Proof that ArenaNet's servers most likely compromised

Satarious | Kansas City, MO | Posts: 1,075 | Member

http://www.reddit.com/r/Guildwars2/comments/z16qv/new_email_address_getting_a_pw_reset_notification/

It appears that customers who dutifully followed ArenaNet's suggestion to "create dedicated email accounts for GW2" are receiving those "password reset" emails.  If this is the case, that pretty much blows apart their theory that accounts are "being hacked into as a result of farmed accounts from OTHER games".  It seems to me that ArenaNet is trying to avoid responsibility for their own third rate security/authentication system.  In response, this guy hits the nail on the head:

 

"Has it occurred to anyone that there is a possibility the support website (http://en.support.guildwars2.com/) has been hacked?

Support ticket CMS has a notoriety for this kind of thing.. I'd be careful. DO NOT use your game email / password when registering on their support website!"


Comments

  • TwoThreeFour | Virginia, VA | Posts: 2,131 | Member
    Edit: Nevermind :D
  • Yakkin | irvine, CA | Posts: 919 | Member
    O wait, nevermind. Just saw it. And I don't think I've made any emails for the support site, so I should be safer.
  • Comaf | Chicago, IL | Posts: 1,154 | Member Common

    Sometimes, when I think about how major corporations (think Apple and Samsung, for example) engage in corporate espionage, I come to wonder if video game companies are any different?  This year it was reported that the Iranian nuclear program was slowed a tad by a virus that was delivered aggressively from another country (I'm guessing that was us).

     

    So I wonder if say, Blizzard, might have had some fun with A-Net's servers.  Just a thought ;p)

  • bcbully | Westland, MI | Posts: 8,284 | Member Uncommon

    from the reddit linked in OP.

     

    One question ArenaNet. Why is it when you change your email, the confirmation goes to the NEW email instead of the old one? Shouldn't it go to the old one instead?

    What I'm mainly worried about is

    • There's no secret questions to reset password/change emails. A captcha on the password reset would stop whoever it is from trying to reset the password since I'm 100% sure they're just using a bot. This would force them to enter it manually which means people would either get none, or get a lot less than they are.
    • No captchas (I have to enter a captcha to send a support ticket but not to reset my password/email?)
    • Stop sending the confirmation email for when you change your email on the account to the NEW email instead of the old one. There is no reason for this.
    • Just add SOMETHING for account security. There is literally 0 security other than a password. In this day and age I think we all know a simple password can be easily found out.
     
    •  No customer support number to call and get your account back.
     
    I added the last one....
  • TwoThreeFour | Virginia, VA | Posts: 2,131 | Member

    There were many posts in that link, I read some but not all. Arenanet was indeed searching for any people who had a new email account set up exclusively for Guild Wars 2 and still received the password reset email. However, did any of the replies actually claim that they were such persons?

     

    I am asking because otherwise it just means that Arenanet wanted to rule out that possible scenario.

  • Satarious | Kansas City, MO | Posts: 1,075 | Member
    Originally posted by TwoThreeFour

    There were many posts in that link, I read some but not all. Arenanet was indeed searching for any people who had a new email account set up exclusively for Guild Wars 2 and still received the password reset email. However, did any of the replies actually claim that they were such persons?

     

    I am asking because otherwise it just means that Arenanet wanted to rule out that possible scenario.

    Or, they could have received "Hacked account" tickets from folks who created new email accounts and wanted to see how widespread that issue was.  Either way, I still think it's something on their end considering how massive this problem has become.

    I'm not buying this BS they're putting out there about the fault being with OTHER compromised sites.  It just seems to me that they're trying to pass the blame since their massive ego has been built up by all the fanboys thinking they're the best thing since sliced bread and that they can do no wrong.

  • TwoThreeFour | Virginia, VA | Posts: 2,131 | Member
    Originally posted by Satarious
    Originally posted by TwoThreeFour

    There were many posts in that link, I read some but not all. Arenanet was indeed searching for any people who had a new email account set up exclusively for Guild Wars 2 and still received the password reset email. However, did any of the replies actually claim that they were such persons?

     

    I am asking because otherwise it just means that Arenanet wanted to rule out that possible scenario.

    Or, they could have received "Hacked account" tickets from folks who created new email accounts and wanted to see how widespread that issue was.  Either way, I still think it's something on their end considering how massive this problem has become.

    Yeah, you are right about that.

  • jusomdude | Posts: 2,389 | Member Uncommon

    I'm getting kinda worried about this... I got one of those password reset emails I didn't request...

    They need authenticators for the game.

  • heartless | Brooklyn, NY | Posts: 4,993 | Member

    But it doesn't blow apart the possibility of trojans, keyloggers, SQL injections and other fun stuff like that.

    I've been on the internet for a long time, since the mid 90's, and if there is one thing I learned is that you should never trust the security of your account to a corporation, no matter how trustworthy they seem.

    The first and the best line of defense is you and if you don't take it seriously, then part of the blame is on you.

    I'll give you an example. I started getting those "reset password emails" a few days ago because I used the same email address as I did for Battle.net and SOE games. Knowing what this leads to, I created a new email account specifically for GW2. I have not received one password reset email since.

    I urge everyone to do the same. There is a lot of money in RMT and hackers are not going to stop no matter what ArenaNet does because it's just too lucrative. Look at WoW, even with all of the lawsuits Blizzard has won against gold traders, WoW players still get gold spam and accounts still get hacked. The hackers aren't going to stop because this is their livelihood.

    I know that some of you are here posting for different reasons but anyone who is serious about this, do what I did. It works.

     

    Just to clarify, and I apologize for the caps:

    CREATE A BRAND NEW EMAIL ACCOUNT AND TRANSFER YOUR EXISTING GW2 ACCOUNT THERE. No more password reset emails. Don't wait until ArenaNet does something, take matters into your own hands. It takes like 5 minutes to create a free email account with Yahoo or Gmail.


  • Takiton | Arlington Heights, IL | Posts: 73 | Member
    Originally posted by Satarious

    http://www.reddit.com/r/Guildwars2/comments/z16qv/new_email_address_getting_a_pw_reset_notification/

    It appears that customers who dutifully followed ArenaNet's suggestion to "create dedicated email accounts for GW2" are receiving those "password reset" emails.  If this is the case, that pretty much blows apart their theory that accounts are "being hacked into as a result of farmed accounts from OTHER games".  It seems to me that ArenaNet is trying to avoid responsibility for their own third rate security/authentication system.  In response, this guy hits the nail on the head:

     

    "Has it occurred to anyone that there is a possibility the support website (http://en.support.guildwars2.com/) has been hacked?

    Support ticket CMS has a notoriety for this kind of thing.. I'd be careful. DO NOT use your game email / password when registering on their support website!"

     

     

    With 100% certainty I have infallible truth proving that.... maybe, possibly, the servers were hacked, maybe.  I'm totally sure of this possible event

  • Satarious | Kansas City, MO | Posts: 1,075 | Member
    Originally posted by heartless

    But it doesn't blow apart the possibility of trojans, keyloggers, SQL injections and other fun stuff like that.

    I've been on the internet for a long time, since the mid 90's, and if there is one thing I learned is that you should never trust the security of your account to a corporation, no matter how trustworthy they seem.

    The first and the best line of defense is you and if you don't take it seriously, then part of the blame is on you.

    I'll give you an example. I started getting those "reset password emails" a few days ago because I used the same email address as I did for Battle.net and SOE games. Knowing what this leads to, I created a new email account specifically for GW2. I have not received one password reset email since.

    I urge everyone to do the same. There is a lot of money in RMT and hackers are not going to stop no matter what ArenaNet does because it's just too lucrative. Look at WoW, even with all of the lawsuits Blizzard has won against gold traders, WoW players still get gold spam and accounts still get hacked. The hackers aren't going to stop because this is their livelihood.

    I know that some of you are here posting for different reasons but anyone who is serious about this, do what I did. It works.

     

    Just to clarify, and I apologize for the caps:

    CREATE A BRAND NEW EMAIL ACCOUNT AND TRANSFER YOUR EXISTING GW2 ACCOUNT THERE. No more password reset emails. Don't wait until ArenaNet does something, take matters into your own hands. It takes like 5 minutes to create a free email account with Yahoo or Gmail.

    I've pretty much ruled out trojans, keyloggers, etc. in my case since I update and run SuperAntiSpyware religiously (every day) on my machine and have MS Security Essentials for the AV.  Plus, I make it a point to never click on links in email.  I always go directly to my account url any time I get an email making me aware of something to do with my account.  I've been doing this since the dawn of the World Wide Web and it has served me well.  That's why I have my doubts that it has anything to do with me.  

  • slowpoke68 | Chicago, IL | Posts: 413 | Member Uncommon
    Originally posted by heartless

    But it doesn't blow apart the possibility of trojans, keyloggers, SQL injections and other fun stuff like that.

    I've been on the internet for a long time, since the mid 90's, and if there is one thing I learned is that you should never trust the security of your account to a corporation, no matter how trustworthy they seem.

    The first and the best line of defense is you and if you don't take it seriously, then part of the blame is on you.

    I'll give you an example. I started getting those "reset password emails" a few days ago because I used the same email address as I did for Battle.net and SOE games. Knowing what this leads to, I created a new email account specifically for GW2. I have not received one password reset email since.

    I urge everyone to do the same. There is a lot of money in RMT and hackers are not going to stop no matter what ArenaNet does because it's just too lucrative. Look at WoW, even with all of the lawsuits Blizzard has won against gold traders, WoW players still get gold spam and accounts still get hacked. The hackers aren't going to stop because this is their livelihood.

    I know that some of you are here posting for different reasons but anyone who is serious about this, do what I did. It works.

     

    Just to clarify, and I apologize for the caps:

    CREATE A BRAND NEW EMAIL ACCOUNT AND TRANSFER YOUR EXISTING GW2 ACCOUNT THERE. No more password reset emails. Don't wait until ArenaNet does something, take matters into your own hands. It takes like 5 minutes to create a free email account with Yahoo or Gmail.

    Geez that is scary!  Like you, I have been computing since the mid-nineties.  I couldn't believe it, but a couple of months ago, for the first time, I found a key logger on my computer.  Have no idea how I got it, as I take security seriously and am very careful about what I do on the net.  I didn't fool around and did a complete low level format and real install of my OS just to be safe, but still.

    Hackers are getting so aggressive these days it is crazy.  Your point is well taken.

  • Lobotomist | Zagreb | Posts: 5,063 | Member Uncommon

    The state of hacking intrusions has risen by 1000% since the last year.

    Every possible game company that holds any kind of online service was hacked: from Sony to Blizzard, Valve ... you name it. Including ALL MMO companies.

    I think there is some server vulnerability that is kept quiet by companies, since there is no defence against it.

    Anyway Diablo 3 was hacked - with all protection they had, didn't help.

    Now we can only watch as they hack Anet.

     


  • jusomdude | Posts: 2,389 | Member Uncommon

    How do you change your email? I don't see any options for it in account management.

     

    NM, apparently you can't change the email if you didn't link with a GW1 account.

  • heartless | Brooklyn, NY | Posts: 4,993 | Member
    Originally posted by Satarious
    Originally posted by heartless

    But it doesn't blow apart the possibility of trojans, keyloggers, SQL injections and other fun stuff like that.

    I've been on the internet for a long time, since the mid 90's, and if there is one thing I learned is that you should never trust the security of your account to a corporation, no matter how trustworthy they seem.

    The first and the best line of defense is you and if you don't take it seriously, then part of the blame is on you.

    I'll give you an example. I started getting those "reset password emails" a few days ago because I used the same email address as I did for Battle.net and SOE games. Knowing what this leads to, I created a new email account specifically for GW2. I have not received one password reset email since.

    I urge everyone to do the same. There is a lot of money in RMT and hackers are not going to stop no matter what ArenaNet does because it's just too lucrative. Look at WoW, even with all of the lawsuits Blizzard has won against gold traders, WoW players still get gold spam and accounts still get hacked. The hackers aren't going to stop because this is their livelihood.

    I know that some of you are here posting for different reasons but anyone who is serious about this, do what I did. It works.

     

    Just to clarify, and I apologize for the caps:

    CREATE A BRAND NEW EMAIL ACCOUNT AND TRANSFER YOUR EXISTING GW2 ACCOUNT THERE. No more password reset emails. Don't wait until ArenaNet does something, take matters into your own hands. It takes like 5 minutes to create a free email account with Yahoo or Gmail.

    I've pretty much ruled out trojans, keyloggers, etc. in my case since I update and run SuperAntiSpyware religiously (every day) on my machine and have MS Security Essentials for the AV.  Plus, I make it a point to never click on links in email.  I always go directly to my account url any time I get an email making me aware of something to do with my account.  I've been doing this since the dawn of the World Wide Web and it has served me well.  That's why I have my doubts that it has anything to do with me.  

    The worst thing you can do is rule out trojans and other stuff because you use a particular software. The people who create trojans and other viruses create them to be undetected by various anti virus software. It happens, the guys that do this are not 4chan script kiddies. They actually know what they are doing.

    SQL injections can happen on any website, regardless of how trustworthy it is. Don't have to click an email link. Does no one else remember when Alakhazam notified everyone that they have been unknowingly running ads with trojans and keyloggers? This was during vanilla WoW. Stuff like this happens. If you believe that you're unhackable, you already failed, since there is no such thing.


  • fyerwall | Posts: 3,155 | Member Uncommon
    Originally posted by jusomdude

    How do you change your email? I don't see any options for it in account management.

     

    NM, apparently you can't change the email if you didn't link with a GW1 account.

    You know, friend of mine today got a password reset email for GW2. He doesn't own/play GW2 at all, but he has GW1. He changed the email address and PW associated with the account to a freshly created gmail account. Within an hour of creating the gmail account and changing the email in the account manager he started getting PW reset emails at the new address. And it's not due to a keylogger or trojan as he had just completed a full reinstall of windows on his PC after installing his new HDD yesterday.

    He's not worried though as he doesn't play GW1 anymore and isn't really interested in GW2 at the moment.

    There are 3 types of people in the world.
    1.) Those who make things happen
    2.) Those who watch things happen
    3.) And those who wonder "What the %#*& just happened?!"



  • Quizzical | Posts: 14,792 | Member Uncommon
    Originally posted by bcbully
    • Stop sending the confirmation email for when you change your email on the account to the NEW email instead of the old one. There is no reason for this.

    The trouble with sending it to the old account only is, what if you lose access to your old account?  That's not much of a concern a week after launch, but three years after launch, it sure is.
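
The trade-off raised in the two posts above (confirmation going only to the new address versus only to the old one), sketched as an added example that is not ArenaNet's code and not part of any post: the new address must confirm the change, while the old address gets an immediate notice and then a time-limited revert token. The class, function names, TTL values and the `outbox` list standing in for a mailer are all hypothetical.

```python
import hashlib
import hmac
import secrets
import time

CONFIRM_TTL = 3600            # assumed: new address must confirm within 1 hour
REVERT_TTL = 7 * 24 * 3600    # assumed: old address may undo for 7 days


def _digest(token):
    # Store only a hash so a database leak does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def _valid(record, token, now):
    # A token is accepted only if a record exists, is unexpired, and matches.
    return (record is not None and now <= record["exp"]
            and hmac.compare_digest(record["hash"], _digest(token)))


class Account:
    def __init__(self, email):
        self.email = email
        self.pending = None   # in-flight change awaiting the new address
        self.revert = None    # undo window held open for the old address


def request_email_change(acct, new_email, outbox, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct.pending = {"new": new_email, "hash": _digest(token),
                    "exp": now + CONFIRM_TTL}
    outbox.append((new_email, "confirm", token))   # proves control of new address
    outbox.append((acct.email, "notice", None))    # current owner hears at once


def confirm_email_change(acct, token, outbox, now=None):
    now = time.time() if now is None else now
    if not _valid(acct.pending, token, now):
        return False
    revert = secrets.token_urlsafe(32)
    acct.revert = {"old": acct.email, "hash": _digest(revert),
                   "exp": now + REVERT_TTL}
    outbox.append((acct.email, "revert", revert))  # goes to the OLD address
    acct.email, acct.pending = acct.pending["new"], None  # token is single-use
    return True


def revert_email_change(acct, token, now=None):
    now = time.time() if now is None else now
    if not _valid(acct.revert, token, now):
        return False
    acct.email, acct.revert = acct.revert["old"], None
    return True
```

Someone who has lost the old mailbox can still complete the change through the new one, and someone whose account was taken over can still undo it from the old one until the revert window closes.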

  • Satarious | Kansas City, MO | Posts: 1,075 | Member
    Originally posted by heartless
     

    The worst thing you can do is rule out trojans and other stuff because you use a particular software. The people who create trojans and other viruses create them to be undetected by various anti virus software. It happens, the guys that do this are not 4chan script kiddies. They actually know what they are doing.

    SQL injections can happen on any website, regardless of how trustworthy it is. Don't have to click an email link. Does no one else remember when Alakhazam notified everyone that they have been unknowingly running ads with trojans and keyloggers? This was during vanilla WoW. Stuff like this happens. If you believe that you're unhackable, you already failed, since there is no such thing.

    I take your point that every security can be circumvented.  This applies to carjacking as well.  There is no sophisticated car security system that can guard against a simple Tow Truck, for instance.  But thieves (whether it's in carjacking or software) prefer to go for the easy job.  In this case, I think the "easy job" is ArenaNet/NCSoft's pitiful security/authentication system.  I seriously doubt the security hole is on my end since I've had no issues with accounts being hacked for the 20 years I've been using the internet.  This is the first time.  This game basically gave me a rude awakening to the vulnerability of my info being stored on some server with little to no security.

  • GeezerGamer | Chair | Posts: 5,605 | Member Uncommon

    Also. Get yourselves KeePass or something like it. My personal info never goes through my keyboard. EVER.

    Even setting up the passwords in KeePass, I copied the characters in one at a time. LOL

    I've had a separate email account I only used for my MMO subs. I did all this after my WoW account got hacked...actually, it was my webmail account not WoW. But they used it to reset my passwords. 

     

    Anyway, I haven't gotten any questionable emails. I'm not convinced I need a whole new email account just for GW2. I do frequently change my email account passwords and it's not simple either. We'll see, if this issue doesn't clear up and Anet remains plagued, I might set up another email. I'm just tired of creating an email account for this and another for that. I have too many now.

  • Zinzan | North | Posts: 1,351 | Member

    I wonder how many of the players who had their accounts hacked have a reddit account which uses the same email address as their GW2 account....

    Reddit is far from a secure site and quite a few redditors are wannabe script kiddies, some are quite creative and more than capable of this kind of thing.

    Not all redditors ofc, most are decent people, but it's a possibility no-one seems to be considering.

    Expresso gave me a Hearthstone beta key.....I'm so happy :)

  • Yakkin | irvine, CA | Posts: 919 | Member
    Just changed my password from an 8 letter and number to a 20 something letter password, but it's a phrase I made up that will be easy for me to remember, but I figured the length will be helpful. Think it will work?
  • fyerwall | Posts: 3,155 | Member Uncommon
    Also look at how long it takes companies to fess up when it comes to their systems being hacked. People were bitching for a while about their D3 accounts being hacked and Blizzard kept blaming the user. A few weeks later they mention they were compromised and point out that it went as far back as before the launch of Diablo.


  • Aori | Carbondale, IL | Posts: 1,886 | Member Uncommon
    Originally posted by fyerwall
    Also look at how long it takes companies to fess up when it comes to their systems being hacked. People were bitching for a while about their D3 accounts being hacked and Blizzard kept blaming the user. A few weeks later they mention they were compromised and point out that it went as far back as before the launch of Diablo.

    the D3 'hacks' and bliz compromise weren't even linked lol. Either way blizzard announced it several days after the intrusion once they figured what was taken.

  • MMOExposed | lalal land, DC | Posts: 6,258 | Member Uncommon

    interesting.

     

    SoE hacked

    Blizzard Hacked

    Trion Hacked

    (whatever developers of RoM) Hacked

    NCsoft Hacked

    now Anet as well?

     

    could be...

    this is getting interesting


  • JoeyMMO | Somewhere | Posts: 1,326 | Member
    "proof" and "most likely" are kinda contradictory. There either is proof, or it is a likely guess. One or the other, not both. Still no harm in upping security.
