
Giant Bomb News


Blizzard Says Battle.Net Hasn’t Been Compromised

Reports of account "hacking" are not necessarily a sign of security issues.


The launch of Diablo III has been a series of highs and lows. The game seems pretty great, but the always-on online requirements have come under scrutiny, and allegations of account hacking surfaced a few days back.

Blizzard did issue a statement earlier this week regarding compromised accounts, but I hadn't run the studio’s comments yet because I was waiting for the company to answer a series of questions, which are below:

  • "We'd like to take a moment to address the recent reports that suggested that Battle.net and Diablo III may have been compromised." -- Does Blizzard's analysis of the situation suggest there has been zero compromise of Battle.net and the subsequent "hacks" are 100% the result of outside interference?

  • In a follow up post, a community manager wrote: "We have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password." What exactly are "traditional means"?

  • In the same post, the same community manager said: "[We] have done everything possible to verify how and in what circumstances these compromises are occurring." Can you outline what these circumstances are to help players combat against it?

  • If the authenticator is the best way to keep an account secure, why not make that a requirement for play?

Blizzard public relations told me the answers to my questions lay within an update this morning. That's mostly true.

Blizzard claims Battle.net has not been compromised, and the number of customers who have contacted the company about compromises has been “extremely small.” An actual number was not disclosed, and Blizzard said it has not received reports of account issues from any customers using the company’s authentication services.


The issues in question have arisen from accounts being accessed with the account holder’s own login and password, which Blizzard characterizes as the “traditional” means of compromising an account. Blizzard outlined ways to protect yourself:

“The best defense against account theft still includes smart password management (e.g. using a unique password for every site/service and keeping your password to yourself) and scanning for malware and viruses regularly, as well as following additional preventative steps found here. In the end, while no security method is 100% foolproof, the physical Battle.net Authenticator and Battle.net Mobile Authenticator app are great ways to provide your account with an extra layer of protection.”

Additionally, Blizzard claims to have found no evidence of accounts being spoofed, that is, taken over in-session, after players join a game.

“We’ve determined the methods being suggested to do so are technically impossible,” said the company.

In other Diablo news, Blizzard is looking into restoring lost achievements for some players, and the real-money auction house has been pushed back to an undetermined launch date.

Patrick Klepek on Google+

179 Comments

Zomgfruitbunnies

@mbkish said:

@Zomgfruitbunnies said:

I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

Fuck off.

This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers, avoid unprotected browsing and unknown sites, and don't run anything you aren't sure is safe.

You have missed my point completely. Just because shit happens doesn't mean it's up to everyone to take all of the precautions in the world to prevent said shit from happening to them. Shit happens because there are assholes out there being assholes. People can take all of the precautions they want, but assholes will continue to be assholes because taking precautions does not make the assholes not be assholes.

Blame the assholes, not the people that got shit on by the assholes.

In addition, wearing a stab-vest prevents one from being stabbed in the torso by random guy, but that doesn't mean it's up to people to wear stab-vests so they don't get randomly stabbed.

mbkish

@Zomgfruitbunnies said:

@mbkish said:

@Zomgfruitbunnies said:

I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

Fuck off.

This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers, avoid unprotected browsing and unknown sites, and don't run anything you aren't sure is safe.

You have missed my point completely. Just because shit happens doesn't mean it's up to everyone to take all of the precautions in the world to prevent said shit from happening to them. Shit happens because there are assholes out there being assholes. People can take all of the precautions they want, but assholes will continue to be assholes because taking precautions does not make the assholes not be assholes.

Blame the assholes, not the people that got shit on by the assholes.

In addition, wearing a stab-vest prevents one from being stabbed in the torso by random guy, but that doesn't mean it's up to people to wear stab-vests so they don't get randomly stabbed.

Shut up, Asshole!

Zomgfruitbunnies

@mbkish said:

Shut up, Asshole!

Can't. Diarrhea.

obinice
@Hockeymask27 I had a physical authenticator for a while. Eventually the internal clock went so out of sync it was useless. When I looked into it it seemed to be a common issue. Anyway, had no problems with the Android authenticator!
JBG4

@Bunny_Fire: I meant not playing multiplayer... The reports that I have read regarding this situation have stated that most people who have been hacked at this point have recently played multiplayer. I wasn't saying that I play the game offline without a connection, I was using offline to say that I have been playing mostly single player. I should have specified that a little more I guess.

BionicRadd

@Turambar said:

@BionicRadd said:

@Turambar said:

@mbkish said:

@Zomgfruitbunnies said:

I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

Fuck off.

This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers, avoid unprotected browsing and unknown sites, and don't run anything you aren't sure is safe.

I fit all the all the requirements of someone "taking precaution". What now? Am I still at fault?

You had an authenticator and a strong password and used an email that you only use to log in to Battle.net? You did ALL of those things and got compromised? I don't buy it.

Didn't have an authenticator, but yep to all the rest. Here's the running theory on just what is being exploited. Original post can be found here.

You make a credential handshake once in the entire session. This happens at the time of login and this is what gets logged (IPs, account IDs, etc.).

At this point only session identifiers get transferred back and forth for each transaction. A transaction is whenever the state on your account changes. This could be anything from making an AH purchase to picking up some uber sword, or completing a quest, etc..

If I steal your session identifier and send that instead of mine, then I now have access to your account and I completely bypassed the need to login. This could happen in real time. It's possible Blizzard made the system spaz out when it detects multiple detections from the same account ID, so it keeps the most recent one logged in and kicks the old one.

The tools to do this might have also allowed the malicious user to change credentials on the fly. The game client assumes it's not hacked and the session is legit, so it makes the changes live.

While it is a theory and of course Blizzard will never confirm/disclose the specifics of their security flaw, it does a good job explaining the specific circumstances surrounding my hacking: the fact that I was booted off the game while in the middle of browsing the auction house, and the fact that my password was already changed when I tried to log back in mere seconds later. Therein lies the rub: of course it is hard to believe that the above is actually happening unless it suddenly happens to you as well.

How did they log in to Battle.net and change your password without knowing your old password? I have never gotten into the account management section of Battle.net without having to login.
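The session-hijacking theory quoted in the post above boils down to one design question: is the session identifier a bearer token (whoever presents it is the owner), or is each transaction bound to secret material established at the login handshake? The following is an added example, not Blizzard's code and not a description of how Battle.net actually works. It models both designs in a toy server with constructed sample data; the per-session key, the message format and the counter scheme are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not Blizzard's code. A toy game server modelling the pattern
# in the comment: one credential handshake at login, then only a session
# identifier on each transaction. BearerSessionServer treats that identifier
# as proof of identity; BoundSessionServer binds every transaction to a
# per-session key and a counter, and re-checks the password before changes.


def sample_accounts():
    return {"alice": {"password": "correct horse", "gold": 500}}  # constructed


class BearerSessionServer:
    """Naive design: whoever presents the session ID is treated as the owner."""

    def __init__(self):
        self.accounts = sample_accounts()
        self.sessions = {}  # session_id -> account name

    def login(self, account, password):
        if self.accounts.get(account, {}).get("password") != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(16)
        self.sessions[sid] = account
        return sid

    def transaction(self, sid, action, arg):
        account = self.sessions.get(sid)
        if account is None:
            raise PermissionError("unknown session")
        if action == "change_password":
            self.accounts[account]["password"] = arg
        elif action == "transfer_gold":
            self.accounts[account]["gold"] -= int(arg)
        return account


class BoundSessionServer:
    """Hardened design. The session key would come from the login key
    agreement in a real protocol; here it is simply handed to the client.
    Each message carries an HMAC over (session, counter, action, argument)
    and the counter must strictly increase: a captured message cannot be
    replayed and a new one cannot be forged from the session ID alone."""

    def __init__(self):
        self.accounts = sample_accounts()
        self.sessions = {}  # session_id -> {"account", "key", "counter"}

    def login(self, account, password):
        if self.accounts.get(account, {}).get("password") != password:
            raise PermissionError("bad credentials")
        sid, key = secrets.token_hex(16), secrets.token_bytes(32)
        self.sessions[sid] = {"account": account, "key": key, "counter": 0}
        return sid, key

    @staticmethod
    def tag(key, sid, counter, action, arg):
        msg = f"{sid}|{counter}|{action}|{arg}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def transaction(self, sid, counter, action, arg, tag, password=None):
        s = self.sessions.get(sid)
        if s is None:
            raise PermissionError("unknown session")
        if counter != s["counter"] + 1:
            raise PermissionError("replayed or out-of-order message")
        if not hmac.compare_digest(self.tag(s["key"], sid, counter, action, arg), tag):
            raise PermissionError("bad MAC")
        s["counter"] = counter
        acct = self.accounts[s["account"]]
        if action == "change_password":
            # Step-up: a live session alone is not enough to change credentials.
            if password != acct["password"]:
                raise PermissionError("step-up authentication required")
            acct["password"] = arg
        elif action == "transfer_gold":
            acct["gold"] -= int(arg)
        return s["account"]


def hijack_bearer():
    """Attacker who sniffed the victim's session ID changes her password."""
    srv = BearerSessionServer()
    captured_sid = srv.login("alice", "correct horse")
    srv.transaction(captured_sid, "change_password", "pwned")
    return srv.accounts["alice"]["password"]


def hijack_bound():
    """Same attacker against the bound design: replay, forgery without the
    key, and a credential change without the password all fail."""
    srv = BoundSessionServer()
    sid, key = srv.login("alice", "correct horse")
    t1 = srv.tag(key, sid, 1, "transfer_gold", "10")
    srv.transaction(sid, 1, "transfer_gold", "10", t1)  # legitimate move
    attempts = {
        "replay": (sid, 1, "transfer_gold", "10", t1),
        "forge": (sid, 2, "change_password", "pwned", "00" * 32),
        "stepup": (sid, 2, "change_password", "pwned",
                   srv.tag(key, sid, 2, "change_password", "pwned")),
    }
    outcome = {}
    for name, args in attempts.items():
        try:
            srv.transaction(*args)
            outcome[name] = "accepted"
        except PermissionError as e:
            outcome[name] = str(e)
    outcome["gold"] = srv.accounts["alice"]["gold"]
    outcome["password"] = srv.accounts["alice"]["password"]
    return outcome
```

The bound design defeats an eavesdropper or man-in-the-middle who sees only traffic. It does nothing against malware on the player's machine, which holds the session key and, with a keylogger, the password needed for the step-up check; that is the scenario Blizzard's "traditional means" statement points at, and the one an authenticator is meant to cover.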

Turambar
@BionicRadd said:

@Turambar said:

@BionicRadd said:

@Turambar said:

@mbkish said:

@Zomgfruitbunnies said:

I am disgusted by the amount of victim blaming in here. If duder gets stabbed in the street by random guy, it's his fault for not taking precautions to not getting randomly stabbed, right?

Fuck off.

This is very different than a stabbing specifically because you CAN take precautions. Even without an authenticator, if you have a password containing a-zA-Z0-9 + symbols it will take 91800 years to crack it by brute force. To stay clear of keyloggers, avoid unprotected browsing and unknown sites, and don't run anything you aren't sure is safe.

I fit all the all the requirements of someone "taking precaution". What now? Am I still at fault?

You had an authenticator and a strong password and used an email that you only use to log in to Battle.net? You did ALL of those things and got compromised? I don't buy it.

Didn't have an authenticator, but yep to all the rest. Here's the running theory on just what is being exploited. Original post can be found here.

You make a credential handshake once in the entire session. This happens at the time of login and this is what gets logged (IPs, account IDs, etc.).

At this point only session identifiers get transferred back and forth for each transaction. A transaction is whenever the state on your account changes. This could be anything from making an AH purchase to picking up some uber sword, or completing a quest, etc..

If I steal your session identifier and send that instead of mine, then I now have access to your account and I completely bypassed the need to login. This could happen in real time. It's possible Blizzard made the system spaz out when it detects multiple detections from the same account ID, so it keeps the most recent one logged in and kicks the old one.

The tools to do this might have also allowed the malicious user to change credentials on the fly. The game client assumes it's not hacked and the session is legit, so it makes the changes live.

While it is a theory and of course Blizzard will never confirm/disclose the specifics of their security flaw, it does a good job explaining the specific circumstances surrounding my hacking: the fact that I was booted off the game while in the middle of browsing the auction house, and the fact that my password was already changed when I tried to log back in mere seconds later. Therein lies the rub: of course it is hard to believe that the above is actually happening unless it suddenly happens to you as well.

How did they log in to Battle.net and change your password without knowing your old password? I have never gotten into the account management section of Battle.net without having to login.

The idea would be that they can alter account information on the fly as well, just as they have the tools to steal the session identifier. Now, the thing is, if what you intend to suggest is that I had my account compromised the old-fashioned way, it would mean an e-mail would have been sent to me from Blizzard acknowledging that particular password change. That is something I never received. There is of course the chance that the hacker decided to delete it from both my inbox as well as the trashcan, but you'll forgive me if I doubt he would attempt to hide his presence to that degree, particularly considering how overt the ultimate goal was.
MezZa

My friend was hit by whatever this is. He's had the worst luck with this game which is somewhat interesting cause he's the biggest diablo fan out of my circle of friends. Lucky for him he hadn't actually played much because he can only play on my laptop (he's having computer issues, like i said, bad luck). I'm sure someone or some group out there is enjoying his 20k gold and level 20 gear. They hit a real jackpot with him. Luckily they didn't change his password, but I must say they are very rude. I tried to strike up a friendly conversation with them when I saw them on his recently played with list and they instantly logged off -_-. Oh well, live and learn. He has an authenticator now and so do I cause I'd rather not learn the hard way.

Crazy_Horse

You really sent them those questions? Jesus.

BionicRadd

@Turambar said:

The idea would be that they can alter account information on the fly as well, just as they have the tools to steal the session identifier. Now, the thing is, if what you intend to suggest is that I had my account compromised the old-fashioned way, it would mean an e-mail would have been sent to me from Blizzard acknowledging that particular password change. That is something I never received. There is of course the chance that the hacker decided to delete it from both my inbox as well as the trashcan, but you'll forgive me if I doubt he would attempt to hide his presence to that degree, particularly considering how overt the ultimate goal was.

Why would you ever doubt that? The longer he has a hold of your account, the more he can do with it. A friend of mine got his WoW account jacked just after Wrath came out. After they finished stripping his 80 and sending all the gold to wherever, they took his Death Knight to Karazhan on multiple occasions and farmed it for whatever he was farming for. Since this particular friend is sometimes not that talkative, the farmer logged in 4 or 5 different times before we figured out what was going on (my friend's WoW account wasn't even active at the time). I don't remember your specifics, but if you had a high level D3 character, they would certainly want to mask their actions from you to maximize the amount of time they got to spend farming for rare drops.

moofey

"If the authenticator is the best way to keep an account secure, why not make that a requirement for play?"

Possibly because not everyone has a smartphone nor can they afford to buy the physical authenticator and/or have it sent to them. (Though they could afford to buy the game?)

Not that it affects me, having the android auth app.

BionicRadd

@Moofey said:

"If the authenticator is the best way to keep an account secure, why not make that a requirement for play?"

Possibly because not everyone has a smartphone nor can they afford to buy the physical authenticator and/or have it sent to them. (Though they could afford to buy the game?)

Not that it affects me, having the android auth app.

Yea, the "can't afford it" argument is pretty weak. Blizzard doesn't require it because then they would have to pack it in with their game and that would just be wasteful. Also, you don't need a smartphone. I used the iOS auth on my iPod touch for a couple of years before I got a smartphone.

Turambar
@BionicRadd said:

@Turambar said:

The idea would be that they can alter account information on the fly as well, just as they have the tools to steal the session identifier. Now, the thing is, if what you intend to suggest is that I had my account compromised the old-fashioned way, it would mean an e-mail would have been sent to me from Blizzard acknowledging that particular password change. That is something I never received. There is of course the chance that the hacker decided to delete it from both my inbox as well as the trashcan, but you'll forgive me if I doubt he would attempt to hide his presence to that degree, particularly considering how overt the ultimate goal was.

Why would you ever doubt that? The longer he has a hold of your account, the more he can do with it. A friend of mine got his WoW account jacked just after Wrath came out. After they finished stripping his 80 and sending all the gold to wherever, they took his Death Knight to Karazhan on multiple occasions and farmed it for whatever he was farming for. Since this particular friend is sometimes not that talkative, the farmer logged in 4 or 5 different times before we figured out what was going on (my friend's WoW account wasn't even active at the time). I don't remember your specifics, but if you had a high level D3 character, they would certainly want to mask their actions from you to maximize the amount of time they got to spend farming for rare drops.

I doubt that specifically because he would have had mere minutes to change my password. I had logged into my account about 2 to 3 minutes before being booted off. I would further posit the question to you: can you imagine a way by which I would have had my password stolen? Once again, my internet history essentially only contains Giantbomb, AnimeVice, Wordpress, Blizzard, Gmail, Edgewood College, UW Madison, Wisconsin Department of Education, UW Health, youtube, Dayforce, and various mainstream news sites for the past week. I have not downloaded attachments from any e-mail, nor received any such e-mails. My password is over 10 letters, contains capitalization, numbers, and is romanized Chinese. If you have a theory as to how my password would have been stolen in light of that, I would love to hear it.
ichthy

@Turambar said:

@BionicRadd said:

@Turambar said:

The idea would be that they can alter account information on the fly as well, just as they have the tools to steal the session identifier. Now, the thing is, if what you intend to suggest is that I had my account compromised the old-fashioned way, it would mean an e-mail would have been sent to me from Blizzard acknowledging that particular password change. That is something I never received. There is of course the chance that the hacker decided to delete it from both my inbox as well as the trashcan, but you'll forgive me if I doubt he would attempt to hide his presence to that degree, particularly considering how overt the ultimate goal was.

Why would you ever doubt that? The longer he has a hold of your account, the more he can do with it. A friend of mine got his WoW account jacked just after Wrath came out. After they finished stripping his 80 and sending all the gold to wherever, they took his Death Knight to Karazhan on multiple occasions and farmed it for whatever he was farming for. Since this particular friend is sometimes not that talkative, the farmer logged in 4 or 5 different times before we figured out what was going on (my friend's WoW account wasn't even active at the time). I don't remember your specifics, but if you had a high level D3 character, they would certainly want to mask their actions from you to maximize the amount of time they got to spend farming for rare drops.

I doubt that specifically because he would have had mere minutes to change my password. I had logged into my account about 2 to 3 minutes before being booted off. I would further posit the question to you: can you imagine a way by which I would have had my password stolen? Once again, my internet history essentially only contains Giantbomb, AnimeVice, Wordpress, Blizzard, Gmail, Edgewood College, UW Madison, Wisconsin Department of Education, UW Health, youtube, Dayforce, and various mainstream news sites for the past week. I have not downloaded attachments from any e-mail, nor received any such e-mails. My password is over 10 letters, contains capitalization, numbers, and is romanized Chinese. If you have a theory as to how my password would have been stolen in light of that, I would love to hear it.

Have you ever logged in from a public computer? I had my eBay account hacked that way.

Turambar
@ichthy said:

@Turambar said:

@BionicRadd said:

@Turambar said:

The idea would be that they can alter account information on the fly as well, just as they have the tools to steal the session identifier. Now, the thing is, if what you intend to suggest is that I had my account compromised the old-fashioned way, it would mean an e-mail would have been sent to me from Blizzard acknowledging that particular password change. That is something I never received. There is of course the chance that the hacker decided to delete it from both my inbox as well as the trashcan, but you'll forgive me if I doubt he would attempt to hide his presence to that degree, particularly considering how overt the ultimate goal was.

Why would you ever doubt that? The longer he has a hold of your account, the more he can do with it. A friend of mine got his WoW account jacked just after Wrath came out. After they finished stripping his 80 and sending all the gold to wherever, they took his Death Knight to Karazhan on multiple occasions and farmed it for whatever he was farming for. Since this particular friend is sometimes not that talkative, the farmer logged in 4 or 5 different times before we figured out what was going on (my friend's WoW account wasn't even active at the time). I don't remember your specifics, but if you had a high level D3 character, they would certainly want to mask their actions from you to maximize the amount of time they got to spend farming for rare drops.

I doubt that specifically because he would have had mere minutes to change my password. I had logged into my account about 2 to 3 minutes before being booted off. I would further posit the question to you: can you imagine a way by which I would have had my password stolen? Once again, my internet history essentially only contains Giantbomb, AnimeVice, Wordpress, Blizzard, Gmail, Edgewood College, UW Madison, Wisconsin Department of Education, UW Health, youtube, Dayforce, and various mainstream news sites for the past week. I have not downloaded attachments from any e-mail, nor received any such e-mails. My password is over 10 letters, contains capitalization, numbers, and is romanized Chinese. If you have a theory as to how my password would have been stolen in light of that, I would love to hear it.

Have you ever logged in from a public computer? I had my eBay account hacked that way.

Nope, only my home PC which is used only by me.
Toxeia

@Obinice: You can go to the site and re-sync it. It's a common problem if you had it for a long time, but the way you have to add it to the account with 2 consecutive numbers makes it pretty accurate for a good while.

@Zomgfruitbunnies: Fact: People are assholes. Fact: People will be assholes regardless of your actions. Fact(?): Since people are assholes regardless of my actions, it's pointless to do anything to prevent their actions from harming me? That's how I'm reading your argument. I get that Blizzard needs to step up security (if something's really happening here) but until then the only thing that CAN be done is that the user needs to protect his/her own information.
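The clock-drift problem obinice hit and the re-sync from two consecutive codes Toxeia describes are both standard behaviour of a time-based one-time-password token. The following is an added example, not Blizzard's code: it implements a plain RFC 6238 TOTP check and assumes the Battle.net authenticator behaves like such a token (the page does not confirm this; the 8-digit code length is taken from one comment and the timestamps and seed are constructed). It shows why a drifted token clock makes codes fail, a verification window that absorbs small drift, a re-sync that recovers a large drift from two consecutive codes, and rejection of a code that has already been used.

```python
import hashlib
import hmac
import struct

# Added example, not Blizzard's code. Generic RFC 4226/6238 one-time
# passwords; the assumption is that the Battle.net authenticator works like a
# standard TOTP token. STEP and DIGITS are assumptions (DIGITS from a comment).

STEP = 30    # seconds per code
DIGITS = 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238: the HOTP counter is the number of STEP-second periods elapsed."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret, code, server_time, window=1, offset_steps=0, last_step=-1):
    """Accept the code if it matches a step within +/-window of the server
    clock (after the per-token offset learned by resync) and that step is
    newer than the last step already consumed, so a sniffed code cannot be
    replayed inside the window. Returns the accepted step, or None."""
    base = server_time // STEP + offset_steps
    for d in range(-window, window + 1):
        step = base + d
        if step > last_step and hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


def resync(secret, code1, code2, server_time, search=200):
    """Given two consecutive codes from the token, find the step offset between
    the token clock and the server clock; None if it lies outside +/-search."""
    base = server_time // STEP
    for d in range(-search, search + 1):
        if hotp(secret, base + d) == code1 and hotp(secret, base + d + 1) == code2:
            return d
    return None


def drift_demo():
    secret = b"constructed-demo-seed"          # constructed, not a real seed
    server_now = 1_337_000_000                 # constructed timestamps
    token_now = server_now + 90 * 60           # token clock 90 minutes fast
    code = totp(secret, token_now)
    rejected = verify(secret, code, server_now) is None
    offset = resync(secret, code, totp(secret, token_now + STEP), server_now)
    step = verify(secret, code, server_now, offset_steps=offset)
    replay = verify(secret, code, server_now, offset_steps=offset, last_step=step)
    return {"rejected_before_resync": rejected, "offset_steps": offset,
            "accepted_after_resync": step is not None,
            "replay_accepted": replay is not None}
```

The two-code registration Toxeia mentions is exactly what resync() needs: one code pins down a step only up to the search width, two consecutive ones make a false match vanishingly unlikely. A server that stores the learned offset per token and the last accepted step gets drift tolerance and replay protection without widening the window for everyone.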

jasonefmonk

Making the authenticator mandatory would be a stupid decision.

The smartphone apps are free, but not everyone has a smartphone. They could make the authenticator devices free to order, or ship them in the box ... but personally I still wouldn't want to use it. It's just an extra stupid step for those of us that have secure passwords and reliably manage them.

EXTomar

As for those who say you can still get hacked with an authenticator attached: the way the modern system works is that if it detects an attempt from an IP location which the account has never logged in from, it will challenge with the authenticator. If someone is able to defeat or guess the 8-digit response, it automatically triggers a "change your password" if it succeeds and kicks them out. They would be forced to go to "www.battle.net" where they would be challenged again by the authenticator/8-digit response. The system isn't foolproof or bulletproof, but it is hard to defeat. It is way more likely someone they know got access to their home machine and logged into WoW from their own machine (which it wouldn't automatically recheck with the authenticator) and stole items, instead of some super hacker in Asia. The sad truth is that many hacks are actually done by acquaintances in familiar settings.

Zomgfruitbunnies

@Toxeia said:

@Zomgfruitbunnies: Fact: People are assholes. Fact: People will be assholes regardless of your actions. Fact(?): Since people are assholes regardless of my actions, it's pointless to do anything to prevent their actions from harming me? That's how I'm reading your argument. I get that Blizzard needs to step up security (if something's really happening here) but until then the only thing that CAN be done is that the user needs to protect his/her own information.

It is not the player's fault if they get hacked due to "weak" security. It is the hacker's fault because he hacked someone's account which he had no business accessing.

It is not the kid's fault if a crow shits on his ice cream cone because he isn't holding an umbrella on a sunny day.

It is not my fault if I get run over by a drunk driver because I decide to walk to work instead of driving a tank to get there or staying at home.

Preventive measures are great, but just because someone didn't take care to reduce the risk of being randomly selected to be a victim of something awful doesn't mean it is all of a sudden their fault for making it happen.

Example1013

@Xeirus said:

@LikeaSsur said:

@Xeirus said:

@Rappelsiini said:

@Xeirus I'm on my phone so it's hard to pinpoint what exactly makes his questions stupid.

Then, honestly, why bother. Does it really annoy you so bad you have to go out of your way to make a useless post?

The irony is palpable.

Oh gee, look at another one. Someone has zero sense of irony, maybe you shouldn't use a word you don't understand.

I think he understands the definition quite well. You, however, may want to brush up.

MrOldboy

I've stayed away from public games. Really want to try out co-op, but it's hard to get people together that are in the same parts of the story and difficulty. You can do co-op at any time, but most people want to go through each part so as to level accordingly for the higher difficulties.

Seems like people are still claiming its on blizzard's end looking at forum posts. I am doing the phone authentication thing before I log in each time now.

I have to agree that the authenticator should be mandatory. People bitch all day, but with how dumb a lot of people are and get phished or have easy security questions on their email, and the monetary aspects of Blizzard games, there needs to be added protection. And the only way they can ensure every user uses an authentication tool is to make it mandatory. They should just give them to users with a history of buying and playing Blizzard games. Sell them at GameStop for $5 for just Diablo 3 players, and then give them away with WoW sub cards. There is a call-in option so people without a smartphone can do that, as annoying as that would be. Blizzard should just offer a half-way point of sending the authentication code to your email, have it work for 5 minutes or so. That way a person's email and Battle.net account would need to have been compromised, although that's probably easy considering everyone uses the same password.

napalm

Hasn't it been confirmed that these hackings are just session identification hijacks? If so, why hasn't Blizzard said anything about it? It just seems like an easy move to say, "our service is completely secure! Nothing wrong on that front!"

ptys

I don't believe in the always online DRM stuff, but do think something has to be done about the rampant PC piracy. It's killing what should be the leading graphics platform, in turn holding the progression of games back as developers only invest their time in consoles.

Zirilius

I really don't understand people's hate for the Blizzard Authenticator. Do you really need to sign into your game so fast that you can't take an extra 15 seconds to push a button and enter a 6 digit code in?

I get the argument for not wanting to spend more money but with a fairly sizeable amount of options available for the authenticator almost everyone probably has at least one way to be able to use it.

OldManLight

Just had my account compromised and my password changed just this morning. Recovered my account and had a recent player in my friends list who I've never seen, and my quest progress was started over in act 1 (I was in act 3). Accounts are definitely being hacked. Signed up for SMS notifications for my Battle.net account now. Protect your loot, duders. Side note: I've played no co-op except for a brief portion of the end of act 2 with a guy I know IRL who jumped into my game. Have not had any public games.

Toxeia

@MrOldboy: Finally, someone talking some sense. It SHOULD be required. If nothing else, it should be required for you to use it before you can call Blizzard and report your account stolen. If you aren't taking all the steps necessary to protect your investment of time why should they spend the time it takes to recover an account that 95% of the time was your fault in losing anyway?

@OldManLight: Do you have an authenticator?

smfE

@jasonefmonk said:

Making the authenticator mandatory would be a stupid decision.

The smartphone apps are free, but not everyone has a smartphone. They could make the authenticator devices free to order, or ship them in the box ... but personally I still wouldn't want to use it. It's just an extra stupid step for those of us that have secure passwords and reliably manage them.

"Making the authenticator mandatory would be a stupid decision." Stupidity taken to another level. Why would this be a stupid decision? There's not a single reason why it should not be, for safety reasons.

EXTomar

As a side topic: I am a big fan of 2 Step Authenticator systems. It isn't 100% secure, and the biggest issue is if you physically lose the authenticator device, but it is a stellar way to defeat most low level hacks. No one should be relaxed on maintenance of this type of sensitive information, but 2 Step Authenticators help out.

jasonefmonk

@smfE: Because it's either an app I have to have open, a phone number I have to call, or a silly little device I have to keep with me and (I assume) charged when I have no issue creating and maintaining a secure password. Making it mandatory punishes competent users for the mistakes of careless ones. It would also force Blizzard/Activision to cover the cost of the devices for many users.

It is enough of a pain to have to type my password every time I log in to Battle.net from my personal computer. This isn't helping anyone be more secure, it's helping them be lazy with their secure information.

EXTomar

Are these competent users who swear up and down that they've been super careful with password credentials only to find out when Blizzard does a trace it is indeed a clean, one try login attempt from an internet cafe in Indonesia?

Because of WoW and dealing with this from a guild management perspective, I've come to realize people who think they are smart with their Internet usage often make basic mistakes in trust and pay for it. They visit their cousin's house for a family thing and play a little WoW with them, not realizing that the machine used was infected to the gills with spyware due to his pr0n surfing habits, and the next day I see his character logged in in the middle of the night, withdrawing from the guild bank up to the rank cap and stripping the entire thing clean. It wasn't that he was incompetent, but he trusted and assumed they were just as competent.

ShadowMarth

I can't see this as anything other than a lie. My WoW account was hacked four separate times. The first time I kind of deserved it, used the same pass as my email. The second time I had a separate pass, but it was kind of weak. The third and fourth times I had a completely unique to Battle.net password, using max characters, numbers and letters, no sensible way to discern it, and after EACH hacking I did THOROUGH sweeps of my computer with every tool available to me, never finding a damned thing. This happened across multiple computers, and it happened across years. There has never been any explanation for any of them. I can't find any other explanation besides a problem on their end.

I'm half suspicious that it's them just trying to sell me an authenticator.

@EXTomar: I have NEVER logged onto my Bnet account from a computer not owned by me. I have NEVER shared my passwords with anyone. I am very careful with my own computer, and have never had any other accounts I use on my computers breached in this way. It's on their end. If you've never experienced it, good for you, I didn't for the first four years or so of WoW's life either, but clearly somebody found a way to fuck with it on their end, because it's sure as fuck not me. Not after four times with no intrusions on my computers.

EXTomar

I didn't mean it that way. I am merely pointing out with that real example how someone I knew, who was being ultra careful every other time, decided for whatever reason (maybe a beer or two) to slip up, and in a way they didn't expect. He didn't even think about it, to the point where we had to text them "hey someone has your account!". When they got back and saw the damage, they swore up and down in vo-com it was impossible, that they were so careful, that it had to be some new hack or a flaw in Battle.net, and so on, when someone simply asked "Where did you login last?" and you could hear the /facepalm.

2 Step Authentication and physical authenticators are great ways to add tighter access control to any system. I don't understand the automatic rejection and hatred of such systems, where it isn't so much about the person not being careful as much as they are being careful by adding another authentication layer.

HKZ

Move along, nothing to see here.

Dezztroy

It's kinda funny how innocent Blizzard always are when it comes to security issues, while Battle.net passwords aren't even case-sensitive.
 
Basic security is hard guise

Archaen

@jesterroyal said:

I think session ID thefts have always been a perfect internet horror story. I hear them everywhere and yet nobody ever proves it was more than just getting bumped from their login. Thinking of getting the authenticator since I can't easily store an overly complicated password in a pw database like usual..

As an internet security professional I can definitively tell you that session ID theft is a real thing. Whether it's happening to Diablo III or not I can't say but this isn't an issue that's an old wives tale. This is checked by security firms on every application we make when we go through security audits. It is very much an issue with all online applications.

Archaen

@EXTomar said:

As for those who say you can still get hacked with an authenticator attached: The way the modern system works is that if it detects an attempt from an IP-location which the account has never logged in from, it will challenge with the authenticator. If someone is able to defeat or guess the 8 digit response, automatically trigger a "change your password" if it succeeds and kick them out. They would be forced to go to "www.battle.net" where they would be challenged again with the authenticator/8 digit response. The system isn't foolproof or bulletproof, but it is hard to defeat. It is way more likely someone they know got access to their home machine and logged into WoW from their own machine (which it wouldn't automatically recheck with the authenticator) and stole items, instead of some super hacker in Asia. The sad truth is that many hacks are actually done by acquaintances in familiar settings.

The hack in question gets around a login entirely, which would bypass the authenticator as well assuming it doesn't monitor each and every packet. If you can hijack a session you don't need a password or even a user name. Whether this security flaw exists or not we can't say, but if it does the authenticator would be worthless.
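As an added example, not Blizzard's code or anything from the page: a Python sketch of the challenge flow EXTomar describes above, with a standard TOTP check (RFC 6238, the kind of 6-digit code Zirilius mentions) behind it. The known-location set, the three-strikes lockout that forces a password reset, and the password-hashing parameters are my assumptions; a familiar location is deliberately not re-challenged, which is exactly the gap the reply above points at.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed parameters for the model: TOTP (RFC 6238, HMAC-SHA1),
# 30-second steps, 6-digit codes, one step of tolerance for clock drift.
STEP_SECONDS = 30
DIGITS = 6
DRIFT_WINDOW = 1
MAX_OTP_FAILURES = 3   # assumed policy: repeated wrong codes force a password reset


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226) over the current time step, i.e. TOTP (RFC 6238)."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, digits: int = DIGITS) -> bool:
    """Accept the code for the current step and DRIFT_WINDOW steps either side."""
    candidates = (totp(secret, unix_time + k * STEP_SECONDS, digits)
                  for k in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1))
    # compare_digest avoids leaking which digits matched through timing
    return any(hmac.compare_digest(c, code) for c in candidates)


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed KDF settings; real deployments tune the iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    otp_secret: Optional[bytes]            # None: no authenticator attached
    known_locations: Set[str] = field(default_factory=set)
    otp_failures: int = 0
    must_reset_password: bool = False


def login(acct: Account, password: str, location: str,
          otp_code: Optional[str], unix_time: int) -> str:
    """Returns 'ok', 'bad_password', 'otp_required', 'otp_failed' or 'locked'."""
    if acct.must_reset_password:
        return "locked"
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "bad_password"
    # Familiar location (or no authenticator enrolled): the password alone
    # suffices. A stolen password used from the victim's own machine is
    # therefore never challenged, which is the weak spot discussed above.
    if acct.otp_secret is None or location in acct.known_locations:
        return "ok"
    if otp_code is None:
        return "otp_required"
    if verify_totp(acct.otp_secret, otp_code, unix_time):
        acct.otp_failures = 0
        acct.known_locations.add(location)
        return "ok"
    acct.otp_failures += 1
    if acct.otp_failures >= MAX_OTP_FAILURES:
        acct.must_reset_password = True   # guessing at the code locks the account
        return "locked"
    return "otp_failed"
```

The TOTP routine reproduces the RFC 6238 test vector (secret `12345678901234567890`, time 59, code `94287082` at 8 digits), so it can be checked against any real authenticator app.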

BionicRadd

@Turambar said:

@BionicRadd said:

@Turambar said:

The idea would be that they can alter account information on the fly as well, just as they have the tools to steal the session identifier. Now, the thing is, if what you intend to suggest is that I had my account compromised the old-fashioned way, it would mean an e-mail would have been sent to me from Blizzard acknowledging that particular password change. That is something I never received. There is of course the chance that the hacker decided to delete it from both my inbox as well as the trashcan, but you'll forgive me if I doubt he would attempt to hide his presence to that degree, particularly considering how overt the ultimate goal was.

Why would you ever doubt that? The longer he has a hold of your account, the more he can do with it. A friend of mine got his WoW account jacked just after Wrath came out. After they finished stripping his 80 and sending all the gold to wherever, they took his Death Knight to Karazhan on multiple occasions and farmed it for whatever he was farming for. Since this particular friend is sometimes not that talkative, the farmer logged in 4 or 5 different times before we figured out what was going on (my friend's WoW account wasn't even active at the time). I don't remember your specifics, but if you had a high level D3 character, they would certainly want to mask their actions from you to maximize the amount of time they got to spend farming for rare drops.

I doubt that specifically because he would have had mere minutes to change my password. I had logged into my account about 2 to 3 minutes before being booted off. I would further posit the question to you: can you imagine a way by which I would have had my password stolen? Once again, my internet history essentially only contains Giantbomb, AnimeVice, Wordpress, Blizzard, Gmail, Edgewood College, UW Madison, Wisconsin Department of Education, UW Health, YouTube, Dayforce, and various mainstream news sites for the past week. I have not downloaded attachments from any e-mail, nor received any such e-mails. My password is over 10 letters, contains capitalization, numbers, and is romanized Chinese. If you have a theory as to how my password would have been stolen in light of that, I would love to hear it.

Same way my friend's account got hacked even though he hadn't logged into WoW in 3 months. Short answer - I don't know, but most of it is either social engineering or keylogging. This is what these people do, all day long, 7 days a week, 24 hours a day. The fact that you were on when they took control of your account is possibly incidental. Doesn't change the fact that they have to get your password to change your password. Until I see documented proof of someone pulling off this supposed "session hijacking", all the people proclaiming "it can be done" are blowing smoke, as far as I am concerned.

http://howsecureismypassword.net/

10 characters, no symbols based on your description, and is an actual word of some kind? 169 days for 1 PC to crack it (they will use more than 1 PC to try it). By comparison, my Giant Bomb password will take almost 1000 years to brute force. Understand that these accounts aren't being taken by script kiddies just messing around with people. This is a business and they make a lot of money off this stuff.
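A defender's view of the session-ID theft Archaen and BionicRadd argue about: an added example, not from the page or from Blizzard, of a session store that binds each token to the client it was issued to, expires it, rotates it after login, and kills it (with an alert) when it is presented from somewhere else. The network prefixes, lifetimes and alert format are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SESSION_TTL = 8 * 3600     # assumed absolute lifetime, seconds
IDLE_TTL = 30 * 60         # assumed idle timeout, seconds


def client_fingerprint(network: str, user_agent: str) -> str:
    """Attributes the session is bound to. A coarse network prefix rather than
    the exact IP keeps mobile and NAT users from being logged out on every hop."""
    return hashlib.sha256(f"{network}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    account: str
    fingerprint: str
    issued_at: float
    last_seen: float


class SessionStore:
    def __init__(self, server_key: bytes) -> None:
        self._key = server_key
        self._sessions: Dict[str, Session] = {}
        self.alerts: List[Tuple[str, str]] = []     # (account, reason) for SOC review

    def _lookup_key(self, token: str) -> str:
        # Store only an HMAC of the token: a copy of this table cannot be replayed.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, account: str, network: str, user_agent: str, now: float) -> str:
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG, unguessable
        self._sessions[self._lookup_key(token)] = Session(
            account, client_fingerprint(network, user_agent), now, now)
        return token

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._lookup_key(token), None)

    def validate(self, token: str, network: str, user_agent: str,
                 now: float) -> Tuple[str, Optional[str]]:
        """Returns (status, account); status is 'ok', 'unknown', 'expired' or 'mismatch'."""
        sess = self._sessions.get(self._lookup_key(token))
        if sess is None:
            return "unknown", None
        if now - sess.issued_at > SESSION_TTL or now - sess.last_seen > IDLE_TTL:
            self.revoke(token)
            return "expired", None
        if sess.fingerprint != client_fingerprint(network, user_agent):
            # Token presented from a different network/client: treat it as a
            # suspected hijack, kill the session for BOTH parties, raise an alert.
            self.revoke(token)
            self.alerts.append((sess.account, f"session reuse from {network}"))
            return "mismatch", sess.account
        sess.last_seen = now
        return "ok", sess.account

    def rotate(self, token: str, network: str, user_agent: str,
               now: float) -> Optional[str]:
        """Replace the token after login or a sensitive action, so an identifier
        captured earlier stops working even if it was copied."""
        status, account = self.validate(token, network, user_agent, now)
        if status != "ok" or account is None:
            return None
        self.revoke(token)
        return self.issue(account, network, user_agent, now)
```

The `alerts` list is where a detection rule would hang: a single account whose session is revoked for mismatch, then re-established from the original network minutes later, is the pattern the posters above describe.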

jesterroyal

@Archaen said:

@jesterroyal said:

I think session ID thefts have always been a perfect internet horror story. I hear them everywhere and yet nobody ever proves it was more than just getting bumped from their login. Thinking of getting the authenticator since I can't easily store an overly complicated password in a pw database like usual..

As an internet security professional I can definitively tell you that session ID theft is a real thing. Whether it's happening to Diablo III or not I can't say but this isn't an issue that's an old wives tale. This is checked by security firms on every application we make when we go through security audits. It is very much an issue with all online applications.

I never meant to imply that it wasn't real. I just meant that it is a super easy culprit to blame. Someone always brings it up, and many times it's easier to say that some "Chinese hacker" stole your session ID than to admit you had a weak password or a virus-riddled computer. As an IT professional myself who removes viruses all the time for people who "didn't go to any strange sites" or "just don't know what happened" (fake coupon sites. *sigh*), I've seen it's easier to blame an outside circumstance beyond your control. Session ID hacking is near impossible for the end user to diagnose and is the hard-to-explain boogeyman for nearly every MMO I've spent time around. It's scary and implies there's someone with enough skill and malicious intent to take your pants from you while you are wearing them.

I guess in short I never meant to question the possibility, just the plausibility.

AthleticShark

My friend just got his account hacked and he just played singleplayer. This is disgusting and stupid. Blizzard deserves no defense. The people that do are just the ones that it has not happened to yet. First the servers can't handle the amount of people and now the security is a joke. Speechless.

deactivated-5f9398c1300c7

Guys, this shit is real. All my items for my primary character are gone. I came back to my level 30 Demon Hunter on act 3, all nude and without her weapons. She only had one of her rings for some reason, but everything, including the stuff in my stash, has completely disappeared.

I managed to get some new stuff for my character, but losing all the things I legitimately found for my character has made all my 25 hours of play time simply for naught, and I carry no motivation to play this game now. I warn you all to change your passwords to something big, because I have a feeling this can happen to anyone at any time.

AthleticShark

Also for those saying use an authenticator (not talking about the free app), but security should be free. Paying 6 dollars to have a key-chain with a code is ridiculous for a fucking game account. This is what society has become. Caring about fake virtual items. Pretty soon they will be offering insurance plans.

deactivated-5ffc9b71f33ff

@HellBound: Welcome to gaming. This is why I wish we could step back a bit in technology and always have a direct connect and LAN option. Sometimes, I just don't care that much about being online.

smfE

@jasonefmonk: My advice to you is maybe you should start thinking beyond the tip of your own nose. Just because you see yourself as a perfectly competent user who will NEVER get hacked or anything, there are millions and millions of other people Blizzard has to make their systems secure for, maybe so they won't get a bad rep, hmm, that's maybe one of the things. If it's enough to bring pain and sweat to you to type a password to log in, life is hard for you.

This is not about some people being overall lazy, but think of a little bigger perspective. If Blizzard doesn't take accounts worth a lot of money and games seriously, perhaps, just perhaps, those people won't buy their games again? How much is the cost of these devices that are Made In China, 50 cents maybe? Is it worth keeping people safe and secure and not losing tons of revenue, because you can't be 100% safe with the internet these days? Yes, I think so, especially if you think long-term and about keeping customers. Else Blizzard wouldn't be able to have the fan base they have if they didn't take these subjects seriously.

I have an authenticator with me on a key ring and it's really not that hard to have with you if you actually care about your things.

Think beyond, dude, it will help you. That's my only advice!

jasonefmonk

@smfE:

Your feelings of superiority because you believe you argue for some greater good is ridiculous.

I said nothing about getting hacked. This isn't about hacking, it's about social engineering and how it affects all of our internet use. People using the same passwords across many accounts, using easy to guess passwords, and using logins on insecure machines are the issue.

If you want the extra layer of security it is there and available to you. Considering all of these lost accounts are the users' fault, Blizzard won't get any more bad press about it than Apple did with iTunes, or than Facebook has; if they do, it's shoddy reporters that don't understand the issue. Teaching people how to use the fucking internet will make them safer with all of their internet use. Blizzard properties are trivial things compared to your bank account or medical records. Would you argue to have an authenticator for them as well? How many do you want to keep stuffed in your pocket?

The password may not be the be-all-end-all of internet security, but a second password certainly isn't the solution.

P.S. Insinuating I don't care about my things because I don't want another item to carry around is dumb. There is no dichotomy between those two things. You write very poorly, I hope English isn't your first language.

SpoonieLuv

It just seems like Blizzard has had such a customer service nightmare since D3's launch night that they're giving nothing but canned responses like the one above. Give it about 3 months, they'll get it together with Diablo.

smfE

@jasonefmonk: 1: Nope, English isn't my first language, I speak and read 3 languages, how many do you? Nope, I don't feel superior and yes, I believe that arguing for some greater good is ridiculous.

2: I don't care if you said anything about getting hacked. Yes, this is about being hacked; simple links being posted on official game forums can easily contain keyloggers. Yes, it's a good idea to use different passwords for your accounts, I do that myself. Even if you do this you can still of course get hacked.

Teach people basic things about how to venture safely on the web, that's a good idea; at least Blizzard is trying to.

An extra layer of security is useful especially if you care for your security.

3: This doesn't have any relevance to what we're talking about. Why are you talking about press, Facebook, Apple and iTunes? Why are you comparing Blizzard properties to bank accounts and medical records? (weak weak arguments)

Yes, of course I would want an authenticator for my bank account.

How many authenticators would I want in my pocket? 1, because they generate a different number every time. We actually have this kind of security here in Denmark for our bank accounts and services. It's working without any problems here and people are happy with it.

BionicRadd

@jasonefmonk said:

@smfE:

Your feelings of superiority because you believe you argue for some greater good is ridiculous.

I said nothing about getting hacked. This isn't about hacking, it's about social engineering and how it affects all of our internet use. People using the same passwords across many accounts, using easy to guess passwords, and using logins on insecure machines are the issue.

If you want the extra layer of security it is there and available to you. Considering all of these lost accounts are the users' fault, Blizzard won't get any more bad press about it than Apple did with iTunes, or than Facebook has; if they do, it's shoddy reporters that don't understand the issue. Teaching people how to use the fucking internet will make them safer with all of their internet use. Blizzard properties are trivial things compared to your bank account or medical records. Would you argue to have an authenticator for them as well? How many do you want to keep stuffed in your pocket?

The password may not be the be-all-end-all of internet security, but a second password certainly isn't the solution.

P.S. Insinuating I don't care about my things because I don't want another item to carry around is dumb. There is no dichotomy between those two things. You write very poorly, I hope English isn't your first language.

Know what someone can do if they get the password to my bank's web site? See how much money I have. That's it. Theoretically, they could set up some billpay stuff to use my money to pay their electric bill, but there's a minimum 2 day lead time on that, so, yea, I guess there's that. Fact is, your Blizzard account has a monetary value in the hands of the right person. Blizzard did not invent the authenticator, and I think if you look at what other types of companies use/offer authenticators, you will find a common thread. Your basic argument is you don't need a deadbolt because you have a really nice door knob, but it's not a one-or-the-other situation. Both is better, and there are people out there aggressively trying to get into as many Battle.net accounts as possible. By your logic, if you're a smart PC user, you shouldn't need an anti-virus program, because you won't do anything that would expose you to viruses.

lorex

Blizzard seems to have everyone buying into the notion that if you don't use an authenticator then it's the customer's fault for not protecting their own info. The official Diablo 3 forums are filled with this sycophantic acceptance that it has to be this way. I certainly did not ask for the game to require me to always be connected to their servers to play; this was forced on the players by the company. Now to be told individual customers did not do enough seems like shifting the blame to me. It's on Blizzard to fix the problems with their servers. If the only way to secure your account is with an authenticator, then Blizzard should make them free to everyone. I know they are free online for smartphone users, but not every customer fits into that category. Also there is a lot of denial on Blizzard's part that there is no security breach beyond traditional methods already known. It will be interesting to see what happens when the RMAH goes live and the first hacks are reported. You think people are mad now when it's just virtual money and items missing; imagine the hell that will be raised if actual money is stolen.

avidwriter

Yea, listen to Blizzard. Everything is fine, keep paying $60 for a game where you can get your account stolen by doing nothing. Yep. Putting those millions of dollars to good work there Blizzard. I've lost all faith in this company. Greed and wealth kills all.