Proof that ArenaNet's servers most likely compromised

Satarious Member Uncommon Posts: 1,073

http://www.reddit.com/r/Guildwars2/comments/z16qv/new_email_address_getting_a_pw_reset_notification/

It appears that customers who dutifully followed ArenaNet's suggestion to "create dedicated email accounts for GW2" are receiving those "password reset" emails.  If this is the case, that pretty much blows apart their theory that accounts are "being hacked into as a result of farmed accounts from OTHER games".  It seems to me that ArenaNet is trying to avoid responsibility for their own third rate security/authentication system.  In response, this guy hits the nail on the head:

 

"Has it occurred to anyone that there is a possibility the support website (http://en.support.guildwars2.com/) has been hacked?

Support ticket CMS has a notoriety for this kind of thing.. I'd be careful. DO NOT use your game email / password when registering on their support website!"


Comments

  • TwoThreeFour Member Uncommon Posts: 2,155
    Edit: Nevermind :D
  • Yakkin Member Posts: 919
    O wait, nevermind. Just saw it. And I don't think I've made any emails for the support site, so I should be safer.
  • Comaf Member Uncommon Posts: 1,150

    Sometimes, when I think about how major corporations (think Apple and Samsung, for example) engage in corporate espionage, I come to wonder if video game companies are any different?  This year it was reported that the Iranian nuclear program was slowed a tad by a virus that was delivered aggressively from another country (I'm guessing that was us).

     

    So I wonder if say, Blizzard, might have had some fun with A-Net's servers.  Just a thought ;p)

  • bcbully Member Epic Posts: 11,838

    from the reddit linked in OP.

     

    One question ArenaNet. Why is it when you change your email, the confirmation goes to the NEW email instead of the old one? Shouldn't it go to the old one instead?

    What I'm mainly worried about is

    • There's no secret questions to reset password/change emails. A captcha on the password reset would stop whoever it is from trying to reset the password since I'm 100% sure they're just using a bot. This would force them to enter it manually which means people would either get none, or get a lot less than they are.
    • No captchas (I have to enter a captcha to send a support ticket but not to reset my password/email?)
    • Stop sending the confirmation email for when you change your email on the account to the NEW email instead of the old one. There is no reason for this.
    • Just add SOMETHING for account security. There is literally 0 security other than a password. In this day and age I think we all know a simple password can be easily found out.
     
    •  No customer support number to call and get your account back.
     
    I added the last one....
    "We see fundamentals and we ape in"
  • TwoThreeFour Member Uncommon Posts: 2,155

    There were many posts in that link, I read some but not all. Arenanet was indeed searching for any people who had a new email account set up exclusively for Guild Wars 2 and still received the password reset email. However, did any of the replies actually claim that they were such persons?

     

    I am asking because otherwise it just means that Arenanet wanted to rule out that possible scenario.

  • Satarious Member Uncommon Posts: 1,073
    Originally posted by TwoThreeFour

    There were many posts in that link, I read some but not all. Arenanet was indeed searching for any people who had a new email account set up exclusively for Guild Wars 2 and still received the password reset email. However, did any of the replies actually claim that they were such persons?

     

    I am asking because otherwise it just means that Arenanet wanted to rule out that possible scenario.

    Or, they could have received "Hacked account" tickets from folks who created new email accounts and wanted to see how widespread that issue was.  Either way, I still think it's something on their end considering how massive this problem has become.

    I'm not buying this BS they're putting out there about the fault being with OTHER compromised sites.  It just seems to me that they're trying to pass the blame since their massive ego has been built up by all the fanboys thinking they're the best thing since sliced bread and that they can do no wrong.

  • TwoThreeFour Member Uncommon Posts: 2,155
    Originally posted by Satarious
    Originally posted by TwoThreeFour

    There were many posts in that link, I read some but not all. Arenanet was indeed searching for any people who had a new email account set up exclusively for Guild Wars 2 and still received the password reset email. However, did any of the replies actually claim that they were such persons?

     

    I am asking because otherwise it just means that Arenanet wanted to rule out that possible scenario.

    Or, they could have received "Hacked account" tickets from folks who created new email accounts and wanted to see how widespread that issue was.  Either way, I still think it's something on their end considering how massive this problem has become.

    Yeah, you are right about that.

  • jusomdude Member Rare Posts: 2,706

    I'm getting kinda worried about this... I got one of those password reset emails I didn't request...

    They need authenticators for the game.

  • heartless Member Uncommon Posts: 4,993

    But it doesn't blow apart the possibility of trojans, keyloggers, SQL injections and other fun stuff like that.

    I've been on the internet for a long time, since the mid 90's, and if there is one thing I learned is that you should never trust the security of your account to a corporation, no matter how trustworthy they seem.

    The first and the best line of defense is you and if you don't take it seriously, then part of the blame is on you.

    I'll give you an example. I started getting those "reset password emails" a few days ago because I used the same email address as I did for Battle.net and SOE games. Knowing what this leads to, I created a new email account specifically for GW2. I have not received one password reset email since.

    I urge everyone to do the same. There is a lot of money in RMT and hackers are not going to stop no matter what ArenaNet does because it's just too lucrative. Look at WoW, even with all of the lawsuits Blizzard has won against gold traders, WoW players still get gold spam and accounts still get hacked. The hackers aren't going to stop because this is their livelihood.

    I know that some of you are here posting for different reasons but anyone who is serious about this, do what I did. It works.

     

    Just to clarify, and I apologize for the caps:

    CREATE A BRAND NEW EMAIL ACCOUNT AND TRANSFER YOUR EXISTING GW2 ACCOUNT THERE. No more password reset emails. Don't wait until ArenaNet does something, take matters into your own hands. It takes like 5 minutes to create a free email account with Yahoo or Gmail.

  • Takiton Member Posts: 73
    Originally posted by Satarious

    http://www.reddit.com/r/Guildwars2/comments/z16qv/new_email_address_getting_a_pw_reset_notification/

    It appears that customers who dutifully followed ArenaNet's suggestion to "create dedicated email accounts for GW2" are receiving those "password reset" emails.  If this is the case, that pretty much blows apart their theory that accounts are "being hacked into as a result of farmed accounts from OTHER games".  It seems to me that ArenaNet is trying to avoid responsibility for their own third rate security/authentication system.  In response, this guy hits the nail on the head:

     

    "Has it occurred to anyone that there is a possibility the support website (http://en.support.guildwars2.com/) has been hacked?

    Support ticket CMS has a notoriety for this kind of thing.. I'd be careful. DO NOT use your game email / password when registering on their support website!"

     

     

    with 100% certainty I have infallible truth proving that.... maybe, possibly, the servers were hacked, maybe.  I'm totally sure of this possible event

  • Satarious Member Uncommon Posts: 1,073
    Originally posted by heartless

    But it doesn't blow apart the possibility of trojans, keyloggers, SQL injections and other fun stuff like that.

    I've been on the internet for a long time, since the mid 90's, and if there is one thing I learned is that you should never trust the security of your account to a corporation, no matter how trustworthy they seem.

    The first and the best line of defense is you and if you don't take it seriously, then part of the blame is on you.

    I'll give you an example. I started getting those "reset password emails" a few days ago because I used the same email address as I did for Battle.net and SOE games. Knowing what this leads to, I created a new email account specifically for GW2. I have not received one password reset email since.

    I urge everyone to do the same. There is a lot of money in RMT and hackers are not going to stop no matter what ArenaNet does because it's just too lucrative. Look at WoW, even with all of the lawsuits Blizzard has won against gold traders, WoW players still get gold spam and accounts still get hacked. The hackers aren't going to stop because this is their livelihood.

    I know that some of you are here posting for different reasons but anyone who is serious about this, do what I did. It works.

     

    Just to clarify, and I apologize for the caps:

    CREATE A BRAND NEW EMAIL ACCOUNT AND TRANSFER YOUR EXISTING GW2 ACCOUNT THERE. No more password reset emails. Don't wait until ArenaNet does something, take matters into your own hands. It takes like 5 minutes to create a free email account with Yahoo or Gmail.

    I've pretty much ruled out trojans, keyloggers, etc. in my case since I update and run SuperAntiSpyware religiously (every day) on my machine and have MS Security Essentials for the AV.  Plus, I make it a point to never click on links in email.  I always go directly to my account url any time I get an email making me aware of something to do with my account.  I've been doing this since the dawn of the World Wide Web and it has served me well.  That's why I have my doubts that it has anything to do with me.  

  • Lobotomist Member Epic Posts: 5,965

    The state of hacking intrusions has risen by 1000% since the last year.

    Every possible game company that holds any kind of online service was hacked: from Sony to Blizzard, Valve ... you name it. Including ALL MMO companies.

    I think there is some server vulnerability that is kept quiet by companies, since there is no defence against it.

    Anyway Diablo 3 was hacked - with all protection they had, didn't help.

    Now we can only watch as they hack Anet.

     



  • jusomdude Member Rare Posts: 2,706

    How do you change your email? I don't see any options for it in account management.

     

    NM, apparently you can't change the email if you didn't link with a GW1 account.

  • heartless Member Uncommon Posts: 4,993
    Originally posted by Satarious
    Originally posted by heartless

    But it doesn't blow apart the possibility of trojans, keyloggers, SQL injections and other fun stuff like that.

    I've been on the internet for a long time, since the mid 90's, and if there is one thing I learned is that you should never trust the security of your account to a corporation, no matter how trustworthy they seem.

    The first and the best line of defense is you and if you don't take it seriously, then part of the blame is on you.

    I'll give you an example. I started getting those "reset password emails" a few days ago because I used the same email address as I did for Battle.net and SOE games. Knowing what this leads to, I created a new email account specifically for GW2. I have not received one password reset email since.

    I urge everyone to do the same. There is a lot of money in RMT and hackers are not going to stop no matter what ArenaNet does because it's just too lucrative. Look at WoW, even with all of the lawsuits Blizzard has won against gold traders, WoW players still get gold spam and accounts still get hacked. The hackers aren't going to stop because this is their livelihood.

    I know that some of you are here posting for different reasons but anyone who is serious about this, do what I did. It works.

     

    Just to clarify, and I apologize for the caps:

    CREATE A BRAND NEW EMAIL ACCOUNT AND TRANSFER YOUR EXISTING GW2 ACCOUNT THERE. No more password reset emails. Don't wait until ArenaNet does something, take matters into your own hands. It takes like 5 minutes to create a free email account with Yahoo or Gmail.

    I've pretty much ruled out trojans, keyloggers, etc. in my case since I update and run SuperAntiSpyware religiously (every day) on my machine and have MS Security Essentials for the AV.  Plus, I make it a point to never click on links in email.  I always go directly to my account url any time I get an email making me aware of something to do with my account.  I've been doing this since the dawn of the World Wide Web and it has served me well.  That's why I have my doubts that it has anything to do with me.  

    The worst thing you can do is rule out trojans and other stuff because you use a particular software. The people who create trojans and other viruses create them to be undetected by various anti virus software. It happens, the guys that do this are not 4chan script kiddies. They actually know what they are doing.

    SQL injections can happen on any website, regardless of how trustworthy it is. Don't have to click an email link. Does no one else remember when Allakhazam notified everyone that they have been unknowingly running ads with trojans and keyloggers? This was during vanilla WoW. Stuff like this happens. If you believe that you're unhackable, you already failed, since there is no such thing.

  • fyerwall Member Uncommon Posts: 3,240
    Originally posted by jusomdude

    How do you change your email? I don't see any options for it in account management.

     

    NM, apparently you can't change the email if you didn't link with a GW1 account.

    You know, friend of mine today got a password reset email for GW2. He doesn't own/play GW2 at all, but he has GW1. He changed the email address and PW associated with the account to a freshly created gmail account. Within an hour of creating the gmail account and changing the email in the account manager he started getting PW reset emails at the new address. And it's not due to a keylogger or trojan as he had just completed a full reinstall of Windows on his PC after installing his new HDD yesterday.

    He's not worried though as he doesn't play GW1 anymore and isn't really interested in GW2 at the moment.

    There are 3 types of people in the world.
    1.) Those who make things happen
    2.) Those who watch things happen
    3.) And those who wonder "What the %#*& just happened?!"


  • Quizzical Member Legendary Posts: 25,348
    Originally posted by bcbully
    • Stop sending the confirmation email for when you change your email on the account to the NEW email instead of the old one. There is no reason for this.

    The trouble with sending it to the old account only is, what if you lose access to your old account?  That's not much of a concern a week after launch, but three years after launch, it sure is.
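
The trade-off raised in the two posts above (confirming at the new address versus protecting the owner of the old one) can be met by doing both. The sketch below is an added example, not part of the thread and not ArenaNet's implementation; the class names, the one-hour confirmation lifetime and the seven-day undo window are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

CONFIRM_TTL = 3600           # assumed: link sent to the new address lives 1 hour
REVERT_WINDOW = 7 * 86400    # assumed: old address may undo the change for 7 days


def _digest(token: str) -> str:
    # Only token hashes are stored, so a database leak does not expose live links.
    return hashlib.sha256(token.encode()).hexdigest()


def _matches(stored: str, presented: str) -> bool:
    return hmac.compare_digest(stored, _digest(presented))


@dataclass
class Account:
    email: str
    pending: Optional[dict] = None   # requested change, not yet confirmed
    undo: Optional[dict] = None      # completed change that can still be reverted
    must_reset_password: bool = False


@dataclass
class EmailChangeFlow:
    outbox: list = field(default_factory=list)  # (recipient, kind, token), stands in for a mailer

    def request_change(self, acct: Account, new_email: str, now: float) -> None:
        confirm, revert = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        acct.pending = {"new": new_email, "confirm": _digest(confirm),
                        "revert": _digest(revert), "expires": now + CONFIRM_TTL}
        # The new address must prove it is reachable by the requester.
        self.outbox.append((new_email, "confirm", confirm))
        # The old address is always told, and is handed the undo link.
        self.outbox.append((acct.email, "notice-with-revert", revert))

    def confirm(self, acct: Account, token: str, now: float) -> bool:
        p = acct.pending
        if not p or now > p["expires"] or not _matches(p["confirm"], token):
            return False
        acct.undo = {"old": acct.email, "revert": p["revert"],
                     "expires": now + REVERT_WINDOW}
        acct.email, acct.pending = p["new"], None
        return True

    def revert(self, acct: Account, token: str, now: float) -> bool:
        p, u = acct.pending, acct.undo
        if p and _matches(p["revert"], token):
            acct.pending = None                      # cancel before it completes
        elif u and now <= u["expires"] and _matches(u["revert"], token):
            acct.email, acct.undo = u["old"], None   # roll back a completed change
        else:
            return False
        # Whoever requested the change knew the password, so force a new one.
        acct.must_reset_password = True
        return True
```

A user who has lost the old mailbox can still complete the change, because nothing has to be clicked there; a user whose account was taken over still has a week to undo it from the old mailbox.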

  • Satarious Member Uncommon Posts: 1,073
    Originally posted by heartless
     

    The worst thing you can do is rule out trojans and other stuff because you use a particular software. The people who create trojans and other viruses create them to be undetected by various anti virus software. It happens, the guys that do this are not 4chan script kiddies. They actually know what they are doing.

    SQL injections can happen on any website, regardless of how trustworthy it is. Don't have to click an email link. Does no one else remember when Allakhazam notified everyone that they have been unknowingly running ads with trojans and keyloggers? This was during vanilla WoW. Stuff like this happens. If you believe that you're unhackable, you already failed, since there is no such thing.

    I take your point that every security can be circumvented.  This applies to carjacking as well.  There is no sophisticated car security system that can guard against a simple Tow Truck, for instance.  But thieves (whether it's in carjacking or software) prefer to go for the easy job.  In this case, I think the "easy job" is ArenaNet/NCSoft's pitiful security/authentication system.  I seriously doubt the security hole is on my end since I've had no issues with accounts being hacked for the 20 years I've been using the internet.  This is the first time.  This game basically gave me a rude awakening to the vulnerability of my info being stored on some server with little to no security.

  • GeezerGamer Member Epic Posts: 8,855

    Also. Get yourselves KeePass or something like it. My personal info never goes through my keyboard. EVER.

    Even setting up the passwords in KeePass, I copied the characters in one at a time. LOL

    I've had a separate email account I only used for my MMO subs. I did all this after my WoW account got hacked...actually, it was my webmail account not WoW. But they used it to reset my passwords. 

     

    Anyway, I haven't gotten any questionable emails. I'm not convinced I need a whole new email account just for GW2. I do frequently change my email account passwords and it's not simple either. We'll see, if this issue doesn't clear up and Anet remains plagued, I might set up another email. I'm just tired of creating an email account for this and another for that. I have too many now.

  • Zinzan Member Uncommon Posts: 1,351

    I wonder how many of the players who had their accounts hacked have a reddit account which uses the same email address as their GW2 account....

    Reddit is far from a secure site and quite a few redditors are wannabe script kiddies, some are quite creative and more than capable of this kind of thing.

    Not all redditors ofc, most are decent people, but it's a possibility no-one seems to be considering.

    Expresso gave me a Hearthstone beta key.....I'm so happy :)

  • Yakkin Member Posts: 919
    Just changed my password from an 8 letter and number to a 20 something letter password, but it's a phrase I made up that will be easy for me to remember, but I figured the length will be helpful. Think it will work?
  • fyerwall Member Uncommon Posts: 3,240
    Also look at how long it takes companies to fess up when it comes to their systems being hacked. People were bitching for a while about their D3 accounts being hacked and Blizzard kept blaming the user. A few weeks later they mention they were compromised and point out that it went as far back as before the launch of Diablo.

    There are 3 types of people in the world.
    1.) Those who make things happen
    2.) Those who watch things happen
    3.) And those who wonder "What the %#*& just happened?!"


  • MMOExposed Member Rare Posts: 7,387

    interesting.

     

    SoE hacked

    Blizzard Hacked

    Trion Hacked

    (whatever developers of RoM) Hacked

    NCsoft Hacked

    now Anet as well?

     

    could be...

    this is getting interesting

    Philosophy of MMO Game Design

  • JoeyMMO Member Uncommon Posts: 1,326
    "proof" and "most likely" are kinda contradictory. There either is proof, or it is a likely guess. One or the other, not both. Still no harm in upping security.

  • heartless Member Uncommon Posts: 4,993
    Originally posted by Satarious
    Originally posted by heartless
     

    The worst thing you can do is rule out trojans and other stuff because you use a particular software. The people who create trojans and other viruses create them to be undetected by various anti virus software. It happens, the guys that do this are not 4chan script kiddies. They actually know what they are doing.

    SQL injections can happen on any website, regardless of how trustworthy it is. Don't have to click an email link. Does no one else remember when Allakhazam notified everyone that they have been unknowingly running ads with trojans and keyloggers? This was during vanilla WoW. Stuff like this happens. If you believe that you're unhackable, you already failed, since there is no such thing.

    I take your point that every security can be circumvented.  This applies to carjacking as well.  There is no sophisticated car security system that can guard against a simple Tow Truck, for instance.  But thieves (whether it's in carjacking or software) prefer to go for the easy job.  In this case, I think the "easy job" is ArenaNet/NCSoft's pitiful security/authentication system.  I seriously doubt the security hole is on my end since I've had no issues with accounts being hacked for the 20 years I've been using the internet.  This is the first time.  This game basically gave me a rude awakening to the vulnerability of my info being stored on some server with little to no security.

    Yea, it's a bit different than stealing a car. There is no easy or hard job. The hackers have a list of email accounts associated with various MMORPGs. They also have a list of passwords. Keep in mind that Blizzard got hacked, SOE got hacked, etc. These hacker guys have all of the info. They simply brute force the account system/launcher until they get a hit. It's as simple as that.

    Imagine if you were trying to hack the password to my MMORPG.com account. You know my username, it's "heartless." Now all you need is a password. Now imagine for a second that you have a password list consisting of millions of various different combinations of letters and numbers and other symbols and that's just the least invasive way of getting into your account.

    Protect yourself before blaming any one else and you'll always be safer. If your username is not on the list somewhere, you're not going to get hacked because guessing a password is one thing but guessing a user name and a password is ridiculously hard.

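
On the server side, the pattern described in the post above (leaked address and password lists replayed against the login until one pair works) looks different from an owner mistyping a password: one source tries many different accounts and nearly all attempts fail. The detector below is an added example, not part of the thread; the log format, the thresholds and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<UTC timestamp> login ip=<addr> user=<email> result=ok|fail"
LINE = re.compile(r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>ok|fail)$")

WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_ACCOUNTS = 5                 # distinct accounts tried from one source
MIN_FAIL_RATIO = 0.8             # share of failed attempts in the window

# Constructed sample: one source walking a list of accounts, one ordinary user.
SAMPLE_LOG = [
    f"2012-09-03T10:00:{i:02d}Z login ip=198.51.100.7 "
    f"user=player{i}@example.test result={'ok' if i == 6 else 'fail'}"
    for i in range(8)
] + [
    "2012-09-03T10:01:00Z login ip=203.0.113.20 user=alice@example.test result=fail",
    "2012-09-03T10:01:09Z login ip=203.0.113.20 user=alice@example.test result=fail",
    "2012-09-03T10:01:20Z login ip=203.0.113.20 user=alice@example.test result=ok",
]


def parse(lines):
    """Yield (timestamp, ip, user, succeeded) for every well-formed line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["user"], m["res"] == "ok"


def detect_stuffing(lines):
    """Return {ip: {"accounts_tried": n, "compromised": [users]}} for flagged sources."""
    by_ip = defaultdict(list)
    for event in sorted(parse(lines)):
        by_ip[event[1]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        start, most, hits = 0, 0, set()
        for end, (ts, _, _, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {u for _, _, u, _ in window}
            fail_ratio = sum(not ok for *_, ok in window) / len(window)
            if len(users) >= MIN_ACCOUNTS and fail_ratio >= MIN_FAIL_RATIO:
                most = max(most, len(users))
                # A success inside a flagged window is a likely takeover:
                # that account needs a forced reset and session revocation.
                hits.update(u for _, _, u, ok in window if ok)
        if most:
            findings[ip] = {"accounts_tried": most, "compromised": sorted(hits)}
    return findings


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

Repeated guessing against a single account does not trip this check and needs its own per-account failure counter.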

  • xpiher Member Uncommon Posts: 3,310
    Originally posted by Satarious
    Originally posted by heartless

    But it doesn't blow apart the possibility of trojans, keyloggers, SQL injections and other fun stuff like that.

    I've been on the internet for a long time, since the mid 90's, and if there is one thing I learned is that you should never trust the security of your account to a corporation, no matter how trustworthy they seem.

    The first and the best line of defense is you and if you don't take it seriously, then part of the blame is on you.

    I'll give you an example. I started getting those "reset password emails" a few days ago because I used the same email address as I did for Battle.net and SOE games. Knowing what this leads to, I created a new email account specifically for GW2. I have not received one password reset email since.

    I urge everyone to do the same. There is a lot of money in RMT and hackers are not going to stop no matter what ArenaNet does because it's just too lucrative. Look at WoW, even with all of the lawsuits Blizzard has won against gold traders, WoW players still get gold spam and accounts still get hacked. The hackers aren't going to stop because this is their livelihood.

    I know that some of you are here posting for different reasons but anyone who is serious about this, do what I did. It works.

     

    Just to clarify, and I apologize for the caps:

    CREATE A BRAND NEW EMAIL ACCOUNT AND TRANSFER YOUR EXISTING GW2 ACCOUNT THERE. No more password reset emails. Don't wait until ArenaNet does something, take matters into your own hands. It takes like 5 minutes to create a free email account with Yahoo or Gmail.

    I've pretty much ruled out trojans, keyloggers, etc. in my case since I update and run SuperAntiSpyware religiously (every day) on my machine and have MS Security Essentials for the AV.  Plus, I make it a point to never click on links in email.  I always go directly to my account url any time I get an email making me aware of something to do with my account.  I've been doing this since the dawn of the World Wide Web and it has served me well.  That's why I have my doubts that it has anything to do with me.  

     

    You still can't rule out the fact that it could be sniffing or them intercepting from a hop to ANET's servers. 

     

    I have yet to get these e-mails. So I believe ANET when they say it's not on their end. When I get it, then I'll suspect e-mail

    Games:
    Currently playing:Nothing
    Will play: Darkfall: Unholy Wars
    Past games:
    Guild Wars 2 - Xpiher Duminous
    Xpiher's GW2
    GW 1 - Xpiher Duminous
    Darkfall - Xpiher Duminous (NA) retired
    AoC - Xpiher (Tyranny) retired
    Warhammer - Xpiher
