Diablo 3 hacking, what's going on?
palindrome
07-06-2012, 11:36 AM
There seem to be a lot of claims and counter-claims about the recent spate of hacked D3 accounts. Blizzard are blaming keyloggers and the like, while people who have gotten hacked are denying this, and given their sheer numbers, and that their ranks include quite a few games journalists and industry professionals, I am forced to agree with them.
Does anyone know what is actually going on?
mr.ioes
07-06-2012, 11:48 AM
Maybe the recently stolen passwords from LinkedIn have something to do with it.
It seems like no one knows what the cause is, but trojans/fishy sites/etc. are way too trivial to stay undetected when 200+ people got hacked.
If you have an authenticator, you are on the safe side (unless it's dial-in, which isn't supported for D3 currently).
TillEulenspiegel
07-06-2012, 12:27 PM
99% chance it's a load of people with previously infected machines finally suffering for it.
As far as I can tell, the only security mistake Blizzard has made is keeping case-insensitive passwords. That's pretty damn stupid, but it's not nearly enough to make accounts easily hackable.
mr.ioes
07-06-2012, 12:51 PM
99% chance it's a load of people with previously infected machines finally suffering for it.
You think it is possible for hundreds of people to have downloaded a trojan without noticing it? Or to have visited a site they didn't want to but forgot about it?
Well with all those zombie news lately, maybe the infection's to blame.
You think it is possible for hundreds of people to have downloaded a trojan without noticing it? Or to have visited a site they didn't want to but forgot about it?
I'd believe it: God knows I was dumb enough to put up with various infections and problems for months not quite knowing what was going on, believing myself to be Sensible and Security Conscious and Not The Kind Of Shmuck Who'd Have That Problem.
I don't mean to say that's what's happened in this specific instance, but I'd believe it's possible, sure.
Yeah. And even a thousand cases would be less than 2% of Diablo 3 players.
Goateh
07-06-2012, 01:18 PM
Does anyone know what is actually going on?
Blizzard, but whether you trust what they say is going on is up to you.
I'm inclined to believe them when they say it's the usual causes of account compromise that affect any online system. The numbers don't seem particularly high relative to the number of accounts Battle.net has; I'd expect much more if there was a design/security flaw in the system that allowed people to access accounts without authenticating/riding someone else's authentication.
They do seem to have made a mistake with the naming they use for their various security measures though. The physical and mobile authenticators are good devices that provide a whole lot of extra security. They also released a different mobile system they called a dial-in authenticator - http://us.battle.net/support/en/article/battle-net-dial-in-authenticator-faq - that does different things and only works with World of Warcraft. Calling both services authenticators gives the impression they offer the same security, and I suspect a lot of the people who say they're hacked with authenticators have the dial-in authenticator and not the physical or mobile code generator.
palindrome
07-06-2012, 01:18 PM
I'd believe it: God knows I was dumb enough to put up with various infections and problems for months not quite knowing what was going on, believing myself to be Sensible and Security Conscious and Not The Kind Of Shmuck Who'd Have That Problem.
I don't mean to say that's what's happened in this specific instance, but I'd believe it's possible, sure.
The problem that I have with this is that there have been at least 3 games journalists and a few YouTube 'professional' commentators who have been hacked; these are not the kind of people who I would expect to fall victim to keyloggers.
pkt-zer0
07-06-2012, 01:27 PM
With the amount of sites getting hacked these days (PSN/Steam/Gawker/LinkedIn/RPS/etc.), chances are that if you use the same password on any two sites, you're already vulnerable. The one hacked journalist on Ars Technica reused his PSN password, for instance.
Skalpadda
07-06-2012, 01:29 PM
People using the same passwords on multiple sites is another route to getting hold of people's email addresses and passwords and it doesn't require getting keyloggers onto people's machines.
edit: Meh, pkt-zer0 beat me to it.
mr.ioes
07-06-2012, 01:29 PM
With the amount of sites getting hacked these days (PSN/Steam/Gawker/LinkedIn/RPS/etc.), chances are that if you use the same password on any two sites, you're already vulnerable. The one hacked journalist on Ars Technica reused his PSN password, for instance.
This sounds like the most reasonable scenario to me. Reused passwords.
It would be interesting to know if someone got hacked with a battle.net-only PW.
lasikbear
07-06-2012, 01:49 PM
I got hacked, used a b-net only password (though I guess it was similar to a really old one I used for like Cryptic and some of the other old places that got hacked; username was totally different). I think one of the main issues is it's easy to brute force, Blizzard doesn't care if you enter the password wrong a thousand times before you get it right.
I had their SMS notification service, which turns out is not an authenticator, just a notifier that your shit got broke. Helpfully though the hackers just turned it off beforehand.
Overall it wasn't so big a deal, I was only lvl 34ish and Blizzard had the option to rollback my stuff to before it was hacked, I didn't even take it cause I had a friend bail me out.
Hirmetrium
07-06-2012, 02:20 PM
1. Blizzard do not use case sensitive passwords (easier to hack)
2. Blizzard do not lock you out after a certain number of failed tries (easy to brute force)
3. B.net passwords are short, character wise (IIRC? Might be wrong on this one).
That means, unless you have an authenticator, (THE REAL ONE, The physical one or your mobile phone app from apple/google play) your password will be broken down very, very easily. It makes battle.net very hackable and those without authenticators tempt fate.
My WoW account was brute forced years ago, but I got the authenticator app and never looked back.
Blizzard's choice of security is shocking, but at least they provide the authenticators. Else we'd be screwed.
TillEulenspiegel
07-06-2012, 03:33 PM
Brute forcing is only an issue if you're using a simple variation of an English word (or name, or other nonrandom things) as your password. Otherwise, it's extraordinarily unlikely.
Consider: if you have an 8-character alphanumeric password, that's 36^8 possibilities. If you could try 1000 passwords per second (that's a lot), it would take you over 89 years to test all possibilities. And that's if you're targeting one account.
Use a decent password, and this is absolutely not an issue. Until the database containing password hashes is hacked - then it's feasible to test millions per second.
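The arithmetic in the post above, worked through as an added example (not code from the thread or from Blizzard): it computes the keyspace of an 8-character password, the years needed to exhaust it at the online rate (1000 guesses/s) versus the offline rate (1,000,000 guesses/s) the post mentions, and how much case-insensitive matching shrinks the search compared with a case-sensitive alphabet. The alphabet sizes (36 and 62) and the rates are assumptions taken from the discussion.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes assumed from the thread: case-insensitive alphanumerics
# (what the posters say Battle.net effectively accepts) versus case-sensitive.
ALPHABETS = {"case-insensitive alnum": 36, "case-sensitive alnum": 62}

# Guess rates quoted in the post: online guessing against the login form
# versus offline cracking of a leaked hash database.
RATES = {"online (1000/s)": 1_000.0, "offline (1,000,000/s)": 1_000_000.0}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password of this shape, in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst case: years needed to try every password at the given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def case_folding_penalty(length: int) -> float:
    """Factor by which folding 62 symbols down to 36 shrinks a length-n
    alphanumeric keyspace, i.e. (62/36) ** length."""
    return (62 / 36) ** length


def scenario_table(length: int = 8) -> dict[tuple[str, str], float]:
    """Years to exhaust each (alphabet, rate) combination for one length."""
    return {
        (alpha_name, rate_name): years_to_exhaust(length, size, rate)
        for alpha_name, size in ALPHABETS.items()
        for rate_name, rate in RATES.items()
    }


if __name__ == "__main__":
    for (alpha, rate), years in scenario_table().items():
        print(f"{alpha:24s} {rate:22s} {years:12.2f} years")
```

Note the online figure assumes the server never throttles or locks the account; the offline figure is the same keyspace once the hash database has leaked.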
Hirmetrium
07-06-2012, 05:13 PM
It doesn't change the fact people are stupid, use predictable passwords like bl1zz4rd, and so on. People will never admit that, because they don't want their password out in the open.
Seriously, have you seen the LinkedIn hack? You'd think most people on that site are very clever. Not so - a LOT of "linkedin" and "L1nk3d1n" as passwords.
And, like I said, it's not case sensitive. Dictionary words, and passwords, are SIGNIFICANTLY weaker without that. And we're talking about Chinese gold farmers. They have plenty of labour to waste time hacking accounts, building up a collection of gear ready for the RMAH.
EDIT: and, for the record, I am stupid too.
Moraven
07-06-2012, 06:28 PM
I know WoW uses a Steam Guard like service.
Tested D3 now on a computer in a different city. WoW and D3 will remember the last time you used your auth separately (if you have the option enabled to remember your computer, kinda like a half Steam Guard). Have been on WoW on that computer at least once a week and it has not asked for a password reset if I keep that up. D3 did not ask for a password reset. So either it stores info with your account and WoW, or they failed to put the BNET GUARD on D3.
The latter I find likely, seeing how disconnected some of their B.Net features are across games. Well, the SC2 and WoW social tabs work together fine. The D3 one is buggy as hell and lacks such stuff as status updates and combining people who are online in more than one game. And really, you design the chat box to be that small and not resizable? SC2 had it better with a box for each private conversation, but their public/private channel system is crap (which D3 has barely any of). War3 had channels fine; I fail to see why B.Net 2.0 chopped so many features. They plan to fix it all, but it's frustrating they designed and implemented things that way from the get go.
I have had WoW require a password reset after like 7-10 failed password attempts.
deano2099
07-06-2012, 10:26 PM
You think it is possible for hundreds of people to have downloaded a trojan without noticing it? Or to have visited a site they didn't want to but forgot about it?
Out of 4 million? Sure.
What I'd love to know is how many people got hacked with a fresh Battle.Net account set up just for D3. And also how many people got hacked that also have active WoW accounts. I'm guessing very few.
See, there's a good chance somewhere along the line your WoW/SC account got hacked. You don't play anymore so you never find out. Hackers then try your password again when D3 comes out and score, only then do you realise sometime in the last two years you got hacked (because maybe your BNet password was the same as Gawker/LinkedIn/PSN etc - did you go back and change that when those got hacked? No, because you no longer played WoW so who cares, right?)
If this was a new thing, we'd also see an upswing in WoW hacks as people would be using the D3 flaw to access people's WoW characters, as right now that's still a far more lucrative market. We're not really seeing many examples of that, which is why I think this is mostly just a matter of re-trying successful WoW hacks from the past couple of years.
arccos
07-06-2012, 11:11 PM
I had my D3 account hijacked, if you're looking for sample cases. No authenticator, no trojans, but it was a reused password.
I think someone just got a large list of accounts + unencrypted passwords from somewhere, and is trying them out.
mr.ioes
07-06-2012, 11:44 PM
eHarmony and last.fm just got hacked as well (again, millions of pws). And a recent interview with a gold farmer also revealed their practices which include hacking forums and using reused passwords (transcript (http://diablo.incgamers.com/?p=22038)).
Subatomic
08-06-2012, 01:43 AM
eHarmony and last.fm just got hacked as well (again, millions of pws). And a recent interview with a gold farmer also revealed their practices which include hacking forums and using reused passwords (transcript (http://diablo.incgamers.com/?p=22038)).
Yeah, people are lazy and probably won't use a different password for each and every account on every single site/service they use. A 'hacker' just needs a few stolen databases from some of the bigger hacks like PSN, or just a collection of poorly secured vBulletin boards which aren't that hard to get, tries the emails plus passwords on battle.net and is sure to find more than a few working ones. That's much easier and therefore more likely than bruteforcing, session spoofing or a hack of Blizzard's servers or other methods that have been theorized. Blizzard of course didn't help matters by giving a potentially huge monetary incentive to hackers (the RMAH) or providing a 'dial-in authenticator' that isn't really an authenticator, additionally confusing people about account security.
Moraven
08-06-2012, 02:19 AM
RMAH transactions take 3 days for you to receive money. Wonder if some of that time will be used to flag stolen goods.
Well if this interview (http://diablo.incgamers.com/blog/comments/concerned-diablo-3-farmer-interviewed-on-economy-bots-and-more#more-22038) is real it confirms that accounts are "hacked" by hacking different forums and just testing those log ins at Blizzard stuff. He also says that Blizzard is "bullet proof", so they have to acquire the log ins from different places.
DeathPig
10-06-2012, 05:40 PM
Having different logins and pws may help, coz even on bigger sites, social media like FB, these admins can't be trusted with your life, coz they know your credentials and pws.
What? Are you implying admins hack players on their own servers?
archonsod
10-06-2012, 06:39 PM
What? Are you implying admins hack players on their own servers?
Or that passwords are stored on said servers in plain text ...