11,000 accounts compromised

[Sylvanie]

My post you quoted I meant to say "It's VERY hard to pull off and is only something you can really do in an targeted way." Man in the middle attacks work, no question. The malware that sits and watches for programs launching that generally have the security tokens associated with them and starts re-directing traffic also work but the first is VERY targetted the second requires a stupid user.

No, it just needs malware for that purpose on the victim's computer (such malware would probably include code to intercept logins for most popular MMOs). The only tricky part is that removing a Battle.net authenticator requires entering two consecutive authenticator codes. The malware needs to trick victims into entering two consecutive authenticator codes (this is required for removing an authenticator). That's not too difficult, because most people will do that normally when a login fails (assuming that they mistyped the code or the password or the code expired).

Note that a simpler form of a man in the middle attack was observed in the wild. That one was limited to just taking over a gaming session, though, so the harm was limited to clearing out the victim's possessions, without the account having actually been stolen.

[Fitzgerald77]

I guess those 11k people are total morons. I will never understand fully how someone can get hacked. Use common sense people!

[Deleted]

that's awkward...

[Dazzy]

Authenticators can be comprismised and have been by malware/backdoor programmes.

As for giving my mobile number to any games company, you have to be kidding, Blizzard's North American database was compromised a few weeks ago.

It really is pretty simply don't use an email for things like forums that you would do for anything important.

You're correct about systems using authenticators being broken into in the past, but NOT for a video game. The amount of effort and money/research and computing power it takes...the average hacker will never see that much money in his life.

Authenticators are used to protect sensitive data at almost every major corporation on the planet, and for a good reason, they work.

As for passwords, yeah, no reason on earth to ever use the same password for more than one thing, ever. Write them down by your computer at home if you must (nobody is breaking into your house to get passwords to gaming sites and an amazon and paypal account).

[RoninaThorstone]

Edited.

It's already been addressed by a mod.

[Deleted]

its not Anets fault. If people are so naive to use the same password for fan sites and games, then they are placing their account security in the hands of the fan site, its as good as giving away your password. No one would hold Anet accountable if you handed it out to a hacker, but thats exactly what people have effectively done. very very simple security awareness is all it takes never to get hacked.

Its not nice, but in all reality, its the person who got hacked's responsibility to keep their account information secure. learn from this people, dont use the same password, ideally dont use the same email address if possible, and make sure you use decent(unique) passwords (ie, longer ones).

[Hellfury]

I dont agree they deserved to be hacked, atmost those ppl are internet naive.

But asking for a authenticator service its a legitimate thing.

[Wries]

Oh yes got 'em "Authorize Login Attempt" emails shortly after creating my account today, even. I had used one of my community not-so-important passwords by mistake.. Interesting to know that it's in a password list now as it was very random and probably unique.

However I still got my account. Guess they needed access to my email inbox as well? Though luck.

So which site was it that stored passwords in plain text and then got hacked? I'm not a member of any direct GW2 fansite..

[Tekkommo]

People will always get hacked with online games, it's your responsibility to be smart and make sure it doesn't happen to you.

Authenticators are a start, but other games have proven they are not 100%.

I don't wanna sound like a jerk and say you deserve to be hacked, but if you get hacked, it's most likely your own fault.

[Deleted]

I dont agree they deserved to be hacked, atmost those ppl are internet naive.

But asking for a authenticator service its a legitimate thing.

Or a rift style coin lock would be fine. It's a great way to do it in my opinion, not overly restrictive. It protects you from hacking really well. Unless your email and game passwords are the same......nm, bad idea!

[Deleted]

Yes. Stupid mistake. Stupidity has consequences.

Yes. Stupid mistake. Stupidity has consequences.

Did he use two top-of-the-line bike locks, one combo and one key, and both made of good solid metal? (Mind you, this is a very common bike theft prevention technique - why would they cut into YOUR bike locks, when the bike over there has only one bike lock, and it's made of plastic?) Where did he lock up his bike? Was it to a railing that would be difficult to cut through with a welding tool? If you've ever lived in Austin, you know that people make a living off stealing bikes, and will have such tools. In such locales, which are publicly known for bike thefts, you'd be smart enough to take your bike into where you live.

People need to get out of this "nice" mentality of trying to save everybody from everything. Even in modern society, it's survival of the fittest. We do need a nicer community where we treat everybody with some respect, but if they make a mistake, they deserve to suffer the consequences of said mistake. There's 6 billion people in the world, nobody is special.

The asura have a very similar attitude, and I don't fault them for it, though I despise the way they treat other people with their big egos.
"You're smart, and you survive...or not."

so I guess your parents were stupid one night, and they got what they deserved . Sad story

if you think everyone deserves to be robbed, beaten maybe even raped (she deserved,by wearing such skimpy outfit), you are not human beaing and I have no sympathy for you.
NO ONE DESERVES TO BE A VICTIM.
I have my window open during hot night, I leave my bike without locking it when i enter a building for a minute, I eat ice cream (yeah i deserve to be sick) I got beaten by trying to help girl in night club ( ideserved it i guess, should stay put and do nothing).
People like you are cancer in this world, no empathy at all, all you want is to punish people and watch them suffer.

