Hacked...me...of all people!

Soooo, as those in FFXIV know, I've been out of touch recently. There has been a lot going on in the dreaded 'RL'. I've been working a bizarre amount of overtime, my wife and I are looking at buying a house, they switched the shift I work on and I'm also scouting a new department that wants me to work for them. Well, I got on to check my email last night and my password was changed. After recovering my password I discovered my GW2 account was hacked as well as my FFXIV account. So, I'm in the slow process of trying to recover my accounts. Arenanet still hasn't gotten back to me about my GW2 account. they said they need my CD key and I can't find my case. We'll see what happens, until then I'm on Steam playing some Exile, Conan and DOTA2 lol

Oh, and I have AVG annd Avast so I have no idea how this happened...especially since I don't go to any...unsavory sites on my PC, its strictly gaming, email and gaiscioch.

Is it possible that the email that said your password has changed wasn't legit to begin with?

I've been getting numerous emails posing as SquareEnix since FFXIV beta, most of them aren't even in English.

1.  If you are using the Free version of AVG and Avast, they may not be giving you the protection you really need as they aren't always up to the task of protecting your system as well as they could. I personally use BITDefender ($50 per year) which alerts me to just about everything, including advertisements that track you or malicious links from adds.  

2.  You can also get an app for firefox/chrome called addblock or noscript, which allows you to block scripts from add while you browse websites.

3.  Check your Add/Remove programs to see if you have any old Java/Flash drivers that haven't been cleaned up with the new drivers and always ensure your software and operating systems are updated as they become available.  These are common ways of being infected.

4.  Never, ever use the same password.  Always use a strong password with a a mix of numbers, uppercase, lowercase and special characters.  Try to avoid using actual words as well.  

It probably all sounds condescending, but there are so many people that are just unaware of basic security that it never hurts to reiterate these things.  Good luck getting your account back, make sure you do a full sweep of your HDD to ensure there are no key loggers hiding away to catch you out again. 

Avg andavast wont protect you from malware. Plus having 2 virus protections can cancel each other out. More than likelyyour email was brute forced or you used a password that was used somewhere else and was comprimised.

"Avg andavast wont protect you from malware. Plus having 2 virus protections can cancel each other out. More than likelyyour email was brute forced or you used a password that was used somewhere else and was comprimised."

^^^ I agree with Fog.  Folks, do not use "free" anti-virus.  Its "free" for a reason.  That's like hiring a homeless person to house-sit for a beer.  Anti-virus programs are like Power Supplies... its the one thing on your computer that you do NOT want to "go cheap" with.

I suggest to use either Norton, Panda or F-Secure.  You can also use ESET, but its *really* aggressive, to the point of being a pain sometimes.  After being burned by AVG, McAffee and even Trendmicro, I stick exclusively with Norton 360... its never let me down in the last 4 years that I've been using it, on all my home computers.

IT Director of over 15 years here. Some free ones are good, some aren't, and some are good at times and bad at times. Right now there are escalating occurrences of zero day viruses that none are catching for a few days and they are coming out at least weekly. 

As far as my professional opinion on products, the commercial ones can be OK but they are very heavy on the client resource usage and cause as many system problems as they cure. Many in my industry will tell you Norton and McAfee are just shy of being install-able viruses themselves due to the how they affect systems.

For 'free' products, Kaspersky and MS Security Essentials are both pretty good and tend to respond to new threats at a decent rate. Sophos and F-Prot are also good. AVG and Avast are both a little flaky in my experience and go through cycles. Trend is reliable but not always the quickest to pick up new threats.

If you do have a file that you suspect may be a trojan or virus you can upload it here and this website will tell you what it is and which products can detect and clean it: https://www.virustotal.com/en/

As others mentioned, never run two products as a continuous scan. It can actually damage files on your system among other nastiness. If you want to double check you should be safe running one as an active scanner, then disable it to run something like the Sophos AV removal tool which is an on-demand scanner only.

If your main product doesn't include malware scanning then you should have a product to do that or at least manually sweep your system on a regular basis with tools like malware bytes.

Most home users don't get hacked or have passwords stolen from viruses, spyware, or actual system intrusions. The most common way people get hacked is by using the same or similar passwords at multiple sites. When one of these sites is hacked, which is increasingly common these days, all the sites you visit and use that same email and password are now at risk. As gamers we often use the same identity in every game we play and make the mistake of using the same password with every game.

Here's a good trick to use a similar password at every site, so you can remember your password but avoid using the exact same password. Most password storage is in hash format - meaning the password is encoded with a bunch of gibberish and a key. The key is disposed of so that the password can never be decoded, but the hashed format is used and cannot be decoded. Pick a root word for your password, then tack on a few characters at the end to identify the game. So what you memorize is the root word (used at all games) and the convention you use for the "game characters" at the end.

Examples:  (root word / game characters)

passwd#guwa2  > guild wars 2
passwd#ri0  > rift (add a 0 for first gen games just to maintain your convention)

Saved in hash those two words would look very different from each other, but you the user only have to memorize your word (preferably not an actual dictionary word, pick a nickname or spell the word wrong) and your special convention at the end.

Also, passwords, no matter how scrambled using lowercase, uppercase, specials, and numbers, are only as secure as the length. This is why most IT security managers now promote pass-PHRASES. Essentially passphrases are infinitely more secure. Passphrases simply combine a number of dictionary words into one long word. It makes it easy for you to remember and nearly impossible to be brute forced - going past 30 characters or so would take even a networked cloud of computers years to crack.

