Guild Wars Guru Security Notice - Page 3 - Guild Wars Forums

Dralspire · Jan 24, 2010, 03:50 AM // 03:50

Done, passwords changed.

S{R}Raptor · Jan 24, 2010, 03:53 AM // 03:53

what if this breach has not been fixed and the people that did this snuck a root kit onto the server the forums are running on, knowing that the first thing people do is change emails and passwords, then these guys get all your changes to. A gaming league i belong to had this happen to them and it took them over a year to straighten out all the crap that got damaged.

I am glad you guys told us that you had a security breach, but you need to dot every i and cross every t and make darn sure everything is accounted for before you go telling innocent people to reset their stuff and end up them being the ones that get hacked. Rootkits are damn hard to detect unless you have the right scanners for them as most AV will not find them.

Valcion · Jan 24, 2010, 04:00 AM // 04:00

honestly, no use in change my forum info, since if they got it they got it, not much to be done about it. It's much more important to change the OTHER info, like your ncsoft master account password and email and such.

I use a junk mail acct for all game fan sites and completely separate and unique email and pass for my in game stuff, so at the very worst they can hack into my other fan site accounts, but not my actual game accounts.

Inde · Jan 24, 2010, 04:06 AM // 04:06

Quote:

Originally Posted by S{R}Raptor

what if this breach has not been fixed and the people that did this snuck a root kit onto the server the forums are running on, knowing that the first thing people do is change emails and passwords, then these guys get all your changes to. A gaming league i belong to had this happen to them and it took them over a year to straighten out all the crap that got damaged.

I am glad you guys told us that you had a security breach, but you need to dot every i and cross every t and make darn sure everything is accounted for before you go telling innocent people to reset their stuff and end up them being the ones that get hacked. Rootkits are damn hard to detect unless you have the right scanners for them as most AV will not find them.

Well I guess I could make up a few "what if" theories myself as well (which I have indeed been doing for the last 24 hours now

), but I can tell you we went over our files with a fine tooth comb. They didn't get onto our server from what we can tell but I don't have an answer for you, or if this was a concern, because if you know about rootkits than you know the problems associated with those. I can tell you that even now we continue to work on this but we've always monitored our security, which is how we knew this happened in the first place.

I'm as upset by all this as anyone, it's not an easy problem and there are no easy solutions. We are very disappointed that this happened as well. My own data was compromised as much as yours. Our approach is to try to be as open and honest as possible with all of you.

S{R}Raptor · Jan 24, 2010, 04:27 AM // 04:27

Quote:

Originally Posted by Inde

Well I guess I could make up a few "what if" theories myself as well (which I have indeed been doing for the last 24 hours now

), but I can tell you we went over our files with a fine tooth comb. They didn't get onto our server from what we can tell but I don't have an answer for you, or if this was a concern, because if you know about rootkits than you know the problems associated with those. I can tell you that even now we continue to work on this but we've always monitored our security, which is how we knew this happened in the first place.

I'm as upset by all this as anyone, it's not an easy problem and there are no easy solutions. We are very disappointed that this happened as well. My own data was compromised as much as yours. Our approach is to try to be as open and honest as possible with all of you.

Im glad you guys are telling us about the breach, just putting in my 2 cents, maybe get you guys to check something you might not have thought about. Im almost wondering Inde, if this incident is related to what i experienced in early December.

Inde · Jan 24, 2010, 04:31 AM // 04:31

I'll bring everyone up to speed, S{R}Raptor's last line is referring to a virus notice he believes happened from a visit to Guru in December of '09. I contacted him personally by PM as his was the only report. We checked our ad server, tried to replicate and watched the forums closely for any further reports and received none. So no, I do not believe this was related, to answer your question.

Gennadios · Jan 24, 2010, 04:56 AM // 04:56

Well. At least you didn't wait for the player base to find out and then accuse us of exercising poor security to cover it up.

Ty for the announcement.

Akish Cohor · Jan 24, 2010, 05:04 AM // 05:04

Were our dates of birth on the information the hackers received?

