Account Hackings - The Source

We were told it is not possible by proven and persistant liars.

Easy solution.


For changing settings/pass/etc. on NCsoft, make it require your current password to change stuff.


Simple as that until they get a fix.

True. They do say a lot of things are impossible, but truely... nothing is impossible when it comes to servers/databases/computers. It probably takes less than 3 seconds to remove a GW account from an NCSoft account. But for some reason, they won't do it. Just like how they won't restore a 1 KB line of text that makes your very GW character possible to exist.

Woah Woah now..back it down a bit...you don't understand, this solution makes WAYYYY toooooo much sense.

I hadn't even thought about HoM linking GW2 to my GW1 account and thus most likely also to the NCSoft master account. So much for a fresh start with GW2 when it comes to keeping it away from the terrible NCSoft site.

And all of this because they forced many of us that hadn't done so before to register at NCSoft for a single lousy storage tab. I would never have done so otherwise !

yes the change password system is idiotic to say the least..

The only way to avoid being linked is to purchase GW2 off the shelf (never mind preview or pre-order via the online store), use completely separate login credentials, and NEVER link your HoM. So much for the work you put in on GW1, eh?

Not sure if I ever did, but just to be safe, I'm taking every step possible. I've already removed everything sensitive I had in my profile that I could, apparently my name is locked in, but I'm not sure how to change the support password. Where do I go for that?

e: I can't believe you can just change an entire account's information just like that with no knowledge of the password needed at all. Maybe on some 13 year old's first attempt at a forum, but holy god this is a major game company's website.

If...now..that is a BIG IF by the time GW2 comes out, now lets think for a moment. GW2 is coming out in 2011..it's not going to come out on 1/1/2011..it will come later in that year, hell we don't even know when in 2011 it comes out. 2010 just began so at the LEAST we still have one solid year to see what happens to NCSoft security. If by the time GW2 comes out things are still the same I'm more then likely going to just create a single GW2 account fresh just to make sure it is never linked to an NC account. Yes, I will buy GW2 because I've come this far in GW1. I've already practiced the utmost extreme account security in this game in all forms you could imagine, except the NCsoft part. So..GW2..my account is starting fresh and I don't give a good fat damn about the HoM. Woo big ******* deal you grind your ass off for years in GW1 to get some stupid sword or minipet that flashes your e-peen off that you did what I just stated (grinded) and for that matter played GW1 and have the noobs ask you where you got it and how they can get it. As of now...FOR NOW, a new fresh game account for GW2 is in my book until they figure out what the hell is going on, who the hell let this happen and FIRE those utter MORONS.

Most interesting situation for a game I have ever heard of or have ever seen in my life. I gave you credit for keeping me astonished and entertained NCSoft, GREAT job.

Exactly. And my account was unlinked (storebought) for years until I needed to register for the free storage tab ...

@Chrisworld, I agree, I would also rather have a clean GW2 then have it linked to the HoM. I don't care about it that much, but still all most of us do these days PvE-wise is work on the bloody thing, would have been nice to have it in GW2 without the link to NCSoft being forced with it (all of this assuming that is the case, which seems pretty likely).

Well this is a comforting thought. Great!

And Bunnys post link from [email protected]... How the hell can you create a website and not TEST its security issues before you implement it on this grand of scale?!?!?!??!? Great business practices i see here. This just says to me that you dont care about your player base what-so-ever and if they have to go buy another game because they got hacked...who the hell cares...its just more money in their pocket. With this knowlegde...who cares about the HoM? Who will bother to waste their money on something that can be taken away so easily? Who will bother buying your games now? Might as well just throw your hard earned cash down the toilet. Will save you the thousands of hours wasted just to be disappointed later down the road.

Wtt my free storage tab for an unlinked ncsoft account

my mistake. it was a wiki post by Gaile who said she's been talking to Regina about this issue.

I'm willing to bet it will not be possible to play GW2 without an NC master account. There will be no choice like GW1, everything has been geared to getting people to link for a long time, they won't unlink simply because that is not the business model, linking is how they will make money.

You guys shouldn't blame much on Guild Wars, but more on NCSoft for not having common sense. They need to make it so entering current password is needed to change things.

Login to your NCSoft master account at http://us.ncsoft.com/en/. Once logged in, click the Support tab on the top of the screen, this transfers you to the http://help.ncsoft.com site. Then click on the My Stuff tab and login. Whatever support cases you have will be displayed and from there you can change your password to the support site by clicking the Change Password button.

Or you can just access the support site directly, either way, make sure your passwords for the two sites aren't the same.

then they can count on a lot of people not buying gw2 until we get some kind of assurance that their massive security holes have been plugged.

oh well, Champions Online, STO, and The Old Republic are calling me.

Regarding GW2 and buying off the shelf: You don't know for sure if they're not gonna adopt the same method they use for Aion: You MUST register your game account through NCSoft master account. It doesn't matter where you buy the game from.

oh for freaks sake!!! Shut down the plaync site until you get this fixed!!!!!!!! The hell wiith channels and protocol. Be safe first and fix later!!!!!!!

