Warning: Hackers brute forcing passwords

[Eanae]

Hackers are using emails registered from databases they've collected to try and brute force passwords to guild wars accounts. Many people have been receiving password reset request spams to their emails. This doesn't guarantee they've been hacked but obviously it means you aren't safe if you're getting these. There are major security loopholes and flaws in arena net's password recovery system and it's flimsy at best. For now you can use the information provided in the link below for the best chance at staying safe until Authenticators and enhanced account reset options are added.

http://www.reddit.com/r/Guildwars2/c...t_more_secure/

Also, if you have a gmail account, I HIGHLY recommend enabling google two step authentication.

http://support.google.com/accounts/b...answer=1066447

[Bilopdop]

Sweet thanks! I have been receiving these emails everyday since I made my account. I was about to come here and ask about it.

[Katlan]

I noticed I got a password change email last night... thank god they have a a two step process and you have to confirm the change in your email. But, my character wasn't touched so I wasn't sure if it was a spam/fake email. I assume if they couldn't get into my email, but could my account, they would at least steal my money lol

[Eanae]

Yeah I got the email too. I submitted a hacked account ticket just in case because I'm at work. Looks like I may be in the clear as this seems to have happened to almost everyone I've talked to.

[Insanecyclone]

I don't even own the game yet and I keep getting those 'do this to change your password' stuff.

[Eanae]

These were legit password reset emails from ncsoft.

[Katlan]

wouldn't the people then know your account login/pw?

Oh wait, if these are from NCsoft then that would be your NCSoft master account? I think that is different from my main password and stuff

[Eanae]

They're brute forcing passwords because the password reset option actually tells you if there is or isn't an account ties with said account. So these hackers are using their database of emails they collected from who knows where to do this.

[Katlan]

should we be changing our passwords? lol

[Siya]

I've gotten like 4 emails last night >.x

[Eanae]

should we be changing our passwords? lol

If your email is safe and your password is complex it seems everything may be slightly ok for now. Anet really needs to fix all this.

[Insanecyclone]

If your email is safe and your password is complex it seems everything may be slightly ok for now. Anet really needs to fix all this.

I didn't even know what my nc master account pw was, until I found it written down. I've changed everything again now. Hell I've had some idiot trying to get my Anarchy Online account pw for months now, I keep changing it to fuck with the guy.

[Dantrag]

Just got the email. Reset it.

[Eanae]

Looks like arena net is asking for help in this issue to figure out where these reset spams are coming from: http://www.reddit.com/r/Guildwars2/c..._notification/

[Lucavi]

Haven't gotten one of those yet, but I got a shit ton of spam in my main account during the last round of Blizzard's "We made our game perma-online so you couldn't get hacked... and then we got hacked. Our bad." bullshit. If I get one of those emails, I'll make sure to report it, then upgrade my password hella complicated.

This hacker shit sucks; back in the day you barely needed a password for anything; now you need them for everything, you're supposed to have them so complicated that you can barely remember them and you aren't supposed to write them down anywhere. Its bullshit.

[niwaar]

These were legit password reset emails from ncsoft.

I did not get one of those emails, any idea as to why they'd be sending them to some and not all?

Oh and anyword on those "email verification" links not coming up as a failure? I changed my account email to something different and the verification link STILL comes up a failure.

Guild Wars 2 ‏@GuildWars2

If you got a password reset email & didn't request it, delete the email. Don't click the link in the email. We're investigating the issue.

Twitter 19minutes ago.

[Eanae]

Haven't gotten one of those yet, but I got a shit ton of spam in my main account during the last round of Blizzard's "We made our game perma-online so you couldn't get hacked... and then we got hacked. Our bad." bullshit. If I get one of those emails, I'll make sure to report it, then upgrade my password hella complicated.

This hacker shit sucks; back in the day you barely needed a password for anything; now you need them for everything, you're supposed to have them so complicated that you can barely remember them and you aren't supposed to write them down anywhere. Its bullshit.

One rumor is these list of emails comes from that hacked database as emails seems to correlate with battle.net accounts. Either that or they're pulling the emails from some kind of forum or spammer database. Arenanet said they're working on fixing their error/confirmation system for password resets so hopefully that gets in ASAP.

When I changed my account my verification email came up as a failure too when I clicked the link. Not sure if there's any consequence for it.

[Necronus]

This hacker shit sucks; back in the day you barely needed a password for anything; now you need them for everything, you're supposed to have them so complicated that you can barely remember them and you aren't supposed to write them down anywhere. Its bullshit.

Define complicated. Complicated for human =/= complicated for a computer. In ye olde days people only had to avoid actual humans, so "47hd8u4" was much more secure than "1234abc" ... but nowadays, its more about length (although most hacking programs still try basics like "1234" and "password" before beginning the brute force searches.)

Just to put up a very simplistic example ... making your password "4Scoreand7Years#GW2" is very secure even though it has full words and a string that hackers would expect "GW2" ... but the length and the arbitrary use of a quote pretty much mean its highly unlikely to be even tried ... and you can simply change the ending piece to reflect various games, so now you only need to remember "4Scoreand7Years#" for every site/game. Of course, you can make it more secure with more arbitrary words "DuckFiretruckSushiMontezuma" is still words, but unlike the quote above their arbitraryness means they're just as effective as a random string of characters.

The only REAL detriment to password creations is stupid limits enforced by "security policy" intended to make people put in more secure passwords, but in reality limit the search space for the hackers. (i.e. forcing your password to be 8-20 characters and MUST contain number, symbol, lowercase, uppercase" actually makes it easier to brute force)

[Lucavi]

I'm not 100% sure of it, but I'm more than willing to make a correlation between the two. Its not like there are multiple groups of hackers all going after individual games; this is more than likely one collective group hitting all of the "big" games. I'm not particularly upset with Anet, as we knew this game was going to have to be online-only, but for Blizzard to blow all of that PR smoke up our asses with this "WE'RE DOING THIS ONLINE-ONLY FOR YOU, GUYS!! FOR SERIOUS!" nonsense burns me the hell up. The problem with talking out of the side of your ass is that when you essentially get called out on it by the players, and then have your shit blown up by hackers, it makes you look like a goddamn fool.

They should have manned up and told the truth; online only was to make more money and to "ensure" that people bought legitmate copies. Money through verified copies; money through RMAH. It had nothing to do with security, and everyone knows it, and even if it did have a modicum of a percentage to do with security, we see just how goddamn well they can handle their security.

The hypocrisy drives me nuts.

I'd love to be wrong on this, trust me, but I really don't feel like I am. I'm all about a company being out for the money, but have the respect for your clients enough to man up and say it; stop with the PR bullshit.

[Eanae]

Lets not turn this into a diablo rant. We've seen plenty of those around. And as of right now, I do believe there is a correlation as well but I'm 50/50 on it as there's tons of other places emails could come from and WoW has such a massive list of current and past players that it's really easy for coincidences like this to pop up.