It seems that more and more people in the US forums (EDIT: TWICE, actually) and the EU forums are reporting that their accounts have been mysteriously compromised, even with their RealID properly configured. People have logged in after yesterday's downtime and partial rollback only to find their characters stripped naked and with no gold at all. If at first it may have seen as the result of some shady business on the part of the user, now evidence seems to point at some people being able to somehow enter your account after playing a public match with them. Many users have reported to have players like "leiyong", "Matthew De Ruyter" (RealID) and "alexbad19 " added to their "Recently Played with" list just before getting "hacked".

No official Blizzard representative (aka "blues") have commented on the matter, besides the normal "check that you're playing in the correct region" and "change your password" stuff.

Edit: Added another thread in the US forums with more recent information.

That's concerning. Now if I could only get by this damn 3006 error.

@ShadowConqueror said:

That's concerning. Now if I could only get by this damn 3006 error.

You could try this possible fix. No harm in trying, I guess.

Well good thing I'm only interested in playing with people I know or by myself.

No one got hacked or battle.net would be down like Sonys PSN last year. People that know nothing about Information Assurance awareness allowed themselves to be phished.

That's why I have an Authenticator on my account. 

Seems they are using brute force methods to get peoples usernames and are able to bypass the usual login process. Authenticator or not, public games or not - its now a dice roll to see when they get your account. Lets hope they patch this vulnerability soon.

@ShadowSkill11 said:

No one got hacked or battle.net would be down like Sonys PSN last year. People that know nothing about Information Assurance awareness allowed themselves to be phished.

I don't know. Normally, I would think that this has been a case of phishing and some people were dumb enough to fall for it... But so many users in so little time were all victims of phishing? Many of them with Real ID? Besides, Blizzard is not saying anything about this. If I were them, after all the shitstorm created during the weekend because of the servers being down and everything, the first thing that I'd do is to deny all of this ASAP.

It all sounds very fishy...

Edit: Also, it seems that anyone could be victim of this in case it actually is some sort of hack or exploit, regardless of whether they play or not public games.

Basically the same thing that happens to people in WoW, is happening in Diablo III.

Authenticators are neat where even Blizzard even offers a dial-in authenticator.

As mentioned, this happens in WoW too where people use similar or the exact same info from Battle.net in other places. It isn't that Battle.net is being hacked but some random site third party site has an account sign up where that user put the same email and used the same password. What is worse is people using the same password for the site, Battle.net and the email account. If someone gets into that third party site then they have the keys to everything to take over....

Blizzard can't do anything more than make people aware and push authenticators as much as possible.

@EXTomar said:

Authenticators are neat where even Blizzard even offers a dial-in authenticator.

As mentioned, this happens in WoW too where people use similar or the exact same info from Battle.net in other places. It isn't that Battle.net is being hacked but some random site third party site has an account sign up where that user put the same email and used the same password. What is worse is people using the same password for the site, Battle.net and the email account. If someone gets into that third party site then they have the keys to everything to take over....

Blizzard can't do anything more than make people aware and push authenticators as much as possible.

Details are still emerging but it seems like the dial-in authenticator is the one having more hacking incidents whereas the mobile and stand-alone authenticators seem to be okay. The dial-in works differently from what I understand.

At this point people should reserve judgement until more details come in. Some of this will be traditional keylogger and poor password practices but some of it could be genuine holes in blizzard's security with a new product and new infrastructure.

What's going on here is a huge security hole that wasn't detected until it was too late. Authenticators or playing solo in locked passworded games won't keep you safe. This is a huge mess and this week will be filled with meltdowns and drama, and no doubt a retarded class action lawsuit or three.
 
From god knows where:
"The current theory is hijacking session identifiers. Basically, every time you complete a mission, get an achievement, ect. your client communicates with the server but doesnt have to go through the authentification servers. If I hijack one of your session ID's and submit it through my client instead of my own session ID, it would kick you off and essentially let me take over your account without ever having to type in a password... since it doesnt go through the authentification server the client doesnt report it as a compromised account."

@SomeJerk said:

What's going on here is a huge security hole that wasn't detected until it was too late. Authenticators or playing solo in locked passworded games won't keep you safe. This is a huge mess and this week will be filled with meltdowns and drama, and no doubt a retarded class action lawsuit or three.

