Giant Bomb News

179 Comments

Blizzard Says Battle.Net Hasn’t Been Compromised

Reports of account "hacking" are not necessarily a sign of security issues.

The launch of Diablo III has been a series of highs and lows. The game seems pretty great, but the always-on online requirements have come under scrutiny, and allegations of account hacking surfaced a few days back.

Blizzard did issue a statement earlier this week regarding compromised accounts, but I didn't run the studio’s comments yet because I was waiting for the company to answer a series of questions, which are below:

  • "We'd like to take a moment to address the recent reports that suggested that Battle.net and Diablo III may have been compromised." -- Does Blizzard's analysis of the situation suggest there has been zero compromise of Battle.net and the subsequent "hacks" are 100% the result of outside interference?

  • In a follow up post, a community manager wrote: "We have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password." What exactly are "traditional means"?

  • In the same post, the same community manager said: "[We] have done everything possible to verify how and in what circumstances these compromises are occurring." Can you outline what these circumstances are to help players combat against it?

  • If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

Blizzard public relations told me the answers to my questions lay within an update this morning. That's mostly true.

Blizzard claims Battle.net has not been compromised, and the number of customers who have contacted the company about compromises has been “extremely small.” An actual number was not disclosed, and Blizzard said it has not received reports of account issues from any customers using the company’s authentication services.

For more details on those authentication services, click right here.

The issues in question have arisen from accounts being accessed using a user’s login and password, which Blizzard characterizes as a “traditional” means of compromising an account. Blizzard outlined ways to protect yourself:

“The best defense against account theft still includes smart password management (e.g. using a unique password for every site/service and keeping your password to yourself) and scanning for malware and viruses regularly, as well as following additional preventative steps found here. In the end, while no security method is 100% foolproof, the physical Battle.net Authenticator and Battle.net Mobile Authenticator app are great ways to provide your account with an extra layer of protection.”

Additionally, Blizzard claims to have found no evidence of account spoofing after players join a game.

“We’ve determined the methods being suggested to do so are technically impossible,” said the company.

In other Diablo news, Blizzard is looking into restoring lost achievements for some players, and the real-money auction house has been pushed back to an undetermined launch date.

Patrick Klepek on Google+

BionicRadd

@lorex said:

Blizzard seems to have everyone buying into the notion that if you don't use an authenticator then it's the customer's fault for not protecting their own info. The official Diablo 3 forums are filled with this sycophantic acceptance that it has to be this way. I certainly did not ask for the game to require me to always be connected to their servers to play, this was forced on the players by the company. Now to be told individual customers did not do enough seems like shifting the blame to me. It's on Blizzard to fix the problems with their servers. If the only way to secure your account is with an authenticator, then Blizzard should make them free to everyone. I know they are free online for smartphone users but not every customer fits into that category. Also there is a lot of denial on Blizzard's part that there is no security breach beyond traditional methods already known. It will be interesting to see what happens when the RMAH goes live and the first reported hacks are reported. You think people are mad now when it's just virtual money and items missing, imagine the hell that will be raised if actual money is stolen.

7 dollars shipped is practically free. You probably spend more than that on an average lunch. If you don't have a smartphone or an iPod touch, spend 7 bucks and stop acting like there is some way Blizzard can protect you from your crappy password and internet habits.

jasonefmonk

@smfE:

My last comment could have been worded better/gentler; as a second-language writer you're doing pretty well.

@BionicRadd:

You have a really limited idea of what people can do with account numbers and other personal information when gathered from a banking website. Just bill pay? Ever heard of a money transfer? Regardless your analogy is awkward and not very useful. A password is a security measure, a doorknob is not. Your antivirus comment has the same flaw.

To address the point you tried to make; yes a condom and the pill is better than one alone. You are failing to understand my fundamental issue. If I want to have sex I should never be forced to use any contraceptive, it's my responsibility to make those choices and take any necessary steps involved. It is on me if I want my password to be "opensesame" or "kNxjLN2bW9LoNGsb". It's my prerogative whether I feel the need for an authenticator or the Prime Minister's permission every time I log in.

Berserk007

Just got hacked, all items on character are gone. I am now in a supposedly 6-8 hour wait to have items etc. restored according to the customer service website. Also I am on a 75 minute wait by phone. Now hopefully I can get the stuff back but even so for me at least it makes this game almost not worth playing at all.

For all their effort in making this into a World of Warcraft lite, where you are always online I think they have in effect destroyed the game, no offline play and now we have to deal with account hacking and a slew of other problems. You know what could have avoided all these problems.....a SINGLE PLAYER GAME WITH MULTIPLAYER FEATURES....by trying to wrangle gold farmers etc out have done nothing but create a gold mine for them.

I can't believe I am saying this but seriously how can I get a refund because this is not what I paid for.

BionicRadd

@jasonefmonk said:

@smfE:

My last comment could have been worded better/gentler; as a second-language writer you're doing pretty well.

@BionicRadd:

You have a really limited idea of what people can do with account numbers and other personal information when gathered from a banking website. Just bill pay? Ever heard of a money transfer? Regardless your analogy is awkward and not very useful. A password is a security measure, a doorknob is not. Your antivirus comment has the same flaw.

To address the point you tried to make; yes a condom and the pill is better than one alone. You are failing to understand my fundamental issue. If I want to have sex I should never be forced to use any contraceptive, it's my responsibility to make those choices and take any necessary steps involved. It is on me if I want my password to be "opensesame" or "kNxjLN2bW9LoNGsb". It's my prerogative whether I feel the need for an authenticator or the Prime Minister's permission every time I log in.

Yep, it certainly is. It is also your fault when your weak password gets your account stolen. Blizzard shouldn't require an authenticator any more than condoms should be required for sex. However, if you want to maximize your chances of not getting your lady pregnant, you should wrap it up. If you want to maximize the chances of not getting your account hijacked, you should use an authenticator.

As for my bank's web site, none of my account numbers are visible or accessible when you are looking at my account. Only same account transfers are allowed, so unless they want to transfer all my checking account money to my savings for funsies, their options are pretty limited.

EXTomar

Do you realize your complaint is moot anyway? Instead of losing items to whatever on Battle.net you get a shot at getting them back where if you lose your items in a single player game you start over. I'm unclear why this is preferable.

Berserk007

@EXTomar said:

Do you realize your complaint is moot anyway? Instead of losing items to whatever on Battle.net you get a shot at getting them back where if you lose your items in a single player game you start over. I'm unclear why this is preferable.

How exactly do you lose items in a single player game? If you mean like a lost save file, hey that's on you, you should have backed it up. Diablo 3 is designed to be completely under Blizzard's control, so much in fact that there is no offline play. Hey I get it you have to deal with piracy, exploiting gold farming, etc., but by treating this in MMO business model Blizzard has disenfranchised a lot of people who just wanted to play the damn game and could care less about online features. BTW moot is such an arrogant word

jakob187

@Bartz said:

"What are traditional means?"

You asked this question directly after Blizzard defined traditional means as "someone else logging into their account through the use of their password."

Almost every person who gets his account compromised is a victim of his own stupidity.

Not true. When my WoW account got hacked, it was a unique password that contained 27 characters, alpha-numeric, as well as an authenticator on it. That story can be told over and over when it comes to Battle.net. The same happened with my brother and three of my friends, one of which is pretty much the most hardcore I've ever seen about passwords (he has something close to 40+ different passwords for all his accounts).

It can literally happen to anyone at any time. I would suggest looking up how easy it is to hack into a Battle.net account before saying someone is a "victim of his own stupidity".

With that said, one of my friend's Diablo 3 account was hacked two days ago. He has an authenticator attached to it as well as a 19 character alpha-numeric password. Customer support got everything taken care of within a 48 hour time span. He's a little discouraged now, and he's already said that if he gets hacked again that he'll quit the game and stop giving Blizzard money. It's understandable, especially since Blizzard touts so hard about security...yet it's easy to hack a Battle.net account.

ichthy

@jakob187 said:

@Bartz said:

"What are traditional means?"

You asked this question directly after Blizzard defined traditional means as "someone else logging into their account through the use of their password."

Almost every person who gets his account compromised is a victim of his own stupidity.

Not true. When my WoW account got hacked, it was a unique password that contained 27 characters, alpha-numeric, as well as an authenticator on it. That story can be told over and over when it comes to Battle.net. The same happened with my brother and three of my friends, one of which is pretty much the most hardcore I've ever seen about passwords (he has something close to 40+ different passwords for all his accounts).

It can literally happen to anyone at any time. I would suggest looking up how easy it is to hack into a Battle.net account before saying someone is a "victim of his own stupidity".

With that said, one of my friend's Diablo 3 account was hacked two days ago. He has an authenticator attached to it as well as a 19 character alpha-numeric password. Customer support got everything taken care of within a 48 hour time span. He's a little discouraged now, and he's already said that if he gets hacked again that he'll quit the game and stop giving Blizzard money. It's understandable, especially since Blizzard touts so hard about security...yet it's easy to hack a Battle.net account.

Your friend has a 19 character password? When the password requirement is 8-16 digits in length?

ethan_raiden

You'll want to run a virus scan, and not visit anymore sites where you can buy gold. Also consider buying an authenticator. Account security is your responsibility, not the company that made the product that you're using.

This is of course, obvious for all other industries, unfortunately we as gamers have a lot of growing up to do.

Anund

@Ethan_Raiden said:

You'll want to run a virus scan, and not visit anymore sites where you can buy gold. Also consider buying an authenticator. Account security is your responsibility, not the company that made the product that you're using.

This is of course, obvious for all other industries, unfortunately we as gamers have a lot of growing up to do.

You are a gullible idiot if you think this is how most people get hacked.

DCam

Protocols other than HTTP don't even use Session IDs in a way that can be hijacked...

DCam

... unless the auction house is using HTTP! Interesting...

... then there's the matter of the Authenticator optionally not being required on every log in. There could be a token stored locally, that is returned to the server on subsequent logins, although Blizzard describes it as "remembering the location you logged in from."

  • If there's a token, then a stolen token along with your password might allow someone to log in from anywhere.
  • If there's no token, then some IP spoofing would be required. I wonder who Blizzard's network provider is.

Also, these authenticators themselves are sometimes compromised, as in the SecurID hack last year: http://www.rsa.com/node.aspx?id=3872

fozzyozzy

Came back to the game last night to find my character totally stripped, save for the soul-bound items. I don't mind the hackers so much, it's these ridiculous apologists on the forums.

"Oh you got hacked because it's your own fault for not taking precautions A-Z! Wait, you did take all the precautions? Then you must be lying because Blizzard and any other online entities are impregnable fortresses of security."<-- says the person who obviously doesn't remember any kerfuffle approximately a year ago...

Mnemoidian

@fozzyozzy: Oh, you're going to have to say more than "kerfuffle approximately a year ago". I'm probably blanking temporarily, but I don't know what you are talking about.

And for what it's worth, I'm more willing to believe Blizzard's claims that everyone who has so far come forward claiming they have an authenticator attached to their account when they were compromised had their authenticator attached afterwards (or were using the dial-up authenticator).

I'm not apologizing for Blizzard. I'm saying that it's a terrible world where gold buyers have caused a climate where people aren't even able to be lax with security on their game accounts. At the same token, I don't see why anyone should blame Blizzard, when provided with the tools to keep your account (relatively) safe. If you want to blame someone, blame the jerks who are creating a market where the content of our accounts has a monetary value. Blame the jerks who are working hard to get into our accounts.

And if you (as in anyone reading this) is the unique(?) case where an authenticator has been breached, then you clearly need to contact Blizzard and let them know about it, rather than gnashing your teeth on a forum where they are extremely unlikely to see it.

Considering how willing Blizzard is to recover account contents for you (not needed myself, but from what I've seen of friends who have been compromised), I don't see why there's so many people spewing vitriol in their direction.

EXTomar

*shrug* I am not apologizing for Blizzard but stating things learned from years of this in WoW. The way Battle.net authentication works, the client is told who is playing not the other way around. There is no way to rig either the WoW or SC2 client to switch Player IDs while connected so I'm inclined to believe there is no way to do that in Diablo 3 as well. All objects are treated as anonymous objects commanded by the server to move so there is no connection or communication player to player. The tech just doesn't support the kind of things some posters are claiming it does.

And I am not claiming Battle.net is 100% secured either but I am going to claim that it is probably easier to hack random desktop machines and random people. Years and years and years of this where every time I've had to deal with it, it turned out to be something a player did instead of Blizzard. It isn't that any of those people were stupid or were careless but those guys are incredibly clever and persistent. WoW and Battle.net attacks are often the first time people have ever dealt with identity theft and often they are angry and embarrassed it happened to them where the last thing you will get from them is all of the facts partially because these schemes often involve never noticing them.

Could there be something wrong with the Diablo 3 client that leaks sensitive info to a hacker? Yes there could be. Is it more likely that the player accidentally exposed their account information outside of Battle.net? More likely by magnitudes.

fozzyozzy

What I'm saying is that the conversation here shouldn't be so much about what could have been done on the user side, but instead pushing Blizzard to think outside of the normal means box for methods to prevent these issues.

The commercial release is barely two weeks old and the developer is already underselling (perhaps not 100% truthfully) the number of cases here. I know there have been methods to hacking for a long time, is it "venting" to wonder if maybe there's something server side being exploited?

I think the appropriate analogy is identity theft. Now maybe the victim didn't shred every single piece of junkmail, but then there are people who casually leave their belongings out in the open. My point is, the only conversations should be between whoever the victim is and the people who can aid. No room for armchair defenders and security experts.

TentPole

@fozzyozzy said:

My point is, the only conversations should be between whoever the victim is and the people who can aid. No room for armchair defenders and security experts.

I don't like people who decided what conversation I should and should not have.

fozzyozzy

@TentPole said:

@fozzyozzy said:

My point is, the only conversations should be between whoever the victim is and the people who can aid. No room for armchair defenders and security experts.

I don't like people who decided what conversation I should and should not have.

You're right. I'm a user and this is my experience, what will you do to prevent it in the future?

RedRavN

I was playing single player the other day and my account got compromised. I was disconnected from my game and then could not log back in. I reset my password and logged into Diablo 3. All my items and gold were gone (fortunately on a lvl 20 barb) and there were 2 players on my recent players list that appeared. Since I play singleplayer obviously these jackasses are the ones who compromised my account. So I reported them to Blizzard.

I don't have an authenticator because I did not even know this was so prevalent in the community, but the fact that I have to spend more money on some device on top of a $60 game is pants on head retarded. If that is Blizzard's security solution, it should be included in the game. Also, I don't give out my username and password and I was not phished or anything. The hacking must be going on through a java embedded keylogger or something. This means you can pick up this stuff by just browsing the net.

I wish people would just stop buying gold. Obviously, there are a lot of people who buy it because the market is just so crazy. But do these people know where it comes from? Farming is kind of legitimate even though they ruin the game's economy by selling in the first place, but stealing from other people sucks, especially since they can't be prosecuted.

Blizzard needs to stop blaming the consumer like it's my fault for not knowing I was supposed to buy some device just to casually play the game. They need to own up to the fact that they have a huge security problem at the moment and that it is out of control. Or they need to put in an offline mode so I don't have to deal with this BS.

TentPole

@RedRavN: If it is a keylogger as you hypothesize then what would you have Blizzard do?

@fozzyozzy said:

You're right. I'm a user and this is my experience, what will you do to prevent it in the future?

Less Drew Carey is probably where I would start if I were you.

But seriously, why are you asking me what I will do to prevent your issues? I am not really interested in roleplaying Blizzard tech support.

Mnemoidian

@fozzyozzy said:

What I'm saying is that the conversation here shouldn't be so much about what could have been done on the user side, but instead pushing Blizzard to think outside of the normal means box for methods to prevent these issues.

The commercial release is barely two weeks old and the developer is already underselling (perhaps not 100% truthfully) the number of cases here. I know there have been methods to hacking for a long time, is it "venting" to wonder if maybe there's something server side being exploited?

I think the appropriate analogy is identity theft. Now maybe the victim didn't shred every single piece of junkmail, but then there are people who casually leave their belongings out in the open. My point is, the only conversations should be between whoever the victim is and the people who can aid. No room for armchair defenders and security experts.

I'm not seeing Blizzard underselling how many have been compromised - looking at their forums, there are at least a dozen posts from Community Managers on the subject. They are just saying that no reported cases have shown that there has been an active authenticator (not dialin/SMS) on the account on the time of the account - even in the cases where people HAVE claimed there was an active authenticator.

Further, I'm not sure what you mean about how Blizzard should think outside the box? As far as I am aware, they provide the most security options for their users than any other game developer. Even Steam only has a few of the features (SteamGuard) that Blizzard use to keep your account safe. And you can't really put it on their side if your account is compromised because you fell for a phishing scam (hey, you're only human, mistakes happen) or used the same password as on a site that had their user databases stolen in the last few years. Or wound up with a keylogger because of some shady ad-banner, or some other crazy shit that's going around.

You seem to have some idea of what they should have done, as you are saying that they should've done more. What have they missed? What more can they do, except force everyone to use authenticators?

(And yes, I realize that there are ways to get around authenticators. It's significantly harder than just getting past a static password, though.)

@RedRavN: If you have an Android device or iPhone (or iPad, I suppose), you could just download the free mobile authenticator. It's as safe as your phone/device is.

Direct links:

https://play.google.com/store/apps/details?id=com.blizzard.bma

http://itunes.apple.com/en/app/battle.net-mobile-authenticator/id306862897?mt=8

You then need to connect it to your battle.net account. And you should write down the recovery information, etc, in the app. Of course, if you don't have such a device, the keychain gadget is the only way to go.

edit: for good measure, here's Blizzard's "Help! I got hacked!" page to get you started recovering your account: http://us.battle.net/en/security/help

RedRavN

@Mnemoidian: Thanks for the info. Unfortunately, I don't have a "smartphone" so I cannot run any apps on any of my devices. So I will have to get a physical authenticator at some point. One thing I don't get is how is it possible for these hackers to change my b-net password without my knowledge? Shouldn't they have to answer my security questions to do so? Why did I not receive an e-mail alerting me to a password change. From my research, this has also been the case in compromised accounts that occur when people get booted in game and get their password reset. This to me indicates that the hackers have bypassed Blizzard's own security system on their end, so that they are not even "aware" of passwords being changed through their system.

Obviously, if I had an authenticator this probably would not have happened but there seems to be a very real issue on Blizzard's end that I hope they are working to fix, even if they never admit it publicly. You should not be able to have your password reset if you are logged in at the time. Just because a solution exists for the problem doesn't mean that Blizzard should be let off the hook and not be trying to invest in security for the core game in my opinion.

ichthy

@RedRavN said:

@Mnemoidian: Thanks for the info. Unfortunately, I don't have a "smartphone" so I cannot run any apps on any of my devices. So I will have to get a physical authenticator at some point. One thing I don't get is how is it possible for these hackers to change my b-net password without my knowledge? Shouldn't they have to answer my security questions to do so? Why did I not receive an e-mail alerting me to a password change. From my research, this has also been the case in compromised accounts that occur when people get booted in game and get their password reset. This to me indicates that the hackers have bypassed Blizzard's own security system on their end, so that they are not even "aware" of passwords being changed through their system.

Obviously, if I had an authenticator this probably would not have happened but there seems to be a very real issue on Blizzard's end that I hope they are working to fix, even if they never admit it publicly. You should not be able to have your password reset if you are logged in at the time. Just because a solution exists for the problem doesn't mean that Blizzard should be let off the hook and not be trying to invest in security for the core game in my opinion.

This might seem kinda dumb, but to change your e-mail, you need your security question. To change your password, all you need is your old password.

deactivated-58f9a027d9bbc

the account hacking problem has been plaguing WoW TW realm for like 2 or 3 years already thanks to the sloppy security of TW realm's publisher

they try to cover it with some kind of phone lock account protection, but then even MORE people got hacked (including me, twice) with that stupid phone lock on.

then last year Blizzard decided to merge this piece of crap with Battle.net, in prep for SC2 or Diablo 3, I forgot which

my vote is that the security issues that's been plaguing asia are somehow brought into battle.net with this merger

RedRavN

@ichthy: Ahh I see, thanks for the clarification. I wonder if by implementing a security question to change the password if that would make it more difficult for the accounts to be compromised. But I'm clearly no security expert. Well at least I have managed to regear my barbarian and am back on track and crushing my way through act 3. :)

DCam

Certainly, such concepts are not limited to web browsing. A Session ID is more useful in a connectionless request-response protocol like HTTP. In a connection-based protocol, sending a session ID doesn't make sense after the connection is established and authenticated -- it's overhead. Armchair architecture going up, but it sounds likely that there are parts of the overall client-server interaction in Diablo III that are request-response based -- the auction house -- and parts that are connection based -- the game world state. It seems like inventory and character state could be handled with either communication style.

For request-response or connection based communication, Blizzard could bind a session to an IP address and not allow the session to change source IPs without fully re-authenticating -- username, password and authenticator token, if enabled.
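
The session-to-IP binding suggested in the comment above, sketched as an added example; it is not part of the original post and not Blizzard's code. The class names, the RFC 6238 code standing in for the authenticator, and the sample credentials and documentation-range addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code; a stand-in for the authenticator (assumption)."""
    counter = struct.pack(">Q", int(at // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical account record: salted password hash, optional authenticator."""

    def __init__(self, username, password, authenticator_secret=None):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.authenticator_secret = authenticator_secret

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_credentials(self, password, code, now):
        ok = hmac.compare_digest(self.pw_hash, self._hash(password))
        if self.authenticator_secret is not None:
            # Authenticator enabled: the one-time code is mandatory as well.
            expected = totp(self.authenticator_secret, now).encode()
            ok = hmac.compare_digest(expected, (code or "").encode()) and ok
        return ok


class SessionStore:
    """Sessions are bound to the source IP seen at full authentication."""

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.sessions = {}    # session id -> (username, bound source IP)
        self.mismatches = []  # (username, bound IP, offending IP) for review

    def login(self, username, password, source_ip, code=None, now=None):
        now = time.time() if now is None else now
        account = self.accounts.get(username)
        if account is None or not account.check_credentials(password, code, now):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, source_ip)
        return sid

    def authorize(self, sid, source_ip):
        """Return 'ok', 'reauth_required' or 'unknown_session'."""
        entry = self.sessions.get(sid)
        if entry is None:
            return "unknown_session"
        username, bound_ip = entry
        if source_ip != bound_ip:
            # The session id alone is not accepted from a new address. The
            # session stays bound to the original IP, so the legitimate client
            # is not kicked; the new address must call login() again.
            self.mismatches.append((username, bound_ip, source_ip))
            return "reauth_required"
        return "ok"


def run_demo():
    secret = b"constructed-authenticator-secret"       # constructed sample value
    store = SessionStore([Account("player", "constructed-pass", secret)])
    now = 1_700_000_000                                # fixed clock for the demo
    sid = store.login("player", "constructed-pass", "192.0.2.10",
                      code=totp(secret, now), now=now)
    return [
        store.authorize(sid, "192.0.2.10"),    # same address as login
        store.authorize(sid, "198.51.100.7"),  # same session id, other address
        store.authorize(sid, "192.0.2.10"),    # original client still works
    ]


if __name__ == "__main__":
    print(run_demo())
```

A client whose address changes legitimately, for example on a mobile network, has to log in again under this scheme; the `mismatches` list gives operators a record of session IDs presented from a second address.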

Archaen

@DCam:

I don't disagree with anything you've said in this last post. The simple fact is we don't know how Blizzard programmed Diablo 3 servers to behave. They could have chosen not to do a connection-based method to keep the bandwidth overhead down. People with anecdotes of playing over wi-fi on airplanes seem to support this. It's possible it's a very tolerant connection, though. The bottom line for me is that with internet security a company often does not know when they have a problem. I don't believe my own programmers when they say their code is perfect so why should I believe Blizzard when they say hacking them is impossible? Session ID theft is indeed possible if they handle it too leniently. The posters saying they unquestionably believe a company to have a secure environment just because they say they do don't know much about internet security. The truth no one wants to tell laymen is that no system is completely hack-proof. The best anyone has is guesses until they're proven wrong.

Bunny_Fire

@JBG4 said:

@Bunny_Fire: I meant not playing multiplayer... The reports that I have read regarding this situation has stated that most people who have been hacked at this point have recently played multiplayer. I wasn't saying that I play the game offline without a connection, I was using offline to say that I have been playing mostly single player. I should have specified that a little more I guess.

yes yes you should as I understand that offline is impossible to do with Diablo as for saying that and I quote " I wasn't under the impression that I needed to go into so much detail about that but I guess some don't have the mental capacity to understand things that aren't blatantly spelled out for them." that I don't have the mental capacity to understand these things is extremely childish to personally attack me in such a way when I read a comment I take it for what it is after all I am replying to what your comment is not what I think it may be or imagine it may be.

sure I said you're hacking which is the only way I understand that you can possibly play offline it was not meant as a personal insult ... So yes next time I ask you to think about your post try not to resort to insults (though I myself am sometimes guilty of this as I am not perfect)

predator

Hacking is playful cleverness, use cracking instead.