Giant Bomb News

179 Comments

Blizzard Says Battle.Net Hasn’t Been Compromised

Reports of account "hacking" are not necessarily a sign of security issues.

The launch of Diablo III has been a series of highs and lows. The game seems pretty great, but the always-on online requirements have come under scrutiny, and allegations of account hacking surfaced a few days back.

Blizzard did issue a statement earlier this week regarding compromised accounts, but I didn't run the studio’s comments yet because I was waiting for the company to answer a series of questions, which are below:

  • "We'd like to take a moment to address the recent reports that suggested that Battle.net and Diablo III may have been compromised." -- Does Blizzard's analysis of the situation suggest there has been zero compromise of Battle.net and the subsequent "hacks" are 100% the result of outside interference?

  • In a follow up post, a community manager wrote: "We have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password." What exactly are "traditional means"?

  • In the same post, the same community manager said: "[We] have done everything possible to verify how and in what circumstances these compromises are occurring." Can you outline what these circumstances are to help players combat against it?

  • If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

Blizzard public relations told me the answers to my questions lay within an update this morning. That's mostly true.

Blizzard claims Battle.net has not been compromised, and the number of customers who have contacted the company about compromises has been “extremely small.” An actual number was not disclosed, and Blizzard said it has not received reports of account issues from any customers using the company’s authentication services.

For more details on those authentication services, click right here.

The issues in question have arisen from accounts being accessed using a user’s login and password, which Blizzard characterizes as a “traditional” means of compromising an account. Blizzard outlined ways to protect yourself:

“The best defense against account theft still includes smart password management (e.g. using a unique password for every site/service and keeping your password to yourself) and scanning for malware and viruses regularly, as well as following additional preventative steps found here. In the end, while no security method is 100% foolproof, the physical Battle.net Authenticator and Battle.net Mobile Authenticator app are great ways to provide your account with an extra layer of protection.”

Additionally, Blizzard claims to have found no evidence of account spoofing after players join a game.

“We’ve determined the methods being suggested to do so are technically impossible,” said the company.

In other Diablo news, Blizzard is looking into restoring lost achievements for some players, and the real-money auction house has been pushed back to an undetermined launch date.

Patrick Klepek on Google+

PolyesterPimp

Soooo.... Can I play in public games without fear yet?

baldgye

It's utter nonsense... my account has been hacked and not because I told someone my account or because I logged in via an internet cafe... Battle.net 2 is horrible and this sort of thing is appalling.

Their customer services is a sad joke and they are treating their customers like shit

Zomgfruitbunnies

I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

Fuck off.

Turambar

@greedycheese said:

@Paul_Is_Drunk: @Paul_Is_Drunk said:

This makes me wonder about all those random people that are showing up in the 'recently played with' section. People don't seem to be fabricating that, so I wonder what the connection is.

No matter how they get access to your account, they have to transfer your goods to a mule. That mule account shows up as "recently played with". I had the same thing, some random lv1 guy with under 2 hours played. I am sure that when Blizzard looked at my account they saw that guy and dealt with it.

Same here. There was a lv 1 barbarian with the name WXYAY as my top most recently played with.
 
@greedycheese said:

@TehBuLL said:

@greedycheese what part of Blizzard saying the SessionID theory is impossible is hard to believe? I would instead start thinking of any emails you've clicked or install files downloaded from non-blizzard sites. Hell these days clicking on random wiki sites is a death wish. I'm only talking all this jazz until my stuff gets stolen, then I'll be just as pissed. I'm just glad my hackers are nice enough to wait until the Real money auction house is up.

I don't think I ever said that... I have no problem with Blizzard's response to this so far other than the 48 minute wait on hold when I called them to sort this out. But I have worked in a call center before, so I certainly don't blame those dudes. I haven't seen any real evidence to support the SessionID theory.

My problem is this: I think that the shouting match between the Pro-SessionID people and those asking for evidence has gotten so loud and toxic that it has become hard to understand what is actually going on. My experience getting compromised makes me feel that there might be something going on that is different from the run-of-the-mill keylogging/phishing scams.