Well we'll see when the time comes. When I bought GW in early 06' I just made the account in the GW client without any knowledge of NCSoft even being a company. But you are right, Aion is new and GW2 will be even newer, newer requirements and practices.

What if it disappears forever like XTH!

"experienced crew"

Let us stop for a second and think: would that be the same crew that told her to tell us multiple times that there was absolutely no flaw on their end? The same "experienced crew" who insisted everything was fine, even when the community was proving through action and example that there was a severe problem with security?

If so, it sounds like they need to become experienced in being unemployed.

You are comparing apple with orange.

The ncsoft account system and the guildwars dev team are separate and with different competence.

If the company XXX have a big problem in their marketing department the guys on the production department don't stop their job and help the marketing department with stuff who are not their competence.

The problem is that no one from anet can shut down the plaync site. So you're stuck with going through the channels in order to get anything done.

Meh

I'm going to win the lottery tomorrow, buy ANet from NCSoft and hand it to someone responsible. Someone responsible who cares about the game and thinks gamers are real people not numbers which you put into a PowerPoint presentation which you show to your boss every 4.5 weeks
NCSoft is SH*T. SH*T, SH*T and once again SH*T. I'm almost certain no one from ANet can tell them that straight in the face. But since I'm not employed by them I shall say it once again - you are shit NCSoft, bunch of money grabbers

For me this security issue, in the scale 1 to 10 is probably 8
9 is when those "hackers" take control over the game servers
10 is when they hack into ANet/NCSoft LAN
If I was IT support there I would just pull the plug on the server where the website resides
I mean seriously.... Logging RANDOMLY to other people accounts?! WTF?!
If that happened at the place I work the whole department would be in the office 24/7 until the SERIOUS SECURITY BREACH is resolved

As much I'm neutral towards Gaile, Regina and all the rest at ANet I must say I feel sorry for them. Saying something and hoping someone else did his/hers job properly... then defending them and putting your reputation on the line. F*cking hell... I would never do that. It must feel like someone back stabbed you, doesn't it?

experienced in NOT listening to their customer's genuine concern crew?

start looking for jobs or give me back all my undedicated minipets! more then 40 of them

OK then...everyone here should immediately submit multiple support tickets to the PlayNC site...maybe if we all do this:

A. NCSoft will "get it".
B. The increased traffic to the PlayNC site will take it down, thereby solving the shut it down issue.

I'm actually try to fully wrap my head around how many people could have been affected by this. Also I have created a petition demanding NCsoft/anet take responsibility IF (and looks to be likely) the fault is on their end.

Please sign! Voice your opinions and mark your name so that NCsoft knows the magnitude of the problem

First of all, we have escalated this up to the NCsoft Security team, and they will investigate the issue.

There have been ongoing investigations on the hacking incidents for some time, and according to the data gathered, none of them appear to be directly or exclusively related to NCsoft Master Accounts. Some hacking victims have NCsoft Master Accounts, some don't. Data was recently reviewed, and about half are not NCsoft Master Account holders. Therefore the hysteria surrounding the idea that all hacks are coming through the NCsoft Master Account doesn't seem to be valid. However, this doesn't necessarily rule out that some hacks are coming through NCsoft Master Accounts. The information about this particular exploit is new to us, and we don't know what will happen as more people, due to this thread, learn about it and even try it. We're not brushing things under the rug, nor denying that there might be a problem. The Support team has not previously notified us of this issue as detailed in the OP. The first we have heard of this information, as detailed in this thread's original post, was brought to our (ArenaNet's) attention just recently (yesterday, according to Gaile), so it's incorrect to suggest that we've been covering it up for months. Please be assured that we are taking the concerns in this thread seriously, following up with NCsoft Security, and actively raising the issue with the Security team.

Thank you.

Beat me to it. :P There seems to be a lot of flubbed code going around.

How big is the chance of randomly logging onto another person's account? I'm just wondering out of curiosity and so I can know just how big of deal this really is.

This is a very good point but it works both ways. I doubt NCSoft would suddenly lose any and all sense of business by letting a problem like this continue. That leads to me to believe that there's probably a logical explanation that doesn't hinge on NCSoft having some cover up conspiracy to mislead and screw over customers or every employee being in denial. I'm most certainly not saying this isn't a problem or doesn't need to be fixed but this is the kind of situation where you should really hear both sides and the only NCSoft reply I've seen was the one from Tamat compared to all the posts from players who really don't know full scope of the situation. Plus I can't help but think that the hacking wouldn't be anywhere near as severe if players hadn't made forum topics exposing the flaws to the public. To me both parties are equally at fault. And the irony is the people complaining about the lack of security are actually contributing to it. Chances are any cover up was actually meant to protect us. Basically I'm willing to give them the benefit of the doubt to at least protect their business interests. But then again I'm a devil's advocate.

Someone asked back on page 3 or 4 if there was a potential lawsuit & the answer is a resounding YES

EULA's and TOS's are NOT above the law. They are not a be all end all governance of how it will be. Unless YOUR local law is, to the letter, identical to their EULA/TOS then there is room for you to take them to the cleaners.

