Gaile Wiki entry 2 December 2009 (Regarding account thefts)

Lucci_Slevin
Frost Gate Guardian
#1
I posted this in the update thread but think it should be its own topic since it seems unrelated to the in-game update. Also this way more people can see it and make password changes if needed.

I found this on Gaile's support page.

Update: 2 December 2009

Quote:
We did confirm that one fansite had a security breach. The website owner has been very open and forthcoming about the issue. The webmaster posted on the site to let site visitors know about the situation and to urge site members to update their credentials in order to eliminate matching credentials on the site and on any game account.

We appreciate the fansite staff’s cooperation and believe that the enhanced security that the webmaster suggested will help prevent further breaches related to that site’s issue.

As mentioned previously, all fansites for which we have current contact information have been contacted by the Community Team to heighten their awareness of security concerns. -- Gaile 00:52, 3 December 2009 (UTC)
Link

People often use the same password and email for all of their online business because it is easier to maintain and remember one. This is a bad idea because if one site has a breach then the perpetrator has access to all of your accounts everywhere.

I think this explains the recent spate of account thefts.

Use different passwords people!
Cuilan
Forge Runner
#2
Never re-use passwords. Many sites can not only see your email, but your IP and password. That includes Guild Wars Guru.

I can see how such sites can have a "breach."
Kattar
EXCESSIVE FLUTTERCUSSING
#3
Quote:
Never re-use passwords. Many sites can not only see your email, but your IP and password. That includes Guild Wars Guru.
The user database is encrypted in such a way that the staff cannot see your password; all we can do is reset it. Even the administrators don't have access to see what your password is in clear text.
nagisaki
Academy Page
#4
Though you may not be able to see the password in clear text, brute forcing the hash is simple and easy to do. Unless the user has a strong 50-digit password, it takes less than a day for most hashes to be cracked, less if it's able to be hit by a dictionary attack, and less still if the hacker has access to a powerful computing platform, whether distributed or dedicated.
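The hashing point in this exchange, seen from the side of a site storing passwords (an added example, not part of the original thread and not any site's actual code): a single fast, unsalted hash is cheap to guess against and identical for identical passwords, while a per-user salt and a deliberately slow KDF raise the cost of every guess. The iteration count and function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Iteration count is an assumption for this example, not any site's setting.
PBKDF2_ITERATIONS = 600_000


def fast_unsalted_hash(password: str) -> str:
    """One unsalted SHA-256: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_password(password: str) -> dict:
    """Derive a record with a random per-user salt and a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def guess_cost_ratio(rounds: int = 1000) -> float:
    """How many times more expensive one guess is against the slow KDF."""
    start = time.perf_counter()
    for i in range(rounds):
        fast_unsalted_hash(f"guess{i}")
    fast = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", os.urandom(16), PBKDF2_ITERATIONS)
    return (time.perf_counter() - start) / fast


if __name__ == "__main__":
    pw = "constructed-sample-password"  # constructed sample value
    a, b = store_password(pw), store_password(pw)
    print("unsalted digests equal:", fast_unsalted_hash(pw) == fast_unsalted_hash(pw))
    print("salted records equal:  ", a["hash"] == b["hash"])
    print("verify ok:", verify_password(pw, a))
    print(f"cost per guess vs fast hash: ~{guess_cost_ratio():,.0f}x")
```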
Kattar
EXCESSIVE FLUTTERCUSSING
#5
I'm aware nagisaki, I just wanted to clear up a possible misconception. The owners of this site cannot see your passwords.
Anonymous IXl
Lion's Arch Merchant
#6
My friend just got his account hacked a few hours ago and just found out about 10 minutes ago. Thank you VERY much for this link. We already sent a ticket in but the phone number does not work. Just remember guys... Longest password possible with numbers/letters.
magao
Academy Page
#7
Another way is to not use the same email address for your GW account as sites. This obviously shouldn't be instead of not re-using passwords, but in addition.

GMail allows you to add +anything to your email address. For example, all of the following would go to the same email address:

[email protected]
[email protected]
[email protected]

Many sites still don't allow a + in an email address (they use the "simplified" email address validator) but Guild Wars does.

You can also achieve the same effect if you have your own domain:

[email protected]
[email protected]
[email protected]

This means you can ensure that your GW login address is different to every other site that you have to supply your email address to. And that means that hackers won't match your login or email details from a different site to your GW account.
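The per-site address idea from the post above, together with a check for the reuse this thread warns about (an added example, not part of the original post). All addresses, site names and passwords are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Accepts "+" in the local part, unlike the "simplified" validators the post
# mentions. Deliberately not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def make_alias(base: str, tag: str) -> str:
    """Build local+tag@domain from a base address and a per-site tag."""
    if not EMAIL_RE.match(base):
        raise ValueError(f"not a usable address: {base!r}")
    local, domain = base.rsplit("@", 1)
    local = local.split("+", 1)[0]              # drop any tag already present
    safe_tag = re.sub(r"[^A-Za-z0-9._-]", "", tag)
    if not safe_tag:
        raise ValueError("tag has no usable characters")
    return f"{local}+{safe_tag}@{domain}"


def mailbox(address: str) -> str:
    """Strip the +tag to get the mailbox the alias is delivered to."""
    local, domain = address.lower().rsplit("@", 1)
    return f"{local.split('+', 1)[0]}@{domain}"


def reused_credentials(accounts):
    """Return groups of sites sharing the exact same (login, password) pair."""
    groups = defaultdict(list)
    for site, login, password in accounts:
        groups[(login.lower(), password)].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


# Constructed sample data: the game account shares its login with a fansite.
ACCOUNTS = [
    ("game", "player@example.com", "constructed-pass-1"),
    ("fansite-a", "player@example.com", "constructed-pass-1"),
    ("fansite-b", "player+fansiteb@example.com", "constructed-pass-2"),
]

if __name__ == "__main__":
    print("reused:", reused_credentials(ACCOUNTS))   # game and fansite-a match
    fixed = [("game", make_alias("player@example.com", "gw"), "constructed-pass-3")]
    fixed += ACCOUNTS[1:]
    print("after fix:", reused_credentials(fixed))   # no shared pair left
    print("same mailbox:", {mailbox(login) for _, login, _ in fixed})
```

A tag that is simply the site name can be guessed or stripped by anyone who knows the convention, so the alias mainly defeats automated matching of leaked logins; a unique password per site remains the main control.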
zwei2stein
Grotto Attendant
#8
Quote:
Originally Posted by Katsumi
I'm aware nagisaki, I just wanted to clear up a possible misconception. The owners of this site cannot see your passwords.
Attacker can however modify code which handles login to obtain plaintext passwords before they get hashed and compared to hash in database.
Daesu
Furnace Stoker
#9
Quote:
Originally Posted by zwei2stein
Attacker can however modify code which handles login to obtain plaintext passwords before they get hashed and compared to hash in database.
Yes, if a hacker gains access to the website, it is possible for them to get the passwords one way or another.

The lesson is, if you use the same game credentials on a web site then you are only protected as much as the weakest link in the chain. Even if ANet has the most secure password managing system, that would not help you much if the web site itself fails.
St Lucretia
Pre-Searing Cadet
#10
I fell foul of this last week: I got an e-mail saying that someone had changed my NCSoft account password. I replied to support immediately, but after having had it resolved, I've just logged in to find all my gold (~400k) and most of my items (including Heavy equipment bag, weapons, loads of consumables, etc.) all gone.

Luckily none of my characters were deleted but it's still frustrating.

I wonder if ArenaNet can look at trades over the last week and ban any recipients?
Martin Alvito
Older Than God (1)
#11
Quote:
Originally Posted by Lucci_Slevin
I think this explains the recent spate of account thefts.

Use different passwords people!
If this is the complete explanation, then we should find that everyone hacked with the "novel" method of changing the password via NCSoft's website had an account with said fansite AND used the same username/password information for the fansite and NCSoft logins. (If you got the e-mail username for the game from the fansite's database along with the password for the game, you wouldn't go to the NCSoft website to change the password.)

That seems very unlikely. This explains some of the thefts. It is far from a complete explanation.
Inde
Site Contributor
#12
Quote:
Originally Posted by Cuilan
Never re-use passwords. Many sites can not only see your email, but your IP and password. That includes Guild Wars Guru.

I can see how such sites can have a "breach."
It is not possible for a hacker to obtain your password on this site. I cannot disclose our security measures but there are indeed additional and unique measures in place above and beyond what VBulletin software provides that would make this nearly impossible.

Also, please see the sticky thread here for all the latest updates:

http://www.guildwarsguru.com/forum/s...php?t=10410963