Guild Wars 2 studio ArenaNet chased the 2016 Gaile Gray account hacker all the way to Germany – and lost

    
69

Back in 2016, MassivelyOP covered an odd story about the Guild Wars franchise and a hack that seemingly involved the account of then-ArenaNet employee Gaile Gray. As we reported at the time, someone had accessed and logged into Gray’s Guild Wars account and trashed it rather publicly, which prompted a statement from Mike O’Brien that clarified the “hack” was down to “social engineering” of customer support agents.

I had forgotten all about the incident in the ensuing years; after all, ArenaNet’s had many more ups and downs since then (including the spywaregate mess in which a clever gamer employed the GDPR to access his GW2 data and prove that he and other people had been unjustly banned). But MassivelyOP was recently contacted by the “hacker” involved in the Gaile Gray hack incident, and the story he told us led us down a bizarre path of Reddit trolling, police raids, court appearances, wise-cracking German judges, account bans, social engineering, and an apparent security loophole that could’ve put every Guild Wars and Guild Wars 2 player’s account at risk.

Let’s start from the beginning.

Lynie (not his real name) was a 19-year-old computer science student in Germany back in 2016. He’s far from the ideal witness here, given his history, but he’s at the heart of the tale. He says his original Guild Wars accounts had been banned for exploiting back when he was 13, but he hoped to get them restored following a mass-unban wave that year, so he contacted customer support several times in that effort and was ultimately let into an account without proper verification.

“I tried getting back another account where I only remembered the char name,” he told us. “I really didn’t have much info about the account. My real name and everything didn’t seem to satisfy the support. Then they gave me a hint that the email [domain] was @wanadoo.fr and I thought, huh, that’s weird, I don’t have a French email.” Thinking it was a friend’s account, he admitted it wasn’t his and had them check a different email. “Then a magical thing happened: The support agent asked what email I wanted the @wanadoo.fr account to be linked to now. I was really confused as I’d just told him it’s not my account.” He took the account – as a “freebie,” he said – and thus the “backstory that got [him] into this trouble” began.

Seemingly oblivious to how bad he’d look if caught, Lynie says he decided to try again to see just how pliable support really was, to see whether he’d found a reusable loophole: “I thought I’d try with someone famous that didn’t play anymore: White Wasabi.” According to copies of the support convo shared with MOP, it took Lynie very little effort to convince a customer support rep to hand over Wasabi’s accounts, with nothing more than character/guild names and a made-up birthday and address. ArenaNet would later characterize this as social engineering, a technical exploit, but in reality it appears the support rep simply wasn’t following protocol or even checking the information Lynie was providing, for this incident and for the multiple other attempts he made to slip through the studio’s support security.

And yes, there were several of these incidents: Lynie estimates he was successful in about five of his seven attempts over the course of a few months. Frankly, we believe it was probably quite a bit more.

At this point, you are surely wondering whether Lynie is a good guy or a bad guy in this story. We certainly were too; he’s an admitted and unrepentant social engineer, so we weren’t taking anything on faith.

But everything we’ve uncovered indicates he never actually sold any of the items or accounts he acquired through these intrusions and didn’t seem to be profiting from his activities or trying to pressure or extort ArenaNet into doing anything but shore up its security – nobody has been able to demonstrate there was genuine malice in what he was doing. Moreover, it does seem as if he made repeated efforts to notify ArenaNet about the social engineering loophole he was toying with, which is not something a blackhat hacker would do. Those look more like the actions of a grayhat.

For example, he told us that he bypassed the studio’s exploit report form, since this wasn’t technically a game exploit and he didn’t want it buried by low-level support staff; instead, he says he contacted ArenaNet’s customer service lead (then Michael Henninger) and security lead (then Chris Cleary) through Steam and showed them a Pastebin of how easily customer support had relinquished accounts to him.

