Guild Wars 2

Anet I don’t know why this is an issue? Day 1 of headstart I tweeted you and said this was going to happen… There’s nothing confirming the change of the accounts. Nor anything for “forgot password” to try to recover your account thru email.

And now look at the mess we’re all in… This has got to be creating more trouble than it would have taken to put some kind of security bulkhead into changing the account information. Every free web game on the net practically has you right your name in blood to change your password. But we can do it freely here and without a thought. Database of email addresses and 10000 free pw guessing utilities and your losing paying players left and right.

Just saying something like this should have never been. I’m sad, for all of us waiting to be a victim and to all that have been victimized. Good luck Tyria!

I’m sorry Gaile, but there is no confirmation for changing a password. I changed mine earlier today and received no notification what-so-ever.

There is no confirmation for changing an email either, I may add.

Nope. There is not. Just an e-mail saying “Someone, hopefully you, has changed the e-mail on this account. If it wasn’t you, contact support.” -or something very similar.

Great system.

Once again Arenanet trying to push the responsibility of this enormous security joke onto its customers. This game has less security then most free FORUMS, much less a multi-million dollar MMO.

But i guess its forgivable as it’s their first game…wait…well surely first MMO…

"
ArenaNet noreply@guildwars2.com
Sep 12 (1 day ago)

to me
Someone -hopefully you!- has requested to change the email address associated with your Guild Wars account.

Need help or have questions about your Guild Wars account? Visit our support site: http://support.guildwars2.com/.

Thanks!

-The ArenaNet Team"

This has to be a bad joke, I keep telling myself.

… So umm there IS a confirmation….

However it only says something like “If you did not make this change please contact support.” It SHOULD do a “click this link” to confirm the change, but it doesn’t.

There is absolutely nothing to stop anyone from changing your account information once they have it, the account is theirs.

I know I sent a tweet to you guys like day of or day before head start for this exact issue. And now we have tons and tons of people with no accounts. Worse you have tons and tons of people buying accounts that were hacked, hackers making $ of your game and the real people that would have bought more gems etc giving absolutely nothing towards your profit margin because their account was stolen.

Pretty nice cycle of everyone getting screwed and the hacker’s coming out on top currently.

They steal legit accounts sell em for cash, people with lots of cash buy the accounts. Now you have 2 people claiming ownership of 1 account. Or you just have the hackers spamming gold or just utterly abusing the account in general.

No matter the outcome you’ve got 1 foot in the grave currently if the security doesn’t get fixed. If you can’t keep up with the current flood, how are you going to keep up as the flood intensifies? Pretty soon you won’t have anyone to pay for your game except the hackers that are willing to do anything and everything to not only steal and cheat the players but also you.

GaileGray.9587:

People are only able to change account credentials if they know the account credentials, which is something that is happening outside of our game where a database for a forum, game, website, etc., is stolen and where the player is reusing credentials — something we’ve warned against for years!

Someone can try all day and night to change your email address, but they can only do that if they know the email address and the password. They can try to reset the password, but that is only processed if you confirm it.

Account security is important to us, but the principal owner of security is the account holder him- or herself.

Let me start off by saying my account has been hacked and I have taken the appropriate measures to get it back….hopefully. Now then…..

So wait, Anet doesn’t even realize that their is NO confirmation link required and all that the hackers need to steal our accounts is an email and a PW cracking program? There is absolutely no confirmation activation required to change the account information which is resulting in the theft of so many accounts.

I have been playing MMO’s since 1993 and have NEVER had a single account hacked because of how cautious I am. (posting from my sons account since I do not have access to mine) Now suddenly your inadequate system is somehow my fault? I have spent over $500.00 on your game (3 copies for my family plus gems) and you have the audacity to say I am solely at fault? Your company has failed to provide the security that companies with 100th of your budget do. That is fact. This is at best arrogant and at worst negligent.

I do not feel I am wrong in expecting a higher standard of security than what your company has initially provided for it’s consumers. If they had, Anet would not be making all these upgrades to security after coming to the realization that what they have provided is not adequate.

