Guild Wars Forums - GW Guru
 
 

Old Apr 06, 2011, 12:03 AM // 00:03   #1
Krytan Explorer
 
ducktape's Avatar
 
Join Date: Jul 2005
Profession: W/R
Epsilon e-mail breach: your GW login address may not be safe

What are you talking about?
Hackers and spammers may have suddenly obtained your name and e-mail address last week, and it may make your GW account more vulnerable, since nobody will have to guess whether or not your e-mail address exists, only whether or not it will get them into a GW account.

Where did they get my e-mail address from?
If you ever used the e-mail address that serves as your GW logon for any other purpose, even if you unregistered from the other websites and services and only use it for GW now, your e-mail address may have at one point been entered into the database of Epsilon, a major e-mail marketing servicer used by over 2,500 companies, including several major US banks and financial services, and several Fortune 500 companies. Epsilon claims to have 250 million customer records, most of which are likely to have an e-mail address on file. Epsilon was hacked on March 30, 2011. It is not necessary to have signed up for mailing lists, contests, or marketing promotions; having an online management account for your bank or providing an e-mail address on a job application is enough for your e-mail account to have been sent into the Epsilon vortex.

How do I know if they got my e-mail address?
Epsilon is refusing to release a list of companies whose customers have had their names and associated e-mail addresses stolen in the breach. Companies who use Epsilon for their e-mail services usually do not disclose that they have shared or will share your information with Epsilon. Individual companies whose customers have been affected by the Epsilon breach are notifying their customers (this is not required in all states, and some companies may never notify their customers of the breach) to be on the lookout for phishing e-mails and an increase in spam.

Customers are reporting that even if they had not done business with a company in years, and had closed out all of their accounts with said company, if that company's customer lists were managed by Epsilon, the customer's e-mail address was still held by Epsilon and was obtained by hackers in the breach. Unregistering from mailing lists also did not remove customer e-mail addresses from the Epsilon database; it only prevented further marketing e-mails, and the customer's e-mail address was still sitting in the Epsilon database to be stolen by last week's hackers.
TLDR: You may never know if Epsilon had your e-mail address, and you may never know if your e-mail address has been compromised by the Epsilon breach. You need to assume that your e-mail address is in bad hands!

Oh snap! Now what?
If you are not linked to an NCSoft Master Account (never bought from the GW In-Game Store, never bought a digital download of GW) you can just change your GW logon information to a new e-mail address that you have never used for anything besides GW, and will never use in the future for anything besides GW. Lucky you!

If you are linked to an NCSoft Master Account, you can change the e-mail address associated with your NCSoft Master Account for support issues and password resets on your NCSoft Master Account, but you can't change the e-mail address required to log onto GW. Sorry, blame NCSoft for that, because they are the ones who say it is impossible to ever allow you to change your GW logon e-mail address once you have linked to an NCSoft Master Account. You should be very careful about posting your character name anywhere, since that is the only thing keeping hackers and botters from brute-forcing their way into your account! You may want to beg NCSoft to allow users to change their GW logon e-mail address under all circumstances (fat chance!) or beg ArenaNet to come up with additional non-guessable non-screen-scrape-able (i.e. not just character name) security measures for GW accounts that can be implemented without NCSoft's cooperation.

Sample of known companies affected by the breach, aka 'You are screwed if you ever gave these guys your e-mail address':
Best Buy
Capital One
Citibank
Fry's
Chase (aka JP Morgan Chase)
HSN
Kroger
TD Ameritrade
Target
TiVo
US Bank
Walgreens
There are many more companies, and if the entire Epsilon database was looted, it could be 2,500 companies' worth of customer lists and 250 million e-mail addresses.

More reading at:
http://krebsonsecurity.com/2011/04/e...pear-phishing/

http://www.securityweek.com/massive-...s-major-brands

http://arstechnica.com/security/news...hase-users.ars

http://redtape.msnbc.com/2011/04/who...about-you.html

/epicfail
/beg 'Can we please have a secure logon system?'

Last edited by ducktape; Apr 06, 2011 at 12:06 AM // 00:06.. Reason: quote marks hates me
ducktape is offline   Reply With Quote
Old Apr 06, 2011, 12:42 AM // 00:42   #2
Desert Nomad
 
Chocobo1's Avatar
 
Join Date: Sep 2007
Location: New Zealand
Guild: CoA
Profession: N/

I just don't care anymore, it's always the same old story. My junk mail inbox is literally filled every day with spam about Wow Accounts, Aion Accounts, Guild Wars accounts and what not and how I need to confirm my account or risk losing it. I don't have any of those games apart from Guild Wars.

I'm careful with my game account. I have an email for games and an email for most other things. So people are only getting my gaming email because of me signing up for the actual game. It's tiring and I just want them to sort their crap out. But I'm not holding my breath anymore.
Chocobo1 is offline   Reply With Quote
Old Apr 06, 2011, 12:48 AM // 00:48   #3
Furnace Stoker
 
Dzjudz's Avatar
 
Join Date: Jun 2005
Guild: gwpvx.com/user:dzjudz

This message might as well be:

If you type in any e-mail address, you might type in an actual e-mail address somebody uses for GW.

