Update - Wednesday, December 2, 2009

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Update - Wednesday, December 2, 2009
Bug Fixes

* Fixed a crash bug.
* Fixed the URL for requesting a password reset.
Second one is interesting. Either it wasn't functioning properly (which I think we would have heard about in the Bugs forum) or it had a security vulnerability. If it's the latter, I guess the rash of account thefts is over now. However, it would sadden me that a vulnerability that every game programmer should remember from the days of D2 somehow made it into GW. WTB official clarification: can we breathe easier about account theft?

Hyperventilate

Krytan Explorer

Join Date: Nov 2007

Somewhere in California

I Gots A Crayon [Blue]

Me/Mo

Quote:
Originally Posted by Chthon View Post
WTB official clarification: can we breathe easier about account theft?
This, pl0x.

These are dark times to be playing GW. I really hope that this fixed it, but, if that was the case, why was it something so "simple" to fix? I understand tracking it down would be difficult, but wouldn't things like this (If the account thefts were truly URL based) be something you'd think about in the very beginning when making a site that would involve you previously entering your account information?


I'd like to know what the fix was, really. Whether it was because of these thefts or not. This update was a tad suspicious.

sickle of carnage

Wilds Pathfinder

Join Date: Sep 2007

Textual Harassment [kTHX]

Quote:
* Fixed the URL for requesting a password reset.
Sounds like accounts were being stolen over a URL...

lejimmtohy

Ascalonian Squire

Join Date: May 2008

Hey no offense to all of these bug updates but really, when are the skill updates rolling in?

sickle of carnage

Wilds Pathfinder

Join Date: Sep 2007

Textual Harassment [kTHX]

Quote:
Originally Posted by lejimmtohy View Post
Hey no offense to all of these bug updates but really, when are the skill updates rolling in?
Usually the first Monday of the month...

Hyperventilate

Krytan Explorer

Join Date: Nov 2007

Somewhere in California

I Gots A Crayon [Blue]

Me/Mo

Quote:
Originally Posted by lejimmtohy View Post
Hey no offense to all of these bug updates but really, when are the skill updates rolling in?

Personally, I want them to get these account thefts fixed first before they devote their time to skill balances. Seems like the much more serious of the two issues.

zwei2stein

Grotto Attendant

Join Date: Jun 2006

Europe

The German Order [GER]

N/

Quote:
Originally Posted by Chthon View Post
If it's the later, I guess the rash of account thefts is over now.
That would explain a LOT, and make people feel secure once again, indeed.

Bob Slydell

Forge Runner

Join Date: Jan 2007

I too was a little suspicious with the URL thing. I wonder if that really was it, you know? It is possible someone may have been into a little bit of URL tweaking (since there are lots of sites that if you tweak the URL enough you can get where you shouldn't be) and maybe this person figured out how to add something or tweak something in the url to reset (or change) the password to the account of his/her choice. And it only takes one person to figure it out, spread the word and crazy stuff starts happening.

If the "i r got haxed" threads actually stop flowing in I will be shocked.

zwei2stein

Grotto Attendant

Join Date: Jun 2006

Europe

The German Order [GER]

N/

Quote:
Originally Posted by Chrisworld View Post
...and maybe this person figured out how to add something or tweak something in the url to reset (or change) the password to the account of his/her choice.
This is my suspicion: the first symptom of being haxed was that the password no longer worked, and only after changing it through PlayNC was the "045, account blocked for your own protection" error displayed.

So, flow looks simple now:

Goldseller abuses exploit to get username and reset its password -> Raids account -> support notices it and blocks account -> User finds out password no longer works, resets it and gets block notice upon login.

Bob Slydell

Forge Runner

Join Date: Jan 2007

Quote:
Originally Posted by zwei2stein View Post
This is my suspicion: the first symptom of being haxed was that the password no longer worked, and only after changing it through PlayNC was the "045, account blocked for your own protection" error displayed.

So, flow looks simple now:

Goldseller abuses exploit to get username and reset its password -> Raids account -> support notices it and blocks account -> User finds out password no longer works, resets it and gets block notice upon login.
As an example of how easy it might have been (of course assuming this WAS what the update fixed): go up to this post now and change the last numbers to whatever you want as a way to go back to other threads, older threads, etc. So the password reset URL may have been similar; the "hacker" only needed to simply change the number (or whatever the value was) and bam, he succeeded.
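
An added example of the "change the number in the URL" flaw Bob Slydell is describing. This is illustration code written for this thread, not ArenaNet's or NCsoft's reset handler, and nothing is known here about how the real site worked: the first class is a reset endpoint keyed only on a sequential account id, the second binds a random, single-use, expiring token to the account that asked for the reset and stores only the token's hash. The account ids and e-mail addresses are constructed sample data.

```python
"""Added illustration of the "change the number in the reset URL" flaw discussed
in the thread, beside a hardened variant. Hypothetical code written for this
thread, not ArenaNet's or NCsoft's handler; accounts and ids are constructed."""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    account_id: int
    email: str
    password: str  # plaintext only to keep the example short


class VulnerableResetService:
    """The reset link carries nothing but the account id, and the handler
    trusts it. Anyone who can count can reset any account (an IDOR)."""

    def __init__(self, accounts):
        self.accounts = {a.account_id: a for a in accounts}

    def request_reset(self, email):
        acct = next(a for a in self.accounts.values() if a.email == email)
        return f"/reset?account_id={acct.account_id}"

    def handle_reset(self, url, new_password):
        account_id = int(url.split("account_id=", 1)[1])
        acct = self.accounts.get(account_id)
        if acct is None:
            return False
        acct.password = new_password  # no proof the caller owns this account
        return True


class HardenedResetService:
    """The link carries a random, single-use, expiring token. The server stores
    only the token's hash, bound to the account that asked for the reset, so a
    leaked table does not yield usable links and a token cannot be re-aimed."""

    TOKEN_TTL = 15 * 60  # seconds

    def __init__(self, accounts, now=time.time):
        self.accounts = {a.account_id: a for a in accounts}
        self._pending = {}  # sha256(token) -> (account_id, expires_at)
        self._now = now

    def request_reset(self, email):
        acct = next((a for a in self.accounts.values() if a.email == email), None)
        if acct is None:
            return None  # caller shows the same "check your mail" page either way
        token = secrets.token_urlsafe(32)  # 256 bits; neighbours are not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (acct.account_id, self._now() + self.TOKEN_TTL)
        return f"/reset?token={token}"

    def handle_reset(self, url, new_password):
        token = url.split("token=", 1)[1]
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a token works exactly once
        if entry is None:
            return False  # unknown, tampered or already used
        account_id, expires_at = entry
        if self._now() > expires_at:
            return False  # expired
        self.accounts[account_id].password = new_password
        return True


def sample_accounts():
    """Constructed sample data: a victim with a guessable neighbouring id."""
    return [Account(1000, "victim@example.com", "hunter2"),
            Account(1001, "attacker@example.com", "letmein")]
```

With the vulnerable service, a link issued for account 1001 can be edited to `account_id=1000` and the victim's password is replaced; with the hardened one, the attacker's own token only ever resets the attacker's account, a forged token is rejected, a used token cannot be replayed, and a token older than fifteen minutes is refused.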

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

Quote:
Originally Posted by Hyperventilate View Post
These are dark times to be playing GW. I really hope that this fixed it, but, if that was the case, why was it something so "simple" to fix? I understand tracking it down would be difficult, but wouldn't things like this (If the account thefts were truly URL based) be something you'd think about in the very beginning when making a site that would involve you previously entering your account information?
Well it depends on a number of things that we have absolutely no idea about. I can show you security bugs that got fixed and looked ridiculously "easy" from the user point of view but are hard to pinpoint during the security analysis, due to the way the software is organised (the web can be a messy place to code, in particular due to the complex frontend languages and the need to link a backend to other software).

I'm not convinced that the patched vulnerability was simple to use to hack an account, or else a hacker would have used it much more heavily (for a short period of time) and I suspect we would have had much more than the high number of hack reports we had here.

Bristlebane

Desert Nomad

Join Date: Jan 2008

Mo/

I did click that Password retrieval URL after my account had been hijacked, and ALL it did was take you to NCSOFT. So I'm 100% sure that it couldn't have been used for stealing accounts, it just didn't take you to any specific page for retrieving your password.

Although it's fun to read all the conspiracy theories you guys come up with, thirsty for blood ;-)

Riot Narita

Desert Nomad

Join Date: Apr 2007

We don't know if there was indeed such a vulnerability or not. But it's a possibility, and that's alarming.

Typical guru response to anyone who has their account compromised is:
1. "Your password wasn't strong enough, or you gave it away"
2. "You use bots or RMT"
3. "You visit dodgy sites"
4. "You have no computer security"

And based on 1-4: "its your own fault, and you deserve to lose everything"

These mantras are spouted regularly by people who presumably consider themselves invulnerable... and they are therefore either a) naive, b) ignorant or c) plain stupid. Or several of those.

Because nothing is 100% secure. No anti-malware is 100% effective. Malware is ever more sophisticated. All OS's have vulnerabilities waiting to be found and exploited. Everybody makes mistakes, nobody is infallible. There may be disgruntled or malicious insiders. As users, there are many things which are not under our own control.

IMO, the smug people who think they are invulnerable should think again. An exploit such as what is suggested above could happen. Similarly, application or OS exploits could emerge. And if they did, they most certainly wouldn't be our own fault for being careless.

I hope A-net puts some serious effort into GW2's security. Both to minimise the possibility of attacks, but also to mitigate damage should an exploit emerge regardless. From the outset, there should be stuff like:

-Do not require email addresses as logins.
-Allow "special characters" in passwords, both in GW2 client and in NCsoft master account
-Changing GW2 login password via NCsoft master account, should require you to enter the old password.
-Implement the optional use of hardware security tokens for login, like Blizzard's device for WoW.
-"character locks" to make characters permanently undeleteable*
-optional pin numbers (or the hardware security token) to access an account's in-game storage
-track the movements of items traded
-etc etc etc

*One or two locks should be free with each GW2 account from the beginning (the number of free locks must be less than the number of character slots that come with the account). Every purchase of an extra new character slot should come with a free lock that can be used on any character. Do not allow characters to be locked until they are a certain age or level.

This way, people will not be able to lock characters right after installing the game, or creating a new one (which they may regret later); people will always be able to reroll new characters (it's impossible to lock all character slots on an account); people can purchase extra locks if they want them (by buying a new character slot).

Mr.H.Mishima

Lion's Arch Merchant

Join Date: Mar 2006

The Summit of Human Evolution

W/

Since when didn't they allow special characters in passwords?

tasha

Auctions Mod

Join Date: Jan 2006

UK

Mystic Spiral [MYST]

I wouldn't expect NCSoft to ever change their security procedures. They're appalling but since there's little financial benefit to them upgrading them, I don't expect them to ever improve.

zwei2stein

Grotto Attendant

Join Date: Jun 2006

Europe

The German Order [GER]

N/

Quote:
Originally Posted by Hells Last Survivor View Post
Since when didn't they allow special characters in passwords?
I was not able to put ěščřžýáíéúůö in my password nor ♠ or • (wait, WHAt, his password is 056056136246040022418340 ?! ... how come it does not work)

Aleta

Frost Gate Guardian

Join Date: Jan 2006

California

TTP

R/E

And I'm just as sure this is how they were hacked. How come my EQ2 account was safe, and my other game accounts safe? Just GW was hacked.

I hope it's over but it was on their end and they should give back the stuff stolen. I know in certain instances Sony has done that.

AngelWJedi

Furnace Stoker

Join Date: Sep 2008

orlando,florida

Society of Souls [Argh]

Rt/E

Quote:
Originally Posted by Hissy View Post
We don't know if there was indeed such a vulnerability or not. But it's a possibility, and that's alarming.

Typical guru response to anyone who has their account compromised is:
1. "Your password wasn't strong enough, or you gave it away"
2. "You use bots or RMT"
3. "You visit dodgy sites"
4. "You have no computer security"

And based on 1-4: "its your own fault, and you deserve to lose everything"

These mantras are spouted regularly by people who presumably consider themselves invulnerable... and they are therefore either a) naive, b) ignorant or c) plain stupid. Or several of those.

Because nothing is 100% secure. No anti-malware is 100% effective. Malware is ever more sophisticated. All OS's have vulnerabilities waiting to be found and exploited. Everybody makes mistakes, nobody is infallible. There may be disgruntled or malicious insiders. As users, there are many things which are not under our own control.

IMO, the smug people who think they are invulnerable should think again. An exploit such as what is suggested above could happen. Similarly, application or OS exploits could emerge. And if they did, they most certainly wouldn't be our own fault for being careless.

I hope A-net puts some serious effort into GW2's security. Both to minimise the possibility of attacks, but also to mitigate damage should an exploit emerge regardless. From the outset, there should be stuff like:

-Do not require email addresses as logins.
-Allow "special characters" in passwords, both in GW2 client and in NCsoft master account
-Changing GW2 login password via NCsoft master account, should require you to enter the old password.
-Implement the optional use of hardware security tokens for login, like Blizzard's device for WoW.
-"character locks" to make characters permanently undeleteable*
-optional pin numbers (or the hardware security token) to access an account's in-game storage
-track the movements of items traded
-etc etc etc

*One or two locks should be free with each GW2 account from the beginning (the number of free locks must be less than the number of character slots that come with the account). Every purchase of an extra new character slot should come with a free lock that can be used on any character. Do not allow characters to be locked until they are a certain age or level.

This way, people will not be able to lock characters right after installing the game, or creating a new one (which they may regret later); people will always be able to reroll new characters (it's impossible to lock all character slots on an account); people can purchase extra locks if they want them (by buying a new character slot).
I agree with everything except the password thing. Did we forget about the storage pain crap? How a ton of us couldn't remember our old passwords, or when we did, it didn't work? Umm, yeah, let's not go down that road. And the fact that they only just now noticed this URL thing makes me wonder how secure GW2 will be. I would hate to spend $50 or more only to lose it a week later. Come on, Regina, Martin or anyone else, let's hear your take on it. That is, if you have one.

Zahr Dalsk

Grotto Attendant

Join Date: Aug 2007

Canada

Quote:
Originally Posted by Chthon View Post
If it's the later, I guess the rash of account thefts is over now.
Given that account theft is due to stupid people not protecting their computer, or revealing their account email and/or password, I'm not sure why this would stop it.

nitetime

Krytan Explorer

Join Date: May 2005

eotn

W/

^omg, go away. how many times do we have to discuss it?^

Quote:
Originally Posted by Chthon View Post
WTB official clarification: can we breathe easier about account theft?
This, and should we change our passwords now? Or not ever change them again??

Reformed

Jungle Guide

Join Date: Aug 2009

Quote:
Originally Posted by nitetime View Post
^omg, go away. how many times do we have to discuss it?^
So you are saying it's unreasonable to assume people are purposefully withholding questionable activities that may have led to their "hacking"? I don't ever see any of the big fish getting hit with account theft, these would be the tens of millions in assets crowd. If there were active hacks going on they would be the people to target, not some lowballer with 350k. If I'm wrong I'll eat crow here, but I doubt it. Your average Joe "porn and torrents" Schmoe doesn't know his ass from his elbow in basic computer security, and that's the problem. I see it all the time with customers.

Zahr Dalsk

Grotto Attendant

Join Date: Aug 2007

Canada

Quote:
Originally Posted by nitetime View Post
^omg, go away. how many times do we have to discuss it?^
If you don't want me hating on the retards, don't make claims that it's not their fault.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by Zahr Dalsk View Post
Given that account theft is due to stupid people not protecting their computer, or revealing their account email and/or password, I'm not sure why this would stop it.
Moron.
12 chars.

Zahr Dalsk

Grotto Attendant

Join Date: Aug 2007

Canada

Quote:
Originally Posted by Hissy View Post
Moron.
12 chars.
Ok, explain how having an unsecured computer or giving away account information is a smart idea.

Fay Vert

Desert Nomad

Join Date: Apr 2006

R/

Quote:
Originally Posted by Zahr Dalsk View Post
Given that account theft is due to stupid people not protecting their computer, or revealing their account email and/or password, I'm not sure why this would stop it.
Given that you have no idea what you are talking about I suggest you STFU troll.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by Zahr Dalsk View Post
Ok, explain how having an unsecured computer or giving away account information is a smart idea.
Explain how your assumption is valid - that everyone who loses their account, now and forever, in your simple black and white world... is because they had an unsecured computer or gave away their account information.

Since you're a moron, I'd better give you a hint: you can't explain that because it's NOT valid.

Zahr Dalsk

Grotto Attendant

Join Date: Aug 2007

Canada

Quote:
Originally Posted by Hissy View Post
Explain how your assumption is valid - that everyone who loses their account, now and forever, in your simple black and white world... is because they had an unsecured computer or gave away their account information.

Since you're a moron, I'd better give you a hint: you can't explain that because its NOT valid.
Let me guess: you lost your account due to ignorance and neglect, and now the butthurt is welling up as you realize it was your fault.

No one who keeps their details private and uses a proper antivirus is losing their account.

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

Quote:
Originally Posted by Zahr Dalsk View Post
Ok, explain how having an unsecured computer or giving away account information is a smart idea.
You know, the world is not black and white...

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by Zahr Dalsk View Post
Let me guess: you lost your account due to ignorance and neglect, and now the butthurt is welling up as you realize it was your fault.
I knew you wouldn't be able to justify your assumption, and I was right. Instead you attempt to divert attention with that pathetic response.

And you are wrong. I've never been hacked yet. See how worthless and idiotic your assumptions are?

Quote:
Originally Posted by Zahr Dalsk View Post
No one who keeps their details private and uses a proper antivirus is losing their account.
Moron.

Lucci_Slevin

Frost Gate Guardian

Join Date: Nov 2008

Liars Cheats and Thieves

I found this on Gaile's support page.

Update: 2 December 2009

Quote:
We did confirm that one fansite had a security breach. The website owner has been very open and forthcoming about the issue. The webmaster posted on the site to let site visitors know about the situation and to urge site members to update their credentials in order to eliminate matching credentials on the site and on any game account.

We appreciate the fansite staff’s cooperation and believe that the enhanced security that the webmaster suggested will help prevent further breaches related to that site’s issue.

As mentioned previously, all fansites for which we have current contact information have been contacted by the Community Team to heighten their awareness of security concerns. -- Gaile 00:52, 3 December 2009 (UTC)
Link
People often use the same password and email for all of their online business because it is easier to maintain and remember one. This is a bad idea because if one site has a breach then the perpetrator has access to all of your accounts everywhere.

I think this explains the recent spate of account thefts.

Use different passwords people!
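
An added example of the check Gaile's note is asking users to do by hand, done from the game operator's side: given a breached third-party site's credential dump, find which game accounts share the leaked password and therefore need a forced reset, without the game ever storing plaintext. This is hypothetical code written for this thread, not ArenaNet's or NCsoft's tooling; the `email:password` dump format, the account store layout and the PBKDF2 parameters are assumptions, and all sample data is constructed.

```python
"""Added example: after a third-party site breach, find which game accounts
reuse the leaked password and need a forced reset. Hypothetical code written
for this thread, not ArenaNet's or NCsoft's tooling; the dump format, the
account store and the PBKDF2 parameters are assumptions, sample data constructed."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the game's stored hashes


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash under the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def parse_dump(text):
    """Parse an assumed 'email:password' per-line dump. Splits on the first
    colon so passwords containing ':' survive; keeps the last entry per email."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds[email.strip().lower()] = password
    return creds


def find_reused_credentials(leaked, accounts):
    """leaked: {email: leaked plaintext}; accounts: {email: (salt, digest)}.
    Returns the sorted emails whose game password equals the leaked one.
    Only those users need a forced reset; the others merely get a warning."""
    exposed = []
    for email, leaked_pw in leaked.items():
        stored = accounts.get(email)
        if stored is not None and verify_password(leaked_pw, *stored):
            exposed.append(email)
    return sorted(exposed)


# Constructed sample data: three game accounts and a fansite dump. Alice and
# Bob reused their game password on the fansite, Carol did not, Dave has no
# game account at all.
GAME_ACCOUNTS = {
    "alice@example.com": hash_password("correct horse battery"),
    "bob@example.com": hash_password("Bob$Gw2009!"),
    "carol@example.com": hash_password("carol-unique-pw"),
}

FANSITE_DUMP = """\
# constructed breach dump, email:password
Alice@example.com:correct horse battery
bob@example.com:Bob$Gw2009!
carol@example.com:carol-fansite-pw
dave@example.com:no-such-game-account
"""


def exposed_accounts():
    """Accounts from the sample data that must be reset before a goldseller
    replays the dump against the game login."""
    return find_reused_credentials(parse_dump(FANSITE_DUMP), GAME_ACCOUNTS)
```

The game side never needs the fansite's hashes: it takes the leaked plaintexts and verifies each against its own salted PBKDF2 record, so only accounts whose password really matches are locked and reset, and the leaked list is never written into the game database.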

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Hissy View Post
Explain how your assumption is valid - that everyone who loses their account, now and forever, in your simple black and white world... is because they had an unsecured computer or gave away their account information.
Absolutely dead on. There's this concept called logic that Zahr Dalsk should look into. But you do need to be fair here. He isn't a moron. He is ill-educated. The troublesome bit is that he couldn't do anything about being a moron, but he can do something about his ignorance.

The argument that all account thefts result from user error cannot be decisively proven, but there is ample evidence to suggest that the contention is not true.

What is disturbing about this whole episode is the cover up. ANet has denied the issue from the beginning and appears to be subtly trying to pass it off in the update notes. Guru is complicit; Inde has repeatedly muzzled debate of the issue. Forum rules or no, this needed to be discussed. Account integrity is the single most important issue to players in a game like this, and I simply cannot fathom how ANet thinks they can pass this off with a wink and a nod yet retain the loyalty of their customers.

drunk n angry

Lion's Arch Merchant

Join Date: Jul 2009

in a quiet little town that i love.

Ancient Dragoons [AGED]

W/

Quote:
Originally Posted by zwei2stein View Post
That would explain a LOT, and make people feel secure once again, indeed.
ONLY IF THEY ACTUALLY "FIXED" THE SITUATION WITH ACTUAL SECURITY MEASURES, OR IF THEY DID A REGULAR ANET BANDAID FIX. I've had my account hacked and I wasn't the only one in my guild to have it happen. I'm not sure how my account was hacked yet, but this could explain that. I hope they fixed it 100%. May Dwayna be with us, LOL.

Karate Jesus

Forge Runner

Join Date: Apr 2008

Texas

Reign of Judgment [RoJ]

Me/

Quote:
Originally Posted by Chthon View Post
WTB official clarification: can we breathe easier about account theft?
Don't hold your breath. Official clarification on this would mean that Anet would have to admit the smallest minutia of fault for the hacks, and they refuse to do that.

Btw, security is a 2 way street. Several of my friends' accounts have been hacked lately (through the NCSoft website), and all but one of them use passwords of over 13 characters with random capital letters and numbers. Oh, and none of them had their characters' names or emails on any fansite, and they used separate passwords for their email, GW, and everything else. And obviously, they all had virus protection.


Just saying... it can't ALWAYS be the players' fault.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Karate Jesus View Post
Don't hold your breathe. Official clarification on this would mean that Anet would have to admit the smallest minutia of fault for the hacks, and they refuse to do that.
And once they were at fault they'd be expected to do something about it. I'm sure that Legal and Support are both screaming for silence on the matter.

Which is the whole reason that this issue needed free, fair and frank community discussion. ANet isn't going to admit anything unless we make them, and the people that got hacked aren't going to be made whole if they can successfully sweep this thing under the rug.

This is the top priority issue in the game. If you ask players whether they'd rather have balance or security, they'll take security hands down any day of the week. But the only way we're going to get that is if we, as a community, hold ANet accountable. No one will do it for us.

I understand the impulse to muzzle; a thread openly discussing security issues would be wild and woolly, with much moderation and unsubtle arm-twisting required. Unfortunately, muzzling the community lets the game company run roughshod over us, and that's wrong.

Aleta

Frost Gate Guardian

Join Date: Jan 2006

California

TTP

R/E

Quote:
Originally Posted by Zahr Dalsk View Post
Given that account theft is due to stupid people not protecting their computer, or revealing their account email and/or password, I'm not sure why this would stop it.
That is utter garbage and untrue. People I know that were also hacked have top grade security. I'd love to tell you off for ignorance but it's not worth it.

Karate Jesus

Forge Runner

Join Date: Apr 2008

Texas

Reign of Judgment [RoJ]

Me/

Quote:
Originally Posted by Martin Alvito View Post
Unfortunately, muzzling the community lets the game company run roughshod over us, and that's wrong.
To be honest, I'm surprised you're not used to it yet. I am.

Anonymous IXl

Lion's Arch Merchant

Join Date: Nov 2009

ON, Canada

Super Galactic Mystery Solvers [Clue]

Mo/Me

My friend just got hacked a couple hours ago. We're trying to recover his password at the moment; it's sad how heartless people can be.

Aleta

Frost Gate Guardian

Join Date: Jan 2006

California

TTP

R/E

Quote:
Originally Posted by aflxnhe View Post
My friend just got hacked a couple hours ago. We're trying to recover his password at the moment; it's sad how heartless people can be.
sorry to hear it. But my point is it's Anet not the players. And for other smart remarks - I have and do use different passwords.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Karate Jesus View Post
To be honest, I'm surprised you're not used to it yet. I am.
Well, I understand why they do it. ANet's using the same mechanism that Cheney used with the media in Bush's first term. They trade access for control, gaining some ability to shape community discussion by influencing fansite mods.

There's only one condition where this strategy fails. That's when people get tired of it and call them on it. So I speak out.

masharra

Pre-Searing Cadet

Join Date: Jan 2008

Oklahoma

Passionate Kiss of Life

E/Mo

Oddly enough, all my emails and passwords are pretty much the same, except with a 1 at the end or such.

I've yet to be hacked in ANY game I've played. Maybe cuz I'm dirt poor.

But it seems, through what I'm reading here, you people seem to discount human stupidity?

Sure, all problems may not have been caused by negligent users, but you make it seem as if that's impossible through your statements, though I won't say ArenaNet is at fault or not at fault.

For most cases, anything computer related, who usually causes the problem?

As for the people who claim to have top grade security:

I mean, how do you know it's not a vulnerability through Xfire?
When my comp crashes I don't blame Microsoft, I bish at ATI for selling me this crappy vcard.

I didn't realise the NSA's security protocols were available for common use. No security is top grade imo.

I would group all in the medium range. As of right now I know of 2 keyloggers that aren't detected by AVG, Norton, or Malwarebytes.

netstat: you will see some interesting things there.

In conclusion, if I were forced to say, I would say that it's a combo of user fail and A-Net fail. Oh, an onscreen keyboard helps people.

P.S. If you're going to use Norton, use Norton Corporate Edition. Home is utter crap.