Something that falls between the extremes of "If you get hacked it's your damn fault" and "If I get hacked it is all Blizzard's fault."

I can say with a pretty high amount of confidence that it is not run of the mill keylogging or phishing. I can't recall any e-mail I've opened in the last week that was not from my college, nor any potentially harmful websites I've visited.

On a separate note, I've been using the automated account recovery option that's on the Bnet site, but there is no ETA on how long it'll take for the account to be rolled back before all my stuff was jacked. How long did it take for your account to actually be resolved/restored?

somalu

In other Diablo news, Blizzard is looking into restoring lost achievements for some players, and the real-money auction house has been pushed back to an undetermined launch date.

the longer they delay it the better.

ethan_raiden

I'm not sure what you're getting at with this story Patrick, I do appreciate you updating me on the status of Diablo 3 and the possible security issues, but I'm not sure that your italicized aggressive questioning is necessary.

Corvak

Regarding Patrick's comment on mandatory authenticators, Blizzard has said that signing up for the SMS service will be mandatory to use the real money auction house.

greedycheese

@Paul_Is_Drunk: @Paul_Is_Drunk said:

This makes me wonder about all those random people that are showing up in the 'recently played with' section. People don't seem to be fabricating that, so I wonder what the connection is.

No matter how they get access to your account, they have to transfer your goods to a mule. That mule account shows up as "recently played with". I had the same thing, some random lv1 guy with under 2 hours played. I am sure that when Blizzard looked at my account they saw that guy and dealt with it.

Grimluck343

@Depth said:

Idiots get keylogged and then eurogamer makes a big article saying it's session hijacking, making every battlenet forum poster believe it.

Even Forbes jumped on the bandwagon.

But seriously, get the authenticator.

If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

Because not everyone owns a smart phone and you shouldn't compel people to spend an additional $5 on a keyfob to be able to play a game?

SmilingPig

My wow account got pirated 2x when it was inactive for nearly one year (no game time in it).

I never bought gold or power-leveled, I never logged in my battle.net account from anywhere other than wow and battle.net.

The same thing happened to my girlfriend.

So I say that YES they have big security issues.

greedycheese

@TentPole: @TentPole said:

Suggesting mandatory authenticators is extremely naive and idiotic on Patrick's part.

How is asking Blizzard a question about authenticators suggesting anything? Blizzard came out and said authenticators are the best security. All I see Patrick doing is trying to get Blizzard on the record about why they don't require them. To me that is just by-the-book reporting.

I didn't even know about the free smartphone apps until after I got hacked. Even if Blizz doesn't require them they could bring them up during the install and make users who choose not to have them click through a big ass warning.

viking_funeral

This makes me wonder about all those random people that are showing up in the 'recently played with' section. People don't seem to be fabricating that, so I wonder what the connection is.

Depth

Idiots get keylogged and then eurogamer makes a big article saying it's session hijacking, making every battlenet forum poster believe it.

ildon

@Rawson said:

@Hockeymask27 said:

Well if you don't have a smart phone you can't get the Authenticator for free. So I believe that's why they are not mandatory yet. Unless they plan on packing the ones you can buy.

Wrong. There's a Windows emulator for Battle.net authenticators, and there's also a dial-in authenticator that will literally work with any phone.

@zeekthegeek said:

Blizzard are better than this. They should KNOW that this is a simple session hijack hack, much like smartphone programs that could swipe into someone's logged in Facebook account.

Also wrong. There's been literally no indication that the session ID hijack has been real. It was started up by a guy at Eurogamer, and is entirely false, because fact checking is hard. Any claims otherwise are people who were phished/keylogged and didn't have an authenticator.

The only way it'd be secure to emulate an Android and run the authenticator was if that machine was completely separate from your gaming machine and never ever connected to any kind of network. If your machine is compromised, so is your Android emulator. It's more work to compromise an account that way, but you only have to know how to do it once in order to automate it as part of your attack. Running an entire additional computer is more expensive and much more of a hassle than carrying an authenticator.

