Author Topic: Security Issues  (Read 23470 times)
Hawkbit
Terracotta Army
Posts: 5531

Like a Klansman in the ghetto.


on: August 29, 2012, 10:48:07 AM

I've got at least 10 emails in the last few days from Anet, people trying to change the password on my account.  Hell, six of them are from within the last few hours. 

Not that we need to be told - awesome, for real - but make sure you have a strong password.  It seems the hackers are going after this game hard.
Malakili
Terracotta Army
Posts: 10596


Reply #1 on: August 29, 2012, 10:50:52 AM

Yeah, just got one of those myself
Rasix
Moderator
Posts: 15024

I am the harbinger of your doom!


Reply #2 on: August 29, 2012, 10:50:53 AM

Yep, I've gotten 2 emails already.  I assume more will come.

-Rasix
kildorn
Terracotta Army
Posts: 5014


Reply #3 on: August 29, 2012, 10:52:12 AM

I've had one so far.
01101010
Terracotta Army
Posts: 12003

You call it an accident. I call it justice.


Reply #4 on: August 29, 2012, 10:57:50 AM

Three thus far... 10:35, 11:11, and 12:46. My abcd1234!@ passwords cannot be deciphered!!

Does any one know where the love of God goes...When the waves turn the minutes to hours? -G. Lightfoot
Trippy
Administrator
Posts: 23618


Reply #5 on: August 29, 2012, 11:22:54 AM

Change your account login -- your email you sign on with -- which is not to be confused with the email address A.Net sends notifications to, which can be different. Ohhhhh, I see.
kildorn
Terracotta Army
Posts: 5014


Reply #6 on: August 29, 2012, 11:47:35 AM

The lack of brute force protection is probably the first clownshoes IT thing I've seen from them. I wonder how much drama that actually would cause gaming companies.
Ginaz
Terracotta Army
Posts: 3534


Reply #7 on: August 29, 2012, 12:22:11 PM

Emails are fake and not from ANet.  I got 6 or 7 to an email that's not tied to my GW2 account.  As always, don't click on anything.  Change your password if you want but do it directly from their site and not the link in the emails.
Amaron
Terracotta Army
Posts: 2020


Reply #8 on: August 29, 2012, 12:25:01 PM

Do you mean you're getting mails from the password reset system?  I would think they wouldn't bother with that if they didn't have access to your email account.
Ginaz
Terracotta Army
Posts: 3534


Reply #9 on: August 29, 2012, 01:33:41 PM

Do you mean you're getting mails from the password reset system?  I would think they wouldn't bother with that if they didn't have access to your email account.

I have a separate email account I use only for a few of my online games.  That one hasn't gotten any password reset requests.  My more general email, which has no connection to GW2 at all, has gotten at least 6 or 7 password reset emails.
Tannhauser
Terracotta Army
Posts: 4436


Reply #10 on: August 29, 2012, 04:04:58 PM

Yeah I got an email from ANet saying someone tried to change my password.  My password is strong, but I may change it anyway.
Abelian75
Terracotta Army
Posts: 678


Reply #11 on: August 29, 2012, 04:20:39 PM

Yeah, I got that too.  Kinda curious what the idea behind that is, because I'm pretty confident they don't have my email (I use a 2-step authenticator thingy for gmail.  Also, nobody's logged into my GW2 account or changed my password.).  Not sure what it accomplishes to do that before gaining access to the email account.

It doesn't appear to be a fake email, though.  Links seem to go to the actual guildwars2.com website.

I didn't change my password or click the links, in any event, if only because I figure if someone is trying to make me want to change my password, I probably should not do it.
Khaldun
Terracotta Army
Posts: 15157


Reply #12 on: August 30, 2012, 07:28:50 AM

There's actually a thing on login in their own interface at the login screen that asks to confirm the email used for the game when you first sign up--the puzzling thing for me is that the confirmation link that pops up in email always reads as "expired" even if I go to it five seconds after getting the email. I think there's something funky going on with Arenanet's basic security set-up.
MrHat
Terracotta Army
Posts: 7432

Out of the frying pan, into the fire.


Reply #13 on: August 31, 2012, 08:42:45 AM

Well, that's great.

Got an email while I was playing that said my account email has been changed.

Guess who didn't change it?

Put in a support ticket as I'm unable to log in now.

Super duper.
Hawkbit
Terracotta Army
Posts: 5531

Like a Klansman in the ghetto.


Reply #14 on: August 31, 2012, 09:11:05 AM

I dropped your guild privs for the time being to remove the ability to withdraw items from the guild.  Let us know when it gets up and running. 

The guild stash has been open to all, the guild vault is deposit only for the time being.
MrHat
Terracotta Army
Posts: 7432

Out of the frying pan, into the fire.


Reply #15 on: August 31, 2012, 09:12:22 AM

I dropped your guild privs for the time being to remove the ability to withdraw items from the guild.  Let us know when it gets up and running. 

The guild stash has been open to all, the guild vault is deposit only for the time being.

Thanks.  Glad I burned my collectors stuff already.
Merusk
Terracotta Army
Posts: 27449

Badge Whore


Reply #16 on: August 31, 2012, 06:44:58 PM

So I decided to try GW1 again and had my NCsoft pw reset and sent to me on Thursday.  This morning it was hacked after I had changed the login email  to a new account unconnected to anything. They've got some bad security problems over there.

The past cannot be changed. The future is yet within your power.
MisterNoisy
Terracotta Army
Posts: 1892


Reply #17 on: August 31, 2012, 11:23:27 PM

Hilarious - I don't even have a GW2 account and have been getting emails about this shit.

XBL GT:  Mister Noisy
PSN:  MisterNoisy
Steam UID:  MisterNoisy
koro
Terracotta Army
Posts: 2307


Reply #18 on: September 01, 2012, 10:52:52 AM

I got two emails last night: One of them alerting me that a password change had been requested on my account.

The second? The confirmation email for the previous password change. All links (barring the confirmation one, 'cause I wasn't clicking that) were legit.

I do not have a Guild Wars account.  swamp poop
Mosesandstick
Terracotta Army
Posts: 2474


Reply #19 on: September 01, 2012, 01:33:53 PM

I think my IP got changed because of some repairs being done by my ISP. Now I need to re-authenticate but I'm not receiving a damn email...
Evildrider
Terracotta Army
Posts: 5521


Reply #20 on: September 01, 2012, 01:50:14 PM

I think my IP got changed because of some repairs being done by my ISP. Now I need to re-authenticate but I'm not receiving a damn email...

This is affecting a lot of people.  I haven't been able to log in all day.  :( 
Nevermore
Terracotta Army
Posts: 4740


Reply #21 on: September 01, 2012, 01:55:57 PM

Yup.  Apparently their system is so terribly sensitive that even people with dynamic IP addresses through their ISP are getting this, and their backend is so horribly overloaded that the emails aren't being sent.  You can't even log into the website (when it's actually up) since it also asks for the verification.

Over and out.
Amaron
Terracotta Army
Posts: 2020


Reply #22 on: September 01, 2012, 02:09:29 PM

All links (barring the confirmation one, 'cause I wasn't clicking that) were legit.

I do not have a Guild Wars account.  swamp poop

I'm lost on this as well.  I got some messages to an email that isn't associated with the GW2 account. The links are legit though.

Are they changing emails on already hacked accounts to ferret out which emails already have accounts?
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #23 on: September 01, 2012, 02:15:52 PM

Almost all well-made phishing spam uses legit links on everything but one of the links. You can't base anything off the fact that it has legit links in it, unless even the actual confirmation link they want you to click is legit. I bet it isn't.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Amaron
Terracotta Army
Posts: 2020


Reply #24 on: September 01, 2012, 02:29:35 PM

Almost all well-made phishing spam uses legit links on everything but one of the links. You can't base anything off the fact that it has legit links in it, unless even the actual confirmation link they want you to click is legit. I bet it isn't.

It is and it's the only link.  Goes to account.guildwars2.com (even in the highlight).  I can only think that they have a hacked account which they then attempt to change to known emails in order to fish out the ones with existing accounts.
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #25 on: September 01, 2012, 03:02:22 PM

Yup.  Apparently their system is so terribly sensitive that even people with dynamic IP addresses through their ISP are getting this, and their backend is so horribly overloaded that the emails aren't being sent.  You can't even log into the website (when it's actually up) since it also asks for the verification.

Yeah this is happening to us as well today. Clownshoes.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Nevermore
Terracotta Army
Posts: 4740


Reply #26 on: September 01, 2012, 04:52:21 PM

I just saw a post by someone on Guild Wars 2 Guru that if you run the launcher as an administrator you'll get the email.  I was doubtful but I tried it and it worked.

Edit: sounds like it was just a coincidence.
« Last Edit: September 01, 2012, 05:11:25 PM by Nevermore »

Over and out.
Phred
Terracotta Army
Posts: 2025


Reply #27 on: September 02, 2012, 12:17:30 AM

Hilarious - I don't even have a GW2 account and have been getting emails about this shit.
* Phred points MrNoisy at the definition of Phishing.
MrHat
Terracotta Army
Posts: 7432

Out of the frying pan, into the fire.


Reply #28 on: September 02, 2012, 01:28:45 PM

Well, that's great.

Got an email while I was playing that said my account email has been changed.

Guess who didn't change it?

Put in a support ticket as I'm unable to log in now.

Super duper.

Just an update: 3 days later and not a word from the guild wars team.  Seems my fun time with GW2 has ended.
KallDrexx
Terracotta Army
Posts: 3510


Reply #29 on: September 02, 2012, 03:02:27 PM

Just an update: 3 days later and not a word from the guild wars team.  Seems my fun time with GW2 has ended.

Not that it's any consolation, but according to their status page they are inundated with tickets and are only at August 30th tickets currently
Venkman
Terracotta Army
Posts: 11536


Reply #30 on: September 02, 2012, 03:55:54 PM

Just an update: 3 days later and not a word from the guild wars team.  Seems my fun time with GW2 has ended.

No idea if this helps. But in the latest Anet update they note:

Quote
Our customer support team is prioritizing tickets from customers with hacked accounts or who are otherwise blocked from logging into the game. If your account was hacked, please follow these instructions for submitting a ticket, to make sure that your ticket is correctly prioritized and to make sure you're submitting all the information we need to restore your access.

I hope it helps!
MrHat
Terracotta Army
Posts: 7432

Out of the frying pan, into the fire.


Reply #31 on: September 02, 2012, 05:24:08 PM

Ya, I did everything correctly, looks like a 4-7 day turn around on accounts.  Ah well.
MrHat
Terracotta Army
Posts: 7432

Out of the frying pan, into the fire.


Reply #32 on: September 02, 2012, 08:26:21 PM

Back in, password new and improved.

Hopefully no more shenanigans anymore.

Tyrnan
Terracotta Army
Posts: 428


Reply #33 on: September 03, 2012, 12:40:20 AM

From the latest update on the wiki page:

Quote
Scanning Accounts & Email Spam
    Yesterday, three malicious users each changed the account names of their own Guild Wars 2 accounts thousands of times, scanning through lists of email addresses stolen from other games and web sites, presumably to determine which email addresses were available (not already used for a Guild Wars 2 account) and which were taken. It obviously shouldn't be possible to change your own account name so frequently. We temporarily disabled account name changes and have now restored but limited them to prevent this.

    To the thousands of people who received emails stating, "the email address for your Guild Wars account has been changed," and are not even our customers, we sincerely apologize for the spam. Please be aware that your email address is on a list of account credentials that hackers have apparently stolen from other games and web sites and are systematically scanning.

    To Guild Wars 2 customers whose email addresses are being tested by hackers but not stolen, thank you for protecting your account by choosing a new, unique password for Guild Wars 2. Even though your unique password should protect you, we think you deserve to know if hackers have your email address on their list of credentials stolen from other games and web sites, so we'll send you periodic notifications when we see hackers testing your account.

Reset Password
    We're leaving "reset password" disabled for now. Please contact customer support if you forgot your password.

    We believe hackers also have lists of compromised credentials for email accounts, and we don't want to allow them to login to a compromised email account and then use "reset password" to steal the associated Guild Wars 2 game account.
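
Added example, not part of the thread and not ArenaNet's code: a sketch of the mitigation the quoted update describes, a per-account cap on account-name changes, replayed over a constructed event list so the effect on the notification spam is visible. The class and function names, the limit of 2 changes per 24 hours and the alert threshold are assumptions for illustration; the update does not state the real values.

```python
from collections import defaultdict, deque

# Constructed sample events: (unix_time, account_id, requested_login_email).
# Account "A1" walks a list of addresses; "B7" makes one ordinary change.
EVENTS = [(1000 + i, "A1", f"user{i}@example.com") for i in range(2000)]
EVENTS.insert(500, (1400, "B7", "new-address@example.org"))

class RenameLimiter:
    """Allow at most max_changes account-name changes per account per window."""

    def __init__(self, max_changes=2, window_s=24 * 3600):  # assumed values
        self.max_changes = max_changes
        self.window_s = window_s
        self._granted = defaultdict(deque)  # account_id -> times of granted changes

    def allow(self, account_id, now):
        granted = self._granted[account_id]
        while granted and now - granted[0] >= self.window_s:
            granted.popleft()  # forget changes older than the window
        if len(granted) >= self.max_changes:
            return False
        granted.append(now)
        return True

def replay(events, limiter, alert_after=10):
    """Replay rename requests; return (granted per account, accounts to review)."""
    granted = defaultdict(int)
    refused = defaultdict(int)
    for ts, account, _target in sorted(events):
        if limiter.allow(account, ts):
            # Assumption: only a granted change sends the
            # "email address has been changed" notification.
            granted[account] += 1
        else:
            refused[account] += 1
    # Many refused renames from one account is the scanning pattern itself.
    flagged = sorted(a for a, n in refused.items() if n >= alert_after)
    return dict(granted), flagged

if __name__ == "__main__":
    print(replay(EVENTS, RenameLimiter()))
```

With the cap in place the scanning account gets two renames instead of two thousand, and the refused attempts give support staff an account to review.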
Arinon
Terracotta Army
Posts: 312


Reply #34 on: September 03, 2012, 07:37:12 AM

Why did we start forcing account names to be e-mail addresses again?