Why are Gaming Companies Exempt?
I actually give gaming companies more grief than my bank, because I know that my banks are technologically inept. IT since 1997, and I’m still young to the industry. The creative, networking and security aspects go hand in hand (or should, but we know that defenses are meant to be broken), so I don’t give game companies as much leeway.
Which isn’t the common assessment. Just a truth through experience. I’m relatively calm about a bank releasing my personal account information, because I know it’s ripe for the picking for anyone who cares enough.
It’s NOT a leak on ArenaNet’s side. ArenaNet didn’t leak your personal details. Those Chinese hackers collected large lists of email addresses (and associated passwords) from a variety of other games, forums and websites. See also their game updates... including some earlier ones and this one:
We’ve observed hack attempts against hundreds of thousands of accounts that don’t even exist. To protect those people in case they purchase Guild Wars 2 and create an account, we will now disallow customers from picking passwords that we’ve previously seen used in a hack attempt.
So it’s only the people who have used the same email address that they used in other places, that got hacked. People with a unique email address for Guild Wars 2, don’t have a problem.
If you really want to compare it to a bank… suppose you would (and could) choose to use the exact same creditcard number and pin code for multiple different bank accounts. If one of those banks got hacked, could you really blame the other banks if your accounts there got plundered as well?
And could you please explain to me how someone could “lose hundreds of dollars” from temporarily not being able to access a game account that doesn’t have a subscription fee? Can you give me even 1 actual (factual) case?
(edited by Cheiron the Centaur.1829)
Hi Cheiron,
As read from an earlier topic, I believe a gentlemen lost $250 because ArenaNet saved his CVC credit card number (Without permission) when purchasing gems from the gemstore. His account was then hacked and $250 worth of gems were purchased.
Now off topic a little, this game has had one of the smoothest launches of any MMO… but people are being hacked left right and center and they are indeed getting a blank account back! Its a little silly you must admit simply because some of those people have been playing since pre-purchased launch and if I had a level 80 that was deleted because someone in china hacked my account… well… it wouldn’t be very nice xD And I’d want some form of compensation but thats my personal opinion.
Hi Cheiron,
As read from an earlier topic, I believe a gentlemen lost $250 because ArenaNet saved his CVC credit card number (Without permission) when purchasing gems from the gemstore. His account was then hacked and $250 worth of gems were purchased.
While I agree that ArenaNet shouldn’t store that kind of information on your account without your express permission, that gentleman’s credit card company should be able to handle this case of credit card fraud and provide him with a full refund.
And I don’t think you can expect any kind of compensation, as, even though ArenaNet’s security system definitely isn’t what it should be, part of this is also your own fault (being careless with your email address/password). The best you can hope for, is that they finish implementing the account revert program within the next couple of weeks, so that they can revert your account back to the state before it got hacked (if you would still desire to do so at that time).
(edited by Cheiron the Centaur.1829)
Skulsebud, it’s my situation, in fact I would like to come back 150 hours of my life. I have no idea what kind of compensation they could offer, the fact remains that I lost a character lv80 with all the boost bought through gems, equipment exotic and very high percentage of map completion. I don’t know whether to laugh or cry or simply cursing someone.
Frostpyro, you must not be aware that there are many many many lists of emails and passwords floating around the web and shared between people who try to maliciously access those accounts. If your GW2 account was compromised, your credentials are on at least one of those lists. This is not an issue of ArenaNet being compromised. This is an issue of people not being secure enough with their own credentials.
Last night, just for kicks, I did some searches online and found around a dozen long email and password lists for various sites. I don’t mean a few logins, but a lot in each list. This was just after a few minutes of searching.
There is no need for anyone to bother trying to get into ArenaNet’s databases when login credentials for various insecure sites are freely available for anyone to use. And with people using the same login credentials from site to site, it’s quite easy to find many valid logins for GW2.
If you don’t want to be compromised, do what ArenaNet and others have been saying repeatedly. Use an email and long password you don’t use anywhere else, and don’t use that info anywhere else, ever again. And check your pc for malware.
My account data has not been compromised ever, as far as I know, and my GW2 data isn’t going to be compromised. Why? Because I use a unique email and password, and I don’t respond to fake emails, and I regularly scan my pc. I am proactive about my account security, but many players don’t do the same thing, and they are stuck paying the consequences of their own actions.