Inde · Jan 24, 2010, 05:08 AM // 05:08

Yes, we believe so Akish. And just for further information, birthdates are collected for COPPA compliance when you register.

al_capowned · Jan 24, 2010, 05:13 AM // 05:13

what version of WordPress are/were you running? 2.9.1?

jonnieboi05 · Jan 24, 2010, 05:16 AM // 05:16

I'm curious... What would you say (in your opinion, Inde) was the most critical bit of information the hackers got (or believed to have gotten)?

Inde · Jan 24, 2010, 05:32 AM // 05:32

al_capowned - It was our blogs.guildwars2guru.com that was accessed using Wordpress MU 2.8.6. The next version release was Wordpress MU 2.9.1 on Jan. 14th, then another update on Jan. 18th to 2.9.1.1. So we were behind by 9 days. We had stopped development of the user blogs as we had run into numerous problems.

JonnieBoi05 - emails

SithLord2064 · Jan 24, 2010, 05:35 AM // 05:35

This is the sort of thing that makes my sphincter shrink. Thank Balthazar the GWG team caught it quickly and informed the users immediately.

jonnieboi05 · Jan 24, 2010, 06:11 AM // 06:11

Quote:

Originally Posted by Inde

JonnieBoi05 - emails

Ah, okay. Thank you, Inde.

al_capowned · Jan 24, 2010, 06:28 AM // 06:28

Quote:

Originally Posted by Inde

al_capowned - It was our blogs.guildwars2guru.com that was accessed using Wordpress MU 2.8.6. The next version release was Wordpress MU 2.9.1 on Jan. 14th, then another update on Jan. 18th to 2.9.1.1. So we were behind by 9 days. We had stopped development of the user blogs as we had run into numerous problems.

apache 2.xx?

mrmango · Jan 24, 2010, 09:34 AM // 09:34

Thank you for the notification.

Raven Wing · Jan 24, 2010, 10:05 AM // 10:05

+1 thank you for informing us.

I wonder if we will see a lot of old guru users like myself having their account used for RMT etc spam on this forum and then get banned by guru? I hope not

Gill Halendt · Jan 24, 2010, 10:22 AM // 10:22

Quote:

Originally Posted by Inde

JonnieBoi05 - emails

How about passwords?

Is there any chance they could match e-mails and passwords if passwords are succesfully decrypted?

Do you think they have got to GWGuruAuction as well?

*sigh* I have my IGN in that profile.

karlik · Jan 24, 2010, 10:41 AM // 10:41

I think as a result we might see many forum members getting one of those phishing emails? Seems to me like one of the best uses for the info they got.

As said before, this kind of thing happens, and the best thing the site can do is be open, honest, and tell us what happened.

A hobby forum I used to frequent was recently hacked, most members got a spam email that was said to have come from the forum (looked like an endorsement from the forum). They (the forum) denied it happened and said it was unrelated to their site. A few of us posted the header info showing it was sent through the forum mail system, including the ip address of the forums mail server. They eventually did some research and admitted that somehow it did come through their mail system, but it would never happen again, and no damage was done.

Being told "somehow" means they don't have any idea what happened or how it happened, and yet they can assure us nothing bad happened (none of our info was compromised) and it'll never happen again?

Thx for handling this right way guys.

LicensedLuny · Jan 24, 2010, 10:45 AM // 10:45

Quote:

Originally Posted by Gill Halendt

How about passwords?

Is there any chance they could match e-mails and passwords if passwords are succesfully decrypted?

Do you think they have got to GWGuruAuction as well?

*sigh* I have my IGN in that profile.

JR's OP mentions the auction section, too, as one of the passwords we're urged to change.

If you change your password now and someone manages to decrypt the password you used for the auction site yesterday ... they've decrypted a password that doesn't work anymore and still can't get to your auction profile info.

So yeah, change the password for the auction system, too.

Oh, and another, "Bummer, but thanks for letting us know so promptly," to JR and the other staff who are working on this!