Did the RockYou password exposure foster GW account hacking?

Kalendraf

Academy Page

Join Date: Aug 2007

Cedar Rapids, IA

Charter Vanguard

W/E

Between late November and mid-December 2009, a site called RockYou.com was the victim of a widespread password breach. All existing user passwords were stolen and subsequently posted to an internet site. What is most curious about this event is that the timeframe may coincide with the large number of Guild Wars account thefts in December.

It seems highly plausible that any would-be GW hackers may have used this list of 32 million stolen passwords as a "dictionary" (IOW, a password list) to try against Guild Wars accounts. Anyone who used a common, simple password such as those used by the RockYou users would have been extremely vulnerable. Anyone having both a RockYou account and a Guild Wars account using the same password likely got hacked immediately.

One analysis indicated that by simply trying the top 100 most common passwords across the entire user space at RockYou, any would-be hacker would have been able to breach almost 1.5 million passwords out of 32 million users, or roughly 4.5% of all the accounts!

It is highly likely that hackers will continue to use this list of published passwords to continue to attack accounts at many sites including Guild Wars. The best way to safeguard against this kind of attack is to use stronger passwords, and to use different passwords for different accounts.

For more information about the RockYou account breach, here are a couple of articles:
Analysis of 32 million breached passwords
Complete article

Finally, anyone still using a simple password (just a name, a word from the dictionary, or a simple sequence of numbers), should CHANGE IT IMMEDIATELY!!!
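The list-driven attack described in this post has a recognisable shape on the defending side: one source tries many different accounts with only one or two attempts each, which is unlike a forgetful player retrying a single account. This is an added example, not code from the thread or from NCSoft; the log format ("ip account OK|FAIL") and the sample lines are constructed.

```python
# Added example: flag credential-stuffing sources in a constructed login log.
from collections import defaultdict

# Constructed sample log lines; the "<ip> <account> <result>" format is assumed.
SAMPLE_LOG = """\
203.0.113.5 alice FAIL
203.0.113.5 bob FAIL
203.0.113.5 carol FAIL
203.0.113.5 dave OK
203.0.113.5 erin FAIL
203.0.113.5 frank FAIL
198.51.100.7 alice FAIL
198.51.100.7 alice FAIL
198.51.100.7 alice OK
192.0.2.9 bob OK
"""

def parse_log(text):
    """Yield (ip, account, success) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crashing the monitor
        ip, account, result = parts
        yield ip, account, result == "OK"

def find_stuffing_sources(text, min_accounts=5, max_attempts_per_account=2):
    """Return {ip: (distinct_accounts, [accounts that succeeded])} for sources
    that touch at least `min_accounts` distinct accounts with at most
    `max_attempts_per_account` tries each: a list being sprayed, not one
    user fumbling a password. Successful logins from such a source are the
    accounts to lock and contact first."""
    attempts = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for ip, account, ok in parse_log(text):
        attempts[ip][account] += 1
        if ok:
            successes[ip].add(account)
    flagged = {}
    for ip, per_account in attempts.items():
        if len(per_account) < min_accounts:
            continue
        if max(per_account.values()) > max_attempts_per_account:
            continue
        flagged[ip] = (len(per_account), sorted(successes[ip]))
    return flagged
```

On the sample above only 203.0.113.5 is flagged (six accounts, one hit), while the player retrying "alice" three times from 198.51.100.7 is not.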

Sookie

Lion's Arch Merchant

Join Date: Jan 2008

NoCenTex

[AKA] Guild Leader

R/

Thanks for the information... I have a couple of guildies who were compromised. I will pass on this information.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

I don't see how this can be the sole cause, given the reports of players being hacked despite strong passwords.

However, since the volume of thefts picked up quite a bit around the time of the RockYou breach, I'd concede the possibility that at least some of the thefts were related to the breach.

Kalendraf

Academy Page

Join Date: Aug 2007

Cedar Rapids, IA

Charter Vanguard

W/E

Quote:
Originally Posted by Martin Alvito
I don't see how this can be the sole cause, given the reports of players being hacked despite strong passwords.

However, since the volume of thefts picked up quite a bit around the time of the RockYou breach, I'd concede the possibility that at least some of the thefts were related to the breach.
This is exactly my thinking as well. I wasn't trying to imply that the RockYou breach was the only source of hacked GW accounts, but rather that it may have helped facilitate a great number of them in the December timeframe.

Lord Dagon

Desert Nomad

Join Date: Jul 2009

Inside the Oblivion Gate

The Imperial Guards of Istan[TIGE]

E/Me

Hmmm, I've personally never heard of RockYou (but I don't have Facebook or MySpace or anything like that, so big surprise). But with a breach of 32 million people, I mean, I'm sure at least SOMEONE had that... so it's probably not a huge surprise that people got hacked because of this. But, due to the recent light on NCSoft and their now infamous security breach, that is probably a more likely cause. I mean, we only just found out about being able to log on and off really fast a lot and we'd get into someone else's account. But how long have other people known about it that would take that practice to heart? So, while this is a very good and possibly true theory, I'm going to say that the NCSoft account breach is a far more likely cause than RockYou.com.

Alesa

Ascalonian Squire

Join Date: Mar 2006

I also have never heard of RockYou but I find the report very interesting. I think what should also be addressed though, rather than just the focus on users as some companies will try to turn it toward that, is the recommendations they make at the bottom of it as well.
  1. Enforce strong password policy – if you give the users a choice, it is very likely that they would choose weak passwords. (NCSoft currently does not support special characters)
  2. Make sure passwords are not transmitted in clear text. Always use HTTPS on login. (NCSoft does do this but, someone can correct me, this was not the case until just a few weeks/months ago)
  3. Make sure passwords are not kept in clear text. Always digest password before storing to DB. (I'm sure NCSoft encrypts though they did have a lawsuit against them in the mid-1990's where a db of passwords was left unencrypted)
  4. Employ aggressive anti-brute force mechanisms to detect and mitigate brute force attacks on login credentials. Make these attacks too slow for any practical purposes even for shorter passwords. You should actively put obstacles in the way of a brute-force attacker – such as CAPTCHAs, computational challenges, etc. (This is something NCSoft needs to work on, while they do throttle to an extent it could be much better with relatively little resources and effort)
  5. Employ a password change policy. Trigger the policy either by time or when suspicion for a compromise arises. (NCSoft does not have this)
  6. Allow and encourage passphrases instead of passwords. Although sentences may be longer, they may be easier to remember. With added characters, they become more difficult to break. (NCSoft does allow upper and lowercase though they give no tips for any of this on their sign up screen here: https://secure.ncsoft.com/cgi-bin/playncCreate.pl)
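Recommendations 1, 3 and 6 above can be put together in a few lines on the account-service side: reject passwords that appear in a published breach list, allow long passphrases, and digest with a per-user salt before anything touches the database. This is an added example, not the report's or NCSoft's code; the six-entry breach list, the 12-character minimum and the PBKDF2 work factor are constructed placeholders.

```python
# Added example: breach-list policy check plus salted digest storage.
import hashlib, hmac, secrets

# Constructed stand-in for a breached list; a deployment would load the full
# published dump (lowercased) into this set instead.
BREACHED = {"123456", "12345", "password", "iloveyou", "princess", "rockyou"}
MIN_LENGTH = 12          # assumed policy value; a passphrase clears it easily
PBKDF2_ROUNDS = 200_000  # assumed work factor; raise as hardware allows

def check_policy(password):
    """Return a rejection reason, or None if the password is acceptable.
    Passphrases (several words separated by spaces) pass the mix check."""
    if password.lower() in BREACHED:
        return "appears in a published breach list"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if password.isdigit() or password.isalpha():
        return "use a mix of words, digits or symbols, or a longer passphrase"
    return None

def store_password(password):
    """Digest before storing: random per-user salt + PBKDF2-HMAC-SHA256.
    Returns the record for the DB; the clear text is never kept."""
    reason = check_policy(password)
    if reason:
        raise ValueError(reason)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "digest": digest.hex()}

def verify_password(record, candidate):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest.hex(), record["digest"])
```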

Chthon

Grotto Attendant

Join Date: Apr 2007

1. It seems plausible that some GW account thefts could have been caused by this. I am also 100% certain that not all of them were. A substantial proportion of GW account thefts were due to holes in the NCSoft account website.

2. GW's player base is much more sophisticated than RockYou's. (I never thought I'd be calling the GW player base sophisticated....) According to the article, the most common password on RockYou was "123456." Not even people who run mending wammos are that dumb. At least I certainly hope not...

3. To a large degree, having your account stolen because you used an easily-cracked password is your own damn fault. It would be nice if NCSoft/A-net did something to prevent access from unusual IPs or to minimize the damage when this happens, but that's not something I'm going to demand or expect from them. If my account ever gets stolen through something I did, I'm willing to accept responsibility for that. Now, what I do demand and expect from NCSoft/A-net is that they finish cleaning up the huge holes in the NCSoft account website that can allow a thief into my account even if I do absolutely everything right with regard to security.

Grunntar

Lion's Arch Merchant

Join Date: Apr 2005

Quote:
Originally Posted by Martin Alvito
I don't see how this can be the sole cause, given the reports of players being hacked despite strong passwords.
It doesn't matter how strong your password is when they actually have the password itself... RockYou.com admits that e-mail addresses were also obtained for each record stolen from their database. And at the time, that was enough to get into your GW account.

(For the purpose of creating a dictionary, then yes, it completely applies.)

Spiritz

Forge Runner

Join Date: Apr 2007

DMFC

TBH GW is always under constant hacking - all online games can be.
Almost 3 years ago my GW account was hacked - I never used 3rd party programs nor gave out details - how I was hacked we theorised was by the following, after hearing from a friend.
A friend had what seemed to be a hack attempt: he was at a friend's house and his MSN Messenger came online. He quickly logged into MSN and changed passwords and then logged into Messenger.
His contacts must have been copied, as I was on his list and both my Guild Wars and MSN accounts were hacked with passwords being changed.
I managed to regain MSN and with ANet's help got Guild Wars back.
This was back when you could change your GW email addy and request a new password sent to the new email addy - and that's what they did to me - changed my MSN login and requested a forgotten pass, got it sent, then changed the login.

My advice -
1. Use a different email account for GW - easy to get, like Googlemail.
2. Don't use your GW email addy on Messenger - if you're hacked via MSN (does happen) there's a chance your contacts are gamers and hackers will probably try your email addy on all games, then do the same with them.
3. Do everything that's suggested for better protection - long passwords etc.
4. Never give out account details to anyone except verified ANet/NCSoft staff via emails - eg support.
5. Common sense - use it. If someone in an outpost says they are ANet staff and they're not using the ANet text (special colours I believe) they are lying - ANet staff cannot, outside a staff account, say they are ANet staff - it's been stated by ANet before that their staff playing in game (not game work) remain unknown to the public.

I reckon online gaming should actually hire staff employed to attempt to hack their system - some big firms hire hackers to purposely find security flaws in their systems, and that way online games can provide their customers a better system of protection and protect themselves.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

Quote:
Originally Posted by Grunntar
It doesn't matter how strong your password is when they actually have the password itself... RockYou.com admits that e-mail addresses were also obtained for each record stolen from their database. And at the time, that was enough to get into your GW account.
Sure, except that accounts weren't just being stolen through the client. Some resulted from password resets on the NCSoft website, and some of those happened before the RockYou breach.

It follows that this can't be the sole cause.