The recent hacking incidents and a theory

#1

I’ve read a fair bit about a number of people who have had their accounts compromised recently, and it has actually happened to a friend of mine, yesterday. His password was apparently not all that strong; however, it’s not something that could reasonably be guessed or brute-forced, and he doesn’t use it for anything else on the internet. He scanned for a keylogger, and his Hotmail account does not have an IP login history.

Like a few other people I know of, he received an email from ArenaNet saying that his account email had been changed. Now, there is no option to change your account email on the account website. This means that regardless of what he’d lost, be it his password or his email account, which would be required if the hacker wanted to log in and approve a new IP address – none of this matters, because there is NO option to change email address on the account website at this time. It has not been on there for a few days at least, because someone who made a trial account pointed this out to a guild mate.

Basically, this means the only way someone can change the email address for your account is to make a support ticket and provide enough information to convince customer support that you own the account. I don’t know what information this is, and this is where my theory will hopefully be answered.

My friend, who did get his account back (albeit with no items, as they have no tools to do so yet, I hope they add them asap!), was first asked for his CD key. If you bought the game online, this was emailed to you, and most people probably kept this email in case they ever needed the key again. I HOPE that this is not sufficient for customer support to decide that the account belongs to the person making the ticket, because if a hacker has got access to your email login, which they often do in such cases, that means they also have your CD key, as it was mailed to you!

I think that in order to request ownership of an account, ArenaNet should demand proof of purchase in the form of the payment details. This may already be the case, in which case this thread is pointless, but they DID ask him for the key, and if all a hacker needs is a key, which can be found inside an email, this is a massive security flaw.

I realise that if they had access to a player’s email account they would be able to steal everything anyhow, but as there is no email change option on the account website, this must be how they are doing it. The other option is that the link to change email was removed but the functionality remains there and the URL was used directly.

To summarise, please consider changing your policy so that a player has to provide some form of payment information (address or CCV number) in order to get control over the account back from customer support.

I hope this does not get deleted, and I hope that people can ask customer support how it happened, because although they were excellent and prompt with regard to giving him his account back, he did get a pasted response afterwards when he asked how it happened, with general security advice.

I’d also advise players to keep a record of the CD key elsewhere and delete the email, if this does prove to be the case.

I did look for a way to contact Mike O’Brien about this, as his article on account security was excellent, but I couldn’t find any contact details.

ArenaNet Poster

#2

Please understand that we cannot be held responsible for the security of someone’s email account. Can a hacker gain enough information from an email account to allow him/her to steal a GW2 account? Possibly yes. Is that an indictment of ArenaNet security? Absolutely not, just as your bank is not responsible if someone gains your bank details through hacking your email account.

Please know that we do request proof of account ownership beyond the serial code. But asking someone for their CCV number doesn’t really help when they purchased from a store. Requiring a CC number is irrelevant when they bought from a different vendor. Therefore, those details are only part of the set of questions we ask to verify ownership.

In the end, the ultimate responsibility for security lies with each of us. While ArenaNet will do whatever we can on our end to protect your account, you, as account holder, also need to protect your sensitive information.

ArenaNet Poster

#4

I understand your question, but I am hesitant for us to provide those details. Think about it: Giving “This is how you were hacked” details to players may well provide “This is how to hack” details to a hacker.

I suggest we allow this topic to go back to what it should be: a private discussion between a player and support about an individual compromise incident. None of us want to give hackers, cheaters, exploiters, or RMT a “recipe for success.” So if individuals have questions that do not pose a risk in answering, they can pose them and Support can answer them, on a case-by-case basis.