Brute-forcing into GW. Really?
Dzjudz is offline   Reply With Quote
Old Apr 06, 2011, 01:06 AM // 01:06   #4
Krytan Explorer
 
ducktape's Avatar
 
Join Date: Jul 2005
Profession: W/R

I totally agree about the increase of spam, there is zero likelihood of remaining spam-free forever. I also agree about the phishing, since most of the phishes are so poorly done or so illogical that I do not feel sorry for anyone who falls for them.

The real problem is having our e-mail addresses harvested and known as a valid, working e-mail address, and then having that e-mail address available for botters and gold-sellers to try and brute-force into our accounts.

Keep in mind: NCSoft or ArenaNet could possibly be Epsilon customers. Hopefully they will deny or confirm any possible history with Epsilon, since having 'Registered Account Owner Name' + 'Registered Account E-mail Address' + 'This Name and E-mail Combination Use These Game Services' is the worst possible scenario (from a security standpoint) that could happen to anyone with a linked account. NCSoft and ArenaNet are under no obligation to tell us if they have ever used Epsilon, so unless they are open enough to deny ever having used Epsilon services, it is best to assume the worst possible scenario and protect yourself by changing your GW logon e-mail if you aren't linked to an NCSoft Master Account. If you are linked, there's not much you can do right now except hope your account doesn't get hacked...
ducktape is offline   Reply With Quote
Old Apr 06, 2011, 02:30 AM // 02:30   #5
Desert Nomad
 
Voodoo Rage's Avatar
 
Join Date: Mar 2008
Location: Sacramento, CA
Guild: Geezers
Profession: R/

Hopefully the guy whose account I stole didn't register his e-mail with one of those sites...


Voodoo Rage is offline   Reply With Quote
Old Apr 06, 2011, 02:34 AM // 02:34   #6
Desert Nomad
 
Chocobo1's Avatar
 
Join Date: Sep 2007
Location: New Zealand
Guild: CoA
Profession: N/

Quote:
Originally Posted by Voodoo Rage
Hopefully the guy whose account I stole didn't register his e-mail with one of those sites...


Risky telling a joke on Guru.
Chocobo1 is offline   Reply With Quote
Old Apr 06, 2011, 03:07 AM // 03:07   #7
Desert Nomad
 
Join Date: Aug 2005
Profession: Mo/

The only spam I get about WoW, Aion, or GW is involved with my GWG registered email, so I'm not too concerned about the possibility of my log-in email being leaked. Hell, the log-in email isn't even a real email anymore.
KamikazeChicken is offline   Reply With Quote
Old Apr 06, 2011, 03:44 AM // 03:44   #8
Krytan Explorer
 
Chrisworld's Avatar
 
Join Date: Aug 2010
Guild: Gameamp Guides [AMP]
Profession: W/

Thanks for the heads up. I personally don't care if they got my email or what anyone can do with it. No one is going to be able to brute force my GW account let alone anything else. Good luck to them, they'll need it.

Also, one thing I do is use email clients (OS X Mail.app, iPod touch, Mozilla Thunderbird); these suckers can be set up to block addresses and/or strings of very common gimmicky ad text, and when an email floats my way with the banned text strings or address, I'll never see it. Buahahahaha.
Chrisworld is offline   Reply With Quote
Old Apr 06, 2011, 04:25 AM // 04:25   #9
are we there yet?
 
cosyfiep's Avatar
 
Join Date: Dec 2005
Location: in a land far far away
Guild: guild? I am supposed to have a guild?
Profession: Rt/

my tinfoil hat and I have been waiting for a day like this---I have NEVER given out my email address to any one of those listed--I DON'T have online banking--never will. I use the phone to contact my bank or walk in. (heck I don't even have a debit card!).
If asked in a store or something for an email I just say no...the coupons aren't worth it!

(and yet I still don't feel safe....maybe a tinfoil suit too------)
__________________
where is the 'all you can eat' cookie bar?
cosyfiep is offline   Reply With Quote
Old Apr 06, 2011, 04:32 AM // 04:32   #10
Lion's Arch Merchant
 
Kula's Avatar
 
Join Date: Jun 2005
Location: West Coast, USA
Profession: Mo/E

I only regret signing up for Facebook. My email rarely had any spam, but now it's like I let the flood gates open with that one.


I guess for GW2 I will try and use a new email address, ...if NCSoft will let me.

Last edited by Kula; Apr 06, 2011 at 04:35 AM // 04:35..
Kula is offline   Reply With Quote
Old Apr 06, 2011, 04:47 AM // 04:47   #11
Grotto Attendant
 
Join Date: Apr 2007

Thanks for getting the word out.
Chthon is offline   Reply With Quote
Old Apr 06, 2011, 05:08 AM // 05:08   #12
Desert Nomad
 
Bristlebane's Avatar
 
Join Date: Jan 2008
Profession: Mo/

Ahh.. Marty, we need a Tinfoil Hat or Suit in-game soon.
Bristlebane is offline   Reply With Quote
Old Apr 06, 2011, 05:31 AM // 05:31   #13
Frost Gate Guardian
 
Join Date: Aug 2010
Guild: Dragons Den
Profession: E/

Quote:
Originally Posted by ducktape
I totally agree about the increase of spam, there is zero likelihood of remaining spam-free forever.
Completely agree but I have stopped at least 99% of my SPAM email without affecting any email I really need.

