Diablo 3 Account Hacked

Perhaps you should thank the guy for sparing you hours of grinding, since you'll now be quitting the game...

JK, sorry for your loss man. Run them spyware programs...
 
People need to get a sense of what they are doing. Hell, the Chinese farmers themselves call those people out in the video. Those who risk it are not too keen on security and don't care. IMO, those people have no one to blame but themselves if they use the same information across services. Basic security here, folks, and I find it hard to take someone who has been compromised in this fashion seriously when they deny it and troll the community like what is happening ("it just has to be a breach, it can be no other way!" *sigh*)

In my opinion, Blizzard does what they can as a business. They shouldn't be acting as people's Internet security advisor or monitoring accounts for authenticators. It's the user's responsibility and it should stay that way.

In terms of using location and authenticators, they use a method like that. If I log on somewhere that is not my home, it requires an authenticator.


I'm not going to dig around this entire thread or the one in the PC Hardware for my answer so I'm just going to get straight to it...

Dude wtf is your problem? Do you have a stick up your ass?
 
I'm not going to dig around this entire thread or the one in the PC Hardware for my answer so I'm just going to get straight to it...

Dude wtf is your problem? Do you have a stick up your ass?
The guy is right though. Most users use simple passwords and share them across services. It's not a good idea. When one site gets compromised and a hacker finds your password, all of the other sites you use that password on are compromised as well. Some guy could hack a site you haven't used for 10 years, but if that site had the same password you use on Diablo 3, you're fucked. Blizzard did nothing wrong in that example.

You would probably be safer by having a different password for every site you ever visit and writing it on a piece of paper hanging above your computer, than using the same password on every site you visit and not writing it down. You can control who sees your list; you can't control what sites get hacked.

Bottom Line:
Your Battle.net username and at least password, as well as the email account attached to it, should have a 100% unique password that is not used on any other site, ever. Also make sure your security reset question is not stupid easy like "What's my dog's name? Hint: Spot", like I mentioned earlier.
 
http://www.examiner.com/article/diablo-iii-an-authenticator-still-gets-you-hacked

Article on Examiner where the author claims to have been hacked with an authenticator.

Wow that dude has been hacked a lot. However, just as a devil's advocate, he never states what type of authenticator he has. There is a lot of mistaken identification going on since Blizzard has 4 types of authenticators. Would be nice to say which one he has as well as for Blizzard to change their naming schemes on their "authenticators".
 
People need to get a sense of what they are doing. Hell, the Chinese farmers themselves call those people out in the video. Those who risk it are not too keen on security and don't care. IMO, those people have no one to blame but themselves if they use the same information across services. Basic security here, folks, and I find it hard to take someone who has been compromised in this fashion seriously when they deny it and troll the community like what is happening ("it just has to be a breach, it can be no other way!" *sigh*)

In my opinion, Blizzard does what they can as a business. They shouldn't be acting as people's Internet security advisor or monitoring accounts for authenticators. It's the user's responsibility and it should stay that way.

In terms of using location and authenticators, they use a method like that. If I log on somewhere that is not my home, it requires an authenticator.

Sure, but why not also do what Valve does with Steam, or what my credit card's website does? If I log in from a new IP, it does a quick check.

Blizzard's passwords don't allow punctuation, and aren't even case sensitive. I think it's pretty easy to see they could be doing WAY more to help the situation.

ffs, it's not that hard.
 
Totally agree. I think that making passwords case-sensitive and instituting a password expiry condition in there is all that is needed. That isn't really a lot of things to add, and it will shore it up.
 
Wow that dude has been hacked a lot. However, just as a devil's advocate, he never states what type of authenticator he has. There is a lot of mistaken identification going on since Blizzard has 4 types of authenticators. Would be nice to say which one he has as well as for Blizzard to change their naming schemes on their "authenticators".

Definitely, like stating that the mobile authenticator (not the app) isn't supported by D3 when signing up.. not buried in a few support articles.
 
I use an algorithm for my passwords, figuring that it's possible that I cycled back around for my hacked b.net password to one that had been used previously on a message board. Would be at least 5-6 years back, thinking what gaming-related forums I might have been using back then, either Freelancer or SimCity 4 modding. Not unreasonable to think a couple of those might still be sitting abandoned somewhere, especially if they are using old versions of phpBB with known exploits.

I haven't been rehacked in the interim despite not adding an authenticator, have switched to a longer more obtuse new password. Have also updated my algorithm so cycling won't occur, at least not within my lifespan.

Still think automatic account lock-down with an email unique hash release upon login from a new IP, as an option within the account control panel would be a nice add-on for people.

Or just remove the absurd shipping charges on authenticators for non-US customers. Just had a 135mm f2.8 lens shipped from the Ukraine for less than Blizzard wants to ship a tiny plastic lump to Alberta.
 
I use an algorithm for my passwords, figuring that it's possible that I cycled back around for my hacked b.net password to one that had been used previously on a message board. Would be at least 5-6 years back, thinking what gaming-related forums I might have been using back then, either Freelancer or SimCity 4 modding. Not unreasonable to think a couple of those might still be sitting abandoned somewhere, especially if they are using old versions of phpBB with known exploits.

I haven't been rehacked in the interim despite not adding an authenticator, have switched to a longer more obtuse new password. Have also updated my algorithm so cycling won't occur, at least not within my lifespan.

Still think automatic account lock-down with an email unique hash release upon login from a new IP, as an option within the account control panel would be a nice add-on for people.

Or just remove the absurd shipping charges on authenticators for non-US customers. Just had a 135mm f2.8 lens shipped from the Ukraine for less than Blizzard wants to ship a tiny plastic lump to Alberta.

You can download WinAuth instead. It's like the smartphone authenticator app, written to run on your PC. It was created for WoW 2 years ago. Fairly easy and it works great.

You'll probably hear some people screaming about how since it would be running on your PC it's not good enough, but these attacks aren't the result of keylogging/phishing for the majority.

There is a hole somewhere in the client/server communication that's letting them in. Only thing that explains how I could be hacked and the Blizzard folks could find no evidence of anyone, even myself, logging in to make it happen. Also explains why the "hackers" are limited in what they can steal.
 
The guy is right though. Most users use simple passwords and share them across services. It's not a good idea. When one site gets compromised and a hacker finds your password, all of the other sites you use that password on are compromised as well. Some guy could hack a site you haven't used for 10 years, but if that site had the same password you use on Diablo 3, you're fucked. Blizzard did nothing wrong in that example.

You would probably be safer by having a different password for every site you ever visit and write it on a piece of paper hanging above your computer, than using the same password on every site you visit and not writing it down. You can control who see's your list, you can't control what sites get hacked.

Bottom Line:
Your Battle.net username and at least password, as well as the email account attached to it, should have a 100% unique password and not used on any other site, ever. Also make sure your security reset question is not stupid easy like "What's my dogs name? Hint: Spot", like I mentioned earlier.

He'd be right if phishing was how they are accomplishing this act. Unfortunately for the majority, it's not. Blizzard actually refused my rollback because there was no evidence anyone had logged in, even myself, when my stuff was lifted. There are also limitations in what they can steal, if they were phishing people and logging in they wouldn't be limited to a single character and a single stash page.

Blizzard wasn't even interested in information gathering when I called in. The lady on the phone was totally unable to explain how my stuff disappeared, and yet she wanted to gather no details to escalate the issue. Forum goers decided to do it themselves, and if you read the German forum, there is a very clear pattern that this is an exploit and not a traditional password scam.

Blizzard has a hole somewhere. Authenticators seem to plug it, but if they don't fix it it's likely only a matter of time before someone figures out another way to exploit the weakness.
 
Blizzard actually refused my rollback because there was no evidence anyone had logged in, even myself, when my stuff was lifted. There are also limitations in what they can steal, if they were phishing people and logging in they wouldn't be limited to a single character and a single stash page.

This leads me to believe that this may be a bot of some sort. Of course it could be data loss (if that's the case, oh boy am I more nervous than a hacking).

He'd be right if phishing was how they are accomplishing this act. Unfortunately for the majority, it's not.

I've only seen your case where Blizzard had no way to explain or comprehend what happened in your situation. Are there others? How do we know it's the majority? How do we know this isn't just phishing?

But what we do know (coming from someone who actually is in the "scene", the gentleman from that interview I posted) is that there is a small minority that have been hacked in an entirely different manner. I think he said maybe 90% of hackings are a result of data mining from game community sites. The other 10% could really be anything, including exploits. It's odd that there seems to be some weird correlation between what Blizzard is saying and what that guy, whom Blizzard considers an enemy, is saying. It's quite comedic. :p
 
This leads me to believe that this may be a bot of some sort. Of course it could be data loss (if that's the case, oh boy am I more nervous than a hacking).
It sounds like a bot to those who haven't seen the aftermath. It's hard to explain, but when you see how things are moved, what's left behind, it doesn't give the impression that's what they're using. This is part of the problem, it's hard to accurately convey to those who haven't seen it. I probably should have captured some video so I could show people but since they denied my rollback I went back to playing after finding an authenticator workaround.

I've only seen your case where Blizzard had no way to explain or comprehend what happened in your situation. Are there others? How do we know it's the majority? How do we know this isn't just phishing?
If you believe the posters from the early information gathering threads, there are lots of them. Blizzard seemed to start giving benefit of the doubt as the numbers increased and stopped denying rollbacks. I think as time went on the calm people moved on though, most of what we see now are the crazy exploding complaints instead of calm information collection. Part of that is probably because Blizzard kept locking the posts. Since there was an official response from Blizzard they decided our issues were addressed and there was no need to keep discussing the problem.

But what we do know (coming from someone who actually is in the "scene", the gentleman from that interview I posted) is that there is a small minority that have been hacked in an entirely different manner. I think he said maybe 90% of hackings are a result of data mining from game community sites. The other 10% could really be anything, including exploits. It's odd that there seems to be some weird correlation between what Blizzard is saying and what that guy, whom Blizzard considers an enemy, is saying. It's quite comedic. :p
Maybe me concluding it to be a majority is premature, I can't really verify that without Blizzard letting me poke around their stuff. From a profiling standpoint though, it seems highly unlikely that every post I've seen (that wasn't obvious phishing) would have the same properties, and then two different causes. It doesn't seem likely to me that standard account compromise would look exactly the same as a weird 10% access exploit. I could be wrong, but I've been managing server security a long time and it just doesn't seem logical.

I was originally entertaining the idea it was a bug, it seemed like any items I touched or modified in the last hour (gold total, re-gemmed items) might have been the only stuff that vanished, but since I had an unknown "last played with" on my list when we'd never touched a public game, it seemed highly unlikely.
 
Totally agree. I think that making passwords case-sensitive and instituting a password expiry condition in there is all that is needed. That isn't really a lot of things to add, and it will shore it up.

Making them case sensitive alone would massively increase the potential password entropy.

If my math is right, using a 12-character password with numbers and letters as an example, just allowing upper case would increase the hack time, assuming brute force at 100 fucking TRILLION attempts per second... from roughly 13 hours to over a YEAR. I used a password in the double digits, unique to Battle.net. Since they needed to be online to even attempt it, that probably enormously limits the speed. Even if they somehow smashed the login at 10,000 per second, the password may as well outlive the actual human species' existence on Earth.

Brute force is likely an impossibility if your password had any semblance of strength, I'd guess there's another exploit in play. There's no timely way they could have guessed my password. I ran multiple scans afterwards and came up 100% clean with everything. I'm pretty sure my machine is clean outside of somehow contracting some brand new, hilariously sophisticated piece of work that is currently under the radar from basically everything and exists solely to attack battle.net accounts.

There has to be something else at play, because I don't see how it could make sense otherwise.
 
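To check the arithmetic in the post above, here is an added Python example (not from the thread, and not Blizzard's code) that computes worst-case brute-force exhaustion times for the character sets and guess rates the post assumes, and also compares adding length against adding case.

```python
"""Brute-force cost of a password under different character-set and
guess-rate assumptions.

Added illustration for this thread. The rates (1e14 guesses/s offline,
1e4 guesses/s against the live login) are the ones assumed in the post;
both are assumptions, not measured figures for Battle.net.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes a password policy may allow or reject.
LOWER, UPPER, DIGITS, PUNCT = 26, 26, 10, 32  # 32 printable ASCII symbols


def alphabet_size(case_sensitive: bool, digits: bool = True,
                  punctuation: bool = False) -> int:
    """Size of the character set an attacker has to enumerate."""
    size = LOWER + (UPPER if case_sensitive else 0)
    size += DIGITS if digits else 0
    size += PUNCT if punctuation else 0
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in `space`.
    The expected time for a random password is half of this."""
    return space / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    if seconds < 3600:
        return f"{seconds:.0f} s"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def compare(length: int = 12) -> dict:
    """Worst-case exhaustion times for the scenarios the post discusses."""
    offline, online = 1e14, 1e4   # assumed guess rates (see module docstring)
    scenarios = {
        "case-insensitive alnum, offline": (alphabet_size(False), offline),
        "case-sensitive alnum, offline": (alphabet_size(True), offline),
        "case-insensitive alnum, online": (alphabet_size(False), online),
        "case-sensitive alnum + punctuation, online":
            (alphabet_size(True, punctuation=True), online),
    }
    return {name: seconds_to_exhaust(keyspace(a, length), rate)
            for name, (a, rate) in scenarios.items()}


def length_beats_case(insensitive_len: int = 14, sensitive_len: int = 12) -> bool:
    """Two extra lower-case characters already outweigh adding upper case:
    36**14 > 62**12. Length is the cheaper lever for a user under a
    restrictive policy, and online guessing is further bounded by
    lockout or rate limiting on the server side."""
    return keyspace(alphabet_size(False), insensitive_len) > \
        keyspace(alphabet_size(True), sensitive_len)


if __name__ == "__main__":
    for name, secs in compare().items():
        print(f"{name:45s} {human(secs)}")
    print("14 chars case-insensitive > 12 chars case-sensitive:",
          length_beats_case())
```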
Just have your account text message you when something weird happens, such as a login from a foreign location, or maybe they should do it how Steam does it. They require you to enter a code when the location is questionable compared to the normal locations you log in from.

All the SMS thing does is let you know that your character got cleaned out 20 minutes ago.
 
Making them case sensitive alone would massively increase the potential password entropy.

If my math is right, using a 12-character password with numbers and letters as an example, just allowing upper case would increase the hack time, assuming brute force at 100 fucking TRILLION attempts per second... from roughly 13 hours to over a YEAR. I used a password in the double digits, unique to Battle.net. Since they needed to be online to even attempt it, that probably enormously limits the speed. Even if they somehow smashed the login at 10,000 per second, the password may as well outlive the actual human species' existence on Earth.

Brute force is likely an impossibility if your password had any semblance of strength, I'd guess there's another exploit in play. There's no timely way they could have guessed my password. I ran multiple scans afterwards and came up 100% clean with everything. I'm pretty sure my machine is clean outside of somehow contracting some brand new, hilariously sophisticated piece of work that is currently under the radar from basically everything and exists solely to attack battle.net accounts.

There has to be something else at play, because I don't see how it could make sense otherwise.

See, this is one thing I take a lot of issue with. There seems to be a big trend of people blaming the victim, as it were, when it comes to falling victim to B.Net account hacking, but no one wants to talk about the fact that Blizzard's own security policies leave a lot to be desired. And meanwhile, widespread account hacking seems to be an isolated problem for Blizzard games. It happens from time to time in other games/MMOs but it does not seem to be anywhere near as common of an issue.
 
My Diablo account was hacked this week and this was my experience. I am not new to Blizzard games but I am just a casual player. I did not know that the threat of getting your account hacked was as high as it was. I guess I just thought it would never happen to me. With that being said, I did not have an authenticator, nor did I even know about it. I have it now though, plus the SMS text notification tool.

The last time I played was Sunday May 3rd around 7:30pm. I got up Monday morning at 3:00am to play a little before I had to go to work. I always check my gear that I have posted on the auction house first thing. When I was in the auction house I noticed that I had 0 gold and both tabs of my stash were empty. My witch doctor was still equipped with all of the gear that I had left him with.

I submitted a ticket to have my account restored around 3:30am on Monday May 4th. I received a response from Blizzard around 8am on Tuesday May 5th. It was asking my permission to use 1 of my 2 possible account rollbacks. I replied to the support ticket and authorized them to roll my account back. When I woke up at 3:49am on Wednesday morning, I had received an email from Blizzard at 3:30am stating that my account had been restored to a previously saved point.

I was at level 60 when I stopped playing on Sunday. I was currently at the checkpoint right before you enter the cave and fight the spider queen. After the rollback, I was at the same point. It appears that they rolled my account back to probably the previous day, because I was missing a couple of pieces of gear that I had purchased on Saturday night.

Overall it was a decent experience. I did not lose much at all and did not have to replay any of the game to get back to my original checkpoint. I am sure that this would be different for everyone, but I know that there are quite a few people awaiting a rollback and I just wanted to provide some hope. Hang in there, there is light at the end of the tunnel.

What I learned from this was first, get the damn authenticator if you haven't. Second, make sure to use a more complicated password utilizing numbers, characters and symbols. Third, change your password often.

I am not sure how I was hacked. I do not play in public games, but I have clicked on an item someone has put in the public chat offering to sell. I do not look at porn on my computer. My internet browsing really only consists of gaming websites, forums, paying bills and some general googling. I never open suspicious emails. I have Norton complete internet security and perform regular scans.
 
That is great to hear goodkat; according to another Blizzard blue post they still haven't found any correlation to public games being hacked. But someone else did say people are going out of their way to hack sites your password could be stored at, possibly the same one you use to log in to Diablo.

I haven't been hacked yet *knock on wood but I use an authenticator.
 
Interestingly enough, I just activated my copy of Diablo III last night around 6pm. Starting around 3am or so I started getting tons of spam from various gold selling sites for Diablo III. I've never gotten these before, and the fact that I registered the game and suddenly started getting the spam really makes me wonder if the battle.net site is in fact compromised. Either way, I've changed all my passwords today from a different computer just to be safe.
 
Interestingly enough, I just activated my copy of Diablo III last night around 6pm. Starting around 3am or so I started getting tons of spam from various gold selling sites for Diablo III. I've never gotten these before, and the fact that I registered the game and suddenly started getting the spam really makes me wonder if the battle.net site is in fact compromised. Either way, I've changed all my passwords today from a different computer just to be safe.

Yea that's a little fishy...

Luckily for me I have always had a unique password for my battle.net account because of their silly no punctuation rule lol

No authenticator, and don't plan to get one because it doesn't seem they help this matter.

Hoping I don't get hacked! /roll
 
Interestingly enough, I just activated my copy of Diablo III last night around 6pm. Starting around 3am or so I started getting tons of spam from various gold selling sites for Diablo III. I've never gotten these before, and the fact that I registered the game and suddenly started getting the spam really makes me wonder if the battle.net site is in fact compromised. Either way, I've changed all my passwords today from a different computer just to be safe.

After using an email address that I would associate with most online sites I would subscribe to for bnet registration, I switched it to a second email account that I rarely use for anything.

I still get a LOT of spam and phishing attempts to my old address but have yet to receive a single spam email at the new address over a 4+ year period, across WoW, SC2, and D3. It's actually nice to know that when I do get an email from Blizzard it's actually legit, even though I am still wary of every single one.

Point is, as I'm sure it's been mentioned by others, changing your bnet email/login to a rarely used account is a good way to keep it out of the hands of spammers/phishers.
 
Seems to have died down quite a bit. The last couple of weeks it seemed like a few people a day were getting hacked; now not so much.
 
No authenticator, and don't plan to get one because it doesn't seem they help this matter.

Hoping I don't get hacked! /roll

:eek:

So if you do get hacked, you're not going to rage, right? Just going to make a post saying "aww shucks, guess I should have bought an authenticator?" :D
 
Well few weeks after playing this with the authenticator... I have yet to be hacked. Played in both private and public games. Basically playing it normally.
 
Interestingly enough, I just activated my copy of Diablo III last night around 6pm. Starting around 3am or so I started getting tons of spam from various gold selling sites for Diablo III. I've never gotten these before, and the fact that I registered the game and suddenly started getting the spam really makes me wonder if the battle.net site is in fact compromised. Either way, I've changed all my passwords today from a different computer just to be safe.

Are you talking about the general chat when you first login with the gold spam websites? That's completely normal.

Or are you talking about some gold spam website emailing you directly?
 
Are you talking about the general chat when you first login with the gold spam websites? That's completely normal.

Or are you talking about some gold spam website emailing you directly?

I'm talking about 3 different gold spam websites emailing me directly. The email address I have set up with bnet is only used on 3 sites - Amazon.com, SWTOR, and bnet. It's also from my personal domain and is unlisted, so I don't know where else they may have gotten it from. Especially since I had never received this type of spam at that address before registering Diablo.

*I have an authenticator, so hopefully that'll help reduce my risk profile. But this really makes me question their security practices.
 
Well few weeks after playing this with the authenticator... I have yet to be hacked. Played in both private and public games. Basically playing it normally.

I haven't been hacked since I got one. Someone made fun of me at one point, but joke's on them!
 
Another markeedragon video:

http://www.youtube.com/watch?v=8NUQTATy5dc&t=23m57s - link to the hacking portion

Diablo 3 Gold farmer. User is communicating with a text-to-speech program so "flow" is broken often. Stream from the farmer is included.

In addition, he explains how people are getting hacked.

1. "They do not hack people's computers. The passwords."
When they say they don't hack the computers, do you mean players or Blizzard?
"They hack forums and such, take the same e-mail and password and test it on Blizzard."

2. "It's easy."

3. Uses Facebook and other various websites, even non-Blizzard sites. Tests "combo" lists using PayPal or bank information and then can resell that information. In short, these hackers hack the Blizzard sites and then can sell the other accounts.

4. What about Blizzard, are you able to get anything out of there? "No, Blizzard is bulletproof, logically."

5. Up to a million accounts phished in this way. If only 10% work, it's still a lot of accounts.

6. A lot of these forums that are getting compromised, are they getting compromised over and over again? "Yeah"

Most of the video is about farming. Figured I'd highlight what I heard.
 
Another markeedragon video:

http://www.youtube.com/watch?v=8NUQTATy5dc&t=23m57s - link to the hacking portion

Diablo 3 Gold farmer. User is communicating with a text-to-speech program so "flow" is broken often. Stream from the farmer is included.

In addition, he explains how people are getting hacked.

1. "They do not hack people's computers. The passwords."
When they say they don't hack the computers, do you mean players or Blizzard?
"They hack forums and such, take the same e-mail and password and test it on Blizzard."

2. Specifically mentions certain websites. "It's easy."

3. Uses Facebook and other various websites, even non-Blizzard sites. Tests "combo" lists using PayPal or bank information and then can resell that information. In short, these hackers hack the Blizzard sites and then can sell the other accounts.

4. What about Blizzard, are you able to get anything out of there? "No, Blizzard is bulletproof, logically."

5. Up to a million accounts phished in this way.

6. A lot of these forums that are getting compromised, are they getting compromised over and over again? "Yeah"

Most of the video is about farming. Figured I'd highlight what I heard.

Thanks for the tldw =P
 
I think the single best thing you can do to protect your account:

Set up an email account specifically for this game. Never use it to send mail, but only to receive replies from Blizzard. Also, use a password that is unique to battle.net only, and not some sports website that you happen to be a part of as well. If you play another battle.net game, set up another unique email address and password.

Now... with that being said....

I've read a few pages of this forum but have yet to see any single person mention that any other character besides their main was hacked. Looking at this logically, if the hacker had your log-in credentials.. why would they not take everything from every character on your account? (replies to this one should be amusing :) )

While the authenticator can provide a good deal of protection, I think in the majority of cases people are experiencing, it would have been useless. People that tell you the authenticator is the salvation are sheep just regurgitating what they have read somewhere else.

To theorize as to what is going on...

I suspect that when you 'quit a game' there is a network packet that is sent to kill your session that is being intercepted. The user then spoofs the credentials of the user that has logged off.. effectively becoming that character. They have access to that character and the stash of that character.. but do not have the ability to log off, and switch characters. My main was hacked, but my lvl 40 was not.
 
I've read a few pages of this forum but have yet to see any single person mention that any other character besides their main was hacked. Looking at this logically, if the hacker had your log-in credentials.. why would they not take everything from every character on your account? (replies to this one should be amusing :)

You can safely assume the person doing the actual looting of accounts is probably a lowly paid worker that's given account info to use. They are most likely paid per accounts looted and slowly going through every account is probably less efficient for them than just going to the main character and dumping anything that seems obvious. It's also less likely that non-main characters have the most expensive gear...

For what it's worth, my WoW account (without authenticator) was hacked and used as a gold farming mule for at least two weeks. It was an inactive account for which they somehow gained my login info (probably from one of the forums I frequented....it was a while ago when I was a noob and used identical passwords). At least two weeks where a "hacker" was playing my character, yet only my main char had anything touched. Rest of the toons still had all their gear and loot in bags.

I personally believe Blizzard when they say session spoofing is not possible (mainly since Wireshark seems to support their claims), unless you have proof otherwise?
 
I think the single best thing you can do to protect your account:

Set up an email account specifically for this game. Never use it to send mail, but only to receive replies from Blizzard. Also, use a password that is unique to battle.net only, and not some sports website that you happen to be a part of as well. If you play another battle.net game, set up another unique email address and password.

Agreed.

I've read a few pages of this forum but have yet to see any single person mention that any other character besides their main was hacked. Looking at this logically, if the hacker had your log-in credentials.. why would they not take everything from every character on your account? (replies to this one should be amusing :) )

I would think that it would be time versus gold reward. Gold is stashed regardless of your character and is shared. Most of the time, the gold is stolen and only a few valuable items will be taken.

While the authenticator can provide a good deal of protection, I think in the majority of cases people are experiencing, it would have been useless. People that tell you the authenticator is the salvation are sheep just regurgitating what they have read somewhere else.

I still haven't met anyone, personally as in a friend or family member, who has been hacked with an authenticator.

I suspect that when you 'quit a game' there is a network packet that is sent to kill your session that is being intercepted. The user then spoofs the credentials of the user that has logged off.. effectively becoming that character. They have access to that character and the stash of that character.. but do not have the ability to log off, and switch characters. My main was hacked, but my lvl 40 was not.

If you took Wireshark and used it to listen in on the conversation, you would see a few things:

1) Computer sends data.
2) Data is then hashed.
3) Blizzard servers receive hashed data and have a key to unlock it.
4) User is logged in and playing.
5) Ongoing information is hashed.

If you don't have the proper "key" to unlock the hash, you can't intercept the data. If there was a way to do this, Battle.net accounts wouldn't be the first thing this new breakthrough would be tested on.
 