This afternoon, I logged in to my inn room at The Drowning Wench. All was quiet. I called for my retainer to check my sales, then geared up and ventured out into the world. Immediately, I was hit by a blast of URLs made up of a swath of irregular unicode replacement characters and the promise of hundreds of thousands of gil in exchange for a few real-world US Dollars. It was happening approximately 1.3 times per second, which meant that anything I tried to say or my friends tried to tell me would be instantly swallowed up. In haste, I opened my blacklist to add the spammer, and then opened my report window.
A few minutes later, wandering idly around and wondering just how Square-Enix could possibly let this continue, I found her. A level 50 monk, dressed in Foestriker gear, mouth working - silently, as I'd just blacklisted her - and eyes staring, lifeless as the snows of Coerthas. Tuiyani Kusaragi was her name. It was not a string of random characters like RMT are wont to pick. It was not even a name randomly generated at the character selection screen. It was a name deliberated upon by a human being, particularly for the purpose of sounding Japanese-esque, but no less weightily considered. And it was stolen by a dirty gilselling scumbag, forcing their own words into her mouth.
How did this happen? Are hackers somehow magically able to force their way into your accounts? In all likelihood, no. Not only is this sort of tragedy entirely preventable, preventing it is also pretty damn easy.
SO:
How do they do it?
People who want accounts - any accounts - do not break into them one by one. The effort involved makes that infeasible for anything but personal reasons. Gilselling is a business; they seek to maximize profit and minimize effort. There are two main ways they gain access to your account:
1. They trick you into giving them your password. You might be a customer of their very own RMT service, or you might have registered on one of their fake FFXIV fansites - believe it or not, these are myriad. One way or another, you may have handed them your password without even realizing it, and if it's the same password you use for the game, they don't need to 'hack' anything.
2. They've stolen it from somewhere else. Players who use the same password across multiple games are especially at risk, and slight variations of that password are only slightly safer. Almost any game community you've ever joined could be the weak link for your one password. Once a site is breached, the extracted data does not simply disappear: the password hashes are cracked offline against lists of common passwords, the recovered e-mail and password pairs are sold and bought, and then they are tried against every other service - including the game.
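To make the second route concrete, here is an added example (not part of the original post) of the two steps it describes: an offline dictionary attack against a dumped password table, followed by trying the recovered e-mail/password pairs against a second service. Everything in it is constructed for illustration: the e-mail addresses, the passwords, the wordlist, the assumption that the breached fansite stored unsalted MD5, and the salted SHA-256 stand-in for the game's login check.

```python
import hashlib
from typing import Dict, Iterator, List, Tuple


def md5_hex(password: str) -> str:
    """Unsalted MD5: the (bad) storage scheme the breached fansite is assumed to use."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed breach: e-mail -> unsalted MD5 of the user's fansite password, as it
# would appear in a dumped table. The addresses and passwords are made up.
FANSITE_DUMP: Dict[str, str] = {
    "aria@example.com": md5_hex("password"),
    "kael@example.com": md5_hex("dragon123"),
    "ren@example.com": md5_hex("qwerty"),
    "tuiyani@example.com": md5_hex("vF#9q!Lm2xZs"),  # unique, not derivable from the list
}

# Constructed wordlist: the head of any "most common passwords" list.
WORDLIST: List[str] = ["123456", "password", "qwerty", "dragon", "letmein", "iloveyou"]


def mangle(word: str) -> Iterator[str]:
    """Simple mangling rules, like the rule sets cracking tools apply to each word."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "!", "2013"):
            yield base + suffix


def crack_dump(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack. Because the hashes are unsalted, each candidate is
    hashed once and compared against every victim at the same time."""
    victims_by_hash: Dict[str, List[str]] = {}
    for email, digest in dump.items():
        victims_by_hash.setdefault(digest, []).append(email)
    cracked: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            for email in victims_by_hash.get(md5_hex(candidate), []):
                cracked[email] = candidate
    return cracked


def verifier(password: str, salt: bytes) -> str:
    """Stand-in for the game's login check: salted SHA-256 (an assumption for this
    example). Salting makes the fansite hashes useless here; only the recovered
    plaintext passwords carry over."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed game accounts for the same e-mail addresses. Two players reused their
# fansite password; two did not.
GAME_ACCOUNTS: Dict[str, Tuple[bytes, str]] = {
    "aria@example.com": (b"salt-1", verifier("password", b"salt-1")),      # reused
    "kael@example.com": (b"salt-2", verifier("dragon123", b"salt-2")),     # reused
    "ren@example.com": (b"salt-3", verifier("Qwerty-Is-Not-My-Pass-7", b"salt-3")),
    "tuiyani@example.com": (b"salt-4", verifier("Drowning-Wench-Room-12", b"salt-4")),
}


def credential_stuff(cracked: Dict[str, str],
                     accounts: Dict[str, Tuple[bytes, str]]) -> List[str]:
    """Try each recovered e-mail/password pair exactly once against the game login.
    No brute force and no exploit: one guess per account, which is why lockouts
    and rate limits barely notice it."""
    compromised = []
    for email, password in cracked.items():
        if email in accounts:
            salt, stored = accounts[email]
            if verifier(password, salt) == stored:
                compromised.append(email)
    return sorted(compromised)


if __name__ == "__main__":
    recovered = crack_dump(FANSITE_DUMP, WORDLIST)
    print("cracked from fansite dump:", recovered)
    print("game accounts taken over :", credential_stuff(recovered, GAME_ACCOUNTS))
```

Three of the four fansite passwords fall to a six-word list with trivial mangling; the one that survives is the one that was never on any list. Of the three, the two that were reused for the game are taken over with a single login attempt each - no 'hacking' of the game servers is involved, which is exactly why changing to a unique password stops it cold.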
What can you do?
Simple enough. Change your password. Not just for Final Fantasy XIV, but for your e-mail account as well - and don't use the same one for both. Use a good password: long, and not one you've used anywhere else. This stops almost all so-called 'hackers' in their tracks. They see that your old username and password didn't work, and move on down their list.
What can Square Enix do?
Also simple: attack the problem at the source.
Today, I read a rather inspiring article about how ArenaNet implemented a mandatory password change. They took a database of every password previously attempted, combined with the most common passwords, and prohibited players from using them. According to hearsay, the rate of hacking dropped to 0.01% and has been further dwindling ever since.
SEGA of Japan has implemented at least one 'change your password' campaign, and rewarded players who changed their SEGA ID password with prizes in Phantasy Star Online 2. Nexon has done several.
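As an added example (not part of the original post, and not ArenaNet's or Square Enix's actual code), here is the shape of the blocklist check described above: reject any new password that matches a list of common or previously seen passwords, comparing not just the literal string but the obvious variants players use to sneak past such a check. The blocklist contents, the minimum length and the normalization rules are assumptions for illustration.

```python
import re
from typing import Optional, Set

# Constructed blocklist standing in for the database the post describes: every
# password previously tried plus the most common ones. Real lists run to millions
# of entries; the check is identical.
BLOCKLIST: Set[str] = {
    "password", "123456", "123456789", "qwerty", "letmein", "dragon", "iloveyou",
    "finalfantasy", "ffxiv", "eorzea", "gilseller",
}

# Common substitutions undone before lookup: P@$$w0rd is still "password".
LEET = str.maketrans("@$!013457", "asioleast")

MIN_LENGTH = 8  # assumption for the example, not a documented SE or ArenaNet rule


def normal_forms(password: str) -> Set[str]:
    """All the ways a candidate is compared against the blocklist: lowercased,
    with leading/trailing digits and symbols removed, and with leet undone."""
    lower = password.lower()
    forms = {lower, lower.translate(LEET)}
    stripped = re.sub(r"[^a-z]+$", "", lower)    # "dragon2013!" -> "dragon"
    stripped = re.sub(r"^[^a-z]+", "", stripped)
    if stripped:
        forms.add(stripped)
        forms.add(stripped.translate(LEET))        # "p@ssw0rd1" -> "password"
    return forms


def check_password(password: str, blocklist: Set[str] = BLOCKLIST) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it is rejected."""
    if len(password) < MIN_LENGTH:
        return f"too short: minimum {MIN_LENGTH} characters"
    for form in normal_forms(password):
        if form in blocklist:
            return f"too common: matches blocked password '{form}'"
    return None


def record_attempt(password: str, blocklist: Set[str]) -> None:
    """The twist the post attributes to ArenaNet: every password ever submitted
    joins the blocklist, so once a password has been seen it can never be chosen
    again by anyone."""
    blocklist.update(normal_forms(password))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2013!", "Dragon-2013", "short", "Kusaragi-Tuiyani-73"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'ok' if verdict is None else verdict}")
```

The point of the normalization is that a player who types "P@ssw0rd2013!" has not chosen a better password than "password" - the cracking rules in the previous example recover it in the same pass - so the policy has to compare the stripped, de-leeted form rather than the raw string.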
I'm not calling out people who get hacked for using gilselling services, or even for not changing their password, but if you're using a recycled password (or perchance haven't changed your password since you last bought gil):
You.
Are.
At.
Risk.
Because what is most often hacked is not your account, at least not directly. This feature is already implemented in Final Fantasy XIV, and is also easily circumvented if the account data stolen or otherwise obtained includes an e-mail address. If you've used the same password for the game and your e-mail, it's game over. I'm fairly certain that either you have a keylogger or your e-mail is compromised. I don't believe SE would allow anything on their servers without an MD5 hash, which is a code generated to identify a file - if it has been altered, the MD5 changes.