Edit: Also the dial-in authenticator currently only applies to WoW.

greedycheese

@l3illyl3ob: This is good advice. It's advice that I have given other people. Until this happened, I thought I was following it myself but this whole thing is making me re-evaluate.

Ravenlight

@NS1126 said:

Also, Blizzard CS is pretty lax in their reply times.

Do you realize how many support tickets they must be getting for a launch this large? I agree that waiting sucks, but c'mon. Cut their outsourced, barely literate support team some slack :P

Bartz

@ildon said:

@Bartz said:

"What are traditional means?"

You asked this question directly after blizzard defined traditional means as "someone else logging into their account through the use of their password."

Almost every person who gets his account compromised is a victim of his own stupidity.

I don't think that's fair. Although it's less prevalent now because ad sellers seem to be getting better at catching and policing this stuff, and browsers and Flash are getting a bit better at allowing fewer security holes, in the past a huge rash of MMO game account compromises have been due to hackers putting up ads that contained malware, and those ads getting put up on popular and legit fan sites for those games. It's one thing for someone to stupidly click a bad link in a phishing email (your fault), it's another to visit your regular gaming website and get a trojan through your browser (not your fault).

Personally, I do run Firefox with NoScript and have for a long time, but I don't think that's honestly a fair expectation for most PC users.

Stupidity might be harsh, I guess, but you could say it's ignorance. People who use the internet accept the risks whether they know it or not, and if they get a trojan/virus/whatever, it is still their fault. It most certainly isn't Blizzard's fault.

GunslingerPanda

If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

What a stupid thing to say. I use an authenticator, but why on earth should a game require an additional security measure that costs more money (not everyone has a fancy phone like me) to run?

TentPole

Suggesting mandatory authenticators is extremely naive and idiotic on Patrick's part.

greedycheese

@TehBuLL said:

@greedycheese what part of Blizzard saying the SessionID theory is impossible is hard to believe? I would instead start thinking of any emails you've clicked or install files downloaded from non-blizzard sites. Hell these days clicking on random wiki sites is a death wish. I'm only talking all this jazz until my stuff gets stolen, then I'll be just as pissed. I'm just glad my hackers are nice enough to wait until the Real money auction house is up.

I don't think I ever said that... I have no problem with Blizzard's response to this so far other than the 48 minute wait on hold when I called them to sort this out. But I have worked in a call center before, so I certainly don't blame those dudes. I haven't seen any real evidence to support the SessionID theory.

My problem is this: I think that the shouting match between the Pro-SessionID people and those asking for evidence has gotten so loud and toxic that it has become hard to understand what is actually going on. My experience getting compromised makes me feel that there might be something going on that is different from the run-of-the-mill keylogging/phishing scams.

Something that falls between the extremes of "If you get hacked it's your damn fault" and "If I get hacked it is all Blizzard's fault."

ildon

@Bartz said:

"What are traditional means?"

You asked this question directly after blizzard defined traditional means as "someone else logging into their account through the use of their password."

Almost every person who gets his account compromised is a victim of his own stupidity.

I don't think that's fair. Although it's less prevalent now because ad sellers seem to be getting better at catching and policing this stuff, and browsers and Flash are getting a bit better at allowing fewer security holes, in the past a huge rash of MMO game account compromises have been due to hackers putting up ads that contained malware, and those ads getting put up on popular and legit fan sites for those games. It's one thing for someone to stupidly click a bad link in a phishing email (your fault), it's another to visit your regular gaming website and get a trojan through your browser (not your fault).

Personally, I do run Firefox with NoScript and have for a long time, but I don't think that's honestly a fair expectation for most PC users.

l3illyl3ob

@greedycheese: I know that nobody wants to admit they could be a victim to it, but there's always the possibility of phishing. Sometimes all it is is a normal looking newsletter or whatever copied from blizzard, but replaced with their own links instead, hoping people would click on them and log into their phony site. Never click on a link from an email, ever.