By the way I'm mostly using same password for years in every mmo I played and wasnt hacked even once. I don't believe at all it's the matter od passwords.

[DrakeWurrum]

Stop being a douche now with the "you deserve to be hacked" shit. Now. -Edge

@edge specifically - Excuse me if this is stepping over some line, but you can't abuse your moderator powers here simply because you believe differently. I'm not breaking any rules of the forum. I'm stating an opinion that people disagree with, which is standard fare for every single sub-forum. I assure you, if you infract me for continuing this discussion, I will bring your superiors in on this, as none of my behavior is breaking a forum rule. If other people cannot keep their passions in check in regards to how they respond to what I am saying, they should get infracted, and they should have to deal with the consequences of their behavior. I should not be censored or punished simply because you are sick of how people are responding to my opinion, and you have to clean up. I have not forced them to break any rules, I have simply openly voiced an unpopular opinion (on this board specifically, anyways) which opens myself up to personal attack, if they make the choice to do so and break the forum rules.

I shouldn't get punished for making myself socially vulnerable.

It's all fine and dandy if you and others think it's a "douche" opinion to hold, but that does not break the rules of the forum in the least. I am not trolling, nor am I flaming, nor am I posting content that is intended to offend people (and if you can consider this offensive enough for censorship, let alone infractions, then anybody who has ever posted negative opinions about WoW or GW2 or SWTOR or anything on this forum may as well just have their accounts deleted, as somebody is going to be offended by it).

This is not even something that can be considered deconstructive or off-topic. I am very much contributing to the topic with related content and opinions, regardless of the popularity of my opinion - the topic being all about accounts getting hacked, and proper account security.

If people are willing to discuss this topic without insulting people left and right, giving proper respect to people (something I have NOT failed to do, short of light condescension), and keeping their passions in check, then you don't have any mess to clean up.

This particular rant, directed at you, is the only thing I've posted in this entire thread that breaks any forum rule. But hey, before you say anything about me posting this publicly, you could have taken the civil route and PMed me to stop in the interests of keeping civil discussion, and also been more polite about the request might I add, and I likely would have been quite willing to do so - but you chose to instead edit it into my post and make it into a public statement and a display of moderator power. Instead you chose to blatantly call me a douche, and directly caused me to derail this thread from the topic.

If you want me to stop discussing something because it's causing problems for you and your fellow mods, it's easier if you just ask privately. Hell, if you want to delete this entire rant for the same reason, by all means, do so. I just wish you'd taken the time to treat me like a fellow human being before it got to this point.

She deserved to be raped because she wasn't carrying mace or a gun.
They deserved to have their house burglarized because they didn't install steel bars on the windows and a $10,000 alarm.
He deserved to get mugged because he didn't have 5 friends with him.

None of those are the same thing, in the least. In the first case, it's very much not deserved, as the victim is likely not to have any power over the situation. Carrying mace or a gun isn't always enough deterrent, as the people who perform such acts are very messed up people.
In the second case, that's a ridiculous extreme. I'd assume most people can lock the entrances to their houses. Not always enough, but you can't do much more than that. Improper account security is more like simply having a piece of cardboard for your door.
In the third case, again, that's a ridiculous extreme, and one of those cases where you often have no power to stop it. This is more like walking around with your life savings openly visible in your hand.

When I say they "deserve" it, I am simply saying that they have to deal with the consequences of their choices and their actions. It seems this is par for the course for these forums, where everybody looks at a word, and then takes the definition of said word to the utmost extreme, as if you want to find a reason to be upset. If their choice is to not keep their account properly secured, then when they get hacked, they have nobody to blame but themselves. As has been said earlier in this thread, it's a matter of when, not if.

I have never said they should be hacked. I have never said it was justified. I have never said they have no right to complain, nor have I said they shouldn't get it back. Simply that it was something they brought upon themselves, when they have full capability of preventing it. They have all the tools at their disposal. That $10,000 alarm system you mentioned earlier? Those 5 friends? The mace and gun?
They have that ALL of that at their disposal, and then some, for no charge at all. It was even put directly into their hands. They were practically given a free police escort for the evening. Unfortunately, it was an option they declined, and simply set aside.

As far as account security is concerned, having a single e-mail across all internet accounts, regardless of how secure each individual account happens to be, is the exact same thing as giving your password to hackers. It's just as silly as taping the key to your front door to the wall right next to your front door, for anybody who comes up to use it.

When you do something or make a choice that is simply not smart or not wise, you very much deserve to reap the consequences. If you choose to sleep with somebody without using a condom, you have made your choice.

Account compromise is nothing like being a victim of rape. I know people, personally, who have been, and I find it very insulting for you people to make such a comparison. Nothing compares to such an act.