If you've been hacked & denied restitution the first thing you should do is contact customer support (yes, I know, this seems redundant but it's not). Save copies of all ingoing and outgoing emails so you can print them if necessary. Request a full explanation of what happened. Be polite, courteous, and patient but do NOT accept the first answer you get. Be persistent.

In the meantime, do yourself a favour and brush up on your local law. Every country, state, province, etc., has local consumer protection laws to some degree. Learn them, look for loopholes, and take notes.

If support refuses to co-operate get the contact information for NC Soft's legal department. Explain what happened, attach all emails you've exchanged with support, and include exactly what you're asking for (in most cases a full restoration of your account to a state immediately prior to being hacked), and then clearly pinpoint where your local laws give you grounds for a lawsuit if they aren't willing to compromise their EULA/TOS and work with you outside of a court room.

Unless a class action is launched in numerous countries world wide then this issue can be settled in small claims court, in which case you can represent yourself for a very minimal cost.

Where I live I can take them to court in a heart beat; both NC Soft AND Arena Net. If, or I'm starting to think I should say "when", I'm hacked this is precisely what I will do.

Yes, it's just a "game", but it's a "game" that NC Soft & Arena Net have spent a lot of money convincing me to invest my time in playing, to actively participate in, to provide feedback for, and to see things we've all had a hand in (to some extent) implemented into the game. If it weren't for us the pixels of Guild Wars commodities would have no value and they would have ceased to create revenue a long time ago.

Which security team is giving you this information? NCSoft's or Anet's? NCSoft has blatantly ignored all information that they have massive security holes in their system for a long time now. This isn't the first security hole that people have found.

Even if this wasn't going on, there are still some security issues on NCSoft's master accounts such as passwords being able to be changed without verification of who's changing it (such as requiring the old password).
A post earlier by someone who has experienced in the field of testing website security detailed some additional security holes.

Why Anet isn't demanding that NCSoft fix all of these problems is mindblowing since Anet's survival is going to depend on NCSoft's reputation as long as Anet is under them. You have a game under development that from the information released will be great but chances are if things continue this way, people won't want to buy it since their account could get hacked at any time.

Despite NCSoft or maybe your own security team telling you that it's not them, the fact that there have been so many hacks going on and nothing has been done beyond requiring us to put in a character name (which can be found through numerous means) is a little telling on how we will be treated in the future. NCSoft has some of the worst customer service I have ever dealt with. City of Heroes customer service was fine when it was still under Cryptic and as soon as NCSoft took over, it went to crap.

You're basically telling us all that both Anet and NCSoft are just a bunch of rookies who have to rely on thier own CUSTOMERS to investigate AND point out all sort of flaws in things, from marketing "don'ts", community management, BUGS, Security issues, and everything?

How reassuring. Can't believe I was foolish enough to shell out my money so many times in the past for such company.

Turn it off, Turn it off NOW! It is scary to think of the amount of personal information that is being taken from this site. This is even a worse issue than having accounts stolen. Granted adding any kind of additional requirements would be welcome to keep accounts from being pilfered, it is not as serious as the amount of personal information that is in danger.

You have to wonder how much personal information has been stored away for when this hole is finally closed.

I used to think that EA (Electronic Arts) was the worse company/publisher, well not anymore. NCsoft you have done what I thought was impossible and surpassed EA as the #1 greedy faceless company that does not give a damn. Congatulations you have earned it!!!

Even if Anet DID know about it this issue, the GW team can employ plausible deniability. Problem with these things is, the fact that there's no individual responsibility will carry through the group, or slip. Problem with hierarchal bureaucratic corporations is there's so much red tape you don't know who to blame. Really the onus is on them to figure this bollacked situation. I don't know what happens if the responsiblity is on their end... what are all these people with hacked Play NC accounts have to say about this?

I still think that someone should post a link to this and to the aion forums on mmorpg.com or tentonhammer. maybe if a large website like them made a report on them, ncsoft would actually act on this. otherwise, we're probably just going to keep getting the same story about how they're still investigating and its not really their fault. if any other company had security problems like they've had recently, other companies would've started taking down variables to figure out what the problem was or at least have their security teams working on it around the clock to fix it. I wonder if the other company who's name means a snowy storm has had any major issues like this.

nvm, just did it myself. wonder if they allow me to link to other forums . .. guess i'll find out.

Heads up for you.

The shit is hitting the fan. ANet and NCSoft's reputation is in a nose dive, nobody believes you.

Time to go nuclear on this or your company is down the toilet, so you may as well cancel GW2.

So if this is the real deal, wouldn't you think by now Guru would be flooded with "I got hacked" threads? Its been over 12 hours, 15k + views & almost 300 posts on a topic that blatantly tells you how to do this..and yet no rash of hacked threads.

Just playing devil's advocate.

You guys really sound hysteric. Its the beginning of the new year. So what if they will mess up your accounts and the xunlai booty? Take a break. The more time you invested in the game and stayed in front of the pc screen, the more you could need it.

Did everyone get their festival hats?

If I were to compromise security, I would harvest information for use at a later date. sure, -most- of the info might be useless (at a later date), most being the key word here. that, or compile it and sell it to the people who are dumb enough to actually use it..