From god knows where:
"The current theory is hijacking session identifiers. Basically, every time you complete a mission, get an achievement, ect. your client communicates with the server but doesnt have to go through the authentification servers. If I hijack one of your session ID's and submit it through my client instead of my own session ID, it would kick you off and essentially let me take over your account without ever having to type in a password... since it doesnt go through the authentification server the client doesnt report it as a compromised account."

Holy cow if that's the case that's a pretty bad mistake on Blizzard's part.

I would like to add that my younger brother (who only plays with me and my 2 buddies) was also hacked. So public games aren't the cause. That session id theory sounds the most plausible right now instead of some elaborate phishing scam. Though, now I'm worried. I have the mobile authenticator linked (as does everyone else in the group), but I'm guessing that won't mean shit if hackers can jack a session id?

Could easily be a new virus that steals the session ids...

Why would you add with REALID someone you don't know?

Without in-depth details, "session id" should be bound per account, per client instance. There could be a flaw but an external client instance can't take over a session if it is still alive even if they user name and password. If nothing else, having two client instances probably breaks one or both transaction channels with the "mothership". If they could pull off this, that would indicate a deeper flaw in the entire transaction model than just loosing control of accounts.

I'd asked for Diablo 3 for my birthday, figuring they'd have the bugs worked out after a few weeks. Sounds like I should update my wish list with something else. Max Payne 3 sounds solid.

I can confirm this happened to me just now. Logged in, no password change, all gold and stash items gone, equipped items oddly still there, mysterious names on my recently player with list. My losses were relatively small, just gems and 70k gold, but this is looking to be a real problem. The names on the recently played list make it look like a hack, but the password remaining the same and equipped items still being there make it seem more like a bug. No idea which is the case, blizzard service tickets are just spitting out form letters about account recovery limitations and auction house restrictions if you want your account recovered.

Player names on my recently played with list were quyunjiang, EddiBlue, Roxus and kkaos2, anyone else got those names on their list if a similar thing happened to you?

P.S. I also have been playing single player or with real world friends only, no public games, and have the smartphone app authenticator, so yes, no one seems safe.

Yep, this is blowing up on the internet right now.

The current theory is that people are getting session IDs and submitting them as their own. Session IDs basically store what you killed, what you got, etc. and they don't go through an identification process when they are submitted to the servers. (That's my bad summation. I'm sure someone can explain it better).

One of the guys at Eurogamer got hacked, as well.

http://www.eurogamer.net/articles/2012-05-21-diablo-3-accounts-hacked-gold-and-items-stolen

@Aelric said:

I can confirm this happened to me just now. Logged in, no password change, all gold and stash items gone, equipped items oddly still there, mysterious names on my recently player with list. My losses were relatively small, just gems and 70k gold, but this is looking to be a real problem. The names on the recently played list make it look like a hack, but the password remaining the same and equipped items still being there make it seem more like a bug. No idea which is the case, blizzard service tickets are just spitting out form letters about account recovery limitations and auction house restrictions if you want your account recovered.

Player names on my recently played with list were quyunjiang, EddiBlue, Roxus and kkaos2, anyone else got those names on their list if a similar thing happened to you?

P.S. I also have been playing single player or with real world friends only, no public games, and have the smartphone app authenticator, so yes, no one seems safe.

Shit! Although I have not been hacked, my circumstances are basically the same. I've been playing only by myself or with a few real world friends. Were your inventory items gone too? By that I mean the non-equipped stuff in your characters personal inventory. Just wondering if they only get access to one character then it would be smart to spread your stash items over an alt or something like that to mitigate any losses.

@Patman99: All chars cleaned out, just not equipped stuff, I'm afraid

Well that's scary.

Holy shitballs. Guess I won't be playing Diablo 3 tonight. Again.

Like I said, it's really odd that the equipped items are not gone. They were the best things I had, my stash just being some gems and only 70k gold since I poured most of it into smith and stash upgrades. Still, it's a really unnerving bummer and yeah, I'm not playing any more until Blizzard issues a statement on it. I'll eat the loss instead of get rolled back to a previous account state, but I'm not gonna play for a while now. Beat normal last night anyway, so it was time for a break regardless.

This is why you put an authenticator on your account. No one can log in unless they have your phone.