I am still waiting for my account to be restored, but I assure you Anet is already on the verge of losing another very large group of family and friends simply due to a lack of security and customer service.

While I do realize that user error can result in accounts being compromised, Anet needs to step up and admit they are wrong in some theft cases regarding security measures. Anet should also consider that they were warned of this issue by their customers prior to all of these account thefts.

I would also like to point out that we are told to change our email and passwords because they may have been compromised, only these options do not work for us when we try to use them. When our accounts are stolen the hackers are able to to change it all with out any check points what so ever. Seriously, this mess is all our fault? That’s what your telling me? Good job PR.

Gail, there is no mandatory confirmation for changing the account email being sent to the ORIGINAL email address, which means accounts can be stolen without the hackers having access to the email address the account is tied to. This is a serious oversight.

“Someone can try all day and night to change your email address, but they can only do that if they know the email address and the password. They can try to reset the password, but that is only processed if you confirm it.”

I know you guys are doing HARD to make it better but what about the non confirmation in e-mail change? How care if he needs to confirm to change my password when he just change my e-mail and then confirm everything, even ip?
Even with a problem in the pc security would be WAY HARDER to steal someone’s account with a change e-mail confirmation in the previous not the new, or even both together but never just in the new one.
For what I know, the e-mail change have been blocked atm, I hope you guys make that happens, a confirmation please. Then we can rest about not having our account stole because everyone can, someday, in a way or another get keyloggers or be cracked or hacked, even govern have their sites hacked. I’m sure you guys will get much less support tickets. lol

All of these account issues you are having to deal with can be fixed with 1 simple solution.

Make an account recovery connected to the original email address. “If you have lost access to your account click here” Sends a link in the original email address to reset the PW.

And done…. 500000 cases are off your desk and you can worry about the accounts that have worse problems like both the account and email address being compromised.

Implement authentication software… problem solved.

http://transcendentveneration.guildportal.com/Guild.aspx?GuildID=447231&TabID=3829021&TopicID=10225985&ForumID=2158899#forumEnd

This is a snapshot of my original tweet about this issue. Can’t put it up here so put it up on our guild site. Notice that it’s at guildportal, nothing in this link takes you anywhere bad.

I quote my friend (whom I refer to on my post ‘On behalf of my dear friend’).

“Someone needs to get whacked with a fish for overlooking something this dumb.”

“Even the F2P games have this security, why would you just decide to throw it out?”

Not to beat a dead horse, but you shouldn’t be able to change the email associated with your account without some sort of authentication. Password maybe, but email, that should be a huge red flag. I’m sure Arenanet is looking into this, and if not, they really should. Basically, all you need is the password, after that the account is yours. Most sites require the password, and then you need the ability to actually log into your email and authenticate the change. Therefore, the hacker needs two emails instead of one.

Anyways, looks like a design flaw and I’m confident you guys will get it worked out.

So glad I use a separate set of password for things such as banking, GW2, emails, important accounts. While Forums and discussion boards are for bluffers and are so easily accessed by everyone. They have such low security… it only made sense.

Good luck to the victims. Hope all is resolved soon.

Momone.2059:

So glad I use a separate set of password for things such as banking, GW2, emails, important accounts. While Forums and discussion boards are for bluffers and are so easily accessed by everyone. They have such low security… it only made sense.

Good luck to the victims. Hope all is resolved soon.

As do I, this does not protect you. All they do is run a program to type random emails into the log in (or do it manually as this is a full time job in some countries.) When they get one that is registered it will say incorrect password. At that point they switch to the PW cracking program which will run millions of passwords until they crack your account.

Now you are powerless because all they need is to get in once (because of the reasons stated above) and change all your info and boom your password is gone, your account is used to farm, spam , or sold outright on the internet. After that an Anet employee will come in and post informing you that this is all your fault for not protecting your account appropriately.

Hackers are making a mint and it is big money particularly in countries where there are 80 hour work weeks with slave wages. Thinking this problem will go away when this game has zero security compared to nearly every other MMO is idiotic. It will only get worse until security measures are taken or the game simply fails.

