Gaile Wiki entry 2 December 2009 (Regarding account thefts)

Lucci_Slevin

Frost Gate Guardian

Join Date: Nov 2008

Liars Cheats and Thieves

I posted this in the update thread but think it should be its own topic since it seems unrelated to the in-game update. Also this way more people can see it and make password changes if needed.

I found this on Gaile's support page.

Update: 2 December 2009

Quote:
We did confirm that one fansite had a security breach. The website owner has been very open and forthcoming about the issue. The webmaster posted on the site to let site visitors know about the situation and to urge site members to update their credentials in order to eliminate matching credentials on the site and on any game account.

We appreciate the fansite staff’s cooperation and believe that the enhanced security that the webmaster suggested will help prevent further breaches related to that site’s issue.

As mentioned previously, all fansites for which we have current contact information have been contacted by the Community Team to heighten their awareness of security concerns. -- Gaile 00:52, 3 December 2009 (UTC)
Link

People often use the same password and email for all of their online business because it is easier to maintain and remember one. This is a bad idea because if one site has a breach then the perpetrator has access to all of your accounts everywhere.

I think this explains the recent spate of account thefts.

Use different passwords people!

Cuilan

Forge Runner

Join Date: Mar 2008

Me/

Never re-use passwords. Many sites can not only see your email, but your IP and password. That includes Guild Wars Guru.

I can see how such sites can have a "breach."

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007

SMS (lolgw2placeholder)

Me/

Quote:
Never re-use passwords. Many sites can not only see your email, but your IP and password. That includes Guild Wars Guru.
The user database is encrypted in such a way that the staff cannot see your password, all we can do is reset it. Even the administrators don't have access to see what your password is in clear text.

nagisaki

Academy Page

Join Date: Nov 2006

The Interblag

Game Time [GT]

N/Me

Though you may not be able to see the password in clear text, brute forcing the hash is simple and easy to do. Unless the user has a strong 50 digit password, it takes less than a day for most hashes to be cracked, less if it's able to be hit by a dictionary attack, and less still if the hacker has access to a powerful computing platform, whether distributed or dedicated.

Kattar

EXCESSIVE FLUTTERCUSSING

Join Date: Mar 2007

SMS (lolgw2placeholder)

Me/

I'm aware nagisaki, I just wanted to clear up a possible misconception. The owners of this site cannot see your passwords.

Anonymous IXl

Lion's Arch Merchant

Join Date: Nov 2009

ON, Canada

Super Galactic Mystery Solvers [Clue]

Mo/Me

My friend just got his account hacked a few hours ago and just found out about 10 minutes ago. Thank you VERY much for this link. We already sent a ticket in but the phone number does not work. Just remember guys... Longest password possible with numbers/letters.

magao

Academy Page

Join Date: Jul 2008

Australia

Order of Pussycat Mountain [OPCM]

N/

Another way is to not use the same email address for your GW account as for other sites. This obviously shouldn't be instead of not re-using passwords, but in addition.

GMail allows you to add +anything to your email address. For example, all of the following would go to the same email address:

[email protected]
[email protected]
[email protected]

Many sites still don't allow a + in an email address (they use the "simplified" email address validator) but Guild Wars does.

You can also achieve the same effect if you have your own domain:

[email protected]
[email protected]
[email protected]

This means you can ensure that your GW login address is different from every other site that you have to supply your email address to. And that means that hackers won't match your login or email details from a different site to your GW account.
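The per-site alias scheme described in the post above, as an added Python example that is not part of the original thread. The addresses are constructed, and the two validator patterns are my own illustration of a "simplified" validator (no `+` allowed) beside one that accepts sub-addressing; `canonical()` shows that stripping the tag takes one line, which is why the alias only helps in addition to distinct passwords.

```python
import re

# Constructed validators (not from any real site). The first is the kind of
# "simplified" check that rejects '+'; the second accepts sub-addressing.
SIMPLE_EMAIL = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PLUS_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def _tag(site_name: str) -> str:
    """Reduce a site name to a lowercase alphanumeric tag usable in an address."""
    tag = re.sub(r"[^A-Za-z0-9]", "", site_name).lower()
    if not tag:
        raise ValueError("site name must contain a letter or digit")
    return tag


def site_alias(base_email: str, site_name: str) -> str:
    """GMail-style alias: insert '+<tag>' before the '@' of base_email."""
    local, _, domain = base_email.partition("@")
    if not local or not domain:
        raise ValueError("expected user@domain")
    return f"{local}+{_tag(site_name)}@{domain}"


def domain_alias(site_name: str, own_domain: str) -> str:
    """Own-domain variant: one distinct local part per site."""
    return f"{_tag(site_name)}@{own_domain}"


def canonical(address: str) -> str:
    """Strip a '+tag' so all plus-aliases of one mailbox compare equal.
    Shows how little work it is to undo the alias; the password still matters."""
    local, _, domain = address.lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def accepted_by(validator: re.Pattern, address: str) -> bool:
    """True if the given validator pattern would accept the address."""
    return validator.match(address) is not None


if __name__ == "__main__":
    alias = site_alias("player@example.com", "GW Guru")  # constructed address
    print(alias, accepted_by(SIMPLE_EMAIL, alias), accepted_by(PLUS_EMAIL, alias))
```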

zwei2stein

Grotto Attendant

Join Date: Jun 2006

Europe

The German Order [GER]

N/

Quote:
Originally Posted by Katsumi
I'm aware nagisaki, I just wanted to clear up a possible misconception. The owners of this site cannot see your passwords.
An attacker can, however, modify the code which handles login to obtain plaintext passwords before they get hashed and compared to the hash in the database.

Daesu

Furnace Stoker

Join Date: Oct 2008

Quote:
Originally Posted by zwei2stein
An attacker can, however, modify the code which handles login to obtain plaintext passwords before they get hashed and compared to the hash in the database.
Yes, if a hacker gains access to the website, it is possible for them to get the passwords one way or another.

The lesson is, if you use the same game credentials on a web site then you are only protected as much as the weakest link in the chain. Even if ANet has the most secure password managing system, that would not help you much if the web site itself fails.

St Lucretia

Pre-Searing Cadet

Join Date: Sep 2009

I fell foul of this last week: I got an e-mail saying that someone had changed my NCSoft account password. I replied to support immediately, but after having had it resolved, I've just logged in to find all my gold (~400k) and most of my items (including Heavy equipment bag, weapons, loads of consumables, etc.) all gone.

Luckily none of my characters were deleted but it's still frustrating.

I wonder if ArenaNet can look at trades over the last week and ban any recipients?

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Lucci_Slevin
I think this explains the recent spate of account thefts.

Use different passwords people!
If this is the complete explanation, then we should find that everyone hacked with the "novel" method of changing the password via NCSoft's website had an account with said fansite AND used the same username/password information for the fansite and NCSoft logins. (If you got the e-mail username for the game from the fansite's database along with the password for the game, you wouldn't go to the NCSoft website to change the password.)

That seems very unlikely. This explains some of the thefts. It is far from a complete explanation.

Inde

Site Contributor

Join Date: Dec 2004

Quote:
Originally Posted by Cuilan
Never re-use passwords. Many sites can not only see your email, but your IP and password. That includes Guild Wars Guru.

I can see how such sites can have a "breach."
It is not possible for a hacker to obtain your password on this site. I cannot disclose our security measures but there are indeed additional and unique measures in place above and beyond what vBulletin software provides that would make this nearly impossible.

Also, please see the sticky thread here for all the latest updates:

http://www.guildwarsguru.com/forum/s...php?t=10410963