Blizzard Says Battle.Net Hasn’t Been Compromised

The launch of Diablo III has been a series of highs and lows. The game seems pretty great, but the always-on online requirements have come under scrutiny, and allegations of account hacking surfaced a few days back.

Blizzard did issue a statement earlier this week regarding compromised accounts, but I didn't run the studio’s comments yet because I was waiting for the company to answer a series of questions, which are below:

• "We'd like to take a moment to address the recent reports that suggested that Battle.net and Diablo III may have been compromised." -- Does Blizzard's analysis of the situation suggest there has been zero compromise of Battle.net and the subsequent "hacks" are 100% the result of outside interference?

• In a follow up post, a community manager wrote: "We have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password." What exactly are "traditional means"?

• In the same post, the same community manager said: "[We] have done everything possible to verify how and in what circumstances these compromises are occurring." Can you outline what these circumstances are to help players combat against it?

• If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

Blizzard public relations told me the answers to my questions lay within an update this morning. That's mostly true.

Blizzard claims Battle.net has not been compromised, and the number of customers who have contacted the company about compromises has been “extremely small.” An actual number was not disclosed, and Blizzard said it has not received reports of account issues from any customers using the company’s authentication services.

For more details on those authentication services, click right here.

The issues in question have arisen from accounts being accessed using a user’s login and password, which Blizzard characterizes as a “traditional” mean of compromising an account. Blizzard outlined ways to protect yourself:

“The best defense against account theft still includes smart password management (e.g. using a unique password for every site/service and keeping your password to yourself) and scanning for malware and viruses regularly, as well as following additional preventative steps found here. In the end, while no security method is 100% foolproof, the physical Battle.net Authenticator and Battle.net Mobile Authenticator app are great ways to provide your account with an extra layer of protection.”

Additionally, Blizzard claims to have found no evidence of account spoofing after players join a game.

“We’ve determined the methods being suggested to do so are technically impossible,” said the company.

In other Diablo news, Blizzard is looking into restoring lost achievements for some players, and the real-money auction house has been pushed back to an undetermined launch date.

Well if don't have a smart phone you can't get the Authenticator for free. So i belive thats why they are not manditory yet. Unlesss they plan on packing the ones you can buy.

I have an authenticator and play mostly single-player so this isn't huge to me but I do feel bad for anyone who has had their account compromised.

@Hockeymask27: Several of the CE of their games came with them.

I'm sorry Patrick but your questions regarding Blizzards statement seem pretty stupid.

"What are traditional means?"

You asked this question directly after blizzard defined traditional means as "someone else logging into their account through the use of their password."

Almost every person who gets his account compromised is a victim of his own stupidity.

@Rappelsiini said:

I'm sorry Patrick but your questions regarding Blizzards statement seem pretty stupid.

Sorry, but so does your response.

It's easy; they can't make an authenticator necessary because a) not everyone has a smart phone, b) it's $5 to get the key chain authenticator and not everyone has access for one of those, c) some people just don't want to have to deal with it.  
  
That said, I have one and have never had my account hacked. 

@Rappelsiini said:

@Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

Then, honestly, why bother. Does it really annoy you so bad you have to go out of your way to make a useless post?

I was one of the people that had his account compromised. I was not using an authenticator at the time and I was playing on the mac. (Not implying that OSX is somehow hackproof, just giving a data point)

The thing that was odd was that I was playing the game at the time. I got booted with an error message that said that my account was already connected. Then I was unable to log back in.

So my question is: What traditional method can work while I am logged in? If they just got my password through traditional means why couldn't I log back in and kick them out?

@Xeirus:

Because tacos.

@greedycheese: Sounds like a hypothetical that you scribbled down because that very series of events cannot take place.

@Xeirus said:

@Rappelsiini said:

@Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

Then, honestly, why bother. Does it really annoy you so bad you have to go out of your way to make a useless post?

Yes it does. Usually Patrick is straight to point and concentrates to the stuff that matters but this just feels like he is trying to question the man with nonsense. If he had something reasonable I'd love that but he doesn't.

