Go to link for full article:
http://arstechnica.com/security/2012/09/guild-wars-2-password-attack-affects-10000-accounts/
Password crackers have hacked more than 11,000 accounts belonging to players of the popular game Guild Wars 2, in part by using credentials siphoned from an unknown fan site that was recently compromised, game officials said.
Officials with Guild Wars 2 developer ArenaNet recently began the practice of proactively e-mailing customers when someone logs into an account from a new location. They're also advising users to choose long, random passwords that are unique to their accounts and to check e-mail only from trusted devices. From Friday to Sunday, officials said they received about 8,500 support requests related to hacked accounts and another 2,574 requests by Monday.
Guild Wars 2 user forums are filled with threads like this one and this one, which tell similar tales. Online games such as World of Warcraft have long been hotbeds for account takeovers because the in-game assets such as gold and weapons can be sold online for real-world money. Accounts themselves are often sold wholesale.
"Uhm.. WTF!?" one Guild Wars 2 player wrote. "This is... frightening. I’ve barely owned the game for a day and already I’ve got Chinese hackers after my stuff?"
ArenaNet officials should be applauded for being upfront about the attacks and providing effective advice for choosing passwords that aren't susceptible to cracking attacks. Chief among that advice is picking a long, randomly generated password that isn't used on any other site.
The anecdote exposes a fundamental truth about compromised passwords that Ars explains in much greater detail here, namely that the Internet never forgets. Once a password has been compromised anywhere, it likely will live on forever in thousands of password lists that hackers use to gain unauthorized access to accounts.
ArenaNet officials didn't respond to e-mails seeking comment for this article.
edit: changed title for nitpickers
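The article says ArenaNet e-mails customers when an account is logged into from a new location. The sketch below is an added example (not ArenaNet's code and not from the article) of that check, plus a simple flag for one source trying many accounts the way a replayed password list would. The event tuples, the "ZZ" country code and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (timestamp, account, source_ip, country, success).
# IPs are documentation ranges; "ZZ" is a placeholder country code.
EVENTS = [
    ("2012-09-01T18:02:11", "alice", "198.51.100.7", "US", True),
    ("2012-09-01T19:40:52", "bob", "198.51.100.23", "DE", True),
    ("2012-09-03T02:14:05", "bob", "203.0.113.50", "ZZ", False),
    ("2012-09-03T02:14:06", "carol", "203.0.113.50", "ZZ", False),
    ("2012-09-03T02:14:07", "dave", "203.0.113.50", "ZZ", False),
    ("2012-09-03T02:14:09", "alice", "203.0.113.50", "ZZ", True),
    ("2012-09-03T20:31:00", "alice", "198.51.100.7", "US", True),
]


def new_location_logins(events):
    """Successful logins from a country the account never succeeded from before.

    The first successful login only sets the baseline and raises no alert.
    """
    seen = defaultdict(set)
    alerts = []
    for ts, account, _ip, country, ok in events:
        if not ok:
            continue  # failed attempts must not teach the baseline a new location
        if seen[account] and country not in seen[account]:
            alerts.append((ts, account, country))
        seen[account].add(country)
    return alerts


def list_replay_sources(events, min_accounts=3, max_success_ratio=0.5):
    """IPs that tried many distinct accounts and mostly failed (assumed thresholds)."""
    accounts = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for _ts, account, ip, _country, ok in events:
        accounts[ip].add(account)
        attempts[ip] += 1
        successes[ip] += int(ok)
    return sorted(
        ip for ip in accounts
        if len(accounts[ip]) >= min_accounts
        and successes[ip] / attempts[ip] <= max_success_ratio
    )


if __name__ == "__main__":
    print("notify account owner:", new_location_logins(EVENTS))
    print("throttle or challenge:", list_replay_sources(EVENTS))
```

In this sketch a flagged country joins the account's baseline right away; a real system would hold it back until the owner confirms the login.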
Comments
Bite Me
Yes...because when you use the same email and password on a fansite as you do with your game account...and the fansite gets hacked...it's obviously the developer's fault.
"As you read these words, a release is seven days or less away or has just happened within the last seven days those are now the only two states you'll find the world of Tyria."...Guild Wars 2
Well, a positive aspect of this is that at least 11.000 people already know that:
1. Their email password should be very long and very unique. Like ")(*Zf)SD(F*Ssdfx234';.,43" unique.
2. Their bank account should have the top length there is available and should be crazy like this one above.
3. Every account linked to your email should NOT have the same password as email, bank account or anything.
4. If they do - your online identity is long gone.
Yeah, but not fully ANet's fault. It's mostly the fault of the user, using a (known) listed eMail address. I for one know two of my games eMail addresses are listed and have made a new one for GW2. All Anet should do is after <x> logon attempts block the IP address for an hour or 2 before the next logon attempt is allowed.
Where did I say it is the developer's fault? But then again I wouldn't put all the blame on players either.
But thanks for the strawman.
Bite Me
the original article does reference this link
Why passwords have never been weaker—and crackers have never been stronger
http://arstechnica.com/security/2012/08/passwords-under-assault/
EQ2 fan sites
My recommendation is that for fan sites, you have a handful of passwords that you reuse a lot. It's fine if they're relatively weak passwords. Whenever you register for a new site, you consider whether you would care if your account on that site got "hacked". If not, you use one of your weak passwords, which makes it easy to remember. If so, then you avoid your weak passwords and pick a stronger password instead.
For example, if your account on this site got hacked, would you care? Unless you're a moderator or administrator here, why would anyone even try to steal your account? The problem with having your password stolen here is if you use the same password on another site where you do care if your account gets hacked. So you can intentionally pick a weak password here (and other fan sites, forums, etc.)--but never use that password for real games, e-mail, bank accounts, or other sites where you would care if you get hacked.
I'm not saying you should use "password" as your password here. But it doesn't need to be 14 characters of gibberish, nor does it need to be unique and never used on any other site. It only needs to be not used on sites where you would care if you got hacked.
Some MMOs/games use region blocks .. not always due to hacking but could be for licensing reasons etc.
aka: GW2Guru.com
They were "recently hacked" via an old as hell SQL injection method that even my public school district has protected itself against.
Also, BS on that article for not naming the "unknown fansite"; anyone with half a brain knows it was GW2guru (go check their forum).
The Theory of Conservative Conservation of Ignorant Stupidity:
Having a different opinion must mean you're a troll.
I'm sorry but I say this whole weak password stuff is absolute bullshit. I don't believe for a second that thousands of people are exposing their login details and password as is being suggested. How come other new games such as TSW didn't have the same problems?
Anyone who played Rift at launch has seen this whole scenario before: Thousands of accounts compromised, the developer blaming people for exposing their login details and passwords... and yet... what did it turn out to be in the end? The answer is a flaw in their own login procedures that enabled hackers to log in with a genuine account and then use a backdoor to access any other account they wanted. No passwords or login details needed at all. It was only after one of their users pointed this out to them that they quietly closed the backdoor and, miraculously, the whole hacking thing died a death.
It's about time Arenanet started employing experts to sort this mess out instead of blaming the users.
You missed the point. ArenaNet didn't get hacked, users did.
Death is nothing to us, since when we are, Death has not come, and when death has come, we are not.
It's never a great idea to use an email address as part of the login system.
Can't understand why companies do that rather than the old unique username/password and totally keep emails out of the login loop.. it seems to just make one less hurdle hackers need to get over.
How many years did it take the dickholes over at EAVision to admit to getting hammered like a drunken prom-date and losing tons of info?
TSW was not popular
to bring another popular recent online game for comparison:
many D3 players claimed the same thing at launch
Blizzard has been hacked! when Blizzard was not
http://www.eurogamer.net/articles/2012-05-21-diablo-3-accounts-hacked-gold-and-items-stolen
Blizzard did get hacked 3 months later but it was unrelated to the D3 hacking claims
EQ2 fan sites
Also TSW hasn't anything atm that would make gold selling from hacked accounts profitable ... If there is nothing in-game to buy with the gold (pax) then why buy it with $?
There was a Phishing campaign that was very successful in roping up thousands of idiots right when the game launched. There's also a list of account names and passwords that were hacked from other games that is being used to attack GW2.
The hackers are smart, and the people they hack, not so much.
A sure sign that you are in an old, dying paradigm/mindset, is when you are scared of new ideas and new technology. Don't feel bad. The world is moving on without you, and you are welcome to yell "Get Off My Lawn!" all you want while it happens. You cannot, however, stop an idea whose time has come.
For everyone protecting ANet, you should really stop. We can't just rabidly defend them because we like them, they clearly fucked up. Yes, I'm one of the ones affected, and yes, until I was I was all "idiots using the same passwords everywhere!"
This is not exclusively people using the same account info from one site to another (I mean, if that was the case the only "fan site" I go to is this one and my account info here is different from GW2). And even if it was, how many other games have had this issue? I'm sure that players of GW2 that use the same info from one site to another did it in WoW, LOTRO, Rift, and any other number of AAA titles that have come out and have never had this issue.
There is obviously a large number of people who have been had through no fault of ANet, but to put on the rose colored glasses and pretend that ANet's security is fantastic is just encouraging the shady business tactics they are taking part in. I recall a thread on Reddit where a man claimed that after he was hacked the hacker bought a ton of gems from the store and ANet (after taking 7 days to get him his account back) refused to pay the money back to him because their policy is that all purchases are final. He could be lying, but what if he is not? My experience with ANet support has not given me any reason to believe this man wasn't telling the truth.
Yes they are busy. No, I don't think they are maliciously ignoring us. But this has got to stop. They have to open up a phone line or something, a live chat, ANYTHING. If I could sit in a queue and wait 2 hours to talk to someone I'd be happy because at least I'd know I was in a queue. As it stands now I send in my ticket, I get a ticket #, and then....? Something happens? Maybe?
Meanwhile, individuals who exploited the karma bug are getting direct responses from devs on Reddit of all places about exactly how many times they exploited. Are you kidding me? Someone who abuses the game gets faster service than someone who did nothing wrong?
I love GW2 and really want to play, but if they don't get their act together I can't in good faith continue to support them.
Please visit my youtube channel for some H1Z1/DayZ casual roleplay videos!
https://www.youtube.com/channel/UCrQoK5VZlwBBzpsksmXtjMQ
2 differences:
1. There was a known flaw in Rift that was found out by the players. Players haven't found any such flaw in GW2.
2. There is a known fansite hack
You are suggesting that, faced with something that walks like a duck and quacks like a duck, ArenaNet should pretend it's a hippopotamus?
And I would bet my (unhacked) account they are investigating the possibility that it's a two-legged winged platypus instead of a duck just in case.
Yet. They haven't found a flaw yet.
Please visit my youtube channel for some H1Z1/DayZ casual roleplay videos!
https://www.youtube.com/channel/UCrQoK5VZlwBBzpsksmXtjMQ
Death is nothing to us, since when we are, Death has not come, and when death has come, we are not.
I'm a GW2 fan
you think I would have made a thread about this if I was covering/defending for ANET?
anytime I see a new thread about someone being hacked,
I don't give them grief along the lines of sucks for you, your fault
instead, I post support links to try to help them out
-- I don't blame ANET or the player, just want to help people get back into the game
EQ2 fan sites
Wasn't directed at anyone in particular. I actually think it's awesome you are bringing more attention to this, because the more bad publicity ANet gets, the more inclined they will be to fix it.
Please visit my youtube channel for some H1Z1/DayZ casual roleplay videos!
https://www.youtube.com/channel/UCrQoK5VZlwBBzpsksmXtjMQ
My theme song.
We get it, you are angry you got hacked. You so desperately want to make Arenanet out to be the villain here, it's beyond pathetic. You, unlike the OP, have no good intentions. You just want to trash a company because you yourself screwed up. You are like one of the people that would rent a movie, know when it was due, then be upset you had to pay 2 bucks when it was late and blame the corporation and call the BBB instead of taking responsibility for your actions.
Arenanet could have had more security measures to protect against user stupidity, but it's still not their fault you got hacked and never will be. And certainly no reason to want to sully a company's reputation.
But hey, keep believing in that magic bullet that makes everything their fault and not yours.