Blizzard Tries To Reassure Hack Victims, Results Vary

Perhaps the next version of the Authenticator should be a real-life Barbarian who physically assaults all hackers within a 30 mile radius.
Because the universe loves comedic irony, Diablo III’s online infrastructure specifically put in place to keep out cheaters and hackers is currently being besieged by cheaters and hackers. Yesterday, Blizzard acknowledged the issue, and today, the damage control process has officially begun. From where I’m standing, though, it leaves out one very important step: the part where it, you know, actually solves the problem in the long run. Perplexingly, the multiplayer-loving megalith has opted to calm players by pointing out that account compromises skyrocket with new game releases, à la WoW expansions. Fair enough. But why, again, is it supposed to be reassuring if it keeps happening?

Blizzard outlined its approach to hacking and slashing the hacker menace that plagues its hack ‘n’ slash in a forum post:

“Historically, the release of a new game – such as a World of Warcraft expansion – will result in an increase in reports of individual account compromises, and that’s exactly what we’re seeing now with Diablo III. We know how frustrating it can be to become the victim of account theft, and as always, we’re dedicated to doing everything we can to help our players keep their accounts safe — and we appreciate everyone who’s doing their part to help protect their accounts as well.”

“We’ve been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person’s account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn’t a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.”

The developer suggests players either contact its support department or tie accounts to an Authenticator, which it still touts as “[one] of the most effective measures we offer to help players protect themselves against account compromises.” On that front, however, Blizzard’s response is especially odd, given that we’ve been hearing reports of hackers working their dark magics unimpeded by Blizzard’s supposedly unassailable data fortress. The implication on Blizzard’s end, then, is that its servers are secure and players managed to get strung up in some keylogger’s web, while many disgruntled players are making claims to the direct contrary.

Meanwhile, if you’ve been hacked, Blizzard’s offering rollbacks to restore lost items – though sheer volume has obviously slowed down the process quite a bit.

As of now, Blizzard still plans to roll out the real money auction house on May 29, but I’ve sent a mail to find out if the potential ticking time bomb that is sticky fingered thieves and access to credit card information could derail the launch even further. Regardless, it’s far from a promising state of affairs, and Blizzard’s “Well, you know, these things happen” attitude toward the matter has caused my credit card to scamper under my bed and begin whimpering in abject terror.

Sure, maybe Blizzard’s being honest and all these people were simply careless with their data. But even so, we’re talking about an upcoming service that allows people to freely buy and sell items using – and I can’t stress this enough – real money. The stakes are much, much higher now. Drop the ball from up here, and it’s probably not coming back. So, Blizzard’s fault or not, something needs to be done. Otherwise, the current rash of stolen virtual identities will probably be looked back on fondly. Like – oh, off the top of my head – a walk through the park on a balmy spring day that you didn’t have to miss in order to sit inside and spend hours on the phone securing all your personal information.


  1. Alien426 says:

    Well, I agree that it’s okay to be mad at Diablo 3. Did not buy it.

    • RF says:

      Currently in the process of trying to negotiate a refund. We’ll see how that turns out.

      • Bhazor says:

        Would be very interested to hear how that worked out.

        At this point offering full refunds is about the only way Blizzard will earn even a sliver of my respect for them back.

        • HothMonster says:

          Supposedly refunding it is not a problem. TOS says they will refund in 30 days. Of course if you bought the game somewhere other than their digital store you may be stuck dealing with your retailer. link to

      • Smashbox says:

        Wait – after publicly bashing this game at every available opportunity for over a month, you … bought it?! Words fail me.

    • Syra says:

      I’ve not had any trouble with d3 since the initial rush, which I got in on after 30min of password spamming. The internet is up in arms but literally all of my friends are playing it too with no problems. Is there an element of extrapolating the size of the problem based on internet QQ going on?

      Here’s hoping problems get resolved.

      • mike2R says:

        Well I woke up early this morning and thought I’d play a couple of hours before going to work.

        Servers were down for maintenance…

        I don’t normally get upset by DRM, but I don’t think I’ll be buying another game that does things this way. Not a boycott or anything, I just doubt I’ll buy another game on the same terms.

        • Shadram says:

          Servers went down at 1am PST yesterday for 8 hours. Unfortunately, that means they went down at 8pm here (NZ) and even earlier in Australia and East Asia. Apparently the unemployed in the US, wanting to play from 9am, are more important than prime time in several entire countries.

          • kaffis says:

            Far more likely than taking potshots hinged on catering to the US unemployed is that they want the servers to be back *up* around the end of the European work day. Starting an 8-hour patch cycle at 1am Pacific means finishing up at 4pm GMT — throw in daylight savings, and AFAICT, that’s 5pm for much of Europe.

            But that’s okay; I’m sure it’s far easier and more satisfying to sound self-righteous when belittling the need for the unemployed to play rather than acknowledging that perhaps the European playerbase outnumbers the Aussie/New Zealander playerbase.

          • MiKHEILL says:

            Well perhaps that’d be true, if the European servers were the ones affected. The servers being referred to here however were the Americas, which inexplicably includes Oceania. The European servers were in fact online for the entire time the Americas server wasn’t on the night in question (Tuesday).
            But hey, ill-informed condescension seems to be the flavor of the day, so you keep indulging in that.

        • Runty McTall says:

          Me too. I buy too many games at the moment anyway (in that I don’t feel I have time to do them all justice) so am looking to really focus my purchases better in future. In retrospect I think I should’ve just gone for Torchlight 2 and skipped D3.

          I won’t be buying anything with always on DRM again (meh, maybe for like £7 (my somewhat random mental limit – been waiting for BLOPs to fall to this for literally years) on a sale).

          • ScubaMonster says:

            Played the Torchlight 2 beta. It’s not really that great. Despite all of Diablo 3’s problems it’s certainly the better game of the two.

          • Highstorm says:


            I had the exact opposite experience. I found the T2 beta delightful and vastly superior to D3’s highly streamlined fluff.

          • MiKHEILL says:

            Played the Torchlight II beta, and it’s amazing, literally everything I wanted Diablo III to be (except for the cartoonish graphics of which I am not a huge fan).

      • Didero says:

        It’s not even just this specific problem of not being able to log in that’s the issue.
        It’s the fact that it’s possible for the problem to exist in the first place that a lot of people don’t agree with.

        • radioactivez0r says:

          That’s probably one of the more eloquent explanations of my stance against it that I’ve seen.

      • Wreckdum says:

        It’s not about the servers being down all the time. It’s about them being down too often and when they are up the horrendous lag. I have 35Mbps internet service. For most of launch week on Diablo III I was getting 600+ to sometimes over 1000 ping. The game is impossible to play in Hell difficulty and higher with a ping that high. Apparently you and your friends live on a cloud far far away from everyone else on the internet.

        Or you’re one of those people that posts on the forums on a known problem that everyone is having and says UHHHH MUST BE YOUR PC, GET A BETTER VIDDYA CARD BRO.

        • Phantoon says:

          All the people that endlessly defended SWTOR bailed back to WOW.

          It’s why the mindless zombie defense of it is exactly the same, word for word.

    • reggiep says:

      Jim makes the assertion that it’s solely Blizzard’s problem to solve cheating and scamming. Isn’t that like saying it’s the government’s problem to stop thieves from breaking into my house? It’s a shared burden. The government agrees to deploy police officers while I agree to put locks on my doors and maybe deploy a security system.

      Jim also, like most pundits, offers up no solutions.

      • shizamon says:

        Nathan wrote this article friend..

      • kaffis says:

        What solutions would you recommend, then, when Blizzard’s approach to security doesn’t even recognize case sensitivity as a useful tool in making passwords secure?

        There are rumblings about the rash of hacked accounts being linked to the very authentication infrastructure they use. No amount of password complexity, good password discipline, keylogger-free computing environments, or multi-factor authentication can save you from sniffable session info.

        If that’s the case as is being rumored, that lands FIRMLY on Blizzard’s shoulders, and theirs alone.

        • GBoyzJay says:

          Actually, it’s a bit worse than that. I mailed Nathan with the thread link earlier today, but… well, let’s just say passwords are *really* insecure, and if you don’t have an authenticator, you’re almost certainly at risk.

          Add to this the stories going round of people hacking while in-game, videos supposedly of people walking around stealing everyone’s loot, and… it’s not looking great for Blizzard.

          • Ragnar says:

            At the same rate, look at some of the posters on the Blizzard Forums. They can’t (or can’t be bothered to) read basic English. I wouldn’t be too surprised if many of them clicked on a link and entered their login info to “Get Uber Pre-Order Bonus DLC Loot for Diablo 3 FREE!!!”

      • Phantoon says:

        Nathan wrote the article, and he didn’t contend that always-on was supposed to stop this.

        Even though it was, and hasn’t. And if you’re saying it’s “all the players’ faults”, how have you got to a state of mind where you think a company, out to make money, doesn’t lie?

      • Ateius says:

        Okay, so couple things.

        First, I believe he’s referring to Jim from the Jimquisition link shown further up in the comments, as the statements he refers to are those Jim makes.

        More importantly, the Jimquisition rant was referring to hackers and cheaters in relation to the cash store, asserting that the cash store was the entire reason for the massive anti-cheating measures, and correctly identifying that the smooth functioning of the cash store is Blizzard’s problem, and the imposed solution should not be providing inconveniences for the players. The home-burglary analogy doesn’t work here. A better analogy would: The cash store is Fort Knox, and the always-online DRM is me being dragged out of my home and told to walk the perimeter fence. This shouldn’t be my problem, but it’s being made my problem against my will.

  2. SquareWheel says:

    I didn’t buy it due to their DRM policy. Looks like I lucked out.

    • baby snot says:

      You’re missing out on all the click click, click click, click click click click click.

      • Gnoupi says:

        Or he played torchlight 2 beta, and he doesn’t miss in the click click click.

  3. gschmidl says:

    Why does it keep happening? Because people are lazy idiots who

    – reuse the same password on multiple sites
    – use shitty passwords like “password1”
    – never change their passwords
    – don’t use the authenticator despite dire warnings to do so

    It’s been known for a number of years that a stolen WoW account is worth more than a stolen credit card, and people still don’t protect their accounts. The authenticator is even free if you have a smartphone.

    Sony’s been hacked. Kotaku’s been hacked. If someone used the same password there, their account is also hacked.

    And of course Blizzard could force people to use authenticators before they can play, but (like literally everything else on the internet) the generated QQ and nerdrage would be off the charts.

    • RF says:

      Christ, the shills are out in force today.

      No, it’s not those people’s faults. I usually use the same password with different capitalisation since I find it easier to remember.

      You know what Blizzard’s passwords are not? Case fucking sensitive.

      • gschmidl says:

        I’m REALLY not a Blizzard shill, but I’ve seen this over and over the past few days on various forums. “I got hacked!” “Do you have an authenticator?” “No, but I have two firewalls and three virus scanners!”

        Blizz have claimed it’s only been people without authenticators that’ve been hacked and I’m inclined to believe them for now.

        That passwords are case-insensitive is pretty goddamn stupid, yes. But you know what would actually solve the problem for a lot of people? Not having to be friggin’ online for a game you want to play alone. The chat alone makes me hate humanity that much more.

        • RF says:

          It’s also the fact that passwords are brute-forceable (no lock out time for trying to enter), login username info is sniffable from the forums etc.

          • Donkeyfumbler says:

            Is that right?

            My account was recently hacked, but all they got access to was a WOW account that had been dead for 5 years. I had changed the password recently to play the Diablo beta – it had been a nice long randomly generated one, but I had to keep typing it so often to try and get in that I changed it to my old default one that I’ve used in the past on sites I don’t care about.

            I’d presumed that someone must have grabbed username and password from one of those sites that had somehow been compromised and then tried their luck with my blizzard account, assuming that there was no way that Blizzard would allow a brute force attack. Surely it would be madness not to have some kind of lockout after so many wrong attempts?

        • jrodman says:

          There are a LOT of other services in this world that have more value and are not protected by hardware gizmos without a lot of breakins. Why is it so unreasonable to expect that if you can keep trojans off your computer that you shouldn’t need an authenticator?

          Over the years I’ve identified 10 or so things that blizzard should do to improve security, and sent all of them to blizzard in clear communications. As far as I can tell they’ve implemented about none.

          • Rilgon says:

            To be fair, there was a report that said the average WoW account was worth more on the black market due to both the ease with which it can be stripped AND the fact that the average law enforcement doesn’t give a damn about it (which is not the case with, say, a bank account or credit card).

            That said, 2-factor authentication is better than not and in any situation where it’s available, it should be used. Yes, even at bare minimum, one of the emulated options (like the JS-based one or an emulated Android handset).

        • mihor_fego says:

          You must mean the authenticator included in the game packaging, right? Cause if it’s necessary to secure your account, they should issue you one with every purchase.

          • D3xter says:

            That would cost them cents extra! CENTS!
            What do you think they are? A charity?

          • Godwhacker says:

            Amen to this.

            The game already costs £45 for a *download*, which is almost certainly around £44.75 pre-tax profit. Throwing in an authenticator with that would hardly break the bank. They’ll probably moan about cost, but I can’t believe that the shitty dongle they offer on the website actually costs £9 to manufacture.

          • Gunrun says:

            Actually from the manufacturer of the token it costs about $8, less if you’re buying in bulk which presumably blizzard does. Blizzard claims to be selling the items at cost after postage because it’s worth it for the reduction in support time.

          • D3xter says:

            Sure does, you completely sure it doesn’t cost a GAZILLION dollars?
            Blizzard surely sells them at a loss too in a noble gesture of self-sacrifice, they’re practically giving them away!
            link to

          • Gunrun says:

            Hmm yes I’m sure it’s blizzard making the majority of the profit on those keys, and not the person actually manufacturing them and creating the technology. Let’s just focus on manufacturing costs though because we know the only money that a product costs is the plastic it’s made of. Let’s just ignore the research and developmental time for the technology, as well as the costs of running the authentication servers. Clearly blizzard is rolling in it with authenticator money.

          • Godwhacker says:

            Well yes, they clearly are. It’s old technology, the R&D costs will have been paid for years ago, and they’re made in fucking China. Even if it does take $8 (!) to manufacture, which I highly doubt, $8 != £8.

          • D3xter says:

            And today’s episode of “In the mind of a Blizzard apologist” is…

            Did you even read the article?

          • Gunrun says:

            Oh you highly doubt it do you? Well I guess you must have rolled out 2 factor authentication for your company or at least know someone who has then? No? Well then…

          • Godwhacker says:

            And I take it you’ve heard of economies of scale? No? Well then…

          • Katar says:

            Most UK banks give away authenticators free. Frankly it’s disgraceful that they don’t give away physical authenticators free to people that play/played WoW. Worse still they are £9 ($14) or €10 ($12) in the EU when they are $6.50 in the US. That difference is entirely EU taxes as they sell them at cost!

        • Ninja Foodstuff says:

          I got a notification from blizzard about a year ago saying my wow account had been suspended due to spamming.

          I wrote back to them saying that I hadn’t logged in to my account for several years.

          The response I got was:

          Having looked into your issue, it appears that your account has been compromised using a key logger or trojan virus, or through an e-mail or website phishing scam.

          How that is possible when I hadn’t attempted to log in for several years, (I had literally not typed the password combination in as long) I don’t know. Clearly something is amiss.

          • RF says:

            It’s an issue a lot of people have been having. And, yeah, everyone’s “wtf” about it.

          • frightlever says:

            “How that is possible when I hadn’t attempted to log in for several years”

            Magic. Obviously magic. Or the password was easily brute-forced, or you used the same email/password combination on a different site that was compromised. Or maybe a dozen different answers. But since I’m sure you’ll assure me your security is faultless, we’re back to magic. Definitely magic.

          • Donkeyfumbler says:

            That was my attitude when my account got hacked a week or so ago. There were no trojans or anything else on my PC (two AVs always running, scanned with another three to be sure) and highly unlikely that username/pw combo was used on another site that had since been compromised. It never occurred to me that they could brute force it – surely I’m not mad to assume that a company like Blizzard would have mechanisms in place to prevent a brute force attack?

          • Otimus says:

            I’ve long prescribed to the theory that someone who works or has worked for customer service or the like is stealing accounts. POSSIBLY from chat logs within the game, as -all- of that is logged, and viewable. So if you were to ever tell a friend your password via PM, they can see it.

            I’ve had a friend who had her account hijacked last year, and that’s pretty much the only way I could assume things could go down. Could be wrong, but it never hurts to think of these things!

          • sneetch says:

            Same thing happened to a friend of mine during WotLK, he hadn’t logged in in almost six months, used unique passwords for every site and game he uses, and one day we noticed he was online, unresponsive to tells and whatnot and was running around some mines in Storm Peaks farming mobs. We let him know and he contacted Blizzard and got much the same response from them.

          • aepervius says:

            Yeah I got a similar answer. My passwords are hardly guessable and unique per site (combo of random letters, punctuation when allowed and numbers, like H7%y,?jA7-#a for example, and I have got them saved in a PDA password vault which never goes online) and I make sure to never, ever, click any link in email, so for example if I get an email from amazon, I go to manually and not clicking on their address in the email. For “normal” web browsing and email I only use Ubuntu, and regularly download the newest version, and also make sure my security is OK. On my gaming computer I never go to any web site except the maker of the game (typed manually). I make sure my firewall & router are not compromised, and I take various other assorted security measures using various anti virus and spyware scanners to make sure windows is clean. And I still got the same damn canned answer. I would not be surprised if at some point in the past, they got hacked, somebody took off with an unsalted password file, or some other hack allowing direct access.

          • malkav11 says:

            Weird. When that basic scenario happened to me, Blizzard wouldn’t tell me anything at all. (Except, my account was banned, not suspended, and I was never notified.)

          • Malibu Stacey says:

            I had a couple of those e-mails & I’ve never played WoW or any other Blizzard game since Starcraft (and even that was only single player) & don’t have anything resembling a BattleNet account. I’ll dig them up later when I get home.

          • Khory says:

            Are you sure the email was even from Blizzard? I’ve gotten my fair share of phishing emails regarding my WoW account. I report them every chance I get.

          • Ninja Foodstuff says:

            @Khory: Yes I’m sure- that was in response to a ticket I created separately in response to the email about my account being banned (partly because I suspected the initial email was fake too)

          • jwoozy says:

            Gold farmers don’t immediately take over your account once your login details have been compromised. They can sit on that information for months before they actually get an order on your server, and there’s probably a massive backlog of keylogged account info on sophisticated gold farming ops, obtained through malware that was more than likely distributed through the modding scene or the usual channels (outdated flash/java exploits). It can take a long time for anyone to use your information once they’ve obtained it, which is why you’re encouraged to change passwords frequently and not use the same one.

            If the rumors about being able to hijack session IDs are true–and I stress that they are rumors and likely to be debunked (the thing about public games being a security risk was eventually revealed to be false, for example)–then it does represent a serious lapse on Blizzard’s part. However, the most reasonable explanation for the wave of hacked accounts in Diablo III is almost certainly that these accounts were compromised before Diablo III even launched (either during Beta or months ago in WoW), that they were compromised through the usual means that Blizzard can’t reasonably do anything about, and speculation regarding some easily preventable security loophole or exploit is utterly baseless and smells a lot like people who thought they were more secure than they actually were dreaming up some nefarious plot rather than admitting that they probably share some of the blame for their hacked accounts.

        • Phantoon says:

          “Not a Blizzard shill”

          “been on many forums”

          Really. Did you espouse how it was the players’ fault there, too?

          Have you considered that Blizzard could be lying, both directly and through omission?

          • RandomGameR says:

            Of course Blizzard is lying. It couldn’t possibly be that these third-hand anonymous reports that accounts are being hacked despite authenticators are completely fabricated.

            My favorite was the guy on the forums who claimed that he was hacked and he had an authenticator, and then a forum mod pointed out that he added the authenticator onto his account after the hack took place.

            But yeah, the forum mod must have been lying, not the other guy.

          • wu wei says:

            The most obvious example of Blizzard’s lying: they keep saying there is no evidence of any wrongdoing.

            Even if these people were all key-logged, then Blizzard’s logs should show them connecting from completely different IP addresses within a short period of time. That they’re apparently unable to do a log scan for IPs that connect to more than, say, 10 accounts just seems preposterous to me.

            The low-level players who seem implicated can still be seen pushing characters through their chop-shop. Regardless of how secure the authenticator is, pushing it instead of putting a stop to the hackers just comes across as self-serving and disdainful of the one thing their fans expected them to understand: their very real experience of loss at the personal value they were deriving from the game.
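
The log scan suggested in the comment above, as an added Python example that is not part of the original thread: it flags source IPs with successful logins to more than ten distinct accounts inside a window, and accounts whose successful logins switch IP within an hour. The log format, account names and addresses (documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real Battle.net format):
#   <UTC timestamp> login <ok|fail> account=<name> ip=<address>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) account=(?P<account>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: two owners on their usual addresses, one failed login,
# then a single address logging in to twelve accounts in twelve minutes.
SAMPLE_LOG = [
    "2012-05-22T19:30:00Z login ok account=owner01 ip=192.0.2.10",
    "2012-05-22T19:40:00Z login ok account=owner02 ip=192.0.2.11",
    "2012-05-22T19:00:00Z login fail account=owner03 ip=198.51.100.7",
] + [
    f"2012-05-22T20:{m:02d}:00Z login ok account=owner{m:02d} ip=203.0.113.50"
    for m in range(1, 13)
]


def parse(lines):
    """Yield (timestamp, result, account, ip) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["account"], m["ip"]


def fanout_ips(lines, max_accounts=10, window=timedelta(hours=24)):
    """Map each IP that logged in to more than max_accounts distinct accounts
    within any sliding window to every account it logged in to."""
    per_ip = defaultdict(list)
    for ts, result, account, ip in parse(lines):
        if result == "ok":
            per_ip[ip].append((ts, account))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start, in_window = 0, defaultdict(int)
        for ts, account in events:
            in_window[account] += 1
            # Drop events that have fallen out of the window.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_accounts:
                # Report every account the source touched, for review/rollback.
                flagged[ip] = sorted({a for _, a in events})
                break
    return flagged


def rapid_ip_changes(lines, window=timedelta(hours=1)):
    """List (account, previous_ip, new_ip) where two successful logins to the
    same account came from different addresses within the window."""
    last_ok, hits = {}, []
    for ts, result, account, ip in sorted(parse(lines)):
        if result != "ok":
            continue
        prev = last_ok.get(account)
        if prev and prev[1] != ip and ts - prev[0] <= window:
            hits.append((account, prev[1], ip))
        last_ok[account] = (ts, ip)
    return hits


if __name__ == "__main__":
    print(fanout_ips(SAMPLE_LOG))
    print(rapid_ip_changes(SAMPLE_LOG))
```

Shared addresses (NAT, internet cafes, mobile carriers) also log in to many accounts, so a hit here is a lead for review, not proof of compromise.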

        • seren says:

          “Blizz have claimed it’s only been people without authenticators that’ve been hacked and I’m inclined to believe them for now”
          In official word on EU forums they’ve stated (and in the US one quoted, that now doesn’t mention it at all it looks like) of the cases they’ve investigated, no one compromised had an authenticator attached prior to being compromised. That’s not the same as saying only people without authenticators have been compromised.

      • Carr0t says:

        Damn straight. I’d love to give Blizz the benefit of the doubt here, but case insensitivity on passwords suggests they’re storing them in plain text in a DB somewhere. Case sensitivity is something users can choose to put in their password or not. If they were hashing the password then case would matter unless they were running a tolowercase or touppercase function on the password before storing it and before comparing it every time someone types it in. That’s extra unnecessary work for your system every time someone tries to log in, and that can add up with as many users as has. So the assumption is that they’re storing in plain text, when they should be hashing *and* salting in case anyone ever gets their DB. I wonder what their reasoning was. Too slow to run a hashing operation on every password entry? If that’s true then they should be redesigning and buying more servers to handle the extra load, not cutting corners where security is concerned. It’s not like they don’t have the money. I wonder if the same DB holds your base authenticator details which would allow people to work out what your code will be at any given time.

        • P7uen says:

          You might be right, but you can’t really infer that at all. All you can tell from not having case sensitive passwords is that they don’t have case sensitive passwords and that the person who made that decision was not a very wise person.

          • Milky1985 says:

            I think you can infer this, because it’s a later game that has the insensitivity while the early games are more fussy.

            You cannot “remake” a case-insensitive hash from a case-sensitive one (as the whole point is that you cannot get the original pw from the hash)

            Thus the only way the new one works is if the passwords are stored in such a way that you can get the plain text back, maybe not pure plain text, but not stored properly either.

          • P7uen says:

            I’m aware, I’m just pointing out that It’s perfectly possible to store case-insensitive passwords in encrypted form, so his guess is as good as anyone’s, the only thing for sure is that it’s a shit system.

          • jimbobjunior says:

            You can, the first time you get an authenticated login with the case-sensitive password, normalise it and store it again. Now you can allow the user to log in using their case-insensitive password.

            Little known fact: facebook allow permutations of case in logins to account for the fact people often mess up with the CAPS LOCK key:

            PassWord and pASSwORD will both work.

            I’m not defending Blizzard here, but people are spreading misinformation here.

            If you value your account you should use two factor authentication.

            Also to the people saying about brute-force protection, most protection schemes (3 failed attempts, locked for an hour type schemes) give rise to a potential DOS attack. Any attacker could trivially lock thousands of accounts a second.

          • Milky1985 says:

            “You can, the first time you get an authenticated login with the case-sensitive password, normalise it and store it again. Now you can allow the user to log in using their case-insensitive password.”

            Based on my knowledge at the time I assume that the wow and starcraft 2 logins were case sensitive and only diablo 3 not, that would have required them to create this extra hash when we all made our accounts years and years ago, which would be silly.

            Now I can see it’s a moot point anyway, as all logins are case insensitive, sc2 and everything.

            So it’s just a stupid password policy that goes against what most people say instead :P

          • P7uen says:

            I’m talking about asserting Blizz store passwords unencrypted on the basis they aren’t case sensitive, what are you all talking about?

            It’s like declaring their database can’t store numbers if they don’t require them in a password.

          • Milky1985 says:


            My understanding at the start was that wow and sc2 passwords (older games) were case sensitive but diablo 3 was case insensitive.

            This has now proven to be false since it looks to have always not mattered if it’s upper or lower case but my reasoning based on the information was that the only way (unless they planned for case insensitive passwords in the future, unlikely, seems silly) that old passwords would work in the new system (now case insensitive) would be if they were stored in either plain text or a type of encryption which was reversible (you could get the pw out of the hash). Both of which are password storage no-nos and would mean that if someone did get hold of the db, people’s passwords would be exposed.

            Since it turns out it’s all insensitive it’s a moot point. But that was the reasoning.

          • Wisq says:

            There is absolutely nothing stopping any site from storing passwords “encrypted” (by which you mean hashed) and still matching them case-insensitively. Period.

            No matter what hashing algorithm you use, if the input is lowercased/uppercased before hashing, both on storage and at login time, you get the same answer regardless of case. This is the same for any deterministic algorithm of any sort — hashing, encryption, anything.

            What you can’t do is store them case-sensitively and check them case-insensitively later. But if you pick an approach to start, you’re fine.

        • mire says:

          sha1(strtolower($password)) – There, I’ve solved it!
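The point argued in the comments above (case-insensitive matching only needs the input normalised before hashing, and an existing case-sensitive hash can only be converted at a successful login), as an added example that is not part of the original thread and is not Blizzard's code. It swaps the bare SHA-1 of the one-liner for salted PBKDF2; the function names, record layout and sample password are constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def _derive(material: str, salt: bytes) -> bytes:
    """Salted, slow hash of the (possibly normalised) password."""
    return hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, ITERATIONS)


def normalise(password: str) -> str:
    """Case-fold before hashing; done identically at storage and at login."""
    return password.casefold()


def make_record(password: str, case_sensitive: bool) -> dict:
    """Create a stored record. Only salt and hash are kept, never the password."""
    salt = os.urandom(16)
    material = password if case_sensitive else normalise(password)
    return {"salt": salt,
            "hash": _derive(material, salt),
            "case_sensitive": case_sensitive}


def verify_and_migrate(record: dict, attempt: str):
    """Check a login attempt against a record.

    Returns (ok, record). A legacy case-sensitive record is re-hashed in its
    normalised form only after a correct login, because that is the one moment
    the server holds the exact password. Until then the legacy hash cannot be
    matched case-insensitively.
    """
    material = attempt if record["case_sensitive"] else normalise(attempt)
    ok = hmac.compare_digest(_derive(material, record["salt"]), record["hash"])
    if ok and record["case_sensitive"]:
        record = make_record(attempt, case_sensitive=False)
    return ok, record


if __name__ == "__main__":
    legacy = make_record("CorrectHorse9", case_sensitive=True)  # constructed sample
    print(verify_and_migrate(legacy, "correcthorse9")[0])       # wrong case, legacy record
    ok, migrated = verify_and_migrate(legacy, "CorrectHorse9")  # exact match migrates
    print(ok, migrated["case_sensitive"])
    print(verify_and_migrate(migrated, "CORRECTHORSE9")[0])     # any case now matches
```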

        • Phantoon says:

          Why on earth would you give blizzard the benefit of the doubt?

          I will list things that they’ve said they’d do, then went back on, if you’d like. It’s a long list.

      • Syra says:

        But Blizzard’s passwords are case sensitive? I used a capitalisation in a WoW account pass for a while iirc.

        • sneetch says:

          They’re not case sensitive (I just checked), you may have had a capital letter in your password, but they don’t care or record that.

      • Faxmachinen says:

        I’m not sure how admitting that you reuse your password helps your argument any.

      • Baines says:

        There is a Battlenet thread about the passwords being case-insensitive.

        A QA responded with a smiley that all Blizzard games use case-insensitive passwords.

        When people understandably complained, the QA said “I’m not going to keep posting on threads if my answer to someone’s bug report is a huge discussion about something that isn’t a bug.”, and the thread was locked.

        link to

        • psyk says:

          That doesn’t matter……the no lock on N failed logins does.

    • Grargh says:

      The 5th most used password is ‘pussy’.

      Still, it’s a bit rash to blame either party for it at this point. Unless you’re a hacker yourself and know how it was done :)

    • D3xter says:

      I guess this writer for The Examiner is just all dumb and stupid and all that, especially since she mentions she is using an authenticator: link to

      “This reporter, after having her own account with authenticator hacked, firmly believes this is a serious security breach on Blizzard’s side, though they either do not want to admit it, or are still unaware of the problem. Many who have had their account on Diablo 3 hacked were logged in at the time of the hack and support staff tells them there was no evidence of their account being hacked. That indicates there is an exploit in the system being taken advantage of.”

      Go ahead and spread Activision Blizzard’s corporate message everywhere! It couldn’t possibly be a company’s fault, the fault always lies with the consumer!

      • pkt-zer0 says:

        So, how can said reporter not cause enough of a ruckus on the Diablo 3 forums for customer support to seriously look into things, if they haven’t already?

        • Nallen says:

          They lock all the threads.

          • Bhazor says:

            The original hack thread was closed at 26 pages due to having “too many posts”. Oh that Blizzard.

          • HothMonster says:

            You mean this one link to ?

            Did they lock that because it was full or because the op was a liar? They have a 150+ page sticky for the issue.

            edit: I just learned that 26 pages is the cap for most threads.

          • Phantoon says:

            Unless they’re running off old forum infrastructure there, popular threads should no longer cap at the 26th page.

        • Gnoupi says:

          They most likely are already looking into this.

          But between saying “be careful with your passwords, use the authenticator” and “we identified a security breach and are working on it”, there is an obvious difference of PR value.

          The latter would be more honest, but at the same time, admitting a fault which was not “proven” publicly.

          Moreover, why would you? You obviously have a large amount of other players ready to insult the ones who got hacked, blaming their choice of password, and such. As proven here too. Admitting that you have a security breach would prevent that line of defense.

          • Phantoon says:

            I maintain those are the same exact people that ravenously defended SWTOR’s faults, then slowly slipped away when no one was paying attention to come back to WOW.

        • dazman76 says:

          Any such ruckus is immediately shouted down by apparently psychic, ultra-secured, uber-sensible gods of the internet world. They know you used a crap password. They know you’re lying about having an authenticator. They know you have a keylogger on your machine and you’re unaware of it. They know you’ve used the same password for B.Net and They know more than Blizzard, the FBI, the CIA and the MIB combined.

          THEY KNOW.

      • teh_boy says:

        There have been confirmed Man In The Middle attacks now, which work even if you have an authenticator. This happens when your PC gets hacked, and someone then uses a trojan to sniff out your Blizz credentials and pretend to be you for the duration of a session. The rest of the attacks have happened the traditional ways – sniffing out the password w/ a keylogger, guessing it b/c someone uses the same email/password everywhere, etc. The reason why a lot of people think this came out of the blue is that they were actually hacked by a long time ago. One or several groups has been collecting a list of compromised accounts, and then they hit them all at once before people could realize what was going on. People are inclined to believe the worst of others rather than accept the fact that they’ve been conned at some point by a random piece of malware. Blizzard can’t keep our PC’s safe for us, though, and it isn’t their responsibility to do so. Frankly, they currently offer a more comprehensive security package than your bank likely does.

        • Toberoth says:

          “Frankly, they currently offer a more comprehensive security package than your bank likely does.”

          What an absurd statement.

          • savagerose says:

            It’s absurd, but it’s also basically true, in the US at least. Here banks don’t use authenticators.

            No idea why this is the case when banks everywhere else provide them.

        • Docslapper says:

          In my old WoW guild, about 10% of our members had been hacked each year. If a bank had the same rate of hacks, they’d be broke.

          Blizz have known they’ve got a security problem with Battle.Net for years, because large numbers of their WoW customers have had their accounts stolen (for whatever reason) for years. Making D3 always-online was a ridiculously stupid decision and they need to pay the price for it.

          Making D3 have a real-money auction house is a potentially suicidal decision. Real money is involved, which means real consumer protection laws and real lawsuits and real punitive fines. This is a class-action suit waiting to happen.

          • HothMonster says:

            Real money has always been involved. People pay real money for wow accounts and then hackers steal all their shit to sell for real money. Blizzard can not protect the end user’s system or account. With the ease of flipping gear and the lack of fucks given by law enforcement WoW is a better, safer, easier target than a bank account.

          • Phantoon says:

            Yes, but now Blizzard is responsible for a fluid economy, which in many places constitutes gambling… though the stock market isn’t considered gambling in many of those same places. How strange.

    • Revisor says:

      Please stop being vulgar, it’s not appreciated.
      Every online service should prevent brute forcing the password by locking out the attacker after several failed attempts.
      My bank does it, Paypal does it, heck, even most forum software does it.

      From the reports it seems that a large part of these account compromises are due to session hijacking.

    • Warskull says:

      Supposedly what happens is that when you join a pub game, people are acquiring a session ID and using that to get on your character without the need for a password or authenticator. They can raid your character while you are still logged onto it.

      When accounts with authenticators are getting hacked, there is a massive security problem. Currently, it looks like you should never join or create a public game.

      • Grygus says:

        This is my understanding of the problem, too. Multiple people have claimed on the forums to be hacked while having authenticators on their accounts, so it is strange to see Blizzard deny that’s the case; I mean, why lie about that?

        One forum poster had a bunch of screenshots up, showing a hacker going through his entire group, dropping their stuff and leaving them naked. He said the exploit was happening within the game itself, not at login. If that’s true, then all this talk of passwords and authenticators is nothing more than distraction. Could be that he staged it and all the other people are lying, of course. Seems unlikely, though.

        • MasterDex says:

          Why tell the truth? If the authenticators don’t do what they say on the tin, what good are they to anyone?

          • Phantoon says:

            Uh, because of the potential PR meltdown?

            They’ve been touting this crap for years- to admit that “oh yeah this entire bullshit system we put in place doesn’t actually work and probably never did” would be akin to sawing both legs off with a plastic butterknife.

        • warsarge says:

          Got a link for this – would love to read that thread.

      • briktal says:

        My main question with that is, why, after so much time, is that still just “supposedly” what happens? I would think that if it was something so simple, the actual step by step instructions for doing this would be widely known, so instead of “I heard it’s this” the threads would have “there’s a link on so-and-so for how to do this and here’s a youtube tutorial.”

      • Phantoon says:

        Don’t create or join a public game?

        So the entire point of the always-online is defunct.

    • Gnoupi says:

      From what it seems, it has more to do with stealing unique session ids, allowing someone to make the server believe they are currently you at this moment.

      Which is why they can’t guarantee security even with the authenticator, as said in their communiqué.

    • Diziet Sma says:

      This, agreed.

    • Milky1985 says:

      The reports of this hack are character based, and based on session id mining of the characters then cleaning them out.

      So not related to the password in any way.

      There’s also the fact that Blizzard themselves say that there’s nothing untoward going on with the characters that are having their stuff disappear, how do we know this?

      Well when people are reporting issues to Blizzard and asking for a rollback they are telling them that there is nothing detected that makes them eligible for a rollback, which means no additional IPs etc connecting. Indicating that possibly the issue is more secure as it’s effectively screwing with the data on Blizzard’s side using session hijacking.

      Also some of these account hacks are only hitting certain characters, and not the highest value characters.

      So maybe it’s not just password based?

      Let’s be honest tho, if you’re going to be a shill use a name that doesn’t look like you have just mashed at the keyboard randomly.

    • Grygus says:

      Maybe you mean that people are lazy idiots who assume they know the nature of problems without looking into them.

    • Mallic says:

      The absolute basic principle of security design is that everyone is an idiot who knows nothing about security design. That’s who you’re making the system to protect. If it doesn’t protect those people, the system is worthless.

    • nickclarkson says:

      I coupled the mobile authenticator with my account on the Sunday before the launch so I could secure my account and register my D3 key. It took an eon to actually get it to login; it kept saying incorrect code. Eventually I got in and added my key. However, after logging back out I could then not log back in with the same issue. I use RSA and Signify tokens all the time, so I am aware of their workings, and I tried many times to log in.
      In the end I had to follow the “I have lost my authenticator” link to get it removed from my account. So, they’re fine if they work, but at least in my experience the mobile one does not.

      • HothMonster says:

        Did you try going into the setting for the auth app and having it refresh? Sometimes the code gets out of sync but I don’t personally know anyone who has had serious issues with the mobile auth. Not to say you didn’t but it might be worth trying again.

  4. MeestaNob says:

    I blame Ford for allowing their customers to cause car crashes.

    • RF says:

      I blame fanboys for letting companies get away with this shit.

    • Gormongous says:

      Nah, it’s more like, “I blame my car company for foregoing door locks in lieu of just an ignition key to deter theft”.

  5. vexytube says:

    The main route the “hackers” get email and password information is via “hacking” websites and pulling username/password information, since most people use the same password over multiple websites.

    Since they intend to use a RMH it’s very important that people don’t get their accounts compromised however… it’s their fault if they do. Do you remember when the price a compromised WoW account was worth more than credit card numbers…

    TL:DR, People type the same user/email/password information anywhere and everywhere. go figure…

    • RvLeshrac says:

      So the solution is to give Blizzard even more money? Fuck that. Fuck Blizzard. Fuck you.

      Steam seems to have a lock on account security without requiring you to purchase a physical security device (which have, repeatedly, been hacked).

      • Revisor says:

        Please don’t be vulgar to others even if, or especially if you disagree.
        I know this is an emotional topic but let’s stay cool.

        It’s true that a 2-factor authentication doesn’t need a special box, actually an SMS is enough. Look at how Google has solved it.

        • Nallen says:

          I’m with him and his vulgarity. The ‘hey you could just, you know, buy an authenticator’ retort is a crock of shit.

          • Sidion says:


            Steam has it done right. If I log in from any other PC I need to verify it through another method to get onto my account.

            Even though the rumor is this is some sort of other exploit… Any argument stating you should have used an authenticator deserves vulgar responses.

          • Moraven says:

            WoW has Steam Guard like security.

            Have not tested it with D3 yet.

          • HothMonster says:

            People get their steam accounts hacked too. If they did and don’t have steam guard activated would you say that they really should have had that extra security feature enabled? It’s silly to call the people who got hacked stupid. They are victims of a crime and even smart, internet savvy people can get infected. But it’s not stupid to recommend they get an extra layer of security which has, barring any truth to the current forum rumors, so far been 100% effective at protecting accounts.

            Steam accounts are not really as good of a target as accounts. If your account gets stolen they will not get to offload your games through a string of dummy accounts and keep them. They will not be able to buy anything with your attached credit card that can not be easily taken away and they will be committing credit card fraud if they do. Unfortunately for blizzard users their accounts are valuable and law enforcement gives zero fucks about people who steal your digital items. Blame the community for providing thieves with revenue, if people didn’t buy stolen gold no one would be stealing gold.

          • po says:

            See also Rift.

            The game has a coin lock, so that not only when you change IP, /but when you change hardware/ (happened to me when I used another computer behind the same external NAT IP), your account is locked so that no item on the characters can be sold or destroyed (not even grey quality vendor trash), and the characters can’t be deleted either.

            They send a code to your email to unlock, and also prevent you from changing the email address tied to the account until you’ve removed the coin lock.

      • P7uen says:

        Now, now. I agree with you but let’s be grown ups.

  6. csuzw says:

    More lazy Diablo 3/Blizzard journalism here. I love RPS but stop with this shit. Yeah we get it, you hate the always online thing but there is nothing to see here. As gschmidl says it’s people being idiots. There are no confirmed reports of people being hacked with authenticators either, every instance I’ve heard of so far has been debunked. Blizzard have got things wrong with Diablo 3 and I’m not a huge fan of the always online stuff either (I think it’s inevitable but too early) but this hacking thing is blown out of proportion and isn’t actually hacking anyway.

    • Revisor says:

      Please don’t be vulgar, it’s not appreciated.

      There is at least one newspaper journalist having no stakes in this and claiming she uses the authenticator and her account has been kidnapped. It sounds like session hijacking.

    • Dinger says:

      Here’s the deal:
      If it is people “being idiots”, then it’s like when a pirated version of a DRM-laden game circulates, and said version is broken in fundamental ways. The developer gets a lot of bad press due to questionable acts by the players, but all of that bad press is deserved. Managing the popular reception of their game is part of their job. And it’s just as stupid an idea to blame people for being idiots as it is to accuse all buggy game experiences of being due to piracy: all it takes is to accuse one legitimate customer of being a pirate, or one non-idiot of being one, and the whole company looks like a bunch of head-in-the-sand morons, quick to blame the players for their own incompetence.

      So they can yell up and down it’s the user’s fault. It’s the user’s fault they used a weak password. It’s the user’s fault they didn’t buy an authenticator. It’s the user’s fault they didn’t buy a smart phone on which to run the authenticator. It’s the user’s fault the developers weren’t ready for, what they assure us, is an historical fact: every new release features new account thefts. It’s the user’s fault for buying a game that accepted weak passwords, multiple login attempts and a blame-the-user policy towards customer support.

      Of course, if it is the case that there’s something broken with the code — and let’s face it, brute-force hacking is an inelegant way to get a password — and sessions are being hijacked, well, who’s the idiot then? Blizzard and the goose-stepping army that so quickly calls a password1 idiot anyone who questions the party line.

      Bottom line: in a developing situation, never even imply that users are at fault.
      Never give your money to anyone who addresses problems this way: these are signs of a systemic failure of the social/corporate-cultural sort. Eventually the product itself gets torpedoed as everyone tries to cover their collective behinds.

    • nibbling_totoros says:

      What do you mean it “isn’t actual hacking anyways”? People can get into a B.Net account by brute force, no account lock out after a certain number of failed login attempts.

    • Lemming says:

      They are reporting the news you fool. It’s a game news blog. Just because you want to be part of the smokescreen with your murloc plushy and your 12 inch Thrall toy doesn’t mean this stuff isn’t warranted.

    • Malibu Stacey says:

      Hmm another random-keyboard-mash username defending Blizzard.

      I think I’m starting to see a pattern here…

      • Phantoon says:

        It’s good that you’ve noticed, because what you’re seeing could easily be the case. Both EA and Activision have shown time and time again they have no qualms about playing underhanded. If you’d like, I could dredge up some interesting bits from EA doing it, though I don’t know anyone from Blizzard has admitted to such things, even anonymously.

        • psyk says:

          LMAO like you spreading speculation as truth? You need to go outside, take a breath and go get a life.

          ““Oh, and unless you’ve lurked here for years, Bhazor and I have been here for longer than you have, so we do have seniority (as much as I hate agreeing with a pony).”” – Phantoon

  7. T4u3rs says:


    – Ongoing discussion about D3 login security problems:

    link to

    – Blog post updated with information from this thread:

    link to

    • RF says:

      Gotta love how the post about security issues gets reported by fanboys.

      • T4u3rs says:


        • RF says:

          Have a look at the thread. It’s been reported.

          • Rilgon says:

            The biohazard symbol shows up for ANY reports, including those to flag the topic for stickying or to notify Blizzard of something devs should be aware of. It’s kinda silly, but.

          • Phantoon says:

            Are you saying that you don’t believe it hasn’t been reported for deletion by a fanboy?

    • Toberoth says:

      That’s a really interesting bnet thread, thanks for sharing.

  8. Kamikaze-X says:

    I, as well as my partner, get constant spam email about our non existent accounts being accessed. Clearly phishing emails, and I bet at least a significant amount of those supposedly hacked happily clicked away on the malicious link.

  9. Rilgon says:

    People’s willingness to believe what Blizzard says at face value is baffling. Does no one remember, for example, the 4.3 PTR where Blizzard said Hunters were “just fine” and, surprise surprise, they weren’t just like all the notable theorycrafters said? It’s getting to the point where a blue post has barely any more credibility than the white posts that surround it, maybe even less.

    Contrast this with Trion Worlds who, when they had a similar breach, actually owned up to the issue and had it fixed within a day or so AND implemented the Coin Lock system which pretty much prevents any destructive mechanic from being possible until released.

    • RF says:

      Trion pretty much admitted they were baffled, actually. It took some guy to come along and show them how the compromises were happening for them to fix it.

      But, yeah, Trion is one of the best MMO companies out there, bar none.

      • Rilgon says:

        Yes, but more what I’m getting at is they basically admitted “look, there was a hole, we fucked up.” Blizzard admitting that they made a mistake somewhere would be my first sign to look outside for the Horsemen of the Apocalypse.

      • SiHy_ says:

        There’s no shame in admitting you are baffled, as long as you take onboard what people are willing to tell you. That’s simply common sense. I wish governments operated this way.

  10. LMN8R says:

    RPS, I love you guys, but your cynical hyperbole is starting to get a bit much.

    Stop conflating cheaters with hackers. Accounts are getting hacked through the same methods that online accounts of popular services are always getting hacked.

    That is a completely different happening from cheats, which are not happening. There might be certain exploits Blizzard overlooked, but no one is cheating. At least, not yet.

    The always-on restriction was designed to prevent cheating. It is. No amount of online protection by the best in the business can avoid all account hack takeovers, however.

    • RF says:

      Always-on doesn’t prevent cheating. Most of the exploit sites I browse have found a shit tonne of ways to exploit the game for superfast items / gold.

      So, yeah.

      • LMN8R says:

        Again, those are exploits. Not cheats. Diablo II was stricken with cheaters who were using outside applications to directly manipulate the game in ways that the game’s code cannot.

        That is not happening with Diablo 3. In Diablo 3, people are exploiting things that are actually in the game, and therefore can be fixed.

        Cheats, hacks, and exploits are three completely different things, and they should not be conflated or confused as the same thing, or else it completely muddles the entire conversation about the issues. When the conversation gets muddled, the Internet turns into a hellhole of uninformed rage that literally accomplishes nothing.

        • jrodman says:

          LMN8R, I appreciate the distinction you’re drawing here, but your vocabulary is against the norm.

          Traditionally an exploit is a scenario where you find a flaw in the programming of the game script or game engine to do something unintended, while a cheat is a scenario where you find a way to take actions that are not in the spirit or letter of the game rules. These are overlapping sets of course.

          However your claim that “exploits” don’t attack the game code is .. well.. jarring at best. Pretty much all successful security attacks on program integrity are categorized as exploits.

          • LMN8R says:

            I’m simply commenting on what RPS is suggesting – that people are cheating in the game in a way that the always-online requirement was designed to prevent.

            The always-online requirement was created to prevent people from creating their own code from the local implementation and apply it to the online implementation. No one has created external code that modifies the game in this way. Bugs are inevitable for any piece of software, and right now the only thing happening is people exploiting simple bugs that would exist regardless of the online requirement.

        • D3xter says:

          You people are laughable, there were already Diablo III Maphacks and Bots available during the Beta.
          One for instance is called “D3Advanced”, Google it.
          There’s even Speedhacks or Tools that will let people instantly leave the game etc.

          I’m not even playing the game and I came across this stuff…

          And yet again: link to

          “This reporter, after having her own account with authenticator hacked, firmly believes this is a serious security breach on Blizzard’s side, though they either do not want to admit it, or are still unaware of the problem. Many who have had their account on Diablo 3 hacked were logged in at the time of the hack and support staff tells them there was no evidence of their account being hacked. That indicates there is an exploit in the system being taken advantage of.”

          Apparently Blizzard’s word counts a lot more than everyone else’s to you blind fanboys…

        • RF says:

          > Looks at the exploits site.
          > Sees hacks.
          > Maphacks.
          > Speedhacks.
          > Memory editing.
          > Server emulators.

          Yeah, clearly 2.0 solved everything.

          EDIT: Oh, and this is all in the non-premium section. The premium sections generally have the good stuff.

    • RvLeshrac says:

      That’s interesting, Steam accounts appear to be nearly unhackable, without paying additional money for a physical security device.

      Considering the large number of F2P MMOs which are now linked to Steam accounts, they should be rather valuable. Hacking into a single Steam account might be worth a dozen individual game accounts.

      • jrodman says:

        Well, the appearance of SteamGuard suggests that they were having at least some pain here. But it certainly doesn’t seem as prevalent as in WoW, where almost half the longterm players I knew got hacked at some point.

        • RvLeshrac says:

          The point is that Valve solved this problem, but Blizzard doesn’t want to spend any money implementing any real security.

          • Gnoupi says:

            They did, obviously, with their RSA authenticator. So you can’t blame them for not putting the means to protect an account.

            But I’m not sure this issue was only with the actual fact of stealing a password. It would be more about stealing the current session id, and making the server believe you are the same already logged user.

        • LMN8R says:

          Account takeovers happen very frequently on Steam. Especially before SteamGuard was implemented.

          And here, Blizzard has stated that no one using an Authenticator has been hacked – equivalent implementation to SteamGuard.

          • Delusibeta says:

            The problem is that there are indeed reports of people getting hacked despite their accounts using Authenticators. Blizzard is talking absolute garbage here: there is a pretty damn major exploit here that allows people to (temporarily) jack accounts. Blizzard should not even think about opening the real money auction house before they fix it, otherwise they are going to be sued before you can say “charge”.

          • RF says:

            Equivalent to Steamguard except you have to pay for it.

      • MartinX says:

        Yeah, Steam’s unhackable … except for that one teeny tiny little time last year when hackers broke into Steam and stole the information of 35 million users, and maybe their credit card info, though they don’t think so. Probably.

        Other than that, bulletproof.

        I am willing to bet the farm that most, if not all, of the people hacked fall into one (or more) of these groups:

        1: Fell for a WoW/D3/SC2 beta access/”your account has been banned” click this link, phishing scam in the last couple of years.

        2: Uses the same email and password for Battlenet that they used on another site, service or game where the user information was compromised by hackers, and then didn’t change it, eg, Gawker(kotaku), PSN, Steam, Rock Paper Shotgun (this very site), Rift, Cryptic (startrek online) etc

        3: Have a keylogger (or had one at some point, or logged in at a pc that had one at work or school or an internet cafe to check the wow forums/armory etc). Because everyone we know definitely always has all their OS, Browser, Plugins, flash, AV etc, up to date and never visit dodgy websites.

        • nibbling_totoros says:

          At least you can’t brute force your way into an account through Steam; B.Net accounts are laughably easy to gain access to. They don’t even lock your login attempts after a specific number of failed logins.

        • Malibu Stacey says:

          Yeah, Steam’s unhackable … except for that one teeny tiny little time last year when hackers broke into Steam and stole the information of 35 million users, and maybe their credit card info, though they don’t think so. Probably.

          Yeah the Steampowered User Forums and Steam accounts are one and the same thing.

          What’s that skippy, they’re not connected at all & you have to register separately on the forums even if you have a Steam account? Well blow me…

      • Moraven says:

        WoW uses Steam Guard like security.

        No idea on D3.

        Also a free authenticator for smartphones. $6.50 free shipping is not that much. Doubt they make

    • Revisor says:

      Well technically is it not cheating if you can raid other people’s accounts and steal their money and equipment?

    • elfbarf says:

      I’ve noticed that quite a few of these anti-Diablo 3 articles have been pretty poorly written, they’re quickly approaching Kotaku levels of “journalism”.

      • Phantoon says:

        Funny. Wasn’t Kotaku ravenously defending all the game’s faults?

        Really, you’re just witnessing a trend, here. As people get more and more mad, the tone of their arguments shifts to become less comprehensible because they’re not being listened to in the first place. It’s easier to go louder than eloquent when the twenty minutes you spent on your detailed mini-essay was rebutted with “BLIZZARD IS PERFECT, FAG! GET AN AUTHENTICATOR LOL!” and yes this is a strawman, in a way, by virtue of hyperbole, but the base idea is the same. Fanboys defend without thought, the dichotomy of the argument gets more severe because the defenders are unwilling to think about any negative aspect of the thing.

        To further extrapolate, it’s likely that people that do so are suffering from both defense of cognitive dissonance and escalation of commitment. Clearly, the game cannot be bad, as they’ve sunk so much time into it! So ten more hours wouldn’t hurt. That’s the escalation of commitment- as they put more time in, they must have been having fun, right? Right? It’s possible to play a game and not actually be enjoying it, as bizarre as that sounds. I noticed myself doing it several times in WoW before I quit- I hadn’t thought about how I was just jumping around the same city for a few hours each night, doing nothing.

        And cognitive dissonance comes in (or doesn’t, in their case) when you think about the situation itself. As the fanboys refuse to think on any of the faults therein, they make a mental wall where all faults are false and the game is stellar because otherwise they wouldn’t have put in that time- this makes them elevate the value of the game even further as they delude themselves. Look at any other hobby people can spend too much time on. The principles are the same.

        In closing, fuck this mediocre game, fuck the security breaches, and god bless captain america.

        • Wildcard says:

          That was a beautiful summation and the last line brought a tear to my eye. You are a wordsmith. That’s all I have to say.

  11. RockyMM says:

    Blizz should implement something Steam did, an extra password that appears in an email sent to the user when using the game on a different computer.

    • Gormongous says:

      Several people who got hacked are saying that Blizzard has no log of any sign-in but themselves. It doesn’t look like a client-side problem from almost all the testimonies I’ve been reading.

      • jrodman says:

        Clarifying that it is likely to be a protocol takeover or a server side hack seems good, but the sanity check mails seem like a good step as well.

        Personally the only attack I’ve gotten in recent years was someone gaining access to my IMAP server in a read-only capacity, which meant that all the confirmation mails in the world only helped the attacker.

        Luckily I figured that one out before the damage got too great and remedied the problem by taking over administration of the mailserver.

    • Avish says:

      In Gmail you can watch account activity and it warns you if something looks out of the ordinary.
      It’s not as good as Steam’s solution, but it’s still better than Blizzard’s.

      Anyway. You can’t blame Diablo players for not knowing enough about computer security, but you can blame Blizzard for not doing all they could to avoid hacking and phishing.

      • yougurt87 says:

        Actually Gmail/Google have far better security than Steam. You can, if you choose, turn on 2 step authentication, which will text you the second code whenever you try to log in. And for things like your phone or other Google related things that you need to log in with, it actually creates a 1 time use password (in the sense where you can use it on only 1 device) that it permanently stores, and once registered can’t be used again.

        • Wisq says:

          And the most impressive thing is, sending text messages costs money. Yet Google does it for free anyway. Why? Because better security = happier customer and lower support costs. A higher overall quality of service while also saving them money.

          Blizzard won’t even absorb the cost of distributing a mobile app to customers; the only free ones are the ones they don’t have to pay to distribute. They insist on passing the cost to the customers, even though it’s a tiny one-time cost and then a perpetual savings and better customer experience after that. For shame, Kotick.

    • Moraven says:

      If I login to WoW from a different city, it requires me to reset my password and to click like 2-3 email links.

      Will test this with D3 later.

  12. pkt-zer0 says:

    So, Blizzard’s fault or not, something needs to be done.

    That is why you will need an authenticator to access the RMAH.

    • nibbling_totoros says:

      So basically, give Blizzard more money

      • pkt-zer0 says:

        Supposedly they lose money on physical authenticators, and the mobile one is free anyway.

        • FCA says:

          Supposedly, that is patently false:
          link to

          • briktal says:

            Is that blog saying Blizzard is making a profit selling them for $6.50 with free shipping by producing a document from the manufacturer saying that they sell the tokens for a little over $6? Now obviously the company making them is making money off them, but the article talks about the parts cost of the tokens and that has very little to do with how much money Blizzard makes or doesn’t make off them.

  13. Eamo says:

    I’m not sure what the story is here, people get hacked, Blizzard state that they have yet to find a single case of the account theft being an in game issue as opposed to a user getting their password stolen. Exactly what do you expect Blizzard to do about this? Manually secure every single gamer’s PC for them? Require that everyone have antivirus and internet security software installed before they let you install the game?

    We get it RPS, you don’t like the always online thing but do you really need to turn every single post into an excuse to complain about it?

    • Delusibeta says:

      Evidently you haven’t read through the thread. There are reports of accounts being jacked despite the use of the Authenticator.

      • Zihua says:

        And those reports are false. Example: link to

        • Milky1985 says:

          Yes because 1 report was false they all are………..

          • reggiep says:

            The incentive to lie about having an attached authenticator is high when reporting account compromise. I’m not saying Blizzard is in the right, but every report of account hack on the internet should be approached with skepticism.

            If Blizzard has the proper logging in place, it would not be very difficult to determine when a session was jacked — just look at when the IP changed. If session jacking was possible, the RMAH wouldn’t be going live in less than a week. Common sense suggests that account compromises are from weak or shared passwords. Blizzard is certainly not free from fault here — case insensitive passwords and unlimited login attempts and all… that’s pretty bad security.
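The check reggiep describes (look for the moment a session's IP changes), as an added example that is not code from the thread or from Blizzard. The log format, field names and sample lines are constructed for illustration; the /24 and /64 "same network" cut-offs are an assumption used to separate ordinary address churn from a jump to an unrelated network.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format): time, session id, account, source IP, event.
SAMPLE_LOG = """\
2012-05-22T18:00:03Z sess=a1f3 acct=alice@example.com ip=198.51.100.7 event=login
2012-05-22T18:04:10Z sess=a1f3 acct=alice@example.com ip=198.51.100.7 event=join_game
2012-05-22T18:05:41Z sess=b7c9 acct=bob@example.com ip=203.0.113.20 event=login
2012-05-22T18:19:55Z sess=a1f3 acct=alice@example.com ip=192.0.2.44 event=trade
2012-05-22T18:20:02Z sess=b7c9 acct=bob@example.com ip=203.0.113.87 event=join_game
2012-05-22T18:21:30Z sess=a1f3 acct=alice@example.com ip=192.0.2.44 event=drop_item
this line is truncated sess=zzzz
2012-05-22T18:30:00Z sess=c2d4 acct=carol@example.com ip=2001:db8::10 event=login
2012-05-22T18:31:00Z sess=c2d4 acct=carol@example.com ip=2001:db8::10 event=logout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) acct=(?P<acct>\S+) "
    r"ip=(?P<ip>\S+) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Return a record dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return {"ts": ts, "sess": m["sess"], "acct": m["acct"],
            "ip": ip, "event": m["event"]}


def same_network(a, b):
    """True if both addresses share a /24 (IPv4) or /64 (IPv6)."""
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 64
    return b in ipaddress.ip_network(f"{a}/{prefix}", strict=False)


def find_ip_changes(log_text):
    """Return (findings, skipped): IP changes inside a session, and bad-line count."""
    sessions = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # count unparseable lines instead of hiding them
            continue
        sessions[rec["sess"]].append(rec)

    findings = []
    for sess, recs in sessions.items():
        recs.sort(key=lambda r: r["ts"])   # logs may arrive out of order
        for prev, cur in zip(recs, recs[1:]):
            if cur["ip"] == prev["ip"]:
                continue
            findings.append({
                "sess": sess,
                "acct": cur["acct"],
                "at": cur["ts"],
                "old_ip": prev["ip"],
                "new_ip": cur["ip"],
                "event": cur["event"],     # first action seen from the new address
                "severity": "low" if same_network(prev["ip"], cur["ip"]) else "high",
            })
    findings.sort(key=lambda f: f["at"])
    return findings, skipped


if __name__ == "__main__":
    found, bad = find_ip_changes(SAMPLE_LOG)
    for f in found:
        print(f"{f['at']:%H:%M:%S} {f['severity']:<4} {f['acct']} sess={f['sess']} "
              f"{f['old_ip']} -> {f['new_ip']} first event: {f['event']}")
    print(f"unparseable lines: {bad}")
```

A changed address is a lead for review rather than proof, since mobile networks and VPNs also move a live session between addresses. A login with a stolen password starts a fresh session, so this check is silent on the password-theft cases the thread argues over.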

        • Phantoon says:

          Let’s switch your strawman- what if only ONE report is false? Does that not constitute a massive breach of security?

    • Mungrul says:

      Actually, I think sites that don’t complain about the sorry state of Diablo 3 and the erosion of consumer rights it represents are the offending ones here. RPS should keep making a noise, very loudly, for as long as it takes Blizzard to acknowledge that they’ve made a mistake. I’m also glad to see that people like RF are exercising their consumer rights and demanding a refund.

      Just because you’ve had minimal to no problems doesn’t make this right.

      Just because the game is good doesn’t make this right.

      If you sign away your rights to something as trivial as a game, what other rights are you going to sign away because you believe it’s for your own good?
      Should we all have sub-dermal chips implanted to make identity verification easier? It’s for the sake of convenience after all. Not that such a system could EVER be hacked.

      Wake up and stop consuming everything thrust down your gullet by corporations that exist purely for one reason: to strip you of your cash. Your apathy results in decreased quality of life for everyone.

      • Eamo says:

        Shouldn’t RPS be reviewing the game that Blizzard made instead of constantly moaning that they wanted Blizzard to make a different game?

        Being able to play a computer however you want is not a right. Exactly which of your human rights are Blizzard violating here? Not being able to play your games offline is not a human rights violation and it is silly to think it is. I think of Walt in Big Lebowski yelling about his buddies dying face down in the muck in ‘nam over a cup of coffee.

        This is a game, marketed as such, that made very very clear that an internet connection was required at all times to play. Yes they could have made an offline version but there are very legitimate reasons to make it multiplayer only. The single, biggest, most common criticism of Diablo 2 was the amount of hacking and duping that went online. It is silly to argue that making these hacks was not made a lot easier by having an offline mode to develop and test them in.

        The typical anti-piracy argument for DRM also fails in this case, this isn’t a case of where the always online mode hurts the legitimate customers and doesn’t affect the pirates because they play a cracked version. In this case there is no piracy, it is stopped completely and the cost to legitimate customers? Well it is none if they read the box and knew that this was an online group based dungeon crawler.

        This constant crying “but I wanted a different game, but I wanted a different game” is just silly. If a company wants to make a multiplayer game shouldn’t they be entitled to?

        I get it, they wanted a single player game, I get it, they are not happy about the launch issues that are happening (though to be fair other than the server downtime I have yet to suffer a single disconnect or lag spike despite playing on an age old laptop), what I can’t stand is the constant whining, the smug satisfaction they seem to be taking in these difficulties, it just seems rather petty and childish, they didn’t get what they wanted and they are glad that the other kids are unhappy too.

        So I have cancelled a subscription over this issue, my $2 a month RPS subscription. I might also point out that the last subscriber email they actually sent out was now 6 months ago, the irony of ignoring their own subscribers for 6 months while lambasting Blizzard for minor outages on a just launched game is lost on them.

        • Emeraude says:

          Being able to play a computer however you want is not a right.

          Rights are the end product of a negotiation between several parties. Were it to happen that this indeed isn’t a right under current law, enough of us seem to think that it should be, and thus that rights need to be renegotiated.

          That’s what we have legislative bodies for, you’ll tell me, but voicing your opinion long and hard enough for it to have impact is all part of the political process.

          • Eamo says:

            No, rights are basic and fundamental. The end product of a negotiation is a contract. If you don’t like the contract Blizzard are offering you then by all means don’t take it but it is disingenuous to claim it is a rights issue.

      • lordfrikk says:

        If you sign away your rights to something as trivial as a game, what other rights are you going to sign away because you believe it’s for your own good?

        So people shouldn’t be held accountable for stupid decisions? If you didn’t inform yourself before buying, signing or anything else in life, really, you are the only person to blame. Sure they are dicks for goading you into it but ultimately it’s your decision.

    • FCA says:

      No no, their exact words were (emphasis mine):
      “While the authenticator isn’t a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.”
      I don’t know at which rate they are investigating the hacks, but given the reports a lot of obvious security measures were not taken by Blizzard (like Steam guard like account protection, upper/lower case account, extra security when logging in from a different location, lockout after x number of attempts, all things I’ve seen when using Steam, Facebook, Gmail, etc..), I wouldn’t want to bet on Blizzard in this case.

      • Phantoon says:

        Always bet on Duke.

        Oh and that corporations will lie whenever it suits them, because they’re out to make money. People need to stop thinking that following the capitalist ways of greed doesn’t make you evil- that’s the entire point. Not in a Captain Planet way of “we’re going to do monumentally stupid things that waste thousands or millions of dollars because we hate earth” but “we’re gonna dump this here because it’s cheap and no one will find out”.

  14. rokmek says:

    I didn’t buy Diablo 3, especially because I like single player games more and I just can’t endorse the use of always-on DRM, no matter what “security” reasons you may have. But I just can’t believe that gamers stand this, I mean paying $60 for a game that you can’t play but when you do get a chance to play it, you risk being hacked, losing all your hard earned stuff and then being blamed for being stupid or not having spent an additional $6.5 on an authenticator.

    • Zarunil says:

      It’s been a simply terrible release for a lot of players. Lag, disconnects, unable to login etc. Terribad.

  15. Neurotic says:

    When does my Torchlight II unlock? ;p

  16. Grimgrin says:

    The Diablo 3 hate has been pretty thick on the internet as of late. The negative press is somewhat sad, and the amount of people who feel they should do more than just not buy the game is a bit surprising even by Net standards. It’s somewhat disheartening seeing how I’ve been having a great time with it and the new skill system and playing with my friends

    • Delusibeta says:

      Simple: no-one wants other companies to think that we would accept always-on DRM. It won’t take much for Ubisoft and EA to double down on their always-on DRM schemes, and I fear that the success this game has generated will be taken as an excuse to enforce this bullshit on other games. Add in the fact that I expect a Call of Duty game in the near future to use (because why use someone else’s matchmaking when you have a matchmaking service that is relatively well liked in-house?) and that’s three of the big four publishers using always-on DRM.

    • Emeraude says:

      The negative press is depressing, I agree, but totally warranted, I’d argue.

  17. Belsameth says:


    This article is as biased as Blizzard’s PR department is. Shame on you RPS.

    You’re not liking D3 due to the online requirement, I get that, but your coverage does seem to start smelling of an Anti Blizzard PR campaign…

    • RF says:


      • Belsameth says:

        Oh please, grow up. I’m not defending Blizzard anywhere.

        I’ll quote an important part for you, maybe you should ask somebody with comprehensive reading skills to help you understand…

        “as biased as blizzards PR department is”

        • nibbling_totoros says:

          Exactly what would you have liked them to say on the matter? It is far better to be critical than to be overly naive.

          • beekay says:

            Er, it’s totally obvious that he’d prefer them to be neither overly critical nor naive. I’m not sure why you’d pretend it has to be one of the two.

            That said, I’m quite happy for RPS to keep bringing it up, both because it’s a huge problem and their coverage actually isn’t out of proportion, and also because it seems to be a slow news week.

          • Phantoon says:

            My sarcasm meter is at the limit.

            Do you WANT them to just report “there have been possible account hacks, look at that.” While that’s technically journalism, that’s not what we’re used to. If we wanted news without story, we could just read the Associated Press. But people don’t do that- they want someone to tell them what’s going on and why they should care. The simplest reason being because there is a lot of news out there, and normal people that have other jobs don’t have time to be journalists, because THAT IS A FULL TIME JOB.

            So how dare RPS put a “spin” on an article that they wrote, thoughtfully. Your omission of preference comes across like you’re implying all news sources are like The Daily Mail- am I wrong?

    • mihor_fego says:

      I suppose you complained about RPS campaigning against Ubisoft as well, right? Cause I’m pretty sure the articles concerning their games with always-on DRM (less restrictive than Blizzard’s no doubt) are more than those on Diablo 3.

      Also, why shouldn’t people campaign against something they feel is wrong?

      • Phantoon says:

        Because corporations are just out to make money it’s not bad at all no with how they’ll shaft you if it gets them money or is convenient and how they only have PR as damage control, because it’s a soulless money making corporation that does not care about the games it makes because it wants your money.

        Wait, I did that wrong. Lemme try again.


        Wait. No, that’s not right either.


        Theeeeere we go.

    • Milky1985 says:

      God forbid people in the media take up a massive company for the anti consumer practices.

      Sorry but I hope to see MORE stories from the media about how Blizzard are screwing it up, because it will make them think twice about pulling this sort of crap instead.

      Not all of us like to get shafted while we play a game, most of us just want to sit comfortably.

      • Belsameth says:

        The problem is there’s no real evidence Blizzard screwed up.
        Yeah, there’s people on forums saying they’ve been “hacked” while using an authenticator. So far I’ve not seen any claims of that nature that can actually be verified tho, curiously.
        Even that Eurogamer journalist didn’t have one until *after* the fact.

        While I don’t disagree that something has to be done (and the authenticator, you know, free for every halfway modern phone. Free SMS alerts, warnings all over the place about password security…), just throwing mud at blizzard isn’t actually doing anything.

        If you want to complain about the DRM, make 3 posts a day about how evil the D3 DRM is (which it is). That’s a whole lot more constructive than actively looking for reasons to start a mudslinging contest with very biased articles only supported by vague forum claims.

        The sad fact also is, not just with Bliz, that a very large part of all “hacking” incidents are actually user errors: recycling passwords, bad/no virus protection (or simply trusting the fact that, because you have AVG/Avast/Norton/whatever, you’re 100% safe) or responding to phishing mails.

        • sneetch says:

          “Yeah, there’s people on forums saying they’ve been “hacked” while using an authenticator. So far I’ve not seen any claims of that nature that can actually be verified tho, curiously.”

          I’m equally curious, how would you verify it? I mean, anyone who says they have an authenticator and have been hacked is basically being dismissed as a liar and the only people who actually know are Blizzard so how could people verify it to your (and the rest of the internet’s) satisfaction?

          There’s also no real evidence that the unidentified people who were hacked screwed up, the assumption is that they did and assuming that is surely as bad as assuming Blizzard did?

          (Oh, I don’t have a dog in this fight but I don’t see this article as particularly biased).

        • rocketman71 says:


          link to

          And many more. I doubt everybody saying they were hacked while using an authenticator are lying. In fact, I doubt the majority of them are lying.

          But hey, keep complaining because it’s obviously wrong for a gaming site to take to task a huge corporation who added unacceptable DRM in the name of security, only for it to be hacked in a fucking week.

        • Phantoon says:

          I’m going to play your game, because it’s the only way to drive you off- do they give benefits for this job?

          Anyways, what if all but ONE are wrong? What if that one IS the victim of a security breach? What then?

    • nibbling_totoros says:

      RPS has been consistent in their message. I respect them for that.

    • Lord of the Fungi says:

      Yes, how can they write that people are reporting problems, when Blizzard clearly states that all is fine. SUCH BIAS!

    • Emeraude says:

      Why should RPS be “unbiased” ? More to the point, why is it so many people seem to equate unbiased with neutral ?

      They are part of the game-playing audience, and addressing their articles to the very same audience. I think it’s only fair they’d voice the concerns and wants of the community.

  18. RDG says:

    Good thing I’ve uninstalled Diablo 3. Got to level 43 and just got too bored doing the same shit again and again. Normal is _way_ too easy. Nightmare is where the fun somewhat starts, but that’s already too late. You’ve breezed through everything already and seeing the lack of real randomization you recognise everything from the previous playthrough. Blizzard should’ve gone the Torchlight way of allowing people to start on any difficulty.

  19. AmateurScience says:

    I really can’t wait for this sorry episode to be behind us. With this and all the ME3 arguments this has been a really negative start to the year in gaming for me. Everyone seems so angry (justifiably in some cases, but I no longer wish to talk about it), I just hope we can move on and find some stuff to really get behind collectively as a community again.

    • kud13 says:

      How on Earth is this a bad year for gaming?

      we’ve had the Kickstarter wave, the Witcher 2 Enhanced Edition (for free), the announcement of a “proper” X-COM, now we have DayZ, Legend of Grimrock…..

      Yeah, it’s been pretty off-putting for major publishers, but gaming as a whole is booming because of it!

  20. Milky1985 says:

    link to

    Interesting reading, as people possibly in the know are reporting a leak of the email list (one of them is an MVP who mentions being under a Blizzard NDA, which I assume means related to Blizzard somehow).

    You know how even when you only use your account for Blizzard stuff and you get spam emails about Blizzard stuff, this could be how :P

    Be interesting if it is true, as Blizzard have to own up to it under US law.

    • Llewyn says:

      You know how even when you only use your account for blizzard stuff and you get spam emails about blizzard stuff

      No? I’ve used a dedicated email address for my account since WoW accounts could first be merged with them and I’ve never received a single mail to it that wasn’t genuinely from Blizzard. However I have seen some pretty shocking examples of incompetence from them at times.

      In fact, I’ve also never received any junkmail to my PSN addresses, my Kotaku address or my RPS address, despite all of those officially having suffered losses of data. But I have had to change my EA and Atari addresses, although EA insisted there had been no compromises of databases relevant to me and Atari deny having sold my address (both lies).

      • Milky1985 says:

        I like how you partially quoted the line and ignored the “this could be how :P ” bit, note the “could” :p

        But yeah I agree that this sort of thing happens all the time, when I got a new phone I was told that my number is not put on a database. I specifically asked if it was put on a marketing database and they said no.

        Next day a call from someone claiming to be from O2, actually a dodgy marketing company, when asked how they got the number “oh it’s on a list of newly registered numbers”.

        This sort of crap happens all the time :(

    • Faxmachinen says:

      As I understood it, someone discovered a way to repeatedly check if email addresses have already been registered. This allows one to compile a list of email addresses by brute force or by dictionary attack. I think it’s a fairly common mistake, but Blizzard should know better.

  21. Vayl says:

    Adding to the RPS crusade against Obsidian now it’s the RPS crusade against Blizzard, it’s getting silly, you don’t like the game, awesome. This coverage however is getting silly.

    • sneetch says:

      News coverage of major issues that gamers are having with a major game release isn’t a crusade, you know.

    • JackShandy says:

      It’s silly to ask RPS not to blog about a game as big as Diablo 3, and it’s silly to ask them not to be honest about their opinions on it.

    • LionsPhil says:

      It’s more of a Nathan Grayson crusade.

  22. Gnarf says:

    “Because the universe loves comedic irony, Diablo III’s online infrastructure specifically put in place to keep out cheaters and hackers is currently being besieged by cheaters and hackers.”

    Ironic in the same way that it is ironic when armored cars are robbed even though their armor was specifically put in place to keep out robbers?

    • Emeraude says:

      If the armor happens to be the very reason and/or means for the theft, then yes.

    • diamondmx says:

      Ironic in the way that an armoured car, specifically designed to keep robbers out, gets robbed because they forgot to actually lock the door.
      Which may or may not be irony. It’s so hard to work these things out.

    • Salt says:

      If the armoured car was robbed using a means that is only possible because of its armour. Maybe some dastardly fiends trapped it in quicksand which it was too heavy to escape from.

      If Diablo III was a traditional single-player game, a character’s state would be saved to your local machine and so be relatively safe. Only because of the always online nature of the game is it possible to log in and find your character gutted.

      • Phantoon says:

        No! It’s more like if they used a giant magnet.

      • Gnarf says:

        “If Diablo III was a traditional single-player game, a character’s state would be saved to your local machine and so be relatively safe. Only because of the always online nature of the game is it possible to log in and find your character gutted.”

        No, that doesn’t have a great deal to do with always online. We’d like them to keep our characters safe either way. Cheats and hacks and that was an issue in D2 as well.

    • Narzhul says:

      No. Ironic in that the armored car could’ve just been a car, with no money in it, and sits quietly in the garage.

  23. mire says:

    I can only assume that none of the “OMG BLIZZARD SHILL” crowd have had the pleasure of working in IT or retail. I’ve done both, and people are the worst when it comes to stuff like this. I take Blizzard’s word that this isn’t happening to authenticator-protected accounts not because they’re infallible supermen, but because I’ve personally seen the contortions people will go through to convince you that they had *NO IDEA* their copy of Photoshop was pirated, and they *NEVER* go on any website that might give them a virus. People lie.

    • Milky1985 says:

      I work in IT I know people lie.

      I work in IT I know that companies don’t tell the full truth.

      • HothMonster says:

        So I wonder what piece of proof makes you believe either side in this case? Personally I doubt there is any kind of server side hack going on but I would not be surprised if Blizzard comes out in a week and says, whoops we was hacked.

        If you know people lie when their computer breaking down is their fault. You know people think that running McAfee and Norton at the same time will catch 100% of root kits and keyloggers. You know that corporations will lie and report data theft well after it happens and spin their knowledge of it to keep them in compliance with the law. If you know all this what piece of evidence has pushed you to believe that the forum posters are telling the truth and that session hijacking is really going on?

        If they were really broadcasting your session id to other people I would think someone would have been able to provide concrete evidence of being able to see these and spoof them. This whole thing just reminds me of the NCsoft rumor fiasco. Where everyone flipped out on ncsoft only to find out a few weeks later tens of thousands of people had used the same password on a forum that got hacked.

        The only thing that I’m ready to stab them with the pitchfork for is not having any kind of login attempt limit with things like this out there.

  24. Zihua says:

    What an utterly pointless rant. Blizzard gives players the possibility to use authenticators, which is as much security as your bank offers. There’s nothing more they can do. Nobody’s been hacked. They’ve been stupid.

    • Milky1985 says:

      Other than the reports of characters having items removed, while people have been logged in.

      The journo who got hacked despite having an authenticator.

      The thread relating to a way to list all the email addresses.

      The lack of basic anti brute force protections.

      Yes, there have been reports if you bother to actually read up on them.

      • Strabo says:

        Then please link those reports that have not turned out to be actually fabricated. Yesterday I saw one person on SA claim to have been hacked despite authenticator. 2 hours later, after some help of other readers, he had to admit that he had a very nasty keylogger rootkit stuck on his PC, which of course is also able to read the authenticator number you just entered (they are valid for another 60 seconds after all).

        • FCA says:

          link to

          I don’t know how reliable the Examiner is, but at least someone is willing to put a real name under such a report.

        • Milky1985 says:

          Well I did actually post a link on an earlier comment, but since searching for information seems to be too difficult for the average fanboy mind I will post the link again.

          It’s on your favorite site in the whole wide world btw

          link to

    • bladedsmoke says:


      • Phantoon says:

        Fanboys of these stripes aren’t capable of logic- or they might notice the failures therein.

        It’s more like “MY INFALLIBLE”. Because there’s nothing there.

    • FCA says:

      My bank sends an authenticator to me for free after I open an account there. I am required to use it to log in.

      Furthermore the following list of security boo-boo’s were observed:
      – No case sensitivity in passwords
      – No lockout of account after extreme amounts of login attempts from different IPs
      – No extra security question/SMS/mail after login from very different (different country/continent) location
      – Emails could be enumerated
      – No possibility of extra account protection like Steamguard.
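Three items from FCA's list above (case-insensitive passwords, no lockout when the attempts come from many IPs, enumerable emails) handled in one login routine, as an added example that is not code from the thread or from Blizzard. The class name, thresholds, messages and PBKDF2 parameters are assumptions chosen for illustration, and the enumeration point is shown on the login path only.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # assumed threshold for the example
LOCK_SECONDS = 15 * 60      # temporary lock, so a lockout cannot be made permanent
GENERIC_FAILURE = "Invalid email or password."
LOCKED_MESSAGE = "Too many attempts. Try again later."


def _hash(password, salt):
    # The password bytes are hashed as typed: "Secret" and "secret" differ.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginService:
    """Hypothetical in-memory login service used only to demonstrate the checks."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}        # email -> (salt, password hash)
        self._failures = {}     # submitted email -> (count, locked_until)
        self._dummy_salt = os.urandom(16)
        self.audit = []         # (time, email, source_ip, outcome) for later review

    def register(self, email, password):
        salt = os.urandom(16)
        self._users[email.lower()] = (salt, _hash(password, salt))

    def login(self, email, password, source_ip):
        key = email.lower()     # the email is case-insensitive, the password is not
        now = self._clock()
        count, locked_until = self._failures.get(key, (0, 0.0))

        # The counter is keyed on the account, not the source IP, so guesses
        # spread over many addresses still trip it.
        if now < locked_until:
            self.audit.append((now, key, source_ip, "locked"))
            return False, LOCKED_MESSAGE
        if locked_until:        # an earlier lock has expired: start counting again
            count = 0

        record = self._users.get(key)
        salt, stored = record if record else (self._dummy_salt, b"")
        candidate = _hash(password, salt)   # same work whether or not the account exists
        ok = record is not None and hmac.compare_digest(candidate, stored)

        if ok:
            self._failures.pop(key, None)
            self.audit.append((now, key, source_ip, "ok"))
            return True, "OK"

        # Failures are tracked for unknown emails too, so the wording and the
        # lockout behaviour never reveal whether an address is registered.
        # (A real service would bound or expire this table.)
        count += 1
        locked_until = now + LOCK_SECONDS if count >= MAX_FAILURES else 0.0
        self._failures[key] = (count, locked_until)
        self.audit.append((now, key, source_ip, "fail"))
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice@example.com", "CorrectHorse9")      # constructed account
    print(svc.login("alice@example.com", "correcthorse9", "198.51.100.1"))
    print(svc.login("nobody@example.com", "whatever", "198.51.100.1"))
    print(svc.login("alice@example.com", "CorrectHorse9", "198.51.100.1"))
```

The remaining two items on the list, a challenge on login from a distant location and a Steam Guard-style second factor, are separate controls and are not shown here.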

    • Katar says:

      Blizzard give you the possibility of buying “at cost” an authenticator. My bank forces me to use an authenticator they provide for free and a more secure password entry system. One of them I trust, within reason, with my money the other one I don’t. Guess which is which?

  25. MasterDex says:

    I recall my WoW account being hacked, long after I had stopped playing, so I wasn’t too bothered. Then I had the idea that I might return for a month and see how it goes so I went about taking back control of my account. Change my password? No problem. Change my email address? I needed to send in copies of ID – driver’s license and Passport. Of course, since I didn’t have those that was a problem and no other ID I had would do them so they demanded my birth certificate. MY BIRTH CERTIFICATE?!

    At that point, I stopped bothering. I asked if a dated, annotated, photo of me holding my box with the key displayed would be enough but no, they wanted my birth certificate. Screw that! No way I’m giving them my birth certificate.

    Anyway, this wasn’t all that long ago so those who have similar trouble as a result of Diablo III, might want to be ready for Blizzard’s heavy-handed “protection”.

    • Gasmask Hero says:

      If they didn’t do this, and some naughty Nigerians or romping Romanians got hold of your account, would you use more or less capital letters than here when making shouty forum posts about it? Just curious.

      It’s a pain to be sure, but I think it’s an appropriate level of security when dealing with what could be potentially high value accounts.

      • MasterDex says:

        Firstly, the only capital letters I used together was to exclaim that Blizzard were asking for my birth certificate. That hardly makes my post shouty.

        Secondly, Blizzard have absolutely no cause to ask for someone’s birth certificate as a photocopied certificate could be easily doctored and doesn’t contain any relevant information beyond my name and date of birth – which several less personal forms of ID could provide just as easily. Unless Blizzard have already, illegally, acquired a copy of my birth certificate, they have no reason to ask for it.

      • Phantoon says:

        Those accounts aren’t worth that much anymore- believe me, I looked and I had max level everything on one high population server.

        And why is it they have a system where they can change the email address without that stuff unless you, as the person with the original CD key, wants to change it and can prove you’re that person?

        Might as well ask for your social security number.

    • malkav11 says:

      At least they were willing to try to verify your identity. They never even asked me.

    • Innovacious says:

      I had to remove my authenticator once when my phone factory reset and I lost it. They asked me for my birth certificate too. I said no and instead listed the CD keys to all of the games and expansions I have on the account, and gave them the account names to both WoW accounts linked to it. Things only I would be able to know, unless someone broke into my house and stole all my CD keys, but they would have been able to steal my birth certificate too so there shouldn’t be a problem. They said it wasn’t good enough.

      Every time they said it wasn’t good enough, I just re-sent the e-mail. Eventually, someone who was able to think for themselves and see this was valid rather than spouting “NO, YOU MUST FOLLOW THE DESIGNATED PROTOCOL” got the e-mail and the authenticator was removed.

  26. Strabo says:

    ” given that we’ve been hearing reports of hackers working their dark magics unimpeded by Blizzard’s supposedly unassailable data fortress.”

    As far as I know all the reports of people claiming to have an authenticator attached to the account have turned out to be lies by people themselves, having attached the authenticator later on or simply never had one on the account, but were too embarrassed to admit they used the keylogger-infected maphack.
    There is apparently no evidence yet of SQL-injection as Eurogamer without a source claimed or session ID spoofing as others claimed (again without a source).

    • Milky1985 says:

      I’ve seen plenty of reports of auth attached accounts having issues that have yet to be refuted.

      Also the whole specific characters losing items thing that has yet to be refuted (these did actually go to Blizzard and classed as no hack from the wording of people’s customer service responses).

      The SQL injection and session ID thing yes have no sources, but I think something was confirmed on the session ID front on blizzhackers forums (good luck finding that tho, I found a thread referencing it but it looks to have been deleted and no Google cache) and was mostly theorizing anyway.

      To say “it’s people’s fault, nothing wrong at Blizzard” because some of it is some people’s fault is silly, because the rest of the people might have an issue with Blizz. Just as saying “it’s Blizzard’s fault not the people’s” is also silly, because people will be silly.

  27. RegisteredUser says:

    I would just like to sign the “Was here to gloat, point fingers and mutter ‘well deserved'” checkboard.

    I hope that everyone who gave money to Blizzard gets defrauded ten times that when the RMAH launches.

  28. malkav11 says:

    The easiest way for Blizzard to keep accounts safe would have been to not require you to tie your copy of Diablo III to them.

  29. Shortwave says:

    I’m so very happy I didn’t buy this game.
    I decided to try out a Guest account last night just to see how the game felt from Beta to now.
    Well.. I spent a good half hour warping around randomly in the village and then gave up.
    Then went and played Tribes on a European server with 80ping, from Canada.

    : ) Lol, yup…

    • Phantoon says:

      Comparing this game to Tribes is unfair.

      Tribes gets by, by being fun.
      This gets by, by being obsessive about loot.

  30. Paravel says:

    I’m just going to throw it out there that I never played Diablo 2 offline. If was down during my D2 days, I simply would not play. This DRM whinefest seems to stem from people who want to play exclusively solo. But I ask you: Do you want to play solo forever? You probably at some point want to use the Auction House, or play with a friend, right? You probably want to do that with the character you worked so hard to build up in single player. That requires you be online in some fashion separate from your offline data. Why? Because your offline data is stored on your computer, and easily edited. The online aspect would be flooded with duplicated items and level 9000 characters (see: Open in Diablo 2).

    Diablo 3 cut out the middle man of an ARPG that is designed to be played online; in countries where high speed internet and constant connection is the norm (ex: my cell phone, barring battery death, is always connected to the internet), do we really have a right to be upset? I mean, all this aside, I have yet to have a problem connecting to D3. Even on launch day I was frying imps in the Cathedral with no hiccups. So that being said, I don’t have a feeling of being denied something I’d paid for. But, on the other hand, if the service is uninterrupted for me and coming from the same source as you, how is that their fault? Isn’t that your ISP/Wireless card/weather in your area? My Blizzard account has never been hacked. I use an authenticator. I use the security tools provided to me free of charge, and they work. So I can’t complain about that, either.

    I think what bothers me is that we have a vocal minority of disgruntled DRM-a-phobes who can’t look past those three letters and see the reason Blizzard has made things this way. Most of these people state that they DID NOT EVEN BUY DIABLO 3. How can you comment negatively on a game’s functionality if you have not played it yourself and don’t even own it? You’re basing your criticisms on other people’s criticisms. That would be like a movie reviewer writing a review based on a review he read on a blog somewhere. Do you realize how silly that is? On the other hand; anyone who COULD try to defend Diablo 3’s case is probably too busy playing Diablo 3 and having a great time doing so… online… with their friends.

    My battlenet handle is Paravel#1807 and I invite you to come blast some demons back to hell with me or kindly go back to your dark, friendless, pure-single-player corners of the offline universe. You’re happier there, and that’s okay! Just please, stop popping up to bring us all down. Thank you, goodnight.

    • FCA says:

      Dear Paravel: what does the wanting to play solo or multi have to do with the hacking of accounts?

      1. If the servers cannot handle the load due to excessive number of people wanting to log in, it inconveniences all users, either multi or solo.
      2. Why do you presume to know how I want to play the game. Apart from some Battlefield 2, I never played online. I’m like that, sue me. I live in a high speed connected country, but I am on the move a lot. Due to the roaming costs, it means I could never ever play Diablo 3 while on the move. And even when I am at home, my internet connection sometimes drops because my wifi sometimes has problems. I could lay cable, but that involves a lot of work, and why should I do this to play a game?
      3. People who didn’t buy this game are critical, because we fear that if it works out OK for Blizzard, other companies will follow. The new Simcity title seems to have always online, that is worrying. If we don’t kick and scream now, and Diablo 3 is a big all around success, almost all games by big publishers will have this “feature” in the future.
      Also, maybe they wanted to buy the game, but knew that they couldn’t play smoothly with the DRM. This means that due to this requirement, they were denied a game they’d like to play. That is something to be annoyed about.

    • V. Profane says:

      Yes, I want to play offline forever. I never played Diablo 2 online, or wanted to. I might have bought Diablo III if I could play offline. I would have bought the new SimCity game if not for the online obligation. Bring on the second great collapse of the video game market because this bullshit makes me fucking sick. Instead of ET carts being buried could we make it fanbois and CoD kidz please?

    • kud13 says:

      “Do you want to play exclusively solo?”


      “in countries where high speed internet and constant connection is the norm”

      Well then, I guess Blizz should only sell the game in countries where there is 0% chance of internet failure. Then there would be no one complaining. Oh wait, that’s irrelevant when their servers are down or lagging.

      I’m still waiting for the shitstorm and DDoSing that will inevitably start once D3 hits the Russian market. Blizz alienated LOTS of people who used to swear by them for LAN

    • malkav11 says:

      Yes, I would probably play solo primarily or exclusively. However, weirdly enough, there have been ways of playing online with other people separate from an offline singleplayer for a long, long time, so even if I did want to play with friends, it wouldn’t validate Blizzard’s setup for Diablo III.

  31. Emeraude says:

    “But I ask you: Do you want to play solo forever?”

    Many did with D2 do for D3. And then the problem for those who wouldn’t mostly stems from Blizzard’s LAN removal. As for wanting to use the auction house…

    “I think what bothers me is that we have a vocal minority of disgruntled DRM-a-phobes who can’t look past those three letters and see the reason Blizzard has made things this way”

    Being part of the usual suspect vocal minority, I think what we have here is much more than that. Also, I do think the people complaining understand Blizzard’s reasons – at least partially – and either they don’t care, or find them specious.

  32. ukpanik says:

    Why are accounts being hacked? What’s in it for the hackers?

    • FCA says:

      Real money auction house.
      Or of course, selling it on some other site, which seems to work well enough for MMO’s…

      • HothMonster says:

        I doubt that they plan to sell their stolen goods on Blizzard’s own ah. I’m not clicking on any of these links but the black market is always the better place to fence stolen goods.

  33. Bhazor says:

    I have to say F5ing the Diablo 3 general discussion forum is the funnest game I’ve played in a while.
    Some threads just straight up vanishing right off the front page.
    Hundreds of “Diablo 3 isn’t worthy of the title” threads.
    Thousand post threads for reporting hacks.

    All I can imagine is the Blizzard forum admin staff staring at it like Sisyphus looking at a big patch of bird crap on his rock.

  34. CorruptBadger says:

    Authenticators are useless, all they do is slow down hackers. In my experience with WoW I was hacked 3 times. The first time was through my son’s fault because he goes on fishy websites looking for cheats for his games (on a side note, he’s a little bastard when it comes to games, cheating his way through anything). So I rang up Blizzard who advised me to fully scan my computer and I also banned my son from using my computer, and bought him a cheap iPod to play on instead.

    Second time was caused by god knows what, and it wasn’t the fact that it took weeks for them to even respond to my email, or the fact that all of my gold apparently “could not be recovered”, but the fact that I then got a call from Blizzard asking if I was involved in gold farming, and after explaining that I was a victim of a hack, then getting 5 minutes of ear-ache that I should buy an authenticator to protect my account and that they’re so cheap for the benefits they reap etc.

    Well the dross woman on the phone bored me so much I simply just replied yes to shut her up and bought one. Needless to say a few months after that I got hacked once again… sigh

    • HothMonster says:

      Did you activate it on the account before the third hack? Are you saying this statement “Despite the claims and theories being made, we have yet to find any situations in which a person’s account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn’t a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.” is a blatant outright lie?

      • psyk says:

        That quote is talking about D3 not WoW

        • HothMonster says:

          I took it to mean “we have never investigated an instance in which an authenticated account has been broken into,” not just “none of the compromised accounts from the last week since D3 released had authenticators.” What makes you think he only means D3?

          • psyk says:


          • HothMonster says:

            It’s the same account for D3 and WoW, the same authentication and login process. You really think he would say “we have never investigated” when he means “we have not, in the last week, seen it happen”?

          • psyk says:


            Crowd – People got hacked in D3 and they were using an auth.

            response – None of the accounts we investigated had an auth device attached.

            It’s not hard

          • HothMonster says:

            Well I guess it wouldn’t be the first time Bash made a disingenuous comment. Thinking more about it I guess it is pretty outrageous to think that in all these years no one has had their authenticator keylogged and accessed before the code refreshed.

          • psyk says:

            You would have to be stupidly quick to use it before they did, surely? But yeah trojans have been bypassing two factor authentication (bank sites) for awhile now.

  35. Brun says:

    I’m very happy I bought Diablo 3. I’ve enjoyed it immensely so far.

    Commenters’ vitriol just makes me want to like it even more, despite the fact that I disagree with the DRM. I’d rather stand on the sidelines than make a stand with thousands of screaming children who give me a headache.

    • lordfrikk says:

      Those who played it most assuredly got their money’s worth out of it few days after release and don’t really care about people arguing all over the Internet.

  36. lofaszjoska says:

    wow. this is low. a new low, i mean.

  37. RegisteredUser says:

    Turns out D3 is now the fastest selling PC game.

    That’ll show them not to put always on DRM and bad launch support into games!

    FUUUUUUUUUUUU I hope all the buyers get !@Q%@#$^#&*\35\ 5\12

  38. GSGregory says:

    Seems to me that when issues arrive like server issues they just say well this is normal for MMOs and when there are issues like the auction house transactions failing they talk about how it’s a single player game and not a core part of it.

    So what is it, Blizzard? Is the game an MMO or a single player game?

  39. rockman29 says:

    I’m enjoying the game… but man… the connection seems so finicky. Not only do you get a half second delay or a full second delay when you use abilities sometimes, other times your ability doesn’t trigger at all! I feel like I’d be able to play the game more easily without the lag. Still… great game… but I dunno… I think I’m Diablo III’d out already. Definitely bought into the hype a bit too much. The game is a little too bare bones on everything except looting things… and now I have a headache from playing it… the game scales to get a little too fast paced for me… I don’t think this is my kind of game anyway. Good game, with bad stuff, and all, I think I’m done :D

  40. EternalSoul9213 says:

    I have the mobile authenticator. I have a not so hot password. I have yet to be hacked. Besides the initial server overload I have yet to experience issues logging in or lag. I play with two other people and again besides the initial server overload they have yet to experience lag or issues logging in. One of the two has a machine that has a single core processor at 3.8 GHZ (I think, it might be 4.0) and 4gb of RAM. He just started lagging in Act 3 with all the background animations going on + the crazy amount of effects what with the large amount of enemy units.

    I have not experienced any of the issues any article I’ve read has complained about. I have thoroughly enjoyed playing and don’t regret spending the $100 on the collector’s edition at all. This game is everything and more that I hoped for. I do miss some things from Diablo 2 but simply remaking Diablo 2 would’ve been a fatal mistake. All this whining seems senseless to me. I’m sure people are experiencing issues but I have yet to experience ANYTHING wrong so I have a hard time believing all the griping all the news sites are doing, at least in the scale they seem to claim. Page hits seems more important than facts, oh well.