMT companies’ best interests to get as much gold as possible as quickly as possible, and if they had access to a list of GW2 credentials obtained from hacking a database then the 5-hour delivery times would be much shorter.

There actually were several thousand accounts compromised according to ArenaNet, and ArenaNet stated that evil-doers are trying to find accounts by using known lists of emails and passwords. ArenaNet engineers/admins have access to their own login server logs, so they know better than any of us about the types of authentications that are occurring.

If someone has a list of valid gw2 credentials that they obtained by compromising a database, they aren’t going to bother slowing down their login rates by intentionally mixing in invalid auth attempts. They’re going to go straight for the goods. These are people whose goal it is to get as much gold as they can, as quickly as they can.

The buyers don’t want to be kept waiting. Some of the RMT spammers advertise a 5 hour delivery, or something like that. If they really did have access to a list of valid GW2 credentials, that 5 hours would be 1 hour, or “instant delivery” as I would see in FFXI, which was rampant with RMT bots. People don’t want to wait 5 hours to buy their illegitimately obtained gold and are more likely to buy if there is immediate gratification, just like buying many other things. If you can get something at Best Buy in half an hour or wait a week or 2 for delivery, you are going to go for the more immediate gratification. Assuming there are multiple RMT companies involved with GW2, it’s in their financial best interest to have gold available before their competitor, and of course at a cheaper price.

Yep and they know that my password was not qwerty then (it was smthing like cB’gO=KGfzH7kJQ`2=78U#@o)
But ofcourse they answered that this is not their fault, this is my fault. I’ve used to simple passw. Or passwd used somwhere else.
And of course this is not their fault when criminal can change email without any confirmation.

Forwarded message —-———-
From: ArenaNet <noreply@guildwars2.com>
Date: 2012/9/17
Subject: The e-mail address for your Guild Wars account has been changed
To: zerort@gmail.com

Someone -hopefully you!- has requested to change the email address associated with your Guild Wars account.

Need help or have questions about your Guild Wars account? Visit our support site: http://support.guildwars2.com/.

Thanks!

-The ArenaNet Team

this was THE ONLY ONE email i’ve received from AN. So yep. Thx.
Your acc was stolen. Have Fun. Messege should look like this.
(email acc have sms confirmation so… and keyloggers etc is silly. I was building new system and so have clean OS install for rhat time with antivirus and etc.) If you think AN is not involved or this is not their fault. Than for example, it will be normal that someone changes sms report number for your CC and than stole all your money. And bank will do nothing. Enjoy…

BTW I still have no answer for my tiket about message above. For first tiket respons wath within 5 minets. Refund has no answer too.

infring.8942:

LeCreaux.3087:

I don’t agree that crimes are “caused by” the victim in any crime. The criminal causes the crime to happen, the victim is innocent. All victims can do to prevent criminal behavior against them is take steps to prevent becoming victims, but they’re not part of the crime at all.

I agree with you 100%, Its quite annoying when i see ppl on forums telling the victims its entirely their own fault with no mention of the criminal.

You’re right, but we don’t live in a criminal-less world and conducting your life based on a world that is is very naive. Therefore, you as a ‘victim’ are to blame for not protecting yourself against criminals.

Would you leave your wallet with money out in an unlocked car in a busy parking lot? Well, using the same credentials for this game or an easy to guess password is the same thing as leaving the door unlocked.

No, literally, people use the password: password123 and think it’s safe.

No, you’d either hide the wallet, you’d lock your doors and you’d take measures to protect your money. This should be the case for creating an online game account. The information of people being hacked and why they are being hacked is out there. People refusing to listen to the advice should shoulder some of the blame.

I have a car alarm and a $200 deadbolt on my front door to my house. This is because I’d like to take measures to protect my assets. This same train of thought needs to be used when creating passwords for your game accounts and you should never use the same ‘key’ for everything.

So what about my case?
I’m paranoiac because I live in Russia bro.
Tell me about your $200 deadbolt…
We all here have 10cm thick ssteel doors and etc.
So what? I have cB’gO=KGfzH7kJQ`2=78U#@o or smth like this passw.
It doesnt help. And know what. AN dont send me confirmation request when somebody was changin my account name email. So? My fault?

I don’t buy it. Who among us hasn’t forgotten to lock their car, their house, their garage or their computer. Those are self-defenses against crime not the blame for crime. It’s an ethical leap to blame the victim’s poor self-defense as the cause for the crime. We can’t all be martial artists and computer experts.

Sure, when I see a neighbor forget to close their garage I do think “he might get robbed” but not “he deserves to get robbed” or “it’s his fault if he gets robbed”. We have to keep our empathy for the innocent or the criminals begin to look like the innocent ones.

They can claim what they like. Theres no proof, as no numbers have ever been officially released yet.
I fully agree with confirmation emails though.

There most certainly has been, an NCsoft rep even said so.

KOS.1057:

Yep and they know that my password was not qwerty then (it was smthing like cB’gO=KGfzH7kJQ`2=78U#@o)
But ofcourse they answered that this is not their fault, this is my fault. I’ve used to simple passw. Or passwd used somwhere else.
And of course this is not their fault when criminal can change email without any confirmation.

---

Forwarded message —-———-
From: ArenaNet <noreply@guildwars2.com>
Date: 2012/9/17
Subject: The e-mail address for your Guild Wars account has been changed
To: zerort@gmail.com

Someone -hopefully you!- has requested to change the email address associated with your Guild Wars account.

Need help or have questions about your Guild Wars account? Visit our support site: http://support.guildwars2.com/.

Thanks!

