Guild Wars 2 Accounts Hacked Immediately After Launch

September 8, 2012 4:10:19 AM

Well, when tons of hacking attempts occur that means the product is worth their time... so I guess Guild Wars 2 is off to a great start.
September 8, 2012 4:25:34 AM

There's an easy way to stop list brute-force tactics: 30 minute timeout with an email-enforced password change after 3 failed login attempts... also, forced password change after first-time login, with previous passwords cached for non-use later (if the user attempts to use a previous password again, it fails)...

These password tactics are very, very, very easy to implement... few lines of code in most cases....
September 8, 2012 4:45:41 AM

Uh, how do fansites can someone's main account info...

Oh right, ID10T errors.
September 8, 2012 5:10:31 AM

These are ALL user errors. If the fansite gets hacked, and you use the SAME email and password for that and your GW2 account, that isn't GW2 accounts being hacked. That is you being stupid.
September 8, 2012 5:12:42 AM

Also, passwords like h324o3!@ aren't secure. They are short and easy to brute force. Passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! If anything, add a . or a , between each word if that makes you feel any better. Just don't use an 8 letter password no matter how complex you think it is.
September 8, 2012 5:34:26 AM

Hmmmm...I wonder if Angry Joe's account would get hacked? Probably not...
September 8, 2012 5:45:25 AM

samwelaye: Also, passwords like h324o3!@ aren't secure. They are short and easy to brute force. Passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! If anything, add a . or a , between each word if that makes you feel any better. Just don't use an 8 letter password no matter how complex you think it is.

I just tried to log into tomshardware.com with your username and the password of toastersdonttoastsoggybread

Was worth a try
September 8, 2012 5:54:45 AM

master_chen: Hmmmm...I wonder if Angry Joe's account would get hacked? Probably not...

Hahaha. He does use Angry Joe for everything.
September 8, 2012 5:58:35 AM

My account was hacked, took 5 days to get it back with all my items gone. It was not phishing since I just got the game and I did not visit any Guild Wars 2 fan sites. Although my password would have been easy to brute-force, the hacker bypassed email confirmation somehow. The fact that that was the case made me think ArenaNet is to blame. I did not have the same password for my email as for my Guild Wars 2 account. The email confirmations were also unread, just 2 emails saying request password change and the last one, request email change. Someone would have to have fooled the authentication process.

I don't know how they handle things but I hope they tighten up security... I also made my account password over 12 chars just to be more secure but if companies can't secure their end, it makes everything I do pointless.
September 8, 2012 6:17:36 AM

While I agree with these being user errors such as using the same email and passwords on fan sites, as well as going to gold selling sites (and yes, the spam is already rampant in chat and the game mail system), one of the few things Anet has not done properly was not having authenticators ready for launch.

Everyone knew GW2 would be popular, and authenticators have been asked for for well over a year and the devs have talked about adding them in. They should have been there for launch.
September 8, 2012 6:19:52 AM

My "account" that has no game on it and was only registered for the original GW trial has been hacked repeatedly already. :\
September 8, 2012 6:56:19 AM

samwelaye: Also, passwords like h324o3!@ aren't secure. They are short and easy to brute force. Passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! If anything, add a . or a , between each word if that makes you feel any better. Just don't use an 8 letter password no matter how complex you think it is.

A short password is brute-force safe if you allow only 3 failed attempts per 5 minutes, for example, and shut off the account after, say, 20 failed attempts.
September 8, 2012 6:57:42 AM

cmcghee358: I just tried to log into tomshardware.com with your username and the password of toastersdonttoastsoggybread. Was worth a try

Should have tried toastersdonttoastsoggybread123 :-)
September 8, 2012 8:08:01 AM

The title is misleading: it suggests the GW2 user/pass database has been hacked and hackers have the accounts, but that's not the case, and the ones we should blame are the users.
September 8, 2012 1:28:27 PM

Kami3k: Hahaha. He does use Angry Joe for everything.

Uhhh...what?
September 8, 2012 2:35:41 PM

This is not news - hackers are more advanced than the current state of tech in companies - every single one is hacked -- every single one --
Anonymous
September 8, 2012 3:38:13 PM

same here: Not on any fansites / pw of gw2 and email are not the same ... Just received 2 emails saying password change requested and after that email change requested.. Both emails were not read so they have not even been in my email.. so no just user faults here
Anonymous
September 8, 2012 4:00:09 PM

toastersdonttoastsoggybread is good for brute force but not for dictionary attacks
September 8, 2012 4:23:21 PM

freggo: Short password is brute force safe if you allow only 3 failed attempts per 5 minutes for example and shut off the account after, say, 20 failed attempts.

No one (sane) brute forces a password on a live website. What people do is hack websites and steal the information in their database.

If the site's owner is a complete and utter moron, these passwords will be plaintext or maybe encrypted (which isn't effective because you'd have to store the key, so the hackers will likely get it as well). Obviously, there's no brute forcing necessary with that, they simply know your password.

If the owner is just stupid, they'll have unsalted MD5 or one of the SHAs, which will take almost no time to brute force. That isn't to say SHA is bad (it's perfectly secure to use in many cases)... it's just that it doesn't help you much in the case of passwords.

Ideally, you use PBKDF2 with either bcrypt or scrypt as a function... with enough rounds/iterations, even a relatively weak password would befuddle those hackers.

In fact, this shows strong passwords aren't the answer. The answer is for website owners to use good practices on password storage/authentication. Since that's never going to happen, use keepass or lastpass to generate completely random 16-character passwords and just have your secure/strong password keeping your password database safe.
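The storage schemes ranked above, as an added example that is not code from the thread or from ArenaNet: an unsalted fast hash falls to one precomputed table shared by every user and exposes password reuse, while salted PBKDF2-HMAC-SHA256 with a high iteration count does neither. The word list, the iteration count and the record format are my assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demonstration; not values from the thread or any real leak.
COMMON_PASSWORDS = ["password", "123456", "toastersdonttoastsoggybread", "guildwars2"]
ITERATIONS = 600_000   # assumed work factor: slow per guess, still fine for one login


def unsalted_md5(password: str) -> str:
    """The 'just stupid' scheme from the post: a bare hash, no salt, one fast operation."""
    return hashlib.md5(password.encode()).hexdigest()


def recover_unsalted(md5_hex: str, wordlist: list) -> str:
    """Why unsalted fast hashes fail: one precomputed table serves every user at once."""
    table = {unsalted_md5(w): w for w in wordlist}
    return table.get(md5_hex, "")


def pbkdf2_store(password: str, iterations: int = ITERATIONS, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries everything needed to verify later."""
    salt = salt or os.urandom(16)          # per-user random salt defeats shared tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_visible(records: list) -> bool:
    """True when two stored records are identical, i.e. password reuse leaks from the table."""
    return len(set(records)) < len(records)


if __name__ == "__main__":
    pw = "toastersdonttoastsoggybread"
    print("unsalted lookup:", recover_unsalted(unsalted_md5(pw), COMMON_PASSWORDS))
    print("two users, same password, unsalted:",
          shared_password_visible([unsalted_md5(pw), unsalted_md5(pw)]))
    print("two users, same password, salted PBKDF2:",
          shared_password_visible([pbkdf2_store(pw), pbkdf2_store(pw)]))
```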
Anonymous
September 8, 2012 4:28:22 PM

GW2 is all it's hyped up to be.. Personally I find the two-step e-mail log-on quite easy to use and definitely more secure. Always use different strong passwords and change them regularly! Make sure you always run an AV on your PC and check your firewall is set up correctly. Also, every month before your password changes, make sure you scan with a secondary AV such as Malwarebytes and do a rootkit scan as well. Never been hacked, always followed this procedure!

samwelaye: Also, passwords like h324o3!@ aren't secure. They are short and easy to brute force. Passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! If anything, add a . or a , between each word if that makes you feel any better. Just don't use an 8 letter password no matter how complex you think it is.

I am afraid you are incorrect here sir! A dictionary-only password, no matter what length, will be faster to "brute force hack" than a strong password using a combination of case/letter/number and symbol.

It will take less time going through 26 letters up to 28 characters than 26 letters x2 for upper and lower case + 10 numbers and 30 standard symbols using an 8 character password!

Now the password you have given would also be quite easy to compare to known hash files, as it is made up entirely of dictionary words, which is the biggest point of fail; a script kiddie will knock the hash file on the head with that in no time at all!

Had you used random letters that would have increased the strength. Hackers are also getting smart, and using heuristic principles to hack passwords.

They know we like to use Strong passwords. So they already use rules of s=5, a=4, e=3, o=0, 1=l, as well as they know we mostly include a single symbol at the end of the password such as !. They also know we still use dictionary words in these passwords, so part of the hash file will already match what they know, and the rest becomes much easier to solve as you have half the Hash file figured out already.


I give you now an 8 character password that is way stronger than your massive letter password.

h^;X}4~l

Random, Case sensitive, Letters, Numbers and Symbols. This will take a far longer time to brute force or Hash compare than 100 dictionary words strung together!
September 8, 2012 4:41:07 PM

^I don't think so. In most cases brute-force attacks cover capital letters and symbols anyway. Even if it were the scenario you describe, I can guarantee you that 26^100 is much higher than x^8, with x = I don't know how many usable password symbols there are and I don't feel like going to my computer to check.
September 8, 2012 4:57:21 PM

moricon: This will take a far longer time to brute force or Hash compare than 100 dictionary words strung together!

Nope, sorry. The number of characters (including upper, lower, and "special" characters like you showed ... including space) is a little over 90 from what I remember. Let's be generous and say 100, though.

Let's also assume the attacker knows your password is 8 characters long, so he doesn't waste time trying 1, 2, 3, ... , and 7 character passwords.

That's 100^8 different choices. ... or 10,000,000,000,000,000. Not bad.

How about dictionary words? Well, let's just be simple and say that everyone picks from the top 1000 most common words (though, trust me, the dictionary I'm randomly selecting from isn't this small). And let's say the hacker again knows the user has selected a 100 dictionary word password.

That's a total of 1000^100 different possibilities. I hope you don't expect me to write that huge number out here.

In fact, choosing as few as 5 (truly at random) dictionary words gives you 1000^5 = 1,000,000,000,000,000 choices, which is pretty close to your 8 character nonsense password. But the hacker has to also store that dictionary, so with looking up the dictionary words, it'd probably take 10x+ longer to do each check, so it's actually just about as secure at that point.

If we start talking about pulling from more realistic dictionaries, the difference becomes significantly more extreme.
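The comparison above carried through in code, as an added example that is not from the thread: both schemes are put on one scale (search space and bits of entropy), the number of random words needed to match an 8-character random password is derived rather than guessed, and a passphrase is drawn with a CSPRNG, since the entropy figures only hold for words chosen at random. The 100-character alphabet, the 1000-word list and the sample word list are assumptions.

```python
import math
import secrets

# Assumptions taken from the post: about 100 typeable characters, a 1000-word list.
CHARSET_SIZE = 100
WORDLIST_SIZE = 1000
# Constructed tiny word list for the generator; a real one would have 1000+ entries.
SAMPLE_WORDS = ["toasters", "dont", "toast", "soggy", "bread", "guild", "wars", "login"]


def search_space(alphabet_size: int, length: int) -> int:
    """Number of equally likely candidates a guesser must cover in the worst case."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space: the usual way to compare both schemes on one scale."""
    return length * math.log2(alphabet_size)


def words_to_match(alphabet_size: int, length: int, wordlist_size: int) -> int:
    """Fewest random words from the list that reach a random character password's space."""
    target = search_space(alphabet_size, length)
    n = 1
    while search_space(wordlist_size, n) < target:
        n += 1
    return n


def seconds_to_exhaust(space: int, guesses_per_second: float, slowdown: float = 1.0) -> float:
    """Worst-case exhaustive time; 'slowdown' models the per-check dictionary lookup cost."""
    return space * slowdown / guesses_per_second


def random_passphrase(wordlist, n: int, sep: str = ".") -> str:
    """Words chosen with a CSPRNG; a phrase a person thinks up has far less entropy."""
    return sep.join(secrets.choice(wordlist) for _ in range(n))


if __name__ == "__main__":
    print("100^8  =", search_space(CHARSET_SIZE, 8), f"({entropy_bits(CHARSET_SIZE, 8):.1f} bits)")
    print("1000^5 =", search_space(WORDLIST_SIZE, 5), f"({entropy_bits(WORDLIST_SIZE, 5):.1f} bits)")
    print("random words needed to beat 8 random chars:",
          words_to_match(CHARSET_SIZE, 8, WORDLIST_SIZE))
    print("example passphrase:", random_passphrase(SAMPLE_WORDS, 5))
```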
Anonymous
September 8, 2012 5:13:33 PM

nacos: ^I don't think so. In most cases brute-force attacks cover capital letters and symbols anyway. Even if it were the scenario you describe, I can guarantee you that 26^100 is much higher than x^8, with x = I don't know how many usable password symbols there are and I don't feel like going to my computer to check.

Sir you are totally correct, 26^100 is greater than 8^92, by several factors! What you fail to read is I mentioned DICTIONARY WORDS!

I also said " Had you used random letters that would have increased the strength."

Using 100 dictionary words of 8 letters each will be faster to compare against a hash file than 8 random letters/symbols and passwords!

http://www.passwordmeter.com/ Go paste my 8 letter password into it and check the score, and then type 100 random letters into it and check the results!

Now paste the password toastersdonttoastsoggybread into it and check that.... Now paste that password 4 times into it and check again.. Surprised!

September 8, 2012 5:24:48 PM

Email confirmation for every single login sounds like an excellent idea. Blizzard needs to get a clue from this.
September 8, 2012 5:25:12 PM

moricon: Using 100 dictionary words of 8 letters each will be faster to compare against a hash file than 8 random letters/symbols

How do you figure?
September 8, 2012 6:39:40 PM

memadmax: There's an easy way to stop list brute-force tactics: 30 minute timeout with an email-enforced password change after 3 failed login attempts... also, forced password change after first-time login, with previous passwords cached for non-use later (if the user attempts to use a previous password again, it fails)... These password tactics are very, very, very easy to implement... few lines of code in most cases....

Yahoo (or was it another website?) has a 24-hour policy. Fail the passwords three times, and you're done for the day.

The only issue is trolling. If you can get hold of someone's username, then it's very easy to lock them out of the account. :/
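The lockout policies proposed in this thread (3 failures per 5 minutes, a 30 minute timeout, a hard shut-off after 20 failures) combined into one throttle, as an added example that is not code from the thread or from any game's login service, with the trolling concern above reproduced as a function: a third party who only knows the login name can trip the timeout for the real owner. The clock is injectable so the policy can be exercised without waiting; the policy numbers are taken from the posts, everything else is assumed.

```python
import time
from collections import defaultdict

# Policy parameters as stated in the thread (assumptions about how they combine are mine)
WINDOW = 5 * 60          # freggo: count failures inside a 5 minute window
WINDOW_LIMIT = 3         # ... and act after 3 of them
TIMEOUT = 30 * 60        # memadmax: 30 minute timeout once that happens
HARD_LIMIT = 20          # freggo: shut the account off after 20 failures in total


class LoginThrottle:
    """Per-account failure tracking; the clock is injectable so the policy can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.recent = defaultdict(list)   # account -> timestamps of recent failures
        self.timeout_until = {}           # account -> time when the timeout ends
        self.total = defaultdict(int)     # account -> lifetime failure count
        self.disabled = set()

    def allowed(self, account: str) -> bool:
        """Check before verifying a password; a blocked account gets no password check."""
        if account in self.disabled:
            return False
        return self.clock() >= self.timeout_until.get(account, 0.0)

    def record_failure(self, account: str) -> str:
        """Returns 'ok', 'timeout' (30 minute block) or 'disabled' (hard shut-off)."""
        now = self.clock()
        self.total[account] += 1
        if self.total[account] >= HARD_LIMIT:
            self.disabled.add(account)
            return "disabled"
        window = [t for t in self.recent[account] if now - t < WINDOW] + [now]
        if len(window) >= WINDOW_LIMIT:
            self.timeout_until[account] = now + TIMEOUT
            self.recent[account] = []
            return "timeout"
        self.recent[account] = window
        return "ok"

    def record_success(self, account: str) -> None:
        self.recent[account] = []


def lockout_by_third_party(throttle: LoginThrottle, victim: str) -> bool:
    """The trolling concern above: anyone who knows the login name can trip the timeout.

    Returns True if the owner is now blocked although they never failed a login.
    Keying the throttle on a login name that is not the public display name or the
    e-mail address (as suggested later in the thread) is what limits this."""
    for _ in range(WINDOW_LIMIT):
        throttle.record_failure(victim)
    return not throttle.allowed(victim)
```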
September 8, 2012 8:50:11 PM

zshazz: Ideally, you use PBKDF2 with either bcrypt or scrypt as a function...

Correction: PBKDF2 with one of the SHAs, or either bcrypt or scrypt. Not that you should make a decision on password storage solely by what a random joe blow in the comments of Tom's Hardware said... please do some due diligence by reading this stuff up if you actually intend on making decisions that will affect your users.
September 8, 2012 9:43:26 PM

After the way diab-BLOW III went, who wouldn't want to give Guild Wars a shot.... they might be able to take Blizzard to the cleaners.
September 8, 2012 11:52:53 PM

Someone make a petition to block Chinese IPs from the rest of the world.
September 9, 2012 2:01:45 AM

As soon as Aion was launched in the US about 3 years ago I got many phishing e-mails with fake Aion websites, and at the time I had only acquired the game, never got on the forums or any fan website. How did they get my e-mail?

My guess is NCSoft sells our records to 3rd parties or even gold sellers, why not? They might be an established "marketing" company in China looking legit.

And by the way, I am not going to purchase GW2 since they're killing City of Heroes, might as well keep myself entertained with Tera for now.
September 9, 2012 8:03:21 AM

I wonder how many people's accounts were stolen from the info hackers got from cracking Blizzard not long ago.

http://www.cinemablend.com/games/Battle-net-Database-Ha...

I am sure it's reasonable to assume that not everyone knows about this happening. Especially since they stole everything Battle.net related except CC numbers.
Anonymous
September 9, 2012 9:09:38 AM

They hacked my ArenaNet account and changed my associated email without gaining access to my email. Great exploit they found in ArenaNet's system.
September 9, 2012 11:38:25 AM

When you play a game that is popular, don't use any password that you have used anywhere else; use uppercase/lowercase/numbers, and if they also accept special characters, make it even stronger.
Have a good antivirus. A very good program to have is Zemana AntiLogger: it prevents all keyloggers from working and encrypts keystrokes, and prevents screen grabbers and clipboard grabbers from running.
It also detects man-in-the-middle attacks. It is very highly rated; I work in the cyber security field and recommend it to my business customers.
Personally I think email-only security is a VERY BAD idea; every major email company has been hacked at one time or another. They should add an extra layer of security for logging on like Aion has, with an 8-digit PIN code that is selected only via a mouse pin pad.

September 9, 2012 7:45:04 PM

freggo: Short password is brute force safe if you allow only 3 failed attempts per 5 minutes for example and shut off the account after, say, 20 failed attempts.

That would be a way to lock out rivals so long as you know their e-mail and enter the wrong password on purpose. I think the game is temporarily turning into "Login Wars 2".
September 9, 2012 7:51:24 PM

myaccountgothackedaswell: same here: Not on any fansites / pw of gw2 and email are not the same ... Just received 2 emails saying password change requested and after that email change requested.. Both emails were not read so they have not even been in my email.. so no just user faults here

could be someone choosing a name similar to yours, or they typed theirs wrong.
September 9, 2012 8:19:03 PM

A Bad Day: Yahoo (or was it another website?) has a 24-hour policy. Fail the passwords three times, and you're done for the day. The only issue is trolling. If you can get hold of someone's username, then it's very easy to lock them out of the account.

Screen Name (other users see this name in game)
Login (nobody but you will see this, used at login screen only)
E-mail (used for account signup/notification)

A factor that should be unknown; names should be different. Complicated for the user, but a bit more secure, and it prevents people from locking each other out, since their display name AND their (most likely) known e-mail address won't be a part of the login process. The game Conquer 2.0 is a Chinese MMORPG that does this.
September 9, 2012 9:10:16 PM

myaccountgothackedaswell: same here: Not on any fansites / pw of gw2 and email are not the same ... Just received 2 emails saying password change requested and after that email change requested.. Both emails were not read so they have not even been in my email.. so no just user faults here

Interesting. If you have no outside connection and no easily guessed user name, then perhaps hackers are using the game itself as a method to steal accounts. I have yet to play, but is there any chance character names are displayed with the account name when talking? For example, in STO and CO when you talk it shows your character name and account name; does this game also use such a method?
September 9, 2012 10:05:20 PM

Go ahead, store everything in the cloud like Wolfgang Gruener's paying job tells him to promote everywhere and anywhere; this is a perfect example of cloud, enjoy.

Also, the cloud is great for botters with a proxy or CID type program. I just had a GM ban over 300 accounts yesterday that were replaced by another 300 or so 30 minutes later. The cloud has ruined online gaming by bogging down the servers and internet.
September 9, 2012 11:22:52 PM

Not sure why they don't just adopt the key system that Battle.net and SWTOR use, which has a unique changing key value tied to your login. Without the key system you cannot log in.
September 10, 2012 1:32:38 PM

samwelaye: These are ALL user errors. If the fansite gets hacked, and you use the SAME email and password for that and your GW2 account, that isn't GW2 accounts being hacked. That is you being stupid.

I have to agree. Password security is something people take for granted until it costs them something. And most don't even bother to come up with and memorize a secure password scheme. Query any support desk and they will confirm this statement.

Plus, think about the PIN to your bank card or what you do with your credit card information. Then think about the on-line accounts you have. If you don't safeguard them both with the same degree of diligence, 'you're doing it wrong.'

Just glad to see that it was not Arena-Net who were hacked.

Still, to be safe, change your password to something better. And you can use this tool to see how secure it REALLY is:

http://howsecureismypassword.net/
September 10, 2012 7:11:57 PM

stingstang: Someone make a petition to block Chinese IPs from the rest of the world.

People think it's wrong that China's censoring their internet. The irony.

So why are there no news about GW2 being "sold out" or it being an amazing game? Oh Tom's. Please tell me about Apple and Blizzard and how great they are.
September 24, 2012 4:06:12 PM

It's nice to see leading companies in their respective verticals are giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I'm hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.