Account Hackings - The Source

Erys Vasburg

[Domination Henchman]

Join Date: Feb 2007

Echovald Forest

House Vasburg

Me/

OFFICIAL RESPONSES AND ACTION

Quote:
Originally Posted by Regina Buenaobra
First of all, we have escalated this up to the NCsoft Security team, and they will investigate the issue.

There have been ongoing investigations on the hacking incidents for some time, and according to the data gathered, none of them appear to be directly or exclusively related to NCsoft Master Accounts. Some hacking victims have NCsoft Master Accounts, some don't. Data was recently reviewed, and about half are not NCsoft Master Account holders. Therefore the hysteria surrounding the idea that all hacks are coming through the NCsoft Master Account doesn't seem to be valid. However, this doesn't necessarily rule out that some hacks are coming through NCsoft Master Accounts. The information about this particular exploit is new to us, and we don't know what will happen as more people, due to this thread, learn about it and even try it. We're not brushing things under the rug, nor denying that there might be a problem. The Support team has not previously notified us of this issue as detailed in the OP. The first we have heard of this information, as detailed in this thread's original post, was brought to our (ArenaNet's) attention just recently (yesterday, according to Gaile), so it's incorrect to suggest that we've been covering it up for months. Please be assured that we are taking the concerns in this thread seriously, following up with NCsoft Security, and actively raising the issue with the Security team.

Thank you.
Quote:
Originally Posted by Regina Buenaobra
ArenaNet has been discussing the issues pointed out by players in this and other forum threads on the issue with NCsoft. Again, we take these concerns very seriously, and we're currently taking measures to address them on several levels, and we will continue to do so.

There is a change in one of the NCsoft Master Account processes that is being enacted, and we believe this change will help quite a lot in enforcing account security, and we're very grateful to the folks involved who've worked today to get those measures in place, on a holiday, and many of them away from home. They've taken our escalation of this issue very seriously, are listening, and are doing what they can do to proactively help, and to take your concerns on board and make improvements in very short order.

The security team continues to research and additional changes might be put in place. If you try to change your password on the NCsoft web site now, you will notice one of these changes: you will be required to input the old password to change it to a new one.

I would like to reiterate one point again, because people continue to ignore this fact: The account hacks are not likely related to the NCsoft Master Account security concerns. Roughly half of the hacked accounts do NOT have an NCsoft Master Account, and very few account thefts involved a password change at all. The hacker(s) knew the account credentials, and they did not access the hacked accounts through NCsoft Master Accounts. The hackers had a list of passwords, which they used to steal accounts.

Again, our NCsoft Security team is continuing to investigate this issue, and there might be additional changes forthcoming.
THINGS STILL IN NEED OF CLEARING UP:

1. Why this issue is not being held responsible for 50% of reported account hacks.
2. Where the list of passwords hackers are using for the other 50% is coming from.
3. Why ArenaNet was not informed of this issue by NCSoft when they found out about it, through Gaile (ArenaNet Support Liaison) or another medium.

-----------------------------------------------------------------------------------------------

Hello denizens of Guild Wars Guru! It is I, Erys Vasburg, everyone's favorite Domination Henchman, here to deliver some startling and very important news to you all! Anyone who has been following Regina or Gaile's talk pages on the official wiki lately will have noticed a certain forum moderator kicking up a bit of a stir about the security issues as of late. For whatever reason, he hasn't brought these issues to Guru yet. So, everybody's favorite Domination Henchman (that's me!) has decided to go over his head and share this with you. Read it quick, before it gets lost in Gaile's confusingly organized talk archives forever!

Yes, Gurumites, it's true - we're at risk (please do your best to thoroughly read over the content of these links from start to finish - trust me, friends, it is important that you do so if you wish to understand the severity of this problem!). Linking our GW accounts to our NCSoft master accounts has, as many have begun fearing, indeed doomed us to the fate of being easily targeted for simple hacking. While this may not be the source of all of the recent troubles, it's certainly the source of a great deal of them. The most wonderful fantasmical part of it is that, despite all evidence to the contrary, NCSoft is trying to push it under the rug with blatant lies. Truly, it is better to blame the fan community with no proof of fault by claiming a fan community website had a security flaw (I would link you to this, but it is hopelessly lost in Gaile's archives, in a place I can not find - someone who is better at the wiki, please find it for me!) than to admit that the problem lies within your own website (image swiped from xxteacakez's comment on the official wiki). Anyone who, unlike certain people in important official positions, takes the time to read the threads I linked earlier will see that this problem is far from merely "cosmetic" and is, indeed, likely what caused Linsey's own account to be hacked (she updated her facebook status when this happened, and made further comments on it afterwards - no I do not have a screenshot, but anyone who does is more than welcome to provide it; it's worth noting that the character name security change for GW happened very shortly after her account was hacked, as the previously mentioned forum moderator pointed out on Gaile's talk page).

Of course, the denial is strong. Of course, Gaile insists that this issue is nothing, even though she did not read up on it before saying so. Of course, she insists that it is not related, as many hacked accounts were not linked to NCSoft Master Accounts. Of course, she, and everyone at NCSoft, would like us to believe that after four years, suddenly thousands of people became infected by a real life stupidity virus and started dealing with RMT or being keylogged simultaneously, and visiting a website that she refuses to name or even offer any scrap of evidence that it exists.

But we are not infected by stupidity, Guru. We do not have to lay down and accept the lies anymore. There is evidence to show that NCSoft, not the forums, not us (the players), is responsible for our hard work being wiped out without a chance to prevent it from happening or even get our prized pixel possessions restored to us. We are not at fault for NCSoft's errors; we should not be penalized because NCSoft and ArenaNet can not figure out website coding or software.

So, NCSoft. So, ArenaNet. Step up and take responsibility for your errors. Stop blaming the players! Stop blaming the community! Fix YOUR PROBLEM and save OUR ACCOUNTS (what is left of them, anyway). We did not buy Guild Wars to have our accounts stolen because YOU can't keep them secure. Those of us that bought Aion did not do it to have their accounts stolen because YOU can't keep them secure. We do not want OUR EMAILS and OUR PERSONAL INFORMATION being given to people because YOU can not admit to YOUR errors. FIX YOUR WEBSITE CODE. NOW. The character name fix was nice. You can admit that you added it because of a problem on your end, now. Own up to your mistakes, and maybe people will actually trust you enough to buy Guild Wars 2.


And, for the TL;DR people out there: LOGGING INTO YOUR OWN PLAYNC MASTER ACCOUNT CAN RANDOMLY LOG YOU INTO ANOTHER PLAYER'S ACCOUNT. YOU HAVE FULL CONTROL OVER THEIR ACCOUNT FROM THIS POINT. YOU CAN CHANGE THEIR PASSWORDS, AND EVERYTHING ELSE THAT ONE CAN EDIT FROM THE PLAYNC MASTER ACCOUNT CONTROLS.

Discuss.


EDITS TIME

First, I'd like to thank Bunny of aionsource for stopping by and joining the cause. We need all the help we can get!

Quote:
Originally Posted by Angel Kiss
Hello dears, Bunny here (author of the icky sticky thread on Aion Source).

I just wanted to stop by and thank Erys for taking the time to make this thread. To be honest I think you summed it up quite nicely. I particularly like the bit about NCSoft having us "believe that after four years, suddenly thousands of people became infected by a real life stupidity virus and started dealing with RMT or being keylogged simultaneously". That really sums it up from my perspective. I know for a fact that the past two weeks really has been the highest on record for complaints received about Aion players being hacked. Sure, the first few complaints come in and you think "yeah yeah...serves you right you gold buying scumbag", but after the 100th genuine sounding story you do start to doubt and raise questions.

The thing that bothers me most is the fact that the past two weeks have coincidentally (or not) followed the emergence of the NCSoft Master Account website issue and we haven't received a response about this from anyone. I don't think people have appreciated yet that Tamat's first response to the issue was completely out of context. There just so happen to be two issues with NCSoft websites and our Tamat rushed forth assuming we were talking about a different problem (one that actually IS cosmetic).

From reading Gaile's comments it seems to me that she has latched on to Tamat's response and arrived at the same wrong conclusion. In a meek effort to try to steer people in the right direction, I have posted the following on her talk page:


Aside from the known issue with the NCSoft Master Account page (as if that isn't enough) much worse accusations have been emerging from the Aion community over the last few days...however I couldn't say how accurate these are first hand (or how long it will be before NCSoft delete posts from the official forums of that nature).

In the meantime all I can do is say keep talking about the issue! Don't stand for this sort of nonsense and don't let it get pushed under the rug. I have it on good authority that there is rather solid evidence of a serious problem here and we all deserve to know what steps are being taken to correct it.

Secondly, for people concerned about the details of the exploit being posted here, I will again point out that this information has been public knowledge for months. NCSoft is trying to shove it under a rug, not fix it. Our only recourse is to inform as many people as we can, so that we can rise up and put public pressure on them to cut the shit.

And lastly, for those wishing for confirmation that this exploit is indeed real, I encourage you to read through the threads I linked (remember how I said they were very important?). However, if you want a Guru moderator's confirmation, you have it here:
Quote:
Originally Posted by Sierraa
xxteacakez = me, while I'm only a ventari/nolani mod I can truthfully say that my NCsoft account doesn't start with a "k" and I had full control over the account that I was logged in.

There are a handful of confirmations from other fairly solid members of our community scattered throughout this thread as well.


This issue is VERY REAL and VERY SERIOUS. Please put more time into reading up on it than Gaile did. Don't get too caught up in your hats being missing to read links about account security failures. If you lose your accounts, HATS DON'T MATTER.

Shadowspawn X

Jungle Guide

Join Date: Jun 2005

Fellowship of Champions

R/E

Quote:
Originally Posted by Erys Vasburg
And, for the TL;DR people out there: LOGGING INTO YOUR OWN PLAYNC MASTER ACCOUNT CAN RANDOMLY LOG YOU INTO ANOTHER PLAYER'S ACCOUNT. YOU HAVE FULL CONTROL OVER THEIR ACCOUNT FROM THIS POINT. YOU CAN CHANGE THEIR PASSWORDS, AND EVERYTHING ELSE THAT ONE CAN EDIT FROM THE PLAYNC MASTER ACCOUNT CONTROLS.

Discuss.
This is very disturbing.......

genofreek

Desert Nomad

Join Date: Jan 2007

USA

Jenova's Apocolyptic Remains [JAR]

D/

What the red freakin engine is this madness?

edit: the character name question addition is slightly comforting, but I'm not sure how I feel about this massive exploit being highlighted and broken down on a high-traffic area of a high-traffic forum.

Anka Yirannes

Ascalonian Squire

Join Date: Nov 2009

Liars Cheats and Thieves. [Liar]

Me/Rt

Seriously Erys? Seriously?

Excuse me while I go scream bloody murder and stab some people...

(Not entirely sure I believe it though.)

Aljasha

Krytan Explorer

Join Date: May 2009

sorry, i don't get it.

Erys Vasburg

[Domination Henchman]

Join Date: Feb 2007

Echovald Forest

House Vasburg

Me/

Quote:
Originally Posted by Anka Yirannes
Seriously Erys? Seriously?
Seriously.

Read the threads - it'll take you a while, but when you're done, your eyes will be opened. You can also spam log in / log out on your PlayNC Master Account for a while until this happens to you if you must (but please, don't screw around if it does; I know a lot of people will just have to try it to believe it, but I hope they don't also screw another player over by changing a password or, worse, stealing an account).

This is a really, really big problem. I don't know why it hasn't been posted here before, seeing as how it is not new information.
Quote:
Originally Posted by genofreek
What the red freakin engine is this madness?

edit: the character name question addition is slightly comforting, but I'm not sure how I feel about this massive exploit being highlighted and broken down on a high-traffic area of a high-traffic forum.
As I said above, it's not new information at all. And, it's not like you can explain the exploit without... well, explaining it. Everyone needs to know how and why accounts have been being stolen. GW accounts should be sort of safe from this exploit now, with the character name thing going on, but that doesn't mean much to the many, many people who lost accounts to it before that was added. Nor does it change the fact that your master account is still at risk of being hit.

The method has been public since October or so (see the provided threads). I'm bringing it to Guru so that the people it hit hardest will know what actually happened.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Well, if you weren't already storing your valuables in an unlinked account, you'd better start.

Looks like we have the smoking gun, kids.

Smarty

Krytan Explorer

Join Date: Mar 2008

England

Me/

I read the bit about people being able to accidentally log into others' NCsoft accounts on Aionsource but for some reason didn't put two and two together and work out that it explained the hacks in GW and Aion. Thanks Erys, and FFS NCsoft you pile of shit organisation, pull your goddamn finger out and get it sorted! *Really* glad I cancelled my CC details in Aion now. (EDIT: My husband, who has all his NCsoft games tied to the one master account, tells me that you need the CCV# to actually purchase anything even if your CC details are stored, so I guess that doesn't matter. Not happy about having my RL name and address in my Aion account's NCsoft account though - good job I used a completely fake name and addy in my GW NCsoft account. Very much not happy about the idea of someone being able to get hold of my personal info so easily.)

Erys Vasburg

[Domination Henchman]

Join Date: Feb 2007

Echovald Forest

House Vasburg

Me/

Quote:
Originally Posted by Mister Smartypants
Thanks Erys
No, don't thank me. Thank the people at aionsource and incgamers who figured this out and did all the evidence gathering. They are the real champions here. I'm just passing the message along to a community that until now had no idea what was going on.

J I L T

Academy Page

Join Date: Feb 2009

Mo/

That's interesting to say the least. Luckily I only have aion linked to my account and I stopped playing that real quick so any hackers would just be disappointed. Thanks for the info Erys.

Firebaall

Krytan Explorer

Join Date: Sep 2006

Quote:
Originally Posted by Erys Vasburg

And, for the TL;DR people out there: LOGGING INTO YOUR OWN PLAYNC MASTER ACCOUNT CAN RANDOMLY LOG YOU INTO ANOTHER PLAYER'S ACCOUNT. YOU HAVE FULL CONTROL OVER THEIR ACCOUNT FROM THIS POINT. YOU CAN CHANGE THEIR PASSWORDS, AND EVERYTHING ELSE THAT ONE CAN EDIT FROM THE PLAYNC MASTER ACCOUNT CONTROLS.

Discuss.
I can directly confirm this.

This is kicking our ass in Aion as well. Stripped out accounts are brutally common, check out the Aion Source forums.

dr love

...is in denial

Join Date: Sep 2006

Hyperion

starcraft 2

P/Me

Quote:
Originally Posted by Erys Vasburg
And, for the TL;DR people out there: LOGGING INTO YOUR OWN PLAYNC MASTER ACCOUNT CAN RANDOMLY LOG YOU INTO ANOTHER PLAYER'S ACCOUNT. YOU HAVE FULL CONTROL OVER THEIR ACCOUNT FROM THIS POINT. YOU CAN CHANGE THEIR PASSWORDS, AND EVERYTHING ELSE THAT ONE CAN EDIT FROM THE PLAYNC MASTER ACCOUNT CONTROLS.
i just checked how the password reset currently works for plaync, you have to answer a bunch of personal questions, so that would require thorough knowledge of a person.

if someone hacks your email tied to your plaync master account (read hacks your guru account, unless you use the same login and pass!), i don't think they can gain access to your plaync account.

so the OP's statement is the only plausible answer. logging on to your own plaync account can randomly log you into someone else's. that would explain people getting hacked in complete disbelief, because it has nothing to do with the guild wars client or their computer security. i've changed my own gw pass from the plaync website before. i think you just have to know the birthday? it's a piece of cake.

Fay Vert

Desert Nomad

Join Date: Apr 2006

R/

I look forward to the official response in this thread

Malice Black

Site Legend

Join Date: Oct 2005

Quote:
Originally Posted by Fay Vert
I look forward to the official response in this thread
Heh...

It'll be a generic "we're looking into it".

gone

Guest

Join Date: Jan 2007

LOL. was waiting for this thread.

Warvic

Wilds Pathfinder

Join Date: May 2009

The Netherlands

A/W

Only got my Aion account linked. Not my GW acc. I think I'll keep it like that =]

bsoltan

Site Contributor

Join Date: Dec 2005

UK

[SoF]

Has anyone been able to successfully change another account's information through this method of randomly being logged into their PlayNC account?

BuD

Krytan Explorer

Join Date: Mar 2006

Nunya

E/Mo

Quote:
Originally Posted by Malice Black
Heh...

It'll be a generic "we're looking into it".

Or..

it's still not our fault....

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

Thank you for this thread! Told them on the phone too, that it was because of the linked account! If only they had listened. Before linking to ncsoft master account, for 4 years nothing happens!

Edge Igneas

Frost Gate Guardian

Join Date: May 2008

Poland

That website's been flawed from day one. Just look at all those people that forgot passwords to that website, because of the free storage pane rush. Then the horrible loading times on that bandwidth consuming excuse for a website. I wouldn't expect anything else, there has been no explanation into the massive hackings, and this is a pretty serious issue. I was never a fan of NCSoft, but Arenanet let me down too.

The communication regarding this has been so shallow. Something is just wrong.

dr love

...is in denial

Join Date: Sep 2006

Hyperion

starcraft 2

P/Me

Quote:
Originally Posted by bsoltan
Has anyone been able to successfully change another account's information through this method of randomly being logged into their PlayNC account?
i'm trying to randomly access your account right now ><

RedDog91

Desert Nomad

Join Date: Oct 2007

Farming for Nick gifts

R/

One of my friend's accounts got hacked this way.
Luckily he was able to recover it from contacting NCSoft quickly.

Even luckier...the hacker used the account to store items and money.
My friend came out of the ordeal with 200k and a bunch of max gold r9s.

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

the new security is not exactly safe either, read

Tullzinski

Jungle Guide

Join Date: Mar 2006

Trying to stay out of Ryuk's Death Note

N/R

So this is how the RMT's have been getting into the accts? Figures....

fowlero

Jungle Guide

Join Date: Jan 2007

England, UK

We Are The One And Only [rR]

Pretty astonishing if this is true.

Anet's really on a roll, this alongside delay after delay on skill balances. As well as no acknowledgement of the botting appearing in pvp.

Really aiding GW2's appeal.

upier

Grotto Attendant

Join Date: Mar 2006

Done.

[JUNK]

The guys on the other side are probably already thinking of a way to remedy this problem as we speak.
The "problem" of course being people exposing this sort of issue.

glacialphoenix

Desert Nomad

Join Date: Jul 2008

Singapore

Royal Order of Flying Lemmings [ROFL]

Mo/

Quote:
Anet's really on a roll
To be fair to Anet, I highly doubt they're responsible for the ridiculous lack of security on the NCSoft master account.

You can blame them for the problems within GW (lag, lack of festival hats, lack of skill balances/updates etc.) all you want, but I don't think you can pin the actual security gap in the master account on them.

(Denial of said security gap, however...)

Faer

La-Li-Lu-Le-Lo

Join Date: Feb 2006

Quote:
Originally Posted by Fay Vert
I look forward to the official response in this thread
I'm actually hoping their excellent legal team advises them against making one. Gaile has already done enough damage by not reading things and claiming proven problems to be "rumors that are provably false". Let them keep pointing fingers at a fansite that hasn't been proven to exist yet (hey, what was that about spreading rumors, again?). Everybody knows about this now, so there's no point in worrying about what they have to say about it. Their actions will speak louder than any words they might offer.

Zinger314

Debbie Downer

Join Date: May 2006

N/Me

My account got hacked (and likely stripped). The only time I linked it to an NCSoft Account was for the free pane of storage during the anniversary.

lol irony.

Shayne Hawke

Departed from Tyria

Join Date: May 2007

Clan Dethryche [dth]

R/

The chess timer has been far expired, ANet. It's about time you made your move.

Kerwyn Nasilan

Forge Runner

Join Date: Aug 2007

WHERE DO YOU THINK

W/

Can you just remove PlayNC ANet? It is a useless RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GOing site and if this is anything to be believed then a major risk.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

They're in zugzwang, Shayne.

Paradise Lost

Academy Page

Join Date: Jul 2009

UK

W/

There needs to be a way to de-link your gw account from your ncsoft master account!

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

Just remove all previously solved tickets please ArenaNet! NOW.

Enko

Forge Runner

Join Date: Jun 2006

VA

Mo/

wonder if someone should report this to mmorpg.com. with a big enough stink about it, i bet ncsoft would be forced to deal with it unless they want to lose all of their customers.

Jair

Pre-Searing Cadet

Join Date: May 2009

Veritas Invictus [TRUE]

R/

If this is actually true, it is pretty bad.

Erys Vasburg

[Domination Henchman]

Join Date: Feb 2007

Echovald Forest

House Vasburg

Me/

Quote:
Originally Posted by glacialphoenix
(Denial of said security gap, however...)
That was my point with ArenaNet, yes. The way they encourage the lies by allowing them to fester on their official wiki, which is where they want players to go for all the facts... It looks very bad for them, doesn't it? Then again, so did this... But they covered it up nice and good, too.

(Yet another snapshot garnered from somebody who was on top of the issue at the time - posted with permission)

Enko

Forge Runner

Join Date: Jun 2006

VA

Mo/

looks like if ncsoft would just make the old password a requirement to change passwords (just like most sites have), would be a quick bandaid for this until they can fix the actual issue.
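
[Added example, not part of the thread and not NCsoft's code: a sketch of the old-password check that the official response says was put in place and that the post above suggests. The class, method names, accounts and passwords are all hypothetical and constructed for illustration; a session bound to the wrong account is simulated to show why the check matters.]

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this example)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class MasterAccounts:
    """Hypothetical in-memory account store; every name here is illustrative."""

    def __init__(self):
        self.users = {}     # username -> (salt, password_hash)
        self.sessions = {}  # session token -> username

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def check_password(self, user, password):
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _hash(password, salt))

    def open_session(self, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def change_password_session_only(self, token, new_password):
        """'Before': a valid session alone is enough to set a new password."""
        user = self.sessions.get(token)
        if user is None:
            return False
        self.register(user, new_password)
        return True

    def change_password(self, token, old_password, new_password):
        """'After': the caller must also prove knowledge of the old password."""
        user = self.sessions.get(token)
        if user is None or not self.check_password(user, old_password):
            return False
        self.register(user, new_password)
        # Drop every session for this account so stale or misbound ones die.
        self.sessions = {t: u for t, u in self.sessions.items() if u != user}
        return True


def demo():
    store = MasterAccounts()
    store.register("alice", "alice-old-pw")  # constructed sample accounts
    store.register("bob", "bob-old-pw")
    # Simulate the reported fault: bob's browser ends up holding a session
    # that the server has bound to alice's account.
    misbound = store.open_session("alice")
    results = {}
    # Hardened handler: bob only knows his own password, so the change fails.
    results["hardened_blocks"] = not store.change_password(
        misbound, "bob-old-pw", "x")
    results["alice_keeps_pw"] = store.check_password("alice", "alice-old-pw")
    # The real owner can still change it, and the misbound session is revoked.
    own = store.open_session("alice")
    results["owner_can_change"] = store.change_password(
        own, "alice-old-pw", "alice-new-pw")
    results["misbound_revoked"] = misbound not in store.sessions
    # Session-only handler on a fresh store: what the old flow allowed.
    weak = MasterAccounts()
    weak.register("alice", "alice-old-pw")
    results["session_only_allows"] = weak.change_password_session_only(
        weak.open_session("alice"), "x")
    return results


if __name__ == "__main__":
    print(demo())
```

[The check only protects the password itself: a session bound to the wrong account can still read whatever the account page displays until the session handling is fixed.]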

ac1inferno

Desert Nomad

Join Date: Aug 2007

Boston

We D Shot Your Stances [GODS]

A/W

What I don't get is can't they check and punish those who did it? I mean isn't it possible to look back in trade logs and see that one account moved everything it owns to another account? Or even if they were outside an outpost and everything was dropped for another account to pick up, isn't it possible to look back and check into those?

Lukyboy

Elite Guru

Join Date: Nov 2007

The Mirror of Reason [SNOW]

D/A

This is interesting....

What could be the reason that they are not fixing this?