I just look at the two current theories right now, and regardless of what Blizzard says on the matter, I just don't see any proof for Session ID hijacking, and it's pretty telling to me that every person who gets hacked doesn't have an authenticator. The most likely scenario is that all of this is just traditional hacking. I hope you find out what happened to you, greedycheese.

dvorak

@Styl3s said:

@TehBuLL said:

I had my WOW account jacked before I had an authenticator. The key is to not get drinky and click that email saying I was invited to the new beta. Can only blame myself. Never open ANY email from Blizzard. All of these tactics and account jacking are old news to WOW Vets who have seen a guild bank looted.

I have had my WOW account jacked with an authenticator and I never click blizzard emails.

Believe it or not it's not ALWAYS the user's fault.

Yeah I had the same thing happen. I had a damn authenticator and lost all kinds of stuff, never to be recovered. There's easy human element ways to get around an authenticator.

That was years ago in WoW though, and I haven't had any issues since.

jesterroyal

I think session ID thefts have always been a perfect internet horror story. I hear them everywhere and yet nobody ever proves it was more than just getting bumped from their login. Thinking of getting the authenticator since I can't easily store an overly complicated password in a pw database like usual..

HydraHam

@TehBuLL said:

I had my WOW account jacked before I had an authenticator. The key is to not get drinky and click that email saying I was invited to the new beta. Can only blame myself. Never open ANY email from Blizzard. All of these tactics and account jacking are old news to WOW Vets who have seen a guild bank looted.

I have had my WOW account jacked with an authenticator and I never click blizzard emails. Also 2 of my friends who have authenticators have had their D3 accounts wiped and guess what? They aren't to blame.

Believe it or not it's not ALWAYS the user's fault and I am sick of people believing blizzard is always innocent, sometimes the shit is on their side.

EXTomar

If the SC and WoW clients are any indication, all client and server chatter is "player command" oriented. Stuff like "select NNNN", "buy MMMM", "action5". There is no way for the client to build a command and push it to the "Battle.net protocol" that is like "move otherplayer" or even "sell otherplayer weapon" or even "tell me otherplayer account". There isn't supposed to be enough information given to the player's client about any other player let alone enough to take over their account since all players are "cache entities" that are commanded by the server.

If someone has hacked their client to make Battle.net do something it was never designed to do then that is amazing. After years of WoW and a lot of SC2 no one has broken this yet. It isn't impossible there is a serious flaw in the Diablo 3 client that exposes some really crazy flaw in the bigger Battle.net protocol but Occam's Razor suggests someone just figured out the email/password.

greedycheese

@l3illyl3ob: I get that they could kick me off. My question is why couldn't I kick them back off? Did they change my password superfast? Is it possible that they could change my password before they logged in to D3?

As for virus scans, I am running OSX and do not have flash or java installed. As far as I know the only current vulnerabilities are trojans. I know that there will be OSX exploits eventually. There is no such thing as a 100% safe OS. It just seems highly unlikely to me that it's the case right now.

ichthy

For anyone that firmly believes this session ID theory, find me the primary source and definitive proof or you are full of shit. Thanks.

buft

@TehBuLL said:

I had my WOW account jacked before I had an authenticator. The key is to not get drinky and click that email saying I was invited to the new beta. Can only blame myself. Never open ANY email from Blizzard. All of these tactics and account jacking are old news to WOW Vets who have seen a guild bank looted.

I had my account jacked before authenticator, logged into battle.net from a public pc while on holidays. Not related to my account but one time our guild bank lost quarter of a million gold after an officer got hacked.

Got an authenticator and everything has been hunky-dory ever since

tehbull

@greedycheese what part of Blizzard saying the SessionID theory is impossible is hard to believe? I would instead start thinking of any emails you've clicked or install files downloaded from non-blizzard sites. Hell these days clicking on random wiki sites is a death wish. I'm only talking all this jazz until my stuff gets stolen, then I'll be just as pissed. I'm just glad my hackers are nice enough to wait until the Real money auction house is up.

sundowner

@SomeJerk:

Every single person that has claimed this has yet to show any proof at all. Why don't you post some?

