Since Diablo III launched a week ago, a growing number of players have found their accounts broken into and their characters stripped bare, or even had their accounts outright taken. Blizzard is investigating these reports, initially blaming them on old-fashioned hacking techniques rather than a security hole in Diablo III, but some victims insist they've been hit even with a Battle.net Authenticator.
As with hacks in other online games--let's not forget Diablo III's DRM means it's an online game for everyone--the victims have all their characters' items sold, their stash emptied, and all gold passed on to another account. Blizzard's offering rollbacks for affected characters, but it's an inconvenience and upset nobody fancies dealing with.
While Blizzard is eying the usual hack vectors--keyloggers, phishing, passwords collected from hacked websites and whatnot--some unconfirmed reports say there may be a serious problem. Supposedly, miscreants can easily hijack the session ID of someone else playing, spoofing it to get access to their account.
As a forum post from community manager Micah 'Bashiok' Whipple shows, Blizzard's not buying that yet, but is investigating.
"We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand."
Yet there are many reports of players using an Authenticator who have been hacked regardless. Still, you may want to beef up your account security all the same, using an actual Authenticator, the free Authenticator mobile app, or the SMS Protect service, as detailed here.
"Historically, the release of a new game--such as a World of Warcraft expansion--will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo III," Blizzard said. Let's hope that's all it is.
With the launch of the real-money auction house coming on May 29, delayed by the launch issues, people are about to become an awful lot more concerned about the safety of their gear.