“They didn’t really believe it,” he told us. So he posted his concerns to Reddit, only to see the first two threads closed and deleted as the mods (rightly) thought it would embolden other hackers with a working roadmap. He also forwarded a copy of one of the threads directly to Cleary (we have reviewed that message). Here’s part of one of those (now-deleted) threads where Lynie details his activities (and we confirmed that none of this will work in 2019, so don’t bother):

Lynie claims that after these reports, he waited a while to see if ArenaNet had tightened security, but he was still able to snag more accounts. Frustrated, he posted another warning thread on Reddit, telling players directly that their accounts were at risk and accusing ArenaNet of not taking his private reports seriously. That thread, now three years old, is still up in full:

Deep in that thread, ArenaNet’s Michael Henninger publicly admitted to not believing the anonymous post. “Send me a ticket number as proof or I 100% stand by ‘This is not happening,” he wrote on Reddit. “If I’m wrong; and it is happening. It will be corrected immediately. […] I’ll never say it hasn’t happened. People make mistakes and I hire people; not robots. I’m saying in this case it didn’t happen and it most certainly is not our policy or practice.” So Lynie provided that ticket number in public. Henninger responded to say the final note in the ticket thread denied access to an account, but Lynie pointed out (correctly) that was only after the CS rep had already handed over two other accounts. Then the ArenaNet replies went dead, in spite of other gamers’ attempts to “page” the devs (pings that continued unanswered even after the Gray hack).

“So this hits Reddit,” Lynie told us. “You’d think now they’d fix it. It’s already a scandal, and the lead support is already involved – he saw the ticket. They should be fixing it, right? But they didn’t change the policies. I was scared for my own account at this point because it wasn’t just 1 ticket in 10 where this happens. From my own experience it was around 90% of the tickets I opened. I could get any account at this point. So I thought I’d show the support how ridiculous their policies are. I thought, who’s the most notable person for Guild Wars or the support altogether? Gaile Gray, community manager, support liaison, third person to work for ArenaNet.”

MOP readers will recall this is where we picked up the story ourselves, as players reported that Gaile Gray’s Guild Wars 1 account had been “hacked” in August of 2016. ArenaNet’s then-President Mike O’Brien provided us the company’s formal statement at the time, alleging that a “hacker socially engineered one of [the studio’s] CS agents to gain control of Gaile’s account,” though even he acknowledged the “hacker” didn’t do much – mainly spew profanities, hand out Gray’s loot, delete unrecoverable items, mess with goldspammers, and try to attract attention to himself. O’Brien also defended the company’s support team.

“To socially engineer the CS agent, the hacker provided a variety of personal details about Gaile. But we don’t accept personal details as primary proof of account ownership. We require things like verifying billing info, two-factor auth, access to the account’s primary phone number, or access to its primary IP address in cases where IP address ownership is clearly established. When we can’t verify, we decline access, knowing that incorrectly declining is an unfortunate but better outcome than incorrectly granting access. These are all established and documented policies. We have a great team of customer support agents who follow these policies, and the hacker tried a bunch of times and found one agent who didn’t.”

Lynie maintains he was trying to bring attention to the security loophole, explicitly denying O’Brien’s assertion that he shopped around for a vulnerable CS agent. We got a look at the ticket thread in which Lynie acquired Gray’s account, and it looks to have been one of his easiest conquests yet: He merely asked support to change Gray’s ArenaNet email account to a Gmail account he owned. The support agent requested more than a dozen bits of information; Lynie responded with several easy-to-guess bits of info, like Gray’s name, character names, and display name. But then he made up an obviously incorrect birthday, phone number, and street address. [After publication, we learned he did in fact submit a correct birthday, phone, and address for Gray, though it was not the one actually set in the billing address area inside Gray’s account; Lynie says he got the one he used from the White Pages. This was our misunderstanding, not Lynie’s or ArenaNet’s.] He provided no serial codes, credit card verification, IPs, or anything else that O’Brien wrote were standard requirements for these requests, just as with the past breaches Lynie had carried out. In our opinion of the text of the ticket, it was disturbingly easy.

“I was able to verify you as the owner of this account,” the support person had replied. “I have updated the email address on the account to the one you requested.” And that was that. Lynie was in. And we won’t sugarcoat it: He made an absolute mess of that account, trashing what ArenaNet would later publicly claim was unrecoverable loot in a public spectacle and distributing cheap festival hats to the crowd. In fact, we asked him about whether he felt bad about Gray’s account in retrospect, and he told us he didn’t – that he intentionally targeted Gray’s GM account used for official ArenaNet business, not Gray herself. “If I wanted to mess with Gaile, I would’ve taken over her [personal account],” he said.

There’s plainly a stubborn, trollish streak in him; not being taken seriously in his reports seems to have been a large part of his motivation to continue on, heedless of how ArenaNet might perceive his actions. “I’m not unlocking doors; the doors are open,” Lynie insisted in our interview, trying to explain why he kept escalating these intrusions.

