Ok, this is WELL worth reading in full: https://www.guildwars2.com/en/news/mike-obrien-on-account-security/
I’ll summarize it here:
- ArenaNet are going to add the ability to use Google Authenticator (it does NOT require a Gmail account) to account logins, and expect to have this available in about 2 weeks. They were originally going to build their own, but since Google's is already well supported and well tested on multiple platforms, in the interest of getting two-factor authentication out as fast as possible they're dropping their own and moving to Google Authenticator.
We know customers also want a native implementation of two-factor authentication, and we want it too. This is an area where we should act faster as a company, and we’re going to. We had our own homegrown implementation of smartphone two-factor authenticator in testing, but we’re going to pull it back and instead integrate Guild Wars 2 with Google Authenticator, which already has robust authenticator implementations on most major smartphone platforms. We expect to roll this out in the next two weeks.
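To make concrete what "integrate with Google Authenticator" means on the server side, here is an added example of the verification step (this is not ArenaNet's code, and nothing about their implementation is known beyond the post). Google Authenticator produces RFC 6238 TOTP codes with the defaults assumed below (HMAC-SHA1, 30-second time step, 6 digits); the window size, the replay guard and all names are this example's own choices, and the expected codes in the comments come from the RFC 6238 test vectors for the secret "12345678901234567890".

```python
"""Server-side TOTP (RFC 6238) verification of the kind Google Authenticator
produces. Added example, not ArenaNet's code. The constants are the
Google Authenticator defaults: HMAC-SHA1, 30 s step, 6 digits."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 appendix B test secret, base32-encoded as an authenticator app expects it.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32-encoded for enrolment in the phone app."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    key = base64.b32decode(secret_b32.upper())  # upper() tolerates lowercase typing
    return hotp(key, int(at_time) // step)


class TotpVerifier:
    """Checks a submitted code against the account's shared secret.

    window: time steps of clock skew tolerated on either side of "now".
    last_counter: highest time step already accepted, so a code captured in
    transit cannot be replayed while it is still inside the window.
    """

    def __init__(self, secret_b32: str, window: int = 1) -> None:
        self.key = base64.b32decode(secret_b32.upper())
        self.window = window
        self.last_counter = -1

    def verify(self, submitted: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        counter = int(now) // STEP_SECONDS
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # this step (or an older one) was already used: reject replay
            # compare_digest is constant-time, so a wrong guess leaks no timing signal
            if hmac.compare_digest(hotp(self.key, c), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    print(totp(RFC6238_SECRET_B32, 59))            # 287082 (RFC 6238 vector, 6 digits)
    print(totp(RFC6238_SECRET_B32, 1111111109))    # 081804
    v = TotpVerifier(RFC6238_SECRET_B32)
    print(v.verify("287082", 59), v.verify("287082", 59))  # True False (replay)
```

The replay guard matters because a 30-second code is valid for the whole window; the phishing flow described later in the post (attacker already holds the password and logs in moments after the victim) is exactly the case where accepting the same code twice would defeat the second factor.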
- ArenaNet have evidence from logs that the people trying to break into GW2 accounts are using email+password lists obtained elsewhere (fan sites, the BattleNet hack a month or so ago, the Steam forum hack a year or so ago, etc). Most of those email+password pairs don't match any Guild Wars account, and many of them used "good" passwords, but some entries in those lists are turning up matches, and when they do the account is exposed. Unfortunately, a lot of these exposed accounts used the same password for their email account as well, so the hacker was then able to log into the player's email account and click the link in the email to authenticate their login…
So keep in mind: if you ever see an unexpected email asking you to validate a login attempt from a location you're not playing from, that means a hacker already knows your account name and password!
- ALL passwords used in those email+password hack attempts are being added to a blacklist, so that they cannot be used by any Guild Wars account in future. This doesn’t affect existing accounts.
The rate of account hacking was about 1.5% for accounts created before this blacklist was in place, and is about 0.1% for accounts created after.
- ArenaNet are requesting that people change their GW1/GW2 password now to one unique to that account. When they do, the back-end will ensure that the new password is NOT currently on the blacklist, and will add the OLD password for the account to the blacklist so that it cannot be reused. Since you can use up to 100 characters in a Guild Wars password now, they're suggesting using a full passphrase (with punctuation) when you create a new one.
This all leads to the following request. All existing customers, please change your password. When you change it, the system won’t allow you to pick your previous password, or any password that we’ve seen tested against any existing or non-existent account. Thus, after changing your password, you’ll be confident that your new password is unique within Guild Wars 2.
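The blacklist mechanism in the two bullets above (every password seen in a stuffing attempt goes on the list, a change rejects anything on the list, and the old password is retired onto it) is small enough to show end to end. The following is an added example, not ArenaNet's code: the storage format (blacklist kept as unsalted SHA-256 digests, account passwords as salted PBKDF2), the iteration count, the log-line format and every name are this example's assumptions, and the sample log lines are constructed.

```python
"""Password change against a breach-derived password blacklist, modelled on the
process the post describes. Added example, not ArenaNet's code; hash choices,
iteration count and the log format are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune per deployment


class PasswordBlacklist:
    """Passwords tried in failed logins, plus passwords retired by a change.

    Kept as unsalted SHA-256 digests (assumption): the check runs against every
    account's candidate password, so a per-user salt cannot apply, and a digest
    avoids holding a plaintext list of passwords known to be in attackers' hands.
    """

    def __init__(self) -> None:
        self._digests: Set[bytes] = set()

    @staticmethod
    def _digest(password: str) -> bytes:
        return hashlib.sha256(password.encode("utf-8")).digest()

    def add(self, password: str) -> None:
        self._digests.add(self._digest(password))

    def __contains__(self, password: str) -> bool:
        return self._digest(password) in self._digests

    def __len__(self) -> int:
        return len(self._digests)


class AccountStore:
    """Accounts keyed by email; each stores (salt, PBKDF2-HMAC-SHA256 hash)."""

    def __init__(self, blacklist: PasswordBlacklist) -> None:
        self.blacklist = blacklist
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def create(self, email: str, password: str) -> None:
        if password in self.blacklist:
            raise ValueError("password has already been seen in attack traffic")
        salt = os.urandom(16)
        self._accounts[email] = (salt, self._hash(password, salt))

    def check(self, email: str, password: str) -> bool:
        rec = self._accounts.get(email)
        if rec is None:
            self._hash(password, b"\x00" * 16)  # same cost, so timing does not reveal existence
            return False
        salt, stored = rec
        return hmac.compare_digest(self._hash(password, salt), stored)

    def record_failed_login(self, email: str, password: str) -> None:
        """Every password tried in a failed login is blacklisted, whether or not
        the email belongs to an existing account (as the post describes)."""
        self.blacklist.add(password)

    def change_password(self, email: str, old: str, new: str) -> None:
        if not self.check(email, old):
            raise PermissionError("current password incorrect")
        if new == old or new in self.blacklist:
            raise ValueError("new password must differ and never have been seen in attack traffic")
        self.blacklist.add(old)  # retire the old password: no account may reuse it
        salt = os.urandom(16)
        self._accounts[email] = (salt, self._hash(new, salt))


# Constructed sample of failed-login log lines (not real data), in the
# "<email> <password>" form this example assumes the auth service emits.
SAMPLE_FAILED_LOGINS = """\
alice@example.com hunter2
nobody@example.com Pa55word!
bob@example.com correct horse battery staple
"""


def ingest_failed_logins(store: AccountStore, log_text: str) -> int:
    """Feed each attempted password into the blacklist; returns lines ingested."""
    count = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        email, _, password = line.partition(" ")
        store.record_failed_login(email, password)
        count += 1
    return count
```

Note what the blacklist does not do: it does not say whether the tried password belonged to a real account, which is why the post can add every attempted password, including those tested against non-existent accounts, without leaking anything about which accounts exist.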
Please DO go and read the article. They're not just blaming users (you used an easily guessed password, you had a key logger, etc – the kind of thing that has often been said in the past), but are looking at the situation reasonably and doing what they can to minimize risk both to your GW accounts AND to other accounts you may own.
Database Breaches
We’ve seen some players theorize that hacked accounts were due to a Guild Wars database breach. We have very strict blocks in place to keep network attacks from reaching our customer databases, and a team constantly monitoring for any signs of intrusion, and we’re confident that there has been no such breach.
We take security very seriously. Perhaps you can tell from this blog post. And of all the things we protect at ArenaNet, we protect our customers’ data most of all.
Companies like Blizzard and Valve presumably also had a commitment to security, yet they ultimately suffered breaches of their account databases. One day will we become such a target that a hack attempt will finally overwhelm our defenses?
If that ever were to happen, we’d be up-front with you about it, and we’d take immediate steps to ensure that it didn’t lead to widespread account hacking. And here’s something else to think about. Because we’re requiring all Guild Wars 2 players to use unique passwords for Guild Wars 2, there’s actually nothing a hacker can steal from Guild Wars 2 to help attack other games or web sites. Using unique passwords benefits you both ways. In general, making a commitment to use a unique password for each account you care about is the best way to protect yourself, not only from being hacked today, but also from being hacked as the result of any future security breach of any company you deal with.