By the way the forums look, it takes at 2-15 days to have an account restored to it’s rightful owner. ( I am still waiting to hear from Anet about my account BTW) Who do you think is going to win that race?

Don’t believe what I am saying ? Go do a little research.

This is a serious issue… and instead of pointing fingers (gamers and Anet alike) we should all be focusing on the how best to fix and prevent it. Hindsight is always 20/20… after it has happened the “why” doesn’t matter anymore does it?

My original account sugarbuns.**** was hacked on September 12. I take full responsibility for my WEAK password. However, reading on these forums has been very discouraging. After seeing that several people have had to wait OVER A WEEK, and some are still waiting I realized that I don’t have that sort of patience. I bought a second key yesterday and was able to at least get back in game and play. At this point I am not very hopeful about my original account.

After getting back in game, I discovered that my HACKED account had visited our guild’s bank and promptly emptied it out (for the most part). I had my guild members boot me from our guild, and got my new characters in. While playing all night I actually made contact with the person who currently has control of my account. They have taken my highest character from level 52 to level 57 in one day. I did not identify myself as the “owner” of the account, but said that I was a “friend” of the owner. During the confrontation they admitted that they were supposedly in JAPAN and that they had purchased the account off of eBay.

Regardless of any of it though. The only REAL contact that I have gotten in response to my tickets x 3 (due to feeling helpless and frustrated), is an e-mail basically lecturing me for filling out duplicate tickets for the same issue. I have only been updating one of those tickets since the mild berating. It will be interesting to see how long it takes them to get all of this “mess” worked out and actually put some sort of security system in place (possibly a coin lock or some other authentication system)?

Day number three and counting…

I am a co-guild leader and do to another over site and lack of CS the person who created the guild is unable to remove me because it’s not in the options. So now our 300 person guild that we worked for 8 months to create prior to release is at the mercy of a hacker while we wait to see how much damage they can do before Anet gets around to fixing things.

When I come here for help I am told by Anet employee’s it will be days before that help is available and it’s my own fault for getting hacked in the first place. So if I come across as angry and frustrated, that’s because I am.

Who treats their customers this way seriously? I have followed the game for years and there was constant talk of listening to their player base and how important we as consumers are to them. Well I am right here waiting and I am here to tell you, I am sure not feeling all that important to them right now.

lionhardt.2938:

As do I, this does not protect you. All they do is run a program to type random emails into the log in (or do it manually as this is a full time job in some countries.) When they get one that is registered it will say incorrect password. At that point they switch to the PW cracking program which will run millions of passwords until they crack your account.

Yes a gpu can crack a weak password in a few seconds. That’s why people should be using long passwords that can’t be easily guessed. Someone trying to compromise an account by brute forcing a password isn’t going to spend weeks or months trying to crack one account when so many other accounts can be cracked in seconds.

As for typing in random email addresses, the logical choice is to use lists of email addresses that have been used elsewhere, especially for games and gaming sites. It’s already known that those emails are in use, and the lists are a dime a dozen, available to anyone. There is no need to spend human or machine resources guessing email addresses that might not even be in existence when lists of known email addresses are much more reliable. As for spam, yes those get sent to email addresses that are not in use, but that’s usually in the form of admin@whatever or info@whatever.

The PW one I used for this game came back as strong. Again read my posts been playing MMO’s since 1993. I am not new to this, been there, seen that. The fact still remains that I did everything correct except changing my account info when Anet reported it may be compromised. Why did I not do that you ask? The system was down just as it is now. My wife and son still cannot change theirs.

With unlimited tries to access an account it would not take weeks or months as you suggest. GPU’s generate billions of passwords per second. While I appreciate your feed back it just simply is not accurate. An yes if your not in a third world country a data list is more practical. However if your paying 40 people .50 an hour to find account names for you and then run the hack program it become very profitable very quickly.

I could post up a couple links proving my point but feel that this would only enable more people and likely just get me in trouble. Could you create a password that would be more difficult, of course. Mine was not easy but perhaps I should have use a complete set of random numbers and letters and wrote it down instead of just making a very difficult password. Honestly that’s what I would suggest everyone does until Anet decides to do something about security.

