
Giant Bomb News

179 Comments

Blizzard Says Battle.Net Hasn’t Been Compromised

Reports of account "hacking" are not necessarily a sign of security issues.


The launch of Diablo III has been a series of highs and lows. The game seems pretty great, but the always-on online requirements have come under scrutiny, and allegations of account hacking surfaced a few days back.

Blizzard did issue a statement earlier this week regarding compromised accounts, but I hadn't run the studio’s comments yet because I was waiting for the company to answer a series of questions, which are below:

  • "We'd like to take a moment to address the recent reports that suggested that Battle.net and Diablo III may have been compromised." -- Does Blizzard's analysis of the situation suggest there has been zero compromise of Battle.net and the subsequent "hacks" are 100% the result of outside interference?

  • In a follow up post, a community manager wrote: "We have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password." What exactly are "traditional means"?

  • In the same post, the same community manager said: "[We] have done everything possible to verify how and in what circumstances these compromises are occurring." Can you outline what these circumstances are to help players combat against it?

  • If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

Blizzard public relations told me the answers to my questions lay within an update this morning. That's mostly true.

Blizzard claims Battle.net has not been compromised, and the number of customers who have contacted the company about compromises has been “extremely small.” An actual number was not disclosed, and Blizzard said it has not received reports of account issues from any customers using the company’s authentication services.

Blizzard has posted more details on those authentication services separately.

The issues in question have arisen from accounts being accessed using a user’s login and password, which Blizzard characterizes as a “traditional” means of compromising an account. Blizzard outlined ways to protect yourself:

“The best defense against account theft still includes smart password management (e.g. using a unique password for every site/service and keeping your password to yourself) and scanning for malware and viruses regularly, as well as following additional preventative steps found here. In the end, while no security method is 100% foolproof, the physical Battle.net Authenticator and Battle.net Mobile Authenticator app are great ways to provide your account with an extra layer of protection.”

Additionally, Blizzard claims to have found no evidence of account spoofing after players join a game.

“We’ve determined the methods being suggested to do so are technically impossible,” said the company.

In other Diablo news, Blizzard is looking into restoring lost achievements for some players, and the real-money auction house has been pushed back to an undetermined launch date.

Patrick Klepek on Google+


buft

@TehBuLL said:

I had my WOW account jacked before I had an authenticator. The key is to not get drinky and click that email saying I was invited to the new beta. Can only blame myself. Never open ANY email from Blizzard. All of these tactics and account jackings are old news to WOW vets who have seen a guild bank looted.

I had my account jacked before the authenticator; I'd logged into Battle.net from a public PC while on holiday. Not related to my account, but one time our guild bank lost a quarter of a million gold after an officer got hacked.

Got an authenticator and everything has been hunky dory ever since.

ichthy

For anyone that firmly believes this session ID theory, find me the primary source and definitive proof or you are full of shit. Thanks.

greedycheese

@l3illyl3ob: I get that they could kick me off. My question is why couldn't I kick them back off? Did they change my password superfast? Is it possible that they could change my password before they logged in to D3?

As for virus scans, I am running OSX and do not have Flash or Java installed. As far as I know the only current vulnerabilities are trojans. I know that there will be OSX exploits eventually. There is no such thing as a 100% safe OS. It just seems highly unlikely to me that it's the case right now.

EXTomar

If the SC and WoW clients are any indication, all client and server chatter is "player command" oriented. Stuff like "select NNNN", "buy MMMM", "action5". There is no way for the client to build a command and push it to the "Battle.net protocol" that is like "move otherplayer" or even "sell otherplayer weapon" or even "tell me otherplayer account". There isn't supposed to be enough information given to the player's client about any other player let alone enough to take over their account since all players are "cache entities" that are commanded by the server.

If someone has hacked their client to make Battle.net do something it was never designed to do then that is amazing. After years of WoW and a lot of SC2 no one has broken this yet. It isn't impossible that there is a serious flaw in the Diablo 3 client that exposes some really crazy flaw in the bigger Battle.net protocol, but Occam's Razor suggests someone just figured out the email/password.

HydraHam

@TehBuLL said:

I had my WOW account jacked before I had an authenticator. The key is to not get drinky and click that email saying I was invited to the new beta. Can only blame myself. Never open ANY email from Blizzard. All of these tactics and account jackings are old news to WOW vets who have seen a guild bank looted.

I have had my WOW account jacked with an authenticator and I never click Blizzard emails. Also, 2 of my friends who have authenticators have had their D3 accounts wiped, and guess what? They aren't to blame.

Believe it or not, it's not ALWAYS the user's fault, and I am sick of people believing Blizzard is always innocent; sometimes the shit is on their side.

jesterroyal

I think session ID thefts have always been a perfect internet horror story. I hear them everywhere and yet nobody ever proves it was more than just getting bumped from their login. Thinking of getting the authenticator since I can't easily store an overly complicated password in a pw database like usual.

dvorak

@Styl3s said:

@TehBuLL said:

I had my WOW account jacked before I had an authenticator. The key is to not get drinky and click that email saying I was invited to the new beta. Can only blame myself. Never open ANY email from Blizzard. All of these tactics and account jackings are old news to WOW vets who have seen a guild bank looted.

I have had my WOW account jacked with an authenticator and I never click Blizzard emails.

Believe it or not, it's not ALWAYS the user's fault.

Yeah I had the same thing happen. I had a damn authenticator and lost all kinds of stuff, never to be recovered. There's easy human element ways to get around an authenticator.

That was years ago in WoW though, and I haven't had any issues since.

l3illyl3ob

@greedycheese: I know that nobody wants to admit they could be a victim of it, but there's always the possibility of phishing. Sometimes all it is is a normal-looking newsletter or whatever copied from Blizzard, but with their own links swapped in instead, hoping people will click on them and log into their phony site. Never click on a link from an email, ever.

I just look at the two current theories right now, and regardless of what Blizzard says on the matter, I just don't see any proof for Session ID hijacking, and it's pretty telling to me that every person who gets hacked doesn't have an authenticator. The most likely scenario is that all of this is just traditional hacking. I hope you find out what happened to you, greedycheese.

ildon

@Bartz said:

"What are traditional means?"

You asked this question directly after blizzard defined traditional means as "someone else logging into their account through the use of their password."

Almost every person who gets his account compromised is a victim of his own stupidity.

I don't think that's fair. Although it's less prevalent now because ad sellers seem to be getting better at catching and policing this stuff, and browsers and Flash are getting a bit better at allowing fewer security holes, in the past a huge rash of MMO game account compromises have been due to hackers putting up ads that contained malware, and those ads getting put up on popular and legit fan sites for those games. It's one thing for someone to stupidly click a bad link in a phishing email (your fault), it's another to visit your regular gaming website and get a trojan through your browser (not your fault).

Personally, I do run Firefox with NoScript and have for a long time, but I don't think that's honestly a fair expectation for most PC users.

greedycheese

@TehBuLL said:

@greedycheese what part of Blizzard saying the SessionID theory is impossible is hard to believe? I would instead start thinking of any emails you've clicked or install files downloaded from non-blizzard sites. Hell these days clicking on random wiki sites is a death wish. I'm only talking all this jazz until my stuff gets stolen, then I'll be just as pissed. I'm just glad my hackers are nice enough to wait until the Real money auction house is up.

I don't think I ever said that... I have no problem with Blizzard's response to this so far other than the 48 minute wait on hold when I called them to sort this out. But I have worked in a call center before, so I certainly don't blame those dudes. I haven't seen any real evidence to support the SessionID theory.

My problem is this: I think that the shouting match between the Pro-SessionID people and those asking for evidence has gotten so loud and toxic that it has become hard to understand what is actually going on. My experience getting compromised makes me feel that there might be something going on that is different from the run-of-the-mill keylogging/phishing scams.

Something that falls between the extremes of "If you get hacked it's your damn fault" and "If I get hacked it is all Blizzard's fault."

TentPole

Suggesting mandatory authenticators is extremely naive and idiotic on Patrick's part.

GunslingerPanda

If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

What a stupid thing to say. I use an authenticator, but why on earth should a game require an additional security measure that costs more money (not everyone has a fancy phone like me) to run?

Bartz

@ildon said:

@Bartz said:

"What are traditional means?"

You asked this question directly after blizzard defined traditional means as "someone else logging into their account through the use of their password."

Almost every person who gets his account compromised is a victim of his own stupidity.

I don't think that's fair. Although it's less prevalent now because ad sellers seem to be getting better at catching and policing this stuff, and browsers and Flash are getting a bit better at allowing fewer security holes, in the past a huge rash of MMO game account compromises have been due to hackers putting up ads that contained malware, and those ads getting put up on popular and legit fan sites for those games. It's one thing for someone to stupidly click a bad link in a phishing email (your fault), it's another to visit your regular gaming website and get a trojan through your browser (not your fault).

Personally, I do run Firefox with NoScript and have for a long time, but I don't think that's honestly a fair expectation for most PC users.

Stupidity might be harsh, I guess, but you could say it's ignorance. People who use the internet accept the risks whether they know it or not, and if they get a trojan/virus/whatever, it is still their fault. It most certainly isn't Blizzard's fault.

Ravenlight

@NS1126 said:

Also, Blizzard CS is pretty lax in their reply times.

Do you realize how many support tickets they must be getting for a launch this large? I agree that waiting sucks, but c'mon. Cut their outsourced, barely literate support team some slack :P

greedycheese

@l3illyl3ob: This is good advice. It's advice that I have given other people. Until this happened, I thought I was following it myself but this whole thing is making me re-evaluate.

ildon

@Rawson said:

@Hockeymask27 said:

Well, if you don't have a smartphone you can't get the Authenticator for free. So I believe that's why they are not mandatory yet. Unless they plan on packing in the ones you can buy.

Wrong. There's a Windows emulator for Battle.net authenticators, and there's also a dial-in authenticator that will literally work with any phone.

@zeekthegeek said:

Blizzard are better than this. They should KNOW that this is a simple session hijack hack, much like smartphone programs that could swipe into someone's logged in Facebook account.

Also wrong. There's been literally no indication that the session ID hijack has been real. It was started up by a guy at Eurogamer, and is entirely false, because fact checking is hard. Any claims otherwise are people who were phished/keylogged and didn't have an authenticator.

The only way it'd be secure to emulate an Android and run the authenticator was if that machine was completely separate from your gaming machine and never ever connected to any kind of network. If your machine is compromised, so is your Android emulator. It's more work to compromise an account that way, but you only have to know how to do it once in order to automate it as part of your attack. Running an entire additional computer is more expensive and much more of a hassle than carrying an authenticator.

Edit: Also the dial-in authenticator currently only applies to WoW.

Depth

Idiots get keylogged and then Eurogamer makes a big article saying it's session hijacking, making every Battle.net forum poster believe it.

viking_funeral

This makes me wonder about all those random people that are showing up in the 'recently played with' section. People don't seem to be fabricating that, so I wonder what the connection is.

greedycheese

@TentPole: @TentPole said:

Suggesting mandatory authenticators is extremely naive and idiotic on Patrick's part.

How is asking Blizzard a question about authenticators suggesting anything? Blizzard came out and said authenticators are the best security. All I see Patrick doing is trying to get Blizzard on the record about why they don't require them. To me that is just by-the-book reporting.

I didn't even know about the free smartphone apps until after I got hacked. Even if Blizz doesn't require them they could bring them up during the install and make users who choose not to have them click through a big-ass warning.

SmilingPig

My WoW account got pirated 2x when it was inactive for nearly one year (no game time on it).

I never bought gold or power-leveled, I never logged into my Battle.net account from anywhere other than WoW and Battle.net.

The same thing happened to my girlfriend.

So I say that YES they have big security issues.

Grimluck343

@Depth said:

Idiots get keylogged and then Eurogamer makes a big article saying it's session hijacking, making every Battle.net forum poster believe it.

Even Forbes jumped on the bandwagon.

But seriously, get the authenticator.

If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

Because not everyone owns a smart phone and you shouldn't compel people to spend an additional $5 on a keyfob to be able to play a game?

greedycheese

@Paul_Is_Drunk: @Paul_Is_Drunk said:

This makes me wonder about all those random people that are showing up in the 'recently played with' section. People don't seem to be fabricating that, so I wonder what the connection is.

No matter how they get access to your account, they have to transfer your goods to a mule. That mule account shows up as "recently played with". I had the same thing, some random lv1 guy with under 2 hours played. I am sure that when Blizzard looked at my account they saw that guy and dealt with it.

Corvak

Regarding Patrick's comment on mandatory authenticators, Blizzard has said that signing up for the SMS service will be mandatory to use the real money auction house.

ethan_raiden

I'm not sure what you're getting at with this story Patrick, I do appreciate you updating me on the status of diablo 3 and the possible security issues, but I'm not sure that your italicized aggressive questioning is necessary.

somalu

In other Diablo news, Blizzard is looking into restoring lost achievements for some players, and the real-money auction house has been pushed back to an undetermined launch date.

The longer they delay it the better.

Turambar

@greedycheese said:

@Paul_Is_Drunk: @Paul_Is_Drunk said:

This makes me wonder about all those random people that are showing up in the 'recently played with' section. People don't seem to be fabricating that, so I wonder what the connection is.

No matter how they get access to your account, they have to transfer your goods to a mule. That mule account shows up as "recently played with". I had the same thing, some random lv1 guy with under 2 hours played. I am sure that when Blizzard looked at my account they saw that guy and dealt with it.

Same here. There was a lv 1 barbarian with the name WXYAY as my top most recently played with.

@greedycheese said:

@TehBuLL said:

@greedycheese what part of Blizzard saying the SessionID theory is impossible is hard to believe? I would instead start thinking of any emails you've clicked or install files downloaded from non-blizzard sites. Hell these days clicking on random wiki sites is a death wish. I'm only talking all this jazz until my stuff gets stolen, then I'll be just as pissed. I'm just glad my hackers are nice enough to wait until the Real money auction house is up.

I don't think I ever said that... I have no problem with Blizzard's response to this so far other than the 48 minute wait on hold when I called them to sort this out. But I have worked in a call center before, so I certainly don't blame those dudes. I haven't seen any real evidence to support the SessionID theory.

My problem is this: I think that the shouting match between the Pro-SessionID people and those asking for evidence has gotten so loud and toxic that it has become hard to understand what is actually going on. My experience getting compromised makes me feel that there might be something going on that is different from the run-of-the-mill keylogging/phishing scams.

Something that falls between the extremes of "If you get hacked it's your damn fault" and "If I get hacked it is all Blizzard's fault."

I can say with a pretty high amount of confidence that it is not run-of-the-mill keylogging or phishing. I can't recall any e-mail I've opened in the last week that was not from my college, nor any potentially harmful websites I've visited.

On a separate note, I've been using the automated account recovery option that's on the Bnet site, but there is no ETA on how long it'll take for the account to be rolled back to before all my stuff was jacked. How long did it take for your account to actually be resolved/restored?

Zomgfruitbunnies

I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

Fuck off.

baldgye

It's utter nonsense... my account has been hacked and not because I told someone my account or because I logged in via an internet cafe... Battle.net 2 is horrible and this sort of thing is appalling.

Their customer service is a sad joke and they are treating their customers like shit.

PolyesterPimp

Soooo.... Can I play in public games without fear yet?

enthalpy

Here's a tip for everyone who is concerned about potentially being the victim of an account compromise. Find a secure computer that you trust--this includes non-jailbroken mobile devices that contain a browser--and change the password on the account that you think is compromised, ensuring that you get the confirmation email. If your password for battle.net is the same as any other password, change it to be unique and long.

Until any forensics are completed that substantiate the sessionid spoofing rumor or some other compromise of the service as opposed to a meat and potatoes compromise of an individual's credentials, it's really hard to believe that people aren't just having run-of-the-mill credential compromises, and the Internet echo chamber isn't helping.

If I were in possession of a large number of compromised battle.net ids and passwords, this is exactly what I would have done awaiting the launch of D3--sit on the accounts until this point in time to furiously gather items to prepare for the immediately impending launch of the RMAH. I would then cash out fast in the initial crazy market rush.

deactivated-64b8656eaf424

Yeeah, those questions are pretty dumb.
It's almost like you are one of those European Press people who you guys mock in the bombcast.

mbkish

@Zomgfruitbunnies said:

I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

Fuck off.

This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers, avoid unprotected browsing and unknown sites, and don't run anything you aren't sure is safe.

kindgineer

The whole hacking scenario sounded like a bullshit outcry from the get-go. This doesn't sound any different than the fake account compromise I think 4chan came up with or whatever.

Just a bunch of upset individuals venting in a stupid way. Blizzard finally fixed the lag (I now have a constant 100 ping instead of 300) and now the game is near perfect.

spankmastaflex

My WoW account has been stolen for some time now. Just haven't cared because I'm over WoW. I suppose when I get around to buying Diablo 3 I'll have to get that Battle.net stuff sorted out.

LikeaSsur

@Xeirus said:

@LikeaSsur said:

@Xeirus said:

@Rappelsiini said:

@Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

Then, honestly, why bother. Does it really annoy you so bad you have to go out of your way to make a useless post?

The irony is palpable.

Oh gee, look at another one. Someone has zero sense of irony, maybe you shouldn't use a word you don't understand.

Ha ha, jeez, duder, calm down, it's not that big of a deal. None of us are going to lose sleep over one guy's negative comment.

Toxeia

@Hockeymask27: Android SDK has an emulator, you can run the authenticator in that. There's also a free dial-in authenticator. On top of that, it's only $7 with shipping for the old keyfob (which I have). If $7 is too much for security there's no reason to be complaining when your shit gets jacked.

@Rappelsiini: If you read a little harder you'd see that the formatting is in what Blizzard had previously released and his question on that subject. It's not stupid, it's how Patrick kept notes on shit he wanted to know. Good on you for wanting to ignore the constructive in constructive criticism.

jjnen

@Toxeia: First of all, fuck you, no need to be passive aggressive, and who said it was supposed to be constructive criticism? I just might have had a shitty day and this was a way for me to let off some steam. But like I stated before, I was at the time using my phone so it would've been pretty difficult for me to elaborate beyond my main point. It just struck my eye as something stupid so I commented on that. Anyway, it looks like you and I aren't thinking on the same level and I'm not in the mood to explain anything, so I'll leave it at that.

Arthurd

There are a lot of new people and people who haven't played in a long time coming in. It's sad that hackers are taking advantage of this but it will die down once those players get an authenticator. As for should Blizzard make authenticators mandatory, I don't think so. If you have a secure computer you don't need to use it. The thing is that people who think their computer is secure are probably wrong so they get hacked.

Green_Incarnate

My account was hacked a few days back. Don't think it was a problem with key logging/virus/phishing, although the password for it wasn't that impressive. Changed the password and recovered the account. Haven't had a problem since. Don't know what they were going to do with a lv 8 character with no gold.

Turambar

@Green_Incarnate said:

My account was hacked a few days back. Don't think it was a problem with key logging/virus/phishing, although the password for it wasn't that impressive. Changed the password and recovered the account. Haven't had a problem since. Don't know what they were going to do with a lv 8 character with no gold.

Did you use the automated account recovery option? Also, how long did it take for the issue to be resolved?

BrockNRolla

Too much editorializing Patrick. I had trouble understanding who was saying what.

Toxeia

@Rappelsiini: No need to be aggressively aggressive bro. And if you aren't being critical to be constructive you're not doing anyone any good. Sorry you're having a bad day though.

Bunny_Fire

@JBG4 said:

Well, at least this is comforting. I have an authenticator and play mostly offline so this isn't huge to me but I do feel bad for anyone who has had their account compromised.

I'm sorry, you're playing Diablo 3 offline? I call HAX, you can do no such thing; you need an always-on connection to play it.

Turambar

@mbkish said:

@Zomgfruitbunnies said:

I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

Fuck off.

This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers, avoid unprotected browsing and unknown sites, and don't run anything you aren't sure is safe.

I fit all the requirements of someone "taking precaution". What now? Am I still at fault?

Edited By StarvingGamer

It should be pretty obvious why an authenticator isn't required.

Edited By BionicRadd

@Turambar said:

@mbkish said:

@Zomgfruitbunnies said:

I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

Fuck off.

This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers, avoid unprotected browsing, unknown sites, and don't run anything you aren't sure is safe.

I fit all the requirements of someone "taking precaution". What now? Am I still at fault?

You had an authenticator and a strong password and used an email that you only use to log in to Battle.net? You did ALL of those things and got compromised? I don't buy it.

Edited By NathHaw

Ever since I was hacked back in 2010, I've used an authenticator.

"I never thought it would happen to me!"

Edited By Green_Incarnate

@Turambar said:

@Green_Incarnate said:

My account was hacked a few days back. Don't think it was a problem with key logging/virus/phishing, although the password for it wasn't that impressive. Changed the password and recovered the account. Haven't had a problem since. Don't know what they were going to do with a lv 8 character with no gold.

Did you use the automated account recovery option? Also, how long did it take for the issue to be resolved?

Yeah. Took like a minute.

Edited By Turambar
@BionicRadd said:

@Turambar said:

@mbkish said:

@Zomgfruitbunnies said:

I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

Fuck off.

This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers, avoid unprotected browsing, unknown sites, and don't run anything you aren't sure is safe.

I fit all the requirements of someone "taking precaution". What now? Am I still at fault?

You had an authenticator and a strong password and used an email that you only use to log in to Battle.net? You did ALL of those things and got compromised? I don't buy it.

Didn't have an authenticator, but yep to all the rest.  Here's the running theory on just what is being exploited.  Original post can be found here.
 

You make a credential handshake once in the entire session. This happens at the time of login and this is what gets logged (IPs, account IDs, etc.).

At this point only session identifiers get transferred back and forth for each transaction. A transaction is whenever the state on your account changes. This could be anything from making an AH purchase to picking up some uber sword, or completing a quest, etc..

If I steal your session identifier and send that instead of mine, then I now have access to your account and I completely bypassed the need to login. This could happen in real time. It's possible Blizzard made the system spaz out when it detects multiple detections from the same account ID, so it keeps the most recent one logged in and kicks the old one.

The tools to do this might have also allowed the malicious user to change credentials on the fly. The game client assumes it's not hacked and the session is legit, so it makes the changes live.

While it is a theory and of course Blizzard will never confirm/disclose the specifics of their security flaw, it does a good job explaining the specific circumstances surrounding my hacking: the fact that I was booted off the game while in the middle of browsing the auction house, and the fact that my password was already changed when I tried to log back in mere seconds later. Therein lies the rub: of course it is hard to believe that the above is actually happening unless it suddenly happens to you as well.
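Added example (editor's note, not part of the thread, not the poster's code and not Blizzard's actual protocol): a toy model of the session-hijack theory quoted above, next to a hardened version. The naive server does one credential handshake at login and then trusts a bare session identifier on every transaction, so anyone who captures that identifier can act as the user, change the password and lock the real owner out, which is the sequence the post describes. The hardened server authenticates every transaction with a MAC under a per-session key the client never sends, rejects replayed messages via a strictly increasing counter, and demands the current password again before a credential change. All account names, passwords and the "withdraw_gold" / "change_password" actions are constructed for the demo; how the session key reaches the client (here simply returned from login) is an assumption standing in for a real key agreement under transport encryption.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _hash_pw(salt: bytes, password: str) -> bytes:
    # Illustrative password hashing only; cost parameters are not tuned.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    gold: int = 100


@dataclass
class Session:
    user: str
    key: bytes       # per-session MAC key; empty on the naive server
    counter: int = 0  # last accepted message counter (hardened server)


class NaiveServer:
    """One handshake at login, then a bare session id on every transaction."""

    def __init__(self):
        self.accounts, self.sessions = {}, {}

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_pw(salt, password))

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.pw_hash, _hash_pw(acct.salt, password)):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, b"")
        return sid

    def _apply(self, sess, action, **kw):
        acct = self.accounts[sess.user]
        if action == "withdraw_gold":
            acct.gold -= kw["amount"]
        elif action == "change_password":  # no re-authentication asked for
            acct.salt = secrets.token_bytes(16)
            acct.pw_hash = _hash_pw(acct.salt, kw["new"])
        return "ok"

    def transact(self, sid, action, **kw):
        sess = self.sessions.get(sid)
        return "rejected" if sess is None else self._apply(sess, action, **kw)


class HardenedServer(NaiveServer):
    """Same API, but every transaction carries HMAC(key, sid|counter|action)."""

    def login(self, user, password):
        sid = super().login(user, password)
        if sid is None:
            return None
        key = secrets.token_bytes(32)  # assumption: delivered only under transport encryption
        self.sessions[sid].key = key
        return sid, key

    @staticmethod
    def sign(key, sid, counter, action):
        return hmac.new(key, f"{sid}|{counter}|{action}".encode(), "sha256").hexdigest()

    def transact(self, sid, action, counter=None, tag=None, **kw):
        sess = self.sessions.get(sid)
        if sess is None or counter is None or counter <= sess.counter:
            return "rejected"  # unknown session, or a replayed/out-of-order message
        if not hmac.compare_digest(tag or "", self.sign(sess.key, sid, counter, action)):
            return "rejected"  # tag forged without the key; session is kept (no DoS by sid alone)
        sess.counter = counter
        if action == "change_password":
            acct = self.accounts[sess.user]
            if not hmac.compare_digest(acct.pw_hash, _hash_pw(acct.salt, kw.get("current", ""))):
                return "reauth_required"
        return self._apply(sess, action, **kw)


def demo():
    """Victim logs in; attacker replays the captured session id on both servers."""
    r = {}
    naive = NaiveServer(); naive.register("victim", "hunter2")
    sid = naive.login("victim", "hunter2")
    naive.transact(sid, "withdraw_gold", amount=10)  # victim's own transaction
    r["naive_hijack"] = naive.transact(sid, "change_password", new="pwned")  # attacker, same sid
    r["naive_victim_relogin"] = naive.login("victim", "hunter2")  # None: already locked out

    hard = HardenedServer(); hard.register("victim", "hunter2")
    sid, key = hard.login("victim", "hunter2")
    tag = hard.sign(key, sid, 1, "withdraw_gold")
    r["hard_victim"] = hard.transact(sid, "withdraw_gold", counter=1, tag=tag, amount=10)
    # Attacker saw sid, counter and tag on the wire, but not key:
    r["hard_replay"] = hard.transact(sid, "withdraw_gold", counter=1, tag=tag, amount=10)
    r["hard_forge"] = hard.transact(sid, "change_password", counter=2, tag="00", new="pwned")
    # Even the legitimate client cannot change the password without re-authenticating:
    t = hard.sign(key, sid, 2, "change_password")
    r["hard_no_reauth"] = hard.transact(sid, "change_password", counter=2, tag=t, new="x")
    return r


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: a counter-plus-MAC scheme stops replay and forgery of captured traffic, but not an attacker who already runs code on the victim's machine (a keylogger or an injected tool sees the key too), which is why the thread's advice about authenticators and clean machines still stands; and the "kick the older connection" behaviour the post speculates about is not modelled here because the theory itself presents it as a guess.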
Edited By Turambar
@Green_Incarnate said:

@Turambar said:

@Green_Incarnate said:

My account was hacked a few days back. Don't think it was a problem with key logging/virus/phishing, although the password for it wasn't that impressive. Changed the password and recovered the account. Haven't had a problem since. Don't know what they were going to do with a lv 8 character with no gold.

Did you use the automated account recovery option? Also, how long did it take for the issue to be resolved?

Yeah. Took like a minute.

Hmm, it's been half a day and waiting so far. Ah well, good to hear that it will be fixed in a somewhat timely fashion at least.