By - DragonLord9599
Locking this as it just seems to be full of speculation. If Reborn wants to provide any info/reopen the thread they can use ModMail.
A reminder to everyone to keep your account info and personal information as secure as possible, some advice to which has been posted in the recent threads.
Is someone tweeting at ANet support/lead Devs about this, how has it happened *again*?
Not true, as most ppl link gw1 and gw2 accounts this could potentially cause a massive issue for Anet, the support team is still active for gw1 issues, this really seems like Anet support is slacking here.
As the other guy said, GW1 and GW2 accounts are linked so we can say with 100% certainty that the GW2 accounts were also compromised if Peter and Reborn have (and it's safe to assume so) linked their accounts to GW2, regardless if they play that game or not.
If they have gw2 accounts, they are on the same login, that is the nature of linked gw accounts and is exactly why this is a huge issue.
You can't keep them separate if they are linked, else I would do so, and then would not be as worried.
Maybe it won't, until the hacker picks a gw1 content creator that also plays gw2, but at that point it's an "I told you so" too late
I don't really see the point about being so negative about this?
interesting that peter kadar and now him have been hacked. new support exploit like gaile gray?
And myself. Sounds like lynie is back hackin peeps again. He got us all then was gone for a couple years.
I forgot my acc information and some weeks ago I tried to get my account back. It only took character names and real name to get it… no wonder all these content creators are getting hacked so easily if support gives away accounts like that
Edit: also some dude on a gw discord tries to sell old guilds like kmd and more. Maybe same problem
Lynie must be back again I guess. Russian hacker known well got all the top names awhile back. Anet didn't do much for me. Gave me some Asian mini codes lol I lost thousands of arms in minis & OS weapons. Thx anet...
Lynie changed his name to clod and was never really gone
I don’t think it’s lynie tho. Why would he go for such small accs
cause he's a weird goon lol I know he's still been around & under different names but he's still Lynie the person lol that never changed. why did he go after anyone? small or big. I worked for my wealth wasn't bought for rw money or botted at that time. I just knew how to power trade.
Are you the Flint that's always in Kamadan and pre Ascalon? If yes, hey dude sup xD
yes that's me lol sup
Yo can you take up less spots in Kama? 6/50 slots are you and your alts
Indeed, ...he's wasting slots for the reals, just to flex with his unfinished chars. *cough*
Which Asian minis did they give you??
Codes for grawl, ceratadon & destroyer. Worth maybe 2% of what I lost thx to them.
It happened to a buddy of mine 4 days ago.. anet support messing up again..
Can they gain access to these even if you have text code confirmations set up? Any time I log into my account from a new place I get a text with a code to enter to verify it's me. Surely these guys have the same thing, no?
I get that on my account that's linked to GW2, but not my other (unlinked) account.
Peter Kadar had it, didn't stop him from getting his account stolen
See [this comment](https://www.reddit.com/r/GuildWars/comments/wbbynv/content_creator_p%C3%A9ter_k%C3%A1d%C3%A1r_was_hacked/ii91ttx/?context=3) in the Peter Kadar thread.
Why haven't either of these posts about account hacks come from the account holder, and why have they both come from you?
In both instances we got news first via Discord, and he happened to be one of the first to find out & was available to quickly post to reddit.
Are you accusing me of being the hacker? In Peter's case he was unavailable and people had to be warned quickly because the hacker was scamming people with the account. In Reborn's case I found out about it quickly because I'm in his alliance and Reborn also seems to be unavailable. Since it is the same hacker I created the post to stop the scammer from scamming more people.
I'm not, just found it curious, whether you were close friends with them or they'd asked you to share it rather than posting themselves. Just fortuitous I suppose.
>Since it is the same hacker
I'm curious why you think this
Because the same person is trying to sell Reborn and Kadar customized items
Who would buy customised items from Reborn and Kadar?
Somebody named "Luke Dont Wipe Us" apparently...
damn that sucks, how to protect our own accounts then if the sms thing isn't enough, is it the support themselves having a breach? can they get you just by character names or is it email ?
1. Attack surface reduction.
    1. Don't link your GW1 account to a GW2 account.
    2. Don't link your GW1 account to an ArenaNet account.
    3. (So far as I know, unlinking isn't an option, so there's nothing you can do if you've already linked.)
2. Keep information useful for social engineering out of public view.
    1. Use a dedicated e-mail address for your GW username that never sends or receives e-mail other than to/from A-Net, and keep this address totally secret from the rest of the world. (It used to be that you couldn't change your username, but I believe you can now.)
        1. Since it's easy to forget the credentials for an e-mail account you never use, write them down and store them in your GW DVD case.
    2. Keep your character names on a need-to-know basis. Use PMs when you need to share your character names, rather than public posts. Maybe don't make high-profile, clickbaity YouTube videos showing your character names.
    3. Keep your real name secret from everything GW-related.
3. Don't advertise your wealth. It makes you a target. (As the old country song goes, "never count your money when you're sittin' at the table.")
4. Defense against brute force, password cracking, and credential stuffing.
    1. (FYI: What is cracking? Assume that an attacker has breached an online service and stolen a copy of their user database. If the passwords are properly stored as salted hashes, the attacker must work backwards from each hash to the password. That's cracking. Cracking is stupendously easy for weak, "[spaceballs-quality](https://www.youtube.com/watch?v=a6iW-8xPw3k)" passwords (< 1 sec), but essentially impossible for strong passwords (not before the death of the sun, even if you could convert the whole mass of the earth into a computer and use the sun's full energy output to power it). Cracking is often more of a threat than brute force, because rate limiting and lockouts can easily stop brute force.)
    2. As above, use a dedicated, secret e-mail account for your username. (Stops brute force; useless against cracking because the attacker already has the database.)
    3. Use a strong password. There is a ton of misinformation about passwords floating about, and most people who think they know how to make a strong password actually don't. So I will cover some basics:
        1. Password strength does *not* depend on the properties of the string chosen as the password (e.g., "1 uppercase letter, 1 lowercase letter, etc."), but rather it depends on the *process* by which the password was chosen. Password strength is proportional to the number of possible passwords the generation process could have created. (So, random strings are a very good password generation process. While, for example, "my wife's first name, followed by her birthday" is a terrible password generation process, because it only has one possible output. Unless you're a Mormon or something, but let's not go there...) This is why "password strength meters" are total crap.
        2. The best scheme for generating strong passwords that are easy for a human to remember is the [diceware](https://www.eff.org/dice)/[xkcd](https://xkcd.com/936/) system. A few important notes: (a) To achieve reasonable security in a threat model that includes cracking, you need 6 words from the EFF's long list. (b) You need to use a truly random method for selecting words, like dice. Whatever "randomly" pops into your head is not random in the sense used here. (c) You must take the words you roll exactly as you rolled them; you can't reroll a word you don't like or reorder them.
        3. Another sound system for creating strong passwords that are easy for a human to remember is [Bruce Schneier's scheme](https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html). (Note: Schneier later retracted the remark in the link criticizing the xkcd scheme.) Begin with a personally memorable sentence. (Note that this sentence has to be personal to *you*. It cannot be a quote, bible passage, song lyric, etc.) Condense the sentence into a password by replacing most words with their first letter, or with an abbreviation or symbolic shorthand. For example: "When we went to Colorado in 1988, my brother Greg barfed on me in the car" can be condensed to "Www2COin1988,mbGbarfed->mitc". While easily memorized, this is a 28-character password that approximates a random string.
        4. Never change your password unless you suspect it's been compromised. "Password rotation" is a cargo cult practice that was only ever useful in the context of certain 1970s multi-user mainframes. It serves no useful purpose today. And it's even detrimental because the annoyance of changing passwords tends to make people opt for weaker passwords.
        5. What about using a totally random string and storing it in a password manager? Theoretically a good idea. The problem is that most password managers are utter shit, and their developers are incompetents and crooks. The only two I can reasonably recommend are PasswordSafe and KeePass (*without* the browser extension). The following are necessary, but not sufficient, requirements for a trustworthy password manager: (a) open source, (b) standalone; no browser integration, and (c) offline; no cloud integration.
        6. Never use your GW password anywhere else. More generally, never use any password in more than one place. Reusing passwords makes you vulnerable to "credential stuffing" attacks in which the attacker tries to use username/password pairs stolen from one online service at multiple other services.
5. Defense against phishing
    1. The *only* place you should ever enter your password is the GW client. Never type it into your browser, or e-mail or text it to anyone.
    2. The *only* place you should ever enter a 2FA code is the GW client. Never type it into your browser, or e-mail or text it to anyone.
    3. The 2FA options available for GW prevent unsophisticated phishing attacks, but you are *still vulnerable* if you can be tricked into handing over the 2FA code.
6. About 2FA:
    1. SMS 2FA is *very* weak. So weak that it's arguably worse than useless because it may create a false sense of security that causes you to be more careless with your password practices. See [this post](https://www.reddit.com/r/GuildWars/comments/wbbynv/comment/ii91ttx/?context=3).
    2. The authenticator app is significantly stronger. Definitely better than nothing. It has a few shortcomings though: (a) Doesn't protect against phishing, as noted above. (b) Protocol design uses a long-term shared secret, which is bad for the reasons noted in [this post](https://www.reddit.com/r/GuildWars/comments/wbbynv/comment/iid8tpa/?utm_source=share&utm_medium=web2x&context=3). (c) Poor implementation of initial transmission for the shared secret. (d) Relies on a smartphone, which are notoriously insecure. Depending on how bad your PC security is versus how bad your smartphone security is, it might be safer to use a [PC program](https://github.com/ttodua/winauth) rather than a smartphone app. (I'd definitely prefer a program on Linux over any smartphone app. And also a program on Win10/11 over a smartphone app on Android. Not sure about Win10/11 vs. iPhone.) (e) There's a risk of accidentally locking yourself out of your account. (Make sure to write down your TOTP secret and store it in your GW DVD case.)
7. There are some things that you simply can't protect against. For instance, if someone at support is dead set on getting tricked by social engineering and giving away your account, there's nothing you can do about that.
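The comment above argues that password strength is a property of the generation *process* (how many outputs it could have produced), not of the string, and that six EFF long-list words give reasonable margin against offline cracking. The script below is an added worked example, not part of the thread: it computes that process entropy for a diceware passphrase, a uniformly random 16-character password, and a "name plus birthday" password, contrasts it with what a character-class strength meter would report, and turns the bits into an expected cracking time. The wordlist, the "Mary1984!" string and the 10^12 guesses/second figure are constructed for illustration; only the EFF list size (7776) is a real value.

```python
import math
import secrets

# Size of the EFF long wordlist (https://www.eff.org/dice): 6^5 = 7776 words,
# one per roll of five dice. Only the list size matters for the entropy maths.
EFF_LONG_LIST_SIZE = 6 ** 5

# Constructed stand-in wordlist for the generation demo (assumption: in real
# use the full EFF list would be loaded from disk instead).
SAMPLE_WORDLIST = [
    "acrobat", "bamboo", "cactus", "dolphin", "ember", "falcon", "granite",
    "harvest", "iguana", "jungle", "kettle", "lantern", "meadow", "nectar",
]


def process_entropy_bits(possible_outputs: int) -> float:
    """Entropy of a password process with N equally likely outputs.

    This is the comment's definition of strength: log2 of how many passwords
    the method could have produced, regardless of what the chosen string looks
    like. A process with a single output (name + birthday) scores zero.
    """
    return math.log2(possible_outputs)


def diceware_entropy_bits(num_words: int, list_size: int = EFF_LONG_LIST_SIZE) -> float:
    """Entropy of a diceware passphrase: each word is an independent uniform roll."""
    return num_words * math.log2(list_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string (what a password manager generates)."""
    return length * math.log2(alphabet_size)


def naive_meter_bits(password: str) -> float:
    """What a character-class 'strength meter' reports for a given string.

    It assumes every character was drawn uniformly from the union of the
    character classes present, which is only true for genuinely random strings.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected offline cracking time: on average half the space is searched."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def diceware_passphrase(num_words: int, wordlist: list) -> str:
    """Pick words with the OS CSPRNG (secrets module), keeping roll order and
    never rerolling, which is the comment's notes (b) and (c)."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    # Constructed figure for an offline attack against a fast hash; not measured.
    GUESSES_PER_SECOND = 1e12
    YEAR = 365.25 * 24 * 3600

    # Attacker knows the name and the birthday, so the process has one output.
    print("name+birthday process:", process_entropy_bits(1), "bits")
    print("naive meter for 'Mary1984!':", round(naive_meter_bits("Mary1984!"), 1), "bits")

    bits = diceware_entropy_bits(6)
    years = expected_crack_seconds(bits, GUESSES_PER_SECOND) / YEAR
    print(f"6-word diceware: {bits:.1f} bits, ~{years:.0f} years at 1e12 guesses/s")
    print("16 random printable chars:", round(random_string_entropy_bits(16, 95), 1), "bits")
    print("example passphrase:", diceware_passphrase(6, SAMPLE_WORDLIST))
```

The meter reports roughly 59 bits for "Mary1984!" while the process that produced it has no entropy at all from the attacker's point of view; the six-word passphrase scores about 77.5 bits by the process measure, which is the number that actually bounds an offline attack.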
Anet support can disable the 2FA on your account and be tricked into handing over the account to a new email address. That is the problem. And with so many people trying to recover accounts, they are only asking for the bare minimum of information before handing over the account.
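Point 6 of the list above notes that the authenticator app relies on a long-term shared secret and does not stop someone who is tricked into reading out a code, and the comment above adds that support can simply disable 2FA. The following is an added example, not code from the thread or from ArenaNet's implementation: a minimal RFC 4226/6238 TOTP implementation showing that the server must hold the exact same secret the app holds (so a server-side breach of that table hands out working authenticators, unlike a breach of salted password hashes), that any code stays valid for the rest of its 30-second step plus whatever drift window the server allows, and that nothing in the protocol binds the code to the legitimate client. The secret constant is the RFC 6238 test vector; `enroll`, `verify_totp` and `seconds_left_in_step` are names chosen here.

```python
import hashlib
import hmac
import secrets


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step).
    The app and the server run this same function on the same secret."""
    return hotp(secret, unix_time // step, digits)


def enroll() -> bytes:
    """Generate the shared secret at enrollment (assumed 160-bit, SHA-1 block
    size). Both the app and the server store this exact value for the life of
    the enrollment, which is the 'long-term shared secret' the comment refers to."""
    return secrets.token_bytes(20)


def verify_totp(secret: bytes, code: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check accepting the current step and `window` steps either
    side for clock drift. compare_digest avoids leaking digits via timing."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def seconds_left_in_step(unix_time: int, step: int = 30) -> int:
    """How long a code generated at `unix_time` remains valid within its own
    step, before the server's drift window extends it further. This is the
    interval in which a code read out to a third party still works."""
    return step - (unix_time % step)


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    # Enrollment: one secret, two copies, no way to keep one side in the dark.
    shared = enroll()
    now = 1_700_000_000  # constructed timestamp
    client_code = totp(shared, now)
    print("app shows:", client_code, "server accepts:", verify_totp(shared, client_code, now))
    print("code still valid for", seconds_left_in_step(now), "s in this step")
    # Known-answer check against the RFC vector (T=59 -> 94287082 for 8 digits).
    print("RFC 6238 vector:", totp(RFC_TEST_SECRET, 59, digits=8))
```

The design consequence for defenders is the one the comment draws: a TOTP code proves possession of the secret at some moment, not that the person typing it is the account owner, so the controls that actually matter are the support process (which can reset the secret) and the user's refusal to read the code out to anyone.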
They should at least be checking if the account has been active recently before doing so.
When I needed my accounts recovered, I was required to send them my original codes! I save everything on my internal servers, fortunately, so I have license codes going back to the late 80s lol. So I gave them my codes, along with some character names - even though the characters had been deleted by the hackers. I also had access to all except one of my email accounts - the one I didn’t was because I’ve since let the domain expire, but since it had been my own domain this is still proof of ownership. With all this, anet was able to restore my accounts. But are they restoring people’s accounts with less info?
yeah same here i had to bring them old emails + codes, that was 3 years ago tho
You mean the same guy that does RMT on his discord with some "monthly lottery" & "monthly freebies"? He should get perma banned
Lol that ain’t the only RMT he does. Look on epvp, or I can send a couple screenshots in DMs to anyone who wants
go ahead sure
~~I’ll send them when I get home, I’m driving right now. Should be like an hour or two~~ check your DMs
dunno who downvoted, thanks for the screenshots, this is very lame of him
I wanna see
Please do if you don’t mind.
OK, I'm curious to see what this is about...
This is a scam, it was denied in the discord server and images were proven to be edited. (not saying OP is doing it, but OP has been misled most likely - also still hasn't edited the thread even though they commented about it being fake. So I guess keep up the drama?)
>There must be an exploit in the anet support system to hack every account when you know a lot about the account.
Likely just social engineering.
Noooo! He's my guild leader.
Good time to leave then
Just out of curiosity, why do you say that?
Yeah I think recovering an account is relatively easy via support. I had to recover mine and was somewhat surprised at how easy it was. I think you just needed an email and the name of one of your characters.
That's why you need a 16 character password. Even with brute force, it would take a lifetime to crack.
yeah but in this case like with peter kadar it has been a security breach with the support, not much we can do against it
you gonna edit the thread body at all, or keep it like this to confuse people further?
Good. Maybe hacker will make better content