[Deleted]

Well, always consider that the victims are never to blame, but for your own personal safety, those people could have put themselves at less of a risk than they did. It would never be your fault if you got, for example; mugged, but it's good practice to not walk down dark alleys in bad neighbourhoods to safeguard yourself against it happening.

[xxf2dxx]

@edge specifically - Excuse me if this is stepping over some line, but you can't abuse your moderator powers here simply because you believe differently. I'm not breaking any rules of the forum. I'm stating an opinion that people disagree with, which is standard fare for every single sub-forum....

Off-topic
Derailing

This isn't the place for your petty little rant.



Personally I don't understand why they overlooked the security issues to begin with. Considering WoW has been dealing with it for ages and SWTOR even introduced pretty much the same thing right around release, I really just can't figure out as to why.

[Fenlnir]

This might be a little off topic, but if you were hacked, were you still on your ncsoft email log in? Just wondering if Arena net had a little accident that they don' want to talk about.

[Tlesta]

but this is just a bloody game, not my bank account ffs, most of the people don't give a damn about it.
Having new e-mail for everything, new pasword and what not, is madness.

If they don't care about it, then what does it matter if they get hacked? If even the most basic of security steps isn't worth their time for something they obviously have so little care of (their GW2 account), then I guess that's case closed. GW2 support is freed up to do other things than deal with something no one, even the owners, care about, and the owners can move on to something they do care about. Works out in the end, I suppose

[mercutiouk]

Same here. I use the same Gmail address, but everything has a different password. The password here is different from my email password, my GW2 password, my password on another site, ect.

So long as you have the 2 step setup then sure. Otherwise you're not protecting yourself at all (keylogger can get the different email password).

---------- Post added 2012-09-10 at 01:06 AM ----------

Oh yes got 'em "Authorize Login Attempt" emails shortly after creating my account today, even. I had used one of my community not-so-important passwords by mistake.. Interesting to know that it's in a password list now as it was very random and probably unique.

However I still got my account. Guess they needed access to my email inbox as well? Though luck.

So which site was it that stored passwords in plain text and then got hacked? I'm not a member of any direct GW2 fansite..

If you aren't a member of a fansite and got hacking attempts soon as you made it that does sounds rather like they have a potential problem at source there.

[Tlesta]

She deserved to be raped because she wasn't carrying mace or a gun.

That's not even close to this situation.

Now, if she had walked down a road called "Rape Lane", in "Rapeville" with signs over every entrance with HUGE letters, in multiple languages, stating "YOU WILL BE RAPED IF YOU TALK DOWN THIS ROAD. PLEASE TAKE THIS OTHER, MUCH SAFER BUT MILDLY MORE INCONVENIENT ROUTE INSTEAD"... then yes, totally deserved.

ArenaNet said loud and clear in so many places that it started to get annoying to "Change your password. Do NOT use the same email and password combination that you have used ANYWHERE else". They wrote it EVERYWHERE. The loader. The website. The registration site. There is only so much you can do to protect your players, but at the end of the day you can't protect them from themselves. If somoene honestly read even 1 of those warnings and did it anyway, they were practically screaming to every hacker out there "COME AT ME, BRO". :-P

Note that it's not just fan sites that lost people's emails and passwords. A large portion of the top MMOs by this point have all been hacked (Almost every sony game, WoW just a few months ago, Rift just a few months ago, Champions online just a few months ago... and those are the ones I know of). If you are using the same password/email combination as any of those, you can be pretty sure something bad is coming your way.

[ddsad2212]

Yep, this happened to me. Got my account set up, went to PAX for the weekend and came back to my E-MAIL being changed. Very poor preventative measures on Arenanet's part.

What do you expect them to do, stop people logging in using your password and email? Stop people who have full access to your email account from changing you password? You seem to be one of the people who think that people can actual hack A-net`s database, there are a few select people in the world who could form a team to do this to any company such as riot or A-net, none of them care about a few credit card details or using you account to sell gold , you can be assured of that. So please people learn how to use the internet.

[schippie]

Its hilarious some of the people who tell others they deserved this. Only one word for you i hope somebody breaks into your bank account. Lets see if you then still "deserve" it.

Anyways it was to be expected, its common knowledge its not easy for people to have multitude of passwords. Which is understandable, most will have one password or maybe iterations of the same password. Also i think most webmasters know adding rules like complex passwords etc are fairly redundant within reason. It simply is all part of this world now, nothing you can do about it honestly. Only features like auths can protect accounts (and even those are not 100% sure). Nothing can fully protect you, the best advice i can give anybody is have 2-3 passwords (the more the better but remembering them all is not that easy unless you want to keep a word document with all of them). 1 for most internet stuff 1 for games and 1 for your mail /extremely private stuff.

The idea of having 100 passwords is just dumb.. and creates a whole other problem the what i call: "I forgot my password crowd"

@edge specifically ...

If you have any moderation problems you will have to contact sunshine or boub/ chaud etc. You are not allowed to discuss these out in the public something that you should have seen after reading the rules.