In a recent post from Gaille
The thread can be found here
“I have news for you: If someone gets your password on any system, there’s a pretty big likelihood you’re going to be in trouble. And that is why we say — often and very firmly — that account security begins and ends with you. We’ll help, but your security is in your hands.
Use a strong, unique, hard-to-guess password for Guild Wars only.
Do not share your account.
The title of this thread is misleading. Our database has not been hacked. People are not waltzing in and getting players’ credentials. The incursions are coming from external sources, over which we have no control.
More information is available in our recent article about security.”
Not once did anyone in the thread mention a database compromise.
Nor does the title.
All I said was that it requires no confirmation to change anything, which I confirmed on my own account.
This is undoubtedly and unarguably a huge loophole.
Imagine I walked into a bank and said “I want to withdraw ALL the money from this account X”. (Imagine you are withdrawing much more than an ATM would allow.)
They reply: “Okay, do you have your PIN?”
You reply: “Yes here it is”
Cool have all the money KBYE.
Now normally you would expect things like
“you are not tied to this account or this person anyway”
“do you have proof of identity”
the list goes on.
But none of this needs to be done to get at an account.
This is where I believe the problem lies.
Now yes; account security DOES lie with the account holder but it also lies with Arena Net. This needs to be heightened.
Now, above: “We’ll help, but your security is in your hands”. This is what you have not done. You do not even have a Captcha function to prove someone isn’t just brute forcing the email. Even some of the most basic forums have one.
TL;DR: ANet lacks account security and there is nothing stopping the brute forcing of account passwords. Yes, users need to do what they can, but ANet doesn’t provide the resources for this.
