Guild Wars 2 studio says no accounts involved in new social engineering claim were compromised by CS

The Guild Wars 2 Reddit community has been up in arms this week over a gigantic thread started by former ArenaNet partner and content creator Paul “Olrun” Bentz. Olrun essentially alleges that his account has been taken over by a hacker using social engineering tricks on ArenaNet’s customer support, and his attempts to retrieve it prompted support to lock the account permanently.

“[S]omeone is abusing support to gain access to accounts with gizmos so they can sell them for thousands of dollars,” he says. “Then, when the original owner tries to get the account back, support just closes the account and says multiple people have provided enough information to prove account ownership.” When he tried to get his account back, that’s exactly what happened to him.

“I’ve seen this given as the reason for an account termination in the past. I even think I remember a dev explaining in a reddit thread why it was necessary. As far as I’m aware, it’s because sometimes it can be difficult to know who actually owns the account when people account share. If both people who had been playing on an account in the past try to claim it’s solely theirs, how is ArenaNet supposed to decide whose it is? But that’s not what’s happening here. Nobody else has ever had access to my account. He does not have access to the e-mail that was tied to the account and did not know the password. I have records of payments from my credit card. I’m still living at the same home the account was created in and has been accessed from for a decade. […] Something is wrong with their current process, and there’s no way to get it addressed other than calling attention to it through social media because, as per usual, support refuses to look into it further. Most likely, they are following the correct procedure, but that procedure is a little too loose with the amount of information necessary to claim an account when some player’s public information is out there (in this case, by ArenaNet’s own hand). Anyone whose account is inactive could be at risk. However, there’s no way to know for sure what the exact issue is because support would never give out that much information.”

Olrun finishes by posting copious evidence of the hacker’s bragging as well as video and sale posts to back up his narrative. The thread, which has over 1200 upvotes and 276 comments as I type this, is filled with anger at the situation as well as players piping up to say similar fates had befallen their own accounts.

We reached out to ArenaNet for some clarity on what’s going on; specifically, we asked about its presumed investigation into this situation, how it might help players affected, and how the studio has buffed its support processes in the last few years. Here’s the studio’s official statement to us, which appears to deny that the root of the account compromise is customer service:

“Account security is a top priority, and we have investigative processes in place to verify unauthorized account access, which we engaged in this situation. We don’t publicly discuss security processes to preserve their efficacy against bad actors. No accounts in these allegations were compromised due to customer service interactions, and the actions taken by our security teams reflect our standard procedures to maintain the integrity of the game and its players against unauthorized users and compromised accounts.” [Emphasis ours]

However, there’s documented precedence for suspicion here. Readers will recall that back in 2016, a hacker used social engineering to claw his way into the Guild Wars account of then-ArenaNet staffer Gaile Gray. In 2019, MassivelyOP published a lengthy investigation detailing the hacker’s story when he came forward after ArenaNet attempted (and failed) to punish him through the German court system. The hacker had stumbled into a very specific and shockingly simple social engineering exploit in ArenaNet’s support services, which he repeated over and over in escalating fashion to yoink multiple accounts after ArenaNet security staff ignored his public and private warnings. (In other words, they didn’t even believe the actual hacker with proof, never mind a victim.)

In fact, the type of social engineering that hacker conducted is pretty much exactly what Olrun believes happened to his account: The perpetrator learns just enough real-world information about an account holder to trick a clueless support person into handing over the account, the key difference being that the Gaile Gray account hacker wasn’t doing it for financial gain. This particular perpetrator, however, was aiming to sell Olrun’s account – before ArenaNet blocked him and Olrun from accessing it at all.

(Ironically, Olrun is no stranger to being banned unjustly from GW2; he was also banned during spywaregate, a 2018-2019 Guild Wars 2 banwave scandal during which players used GDPR to access their data and prove ArenaNet’s bans affected innocent players. At that point, ArenaNet admitted the error, and though the accounts had already served their six-month ban, it did grant compensation to the targeted players.)

Unfortunately, no matter who is ultimately responsible for hacks like these, they – and ArenaNet’s position and “standard procedures” – appear to leave legitimate account holders like Olrun with no recourse for recovery. If a former GW2 influencer can’t retrieve his account, there’s little hope for the rest of us.