Again not going to argue with you anymore about it. It’s pointless. When something bad happens to someone else and not them, people have this idea that the other person must be incompetent. Even when the other person makes intelligent, rational arguments showing otherwise, it makes no difference.

lionhardt.2938:

The PW one I used for this game came back as strong. Again read my posts been playing MMO’s since 1993. I am not new to this, been there, seen that. The fact still remains that I did everything correct except changing my account info when Anet reported it may be compromised. Why did I not do that you ask? The system was down just as it is now. My wife and son still cannot change theirs.

Came back strong from where? The game itself? If I go to gmail’s account signup page and put a pass of gw2password it says my password is strong. But I’d sure as heck not use that as a password anywhere.

In any case it doesn’t matter how long you’ve been gaming or how much knowledge you have. Anyone who uses services that require a password is susceptible to specifying one that is not strong enough or one that was already used elsewhere. That means you, me, and everyone else.

I hope everything is resolved quickly for you and the family, if it’s not already.

Err considering the hackers likely don’t have a hash file to use and can’t actually make billions of requests per second when trying to hack gw2 accounts, yes it would take weeks or months for many accounts. My gpu reference was for the case where someone does have a hash table to work with. I seriously doubt that is the case here.

In the end it doesn’t really matter how they are getting the accounts. I’m sure it’s a mix of easily cracked passwords, viruses, email databases and pw brute forcing. The end game is that people are getting their stuff jacked and everyone in the community should be in an uproar over it not blaming their fellow players for thieves that indiscriminately digitally high jack anything that will see a profit.

Seriously Anet should drop everything they are doing and put in the security measures that are needed to ensure account’s aren’t getting hit non stop. How many players are they going to lose over this before they decide it has priority over everything else they are doing?

Anet can get mad at me for continually posting in here if they want… I think the 5,000+ people should be all in here posting the exact same thing until a security update is put in.

Furthermore an acknowledgement of the problem would go a long way.

“Dear players we’re sorry, we will be working around the clock to ensure your accounts go back into the rightful owners hands and try our best to return your account to it’s original state.”

My deepest apologies if something like this has already been said and I have missed it!

Anet can quote me and just repost that and I’d be fine with it.

Maybe I should work on getting our guild of nearly 300+ to come in and help make this issue rise to the top.

There was already a post made somewhere recently which said they are working on a second form of authentication. You can get thousands more people here if you want, but I don’t see that speeding things up. Anything involving changing authentication needs a lot of time in the dev life cycle if the goal is to avoid more problems. Patience is needed.

In the meantime those with un-compromised accounts should be making longer and more secure passwords BEFORE they get compromised.

I think you mean first form of authentication.

ShadowX.4639:

I think you mean first form of authentication.

I know you were joking, but ArenaNet can’t force people to use a solid first form of auth.

anonymouse.9053:

I know you were joking, but ArenaNet can’t force people to use a solid first form of auth.

Except that the first form of authentication is broken for many users. E-mail notifications/verifications fail to send. Effectively locking the players out of their own accounts for taking the steps to secure it.

How is this solid?

ShadowX.4639:

http://transcendentveneration.guildportal.com/Guild.aspx?GuildID=447231&TabID=3829021&TopicID=10225985&ForumID=2158899#forumEnd

This is a snapshot of my original tweet about this issue. Can’t put it up here so put it up on our guild site. Notice that it’s at guildportal, nothing in this link takes you anywhere bad.

Someone in my guild informed the link isn’t working. It’s something to do with the link being rewritten thru Anet’s “you are leaving our site” page. If you copy the link and put it into a new tab it directs you to the forum page. Otherwise I guess it sends you to our guild page.

Which if you just go to forums and general you can find the post I am linking to.

“Except that the first form of authentication is broken for many users. E-mail notifications/verifications fail to send. Effectively locking the players out of their own accounts for taking the steps to secure it.

How is this solid?"
———————————
I was referring to passwords. The password is the first form of authentication. When I read that they were working on a second form, I thought this meant for sign-ins, but I could be wrong.

