Diablo 3 accounts hacked

Honestly, have you read the threads on the Diablo III forums? The people are morons.

Welcome to the internet :p

Normally I would agree (it's of course possible that I had a trojan or something), but with the amount of accounts being taken over in the last 48 hours I tend to think something else is going on.
 
Welcome to the internet :p

Normally I would agree (it's of course possible that I had a trojan or something), but with the amount of accounts being taken over in the last 48 hours I tend to think something else is going on.

Indeed, it's too early to know for sure. But I would assume that Blizzard would do an emergency maintenance if it was an exploit issue. But who's to say what it is, time will tell. Based on the threads that I've read on the D3 Forums, it seems that a lot of people are just being keylogged.

Diablo people love using Bots, etc and people love to exploit their gullibility.
 
Don't forget that these folks claiming they were hacked with an authenticator could be using the software app on their rooted/hacked phone that you're explicitly warned not to do. Not only that, there's plenty of unsavory apps out there that want all kinds of ridiculous access to your phone, which people will blindly give up so they can get that free app or game they want. Result? Easily stolen authenticator key... Mystery solved.

Now, for the people using the actual hardware authenticator, it's damn near impossible this key is stolen. I can think of a couple ways this could be stolen, but all of them are a result of the person giving up information they shouldn't have on a website/form, account sharing, or leaving it around and a roommate/friend/ex etc getting it and ripping you off. Even if there was a keylogger on the computer, the only way they could get a valid key would be to immediately log in on their computer before the key expired, which would kick you off and should raise a red flag to you immediately.

Call me skeptical (because I am) but I don't believe the stories.
 
Well Blizzard is aware of the issue: https://us.battle.net/d3/en/forum/topic/5149539239#4

Hopefully a fix is coming out soon.

Based on the number of affected users, this sounds like a feasible explanation of how this is happening.

The reason I say this is because it avoids the need to know victim's password and/or authentication key because they are able to hijack the victim's already authenticated session, and trick the server to thinking the attacker is actually the victim. That would mean there would not be any log of another user logging in their account, which fits with Blizzard's response of not seeing any activity.
 
Don't forget that these folks claiming they were hacked with an authenticator could be using the software app on their rooted/hacked phone that you're explicitly warned not to do. Not only that, there's plenty of unsavory apps out there that want all kinds of ridiculous access to your phone, which people will blindly give up so they can get that free app or game they want. Result? Easily stolen authenticator key... Mystery solved.

Now, for the people using the actual hardware authenticator, it's damn near impossible this key is stolen. I can think of a couple ways this could be stolen, but all of them are a result of the person giving up information they shouldn't have on a website/form, account sharing, or leaving it around and a roommate/friend/ex etc getting it and ripping you off. Even if there was a keylogger on the computer, the only way they could get a valid key would be to immediately log in on their computer before the key expired, which would kick you off and should raise a red flag to you immediately.

Call me skeptical (because I am) but I don't believe the stories.

So you're saying my authenticator (which is not a software app on my phone but the stand alone one on my key chain of which I got when I attended Blizzcon) experience is bullshit :confused:

What would I have to gain by lying about it here? The entire point of talking about my experience is to voice that something in the chain of how Blizzard runs its security for these games, is flawed. How can people who have stand alone authenticators be hacked if the password can only be randomly generated and not "guessed"? Your summation in its origin makes sense but I didn't expose my computer or my phone to keyloggers or trojans or anything of that matter.

I ran "Vanilla" WoW meaning without mods, which let me tell you sucks. Mods make WoW better in so many ways (especially in the early days when WoW lacked tons of interface features and raid tools) and when you are scared to run even the basic level stuff you know millions of people use without issue because you might get your account hacked and finally banned then it destroys the experience.

I've got former guild members who've also been hacked through similar circumstances as I have, with authenticators and clean PCs. Like I said before I don't know how, but something odd is happening and has been for quite some time with Blizzard's security methods. I've got nothing to gain by "lying" about it and somehow slandering Blizzard. They've already got 5+ years worth of sub money from me, expansion money, character transfer fees, character appearance changing fees and finally merchandise I've bought. But if there is a chance that when I buy Diablo 3 I'll have to deal with this all over again then I would rather skip Diablo 3 entirely and play something I know I'll have a very little chance of getting hacked while playing.
 
The authenticators aren't as secure as everyone likes to believe. FFXI used them too. When I lost mine it took about 10 min to find and d/l the exploit to bypass my authenticator then remove it from my account. Yeah I hacked myself :p
 
My level 60 inferno character was hacked last night at 2am while I was playing it. I got kicked out of the game and it said someone else logged into my account. I knew right away I was fucked and tried to switch my password as quickly as possible but was too slow lost everything.

entered a ticket with Blizzard and they said they restored my character but I haven't checked it yet.

I tested out the auction house and bought some stupid 5000 gold 10% gold find belt and 5 minutes later hacked.

I'm not authenticated.....but will be after this even if the security is just an illusion.
 
My level 60 inferno character was hacked last night at 2am while I was playing it. I got kicked out of the game and it said someone else logged into my account. I knew right away I was fucked and tried to switch my password as quickly as possible but was too slow lost everything.

entered a ticket with Blizzard and they said they restored my character but I haven't checked it yet.

I tested out the auction house and bought some stupid 5000 gold 10% gold find belt and 5 minutes later hacked.

I'm not authenticated.....but will be after this even if the security is just an illusion.

that sucks dude. really.

I have an authenticator on and mobile alerts just in case
 
So is Blizzard liable? With real money being able to be stolen at some point you have to wonder what legal shit storm could crop up. Interesting that they sold thousands of these authenticators and now they are worthless? Are they responsible for those too? Refunds? Will they mail you a new version?
 
So is Blizzard liable? With real money being able to be stolen at some point you have to wonder what legal shit storm could crop up. Interesting that they sold thousands of these authenticators and now they are worthless? Are they responsible for those too? Refunds? Will they mail you a new version?

who said authenticators are worthless ? :O

I feel you on the RMAH though.. I'd be stressed out if I got hacked and my bank account was attached
 
My level 60 inferno character was hacked last night at 2am while I was playing it. I got kicked out of the game and it said someone else logged into my account. I knew right away I was fucked and tried to switch my password as quickly as possible but was too slow lost everything.

entered a ticket with Blizzard and they said they restored my character but I haven't checked it yet.

I tested out the auction house and bought some stupid 5000 gold 10% gold find belt and 5 minutes later hacked.

I'm not authenticated.....but will be after this even if the security is just an illusion.

I was using an authenticator and still got hacked. Joined a public game and was kicked out a few minutes later.

Seems to be a server side issue. Authenticator seems to be useless in combating this problem from what I've read so far. Basically, just group with friends or play solo until they resolve the issue.
 
who said authenticators are worthless ? :O

I feel you on the RMAH though.. I'd be stressed out if I got hacked and my bank account was attached

If they can bypass the authenticators, or have cracked the code, well then they are worthless. There are several reports of ppl who had authenticators and were hacked. This raises several questions as to what Blizzard is responsible for. I suspect that they had hack reports early on and this is why they delayed the rmah even further.
 
my retail box copy of D3 is arriving tomorrow from amazon, i think i might send it back... this is retarded.

I feel the same way, and I'm glad I decided to wait a while on buying D3. Now with all the bullshit I've seen over the last week I won't bother getting it at all...lol, what a fiasco.
 
I was using an authenticator and still got hacked. Joined a public game and was kicked out a few minutes later.

Seems to be a server side issue. Authenticator seems to be useless in combating this problem from what I've read so far. Basically, just group with friends or play solo until they resolve the issue.

Unfortunately we're all screwed if the security failure is on the server side. Authenticator or not, there's nothing you can do to prevent it except not join public games or not log in at all. It's an exploit in the game code that allows them to hijack your account while you're logged in. It's a pretty big "oops" on Blizzard's part.

So you're saying my authenticator (which is not a software app on my phone but the stand alone one on my key chain of which I got when I attended Blizzcon) experience is bullshit :confused:

What would I have to gain by lying about it here? The entire point of talking about my experience is to voice that something in the chain of how Blizzard runs its security for these games, is flawed. How can people who have stand alone authenticators be hacked if the password can only be randomly generated and not "guessed"? Your summation in its origin makes sense but I didn't expose my computer or my phone to keyloggers or trojans or anything of that matter.

I ran "Vanilla" WoW meaning without mods, which let me tell you sucks. Mods make WoW better in so many ways (especially in the early days when WoW lacked tons of interface features and raid tools) and when you are scared to run even the basic level stuff you know millions of people use without issue because you might get your account hacked and finally banned then it destroys the experience.

I've got former guild members who've also been hacked through similar circumstances as I have, with authenticators and clean PCs. Like I said before I don't know how, but something odd is happening and has been for quite some time with Blizzard's security methods. I've got nothing to gain by "lying" about it and somehow slandering Blizzard. They've already got 5+ years worth of sub money from me, expansion money, character transfer fees, character appearance changing fees and finally merchandise I've bought. But if there is a chance that when I buy Diablo 3 I'll have to deal with this all over again then I would rather skip Diablo 3 entirely and play something I know I'll have a very little chance of getting hacked while playing.

I'm not saying you're lying. I'm thinking there's probably some other factor that you or I haven't accounted for that's causing your repeated hackings. There just isn't a valid way for someone to hack your authenticator unless they hack into Blizzard's servers and were then able to decrypt that info, and that seems unlikely. Perhaps there's a way to bypass the authenticator, but I haven't heard of it on WoW. Or for instance, if the attacker is able to spoof your IP it may not ask him for the authenticator because the game believes it's you logging in.

I just think if the same situation keeps happening to you over and over that you need to start looking for another source for the problem. Seems really frustrating though. I know I'd be pissed if I took a lot of security measures and something was still allowing access to my account.
 
Is this only occurring while people online, as you say, or are accounts being compromised as well when people are offline? That is a massive security hole if so, what in the hell?
 
that sucks dude. really.

I have an authenticator on and mobile alerts just in case

When my account got hacked 3 times in one week, I broke down and got an authenticator. Then turned on mobile alerts and holy CRAP that went off a lot. I turned it off but I'm about to turn it back on to see if it's still going on. Maybe I'll just request to get my email changed to my other personal email that's pretty sterile.

I'll be picking up D3 soonish, had no interest to get it off the bat, I remember what D2 was like playing on battle.net and the problems they were having during the first few weeks.
 
Just got home and logged in lost about a day.......a ton of good gear. Went from Inferno act 2 to Hell Final Act.....so about 10 hours or so and all my inferno loot.

When I got hacked I was playing alone and I have never played a public game I only play with my friends. I got hacked because I bought something in the auction house or I was just that unlucky.
 
I do not think Blizzard is @ fault here. I would say that 90% of the people had their information stolen due to the types of sites they visit and that's not even safe anymore with the recent ad hacking events.

Hell, I had a hotmail ad banner try to inject a trojan keylogger that MSE and MalwareBytes Pro both caught, once... let's just say I tend to run noscript (and adblock plus on a good number of sites) nowadays on just about everything :eek: . While safe browsing habits are still of course extremely important, so are making sure you're blocking off things that could infect you and having proper protections in place.
 
Just got home and logged in lost about a day.......a ton of good gear. Went from Inferno act 2 to Hell Final Act.....so about 10 hours or so and all my inferno loot.

When I got hacked I was playing alone and I have never played a public game I only play with my friends. I got hacked because I bought something in the auction house or I was just that unlucky.

is there a correlation with auction house purchases and getting hacked?
 
is there a correlation with auction house purchases and getting hacked?

I have a feeling it's an indicator these hackers use to select profiles. Maybe they can track your stream from a simple purchase, that could be how they set a target.
 
is there a correlation with auction house purchases and getting hacked?

Nope, it's just random or user fault. I've used the AH a ton, mostly to sell shit and have accumulated quite a bit of gold but my account is fine. Don't have an authenticator either.
 
LOL it's not surprising that people are getting hacked... ATM Diablo 3 passwords are not even case sensitive. I saw a comment about it and I went and changed my password and sure enough capital letters in a password mean NOTHING. Since when has having a password not register capital letters been acceptable for ANY site?!?!?!?!?!?!?
 
Adding symbols and capital letters does almost nothing for the security of your password. The best way to have a secure password is by making it longer.
 
Considering that a capital letter is different than a non capital letter it does in fact add more complexity rather than needing just 26 letters you now have 52 letters... Sorry but case sensitivity is fairly important to password security...... If you have a ten digit password and only use one of 26 characters it is far less secure than the same ten digit password with 52 possible characters. Also making something longer password wise does not make it necessarily stronger...

Which would be harder to guess / EaIoUaLmNaHsadHre / OR / ealoualmnahsadhre /... Pretty sure it's the first one that would be harder to guess.
 
Well Blizzard is aware of the issue: https://us.battle.net/d3/en/forum/topic/5149539239#4

Hopefully a fix is coming out soon.

THIS is how accounts are being hijacked (or something very close to it). It's got nothing to do with poor password practices, and authenticators will not protect you. There are malicious users grabbing your authenticated session IDs from games, and using that to access your account without needing to log in. This is a seriously amateurish mistake and a major cock up on Blizzard's part.
 
If you wanted a 4 character password and just used lower case letters and numbers 0-9 you would have 36^4=36*36*36*36 OR 1,679,616 combinations.
If you were to include both lower and upper case characters and numbers 0-9, the number of possible combinations goes up to 14,776,336 (62^4).
Start adding in all the special characters on the keyboard and you start rapidly expanding the number of possible combinations and that's just a 4 character password.

For grins a ten character password only using small letters and numbers is 3,656,158,440,062,976 combinations same password with uppercase letters too is 8.3929936586834e+17..... Sure looks to me like adding the extra uppercase letters sure as heck added a lot of complexity to the passwords........
 
This is a seriously amateurish mistake and a major cock up on Blizzard's part.


LOL I still contend not having case sensitive passwords is even more amateurish and an even worse cock up as you put it... I mean come on since when have passwords not been case sensitive on any decent website?!?!?!
 
I don't know what to say really. Concerned more about RMAH being blasted wide open, it'll basically be Bitcoin 2.0 if this shit keeps up.
 
"Be aware that there are restrictions on the number of rollbacks available - it seems to be two based on answers to submitted tickets - and that being hacked more than once will cause your account to be banned permanently from using the soon-to-be-released real money auction house. "....lol. Even if it's not the fault of the user?

They have a similar warning in WoW about hacked accounts. But my account has been hacked 4 times before, 3 without authenticator 1 with, and each time my account was restored. Think 1 character was restored 3 times. Not a huge deal IMO.

When my account was hacked with the authenticator they said that "I" had sent them something about removing it and when it was removed my account was hacked. Kind of a piece of shit, but still safer than without having it, and hey, it was free for me.
 
If you wanted a 4 character password and just used lower case letters and numbers 0-9 you would have 36^4=36*36*36*36 OR 1,679,616 combinations.
If you were to include both lower and upper case characters and numbers 0-9, the number of possible combinations goes up to 14,776,336 (62^4).
Start adding in all the special characters on the keyboard and you start rapidly expanding the number of possible combinations and that's just a 4 character password.

For grins a ten character password only using small letters and numbers is 3,656,158,440,062,976 combinations same password with uppercase letters too is 8.3929936586834e+17..... Sure looks to me like adding the extra uppercase letters sure as heck added a lot of complexity to the passwords........

It does raise the number of combinations.
However, that's for a brute force attack. You really think they are hitting Blizzard's login servers thousands of times a second for each account?
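
Added example, not part of any post in this thread: the keyspace figures quoted above, extended to show what case folding, extra length, and the guess rate each do to them. The two guess rates and all function names are assumptions chosen for illustration, not measurements of any real service.

```python
"""Keyspace arithmetic for the case-sensitivity vs. length debate (added example)."""

SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes used in the thread: lower case + digits, and mixed case + digits.
LOWER_DIGITS = 26 + 10          # 36
MIXED_DIGITS = 26 + 26 + 10     # 62

# Assumed guess rates (hypothetical, for comparison only).
ONLINE_THROTTLED = 1.0          # guesses/second against a rate-limited login server
OFFLINE_CRACKING = 1e10         # guesses/second against a stolen password hash


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def case_variants(password: str) -> int:
    """How many differently-cased strings a case-insensitive check would
    accept as this one password (two choices per alphabetic character)."""
    letters = sum(1 for ch in password if ch.isalpha())
    return 2 ** letters


def min_length_to_match(alphabet_size: int, target_space: int) -> int:
    """Shortest length at which `alphabet_size` reaches `target_space`."""
    length = 0
    while alphabet_size ** length < target_space:
        length += 1
    return length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password in `space`."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def report() -> list:
    """Rows of (label, keyspace, years online, years offline)."""
    cases = [
        ("10 chars, lower+digits (case folded)", keyspace(LOWER_DIGITS, 10)),
        ("10 chars, mixed case+digits", keyspace(MIXED_DIGITS, 10)),
        ("12 chars, lower+digits (case folded)", keyspace(LOWER_DIGITS, 12)),
        ("16 chars, lower+digits (case folded)", keyspace(LOWER_DIGITS, 16)),
    ]
    return [
        (label, space,
         years_to_exhaust(space, ONLINE_THROTTLED),
         years_to_exhaust(space, OFFLINE_CRACKING))
        for label, space in cases
    ]


if __name__ == "__main__":
    for label, space, online, offline in report():
        print(f"{label:40s} {space:.3e}  online {online:.2e} y  offline {offline:.2e} y")
    # Two extra lower-case characters outweigh adding upper case at length 10.
    print("length needed at 36 symbols to match 62^10:",
          min_length_to_match(LOWER_DIGITS, keyspace(MIXED_DIGITS, 10)))
    # Variants of the mixed-case password from the thread that collapse to one.
    print("case variants folded together:", case_variants("EaIoUaLmNaHsadHre"))
```

Under these assumed rates, case folding matters mainly when password hashes can be attacked offline; against a throttled login server even the folded 10-character space is out of reach, which is the point the reply above makes.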
 
I wonder if Blizzard's eco system could be covered by the Anti Money Laundering and Terror Financing laws in place in most developed countries. Those laws require banks to have very strict security policy and perform customer risk evaluations.

I wonder how much online games like WoW and others are used for funding gangs, drug manufacturers, fraudsters, and for general money laundering.
 
my retail box copy of D3 is arriving tomorrow from amazon, i think i might send it back... this is retarded.

I returned mine to BB tonight. I'll wait this out and see how things turn out.
 
I returned mine to BB tonight. I'll wait this out and see how things turn out.

I'm wishing I hadn't even ordered it... bought it from Blizzard directly and haven't really even played it at all yet (all of 10-15 minutes). :( This sounds like a major screw-up. I'm going to try for a refund, can't hurt... not thinking I even want to play it with all the issues cropping up!
 
We'll know there's something wrong with Diablo 3 itself if my account gets compromised. I run on a very minimalist and isolated environment and have been for the past 10 years.
 
Guess I'm lucky so far. Only been playing the starter edition levelling up to 13 with each character type.

Will be buying full version this week when I get paid.

So from what I have observed I'm gonna have to take security seriously with this thing.

I have already changed pass to the max 16 chars, with random numbers, letters and symbols.

I have attached SMS alerts, email alerts, and the Android authenticator (though I may change this to a device).

I am going to stay away from public games, and the auction house. (I wish I could delete the 'recently played' list too, or at least block people, or have people expire after 24 hours or something).

I am going to get my AV to scan my computer each day before I log into Diablo. I am going to beef up my firewall, create a separate 'clean' install for Diablo 3, not download anything in my 'clean' install, never touch bots or any other dodgy stuff. I will not browse the internet on my clean install too in case of drive by hacks.

If I still get hacked I am going to take my game back to the store for a refund.
 
Guess I'm lucky so far. Only been playing the starter edition levelling up to 13 with each character type.

Will be buying full version this week when I get paid.

So from what I have observed I'm gonna have to take security seriously with this thing.

I have already changed pass to the max 16 chars, with random numbers, letters and symbols.

I have attached SMS alerts, email alerts, and the Android authenticator (though I may change this to a device).

I am going to stay away from public games, and the auction house. (I wish I could delete the 'recently played' list too, or at least block people, or have people expire after 24 hours or something).

I am going to get my AV to scan my computer each day before I log into Diablo. I am going to beef up my firewall, create a separate 'clean' install for Diablo 3, not download anything in my 'clean' install, never touch bots or any other dodgy stuff. I will not browse the internet on my clean install too in case of drive by hacks.

If I still get hacked I am going to take my game back to the store for a refund.


Your paranoia is on an epic scale. Don't bother, just don't play. Problem solved there.
 
Your paranoia is on an epic scale. Don't bother, just don't play. Problem solved there.

Yeah... after playing the starter edition I *really* want to keep playing, but I don't want to get hacked.

Perhaps I will just wait until they fix their servers and stop the hacking before I buy it.

I still have 3 classes left to level up, and a few achievs before I 100% the starter edition.
 
LOL I still contend not having case sensitive passwords is even more amateurish and an even worse cock up as you put it... I mean come on since when have passwords not been case sensitive on any decent website?!?!?!

Who cares about case sensitive passwords, this isn't the 90's, brute forcing passwords is old hat and no longer relevant in this context. People now use keyloggers and various automated methods to hijack accounts.
 