Plea to Support

#1 - March 7, 2014, 3:55 p.m.
Blizzard Post

I had an incident last month where my account was compromised, but fortunately the intruder did not do any damage (that I could find). While all that ended well (up to this point) and I did not need a rollback, the method that was used to access my account is very concerning to me and I apologize that I took this long to bring it up here and request that policy or something be changed at Anet’s customer support to try and prevent this from happening to others in the future.

My email associated with my GW account was compromised first (I can only guess, in fact, I have no direct proof of this as nothing looked out of place in the email account (that I rarely access)). This was 100% my fault as it was a decade old email account that I have NEVER changed the password on and I have admittedly used that password at dozens of sites in the past. It should have been the FIRST one I changed when I started using unique passwords for all my logins several years ago, but since I rarely access the account, I never changed it. My bad and if I had lost everything in GW2, I would have accepted this as my stupidity.

HOWEVER, with only access to my email account, I still do not believe the hacker should have been able to send a single sentence email to GW2 support and get the password reset without a single question or verification of who the owner actually was. I GET that if the email came from the proper email address and did not appear to be spoofed Support would have no reason to suspect a hacker was pretending to be me and I understand they are busy and I’m sure they get those kinds of requests by the bucketful every hour, but the fact that it was THAT easy to change the password still has me VERY concerned.

I had recently quit playing daily so the only thing that made me aware of this was an email from GW2 support in my email box asking, “How would you rate your recent support experience?” I changed my email password immediately and had the horrid deep hole in the stomach feeling as I failed to log in here and my GW2 account. Looking at the email I realized what had happened and contacted support to try and regain control of my account (and prepare for a rollback (that I did not need)). Ironically, Support asked me about a dozen questions that I couldn’t even answer all of them without access to the account (I’m guessing I got about 9 or 10 correct with some possible spelling mistakes on character names) before resetting the password again. My mind continually went back to the fact that if they had asked these questions on the original request, my account would never have been at risk.

In the end it all appears to have worked out ok, but the ease with which my password was changed still upsets me and I eventually decided to write this (way too long) post in hopes that this can be avoided by others.

Gaile, PLEASE can you request that support obtain some level of information to verify the user / player prior to EVER considering changing a password? Thanks for the consideration (and sorry for the way too long post).

#6 - March 7, 2014, 8:35 p.m.
Blizzard Post

I understand your situation, Brother Grimm, and I am sorry that that happened to you. (Glad, too, that the account was intact. Well, glad and about 100% shocked, too — usually the RMTers that steal accounts strip them within minutes, so this was an exceptional case!) I also can see that your post was made with a true motivation of helping, not blaming anyone for the compromise incident and I thank you for that.

I have mixed feelings about your suggestion. I’ve actually taken this up with the team on several occasions, advocating just what you seek. However, the bottom line is, if you lose your e-mail account, you’re at risk of much worse things than the loss of a game account.

We could institute more checks, yes. But presenting everyone with hurdles to get access through the e-mail address directly tied to the account would inconvenience a bunch of people — hundreds a day, I’d imagine — as opposed to preventing a tiny number of situations like the one you found yourself in.

I like the ideas in this thread: We offer e-mail and mobile authentication. We give you the tools to protect your account, rather than trying to block someone on the other side of an e-mail account compromise. I think that’s a pretty good system and I encourage players to take advantage of one of the authentication options for that extra security it offers.

#9 - March 11, 2014, 7:18 p.m.
Blizzard Post

You’re welcome, BG!