Late Friday night the GuildWarsGuru database was accessed by an unknown third party. We caught it as it happened, but in that short space of time it appears they may have managed to obtain tables of user account information.
Their point of entry was a flaw in the WordPress software used to run the GuildWars2Guru.com front page. How they managed to get from there to the other databases is unknown right now, as it involved bypassing other security measures we have in place.
We've spent the last 24 hours tirelessly investigating what happened, patching up the exploit, and further strengthening security. It was important to inform the community as soon as possible, but we couldn't do that any earlier without advertising the site's vulnerability to others who may have more malicious intent.
So, what does this mean to you?
With the high incidence of RMT hackings and phishing across MMOs rising, we understand how serious this problem is, and the possible implications arising from this incident. Right now we assume the hacker's motivation was simply to obtain the list of email addresses, for the purpose of sending spam. That may seem fairly mundane, but there's a big market for that information.
Anything more sinister would require the hacker attempting to crack encrypted passwords. The investment required to do that seems to far outweigh the questionable return, though we can't rule it out. As such, we urge you to change your Guru, Guru Auctions and Guru 2 passwords and/or emails as soon as possible. We also urge you to change passwords and emails for any other site or service you log in to with the same information you use on guru.
We apologize for this unprecedented breach, and can only assure that your security is of the utmost importance to us. We are gamers as well, and are doing everything in our power to minimize the damage from this by informing our community openly. If you have questions or concerns please feel free to post them here, and we will do our best to address them as swiftly as possible.
To further protect your account please see guides on Phishing, Security, PlaySmart and Passwords.
Guild Wars Guru Security Notice
Quote:
Originally Posted by Gigashadow
Did they also get the character name associated with the email account, if it was in the profile? (or even if it had been removed, and was being kept around somehow)
Thankfully, no. We wiped all character names when we introduced the change a couple of months ago.
Twin Blade Warriror
Wilds Pathfinder
I was in a guild by myself with 2 of my other accounts..but im banned now
W/
Joined Jan 2006
1. This is exactly how you're supposed to handle a security breach. Honesty and transparency ftw. I wish NCSoft could learn from your example.
2. Did they get the PMs associated with each account? Those are sure to contain GW IGNs.
3. For folks changing the password and e-mail: remember to use a password unique to Guru and (preferably) an e-mail unique to Guru (or shared with other not-so-important accounts).
Quote:
Originally Posted by Chthon
2. Did they get the PMs associated with each account? Those are sure to contain GW IGNs.
Nope, PMs were not obtained.
Although I'll likely change my passwords now, at least temporarily,
does it appear the worst thing we're going to get is just spam?
Or are we more endangered (with important info, etc. etc.)?
Mainly I'm just concerned about hacks, cause I'm not great at remembering passwords so I try to keep some similar (blah blah I know it's bad...) but if it's a real concern I'll just write it down
Thanks in advance ^^
Raven and death, this is why we as quickly as possible have informed our users of what happened. We can't know the intent of the hack. As we recommended in our notice, please change your emails and passwords immediately. Please also change any info that you used that may be the same elsewhere as well.
End
Forge Runner
LF guild that teaches MTSC (did it long ago before gw2 came out and I quit...but I barely remember)
N/A
Joined Jan 2008
Thank you for informing us.
However, for over a month, I have been trying to call attention to the fact that this site (and incgamers) was being targeted since at least late October. I felt I was disregarded by various mods on both sites.
Some of my posts were even deleted, though admittedly they were about very specific security issues.
I still think there are other avenues for hackers to use but I will keep it to PMs out of respect for security. I think you guys should consider the fact that they may have or can still breach even without you knowing.
Forum software at its core is meant to be dynamic and mod-able, so there will always be new tricks. As I said in another post (that was deleted), the software is for chat, not storing vital info.
bottom line: use a unique pw for gw.