“Granted, I was really mad at ArenaNet, and I was 19 years old and not so mature then. So I did something that would get attention: I went to Kamadan [the city where the most people congregate] and made it obvious I’m not Gaile [with foul language], then went on and muted some goldsellers, tried to ban some. Didn’t work unfortunately. It needed so much attention that they can’t hide it again. I tried so hard to let them know. They knew. They ignored it. It resulted in all my accounts being terminated, but I knew this would happen – I didn’t hide my identity.”

Three months after the Gray incident, Lynie’s mother called him: The Karlsruhe police were raiding his apartment. They had a warrant to cart away his PC, laptop, monitors, and USB sticks, all because ArenaNet had filed a criminal complaint against him. The studio maintained that in tricking his way into Gray’s account, Lynie had cost it over a million dollars in damages, wasted 50-70 man-hours in support and legal efforts, done irreparable harm to Gray’s characters, and caused “a negative effect on the reputation of ArenaNet and its brand” thanks to worldwide reporting on the story.

MassivelyOP was able to translate and confirm the contents of the relevant warrant and the indictment, but not the initial police complaint. The police were apparently looking for (paraphrasing the translation) chat history, emails, and other digital traces, including mobile telecommunication facilities and electronic media. (Lynie says he got his equipment back four months later.) ArenaNet had specifically accused him of (paraphrasing the translation here again) the unauthorized use of and breach of computers specifically secured against unauthorized access and then having illegally deleted or altered data in doing so, which would theoretically be prosecuted under the German statute against spying on data in combination with data alteration.

A criminal complaint of this nature in Germany compels the police and prosecutor to investigate, which they did. “I got an amazing lawyer, and we got to see the files the prosecutor has,” Lynie informed us. “The ArenaNet lawyer [from international law firm Taylor Wessing] tried to get access to the files and updates on the case every two weeks or so. He said the case was so important for ArenaNet that he would travel through the whole of Germany and provide help if it would bring the case forward. It’s in the court files; the police officer wrote it down.” (We weren’t able to independently verify this part of the court proceedings specifically because Lynie says his lawyer deemed it off-limits under German law. ArenaNet declined to comment.)

The investigation apparently wore on for nearly two years before Lynie was actually summoned to court in early 2018. He was then 21. “By this point the prosecutor had changed three times,” he said, “and the law they said I had ‘violated’ changed at least half a dozen times and in different combinations. They kept bending into another direction and weren’t sure what I did wrong. Nothing I did seemed to be against the law – stuff like computer sabotage, spying, changing data.” Though the authorities here in the US might have been able to hassle him to the ends of the earth under the absurdly broad Computer Fraud and Abuse Act, Germany is not the US.

“So it went to court, and there the lead prosecutor of my city shows up to meet my attorney and me and the judge that’s hearing the case. I explained everything I just told you, and the judge asked: You basically went to Microsoft, said you’re Bill Gates, and they took you to his office? I nodded. Everyone laughed. Then the prosecutor stepped in and said – he has to say this before we go on – that he doesn’t see any law I would’ve broken, and doesn’t see any reason to punish me either. My lawyer complained jokingly, saying he’s taking his job from him. And the whole case was dropped. They just dismissed it based on how ridiculous it was. The prosecutor said ArenaNet should’ve hired me to fix their system.”

MassivelyOP has reviewed the court document that makes it clear the prosecutor and judge agreed to drop the complaint, though not precisely why. Lynie claims that the prosecutor, who laughed at ArenaNet’s damages claim, said he saw neither “punishability” nor “crime,” while the judge was less confident about the criminal component. Ultimately, the court seems to have decided to drop the case rather than send it to a higher court where it would likely have ended in acquittal anyway. Lynie wasn’t even assessed court costs, though he was not awarded attorney’s fees from ArenaNet either, as this was not a civil suit.

“I was just glad it was over,” he says now. “It’s scary having a f***ing company from the US after you for opening a support ticket.” (Yes, he knows he’s being flippant here.)

That should’ve been the end of it, but it’s pretty clear that nobody involved here is any good at letting things go. When Guild Wars 2’s Icebrood Saga released earlier in September 2019 and aimed a fresh spotlight on the franchise, Lynie decided he wanted to try to get one of his accounts back, and within a few minutes of poking around, he claimed he’d found a “new potential way to get dev accounts.” (When he admitted doing this in our interview, we literally facepalmed. Why would he poke the bear again? Why come back? “If you play this game since you’re a kid, you believe ArenaNet is the best company ever,” he says. “You just want to believe they’re the good guys. You ignore all red flags and think it’s just one or two employees wanting to come after you.”)

