Guild Wars 2 hack impacts 11,000 accounts

A breached Guild Wars 2 fan site is one of various sources of passwords being used by hackers to gain access to game accounts, according to ArenaNet.

20

It may be time to gird your loins and beef up your passwords again, as yet another online game's security has been compromised. Guild Wars 2 has received more than 11,000 support requests for hacking, but it appears that the game itself wasn't targeted. Rather, ne'er-do-wells gained passwords from other sources like fan sites, and matched them to Guild Wars 2 accounts.

While it may seem obvious for some users, the attack was apparently enough to flood ArenaNet with reports of hacked accounts. Ars Technica reports that the company received about 8,500 such e-mails over the weekend, and then roughly another 2,500 on Monday alone.

The company said that one particular fan site that recently came under attack was a source of the passwords, but it's "just one of many apparent breaches of other games and web sites that hackers have been collecting email addresses and passwords from." One user in Europe reported 10 e-mails about someone trying to access his account from China. He says the verification procedures in place have rendered those attempts unsuccessful.

"If you don't want your account hacked, don't use the same email address and password for Guild Wars 2 that you've used for another game or web site," said a statement from ArenaNet. "Hackers have big lists of email addresses and passwords that they've harvested from malware and from security vulnerabilities in other games and web sites, and they're systematically testing Guild Wars 2 looking for matching accounts." They advise using long, randomly generated, unique passwords. Which, really, is just a good idea in general.

Editor-In-Chief
From The Chatty
  • reply
    September 7, 2012 10:30 AM

    Steve Watts posted a new article, Guild Wars 2 hack impacts 11,000 accounts.

    A breached Guild Wars 2 fan site is one of various sources of passwords being used by hackers to gain access to game accounts, according to ArenaNet.

    • reply
      September 7, 2012 10:41 AM

      Yeah that headline was not misleading at all! Gave me a damn heart attack.

    • reply
      September 7, 2012 10:42 AM

      Nothing to see here, just people being security stupid.

    • reply
      September 7, 2012 10:45 AM

      Phew, good thing I didn't bother registering for any GW fan sites. -.-'

      • reply
        September 7, 2012 10:59 AM

        Not only that but you had to be dopey enough to use the same email and password as the game on these sites. 11k people are apparently dumb enough to do that.

    • reply
      September 7, 2012 10:57 AM

      10 e-mails about logging in from China? Thats nothing, my wife had no fewer than 260 attempted logins from China!

      The e-mail verification stopped them all short, and she's changed e-mail address and password since then and had no more attempts.

      • reply
        September 7, 2012 4:39 PM

        youremail+GuildWars2@gmail.com should stop most scammers with email lists and still allow your GW2 related email to be sent to your original email account.

    • reply
      September 7, 2012 11:00 AM

      authenticator? :D

    • reply
      September 7, 2012 11:17 AM

      if you use the same password for everything... you deserve to get hacked... COMEON PEOPLE !!!! IF YOU CANT REMEMBER MULTIPLE PASSWORDS YOU SHOULDNT BE PLAYING MMOS !!

      • reply
        September 7, 2012 11:26 AM

        that's like saying you deserve to have your house broken into if you don't lock your door.

        pretty sad position to take.

        • reply
          September 7, 2012 11:41 AM

          Not even close to being the same thing.

          • reply
            September 7, 2012 11:45 AM

            both are cases where someone deserves bad things to happen to them because they did not take the necessary precautions.

            maybe I'm being a dick about how I use 'deserve'

        • reply
          September 7, 2012 3:48 PM

          no, it's the same as using the same key for your house, your car, your office, your safe, etc... and then someone gets a copy of your car key.

      • reply
        September 7, 2012 11:47 AM

        i have signed up for accounts probably on hundreds of websites in my decade+ on the internet. that doesn't seem reasonable :(

        • reply
          September 7, 2012 12:32 PM

          use a password manager

        • ArB legacy 10 years
          reply
          September 7, 2012 12:51 PM

          Use LastPass! You've tried KeePass before, and thought it was a huge pain in the ass, right? LastPass is way simpler to use. You will like it.

          • reply
            September 7, 2012 4:13 PM

            How is keepass pita?

            • reply
              September 7, 2012 4:20 PM

              some people (like myself) are lazy

              • ArB legacy 10 years
                reply
                September 7, 2012 5:49 PM

                Yeah, I am way too lazy for that. It's too much effort. LastPass is automagic, just the way I like it.

          • reply
            September 7, 2012 9:53 PM

            Yep. Bite the bullet with a password manager. I went and changed my passwords on well over a hundred website accounts to get set up with 1Password... it takes a while, I just did it gradually over time, but it feels good to finally get all that mess under control.

      • reply
        September 7, 2012 12:39 PM

        If you use the same password for everything, calling it "getting hacked" is pretty generous.

      • reply
        September 7, 2012 1:39 PM

        is that like "rape rape" or just "rape"?

      • reply
        September 7, 2012 3:50 PM

        Nobody deserves to be hacked...but please try and understand that hackers commonly try and compromise places like clan sites since they have absolutely no security, then use those credentials in whatever the fan site was for.

      • reply
        September 7, 2012 3:54 PM

        You shouldn't be remembering multiple passwords, because if you can remember all 50 passwords you likely have on different sites, then those are probably pretty weak passwords. They should be complex passwords stored in an encrypted database and you should never have to look at them, ideally.

        • reply
          September 7, 2012 4:12 PM

          Have a complex password that you change the first 4-5 characters of for each site.

          shackxxxxx123
          googlxxxxx123
          guildxxxxx123

        • reply
          September 7, 2012 5:57 PM

          Actually, passwords like:
          "Hyperspeed Tableware"
          "Massive Disaster"
          "Terrible Password" (lol)

          and so on, are pretty secure AND easy to remember.

          • reply
            September 8, 2012 12:31 AM

            They once were but prediction algos make them pretty bad

    • reply
      September 7, 2012 11:19 AM

      Ouch

    • reply
      September 7, 2012 12:16 PM

      I had someone trying to hack mine when i was only level 5 lol. What a waste.

    • reply
      September 7, 2012 12:46 PM

      I bought this game on the box art and I was very disappointed to find out it wasn't a Mortal Kombat sequel. Who do I contact to get my money back? The idiots at Gamestop wouldn't give my money back.

    • reply
      September 7, 2012 3:30 PM

      These people also must not have verified their email. After verifying my email, anytime someone tries to login to my account from a different IP it must be verified first.

      • reply
        September 7, 2012 4:19 PM

        Or their email account used the same pass and is compromised too.

      • reply
        September 8, 2012 12:56 PM

        This is true; however, I got errors for the first week or so and was unable to verify my email. I know others who had the same problem.

        • reply
          September 10, 2012 8:08 AM

          Yes, as far as I know it was broken for everyone for about a week. It works fine now however.

      • reply
        September 8, 2012 1:10 PM

        I've logged into my GW2 account from 4 IP addresses at this point. One IP is my home, so that one is clear. One IP logged in just fine initially, then required authentication the 2nd day. The other 2 IPs have worked perfectly fine with no authentication.

        I would definitely not rely on this for security.

        • reply
          September 10, 2012 8:11 AM

          I can't say I have had the same problem. I only logged into one computer prior to verifying my email. After verifying my email it required my authentication. I logged in from one other IP which also required verification. I also let me friend log into my account to download the client so it would be ready when his copy came in the mail and he also need to be verified.

    • reply
      September 8, 2012 1:16 PM

      PSA: How to create a better password than random characters. http://xkcd.com/936/

Hello, Meet Lola