@Aelric said:

Like I said, it's really odd that the equipped items are not gone. They were the best things I had, my stash just being some gems and only 70k gold since I poured most of it into smith and stash upgrades. Still, it's a really unnerving bummer and yeah, I'm not playing any more until Blizzard issues a statement on it. I'll eat the loss instead of get rolled back to a previous account state, but I'm not gonna play for a while now. Beat normal last night anyway, so it was time for a break regardless.

At least your hackers were courteous enough to leave you clothed!

Could easily be a new virus that steals the session ids...

@isnipeyoudie said:

@mosdl

Could easily be a new virus that steals the session ids...

Unfortunately, getting a session ID can be as easy as stealing outgoing or incoming packets from the intended victim. This does mean, however, that the packets aren't signed in some way or the session id data in the packet is woefully obvious to see when a packet is grabbed.

Hence why I thought that if this is true, it would have to be on the client side, where the session id could be read from memory - I assume Blizzard is smart enough to use secure connections.

I'm going out on a limb to say I don't know if that even matters since the "toasts" are coming from the server not the client. They would have to have access to the encrypted channel in a "middle man" style attack which makes me wonder how they could forge any of it.

From the descriptions just here it sounds more like early WoW days where they would force rollbacks and reset, all too often without notice. For whatever reasons (sometimes they did make sense) they would deem "X wasn't an exploit but we can't let players have it" and just remove them or alter characters as they saw fit.

@mosdl: You don't have to have access to the computer of the victim to grab a packet they sent, or one they're receiving. Judging by the widespread number of cases, I'm guessing the session id isn't signed (strange, as you said, Blizz isn't dumb), or someone decrypted their packet signing.

Blizzard has, at least, acknowledged the existence of a possible breach:

Hey guys,

We are very aware of these reports and are taking them very seriously. Please keep an eye on the General Discussion forums as Community members will be posting something soon.

If you have been hacked, please contact Customer Service as soon as you can. In addition, using an Authenticator can help secure your account even more.

Well, it's a start. At least it should stop all those "IT'S YOUR FAULT, THERE IS NOTHING WRONG WITH BNET" posts for a while.

@JoeyRavn said:

Blizzard has, at least, acknowledged the existence of a possible breach:

Hey guys,

We are very aware of these reports and are taking them very seriously. Please keep an eye on the General Discussion forums as Community members will be posting something soon.

If you have been hacked, please contact Customer Service as soon as you can. In addition, using an Authenticator can help secure your account even more.

Well, it's a start. At least it should stop all those "IT'S YOUR FAULT, THERE IS NOTHING WRONG WITH BNET" posts for a while.

Oh my god, just looking at the Eurogamer comments had me going...

Keyloggers and viruses because your computer is insecure, STOP LOOKING AT PORN! Are people fucking serious anymore?

@Doctorchimp said:

@JoeyRavn said:

Blizzard has, at least, acknowledged the existence of a possible breach:

Hey guys,

We are very aware of these reports and are taking them very seriously. Please keep an eye on the General Discussion forums as Community members will be posting something soon.

If you have been hacked, please contact Customer Service as soon as you can. In addition, using an Authenticator can help secure your account even more.

Well, it's a start. At least it should stop all those "IT'S YOUR FAULT, THERE IS NOTHING WRONG WITH BNET" posts for a while.

Oh my god, just looking at the Eurogamer comments had me going...

Keyloggers and viruses because your computer is insecure, STOP LOOKING AT PORN! Are people fucking serious anymore?

Yeah, and apparently they're on the one track mind that all authenticators cost money and Blizzard only does it to grab money. No mention of the dial-in or free mobile app...

I'm not convinced that this is a "hack" but is rather simple phishing, such as the WoW emails I get 20 of each day, that people got hit by, but the phishers saved them for D3. I mean, instead of stealing your account a month ago, they waited until now.

Makes more sense to me than an account stealing virus in the first week. But who knows.

@Pinworm45: A friend I know just got hacked without even receiving or checking a single email in the inbox he uses for his Blizzard account, and hasn't even gotten anything video game related in his other ones (he keeps his stuff separate). It's not a phishing scam; it appears to be too widespread, fast, and random for that to be the case. It's not a virus either, so, by process of elimination, it's either an intrusion in Blizzard's servers or someone's figured out how to decrypt Blizzard's packet signing scheme.

@Pinworm45 said:

I'm not convinced that this is a "hack" but is rather simple phishing, such as the WoW emails I get 20 of each day, that people got hit by, but the phishers saved them for D3. I mean, instead of stealing your account a month ago, they waited until now.

