Ah yes… the reset mails come to the new email address, not the original. Apologies for not specifying…I always get really angry about this in every single thread on the subject that I’ve read about or posted in, and I often get carried away, forgetting to mention details about the situation. If they were emails coming to the old email address, I’d find that perfectly understandable, because the third party has that email address already….but the new address getting these emails is, to say the least, a bit discouraging, because that email has never been exposed.

I’ve had to repeatedly respond to posts of people saying:
“You can see anyone’s account in game, blah blah blah.”;
“You must have a virus…”;
“Your email is part of a list that some hacker cracker has and your emails are the same for everything and your passwords are the same for everything”;
…and any other run of the mill comment that anyone could possibly think of, on multiple occasions, because people don’t actually read all of the posts – they simply see one post on the 53rd page of a forum and blast you with comments essentially calling you an idiot.

The kicker that nobody seems to understand, is how the hell could I possibly be getting password reset notifications that are in fact legitimate, for an account that DOES NOT EXIST? The fact that I’m getting the emails on a previously unexposed email account is only the second part of the issue.

I’m not worried about a GW2 account…I don’t have one to lose. Do you see where I’m coming from with this?

Now, the second part (previously unexposed email) DOES have GW1 attached to it. A fresh email account that had no other previous ties to the game BECAUSE the account had been stolen on a separate occasion. The only way someone could get the email is through database exposure. My last post describes a way that it could have happened….It may have, or may not have happened that way, but it is a distinct possibility, and people keep coming back and telling me it’s my fault – it can’t be my fault if I don’t have the GW2 account in question….

but to which address does this phishing emails came to? The new isolated address? or the old email address that were tied to the GW1 account when it was breached?

I assume that for relevance it has to be the new isolated address, but i am just double checking if we’re on the same page here…

Someone -hopefully you!- has requested to change the email address associated with your Guild Wars account.
Need help or have questions about your Guild Wars account? Visit our support site: http://support.guildwars2.com/.
Thanks!
-The ArenaNet Team

Upon reporting this to the ANet support team no real answers were given to me just the good old FAQ link for all your solutions, so I haven’t been able to play or access anything related to my GW2 account as well as my GW1 account. Of course I’m still waiting for an actually helpful response. Yet they keep sending me password recovery links and stuff, completely disregarding me stating that the email attached to my account had been changed. So Hadokenx I agree completely with you.

Neither had a Guild wars 1 account or anything else MMO related connected to that username or password, I’m pretty damn sure that their servers were breached and they just aren’t saying. Keep in mind that this happened to the first friend THE DAY AFTER LAUNCH, luckily that’s when they freaked out about email authentication (what’s the point if you can log in without authenticating?) and he got his account back within 12 hours, he was told it had been locked because of access attempts from Korea.

Second friend only purchased a week after launch, account got locked yesterday and tonight it lists his home server as one of the EU ones.

It really doesn’t help that You can (or could) just skip the authentication page, or that it took THREE DAYS for their server to send me my email confirmation (and then the email was fucked and I couldn’t click the link because it was half as long as it should have been).

For those unaware of what I’m talking about, with the announcement of GW2, an “incentives” event was staged, by which people could grind for titles within GW1. The more titles you gain, the more “inheritance” items you would receive in GW2. To help people out, ANet created a little app on the GW2 website that is able to tell you which of those inherited items you would get by simply putting in a character name.

Let me ask you this: How can an app, directly available on the website, be able to access the information saved for your character? Do they magically create this information by directly accessing your character? No, they do not…it connects to the actual game database, and for each character, there is an account, and for each account, there is an email address.

Now, on to your SQL injection point: If it USES SQL, yes, it’s vulnerable. But maybe it’s a different database that doesn’t use SQL? No. It’s not. Their website is a WordPress website (check for yourself by looking at the source, and find wp-content and wp-admin lines in the code…that’s WordPress), and WordPress uses SQL based databases. For their website to have the ability to directly query the actual game database, it most likely uses SQL, and in turn is most likely vulnerable to SQL injection attacks.

And onto my next point…My email was changed due to my account having been stolen previously…it wasn’t third party crap like fan sites; it wasn’t a virus; it wasn’t social engineering; It was a flaw in the NCSoft website that allowed people to login and back out of their accounts in rapid succession, and those people would randomly end up logged into someone else’ account. I was one of the unfortunate ones that this happened to. So the argument of “it HAS to be your fault” doesn’t always apply. It’s the internet…everything is vulnerable.

Do you mean account? not email? Because if so I would suggest reporting that to customer support.

I’ve read other people who had the same messages. It basically means they have your account details already, but just cannot get past the e-mail validation yet. Some users have reported that eventually the account was stolen after a buttload of attempts.

But I guess that’s useless if they have changed the e-mail or deleted your characters anyway.

The e-mail validation might have helped me to keep my account more secure, but unfortunately every time I’ve tried to validate my e-mail the link is broken and gives me nothing but ‘an error has occurred’

Which means your current email address was obtained from a 3rd party and is being used in a phishing attempt. It’s great how everyone thinks every database is vulnerable to SQL injection. The sony case was entirely different to anything else that has happened. Sony pissed off people by removing linux on the playstation after it was jailbroken, the contents of their databases were posted on the internet. That was the proof sony was comprimised regardless of how long it took sony to publically announce it many people knew a long time beforehand. Nothing like this has happened yet and until there is some proof, SQL injection this SQL injection that oh look ArenaNet has been hacked.

