Earlier today, Redditors began circulating a forum thread filled with pictures of a character named Gaile Gray running around classic Guild Wars spouting nonsense (and worse). The claim that followed was that Gray, a prominent member of ArenaNet’s community staff, had been hacked. That led to accusations that ArenaNet’s account security is lax, as still other players boasted about having tested the Guild Wars 2 account recovery process to hack other users via social engineering on Anet staff.
We reached out to ArenaNet on the topic; the company has confirmed the hack and issued a statement as follows:
To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.
We want to protect all accounts as much as we want to protect our own. Some of you were particularly concerned about the impact to the game of hacking a GM account. You should know that we don’t give GM accounts or any accounts the ability to cheat progress, synthesize items, or manipulate the game’s economy. We play the game the same way you play the game. The hacker was able to use Gaile’s GM access to manipulate guild trims, but mostly he handed out Gaile’s personal items that she had collected from years of playing GW1.
We take your account security seriously and will continue to do everything we can to ensure that our support team consistently applies this security policy and prioritizes protecting you from account hackers.