Makes more sense to me than an account stealing virus in the first week. But who knows.

This has already been discussed. Do you really think that ALL these people have been victims of phising? At the same time? Even an Eurogamer editor? It's no virus either: it's obviously on the part of Blizzard, not the user, probably because people have been able to somehow get into the authentication system.

and in sort of quasi-related news, Torchlight 2's beta is actually ending on thursday rather than first week of June. So I expect release date incoming very soon so maybe they're gonna capitalize on this horrible D3 launch and give people an alternative

@JoeyRavn said:

@Pinworm45 said:

I'm not convinced that this is a "hack" but is rather simple phishing, such as the WoW emails I get 20 of each day, that people got hit by, but the phishers saved them for D3. I mean, instead of stealing your account a month ago, they waited until now.

Makes more sense to me than an account stealing virus in the first week. But who knows.

This has already been discussed. Do you really think that ALL these people have been victims of phising? At the same time? Even an Eurogamer editor? It's no virus either: it's obviously on the part of Blizzard, not the user, probably because people have been able to somehow get into the authentication system.

The more I read about it, the more this has to be true. Granted, I do hold Blizzard in high respects, but that doesn't mean they can't fuck up every now and then. But of course, maybe they didn't fuck up at all. Like you said, someone (or some group) could have just focused on figuring out how to get into their shit because the real money auction house is coming.

I sure do hope all the idiots saying its a virus or people clicking bad links get hit so they can shut up.

This is why authenticators win. They're even free on phones.

Tell that to the authenticator-users who lost everything on the last character they played.

@SomeJerk said:

Tell that to the authenticator-users who lost everything on the last character they played.

Yeah, I just saw that. Pretty crazy.

@GunslingerPanda: For some stupid reason the Diablo 3 login doesn't use the authenticator. Or at least mine doesn't. Starcraft 2 and WOW ask for the code from it when I log in, Diablo 3 doesn't.

@Rautapalli said:

@GunslingerPanda: For some stupid reason the Diablo 3 login doesn't use the authenticator. Or at least mine doesn't. Starcraft 2 and WOW ask for the code from it when I log in, Diablo 3 doesn't.

You can setup that option on battle.net website, so you need to authenticate on each login.

@Rautapalli said:

@GunslingerPanda: For some stupid reason the Diablo 3 login doesn't use the authenticator. Or at least mine doesn't. Starcraft 2 and WOW ask for the code from it when I log in, Diablo 3 doesn't.

D3 will ask for the authenticator on first login from what i understand and also if you are logging in from a different location. At least this is the way it has been for me. But not everytime no.

"Media" is starting to pick up on it; http://pc.gamespy.com/pc/diablo-iii/1224789p1.html / http://massively.joystiq.com/2012/05/21/diablo-iii-players-report-eruption-of-hacked-accounts/

Blizzard should drop an announcement soon, possibly something too large and important to drop in the http://us.battle.net/d3/en/forum/3354739/ forum like they promised two hours ago.

You'll have to cut and paste the links manually because screw Parchment.

@JoeyRavn said:

@Pinworm45 said:

I'm not convinced that this is a "hack" but is rather simple phishing, such as the WoW emails I get 20 of each day, that people got hit by, but the phishers saved them for D3. I mean, instead of stealing your account a month ago, they waited until now.

Makes more sense to me than an account stealing virus in the first week. But who knows.

This has already been discussed. Do you really think that ALL these people have been victims of phising? At the same time? Even an Eurogamer editor? It's no virus either: it's obviously on the part of Blizzard, not the user, probably because people have been able to somehow get into the authentication system.

The timing is completely irrelevant, there's nothing to stop phishers from having phished a long time ago and saved all the account info until now. In fact, this is evidence in favor of it - What's more likely, tons of accounts that were phished over the course of a year (we already know this happens, WoW is notorious for having accounts stolen, even from the techsavvy and people smart enough not to open those emails), and they were saved until now, when they can be used on Diablo 3 quickly and easily before blizzard can react, or, a group of people came up with a way to get into accounts within a week of release, and then somehow managed to get into thousands of accounts within that time frame, while still keeping the method low-key enough for no one to know what it is yet?

It's absolutely a viable answer. It may not be THE answer, but it could easily be