Guild Wars 2

Thank you for the advice. We made another attempt after dinner and finally managed to get the tiger.

I still hope they fix the issue soon though. My first time doing the event was with 3 of my friends. We were having a great time until two of them crashed and couldn’t rejoin. It kinda killed the excitement of battle we had been looking forward to.

The Dragon’s Stand meta event has a massive issue with rejoining the fight if you disconnect. Once the map engages the final zone event, it becomes impossible to join the map in any way. So, if you disconnect on the fight, you no longer get to participate in the battle you worked 1-2 hours to get to.

My girlfriend and I have been trying to clear the event just to get the tiger pet for her Ranger. However, all four times we got to the final encounter, her Guild Wars will crash at some point during the encounter.

A few minutes ago, I thought we finally had it because we defeated the boss without a disconnect. However, while gliding to the chest, she got booted again. Nothing I can do can get her back to the map to claim a tiger, despite being there since the map opened.

There needs to be a system in place to allow a player who has been participating in the map’s meta event to rejoin.

Me and a friend were having trouble with this mission tonight. My friend got it working by running right at the friendly NPCs as soon as the gate opened, which caused them both to become aggressive. I used the #3 ability (Charge) as soon as I clicked the gate prompt and it also charged straight through one and made both aggressive.

I’m not sure if this works 100% of the time or why it works, but it may be worth a try for anyone else having this issue.

The initial tests were on the same IP address. I have since tested it with two different IPs with the same conclusion. The disconnect button will only kick them out of the website. It will do nothing to remove them from your actual game account.

This is incredibly misleading and I think should either be fixed to remove them from the game as well, or to prevent the disconnect button from appearing if the hacker is in the game but not on the website, since it would do nothing in that situation other than offer a false sense of control.

After some testing this morning, I’ve realized why I had strange behavior with the Disconnect button on the security page.

It appears to do nothing. Absolutely nothing.

I logged into the Guild Wars 2 game on one computer and the guildwars2.com security page on another computer. While logged into the game, I removed myself from the Authorized Networks and then clicked disconnect on my own IP that I had the game running on. It did nothing to my game. I could still run around and freely change characters. The only thing I could tell it did was reset the time the security page said I’d been online back to 1 minute. That explains how the hacker always seemed to be instantly back online.

I then tried changing the password. Same thing. Despite my account password changing, I was never booted from the game. Only upon logging out completely did it prevent me from getting back on without the new password/mobile authentication code.

What is the point of the Disconnect button if it is going to do nothing? I spent the entire hour I was being hacked clicking it every minute because I was convinced it did something.

I’m going to install GW2 on another computer and see if getting booted from the game because another client logs in will force a person out of the account. If I had to guess, it won’t since I did try to log on during this.

Edit: I found a use for the disconnect button.. It will disconnect them from your account management page on the guildwars2.com website. I do not know why the button appears when they are only logged into the game if it’s not going to do anything to remove them from it.

I used the old email address while sending all the messages to CS. However, when I sent it I had already changed my email password. Furthermore, even if he had the name of the new email, it has an entirely different password. It also allows me to check the IP of recent connections to my new email, allowing me to verify that nobody other than me has accessed it.

Even if he had access to my email, I believe the only way to use it to gain access would be to do a password reset, but the passwords I set never stopped working. At one point, I reset my password, logged into the Security page and disconnected the IP. I hit refresh almost right away and they were already logged back in. It did not seem to slow them down at all.

My concern was that there was some way for them to keep a persistent connection after obtaining access once, despite login details changing.

EDIT:
I’d also like to mention that I changed my account password three times throughout this time period. Each time was with a new password I’ve never used anywhere before, all 20+ characters long.

Here is the full text of my ticket and timestamps, with my emails redacted.

Edit:

Added lines to make it more readable.

Ellieanna.5027:

Don’t you find it funny how in less then an hour of an account being hacked, the email was changed. That is no way an account is hacked, proof of identity is done and the email is changed is the amount of time the OP posted. Also, if you re-read, the OP’s email was also hacked. That is not on Anet at all. When THAT occurs, it causes a lot of issues, outside of Anet’s control, especially when you leave the serial code to your game in your email, and the hack gets it.

As soon as I found the authenticator attached, I opened a support ticket along with the last 4 digits of my credit card, my full name, and my birth date to verify my identity.

