Account Hackings - The Source

Enko

Forge Runner

Join Date: Jun 2006

VA

Mo/

Quote:
Originally Posted by zwei2stein View Post
I do not want to sound like an anet defender, but can anyone confirm this? I mean, anyone trustworthy (say, guru regular?) can confirm that he did manage to log in to someone else's plaync by chance?

Because I am not aware of technology that would allow this. I can not even conceive of a bug where someone would randomly end up getting logged in to another account ... there is just no magical code fairy that could sometimes, randomly, say "nah, let's log him in to a completely random different account".

Just does not work this way...
this guy claims to.
Quote:
Originally Posted by niek2004 View Post
After about 60 tries I logged into someone else's account. Too bad it didn't have guildwars.
it could just be shoddy coding. database could be pointing at wrong profiles. i haven't seen another person's account yet and i've been using the ncsoft master account for a while now.

not sure if it was a coincidence but seemed like a lot of the current wave of hackings happened after aion got released and it seems like a lot of aion accounts have been stolen as well.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Enko View Post
anyone worried that the thread for no hats has received multiple responses from regina but this one hasn't received one yet?
They've always ignored these threads until the Guru mods get behind them and demand accountability. Since this is an NCSoft problem, I'd imagine that the ANet people are going to distance themselves until they have the opportunity to verify and confer with NCSoft.

Also, there are three times the number of posts in the thread about hats. Says something about the GW community and the (shortsighted) priorities of many.

T1Cybernetic

Desert Nomad

Join Date: Sep 2005

Wakefield, West Yorkshire, Uk, Nr Earth

Alternate Evil Gamers [aeg]

N/

Quote:
Originally Posted by Paradise Lost View Post
There needs to be a way to de-link your gw account from your ncsoft master account!
I have just been looking for such an option in my account, i wasn't aware it could not be done

Anka Yirannes

Ascalonian Squire

Join Date: Nov 2009

Liars Cheats and Thieves. [Liar]

Me/Rt

*sobs in corner, wishing he hadn't linked GW account to NCSoft account*

Enko

Forge Runner

Join Date: Jun 2006

VA

Mo/

Quote:
Originally Posted by Anka Yirannes View Post
*sobs in corner, wishing he hadn't linked GW account to NCSoft account*
heh you're telling me. i got 10 gw accounts and 3 coh accounts linked to that . ..

manitoba1073

Desert Nomad

Join Date: Jan 2006

ManitobaShipyards Refit and Repair Station

(SFC)Star Fleet Command,(TDE)The Daggerfall elite,(SOoM)Secret order of Magi

Quote:
Originally Posted by Turbo Ginsu View Post
I believe not. IMO, all they have done is force the problem into the light, kind of like when you put drawing ointment on a boil.

Regardless of what happens from here on in, you can certainly expect this to come to a glorious pus-filled head, real soon.

GG Guru!

Total SG aNet!
Yes they have, as some posters here have already tried doing it, by allowing this exploit to remain open in the public like they are doing. This problem was known by some and were trying to get it fixed before too many found out to exploit it.

Gun Pierson

Forge Runner

Join Date: Feb 2006

Belgium

PIMP

Mo/

Oh dear, if this is true the shit will hit the fan again.

Enko

Forge Runner

Join Date: Jun 2006

VA

Mo/

Quote:
Originally Posted by manitoba1073 View Post
Yes they have, as some posters here have already tried doing it, by allowing this exploit to remain open in the public like they are doing. This problem was known by some and were trying to get it fixed before too many found out to exploit it.
the dupe method report to gaile that got fenix and i banned was patched within an hour of them finding out about it. makes me wonder how they were trying to get it fixed . .. this has been going on for how long now? i would also consider this a heck of a lot more dangerous than a dupe was. if anet or ncsoft knew about this already from players, it should have been a priority to fix, especially since they could've just made some small changes to prevent this.

Kate Monster

Ascalonian Squire

Join Date: Jan 2009

Illinois

Guardians Of The Veil [VeiL]

E/

Yeah..this makes it official. I'm cancelling my GW2 pre-order. I'm not buying another piece of shi..er...software from this company until they fix the security problems. I'm not paying money for an account that is going to be easily stolen. And yes, if I purchased a piece of software, I technically do own something and have legal rights to compensation (in the form of a refund for all products purchased). Maybe Anet & NCSoft would react a little more in the players' best interest if a number of us contacted the BBB & our local Attorney Generals.

Enko

Forge Runner

Join Date: Jun 2006

VA

Mo/

Quote:
Originally Posted by Kate Monster View Post
Yeah..this makes it official. I'm cancelling my GW2 pre-order. I'm not buying another piece of shi..er...software from this company until they fix the security problems. I'm not paying money for an account that is going to be easily stolen. And yes, if I purchased a piece of software, I technically do own something and have legal rights to compensation (in the form of a refund for all products purchased). Maybe Anet & NCSoft would react a little more in the players' best interest if a number of us contacted the BBB & our local Attorney Generals.
with the online games, you own the right to access their server with an account. you do not own the actual data. if you read the eula closely, it states that.

Damian Manson

Academy Page

Join Date: Dec 2007

D/

i always worried that this day would come and well as has been said its lets hope ncsoft admit to this if it's true and get it fixed pronto

genofreek

Desert Nomad

Join Date: Jan 2007

USA

Jenova's Apocolyptic Remains [JAR]

D/

Quote:
Originally Posted by Martin Alvito View Post
Also, there are three times the number of posts in the thread about hats. Says something about the GW community and the (shortsighted) priorities of many.
In the hat thread's defense, Regina was in there encouraging users to describe where and when the hats failed to launch and people are constantly showing up with their own personal details, whereas this thread's mostly intelligent discussion of a big problem.

Arduin

Grotto Attendant

Join Date: May 2005

The Netherlands

Limburgse Jagers [LJ]

R/

Quote:
Originally Posted by Damian Manson View Post
i always worried that this day would come and well as has been said its lets hope ncsoft admit to this if it's true and get it fixed pronto
Fixing is one thing, admitting there is a major security problem....

Fay Vert

Desert Nomad

Join Date: Apr 2006

R/

Quote:
Originally Posted by zwei2stein View Post
Because I am not aware of technology that would allow this. I can not even conceive of a bug where someone would randomly end up getting logged in to another account ... there is just no magical code fairy that could sometimes, randomly, say "nah, let's log him in to a completely random different account".

Just does not work this way...
Actually this is a very common problem, I recall having the same thing about ten years ago when I was doing my first web apps. The problem then was lack of thread safety in interop code, but there are other causes. It was quite a common problem about 7 or 8 years ago with some ecommerce and even financial sites, not heard of it for a while though, it's something web developers and testers should know about if they are in that business.

Worrying isn't it.


Who votes to unlink their GW account from NCSoft?

Anka Yirannes

Ascalonian Squire

Join Date: Nov 2009

Liars Cheats and Thieves. [Liar]

Me/Rt

Quote:
Originally Posted by Fay Vert View Post
Who votes to unlink their GW account from NCSoft?
Hear hear! *leaves signature*

lishi

Forge Runner

Join Date: Jul 2005

Quote:
Originally Posted by zwei2stein View Post
I do not want to sound like an anet defender, but can anyone confirm this? I mean, anyone trustworthy (say, guru regular?) can confirm that he did manage to log in to someone else's plaync by chance?

Because I am not aware of technology that would allow this. I can not even conceive of a bug where someone would randomly end up getting logged in to another account ... there is just no magical code fairy that could sometimes, randomly, say "nah, let's log him in to a completely random different account".

Just does not work this way...
It would require very very bad coding, bug and stuff. It's hard to believe, if it took only 60 tries then it's a pretty common thing. It's hard to believe the bug existed even in first place, but possible, thinking that still exist, well i will need more proof of that.

HellScreamS

Krytan Explorer

Join Date: Aug 2009

wouldn't you like to know?

^yea KFC just subscribed to me for 1 year^

P/

what's to be concerning is that at the moment not only a few guys in the game believe this to be a whole fraud; like in the GM's hacking and thus trying to keep the GW population distant and leave the game. Their idea is that, the less people that play GW, the less it will take to maintain the servers. Doesn't make too much sense to me, but just my 0.23$

Astral_Nomad

Frost Gate Guardian

Join Date: Nov 2008

Canada

[NBK] Natural Born Killaz

W/N

Quote:
Originally Posted by ac1inferno View Post
What I don't get is can't they check and punish those who did it? I mean isn't it possible to look back in trade logs and see that one account moved everything it owns to another account? Or even if they were outside an outpost and everything was dropped for another account to pick up, isn't it possible to look back and check into those?
I understand what you're saying, but any hacker worth his salt would know to use a proxy connection doing this. A proxy hides his real ip by stealing someone else's which means you wouldn't be punishing the hacker- just the poor schlub that he stole the ip from. If that were another gw player, that would suck.

Shayne Hawke

Departed from Tyria

Join Date: May 2007

Clan Dethryche [dth]

R/

Quote:
Originally Posted by Erys Vasburg View Post
You can thank NCSoft for letting Linsey get hacked for that layer of protection.
So wait, Linsey got her account broken into? When was this?

Enko

Forge Runner

Join Date: Jun 2006

VA

Mo/

Quote:
Originally Posted by HellScreamS View Post
what's to be concerning is that at the moment not only a few guys in the game believe this to be a whole fraud; like in the GM's hacking and thus trying to keep the GW population distant and leave the game. Their idea is that, the less people that play GW, the less it will take to maintain the servers. Doesn't make too much sense to me, but just my 0.23$
i could see that if the game was dying and had no successor but they have gw2 to look at. most of the players who play gw1 will probably eventually buy gw2 (unless their experience becomes so soured that they'll move on to a different company)

Chthon

Grotto Attendant

Join Date: Apr 2007

1. This is bad. Worse than I knew... which was plenty bad already.

2. The character-name question is not going to protect GW accounts when the NCSoft account is compromised because of the old support tickets that contain character names.

The best quick fix would be to delete all the old support tickets ASAP. Since that requires NCSoft to cooperate, it probably won't happen.

Plan B. Change the GW security question so that the user may specify ONE particular character name as the only correct answer. (Presumably everyone has an obscure character that's never been used in a support ticket.)

3. Read #2. It's important.

4. Again, I want to call for EITHER
Let us sever our GW accounts from the NCSoft account
OR
Remove the NCSoft account's ability to reset the GW password (from the GW side).

5.
Quote:
Originally Posted by genofreek View Post
I'm not sure how I feel about this massive exploit being highlighted and broken down on a high-traffic area of a high-traffic forum.
Since it's already known to the bad guys, there's not much more harm to do. If this were a first release, I'd feel a little more miffed that NCSoft wasn't given a private warning first. Since the info has already been available for 4 months elsewhere, I'm not terribly upset.

Hopefully the knowledge that ANYONE can now hack any account, might pressure NCSoft into finally acting.

6.
Quote:
Originally Posted by zwei2stein View Post
I do not want to sound like an anet defender, but can anyone confirm this? I mean, anyone trustworthy (say, guru regular?) can confirm that he did manage to log in to someone else's plaync by chance?
Perhaps not a regular, but not a brand new Guru account either:
Quote:
Originally Posted by niek2004 View Post
After about 60 tries I logged into someone else's account. Too bad it didn't have guildwars.
Quote:
Originally Posted by zwei2stein View Post
Because I am not aware of technology that would allow this. I can not even conceive of a bug where someone would randomly end up getting logged in to another account ... there is just no magical code fairy that could sometimes, randomly, say "nah, let's log him in to a completely random different account".
Here's one possibility: Improper pointer to a memory address that is not properly allocated and preserved for the duration of the pointer. When the number indexing that account in the database is calculated, it gets stored at that address. Then the memory gets released. Then the pointer comes by and references it. If the system doesn't happen to reuse that memory address for anything in the meantime, the correct value is still there, and the pointer returns the correct value exactly as planned. If the system has reused it, the value is essentially random, and the pointer returns a random value. Hard bug to catch and fix, since sometimes -- even usually -- it works just fine, and the condition that triggers incorrect behavior is wholly external to the program or its inputs.

I'm sure there's thousands of other programming errors that could produce a similar result. That's just the one that came to my mind.

Quote:
Originally Posted by YunSooJin View Post
I know the guru population isn't exactly made up of adult professionals, but is there anyone well-versed in context of the law who can comment on this?

Possible that there can be class-action type lawsuits?
More jurisdictions than you can count, more legal frameworks than you can count. Some jurisdictions consider the EULA a binding addition to your purchase agreement. Some jurisdictions consider the EULA mere toilet paper. All jurisdictions are going to have trouble quantifying players' losses. Did you lose the purchase price of the game? The e-bay value of your best items? Some sort of emotional harm? It's a relatively new issue, and courts are universally bad at dealing with new issues. My guess is that the most favorable jurisdiction to try something like this would be somewhere in the EU. And that's out of my area of expertise.

Well, I guess I have one more thought to add: You'll never get a judge or jury to understand how accounts are getting hacked and how exactly that fails to live up to the level of care a reasonable and prudent game company would use. But, "you knew there was a big hole in your security and you just sat there and denied it while doing nothing to fix it" is something that everyone understands. As is often the case, the coverup is more damning than the negligence.
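
Added example, not part of the post above and not NCSoft or ArenaNet code: the dangling-reference possibility from point 6, modelled in C with a small slot pool so it behaves deterministically. The pool, the handle type and the account numbers 1001 and 2002 are constructed for illustration; the generation check is one common mitigation, not a known fix for this site.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 4
#define NO_ACCOUNT 0u            /* reserved: "no account resolved" */

struct slot {
    uint32_t account_id;         /* database index of the account */
    uint32_t generation;         /* bumped on every release */
    int in_use;
};
struct handle { int index; uint32_t generation; };

static struct slot pool[SLOTS];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Take the first free slot, the way an allocator reuses freed memory. */
static struct handle slot_alloc(uint32_t account_id) {
    struct handle h = { -1, 0 };
    for (int i = 0; i < SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].account_id = account_id;
            h.index = i;
            h.generation = pool[i].generation;
            break;
        }
    }
    return h;
}

/* Like free(): the old value stays in place until someone overwrites it. */
static void slot_release(struct handle h) {
    if (h.index < 0 || h.index >= SLOTS) return;
    pool[h.index].in_use = 0;
    pool[h.index].generation++;
}

/* Raw-pointer behaviour: read whatever the slot holds right now. */
static uint32_t deref_unchecked(struct handle h) {
    if (h.index < 0 || h.index >= SLOTS) return NO_ACCOUNT;
    return pool[h.index].account_id;
}

/* Mitigation: a handle is valid only for the allocation it was issued for. */
static uint32_t deref_checked(struct handle h) {
    if (h.index < 0 || h.index >= SLOTS) return NO_ACCOUNT;
    const struct slot *s = &pool[h.index];
    if (!s->in_use || s->generation != h.generation) return NO_ACCOUNT;
    return s->account_id;
}

/* A login for account 1001 whose slot is released too early; optionally a
   second login (account 2002) reuses the slot before the value is read. */
uint32_t resolve_after_early_release(int slot_reused, int checked) {
    pool_reset();
    struct handle mine = slot_alloc(1001);
    slot_release(mine);          /* the bug: released while still referenced */
    if (slot_reused) (void)slot_alloc(2002);
    return checked ? deref_checked(mine) : deref_unchecked(mine);
}

int main(void) {
    printf("unchecked, slot not reused: %u\n", (unsigned)resolve_after_early_release(0, 0));
    printf("unchecked, slot reused:     %u\n", (unsigned)resolve_after_early_release(1, 0));
    printf("checked,   slot not reused: %u\n", (unsigned)resolve_after_early_release(0, 1));
    printf("checked,   slot reused:     %u\n", (unsigned)resolve_after_early_release(1, 1));
    return 0;
}
```

The unchecked read returns the right account when nothing reused the slot and a different account when something did, which is why such a bug survives testing; the checked read fails closed in both cases.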

HellScreamS

Krytan Explorer

Join Date: Aug 2009

wouldn't you like to know?

^yea KFC just subscribed to me for 1 year^

P/

Quote:
Originally Posted by Enko View Post
i could see that if the game was dying and had no successor but they have gw2 to look at. most of the players who play gw1 will probably eventually buy gw2 (unless their experience becomes so soured that they'll move on to a different company)
yes, that's my exact thoughts into this, but a load of peeps think this, thought it might be shared.

Gli

Forge Runner

Join Date: Nov 2005

Quote:
Originally Posted by zwei2stein View Post
Because I am not aware of technology that would allow this. I can not even conceive of a bug where someone would randomly end up getting logged in to another account ... there is just no magical code fairy that could sometimes, randomly, say "nah, let's log him in to a completely random different account".

Just does not work this way...
I've seen something similar at a company I was at a few years ago. A timeout on a database lookup being handled improperly and the process proceeding with data from a previous session that hadn't been cleared from the server's memory. Two huge coding problems.

Probably not in any way related to what's going on here because if all this is true, people can log on to accounts that haven't been logged on to in ages. Anyway, just posting this to point out that one should never underestimate the power of bad coding.
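
Added example, not part of the post above and not code from any company mentioned in the thread: the two problems described there (a lookup timeout that is not handled, and per-worker state that is not cleared between requests) shown next to a handler that clears its state and fails closed. The account table, function names and the simulated timeout flag are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NO_ACCOUNT 0u

enum db_status { DB_OK = 0, DB_TIMEOUT = -1, DB_NOT_FOUND = -2 };

/* State a worker keeps while serving one request, then reuses for the next. */
struct worker_ctx { char login[32]; uint32_t account_id; };

struct account { const char *login; uint32_t id; };
static const struct account ACCOUNTS[] = { { "alice", 1001 }, { "bob", 2002 } };

/* Constructed stand-in for the database call. On any failure *out is left
   untouched, which is what makes an ignored return code dangerous. */
static enum db_status db_lookup(const char *login, int simulate_timeout, uint32_t *out) {
    if (simulate_timeout) return DB_TIMEOUT;
    for (size_t i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++) {
        if (strcmp(ACCOUNTS[i].login, login) == 0) { *out = ACCOUNTS[i].id; return DB_OK; }
    }
    return DB_NOT_FOUND;
}

/* Problem 1: the return value is ignored. Problem 2: ctx still holds the
   previous request's account_id, so that is what gets returned. */
static uint32_t handle_login_buggy(struct worker_ctx *ctx, const char *login, int timeout) {
    snprintf(ctx->login, sizeof ctx->login, "%s", login);
    db_lookup(login, timeout, &ctx->account_id);
    return ctx->account_id;
}

/* Clear per-request state first, then refuse the login on any lookup error. */
static uint32_t handle_login_fixed(struct worker_ctx *ctx, const char *login, int timeout) {
    memset(ctx, 0, sizeof *ctx);
    snprintf(ctx->login, sizeof ctx->login, "%s", login);
    if (db_lookup(login, timeout, &ctx->account_id) != DB_OK) {
        ctx->account_id = NO_ACCOUNT;
        return NO_ACCOUNT;
    }
    return ctx->account_id;
}

/* One worker serves "alice" and then "bob"; returns the account id that the
   second request ends up bound to. */
uint32_t second_request_account(int use_fixed, int second_lookup_times_out) {
    struct worker_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    if (use_fixed) {
        handle_login_fixed(&ctx, "alice", 0);
        return handle_login_fixed(&ctx, "bob", second_lookup_times_out);
    }
    handle_login_buggy(&ctx, "alice", 0);
    return handle_login_buggy(&ctx, "bob", second_lookup_times_out);
}

int main(void) {
    printf("buggy, no timeout: %u\n", (unsigned)second_request_account(0, 0));
    printf("buggy, timeout:    %u\n", (unsigned)second_request_account(0, 1));
    printf("fixed, no timeout: %u\n", (unsigned)second_request_account(1, 0));
    printf("fixed, timeout:    %u\n", (unsigned)second_request_account(1, 1));
    return 0;
}
```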

Tom Swift

Jungle Guide

Join Date: Aug 2007

Just a note of caution for those trying to log in and out multiple times to see if this works,

I would be worried that as part of the "solution" they might start banning all accounts that logged in and out a large number of times in a short period of time.

I understand the desire to see if this is real, but it's going to be tough to use the defense that you were just trying to help if they get over aggressive with the ban bat.

lishi

Forge Runner

Join Date: Jul 2005

Quote:
Originally Posted by Gli View Post
I've seen something similar at a company I was at a few years ago. A timeout on a database lookup being handled improperly and the process proceeding with data from a previous session that hadn't been cleared from the server's memory. Two huge coding problems.

Probably not in any way related to what's going on here because if all this is true, people can log on to accounts that haven't been logged on to in ages. Anyway, just posting this to point out that one should never underestimate the power of bad coding.
It doesn't require just bad coding, it requires not fixing the bad code. It would be hardly a secret to ncsoft if the problem was so extensive.
Thinking they didn't fix it ASAP and people are still doing that, well that is hard to gulp down.

Yet, clearly the beans(account info) got spilled somewhere.

slowerpoke

Desert Nomad

Join Date: Jul 2007

Cuba

I hope players keep reminding anet that the current lack of security on ncsoft's website is unacceptable and must be fixed.

Gun Pierson

Forge Runner

Join Date: Feb 2006

Belgium

PIMP

Mo/

Well when I bought the game, I put my trust in Anet, didn't even know who NCSoft was. Is separating the GW account from the main account and destroying old tickets + personal info even an option?

glacialphoenix

Desert Nomad

Join Date: Jul 2008

Singapore

Royal Order of Flying Lemmings [ROFL]

Mo/

Quote:
Originally Posted by Gun Pierson
Well when I bought the game, I put my trust in Anet, didn't even know who NCSoft was. Is separating the GW account from the main account and destroying old tickets + personal info even an option?
This, pretty much. I want to be able to unlink my GW account from the NCSoft master account. What the heck is the point of Anet upping security on GW if someone hacking into the NCSoft master account can bypass all of these?

Jensy

Site Contributor

Join Date: Apr 2007

Phoenix, Arizona

Blinkie Ponie Armie [bpa]

N/Mo

Yeah... I really want my accounts unlinked at this point. I don't care how safe you are, how crazy your PW is, it doesn't MATTER if this is true.

Ugh.

Shayne Hawke

Departed from Tyria

Join Date: May 2007

Clan Dethryche [dth]

R/

Quote:
Originally Posted by Chthon View Post
2. The character-name question is not going to protect GW accounts when the NCSoft account is compromised because of the old support tickets that contain character names.
brb, throwing my keyboard all the way down the goddamn hallway.

Kerwyn Nasilan

Forge Runner

Join Date: Aug 2007

WHERE DO YOU THINK

W/

Perhaps we should all start sending EMails to ANet/NCSoft requesting a bit of info on What The RED ENGINE GORED ENGINE GORED ENGINE GORED ENGINE GOing Hell they plan on doing about this...
Or perhaps just letting us unlink from that useless website.

Bob Slydell

Forge Runner

Join Date: Jan 2007

OH i get it now, you put a random acct name in the URL and bam, you can change their shit. HahahhaHAHHAA LOLOLOLOLOOOLOLLOO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!

Juhanah

Lion's Arch Merchant

Join Date: Apr 2005

in my house

This is a very serious issue. If Arenanet was 1% serious they would force NCSoft to act now. This is the most stupid security issue a game company can have.

But it is NCSoft we're talking about here. From the great country of Denial of everything they do wrong. So if something is done, it might be in 2 years (and probably just make it worse)

If at least it asked for anything at all other than writing new password to change it. Even without the login issue it is stupid to make changing password this simple.

Edit: Maybe we should suggest to people who have been hacked to get themselves a random account from NCSoft. Since this is how it looks right now, a big Jar of publicly exposed accounts that anyone can pick in.

Arduin

Grotto Attendant

Join Date: May 2005

The Netherlands

Limburgse Jagers [LJ]

R/

Quote:
Originally Posted by Chrisworld View Post
OH i get it now, you put a random acct name in the URL and bam, you can change their shit. HahahhaHAHHAA LOLOLOLOLOOOLOLLOO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!
Tell me you are RED ENGINE GORED kidding me!

BoxOfCox

Frost Gate Guardian

Join Date: Nov 2009

CA

Wars

"hurrr durrrr 99% of hacked accounts are through the fault of the players themselves durr hurrr hurrrr"

What now, douchebags?

byteme!

Forge Runner

Join Date: Jan 2006

On Earth

W/P

Quote:
Originally Posted by BoxOfCox View Post
"hurrr durrrr 99% of hacked accounts are through the fault of the players themselves durr hurrr hurrrr"

What now, douchebags?
Agreed. I feel sorry for all the forum users in the past who got flamed for losing their accounts to no fault of their own. You guys didn't deserve the treatment you got from this forum.

Tiramos Caesar

Ascalonian Squire

Join Date: Nov 2007

I just went to my master plaync account and did not see any old tickets. I've only used the account for the free storage pane. Am I not looking in the right place on my nc account for old information?

And will having different email accounts on gw and plaync be beneficial?

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Chrisworld View Post
OH i get it now, you put a random acct name in the URL and bam, you can change their shit. HahahhaHAHHAA LOLOLOLOLOOOLOLLOO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!
Whaaaaaaaaat?

Couple that with the trick to generate legit account names and I'm stunned we haven't ALL been hacked by now.

Bob Slydell

Forge Runner

Join Date: Jan 2007

Quote:
Originally Posted by Arduin View Post
Tell me you are RED ENGINE GORED kidding me!
I'm dead serious man.

Riot Narita

Desert Nomad

Join Date: Apr 2007

Quote:
Originally Posted by Chthon View Post
2. The character-name question is not going to protect GW accounts when the NCSoft account is compromised because of the old support tickets that contain character names.

The best quick fix would be to delete all the old support tickets ASAP. Since that requires NCSoft to cooperate, it probably won't happen.

Plan B. Change the GW security question so that the user may specify ONE particular character name as the only correct answer. (Presumably everyone has an obscure character that's never been used in a support ticket.)
No telling when this will be fixed, and it could be a while given that NCsoft has never taken security seriously in the past. (Security is weak even without this latest gaffe).

If your character names are splurged in support tickets (or your NCsoft account name matches your forums name, and you've posted your IGN in forums)... and you want to protect yourself in the meantime... changing your character names is an option.

But you have to pay for that... which sucks royally. I still did it though - actually I did it as soon as character names became part of our account security. I changed the names of all characters whose names I had posted in forums or anywhere. I had to pay for that "insurance", I can't risk my main character getting deleted.