Why not add authenticator support for GW2 it’s the most secure function out there.

my account is hacked as well. i was notified that access to my account has been suspended. Doesnt this render the hacker unable to use my account as well?

Thank you everyone for your efforts to keep this post going and making valid points.

Early this morning my account was restored, just over 36 hours after reporting it stolen.

Despite losing all of my gems, money and items, I at least have regained control over my account. I am grateful for the timely assistance that was afforded to me.

While I feel that ANet still has a long way to go to improve the account security for its users, I hope that those measures being alluded to are implemented sooner rather than later.

lionspride.7596:

Thank you everyone for your efforts to keep this post going and making valid points.

Early this morning my account was restored, just over 36 hours after reporting it stolen.

Despite losing all of my gems, money and items, I at least have regained control over my account. I am grateful for the timely assistance that was afforded to me.

While I feel that ANet still has a long way to go to improve the account security for its users, I hope that those measures being alluded to are implemented sooner rather than later.

what about all your equipment? were they not soulbound?

feyrbrand.9587:

lionspride.7596:

Thank you everyone for your efforts to keep this post going and making valid points.

Early this morning my account was restored, just over 36 hours after reporting it stolen.

Despite losing all of my gems, money and items, I at least have regained control over my account. I am grateful for the timely assistance that was afforded to me.

While I feel that ANet still has a long way to go to improve the account security for its users, I hope that those measures being alluded to are implemented sooner rather than later.

what about all your equipment? were they not soulbound?

They probably just vendored or deleted all of his gear. Not like the a-hole who stole the account had any use for it.

GaileGray.9587:

People are only able to change account credentials if they know the account credentials, which is something that is happening outside of our game where a database for a forum, game, website, etc., is stolen and where the player is reusing credentials — something we’ve warned against for years!

Someone can try all day and night to change your email address, but they can only do that if they know the email address and the password. They can try to reset the password, but that is only processed if you confirm it.

Account security is important to us, but the principal owner of security is the account holder him- or herself.

Gaile,
Change to make things better in the future has to start with the provider to save users from themselves. If i built a skillsaw without a blade guard and 11000 people cut their fingers off it would not be good enough to say ….“Hey we’ve been warning you for years to keep your fingers away from the blade.”

For one, people tend to only want one email not several as its a pain to check a half dozen in-boxes every day. They also tend to keep email address for years. So when you have us use an email for our account name its like using a internet signature of our activity over the last several years making it easy for hackers to zero in their attacks.

So hackers are hacking into unencrypted web forum data bases and collecting peoples email address and cross referencing them to build a list of common passwords I’ve used around the net..Right? And we know this is happening for years so why then are we using an email address as our User Name and giving the hackers a target and the part of the equation they need to match up a password used elsewhere.

Why not protect users and generate a unique “account name” for them, just like you did for the forum names because I guaranty you Dman.9516 can not be traced back to any of me email address, that way the user name would be unique and guaranteed not to be on any hackers list.

I concede that users need to do more to protect themselves but providers of these internet products need to do more, and be smarter about user security, gone are the days were an email address is good enough as an account name.

It’s time to put a saw blade guard on internet security and protect users from losing their fingers to poorly designed security or their own bad habits …Right?

My sister was going to play today, as she’s at my home for the weekend and her own computer isn’t able to play the game because of shared RAM.
Realized her email doesn’t work to log on and it turns out her character is currently online on another server.

She hasn’t received an email saying her email has changed, or anything stating her password or IP has changed.

Hopefully the fact that she still has the email with the purchase order and license-key will mean she gets her account back in four weeks or so, judging from other players experiences with the time it takes ANet to resolve these issues.

GaileGray.9587:

Someone can try all day and night to change your email address, but they can only do that if they know the email address and the password. They can try to reset the password, but that is only processed if you confirm it.

Account security is important to us, but the principal owner of security is the account holder him- or herself.

This is stupid. The OP is right because this has been a problem for my boyfriend just now – his account was hacked last night (we were playing until about 3am est, and came down before 11am est) and in one night, someone was able to change the E-Mail account (and password – I’d assume) of his account WITH NO CONFIRMATION TO HIM. He also has never given his password out to others, not even our closest friends in guild.