TurtleFish

Nobody can really say anything at this point. The only people who know are within Blizzard, and as somebody else pointed out, they may not be far enough along the debugging checklist to know themselves.

We can speculate, perhaps intelligently -- but all the real evidence out there of issues are forum posts and rumours without any real analysis or logs, and a normal PR response by a company that points the finger somewhere else, and, oh, BTW, we have this service that you can pay money for that would help with this issue. There's no way to tell yet if this is just the usual cost of business, or if there's an actual security flaw being exploited. (The time to watch won't be now, but when the real money auction house comes online -- because that's when real money can be made. That's when people would do nasty stuff, if there really is a zero-day exploit floating out there.)

JGH

l3illyl3ob

@NS1126 said:

I got hacked this morning. I am a level 60 monk in Inferno Act 2, just beyond Maghda. All my stuff is gone (gems, 3 equip sets - MF, damage/hp, resistance set - and all my cash). They even cleared out all the sold stuff from my AH.

I submitted a ticket 8 hours ago and have no reply yet. The status of the ticket is open. I have added an authenticator now that this has happened.

However, Blizzard supposedly only does character rollbacks twice. Assuming they agree that I was hacked, they will rollback to a previously saved state. However, I should not have this count as one of my two chances since this is not my fault.

I ran AVG and Spybot S&D on both of my computers and got an all clear flag from both. Also, Blizzard CS is pretty lax in their reply times.

Try running Microsoft Security Essentials. I know a guy who was insistent that it wasn't his fault and he was not infected at all, and after running MSE, his third virus scanner, he found out he was actually infected with a dangerous rootkit. Most likely, you have been infected by something, somehow. Running one virus scanner and one spyware detector isn't going to completely protect you.

edit: Run avast for good measure, too. Basically, if my account was compromised, whether or not it was my fault, I'd run every virus scanner under the sun.

greedycheese

@ThatPrimeGuy: I don't think so. They have free smartphone apps, a sms service and they sell the authenticator for 6 bucks which has to be close to cost. Not exactly an enviable revenue stream...

tehbull

I had my WOW account jacked before I had an authenticator. The key is to not get drinky and click that email saying I was invited to the new beta. Can only blame myself. Never open ANY email from Blizzard. All of these tactics and account jacking are old news to WOW Vets who have seen a guild bank looted.

l3illyl3ob

Blizzard sells the authenticators at cost or at a loss. They don't profit from them at all. They're only $6 from blizzard, while similar devices can retail for up to $50 elsewhere.

NS1126

I got hacked this morning. I am a level 60 monk in Inferno Act 2, just beyond Maghda. All my stuff is gone (gems, 3 equip sets - MF, damage/hp, resistance set - and all my cash). They even cleared out all the sold stuff from my AH.

I submitted a ticket 8 hours ago and have no reply yet. The status of the ticket is open. I have added an authenticator now that this has happened.

However, Blizzard supposedly only does character rollbacks twice. Assuming they agree that I was hacked, they will rollback to a previously saved state. However, I should not have this count as one of my two chances since this is not my fault.

I ran AVG and Spybot S&D on both of my computers and got an all clear flag from both. Also, Blizzard CS is pretty lax in their reply times.

ThatPrimeGuy

Anyone else feel they've basically just been using this as an excuse to sell Authenticators? I've got nothing but a "Well, it wouldn't have happened if you had bought this." feeling from all these latest statements. I have no interest in Diablo III (Borderlands is my preferred loot grind, personally) but it just seems they've done nothing but sidestep every issue that comes up. I don't like Activision one bit and I admit I'm not much of a Blizzard fan but these statements just seem to reek of backpedaling....

/2 cents

Xeirus

@LikeaSsur said:

@Xeirus said:

@Rappelsiini said:

@Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

Then, honestly, why bother. Does it really annoy you so bad you have to go out of your way to make a useless post?

The irony is palpable.

