
Guild Wars 2 Accounts Hacked Immediately After Launch

Source: Ars Technica | 43 comments

Hackers began breaking into Guild Wars 2 accounts just one day after the MMOG went live.

[Image caption: Me and my sidekick Weenie.]

Guild Wars 2 is seemingly off to a great start, raking in positive reviews and pushing players into overflow shards due to the high volume of traffic. The latter is simply GW2-speak for the queuing system, which tosses players into an overflow server when the primary map or world has reached its peak capacity.

In other words, Guild Wars 2 seems rather popular.

That said, that popularity rings like a dinner bell for hackers and scammers, drawing them in like flies to a picnic table. On a personal note, the account used for a hands-on evaluation of Guild Wars 2 saw a hacking attempt, so the latest report from Ars Technica isn't all that surprising. The site claims that several unknown websites – one of which is a Guild Wars 2 fan site – were recently hacked, thus spilling sensitive information leading to the compromise of more than 11,000 Guild Wars 2 accounts in mere days.

This is nothing new, however. Account hacking became somewhat of a nuisance with the original Guild Wars, forcing NCsoft to take extra precautions like forcing long passwords and setting up multiple security questions. Even my own Guild Wars account was somehow broken into and used to sell virtual goods – proving my identity and regaining access to the account was a nightmare (putting it nicely).

However, according to the Ars Technica report, NCsoft officials claimed to have received around 8,500 support requests related to hacked accounts from Friday to Sunday. The publisher then received an additional 2,574 related requests on Monday. Naturally, the company suggests that users not use the same password across multiple accounts.

"If you don't want your account hacked, don't use the same email address and password for Guild Wars 2 that you've used for another game or web site," officials wrote over the weekend. "Hackers have big lists of email addresses and passwords that they've harvested from malware and from security vulnerabilities in other games and web sites, and they're systematically testing Guild Wars 2 looking for matching accounts."

One of the newer security measures offered by Guild Wars 2 and developer ArenaNet is an email-based confirmation. Served up as an optional feature, users must confirm by email when they try to log into a Guild Wars 2 account. If they don't respond to the email, then they're denied access. It's definitely an annoying procedure (like using Battle.net's authenticator or Google's 2-step phone-based confirmation method), but it seemingly prevents anyone from hacking into the account unless the user's email account is compromised as well.
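The confirmation flow this paragraph describes, modelled as a small Python service. This is an added example, not ArenaNet's code and not anything the article documents: a correct password from a location the account has never confirmed does not produce a session; it parks the attempt, mails a single-use token, and only the token's return whitelists that location. The `LoginService` and `Account` names, the PBKDF2 work factor and the in-memory outbox standing in for a mail server are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000           # assumed work factor for this toy
DUMMY_SALT = secrets.token_bytes(16)  # so unknown accounts cost the same time as real ones


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    known_locations: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # token -> location awaiting confirmation


class LoginService:
    """In-memory accounts plus an outbox that stands in for the mail server (constructed)."""

    def __init__(self):
        self.accounts = {}
        self.outbox = []  # (email, token, location): what the player would receive by mail

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(salt, self._hash(password, salt))

    def attempt_login(self, email, password, location):
        """Returns 'denied', 'ok' or 'pending_confirmation'."""
        acct = self.accounts.get(email)
        # Hash even for unknown accounts so response time does not reveal which emails exist.
        computed = self._hash(password, acct.salt if acct else DUMMY_SALT)
        if acct is None or not secrets.compare_digest(computed, acct.password_hash):
            return "denied"
        if location in acct.known_locations:
            return "ok"
        # Correct password from a location this account has never confirmed:
        # park the login and mail a single-use token; no session is created yet.
        token = secrets.token_urlsafe(16)
        acct.pending[token] = location
        self.outbox.append((email, token, location))
        return "pending_confirmation"

    def confirm(self, email, token):
        """Called when the player follows the mailed link; the token is consumed on use."""
        acct = self.accounts.get(email)
        if acct is None:
            return False
        location = acct.pending.pop(token, None)
        if location is None:
            return False
        acct.known_locations.add(location)
        return True
```

Against the harvested email/password lists the publisher describes, a leaked password alone yields only `pending_confirmation` plus a mail to the real owner, which doubles as a detection signal for the account holder. The remaining dependency is the mailbox itself, as the article notes.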

ArenaNet's confirmation arrives after "a wealth of anecdotal evidence" surfaced in the MMOG's first week pointing to a possible Chinese group of hackers trying to gain unauthorized access to player accounts. Even one employee of Norway-based security firm Norman ASA said she received an e-mail warning that someone used her details to attempt to log in to her Guild Wars 2 account just one day after it was created.

"It's been just over a week since the game launched, and I’ve now had 10 e-mails detailing attempts to access my account from China," the unnamed Norman employee wrote. "I live in Europe. Thankfully, creators ArenaNet make players confirm login locations via e-mail, so all these hacking attempts have failed."

Guild Wars 2 players wanting to avoid the headaches of a hacked account should use a password that's exclusive to the service. Gamers should also use the email authentication method to help secure the account.

 

Comments
  • 20 Hide
    schnitter , September 8, 2012 4:10 AM
    Well, when tons of hacking attempts occur that means the product is worth their time... so I guess Guild Wars 2 is off to a great start.
  • 1 Hide
    memadmax , September 8, 2012 4:25 AM
    There's an easy way to stop list bruteforce tactics: 30 minute timeout with an email enforced password change after 3 failed login attempts... also, forced password change after first time login, with previous passwords cached for non-use later (if the user attempts to use a previous password again, it fails)...

    These password tactics are very, very, very easy to implement... few lines of code in most cases....
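memadmax's three controls written out in Python, as an added example (not code from the article, the game or the commenter): a lockout after 3 consecutive failures that lasts 30 minutes and flags the account for a forced change, a forced change on first login, and a history check so a previous password cannot be reused. The history length, the PBKDF2 work factor and the `AccountGuard` name are assumptions; the reset email itself is not modelled, only the state it would unlock.

```python
import hashlib
import secrets
import time
from collections import deque

MAX_FAILURES = 3                 # memadmax's figure
LOCKOUT_SECONDS = 30 * 60        # memadmax's figure
HISTORY_SIZE = 5                 # assumed: how many old passwords are remembered
ITERATIONS = 50_000              # assumed PBKDF2 work factor (kept low for the demo)
DUMMY = (secrets.token_bytes(16), b"\x00" * 32)  # equal-cost path for unknown users


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AccountGuard:
    """Per-account lockout, forced password change and password-history checks."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock so the lockout window can be tested
        self.creds = {}             # user -> (salt, hash) currently valid
        self.history = {}           # user -> deque of (salt, hash), newest last
        self.failures = {}          # user -> (consecutive failures, locked_until)
        self.must_change = set()    # users who may only proceed by setting a new password

    def provision(self, user, temp_password):
        """New account with a temporary password that must be changed on first login."""
        self.set_password(user, temp_password)
        self.must_change.add(user)

    def set_password(self, user, new_password):
        """Rejects any password still in the user's history (the current one included)."""
        for salt, digest in self.history.get(user, ()):
            if secrets.compare_digest(digest, _hash(new_password, salt)):
                return False
        salt = secrets.token_bytes(16)
        record = (salt, _hash(new_password, salt))
        self.creds[user] = record
        self.history.setdefault(user, deque(maxlen=HISTORY_SIZE)).append(record)
        self.must_change.discard(user)
        self.failures.pop(user, None)
        return True

    def login(self, user, password):
        """Returns 'ok', 'change_required', 'denied' or 'locked'."""
        count, locked_until = self.failures.get(user, (0, 0.0))
        if self.now() < locked_until:
            return "locked"          # correct or not, nothing is evaluated while locked
        salt, digest = self.creds.get(user, DUMMY)
        if user in self.creds and secrets.compare_digest(digest, _hash(password, salt)):
            self.failures.pop(user, None)
            return "change_required" if user in self.must_change else "ok"
        count += 1
        if count >= MAX_FAILURES:
            # Lock for the timeout and require a reset; the reset mail is out of scope here.
            self.failures[user] = (0, self.now() + LOCKOUT_SECONDS)
            self.must_change.add(user)
            return "locked"
        self.failures[user] = (count, 0.0)
        return "denied"
```

Two caveats before relying on this alone. The attack the article describes is one leaked password tried once against each of thousands of accounts, which never reaches three failures on any single account, so a per-account counter needs a per-source throttle beside it. And a strict per-account lockout lets anyone lock a rival out of the game with three bad guesses, which is why the model keeps a recovery path (the forced change) open to the legitimate owner.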
  • 5 Hide
    Kami3k , September 8, 2012 4:45 AM
    Uh, how do fansites can someone's main account info...

    Oh right, ID10T errors.
  • 20 Hide
    samwelaye , September 8, 2012 5:10 AM
    these are ALL user errors. If the fansite gets hacked, and you use the SAME email and password for that and your gw2 account, that isn't gw2 accounts being hacked. That is you being stupid.
  • 3 Hide
    samwelaye , September 8, 2012 5:12 AM
    also, passwords like h324o3!@ aren't secure. they are short and easy to brute force. passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! if anything, add a . or a , between each word if that makes you feel any better. just don't use an 8 letter password no matter how complex you think it is.
  • 4 Hide
    master_chen , September 8, 2012 5:34 AM
    Hmmmm...I wonder if Angry Joe's account would get hacked? Probably not...
  • 12 Hide
    cmcghee358 , September 8, 2012 5:45 AM
    samwelaye wrote: "also, passwords like h324o3!@ aren't secure. they are short and easy to brute force. passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! if anything, add a . or a , between each word if that makes you feel any better. just don't use an 8 letter password no matter how complex you think it is."

    I just tried to log into tomshardware.com with your username and the password of toastersdonttoastsoggybread

    Was worth a try
  • 1 Hide
    Kami3k , September 8, 2012 5:54 AM
    master_chen wrote: "Hmmmm...I wonder if Angry Joe's account would get hacked? Probably not..."

    Hahaha. He does use Angry Joe for everything.
  • 2 Hide
    esrever , September 8, 2012 5:58 AM
    My account was hacked, took 5 days to get it back with all my items gone. It was not phishing since I just got the game and I did not visit any guild wars 2 fan sites. Although my password would have been easy to bruteforce, the hacker bypassed email confirmation somehow. The fact that that was the case made me think arenanet is to blame. I did not have the same password for my email as for my guildwars 2 account. The email confirmations were also unread, just 2 emails saying request password change and the last one, request email change. Someone would have to have fooled the authentication process.

    I don't know how they handle things but I hope they tighten up security... I also made my account password over 12 chars just to be more secure but if companies can't secure their end, it makes everything I do pointless.
  • 2 Hide
    wildkitten , September 8, 2012 6:17 AM
    While I agree with these being user errors such as using the same email and passwords on fan sites, as well as going to gold selling sites (and yes, the spam is already rampant in chat and the game mail system), one of the few things Anet has not done properly was not having authenticators ready for launch.

    Everyone knew GW2 would be popular, and authenticators have been being asked for for well over a year and the devs have talked about adding them in. They should have been there for launch.
  • 1 Hide
    EldritchOnRye , September 8, 2012 6:19 AM
    My "account" that has no game on it and was only registered for the original GW trial has been hacked repeatedly already. :\
  • 1 Hide
    freggo , September 8, 2012 6:56 AM
    samwelaye wrote: "also, passwords like h324o3!@ aren't secure. they are short and easy to brute force. passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! if anything, add a . or a , between each word if that makes you feel any better. just don't use an 8 letter password no matter how complex you think it is."

    Short password is brute force safe if you allow only 3 failed attempts per 5 minutes for example and shut off the account after, say, 20 failed attempts.
  • 0 Hide
    freggo , September 8, 2012 6:57 AM
    cmcghee358 wrote: "I just tried to log into tomshardware.com with your username and the password of toastersdonttoastsoggybread. Was worth a try"

    Should have tried toastersdonttoastsoggybread123 :-)
  • 2 Hide
    shahrooz , September 8, 2012 8:08 AM
    The title is misleading: it suggests the GW2 user/pass database has been hacked and hackers have the accounts, but that's not the case, and the ones we should blame are the users.
  • 1 Hide
    master_chen , September 8, 2012 1:28 PM
    Kami3k wrote: "Hahaha. He does use Angry Joe for everything."

    Uhhh...what?
  • 0 Hide
    infernocy , September 8, 2012 2:35 PM
    this is not news - hackers are more advanced than the current state of tech in companies - every single one is hacked -- every single one --
  • 0 Hide
    Anonymous , September 8, 2012 3:38 PM
    same here: Not on any fansites / pw of gw2 and email are not the same ... Just received 2 emails saying password change requested and after that email change requested.. Both emails were not read so they have not even been in my email.. so no just user faults here
  • 1 Hide
    Anonymous , September 8, 2012 4:00 PM
    toastersdonttoastsoggybread is good for brute force but not for dictionary attacks
  • 0 Hide
    zshazz , September 8, 2012 4:23 PM
    freggo wrote: "Short password is brute force safe if you allow only 3 failed attempts per 5 minutes for example and shut off the account after, say, 20 failed attempts."

    No one (sane) brute forces a password on a live website. What people do is hack websites and steal the information in their database.

    If the site's owner is a complete and utter moron, these passwords will be plaintext or maybe encrypted (which isn't effective because you'd have to store the key, so the hackers will likely get it as well). Obviously, there's no brute forcing necessary with that, they simply know your password.

    If the owner is just stupid, they'll have unsalted MD5 or one of the SHAs, which will take almost no time to brute force. That isn't to say SHA is bad (it's perfectly secure to use in many cases)... it's just that it doesn't help you much in the case of passwords.

    Ideally, you use PBKDF2 with either bcrypt or scrypt as a function... with enough rounds/iterations, even a relatively weak password would befuddle those hackers.

    In fact, this shows strong passwords aren't the answer. The answer is for website owners to use good practices on password storage/authentication. Since that's never going to happen, use keepass or lastpass to generate completely random 16-character passwords and just have your secure/strong password keeping your password database safe.
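To make zshazz's storage tiers concrete, an added Python example (not code from the thread or from any real site) stores the same three constructed accounts two ways, unsalted MD5 and salted PBKDF2-HMAC-SHA256 as the standard library provides it (bcrypt and scrypt are separate functions built for the same purpose), then counts the work a constructed five-word list costs someone who has copied the database. The iteration count is deliberately tiny so the demo runs in about a second; user names, passwords and wordlist are all constructed.

```python
import hashlib
import secrets

# Constructed wordlist; the last two entries are the passwords the thread argues about.
WORDLIST = ["password", "123456", "letmein", "toastersdonttoastsoggybread", "h324o3!@"]
ITERATIONS = 1_000  # deliberately low for the demo; production uses far more


# --- the tier zshazz calls "just stupid": fast, unsalted hash ----------------------
def store_md5(password):
    return hashlib.md5(password.encode()).hexdigest()


# --- salted, iterated PBKDF2-HMAC-SHA256 from the standard library ----------------
def store_pbkdf2(password, iterations=ITERATIONS):
    salt = secrets.token_bytes(16)  # per-user salt: no shared lookup table possible
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def verify_pbkdf2(password, record):
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(candidate, digest)


# --- cost models, run over a copied database --------------------------------------
def guess_md5(stored, wordlist):
    """Unsalted: hash the wordlist once, then every user's record is a dict lookup.
    Returns (cracked, hash_invocations)."""
    table = {store_md5(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def guess_pbkdf2(stored, wordlist):
    """Salted and stretched: no shared table, and every (user, word) pair costs
    `iterations` HMAC rounds. Returns (cracked, hmac_rounds)."""
    cracked, rounds = {}, 0
    for user, (salt, digest, iterations) in stored.items():
        for word in wordlist:
            rounds += iterations
            if hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations) == digest:
                cracked[user] = word
                break
    return cracked, rounds


def demo():
    """Same three constructed users under both storage schemes."""
    users = {"alice": "letmein", "bob": "h324o3!@", "carol": "correct horse battery staple"}
    md5_db = {u: store_md5(p) for u, p in users.items()}
    pbkdf2_db = {u: store_pbkdf2(p) for u, p in users.items()}
    return guess_md5(md5_db, WORDLIST), guess_pbkdf2(pbkdf2_db, WORDLIST)
```

Both schemes give up the same two weak passwords to the same list; the difference is the bill. Five MD5 calls cover every user in the unsalted database, while the salted PBKDF2 records cost the full iteration count per user per candidate, and that multiplier is the knob a site operator controls. Note also that the long passphrase is found by the list, not by exhaustion, which is the point the anonymous dictionary-attack comment above makes.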
  • 2 Hide
    Anonymous , September 8, 2012 4:28 PM
    GW2 is all it's hyped up to be.. Personally I find the two step e-mail log on quite easy to use and definitely more secure. Always use Different Strong passwords and change them regularly! Make sure you always run an AV on your PC and check your firewall is set up correctly. Also every month before your password changes make sure you scan with secondary AV such as malwarebytes and do a root-kit scan as well. Never been hacked, always followed this procedure!

    samwelaye wrote: "also, passwords like h324o3!@ aren't secure. they are short and easy to brute force. passwords like toastersdonttoastsoggybread are VERY secure, as it is extremely hard for a computer to brute-force through something that long, and they are also VERY easy to remember! if anything, add a . or a , between each word if that makes you feel any better. just don't use an 8 letter password no matter how complex you think it is."

    I am afraid you are incorrect here sir! A dictionary-only password, no matter what length, will be faster to "Brute Force Hack" than a Strong password using a combination of Case/Letter/Number and Symbol.

    It will take less time going through 26 letters up to 28 characters than 26 letters x2 for upper and lower case + 10 numbers and 30 standard symbols using an 8 character password!

    Now the password you have given as well would be quite easy to compare to known hash files as it is made up entirely of Dictionary words, which is the biggest point of fail; a script kiddie will knock the hash file on the head with that in no time at all!

    Had you used random letters that would have increased the strength. Hackers are also getting smart, and using heuristic principles to hack passwords.

    They know we like to use Strong passwords. So they already use rules of s=5, a=4, e=3, o=0, 1=l, as well as they know we mostly include a single symbol at the end of the password such as !. They also know we still use dictionary words in these passwords, so part of the hash file will already match what they know, and the rest becomes much easier to solve as you have half the Hash file figured out already.


    I give you now an 8 character password that is way stronger than your massive letter password.

    h^;X}4~l

    Random, Case sensitive, Letters, Numbers and Symbols. This will take a far longer time to brute force or Hash compare than 100 dictionary words strung together!
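The search-space arithmetic behind the last several comments, as an added Python example (not from the thread): bits for an 8-character password over the 92-symbol alphabet counted in the comment above, for the 27-letter passphrase under naive brute force, and for the same passphrase when the attacker models it as five words from a list, with and without the separator trick samwelaye suggests. The 10,000-word list size, the 10^10 guesses per second offline rate and the five-word model are my assumptions; the online rate is freggo's 3 attempts per 5 minutes.

```python
import math

# Attacker models (constructed figures for illustration, not measurements).
OFFLINE_FAST_HASH_RATE = 1e10    # guesses/s against an unsalted fast hash (assumed)
ONLINE_THROTTLED_RATE = 3 / 300  # freggo's "3 failed attempts per 5 minutes"


def brute_force_bits(alphabet_size, length):
    """Search space, in bits, of trying every string of this length over the alphabet."""
    return length * math.log2(alphabet_size)


def dictionary_bits(dictionary_size, word_count, separator_choices=1):
    """Search space if the attacker knows the password is `word_count` list words,
    with `separator_choices` ways to join each adjacent pair (1 = nothing between)."""
    return (word_count * math.log2(dictionary_size)
            + (word_count - 1) * math.log2(separator_choices))


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate the whole space at the given rate."""
    return 2 ** bits / guesses_per_second


def time_table(bits):
    """The same space under the offline and online models."""
    return {"offline": seconds_to_exhaust(bits, OFFLINE_FAST_HASH_RATE),
            "online": seconds_to_exhaust(bits, ONLINE_THROTTLED_RATE)}


def compare():
    """Both passwords from the thread under the attacker assumptions discussed."""
    return {
        # h^;X}4~l: 26 + 26 + 10 + 30 symbols as the comment counts them, 8 long
        "short_random": brute_force_bits(26 + 26 + 10 + 30, 8),
        # toastersdonttoastsoggybread: 27 lowercase letters, attacker assumes nothing
        "long_bruteforce": brute_force_bits(26, 27),
        # same passphrase, attacker assumes 5 words from an assumed 10,000-word list
        "long_dictionary": dictionary_bits(10_000, 5),
        # same, with nothing, "." or "," allowed in each of the 4 gaps
        "long_dictionary_separators": dictionary_bits(10_000, 5, separator_choices=3),
    }
```

One password, three different numbers: which is right depends only on what the attacker assumes about how it was built, which is the point zshazz makes about offline cracking of stolen hashes versus the online guessing freggo's lockout defends against. Against the throttled online model every entry here is out of reach; against the offline model the ranking between the short random password and the word-built passphrase depends on whether the word model applies.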