-The ArenaNet Team

this was THE ONLY ONE email i’ve received from AN. So yep. Thx.
Your acc was stolen. Have Fun. Messege should look like this.
(email acc have sms confirmation so… and keyloggers etc is silly. I was building new system and so have clean OS install for rhat time with antivirus and etc.) If you think AN is not involved or this is not their fault. Than for example, it will be normal that someone changes sms report number for your CC and than stole all your money. And bank will do nothing. Enjoy…

BTW I still have no answer for my tiket about message above. For first tiket respons wath within 5 minets. Refund has no answer too.

No its not ANets fault at all. You probably used this password on an old account on some other forum/website/game or on a compromised computer.(If you make passwords like that I highly highly doubt you make more than 1-2 of them that you have to remember at a time) And also, kudos for a password like that but check this out: http://i56.tinypic.com/2gweyd1.png

Youd be better off with a password like ‘mountainsapplesaucerocketcake’ that takes 550 years to crack than something hard to remember like your example that can be guessed in 3 days.

There are over 2 million players, give the support team some time to get through stuff. They aren’t ignoring your ticket on purpose.

Masterpyro.4310:

KOS.1057:

Yep and they know that my password was not qwerty then (it was smthing like cB’gO=KGfzH7kJQ`2=78U#@o)
But ofcourse they answered that this is not their fault, this is my fault. I’ve used to simple passw. Or passwd used somwhere else.
And of course this is not their fault when criminal can change email without any confirmation.

---

Forwarded message —-———-
From: ArenaNet <noreply@guildwars2.com>
Date: 2012/9/17
Subject: The e-mail address for your Guild Wars account has been changed
To: zerort@gmail.com

Someone -hopefully you!- has requested to change the email address associated with your Guild Wars account.

Need help or have questions about your Guild Wars account? Visit our support site: http://support.guildwars2.com/.

Thanks!

-The ArenaNet Team

this was THE ONLY ONE email i’ve received from AN. So yep. Thx.
Your acc was stolen. Have Fun. Messege should look like this.
(email acc have sms confirmation so… and keyloggers etc is silly. I was building new system and so have clean OS install for rhat time with antivirus and etc.) If you think AN is not involved or this is not their fault. Than for example, it will be normal that someone changes sms report number for your CC and than stole all your money. And bank will do nothing. Enjoy…

BTW I still have no answer for my tiket about message above. For first tiket respons wath within 5 minets. Refund has no answer too.

No its not ANets fault at all. You probably used this password on an old account on some other forum/website/game or on a compromised computer.(If you make passwords like that I highly highly doubt you make more than 1-2 of them that you have to remember at a time) And also, kudos for a password like that but check this out: http://i56.tinypic.com/2gweyd1.png

Youd be better off with a password like ‘mountainsapplesaucerocketcake’ that takes 550 years to crack than something hard to remember like your example that can be guessed in 3 days.

There are over 2 million players, give the support team some time to get through stuff. They aren’t ignoring your ticket on purpose.

You not reading at all?
It was random gen pawwd exatly for GW2. It was generated special for it.
Thats it!

And yep I don’t kep them in head. I use flasdrive.
(And yes its keep in safe place and OS was installed from 0. no keyloggers or troyans)

READ IT CAREFYLLY
The hacker changed email account name, i.e. login email! WITHOUT any confirmation on my current email!
Its like i call in your bank and chage phone number for secret sms verification on my number. And you even know. Do you like it?

About your password. Its not 50000000 years
I can use bruteforce dictionary to combine words not symbols like in my passwd

And yep. They are ignoring.
Still no answer. Why there were no confirmation request when this hacher changed my email?

Did what I could, your post isn’t exactly written clearly.

What if I didn’t have access to my old email and needed to change my email? There are few systems out there that actually confirm with your old email. You have to keep your credentials safe, that is your responsibility. Did you reformat with a legal copy of windows or did you download it? It could have keyloggers built in if that is the case. Maybe the random generator you used wasn’t so safe either.

There’s just so many possibilities, hackers are smart. There was a virus that laid dormant in systems for many years until it found the nuclear reactor it was looking for and changed variables to ruin uranium enriching in the middle east. It’s not hard to figure out your password.

Shure. But here we can se what? They provide ability to change it without proper autentification and authorization.

Clear install from my W7U box version. And ofcourse the second step was installig and configuring antiviral software and firewall, then plugin ethernet cable to update antiviral data bases. So yes. I pretty paranoical for such questions and its very interesting for me how and when. Btw I know what virus you are talking about. I’m not just simple user.

There’s just so many possibilities, hackers are smart. There was a virus that laid dormant in systems for many years until it found the nuclear reactor it was looking for and changed variables to ruin uranium enriching in the middle east. It’s not hard to figure out your password.

OMG, why would they even hook a uranium enrichening system to the internet? kitten like that shouldn’t even be connected to anything outside the facility.

I’ve heard about people using Kepersky generated passwords and having their accounts broken into (not just GW2), my thoughts is keepersky or some other password generator uses the same type of hash or PSK that’s possible to decode (cough Anonymous hacking SOE servers).

Simply put, the internet isn’t safe from anything these days, I prefer Anet add a security layer to accounts (secret question, possibly authenticator), you can’t expect the general public to understand what they’re doing. I know people IRL that uses the same username/password across several things and that can be a dangerous thing, mass majority of people on the internet does this.

I tested my account by changing my email address to another one of my email addresses, and was able to do it without a confirmation step… that makes me steam.

I don’t think it was online, it just eventually spread to a device that was attached to the system. It’s could be on your computer right now, but it’s harmless as its only goal was to find that reactor. Link for more since it’s off topic: http://en.wikipedia.org/wiki/Stuxnet

Also, Anonymous didn’t hack Sony, just some random guys hiding under its name did