This will continue to be an issue for a while. With items not being soulbound, and a cash auction house to sell stolen loot on, I can see it being worse than other online games.

I have an authenticator though, so no worries.

Good to hear, although it only clarifies their statements in their forums, and doesn't explain why a number of people are so confused about how their accounts were attacked. I suppose some people could be malicious, but its seems like other were just honestly confused about how their accounts were secured. Perhaps a better tutorial on how to utilize the authenticator is in order.

Also I don't agree with Blizzard's password strength algorithm: Length is more important then limiting repetition. And they limit you to 16 characters... why? Still, they have progressive security options in comparison to other services, so they're clearly interested in protecting accounts.

This completely dodges the whole question of why the fuck I have to log in to play a single player game to begin with.

Next thing will be someone getting banned from their single player game.

@Mihos: They've already spelled out the reasoning. You've refused their logic and used your own.

The six stages of debugging:

1. That can't happen.

2. That doesn't happen on my machine.

3. That shouldn't happen.

4. Why does that happen?

5. Oh, I see.

6. How did that ever work?

Looks like Blizzard is still at stage 1. Just because you can't see how a hacker intruded into your system doesn't mean it's impossible. Hacking often involves creating odd situations that the code simply cannot handle and that the original programmer has never even thought of. By the sound of it their intrusion detection systems don't detect the attack vector either so they'd only see that a hack occurs when the hacker logs in normally again.

From the issues I've been seeing, it had nothing to do with login/password.  It was people being able to exploit data packets which isn't traditional.  Why isn't blizz addressing all those complaints?

Blizzard are better than this. They should KNOW that this is a simple session hijack hack, much like smartphone programs that could swipe into someone's logged in Facebook account.

Right, in most of the discussions, I don't think there was much question of Battle.Net in general or people's logins being compromised. There was a question of whether session ID spoofing/session hijacking was being used to log into Diablo 3 servers as another player without needing any access to that player's login info.

I suppose that's what they're addressing in this bit:

Additionally, Blizzard claims to have found no evidence of account spoofing after players join a game.

“We’ve determined the methods being suggested to do so are technically impossible,” said the company.

But that doesn't exactly instill that much confidence. I've seen other network techs say "that's impossible" until they see someone do it in front of their face.

If it is session hijacking, then no combination of password protection or authenticators is going to do squat.

@Hockeymask27 said:

Well if don't have a smart phone you can't get the Authenticator for free. So i belive thats why they are not manditory yet. Unlesss they plan on packing the ones you can buy.

Wrong. There's a Windows emulator for Battle.net authenticators, and there's also a dial-in authenticator that will literally work with any phone.

@zeekthegeek said:

Blizzard are better than this. They should KNOW that this is a simple session hijack hack, much like smartphone programs that could swipe into someone's logged in Facebook account.

Also wrong. There's been literally no indication that the session ID hijack has been real. It was started up by a guy at Eurogamer, and is entirely false, because fact checking is hard. Any claims otherwise are people who were phished/keylogged and didn't have an authenticator.

@Mihos said:

This completely dodges the whole question of why the fuck I have to log in to play a single player game to begin with.

You already know why.

@Rawson: I must of missed it. All I see is this when I tried to add one. If you could link me that be sweet.

Have the duders mentioned what's for TNT today? (I haven't finish listening to the bombcast) Or we just assume it's more Diablo? (they could go back and play Max Payne 3)

@Hockeymask27: http://us.battle.net/support/en/article/battle-net-dial-in-authenticator-faq

I have the token authenticator, so I can't tell you where it would be on the Security page.

That would be true if Diablo was a single player game but that is a dead horse beaten for decades....

This all sounds just like when external hacks swept through WoW where players thought and swore they kept their accounts secured but actually missed something.