Regarding a keylogger, a full scan with MalwareBytes and Microsoft Security Essentials came up with nothing.

Finally, I am not sure that my email was hacked. I admit the possibility that the first email was initially compromised, though it may not have been. I just cannot verify it since that particular email doesn’t allow me to see previous logins. The Gmail account I switched to later does.

Despite verifying nobody had access to my gmail account, it did not do anything to boot the hacker off the account. That is the main reason I wrote this post. That seems to be a major security flaw that I hope will be addressed.

I also do not have the serial code for GW2 saved in my email account history.

For proof of the customer service response times, I’ve included the full email below (Read from the bottom up). The times are in PST instead of EST, but you can see the ticket was submitted around 00:36 (3:36 EST) which was about 25 minutes after I initially received the first login email. The delay was the result of trying to look up where to submit a ticket, changing my GW2 info, changing my email password, all while trying to constantly disconnect the hacker.

By 0:42, a support representative was able to remove the mobile authenticator off my acount. By 0:55-0:59, the representative was in touch to change my email to another secure email. I was honestly impressed with the speed of the communication.

I’ve included the email in the next post because this post got too long to include it here.

EDIT:
I have since figured out that the disconnect button will not remove a hacker from the game client. It only will remove them from the website account management. This is incredibly misleading, as the disconnect button appears when a hacker is logged into the game and, you would think, would remove them from it.

Original Post

Around two hours ago, roughly 3:10AM EST, I received an email notifying me of a login attempt from a Korean IP. I did not click anything in the email, navigated to the Guild Wars 2 website in my browser, logged into my account, and changed my password. Then I checked my Security page to make sure everyone was in order.

Everything was not in order. Somehow the Korean IP was listed under Authorized Networks and also had been logged in under Current Logins for about 5 minutes. I disconnected their current session and removed them from the Authorized Networks. I also noticed they added a mobile authenticator to the account, which is strange because it did not prompt me for a code when I logged in. I contacted Customer Support, who removed the authenticator about 6 minutes later. I also assumed my email must be compromised and took the steps of changing the password.

This should have been the end of the problem. However, despite having changed the game password, the email password, removing them from the Authorized Networks, and removing the mobile authenticator, the Korean IP continues to appear under Current Logins like clockwork almost as soon as I disconnect it. I would like to mention that the password I set was still working, so they had not reset my password and still somehow had maintained their login session.

Despite this, I reset my Guild Wars 2 password a second time. This did exactly nothing to stop the hacker. It was still appearing under the Current Logins (but not authorized networks) constantly. All the password changes did nothing to even slow this hacker down. At this point, the Customer Service changed my Guild Wars 2 email on the account to a different, secure gmail account (with account login history) and did a third password reset. This, again, had no effect. In gmail, I confirmed that no other IP has ever logged into that email address, and yet the hacker was still connecting without an issue.

It was now around 4:20AM EST, and despite constantly disconnecting them, two of my characters are completely naked with my gold, karma, bags, and gear gone. This brings up a number of issues.

1 – Hacker Persistant Log-In

While it is possible my first email was initially compromised, changing the password and even changing my Guild Wars 2 account email to a gmail account that I can 100% confirm was not compromised did not help secure my game account. Somehow, after the initial login session is granted to them, there was no way to revoke that login permission. I’m assuming the disconnect button on the Security page was booting them off the character, but not out of the launcher, but I have no way of confirming that. I was also unable to log into any characters during this entire period, as I would get a message alerting me that I was being logged in from another client during the loading screen every time.

2 – Why didn’t the Customer Support lock my account?

The damage could’ve been greatly reduced had the first action by Customer Support been to lock everyone, including me, out of the account while it was being fixed. I appreciate the quick response time to remove the mobile authenticator, but despite catching this person just 5 minutes into hacking my account, I still lost all of my currency/gear. I thought an account lock was standard procedure in these situations.

3 – Website Trouble

I spent the entire hour this was occuring refreshing the Account Security page and ran into two problems. Sometimes it would be blank below the Current Logins and Authenticated Networks, when I knew that was wrong because I was logged in myself. Other times it would load an XML error with the message “This XML file does not appear to have any style information associated with it. The document tree is shown below.” These errors greatly reduced how often I was able to disconnect this person, as reloading sometimes took a few minutes to get it to properly load.