Hi Cheiron,
As read from an earlier topic, I believe a gentlemen lost $250 because ArenaNet saved his CVC credit card number (Without permission) when purchasing gems from the gemstore. His account was then hacked and $250 worth of gems were purchased.
Now off topic a little, this game has had one of the smoothest launches of any MMO… but people are being hacked left right and center and they are indeed getting a blank account back! Its a little silly you must admit simply because some of those people have been playing since pre-purchased launch and if I had a level 80 that was deleted because someone in china hacked my account… well… it wouldn’t be very nice xD And I’d want some form of compensation but thats my personal opinion.
they are not saving CCV information, what they have done is set up a subscription style system where any further transactions do not need the CCV. Same result though.
Frostpyro, you must not be aware that there are many many many lists of emails and passwords floating around the web and shared between people who try to maliciously access those accounts. If your GW2 account was compromised, your credentials are on at least one of those lists. This is not an issue of ArenaNet being compromised. This is an issue of people not being secure enough with their own credentials.
Last night, just for kicks, I did some searches online and found around a dozen long email and password lists for various sites. I don’t mean a few logins, but a lot in each list. This was just after a few minutes of searching.
There is no need for anyone to bother trying to get into ArenaNet’s databases when login credentials for various insecure sites are freely available for anyone to use. And with people using the same login credentials from site to site, it’s quite easy to find many valid logins for GW2.
If you don’t want to be compromised, do what ArenaNet and others have been saying repeatedly. Use an email and long password you don’t use anywhere else, and don’t use that info anywhere else, ever again. And check your pc for malware.
My account data has not been compromised ever, as far as I know, and my GW2 data isn’t going to be compromised. Why? Because I use a unique email and password, and I don’t respond to fake emails, and I regularly scan my pc. I am proactive about my account security, but many players don’t do the same thing, and they are stuck paying the consequences of their own actions.
Simple solution lock accounts after 3 tries and send an email to account holder, and yes there clearly is reason for people to get into arenas accounts just like there was with battle.nets, That is where lists like these come from as well as other sites. Just remember blizzard never ever said when they got hacked just that they found out they had been hacked meanwhile everyone was shouting about how it was the players faults because no on would ever bother to try to hack blizzard. People hack governments for fun, when there is money involved to say there is “no need” for them to hack the company itself is not exactly true.
But to answer the question in the title, gaming companies are not exempt, they are under the same rules and laws that any company that holds data on you is under.
There is no need for them to hack into GW2 databases because there are still plenty of existing email and password combinations floating around for them to try.
If you found a set of keys outside a row of houses, you’d go through those keys first before you tried picking any of the locks. It’s easier and faster to get into someone’s account (or house) if you already have a list of emails and passwords (keys).
I am not surprised Blizzard eventually was hacked. But I don’t for a second believe ArenaNet has been compromised at this point in time. If they had been, there would be a lot more reports of compromised accounts considering they sold over a million copies already.
But I do find it amusing to read the conspiracy posts and threads. lol
I also don’t believe ArenaNet has been hacked. Why? Three reasons:
1. They are honest enough about such critical issues, that they would have informed us/warned us if that were the case.
2. See the game updates: if ArenaNet’s database had been hacked, why would hackers still bother testing logins for thousands of email addresses that do not have a GW2 account? That’d make absolutely no sense at all.
3. Amongst all the thousands of users that have been hacked, I have not heard of a single case where someone had a unique email address that they only used for Guild Wars 2, and still got hacked. If ArenaNet’s database had been hacked, then many of those users would have gotten hacked as well.
There is no need for them to hack into GW2 databases because there are still plenty of existing email and password combinations floating around for them to try.
If you found a set of keys outside a row of houses, you’d go through those keys first before you tried picking any of the locks. It’s easier and faster to get into someone’s account (or house) if you already have a list of emails and passwords (keys).
I am not surprised Blizzard eventually was hacked. But I don’t for a second believe ArenaNet has been compromised at this point in time. If they had been, there would be a lot more reports of compromised accounts considering they sold over a million copies already.
But I do find it amusing to read the conspiracy posts and threads. lol
A million copies and over 20k hacked accounts so around 2% at monday last week. That is pretty much the norm for any launch lets see what wave 2 of the hacking brings.