I chose to delete and ignore these emails and haven’t had any issues…..so far.

Apparently, I haven’t made myself clear. If you were at all interested in what I’ve actually said, instead of questioning me (again with my recursive responses)you might actually go look at those GuildWars2Guru posts, and note that I ONLY signed up there for this specific purpose…different email; different password for everything.

Seriously..if there wasn’t an actual problem, they wouldn’t have disabled the password reset system. There’s at least a flaw in the system; in a more reasonable situation, the email address list for accounts has been exposed (a breach).

“Hackers don’t just go after guildwars related websites.”
Are you mental? Hackers go after any and every vulnerability they possibly can.

“There is no breach, if there was, they would say. It’s not like they would lose subscribers if they admitted a breach or anything.”
Sony took 8 days….yes, 8 days to come forth and tell the world that they had been breached, and they wouldn’t have even told then if it wasn’t law. Why would they do this? Because they risk losing customers. If there is a breach in the system in which a hacker was able to gain access to the database through the website, you bet your ass they’re going to try to keep quiet – they might not lose subscribers immediately, but they’d have to pull the servers offline to find the flaw and fix it…in that time, the people that were playing the game would have to find something else to do to fill their time, and eventually lose interest. In other words, they risk losing customers. They cannot risk that at this point in time because they’ve invested too much time into the project.

You do realize that guildwars2guru is a third party website right? Also, do you use the same password anywhere else? Hackers don’t just go after guildwars related websites. There is no breach, if there was, they would say. It’s not like they would lose subscribers if they admitted a breach or anything.

Yes bronzed, completely isolated. I had an issue with my GW1 account being stolen previously, in which when I got the account back, the email address was then changed to an email address that had no ties to anything else.

Literally, a single day after the official release of GW2, I started getting emails to change my GW2 password; the pitfall here, is that the emails are legitimately coming from with a link aiming at https://account.guildwars2.com/reset-password/, and not the emails that “look” like they are coming from a legitimate source, like those of the battle.net phishing emails.

While one may assume that I have a virus that is causing the issue…fresh installs, and no GW installed for quite some time, up until I got these emails so I could check to make sure my account hadn’t been stolen again.

My problem with this, is the fact that support are overlooking my circumstances because I don’t have a GW2 account…If I’m getting these emails, and I don’t have a GW2 account, but do have a GW1 account that is attached to that email, that means the database has likely been accessed by someone that shouldn’t have, in which case, there is a breach that ArenaNet or NCSoft is failing to inform the public about – think of the Sony debacle and the 8 days that it took them to actually mention something about it….

Explaining the issue is like a recursive algorithm checking over and over and over again to see if I’m crazy or stupid, because it’s simply not possible that the database has been breached…..

the trouble with phishing casualties is that once the address is out there, it’ll likely circulate VERY quickly among the miscreant that are likely to use them.

Once that happens it’s likely that the use of the email address in pretty much anything popular afterwards as a security risk in itself.

Interestingly enough while I did have a GW1 account, it was over 7 years ago I last accessed it and on another entirely different email account which I haven’t accessed, thought about or logged into over 7 years.

So obviously my email has popped up somewhere and is being targeted by phishing attempts. This particular email account I use now is used only two places, Battle.net and GoN. So how would a legitimate ncsoft email turn up on an address they don’t even know exists and has never been linked to any of their products, websites or affiliates? Seems like it’s just a broad phishing attempt from stolen email addresses – ie maybe from the big Blizz hack that occurred a month ago.

Of course it could be a blanket email from NcSoft trying to drum up more interest in GW2 :P

hadokenx:
whether you use the email for GW fan sites forums or what not frankly matters little, the more curious part is whether this email is used for other things before like other games and what not or if the address is completely isolated (never used before for other games, registration, etc).

because unless it is isolated, then there’s practically no guarantee that the address and possible password combination were not already compromised prior to it’s use in subsequent games or registration.

Go to the Guild Wars forum here on GoN and read my post about Password Reset Emails.

It’s many cases, it’s NOT the players fault…ArenaNet or NCSoft have been breached…I don’t care what anyone else says about it. I DO NOT have a GW2 account, and am getting the same emails as GW2 players….I DO have a GW 1 account, in which the only way the email could’ve been exposed was through NCSoft PlayNC site, or through SQL injection attacks on the Guild Wars Hall of Monuments Calculator which connects directly to the player database.

No, I don’t have a virus. No, I didn’t use that email to sign up for GW fan sites forums. Stop jumping to conclusions.

Hell, if you want to see how their support team actually responds, go to guildwars2guru.com, search for Password Reset Emails, and find the posts by “Temporarily Unavailable” (which just happens to be me.) There is a screen shot of the email conversation, and nothing has ever been solved since. The support team isn’t taking the problem seriously, and this article about them “helping players” is utter crap.

It’s also helped by the fact that ppl can link their GW1 account to it, which likely means it’s using the email address of GW1.

the natural thing to do would be to change both after the merge of the account, but few ppl do it… since, well… since it’s internet and most ppl simply are not used to taking safety precautions step.