Guild Wars Guru Security Notice

JR

Re:tired

Join Date: Nov 2005

W/

Late Friday night the GuildWarsGuru database was accessed by an unknown third party. We caught it as it happened, but in that short space of time it appears they may have managed to obtain tables of user account information.

Their point of entry was a flaw in the WordPress software used to run the GuildWars2Guru.com front page. How they managed to get from there to the other databases is unknown right now, as it involved bypassing other security measures we have in place.

We've spent the last 24 hours tirelessly investigating what happened, patching up the exploit, and further strengthening security. It was important to inform the community as soon as possible, but we couldn't do that any earlier without advertising the site's vulnerability to others who may have more malicious intent.

So, what does this mean to you?

With the incidence of RMT hackings and phishing across MMOs rising, we understand how serious this problem is, and the possible implications arising from this incident. Right now we assume the hacker's motivation was simply to obtain the list of email addresses, for the purpose of sending spam. That may seem fairly mundane, but there's a big market for that information.

Anything more sinister would require the hacker attempting to crack the encrypted passwords. The investment required to do that seems to far outweigh the questionable return, though we can't rule it out. As such, we urge you to change your Guru, Guru Auctions and Guru 2 passwords and/or emails as soon as possible. We also urge you to change passwords and emails for any other site or service you log in to with the same information you use on Guru.

We apologize for this unprecedented breach, and can only assure that your security is of the utmost importance to us. We are gamers as well, and are doing everything in our power to minimize the damage from this by informing our community openly. If you have questions or concerns please feel free to post them here, and we will do our best to address them as swiftly as possible.

To further protect your account please see guides on Phishing, Security, PlaySmart and Passwords.

Rampage

Ascalonian Squire

Join Date: Apr 2006

Shit happens. I'm very glad to see that you aren't pulling an NCSoft and just denying everything. Thanks for informing the community, good job guys.

Gigashadow

Jungle Guide

Join Date: Aug 2005

Bellevue, WA

W/

Did they also get the character name associated with the email account, if it was in the profile? (or even if it had been removed, and was being kept around somehow)

lishi

Forge Runner

Join Date: Jul 2005

Just wondering.

Does Guru save the password (even if encrypted) or just its MD5 hash?

As far as I know, even if you have the MD5 hash of the password you cannot obtain the original password, as the association is not 1:1.
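The two posts above (the notice's remark about the cost of cracking "encrypted passwords" and the question about MD5 being non-reversible) are worth illustrating with code. The following is an added example by the editor, not code from Guild Wars Guru or from its forum software, and the thread never says which hashing scheme Guru actually used; the "unsalted MD5 store" below is an assumption chosen to make the point. Nobody inverts the hash: an attacker hashes a wordlist of common passwords and compares. The second half shows, under the same wordlist, how a per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256, also an assumption, not Guru's scheme) multiply the attacker's work, while still not rescuing a weak password. The account names, passwords and wordlist are constructed sample data.

```python
"""
Dictionary attack against a dumped password table (added example, not
Guru's code). Shows why "MD5 cannot be reversed" does not protect weak
passwords, and what salting plus iteration changes about the attacker's cost.
"""
import hashlib
import os

# Constructed sample accounts. "dave" picked a long random password that no
# wordlist will contain; the others picked passwords from any top-1000 list.
SAMPLE_ACCOUNTS = {
    "alice": "password",
    "bob": "123456",
    "carol": "letmein",
    "dave": "xK9#vQ2m!pL7@wRz",
}

# A tiny stand-in for the multi-million-entry wordlists attackers really use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "guildwars", "abc123"]

# Work factor for the salted scheme (assumed value, for illustration).
PBKDF2_ITERATIONS = 50_000


def md5_store(accounts):
    """Simulate an unsalted MD5 store: one bare hash per account."""
    return {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in accounts.items()}


def crack_md5(store, wordlist):
    """Crack an unsalted store.

    Because there is no salt, the wordlist is hashed ONCE and every user is
    looked up in the resulting table. Returns (recovered, hash_invocations);
    recovered maps user -> plaintext or None.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {user: table.get(h) for user, h in store.items()}
    return recovered, len(wordlist)


def pbkdf2_store(accounts, rng=os.urandom):
    """Simulate a salted, iterated store: random 16-byte salt per user,
    PBKDF2-HMAC-SHA256 with PBKDF2_ITERATIONS rounds."""
    store = {}
    for user, pw in accounts.items():
        salt = rng(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
        store[user] = (salt, digest)
    return store


def crack_pbkdf2(store, wordlist):
    """Crack a salted store.

    The per-user salt forces a fresh pass over the wordlist for every user,
    and each candidate costs PBKDF2_ITERATIONS HMAC rounds rather than one
    MD5. Returns (recovered, hmac_rounds) so the cost is comparable with
    crack_md5's count. Weak passwords still fall; they just cost more.
    """
    recovered = {}
    work = 0
    for user, (salt, digest) in store.items():
        recovered[user] = None
        for w in wordlist:
            work += PBKDF2_ITERATIONS
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, PBKDF2_ITERATIONS) == digest:
                recovered[user] = w
                break
    return recovered, work


def compare_schemes(accounts=SAMPLE_ACCOUNTS, wordlist=WORDLIST):
    """Run both attacks and return their results side by side."""
    md5_found, md5_work = crack_md5(md5_store(accounts), wordlist)
    kdf_found, kdf_work = crack_pbkdf2(pbkdf2_store(accounts), wordlist)
    return {
        "md5": {"recovered": md5_found, "work": md5_work},
        "pbkdf2": {"recovered": kdf_found, "work": kdf_work},
    }


if __name__ == "__main__":
    result = compare_schemes()
    for scheme, r in result.items():
        cracked = [u for u, pw in r["recovered"].items() if pw]
        print(f"{scheme}: cracked {cracked} with {r['work']:,} hash rounds")
```

Both runs recover the same three weak passwords and leave "dave" alone; the difference is that the unsalted run costs seven MD5 calls for the whole table, while the salted, iterated run costs hundreds of thousands of HMAC rounds for four users. That is the sense in which the notice's "investment" matters, and it is also why the thread's advice holds regardless of scheme: a password that appears in a wordlist is recovered either way, so it must not be reused anywhere that matters.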

Arduin

Grotto Attendant

Join Date: May 2005

The Netherlands

Limburgse Jagers [LJ]

R/

Hmm, good thing I changed all my email-addresses and passwords some time ago.

Thanks for the open communication to us forumites.

Twin Blade Warriror

Wilds Pathfinder

Join Date: Jan 2006

I was in a guild by myself with 2 of my other accounts... but I'm banned now

W/

ty for informing us

Shayne Hawke

Departed from Tyria

Join Date: May 2007

Clan Dethryche [dth]

R/

This is good to know, thanks.

Chthon

Grotto Attendant

Join Date: Apr 2007

1. This is exactly how you're supposed to handle a security breach. Honesty and transparency ftw. I wish NCSoft could learn from your example.

2. Did they get the PMs associated with each account? Those are sure to contain GW IGNs.

3. For folks changing the password and e-mail: remember to use a password unique to Guru and (preferably) an e-mail unique to Guru (or shared with other not-so-important accounts).

Raven2201

Frost Gate Guardian

Join Date: Apr 2008

The Spearmen

D/

What about the people who have the same email used for their GW account tied to Guru as well? That seems like it could pose a security issue to those users' GW accounts.

Death By An Arrow

Jungle Guide

Join Date: Jul 2009

The Kurzick Mob [Mob]

R/

Although I'll likely change my passwords now, at least temporarily,
does it appear the worst thing we're going to get is just spam?
Or are we more endangered (with important info, etc. etc.)?

Mainly I'm just concerned about hacks, 'cause I'm not great at remembering passwords so I try to keep some similar (blah blah, I know it's bad...) but if it's a real concern I'll just write it down.

Thanks in advance ^^

Inde

Site Contributor

Join Date: Dec 2004

Raven and Death, this is why we have informed our users as quickly as possible of what happened. We can't know the intent of the hack. As we recommended in our notice, please change your emails and passwords immediately. Please also change any info that you used that may be the same elsewhere as well.

Lucci_Slevin

Frost Gate Guardian

Join Date: Nov 2008

Liars Cheats and Thieves

Thank you for informing us.

However, for over a month, I have been trying to call attention to the fact that this site (and IncGamers) was being targeted since at least late October. I felt I was disregarded by various mods on both sites.

Some of my posts were even deleted though admittedly they were about very specific security issues.

I still think there are other avenues for hackers to use but I will keep it to pms out of respect for security. I think you guys should consider the fact that they may have or can still breach even without you knowing.

Forum software at its core is meant to be dynamic and mod-able, so there will always be new tricks. As I said in another post (that was deleted), the software is for chat, not storing vital info.

Bottom line: use a unique password for GW.

Cheferos

Ascalonian Squire

Join Date: Feb 2009

Sounds like you fixed it first, and quickly, and told us as soon as possible. Thank you.

Darcy

Never Too Old

Join Date: Jul 2006

Rhode Island where there are no GW contests

Order of First

W/R

Luckily, my GW account ID is an obsolete address from before I belonged to guru. Thanks for the info. Good luck with your fight.

shoyon456

Desert Nomad

Join Date: Jul 2006

D/

Well, I already get spam on my main email, not associated with ANY gaming. Apparently my Aion and WoW accounts are repeatedly being hacked and in danger of being perma banned.

I changed both guru accounts to a 3rd email long ago, and my passwords for Guru1 and 2 are unique to guru and other sites I don't care much about.

That being said, guru has responsive/open staffing.

mlandry

Krytan Explorer

Join Date: Jul 2006

W/Me

I get at least 4 emails for WoW phishing scams every week even though I've only ever had a trial account for that game when it was released. I started getting some for Aion recently even though I don't even have that game.

I doubt it's going to be much different for GW. I've already had my account stolen once because of NCSoft's incompetent website security, thinking I was safe using the same pass there as ingame, and I've learned from my errors and have no passwords that match anywhere anymore.

Martin Alvito

Older Than God (1)

Join Date: Aug 2006

Clan Dethryche [dth]

As always, you (the admins) handled this like professionals.

I'm sure everyone appreciates both your forthrightness and your effort here.

Dima The Killa

Ascalonian Squire

Join Date: Nov 2005

Mallyx And Friends [OhNo]

E/

I used to have all my important passwords be the same: email, GW, Steam, and NCSoft. But I differentiated even those when the NCSoft thing happened. But no way am I going to have the same pass on important stuff as I do on forums, lol.

Oh, and if I do use the same email on here as my GW account, what risk is that to my GW account? I can't think of any, since there is no way they can figure out my pass. I don't see any reason to fret if they have the username and pass for Guru because they can't really do anything useful with that info. But I am wondering if just having my GW email could be a problem.

Smarty

Krytan Explorer

Join Date: Mar 2008

England

Me/

Thanks JR et al, very clear and open message to the community there, much appreciated.

JR

Re:tired

Join Date: Nov 2005

W/

Quote:
Originally Posted by Dima The Killa
Oh, and if I do use the same email on here as my GW account, what risk is that to my GW account? I can't think of any, since there is no way they can figure out my pass. I don't see any reason to fret if they have the username and pass for Guru because they can't really do anything useful with that info. But I am wondering if just having my GW email could be a problem.

I'd agree with your assessment that there isn't much risk if you only use that password for your Guru account. Sure, they might have the account email, but they still need to guess the password AND match it with a character name.

Keep in mind they can access your game account through your NCSoft Master Account too, and they can get to that through an email account. So really you need to make sure nothing is using that compromised password.

Thargor

Lion's Arch Merchant

Join Date: Mar 2006

Thanks for the heads up on the issue guys.

In response to all those asking about whether their forum and GW account info is the same... ARE YOU SERIOUS?
How many times has this subject been dragged through the forums?
Learn to read, read the forums, read security-related stuff on the web.
If anyone gets their account hacked because of this, I dare say it is their own fault for being ignorant.

Bob Slydell

Forge Runner

Join Date: Jan 2007

Thanks for the heads up.

Death By An Arrow

Jungle Guide

Join Date: Jul 2009

The Kurzick Mob [Mob]

R/

Alright, thanks for clearing that up, mod who answered my question.

Another Q:

I realized my GW email is different than this one, because my GW email was the email I used way before I ever joined Guru. I'm still gonna change my password, but since they don't have the current email linked to my account, I'm safe... er, right?

I'm not used to hacks and such, living in a small town and what not.

Sir Skullcrasher

Furnace Stoker

Join Date: Jun 2005

California

15 over 50 [Rare]

W/Mo

thanks for the heads up Guru Mods!

To be honest... whoever is stealing information on a game that is 4 (FOUR) years old is freaking... smart as hell! lol

Either way, I'm changing everything here on guru and on gw just in case!

Tortoise

Frost Gate Guardian

Join Date: Dec 2005

Daunting Tempest

Mo/

I tend to use 1 password for all the non-important internet stuff I sign up with (forums and such) and just went and changed most of those. The important stuff all has unique passes.

In any case, thanks for the heads-up and your honesty in the matter. It is much appreciated.

Goddess Of Defense

Lion's Arch Merchant

Join Date: Feb 2009

United States

One Thirty Three Seven

P/W

As for the mystery of how they got from one forum to the next: GuildWarsGuru and GuildWars2Guru are on the same server, which made it very easy. This flaw is good financially but bad for security. You didn't see this coming, therefore nobody is to blame; it's just the reason they got in easily.

Inde

Site Contributor

Join Date: Dec 2004

Goddess, we do not believe they had root access to our server, so this wouldn't explain what happened as simplistically as you put it. Our security was in place on every website and database housed there. A company usually wouldn't purchase separate servers just to run each individual website they have, so yes, financially it makes sense for us to put multiple websites on the same server.

Good thought though!

Sookie

Lion's Arch Merchant

Join Date: Jan 2008

NoCenTex

[AKA] Guild Leader

R/

With all the hacking going on, I created an email address just for guru and the "other" fansite a week ago. This new email address is in no way related to my GW account...just for the two fansites. Hopefully this was enough of a precaution.

Alesa

Ascalonian Squire

Join Date: Mar 2006

Thanks so much for letting us know so quickly. Top notch you guys.

glacialphoenix

Desert Nomad

Join Date: Jul 2008

Singapore

Royal Order of Flying Lemmings [ROFL]

Mo/

Thanks for the heads-up.

jonnieboi05

Forge Runner

Join Date: Mar 2006

Mableton, Georgia

Guild Ancestors Reunited

Thank you for the heads-up. I am not too concerned; my GW account's email is completely private and no one in this world has it except me (it's not registered or anything. It's just an email I used to create the account and have never logged into since then).