I also don’t believe ArenaNet has been hacked. Why? Three reasons:
1. They are honest enough about such critical issues, that they would have informed us/warned us if that were the case.
2. See the game updates: if ArenaNet’s database had been hacked, why would hackers still bother testing logins for thousands of email addresses that do not have a GW2 account? That’d make absolutely no sense at all.
3. Amongst all the thousands of users that have been hacked, I have not heard of a single case where someone had a unique email address that they only used for Guild Wars 2, and still got hacked. If ArenaNet’s database had been hacked, then many of those users would have gotten hacked as well.
1/ It is not the case of honesty it is the law, but that does not mean they could not sit on the info for a little while. But you are correct they have been 100% upfront with the number of hacked account requests they have had, even giving exact numbers to the gaming press.
2/ There is more than one group of people out there selling information, so one group of hackers doing something is not really indicate they all are. Remember this is not one group of kiddies doing it for fun hacking of game sites has been linked with organised crime when CC details and money is involved.
3/There are reports of that all over every gamesite read the comments, there is also reports on the forums of people doing that and still getting hacked, just because you password is unique or you only use your email for this game does not mean you are immune from other methods. A unique email and password is a good idea, it is not a cure all.
belive me mate. Retail stores get away with it too. I work for a certain very large one who shall remain nameless but they lost my passport, threatened to suspend me as they no longer had “proof of my right to work in the UK” (I was born in england and lived her my whole life) When i kick up a stink about it including a complaint to the Independant Commissioners Office they basically lied to the ICO about where the manager has gone and that it was an isolated incident (6 others had similar things go missing)
big companys get away with anything they want, us little ppl mean nothing regardless of the dangers we may be put in from their incompetence
DAOC – Excalibur
WAR – Karak-Azgal
WAR – Karak-Azgal
3/There are reports of that all over every gamesite read the comments, there is also reports on the forums of people doing that and still getting hacked, just because you password is unique or you only use your email for this game does not mean you are immune from other methods. A unique email and password is a good idea, it is not a cure all.
So far, the only case I have read where someone specifically confirmed that they used a unique email address for GW2 that they had never used anywhere else and not shared with anyone, is this thread... but that person also admits that it could be any of a number of reasons. I will definitely be watching that case closely, as I am curious about the reason there.
Usually the statements are along the lines of “I have not used this email address/password combination for any other online game”, which says next to nothing, as it excludes all other websites and forums.
This is as much an attack on ANet as it is us users. GW2 success is directly related to selling goods to us in game but how much are you going to spend knowing your account might be hacked? …and you can’t rely on ArenaNet to get your stuff back.
This is a black mark on a otherwise outstanding game but I have to think that if ArenaNet didn’t have us use our email address as our user names the hackers would have had a much harder time of it matching up passwords and email addresses pilfered from other games or game forums.
With our emails required to be our log-in name half the work is done for the hacker.
I concede users need to do more to make sure they are secure but on the other hand is it really reasonable to expect us to create a new email address for every game or service we pay for or receive on the internet?
Isn’t some of this responsibility in the hands of the provider, isn’t it in the interest of companies that rely on internet transaction to keep our stuff safe?
I can’t believe in 2012 with account theft as prevalent as it has become that some kind of better authentication system was not put in place.
Even Bioware was smart enough to have both a hardware and phone app authenticator ready at launch along with a list of personal questions you had to answer to make any account related change.
Pointing the finger at the user and saying this is all on you is not good enough ….
Sorry if a Skillsaw came without cutting blade guard and 11000 people cut their fingers off would you say …“well the user should know better not to get his hand in the way of a spinning saw blade”… or did the manufacture not do all he could to protect his customer? ….and how many more Skillsaws would they sell once that hit the news?
The game should have came with an authenticator. I would glady have paid for a 5 dollar keychain authenticator or a mobile authenticator.
That would have prevented this whole mess, right?
I have experience with brute-force hacking and so long as you have a decent alpha numeric password with a special character and lenght to it, brute force takes too long. Or is that just for WEP cracking using Aircrack?
Now if someone uses their name as their e-mail and then uses their name followed by a few numerics a the end, then that would be easy for a brute force/dictionary attack. But then, how can you brute force a password when you are only alloted so many tries?