Oh gee, look at another one. Someone has zero sense of irony, maybe you shouldn't use a word you don't understand.

Nephrahim

I don't know... this doesn't sound right to me. The Session ID stealing makes a lot of sense.

But then I didn't buy Diablo III so I haven't bothered looking at all the facts.

l3illyl3ob

Like I said a couple posts up, if someone logs in using your username and password, while you are currently online, you will get disconnected. That's what happened to you. Someone got a hold of your pw somehow.

I'd run multiple virus scans if I was you. You most likely have been compromised in some fashion. It doesn't matter how safe you think you are, sometimes all it takes is loading a site that's running a bad flash ad.

Alorithin

@greedycheese:

@Alorithin: I don't know what to say, man. It's the internet and I can't prove anything.

We are at an impasse.

LikeaSsur

@Xeirus said:

@Rappelsiini said:

@Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

Then, honestly, why bother. Does it really annoy you so bad you have to go out of your way to make a useless post?

The irony is palpable.

greedycheese

@Alorithin: I don't know what to say, man. It's the internet and I can't prove anything. I know it sounds unlikely that's why I want someone to help me figure this out. One second I was playing with two friends, then poof.

It's not that big of a deal. I didn't even have much gold, only lost 40K.

I just want to know what I can do to keep it from happening again. (I immediately got an authenticator after this.)

Alorithin

@Sweetz: You're confusing speculation with a corporate statement. If you're alluding to the 2011 Sony stuff, that is SQL injection apples to angry people on the internet oranges.

l3illyl3ob

@SomeJerk said:

They are correct. The accounts have not been compromised. Session IDs still being directly tied to data on people's accounts, i.e. Blizzard themselves, their responsibility of safety, has been compromised. There is a reason people who get disconnected and find their characters wiped clean in less than a minute see random gibberish or a Chinese name of a lv1/2 character with up to hours played on the recently played list. This is a real deal that an authenticator won't help you from. If somebody has you listed as a friend and you pop an achievement while playing, your session ID can be taken from that data. Using an authenticator and truly unique super-strong passwords are still a very, very good idea, mind you.

Do you have any actual source for your information other than wild speculation and what people say on battle.net?

To give you some context for this, if someone logs into your account while you're on, you get disconnected. This happened when I shared my WoW account with my brother. The first thing they do when they log into your account is add someone to your friends list and then transfer over all your gear to them as fast as humanly possible. Then when you log back in, you boot them out and the damage has already been done. This can explain pretty much all of the cases where someone got disconnected and then lost their stuff.

There still has been zero proof of actual session ID hijackings other than the current mass hysteria and rampant speculation.

Alorithin

@l3illyl3ob: Especially when the Eurogamer story was proven false. Disgusting.

SomeJerk

They are correct. The accounts have not been compromised. Session IDs still being directly tied to data on people's accounts, i.e. Blizzard themselves, their responsibility of safety, has been compromised. There is a reason people who get disconnected and find their characters wiped clean in less than a minute see random gibberish or a Chinese name of a lv1/2 character with up to hours played on the recently played list. This is a real deal that an authenticator won't help you from. If somebody has you listed as a friend and you pop an achievement while playing, your session ID can be taken from that data.

Using an authenticator and truly unique super-strong passwords are still a very, very good idea, mind you.

e: Btw, the way to do this is in non-Chinese hands right now. Not sure if the code was bought, leaked, stolen or if it was simply "Aha" reverse-engineered. Still, Torchlight 2 is coming next month or July.

l3illyl3ob

I want to applaud Giant Bomb for showing restraint on this story. A ton of news sites ran this story using unverified battle.net posts as their only sources. A random guy on the internet claims he had an authenticator but got hacked anyways? That's a news story to Rock Paper Shotgun I guess.

A lot of sites lost credibility in my eyes as a result of this, and I'm glad Giant Bomb isn't one of them.

UnlivedPhalanx

@Bartz said:

Almost every person who gets his account compromised is a victim of his own stupidity.

THIS.