Account Security

Large increase in hacked accounts

There has been a big upswing in hacked accounts in GW2 at present, which has been somewhat concerning. Part of this, I believe, is a result of the recent break-in to the BattleNet authentication servers (Diablo 3), which gave the hacker(s) a list of email accounts associated with RPG/online games as a starting point. Part of it is ALSO due to the password reset option (now disabled) on the GW2/NCSoft websites: it gave a different message when used with a real game account email than when used with a non-existent one, so they could use the password reset to verify whether a GW account was attached to an email address… and then just try to brute force the password for that confirmed account name/address.
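The reset-form leak described above, shown next to a handler that answers identically whether or not the account exists. This is an added example, not ArenaNet's or NCSoft's code; the account store, mail outbox, function names and message strings are all constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample data: one registered account, for illustration only.
ACCOUNTS = {"bob@example.com"}
OUTBOX = []          # stands in for the outgoing mail queue
RESET_TOKENS = {}    # SHA-256 of token -> account email

GENERIC_REPLY = "If that address has an account, a reset link has been sent to it."


def _issue_token(email: str) -> None:
    token = secrets.token_urlsafe(32)
    # Store only a digest so a database leak does not expose live tokens.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
    OUTBOX.append((email, token))


def reset_leaky(email: str) -> str:
    """The behaviour described above: the reply depends on account existence."""
    email = email.lower()
    if email not in ACCOUNTS:
        return "No account is registered with that email address."
    _issue_token(email)
    return "A reset link has been sent to your email address."


def reset_uniform(email: str) -> str:
    """Hardened form: one reply for every address, mail only to real accounts."""
    email = email.lower()
    if email in ACCOUNTS:
        _issue_token(email)
    # A production handler would also queue the mail asynchronously so the
    # response time does not differ, and rate-limit requests per client
    # and per address.
    return GENERIC_REPLY


def distinguishes(handler) -> bool:
    """True if the handler's reply reveals whether an address is registered."""
    return handler("bob@example.com") != handler("nobody@example.com")


if __name__ == "__main__":
    for handler in (reset_leaky, reset_uniform):
        print(handler.__name__, "reveals account existence:", distinguishes(handler))
```

A check like `distinguishes` fits in a regression test for any form that takes an account identifier (reset, sign-up, login), since each can leak the same signal.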

From Mike O’Brien (ArenaNet Founder) on Reddit:

Account security – We’re seeing an uptick in reports of account theft and attempted account theft. We believe hackers are using databases of email addresses and passwords stolen from other games and web sites, and pre-existing trojan horses, to search for matching Guild Wars 2 accounts which they attempt to compromise. To prevent this, we have temporarily disabled the “reset password” feature, and we’re working to bring email authentication online. To protect yourself, please ensure that you use a unique password for Guild Wars 2 that you don’t use for any other game, email account, forum or web account.

Email authentication – Email authentication is a feature that notifies you if someone tries to log into your account from a location you’ve never logged in from before. Thus, even if someone guesses your game password, he can’t log in unless he also guesses your email account password. You can make email authentication even more secure by using an email provider that supports two-factor authentication, such as Google or Yahoo, and taking advantage of that. We’re currently preparing email authentication and intend to deploy it in a phased rollout, starting on Thursday, August 30.

If you’ve been getting password reset attempt emails, it means that your account login name IS KNOWN to the gold sellers/hackers trying to break in. You may want to seriously consider changing the login email through the accounts page at the official site from a known safe machine…

If you have LOST access to your account login, it’s possible that the account password has been guessed, and the person who got in has ALREADY changed your account email address. If you had your GW1 account linked to an NCSoft Master Account, you can log into the Master Account to see what the new email address was set to, change the password from the Master Account to lock the hacker back out again, and then log into the GW2 account page again to change the email address back to one you own. Also, submit a support request as soon as possible, as you’re likely to need a roll-back on the account and/or to have been reported in-game for the hacker’s behaviour on your account. Many people are currently getting 72hr/permanent bans on hacked accounts :(. Be aware that support is backed up very badly at present; it’s entirely likely that you won’t get a response for 4-5 days.

ArenaNet have added a brief “advice” page for security here: https://www.guildwars2.com/en/news/tips-for-keeping-your-guild-wars-2-account-secure/

Unique Account Emails

Many mail services like Gmail allow you to use suffixes on your email address to create “unique” versions of it for different purposes, without needing multiple mailboxes and login details. If you have been getting password reset emails and would like to change the email address used as your GW account login, you may be able to do so using a suffix on your existing email, so that you don’t have to create a new email account somewhere.

For example, if your email address was “bob@example.com”, you may be able to use a suffixed address like “bob+mysecureloginname@example.com”. The name portion is followed by a separator character (usually either “+”, “-” or “=”) and then whatever random string you want to use. Test sending to yourself with different versions to see if this is available to you. Gmail and Hotmail both support this using “+” as the separator.

Email Authentication

Over the next couple of days, ArenaNet are rolling out an email authentication system that sounds pretty much like SteamGuard. Once that’s available, turning it on will mean that any login attempt from an unknown location results in you receiving an email asking you to approve or deny that location’s ability to log in.

Edit: Information on activating this can be found here: http://en.support.guildwars2.com/app/answers/detail/a_id/9192/

 