There’s obviously something wrong on YOUR end because even if it was a keylogger, the first thing they would’ve hacked would probably have been his bank account, not his GW accounts. >_> All other password-protected accounts that he owns is FINE.

This is a huge issue on Arena Net’s end that NEEDS to be addressed, not just dismissed as the player’s responsibility. I do realize that a lot of players’ accounts are compromised due to their own negligence, but that is not the case here and to hear you guys dismiss all responsibility and make the players carry this burden is just further victimizing someone who doesn’t deserve it – it’s just insulting. FIX THIS.

I thought I should post the outcome of my situation…

Yesterday afternoon I received an e-mail from Anet that my original account had been restored.

They basically restored my account in 72 hours…

The outcome was:

My level 52 guardian was now level 65…
I went from having 32 silver on that toon to 1.25 gold…
My inventory was full and overflowing…
All of my gear and weapons had been up graded…
I even had a yellow helm…
None of my skill points or trait points had been spent…
Crafting hadn’t been touched, and everything was the same.

…and none of my other characters had been deleated… and were all in the same status as when I left them…

The worst thing that “happened” was that the person who ended up controling my account had raided our guild bank and took out a bunch of low level mats.

I immeadiately changed my e-mail address on that account to a non-yahoo account, and I also up graded my password to something that is MUCH MORE secure than the WEAK one that I orignially had.

Why doesn’t AN just implement an authenticator? I used them for other games and never had any issues…of course I never reuse credentials from anywhere else in any of my games and there are different email accounts as well. And, I change my passwords often using nonsensical phrases with a mixture of caps, numbers and other keys to create my passwords.

But the problem can go beyond just the game. It could very well have been a hacker who just happened to hit the right codes together and was able to access an account (would not have mattered to the hacker whose account, just an account). Obviously this is a rare occurrence unless said hacker actually has millions of email addresses and credentials from other sites and has a program that just cross checks and combines.

An authenticator can save lots of folks headaches and I for one, would not mind paying a few dollars for one to add more security to my account.

Just changed my password twice today with NO EMAIL CONFIRMATION. Just an email to my old email saying ‘I hope this was you.’ But NO confirmation of any kind.

Sure you may be telling players for years not to use the same username and password but then again didn’t you add an extra line of security for Guild Wars, the character name line? Players boasted about GW account security after that.

I will say now, in regards to that, I HAVE NEVER had such a ridiculous time trying to contact customer support. I love this game but MAN you’ve really dug players into a pit. Now with the auto suspension when someone tries to access your account from an unauthorized location. Jeez. And don’t play completely coy, I believe I read on the Reddit about clicking ‘Reset Password’ from the launcher and that the reset link code itself was allowing hackers access to players accounts. Either way, this is obviously out of control.

I can also confirm that this has been like this since day 1. My husband and I switched accounts around because of HoM rewards.(He gave them to me ^^) But while we were switching around the PW’s and emails…. There was never anything to confirm the switch and we both went uhhhh I don’t think that they mean this system to be like this? So we both thought they were just working on it and had implemented their secure system.

I really can not believe that it’s not in place yet. My heart felt condolences go out to all of you that have been a victim. And here’s hoping that everyone has slammed their head on the keyboard a couple times to generate new passwords that have no meaning!

I’ve got a ticket in with CS in an attempt to change my account name since they’ve disabled the option to do so through this site.

They tell us to be sure to use something we’ve not used before. In the mean time, let’s remove everyone’s ability to make the changes we’re requesting them to make …

So the Hackers can change out account information, but we can’t? Cool.

I have a feeling A-net is still making this harder than it needs to be. Email confirmation really could have prevented all of this.

I wish we knew what they planned to do for this. I feel like my account is just a ticking time bomb now. Especially since “we can not restore any lost items”. I guess it’s better this kinda stuff happens now, rather than a year from now. Still sucks though, 1 of my guild mates came back 4g richer and another came back minus10g and all their stuff vendor trashed / deleted.