Hacking Attempt Story. Guild Wars 2 - Possible Database Breach

So the purpose of this post is to share my experience with a hacking attempt on my account. It’s a positive story (well, at least the outcome is), so hopefully it will help someone else.

On Saturday morning (9-1-2012) my email started getting ArenaNet notifications asking for approval of login attempts from non-approved locations. This started at 6am and went on until about 8:30am, in 3-5 minute increments.

All of the locations listed on the email were located in different cities in China (CN). Obviously my email box was being hammered.

I had no clue what to do. Obviously my password was compromised (all numeric, no pattern, 6 digits, very weak; rated as 11 minutes to crack at 1000 attempts per second). 2 digits of entropy with 2 symbols appended would have changed it from 11 minutes to 3.6 centuries. I am a moron with my game accounts.

So I thought, what to do? Contact Arena Net? It was early Saturday. Write a post to my favorite forum? No idea.

At around 8:30am I changed my password to an alphanumeric combination, which changed the entropy attack scenario to 3.6 million centuries. The attacks did indeed stop after this, but I have no idea whether it was my actions that caused them to stop.

My thoughts are that the password database is compromised and Arena Net either has no idea or they are not releasing the information.

I would suggest everyone change their password immediately.

Some things that I think Arena Net should somehow have been aware of, and which are definitely flaws in the system:

1. Attempts from China, or other hacker-friendly countries, should just be ignored for North American players. Frankly this could be done for any country with simple database calls. They are already storing the location of the approved locations.
2. Seeing the amount of email coming out of the system should have just restricted the location change requests. Seriously, my email server was essentially under a DoS attack.

I do use Sanebox, so these emails did get filed in a folder for unknown emails, but I cannot blackhole the Arena Net emails, which is too bad.

The text of the emails is below:

A login attempt from the following location is currently awaiting your authorization.

Address: 120.71.26.181
City: Qingtao
Region: 02
Country: CN

This location is approximated based on information provided by your Internet Service Provider. If in doubt, deny the request and try again.

For security purposes, we alert you each time your account is accessed from an unrecognized location. To authenticate this login attempt, please click the link below:

https://account.guildwars2.com/allow-login?token=removed&request=removed&ip=120.71.26.181

Need help or have questions about your Guild Wars account? Visit our support site: http://en.support.guildwars2.com/
Thanks!
–The ArenaNet Team

Anyway, I hope this helps my fellow GW2 players and guildies.

Useful Link: https://www.grc.com/haystack.htm
Calculate the entropy of any password and the time to crack it in multiple attack scenarios.

Edit: I stand corrected on Arena Net not reacting. http://wiki.guildwars2.com/wiki/Game_status_updates
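Since the post quotes the notification format, here is an added example (my own code, not ArenaNet's and not part of the original post) that parses that e-mail body and applies the two checks the post argues for: hold a burst of approval requests arriving within a short window, and hold requests from countries outside the account's approved set. The timestamps, the extra addresses (taken from the RFC 5737 documentation ranges), the approved-country set, and the 30-minute / 3-request thresholds are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# The first body copies the layout of the notification quoted in the post;
# the timestamps and the remaining entries are constructed for this example.
SAMPLE_NOTIFICATIONS = [
    ("2012-09-01 06:00", """A login attempt from the following location is currently awaiting your authorization.

Address: 120.71.26.181
City: Qingtao
Region: 02
Country: CN

This location is approximated based on information provided by your Internet Service Provider."""),
    ("2012-09-01 06:04", "Address: 120.71.26.181\nCity: Qingtao\nRegion: 02\nCountry: CN"),
    ("2012-09-01 06:09", "Address: 203.0.113.7\nCity: Example\nRegion: 01\nCountry: CN"),   # constructed
    ("2012-09-01 06:13", "Address: 198.51.100.9\nCity: Example\nRegion: 03\nCountry: CN"),  # constructed
    ("2012-09-01 09:30", "Address: 192.0.2.10\nCity: Seattle\nRegion: WA\nCountry: US"),    # constructed home login
]

FIELD_RE = re.compile(r"^(Address|City|Region|Country):\s*(.+?)\s*$", re.MULTILINE)


def parse_notification(body):
    """Pull the Address/City/Region/Country fields out of one e-mail body."""
    fields = {key.lower(): value for key, value in FIELD_RE.findall(body)}
    missing = {"address", "country"} - set(fields)
    if missing:
        raise ValueError(f"notification is missing fields: {sorted(missing)}")
    return fields


def flag_notifications(notifications, approved_countries,
                       window=timedelta(minutes=30), burst_threshold=3):
    """Return one record per notification, in time order, with the reasons it should be held.

    'unapproved_country': the geolocated country is not in the account's approved set.
    'burst': this is at least the burst_threshold-th request inside the trailing window,
             the "one every few minutes" pattern the post describes.
    """
    events = []
    for stamp, body in notifications:
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M"), parse_notification(body)))
    events.sort(key=lambda e: e[0])

    results = []
    for i, (when, fields) in enumerate(events):
        reasons = []
        if fields["country"] not in approved_countries:
            reasons.append("unapproved_country")
        # Count this request plus every earlier one that falls inside the window.
        recent = sum(1 for earlier, _ in events[: i + 1] if when - earlier <= window)
        if recent >= burst_threshold:
            reasons.append("burst")
        results.append({"time": when, "address": fields["address"],
                        "country": fields["country"], "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in flag_notifications(SAMPLE_NOTIFICATIONS, approved_countries={"US"}):
        status = "HOLD " + ",".join(r["reasons"]) if r["reasons"] else "allow"
        print(f"{r['time']:%H:%M} {r['address']:<15} {r['country']} {status}")
```

With the constructed sample the first two Chinese requests are held only for country, the third and fourth are additionally held for the burst, and the later US login passes both checks; a real deployment would key the window per account and would stop sending approval e-mails once a request is held, which is the point the post makes about its inbox.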

If you don’t make your password unique for whatever MMO, you’re more likely than not to be hacked at some point, sadly.

Agreed, triggercut. Unique and weird passwords, every time.

Arena Net says the password list came from another location, but frankly that does not jibe. This password was unique to my GW2 account.

Anyway… All is good now… Hope the info and link maybe helps someone.

Should you have the link to the “allow” URL in your post?

Your password change must have been irrelevant to the attacks stopping. Because of the extreme slowness of password-guessing attacks through an actual login screen or HTTP connection, they probably were just using a short list of common passwords that they got to the end of and stopped.

Also the attacks were naive because the attacker was apparently unaware of the IP location system and the confirmation email.

Honestly, I find it kind of hard to believe in any kind of serious login attack that comes in through the usual game or web login mechanism. It’s just too slow and obvious; no doubt Arena.net will shut down the account automatically after a while, or at least you’d hope they would, anyway, since they’re at least smart enough to run IP geolocation on the login attempt. Serious attacks come from acquisition of the hashed password file, at which point you just have to hope the hash and salt system holds up. Companies get into trouble a) when they refuse to believe anyone can get the password file to begin with, and b) when they roll their own password file security without having a proper security review.
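To put numbers on the online-versus-offline point above, and on the crack-time figures in the original post, here is an added example (my own code, not from the haystack site linked in the post and not ArenaNet's) that computes the haystack-style search space for a password, i.e. every string up to its length over the union of the character classes it uses, and the time to exhaust that space at several guess rates. The rates are assumptions: 1,000/s for a throttled online login (the figure the original post uses), 1e7/s for an unthrottled web endpoint, and 1e10/s for an offline attack on a leaked fast-hash file. The example passwords are constructed.

```python
from string import ascii_lowercase, ascii_uppercase, digits, punctuation

# Character classes; the alphabet is the union of every class the password uses.
# 33 symbols = the 32 ASCII punctuation characters plus space.
CLASSES = (
    frozenset(digits),
    frozenset(ascii_lowercase),
    frozenset(ascii_uppercase),
    frozenset(punctuation + " "),
)

# Assumed guess rates in guesses per second (see the lead-in); not measured figures.
SCENARIOS = {
    "online, throttled (1e3/s)": 1_000,
    "online, unthrottled API (1e7/s)": 10_000_000,
    "offline, leaked fast-hash file (1e10/s)": 10_000_000_000,
}


def alphabet_size(password):
    """Size of the smallest class-union alphabet that contains every character."""
    chars = set(password)
    size = 0
    for cls in CLASSES:
        if chars & cls:
            size += len(cls)
            chars -= cls
    if chars:
        raise ValueError(f"characters outside the ASCII classes: {sorted(chars)}")
    return size


def search_space(password):
    """Number of strings of length 1..len(password) over the password's alphabet:
    what an attacker who knows only the alphabet must try in the worst case."""
    a, n = alphabet_size(password), len(password)
    return (a ** (n + 1) - a) // (a - 1)  # geometric series a + a^2 + ... + a^n


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time to try the whole search space at the given rate."""
    return search_space(password) / guesses_per_second


def humanize(seconds):
    """Rough human-readable duration for printing."""
    units = (("centuries", 3_153_600_000), ("years", 31_536_000),
             ("days", 86_400), ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:,.2f} seconds"


def compare(passwords, scenarios=SCENARIOS):
    """Map each password to its alphabet size, search space and per-scenario times."""
    return {
        pw: {
            "alphabet": alphabet_size(pw),
            "space": search_space(pw),
            "times": {name: seconds_to_exhaust(pw, rate) for name, rate in scenarios.items()},
        }
        for pw in passwords
    }


if __name__ == "__main__":
    # Constructed examples mirroring the post: 6 digits, 6 digits + 2 symbols, a longer mixed one.
    for pw, info in compare(["381947", "381947!?", "Vb7#ksQ2pL9m"]).items():
        print(f"{pw!r}: alphabet {info['alphabet']}, search space {info['space']:.3g}")
        for name, secs in info["times"].items():
            print(f"    {name:<42} {humanize(secs)}")
```

The takeaway is the one the reply makes: the "minutes" and "centuries" figures only hold at an online, throttled rate. Move the same password to the offline column and the six-digit one falls in microseconds, and even the eight-character mixed one is a matter of minutes, so a leaked hash file is the scenario the password actually has to survive.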

Yeah, good point, it’s no doubt expired by now, but it could be dangerous.

ANet sends the above email only when the login was successful (i.e. the password was correct) but it was from an unknown location (i.e. a location you haven’t approved before). They weren’t guessing his password when he was getting those emails from ANet; they already knew it.

So changing the password was a good idea.

The most likely way for them to guess the password was through using the Trading Post. ANet created TP so it could be accessed from outside the game. Here is an example of a guy doing this: http://www.gw2spidy.com

Now I am not sure how exactly they implemented login there, but I would guess that initially, to get access, you would only have to provide your account/password, and the TP wasn’t connected to their authentication servers (the ones that send the approval emails). Obviously the TP was designed to handle a gazillion requests a second, so it was a perfect avenue to guess simple passwords.

IMO that was the main reason why the TP was down for a week. Hopefully they took their time to protect it better; they probably connected it to the auth server and simply ignore requests from unknown locations.

[edit] Here is the link to the Trading Post: https://account.guildwars2.com/login?redirect_uri=http%3A%2F%2Ftradingpost-live.ncplatform.net%2Fauthenticate%3Fsource%3D%2F&game_code=gw2

Ah, I see; that makes sense.

I wonder why Arena.net didn’t turn off the account temporarily, because it must have been obvious it was being attacked.

I removed the token from his link since sjgold doesn’t seem to have read this.

Hopefully arena.net adds two-factor authentication soon. Ideally Google Authenticator.