Lynie says he fired off private messages to multiple ArenaNet staff, including Mike O’Brien. “I learned from my mistakes – I’ll take it straight to the top this time,” he quipped. After a bit of back and forth, O’Brien thanked Lynie for his report and said he “agree[d] with [his] assessment” that the exploit was “too close for comfort.” (We’ve since learned, however, that it wasn’t a direct threat to either game.)

“I was like yay, he seems nice,” Lynie said. But by the next day he’d been locked out of his new and old accounts once again. While in September Mike O’Brien told Lynie that ArenaNet was still “figuring out what happened and why” and would “talk to [him] soon,” it now seems likely that barring another mass unban event or some other future reversal, Lynie probably won’t be let back into the game.

“I never hid my identity because I never thought I’m harming the company,” Lynie told us. “I was trying to help, but they banned me anyway. I grew up with Guild Wars – that’s why I have a lot of passion. I’ve played this game for more than half my life. I think I started when I was 8 or 9, and I always looked up to ArenaNet. Instead of banning the obvious botters who won the last two monthly automated tournaments in Guild Wars, they spent their time looking into what accounts I play on.”

After Lynie spilled his whole story two weeks ago, we of course immediately reached out to ArenaNet and offered the studio carte blanche and time to dispute the details and clarify its position on every last accusation, along with a number of other questions and concerns about security we had (Mike O’Brien’s departure from the studio in the middle of that inquiry period is entirely unrelated but apparently stalled this process). While the studio ultimately declined to comment in full on the record, citing legal and privacy concerns, it was willing to issue this statement on its security and recourses available to players whose accounts are compromised by social engineers or hackers.

“If a player suspects their account has been accessed by an unauthorized user, they should contact customer support immediately. In those situations, we always aim to roll back accounts to their original status, including reversing any changes that may have been made without the player’s knowledge. We highly encourage all players to enable two-factor authentication on their accounts in order to keep them secure. For more information on how to enable 2FA and tips on avoiding phishing scams, please visit help.guildwars2.com.”

After publication, former ArenaNet CS lead Michael Henninger contacted us anyway, and though he was unable to speak about the incident on the record, he did tweet this in defense of his team:

Lynie is now 22 years old, and he should be moving on to to the next stage of his life. We asked him what his goal in all this was. Why go to all this trouble? Why subject himself to our endless questions and skepticism? Why come to us with a wild story of the time an MMORPG studio pursued a teenager with a criminal complaint that in its own words seemed more concerned with brand image than the security of its players – and what does he hope to achieve by making public his claims, especially knowing the broad suspicion and doubt that will likely follow, as it so often does with such stories about hackers?

“I would say I want an apology, but I wouldn’t believe I would ever get a sincere one, so probably public vindication,” Lynie answered. “And I want them to hire competent people in the security department. And I want them to never be able to sue another player again.” We don’t think he’ll be getting his wishes.

We must concede here that it’s certainly possible that Lynie has embellished or downplayed the soft edges of his story that just can’t be verified or won’t be challenged on the record; we can only do our best to verify his claims with the studio and with those social media and court system records that are accessible, to include only those elements we have reason to believe come closest to the truth and that the public needs to know about, particularly in regard to the studio’s security and hack itself as we covered it back in 2016. So given that we can’t prove Lynie’s motivations are absolutely pure – indeed, he admitted he has a grudge and feels he’s “in the right for having it” – we’re expecting debate over whether he was truly a greyhat hacking to improve security or indulge curiosity or just a blackhat hacking with malice.

But at the end of this, the bones of his story held up under scrutiny: Lynie did socially engineer his way into multiple Guild Wars accounts, taking advantage of weak support/security back in 2016. He did report it rather than profit from it. He did commandeer Gaile Gray’s account and run it aground very publicly. And then ArenaNet did press criminal charges, which were dismissed in the German courts.

Ultimately, nobody can ever really know what was inside Lynie’s head, nor do we think players will ever get a complete explanation from ArenaNet about the true nature of its security way back then. But it’s a cautionary tale for everyone involved: for would-be greyhat hackers who want to help and still stay out of trouble with the law, for studios that put a little too much faith in the competence of their support personnel and security protocols, and for players too – for the sake of the Six, enable 2FA.

Advertisement
Previous articleShroud of the Avatar finally admits the Kickstarter book is not happening, offers in-game items instead
Next articleFractured opens up a porting test weekend ahead of Alpha 2 in November

No posts to display

69 Comments
newest
oldest most liked
Inline Feedback
View all comments