You can pick words that make no sense together (like "fourteenContagiousWatermelonChartreuse") but given the uniqueness of the phrase it should be easy to remember! Or pick something like "MadonnasNegligeeLooksBetterOnColbert" - the phrase grammatically makes sense but who would guess that (except maybe Colbert, he'd agree).

I would also suggest using something like LastPass to organize your passwords in a secure method. It will even warn you when you have passwords that are identical. Storing passwords in your browser is bad.

I've used Malware Bytes paid edition and Avast Free Edition for over 10 years and have never had my account compromised or even had a problem with viruses. The key is to use different passwords for different protection levels. I have a easy password for sites i don't care if they get hacked, different mid security for games and websites, and high security passwords for anything that connects to my identity (banks, shopping, etc)  this typically has kept me safe. My xbox got hacked at one point and psn got compromised at one point but neither of those could be prevented on my end. Neither had access to anything as i use game time / point cards for payment and do not tie them to my bank accounts.

So sorry to hear you got hacked :( Hope to see you soon in some game or other!

I'm not going to get into another argument about using Norton 360.  I've used it since 2008, after 5 other AV programs failed me on cleaning an infection on my GF's computer, and I have had absolutely no problems, be it viral or performance problems.  I've tested my gaming performance extensively and have found zero noticeable impact by running it, or keeping it active while I am gaming... and my system is an older Duo Core system.

The exact reasons that the "IT professionals" don't like it, is exactly why home users can count on it to work for them when they need it to.  Keep in mind that corporate/commercial computing systems have redundant security measures that the average home-user will not have, or come close to matching.

Other than the brands that I suggested, Malwarebytes is a good one to pay for, don't use the free version (the free is good, just the program is worth paying for and supporting them).  I used to as a backup, but I found that I really did not need it.  I can't comment on Avast, but have not heard complaints.  Kaspersky is very problematic, according to both reports and personal experience, I would never buy it or rely on it.  AVG is just pure crap, you might as well use your NAT router as your only firewall, too.

If folks are really interested, google AV comparison reports for the current year.  However, keep in mind that some of these reports are biased towards particular brands, but if you compare the results of several, you can get a good idea at what you want to use to protect your computer.  Regardless of what brand you prefer, or decide upon... if you do not currently have an anti-virus program installed, get one ASAP.  

I can't count the number of times that Norton alerts me that a malicious Java Toolkit script attempted to download via a hijacked advertising banner on a website that I've trusted.  That's how my GF got infected via Facebook a few years ago.  >_>

Oh and email accounts... protect your email like its Fort Knox.  It literally is your electronic version of it, because your email most likely contains all the information a hacker needs to steal your account information and identity.  Make sure you use a strong password, change it every couple of months to something 100% brand new and unused.

Also try to use several emails:  Use one email for your social networking and forums, another for your banking and shopping, and a completely separate one for your gaming.

If you get "hacked", after you virus scan your computer, immediately change your email password first, then worry about your game account(s).  Occasionally check your Sent and Deleted folders.  If you find they're clear, but don't remember clearing them out, then change your email password ASAP.  Hackers will delete their "tracks", but what they delete depends on who is doing it.  Most will delete everything (its easier), but some will delete just what they used, which is why I suggest changing your email password if you suspect anything, or have a "gut feeling" that something isn't right.

Hope you get this worked out.  =)  Yeah be crazy with them passwords.  I know I am, but then again I've spent time knowing about IT, phone systems and security since I went in the service in 1986 and beyond.  =)  I've never been hacked and my protection software has never failed me. 

To some up what everyone else said:

1) different passwords and LONG ones.  I was happy when they made it so we could go beyond 8 characters for user names and passwords.  For awhile there you couldn't on the average system.

2) always keep you protection software up to date.  I've used several and never had issues with any of them on home pc's.  Corporate wise some things just don't work as well with other underlying protection in place.  Yeah, don't have two doing the same thing or it gets messy!

My Guild Wars 1 account got hacked when NCSoft told everyone they had to go to an NCSoft account along with their GW account. There apparently was a glitch in the system that got exploited and a ton of us got hacked around the same time. Fortunately, a friend of mine saw my toons online and said "hey, are you playing right now?" to me on Skype, and so I stopped the thief that same day. However, they still gutted my account. Lucky for me it was after the account restore had been set up, so Anet was able to restore my game to the previous good save.

After it got restored, I made a list of all my CD keys and changed passwords to EVERYTHING.

Unfortunately, my Xbox account got hacked, too--about the same time I heard a ton of other people complaining about their account getting hacked. I had a strong password on there, so I don't know if they hacked into MS to get access or somehow social engineered someone to get access. It took me forever to get control back there, though MS was good about returning the points I had on my account before the hacking and a few more for my 'inconvenience'.

The account hacking might be your fault, but it might be the fault of someone really creative who managed to get access to MS or NCSoft itself to get your account. That being said, I'd follow the advice of just about everyone. I've had good success with Avast and MalwareBytes, and I run NoScript on Firefox. NoScript has saved me from some stupid viruses (along with more than a few stupid ads). Like Fog, my accounts handling real money have very long, very complex passwords to reduce the chance of hacking.