As for how to help without sending out stuff to everyone or forcing everyone to buy smart phones, maybe they need to create a "desktop authenticator". Make it part of their Battle.Net account where all you have to do is download and install it and it provides an interface similar to what smart phone users see for their 2 step login. This is possible now but it is a bit too technical for lot of people and also it isn't ideal but it is much better than going without.

@Bartz: He actually asked it before they said that, he didn't run the questions until they answered them, and they answered them with the update, this morning.

@Bartz said:

Almost every person who gets his account compromised is a victim of his own stupidity.

THIS.

I want to applaud Giant Bomb for showing restraint on this story. A ton of news sites ran this story using unverified battle.net posts as their only sources. A random guy on the internet claims he had an authenticator but got hacked anyways? That's a news story to Rock Paper Shotgun I guess.

A lot of sites lost credibility in my eyes as a result of this, and I'm glad Giant Bomb isn't one of them.

They are correct. The accounts have not been compromised. Session IDs still being directly tied to data on peoples accounts, ie Blizzard themselves, their responsibility of safety, has been compromised. There is a reason people who get disconnected and find their characters wiped clean in less than a minute see random jibberish or a chinese name of a lv1/2 character with up to hours played on the recently played list. This is a real deal that an authenthicator won't help you from. If somebody has you listed as a friend and you pop an achievement while playing, your session ID can be taken from that data.
 
Using an authenticator and truly unique super-strong passwords are still a very, very good idea, mind you.
 
 
e: Btw, the way to do this is in non-Chinese hands right now. Not sure if the code was bought, leaked, stolen or if it was simply "Aha" reverse-engineered. Still, Torchlight 2 is coming next month or July.

@l3illyl3ob: Especially when the Eurogamer story was proven false. Disgusting.

@SomeJerk said:

They are correct. The accounts have not been compromised. Session IDs still being directly tied to data on peoples accounts, ie Blizzard themselves, their responsibility of safety, has been compromised. There is a reason people who get disconnected and find their characters wiped clean in less than a minute see random jibberish or a chinese name of a lv1/2 character with up to hours played on the recently played list. This is a real deal that an authenthicator won't help you from. If somebody has you listed as a friend and you pop an achievement while playing, your session ID can be taken from that data. Using an authenticator and truly unique super-strong passwords are still a very, very good idea, mind you.

Do you have any actual source for your information other than wild speculation and what people say on battle.net?

To give you some context for this, if someone logs into your account while you're on, you get disconnected. This happened when I shared my WoW account with my brother. The first thing they do when they log into your account is add someone to your friend's list and then transfer over all your gear to them as fast as humanly possible. Then when you log back in, you boot them out and the damage has already been done. This can explain pretty much all of the cases where someone got disconnected and then lost their stuff.

There still has been zero proof of actual session ID hijackings other than the current mass hysteria and rampant speculation.

@Sweetz: You're confusing speculation with a corporate statement. If you're alluding to the 2011 Sony stuff, that is SQL injection apples to angry people on the internet oranges.

@Alorithin: I don't know what to say, man. It's the internet and I can't prove anything. I know it sounds unlikely that's why I want someone to help me figure this out. One second I was playing with two friends, then poof.

It's not that big of a deal. I didn't even have much gold, only lost 40K.

I just want to know what I can do to keep it from happening again. (I immediately got an authenticator after this.)

@Xeirus said:

@Rappelsiini said:

@Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

Then, honestly, why bother. Does it really annoy you so bad you have to go out of your way to make a useless post?

The irony is palpable.

@greedycheese:

@Alorithin: I don't know what to say, man. It's the internet and I can't prove anything.

We are at an impasse.

@greedycheese Like I said a couple posts up, if someone logs in using your username and password, while you are currently online, you will get disconnected. That's what happened to you. Someone got a hold of your pw somehow.

I'd run multiple virus scans if I was you. You most likely have been compromised in some fashion. It doesn't matter how safe you think you are, sometimes all it takes is loading a site that's running a bad flash ad.

I don't know... this doesn't sound right to me. The Session ID stealing makes a lot of sense.

But then I didn't buy Diablo III so I haven't bothered looking at all the facts.

