Blizzard investigating Diablo 3 account hack reports

Blizzard is investigating reports that Diablo III accounts are being hacked and stripped, even if the user is 'protected' by a Battle.net Authenticator. For now, it says to hold tight and authenticate up.

Since Diablo III launched a week ago, a growing number of players have found their accounts broken into and their characters stripped bare, or even had their accounts outright taken. Blizzard is investigating these reports, initially blaming them on old-fashioned hacking techniques rather than a security hole in Diablo III, but some victims insist they've been hit even with a Battle.net Authenticator.

As with hacks in other online games--let's not forget Diablo III's DRM means it's an online game for everyone--the victims have all their characters' items sold, their stash emptied, and all gold passed onto another account. Blizzard's offering rollbacks for affected characters, but it's inconvenience and upset nobody fancies dealing with.

While Blizzard is eying the usual hack vectors--keyloggers, phishing, passwords collected from hacked websites and whatnot--some unconfirmed reports say there may be a serious problem. Supposedly, miscreants can easily hijack the session ID of someone else playing, spoofing it to get access to their account.

As a forum post from community manager Micah 'Bashiok' Whipple shows, Blizzard's not buying that yet, but is investigating.

We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.

Yet there are many reports of players using an Authenticator who have been hacked regardless. Still, you may want to beef up your account security all the same, using an actual Authenticator, the free Authenticator mobile app, or the SMS Protect service, as detailed here.

"Historically, the release of a new game--such as a World of Warcraft expansion--will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo III," Blizzard said. Let's hope that's all it is.

With the launch of the real-money auction house coming on May 29, delayed by the launch issues, people are about to become an awful lot more concerned about the safety of their gear.

From The Chatty
  • reply
    May 22, 2012 6:30 AM

    Alice O'Connor posted a new article, Blizzard investigating Diablo 3 account hack reports.

    • reply
      May 22, 2012 6:40 AM

      While I'm only 31 and just beat normal I put the BA on my account as soon as this crap started happening. Sucks that people are losing their shit.

      • reply
        May 22, 2012 7:01 AM

        I changed my password and I have an authenticator on the way. If something were to happen to my level 52 female barbarian named SnooSnoo, I would be inconsolable.

        • reply
          May 22, 2012 7:18 AM

          why not just use the authenticator on your phone?

          • reply
            May 22, 2012 7:22 AM

            Cause I have a dumb phone, not a smart one.

          • reply
            May 22, 2012 7:24 AM

            [deleted]

            • reply
              May 22, 2012 7:32 AM

              They have the SMS thing now that makes it automated.

            • reply
              May 22, 2012 7:33 AM

              if your phone suddenly dies then it can take a bit to get the authenticator removed via phone

              No kidding! =)

            • reply
              May 22, 2012 7:39 AM

              [deleted]

            • reply
              May 22, 2012 7:59 AM

              Back when I played WoW and my iphone crashed, Blizzard wanted me to email them a scan of my driver's license to remove the authenticator from my account. I wasn't entirely comfortable with that.

              • reply
                May 22, 2012 11:17 AM

                Haha, think they might use it? I guess you're one of those who are afraid of telling someone your shoe-size too. After all, you want your privacy!

              • reply
                May 22, 2012 3:34 PM

                they just automatically text you something now

            • reply
              May 22, 2012 8:44 AM

              last time it took me about 5 minutes to get them to remove it by phone by asking a couple security questions.

            • reply
              May 22, 2012 9:05 AM

              they have recovery codes now. you store it in a safe place and it's easy to get it removed.

        • reply
          May 22, 2012 9:52 AM

          if what some people are saying is true (hackers are duplicating your sessionID) then none of that matters. supposedly if they have your battletag (friends, joining public games, potentially the auction house) then you're vulnerable.

      • reply
        May 22, 2012 7:43 AM

        When I first started reading your comment I thought, what's your age got to do with it?

    • reply
      May 22, 2012 7:21 AM

      Hahaha. I thought "being online 24/7" was supposed to be safer Blizzard? Wasn't that the reason I can't play single-player offline? Ahahaha. Good one.

      • reply
        May 22, 2012 7:25 AM

        [deleted]

        • reply
          May 22, 2012 7:41 AM

          Tsk, you completely missed his point. Although probably placed in the wrong place I support his standpoint. DRM just enrages most people as it should.

          Any game that requires me to have a constant internet connection or limits the amount of times I can install it, I will not buy.

          • reply
            May 22, 2012 8:36 AM

            [deleted]

            • reply
              May 22, 2012 9:29 AM

              Which department at Blizzard do you work at? Or is it another company in the bloated corporate structure that is Activision Blizzard?

            • reply
              May 22, 2012 11:03 AM

              Actually, he didn't miss my point, you did. A "major" talking point Blizzard cited as its reason to go 100% was security. Here, enjoy the quotes...

              "While (Rob) Pardo recognizes that people sometimes want or need to play offline (such as internet outages, or playing on a laptop during an airplane flight), he notes that the increased security, plus benefits like the above, outweigh those other concerns."

              http://www.1up.com/news/diablo-3-requires-online-when-playing

              "Senior producer Alex Mayberry told MTV that... We can provide a much more stable, connected, safer experience than we could if we let people play off-line."

              https://us.battle.net/d3/en/forum/topic/5151265270

              So, umm, yeah. Nothing is perfect, but when you "sell" the experience of it being safer IF it's online, and then people get their accounts hacked, it brings that entire concept into question.

              • reply
                May 22, 2012 4:45 PM

                Not to mention, if the game had been designed as an offline single player experience with multiplayer support, the character data would be saved locally on their computer's harddrive and therefore not at risk for having their character stripped naked by a compromised online account.

              • reply
                May 23, 2012 3:47 PM

                I do not see where Blizzard said your account is 100% safe. I see a lot of "safer" though.

      • reply
        May 22, 2012 7:52 AM

        Why don't they allow you to lock your acct down to a single PC or two? IP? MAC address?

      • reply
        May 22, 2012 9:32 AM

        ahahahahah how about people run anti-virus and not get phished like noobs hahahaha

        • reply
          May 22, 2012 9:37 AM

          [deleted]

          • reply
            May 22, 2012 9:46 AM

            perhaps. but it can't hurt.

            Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password.

            http://us.battle.net/d3/en/forum/topic/5149619846?page=29#571

            funny how it's the same old shit, people 1) have fucked up malware'd machines and 2) they are fucking turbo clicking morons.... but they gotta blame blizzard !!!!

            or maybe it's college idiots with their machines logged in, shared with other morons, b.net account cached, no authenticator? OH MAN I GOT HACKED !!!!!!!!!!!!!!!!!!

        • reply
          May 23, 2012 6:29 PM

          says the guy who doesn't understand how a session attack works

    • reply
      May 22, 2012 7:24 AM

      thing is..... Diablo 3 does NOT require the authenticator to login..... FAIL BLIZZARD !!!

      • reply
        May 22, 2012 7:28 AM

        what? I get the auth. prompt almost every time I try to login...

      • reply
        May 22, 2012 7:31 AM

        [deleted]

      • reply
        May 22, 2012 7:31 AM

        What? Yes it does

      • reply
        May 22, 2012 7:34 AM

        Yes it does.

        By default, Blizzard games will store a token on your machine. If that token exists and your ip/mac/guid didn't change, it will only ask for the authenticator string once every week or two. You can disable this in your battle.net profile and force it to ask for the authenticator string every time.

        • reply
          May 22, 2012 7:40 AM

          [deleted]

          • Zek
            reply
            May 22, 2012 7:45 AM

            It's optional though, pretty sure you can force the authenticator every time if you want.

          • reply
            May 22, 2012 7:45 AM

            Location meaning IP address most likely. If all those machines share the same IP address then it will not ask for authenticator code each time.

          • reply
            May 22, 2012 8:28 AM

            I login on the same computer at my house and it prompts me every time for my BA key. Don't know what you're smokin.

          • reply
            May 22, 2012 10:22 AM

            There is an option to check to require it on every login regardless.

        • reply
          May 22, 2012 9:03 AM

          Did you really just take the time to rationally explain the situation to someone who uses the phrase "FAIL BLIZZARD"

        • reply
          May 22, 2012 4:49 PM

          it didn't for me. I never had a battle.net account until D3's launch, so I created one and then I was able to just use my username/password to log in to the game every time I played. I actually just enabled the authenticator on my battle.net account today during work, but I haven't needed it and I've been playing all week.

      • reply
        May 22, 2012 9:04 AM

        I have to auth every time I log in.
        Hell, even their site doesn't keep me logged in between browser closes.

      • reply
        May 22, 2012 2:09 PM

        You can set it to need it every time or to prompt randomly.

      • reply
        May 22, 2012 2:21 PM

        It doesn't require me to use my authenticator either. Weird. I wonder if that's an option to set.

        • reply
          May 22, 2012 2:25 PM

          Ah, it's an option on Battle.net, not in Diablo 3.

    • reply
      May 22, 2012 7:29 AM

      This is going to get interesting when the auction house goes IAP with real money. I'm willing to bet it will become a wretched hive of scum and villainy. Like ebay.

    • reply
      May 22, 2012 8:17 AM

      This Diablo III launch has been a train wreck!

      • reply
        May 22, 2012 8:36 AM

        lol? far from it.

      • reply
        May 22, 2012 8:42 AM

        A 60 hours played train wreck =/

      • reply
        May 22, 2012 9:26 AM

        lol

      • reply
        May 22, 2012 9:48 AM

        Everyone who hasn't bought D3 and reads about some guy with a broken router moaning about it on Shacknews says the same thing. :) I don't speak for everyone but other than the outage on the first day, I have been able to play every time I tried to login, have a character in Hell, as well as lowbies in hardcore and normal, been playing with friends. No issues whatsoever.

        • reply
          May 22, 2012 11:16 AM

          I'm happy for you! I wish I could say the same, but the spikes have been gibbing my wizard until the res timer is 30 seconds and at that point it's starting to get kind of boring. I wish it was my connection, but all other games have no lag at all.

          • reply
            May 22, 2012 1:05 PM

            Yeah, I'm still getting random lag spikes, my ping is always in the 250-500ms range, and the stuttering is non-stop.

            The game is still playable but these issues are only getting more annoying.

            • reply
              May 22, 2012 1:35 PM

              stuttering? hmm. I've had lag hiccups now and then for 5 second blip if I'm switching characters after sending something to the stash and logging back in... but nothing localized like stuttering. what sound level are you at?

              • reply
                May 22, 2012 4:03 PM

                I've tried every sound setting and every other "fix" people have suggested (there have been dozens in the dozens of threads) with no luck, same with the others who are experiencing it. It's pretty widespread if you check the official forums. People with much, much better systems than I with dedicated sound cards are experiencing it too. Basically the game hitches randomly and constantly, the movement and screen scrolling is never smooth, it can get really severe but it can also be micro enough that some people may not even notice it. It's not related to the framerate either because it happens with a solid 60 (or above without vsync). And you can even see / feel it happen when you cap it to 30.

                People say loading everything into a ram drive is the only way they were able to lessen it, but that even that still won't get rid of it entirely. I don't have enough memory for that anyway. Apparently it was a big issue in the beta too, Blizzard said it had to do with how assets were loaded and that it would be gone in retail so they are ignoring it. But it's not gone.

                I've never played a game that does this. It doesn't make it unplayable like the lag spikes, it's just really frustrating.

                • reply
                  May 22, 2012 4:14 PM

                  Others believe it has to do with how the game streams the data for everything and syncs you with the server. Since there's nothing they can do on their end to get rid of it, the fault lies with Blizzard's setup.

                  I don't know what causes it, I just know it sucks. And every youtube video I've seen of the game has it to some degree. I don't really believe anyone who says their game doesn't stutter randomly because I have yet to see the game run smooth at all with my own eyes.

                  • reply
                    May 22, 2012 4:31 PM

                    I have been trying all the crazy solutions too, and no dice. It's up to blizz to patch it

      • reply
        May 22, 2012 9:55 AM

        [deleted]

      • reply
        May 22, 2012 10:13 AM

        * waits patiently for the next train wreck so I can say, "This train wreck is like the Diablo III launch"

        • reply
          May 22, 2012 10:15 AM

          DUDE did you see the facebook IPO debacle???? reminds me of diablo 3 !!!! total train wreck

        • reply
          May 22, 2012 12:59 PM

          the lakers are like the diablo 3 launch!!!

          • reply
            May 22, 2012 2:26 PM

            they're getting blown up next year. fine with me. we need a shakeup.

      • reply
        May 22, 2012 10:17 AM

        I only had one time where I ran into an issue.... but I've only played enough to get to level 18 .

      • reply
        May 22, 2012 10:55 AM

        If future train wrecks consist of marshmallows, beer and a new yellow helmet with sockets then sign me up!

      • reply
        May 22, 2012 10:57 AM

        <sarcastic hyperbolic response>

      • reply
        May 22, 2012 3:11 PM

        The Blizzard Bootlicking Brigade is strong in this thread.

      • reply
        May 22, 2012 4:47 PM

        shut it all down, blizzard

    • reply
      May 22, 2012 11:05 AM

      Same ole shit different game.

    • reply
      May 23, 2012 3:34 PM

      I got hacked. I was in the last act after the rifts, logged out at 845 to watch game of thrones, and at 940pm I got an email saying my password had been changed. I got up to see, and it was, I went to battle net and confirmed myself, changed my password, added the authenticator, and put in a support ticket. I just lost all my money. No items were sold. That said, My support ticket was responded to:

      I'm Game Master Kagmieth, thanks for contacting us about your WoW account. I did a little digging and found there is currently no WoW account attached to your Battle.net. There's a chance any emails you received about the account could be phishing attempts sent to gain your account information based on old data they picked up from way back when.


      Right.

      • reply
        May 23, 2012 3:35 PM

        And he is talking about my WOW account is because he asked me if I had one... My ticket is for diablo... lol
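
The reply in the thread above that describes a stored token which suppresses the authenticator prompt while "ip/mac/guid" stay the same can be modelled as the server-side check below. This is an added example, not part of the thread and not Blizzard's implementation; the HMAC token format, the one-week limit, and all names and sample values are assumptions.

```python
import hashlib
import hmac

MAX_AGE = 7 * 24 * 3600  # assumption: "every week or two" modelled as one week


def fingerprint(ip, mac, guid):
    """Collapse the client attributes named in the comment into one value."""
    return hashlib.sha256(f"{ip}|{mac}|{guid}".encode()).hexdigest()


def _tag(secret, account, fp, issued):
    msg = f"{account}|{fp}|{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(secret, account, fp, now):
    """Called only after a successful authenticator check."""
    return f"{now}.{_tag(secret, account, fp, now)}"


def needs_authenticator(secret, token, account, fp, now, always_prompt=False):
    """Return (prompt, reason) for a login that already passed the password."""
    if always_prompt:
        return True, "account set to prompt on every login"
    if not token:
        return True, "no stored token"
    try:
        issued_s, tag = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return True, "malformed token"
    expected = _tag(secret, account, fp, issued)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return True, "token does not match this account and device"
    if not 0 <= now - issued <= MAX_AGE:
        return True, "token too old"
    return False, "remembered device"


# Constructed sample values (documentation IP ranges, made-up MAC and GUID).
SECRET = b"server-side-key-for-demo-only"
HOME = fingerprint("203.0.113.10", "02:00:00:aa:bb:cc", "guid-1234")
ELSEWHERE = fingerprint("198.51.100.77", "02:00:00:dd:ee:ff", "guid-9999")
T0 = 1_337_700_000
TOKEN = issue_token(SECRET, "player@example.com", HOME, T0)

if __name__ == "__main__":
    for label, fp, now in [("same PC, next day", HOME, T0 + 86400),
                           ("copied token, other PC", ELSEWHERE, T0 + 86400),
                           ("same PC, 8 days later", HOME, T0 + 8 * 86400)]:
        print(label, needs_authenticator(SECRET, TOKEN, "player@example.com", fp, now))
```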