I have my own email server and IP address other than the gmail I use for signing up for forums and such. That server sits behind a firewall that blocks almost everything that does not come from the USA. There are some specific IP addresses around the world that I have let in because I use their products. Once I set that up my SPAM dropped to around 4 or 5 SPAM emails a week on my main business account.

All those Nigerian Prince emails suddenly stopped. Anyone trying to even send to my server that is not on the allowed list doesn't even get a response. As far as Africa and other places are concerned my IP is a black hole.
LordDragon is offline   Reply With Quote
Old Apr 06, 2011, 08:43 AM // 08:43   #14
Grotto Attendant
 
zwei2stein's Avatar
 
Join Date: Jun 2006
Location: Europe
Guild: The German Order [GER]
Profession: N/

Frankly, I would be more worried about emails that were used when registering to GW related sites.

Like GWO (used mule account email address for that one ... guess what account got hacked when gwo was hacked?) or any other forum/tool/wiki/whatever site.

250 mil emails means it is very impractical to try to brute-force some mmo game, especially when it is quite hard to guess whether it is linked to it.

But you should be prepared for a wave of phishing that might include some mmo games.
zwei2stein is offline   Reply With Quote
Old Apr 06, 2011, 11:32 AM // 11:32   #15
Forge Runner
 
blue.rellik's Avatar
 
Join Date: Feb 2007
Location: Melbourne, Australia
Guild: None
Profession: W/

Thank you for the thread, I wonder if this has any correlation with my GW account being hacked last week. Thanks to the GW support, I could get the password reset again; however, it was too late as a lot of things were gone. This has basically killed my desire to continue playing the game.

I would like to ask those who have had accounts hacked like mine: does Anet do anything to restore what was lost? While I don't blame them as it's not their fault in any way, it does feel very disheartening for this to happen.
blue.rellik is offline   Reply With Quote
Old Apr 06, 2011, 12:04 PM // 12:04   #16
Jungle Guide
 
Join Date: Nov 2005
Guild: The Imperial Guards of Istan [TIGI]
Profession: N/

You won't get any lost items restored.
Raven Wing is offline   Reply With Quote
Old Apr 06, 2011, 04:44 PM // 16:44   #17
Wilds Pathfinder
 
Anon-e-mouse's Avatar
 
Join Date: Apr 2006
Location: @ Home
Guild: League Of Friends [LOF]
Profession: R/Mo

Quote:
Originally Posted by blue.rellik
I would like to ask those who have had accounts hacked like mine: does Anet do anything to restore what was lost? While I don't blame them as it's not their fault in any way, it does feel very disheartening for this to happen.
I've had NONE of the items I had stolen restored. Unless you are really quick and it's a fairly unique item you might get it back.

I ended up taking a break for a couple of months. I'm now starting to replace what I had stolen.
Anon-e-mouse is offline   Reply With Quote
Old Apr 06, 2011, 08:10 PM // 20:10   #18
Forge Runner
 
cataphract's Avatar
 
Join Date: Aug 2005
Location: Ashford Abbey
Guild: Hey Mallyx [icU]
Profession: Mo/Me

Quote:
Originally Posted by Raven Wing
You won't get any lost items restored.
A price you pay for not being in the right guild.
cataphract is offline   Reply With Quote
Old Apr 06, 2011, 09:18 PM // 21:18   #19
Grotto Attendant
 
Join Date: Apr 2007

Quote:
Originally Posted by zwei2stein
250 mil emails means it is very impractical to try to brute-force some mmo game, especially when it is quite hard to guess whether it is linked to it.
You assume, perhaps rightly, perhaps wrongly, that the e-mail address was the only item of data the hackers extracted. Consider the possibility that Epsilon maintained a separate, titled list for each of its corporate customers, or used a master record that contained a field for the customer's identity. If a-net or NCSoft were a customer, the hackers would know exactly which subset of those 205mil e-mails were GW/NCMA login credentials. I'm not saying that this is for certain a mass data breach of GW/NCMA login credentials, but I certainly wouldn't put it out of the realm of possibility.

So, that brings us back to the usual advice: Protect your character names, since little else stands between thieves and your account.

(Btw, I expect that the original thieves were after banking info, but sooner or later less valuable data like this may get sold to someone interested in exploiting it.)
Chthon is offline   Reply With Quote
Old Apr 06, 2011, 09:24 PM // 21:24   #20
Wilds Pathfinder
 
Ghull Ka's Avatar
 
Join Date: Jul 2005
Location: Seattle, WA
Guild: Grenths Helpdesk
Profession: N/

Quote:
Originally Posted by Chthon
So, that brings us back to the usual advice: Protect your character names, since little else stands between thieves and your account.
Well, that and a good password.
Ghull Ka is offline   Reply With Quote