@LikeaSsur said:

@Xeirus said:

@Rappelsiini said:

@Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

Then, honestly, why bother. Does it really annoy you so bad you have to go out of your way to make a useless post?

The irony is palpable.

Oh gee, look at another one. Someone has zero sense of irony, maybe you shouldn't use a word you don't understand.

Anyone else feel they've basically just been using this as an excuse to sell Authenticators? I've got nothing but a "Well, it wouldn't of happened if you had bought this." feeling from all these latest statements. I have no interest in Diablo III (Borderlands is my preferred loot grind, personally) but it just seems they've done nothing but sidestep every issue that comes up. I don't like Activision one bit and I admit I'm not much of a Blizzard fan but these statements just seem to reek of backpedaling....

/2 cents

I got hacked this morning. I am a level 60 monk in Inferno Act 2, just beyond Maghda. All my stuff is gone (gems, 3 equip sets - MF, damage/hp, resistance set - and all my cash). They even cleared out all the sold stuff from my AH.

I submitted a ticket 8 hours ago and have no reply yet. The status of the ticket is open. I have added an authenticator now that this has happened.

However, Blizzard supposedly only does character rollbacks twice. Assuming they agree that I was hacked, they will rollback to a previously saved state. However, I should not have this count as one of my two chances since this is not my fault.

I ran AVG and Spybot S&D on both of my computers and got an all clear flag from both. Also, Blizzard CS is pretty lax in their reply times.

@ThatPrimeGuy Blizzard sells the authenticators at cost or at a loss. They don't profit from them at all. They're only $6 from blizzard, while similar devices can retail for up to $50 elsewhere.

I had my WOW account jacked before I had an authenticator. The key is to not get drinky and click that email saying I was invited to the new beta. Can only blame myself. Never open ANY email from Blizzard. All of these tactic and account jacking are old news to WOW Vets who have seen a guild bank looted.

@ThatPrimeGuy: I don't think so. They have free smartphone apps, a sms service and they sell the authenticator for 6 bucks which has to be close to cost. Not exactly an enviable revenue stream...

@NS1126 said:

I got hacked this morning. I am a level 60 monk in Inferno Act 2, just beyond Maghda. All my stuff is gone (gems, 3 equip sets - MF, damage/hp, resistance set - and all my cash). They even cleared out all the sold stuff from my AH.

I submitted a ticket 8 hours ago and have no reply yet. The status of the ticket is open. I have added an authenticator now that this has happened.

However, Blizzard supposedly only does character rollbacks twice. Assuming they agree that I was hacked, they will rollback to a previously saved state. However, I should not have this count as one of my two chances since this is not my fault.

I ran AVG and Spybot S&D on both of my computers and got an all clear flag from both. Also, Blizzard CS is pretty lax in their reply times.

Try running Microsoft Security Essentials. I know a guy who was insistent that it wasn't his fault and he was not infected at all, and after running MSE, his third virus scanner, he found out he was actually infected with a dangerous rootkit. Most likely, you have been infected by something, somehow. Running one virus scanner and one spyware detector isn't going to completely protect you.

edit: Run avast for good measure, too. Basically, if my account was compromised, whether not not it was my fault, I'd run every virus scanner under the sun.

Nobody can really say anything at this point. The only people who know are within Blizzard, and as somebody else pointed out, they may not be far enough along the debugging checklist to know themselves.

We can speculate, perhaps intelligently -- but all the real evidence out there of issues are forum posts and rumours without any real analysis or logs, and a normal PR response by a company that points the finger somewhere else, and, oh, BTW, we have this service that you can pay money for that would help with this issue. There's no way to tell yet if this is just the usual cost of business, or if there's an actual security flaw being exploited. (The time to watch won't be now, but when the real money auction house comes online -- because that's when real money can be made. That's when people would do nasty stuff, if there really is a zero-day exploit floating out there.)

JGH

@SomeJerk:

Every single person that has claimed this has yet to show any proof at all. Why don't you post some?