Diablo® III

Where is your Authenticator now?

Have Diablo 3 accounts already been compromised?

A quick glance on the Diablo 3 forums reveals that Saturday afternoon, dozens of players logged into their characters to find nearly all of their items stripped away between Friday Night and Saturday morning. Some are even claiming to have been using Blizzard Account Authenticators. While most “victimized” players have submitted tickets and had quick responses, even rollbacks at players’ requests, others have waited over 24 hours with no response at all. Several players are reporting names on their “Recently Played With” list that they don’t recognize, with others reporting names on their “Friends” list that they didn’t add. Below are just a few of the examples:

Original Topic:
http://us.battle.net/d3/en/forum/topic/5149008104
(Topic is full)

Secondary Topic:
http://us.battle.net/d3/en/forum/topic/5149008518

Others:
http://us.battle.net/d3/en/forum/topic/5149178429
http://us.battle.net/d3/en/forum/topic/5150108566
http://us.battle.net/d3/en/forum/topic/5151718112
http://us.battle.net/d3/en/forum/topic/5149178166
http://us.battle.net/d3/en/forum/topic/5151717968
http://us.battle.net/d3/en/forum/topic/5150108566

Still others:
http://us.battle.net/d3/en/search?q=hacked&f=post&forum=3354739
(Search for "Hacked" in the General Discussion Forum)

http://us.battle.net/d3/en/search?q=hacked&f=post&forum=5386227
(Search for "Hacked" in the Technical Support Forum)

This issue has put a lot of players on standstill, with several losing motivation to continue playing just one week after the release. With Blizzard’s weekend support team requesting people submit tickets, a wide array of disappointed but eager gamers hold their breath for Blizzard’s weekday crew to come with answers. One thing's for sure, most of the reported incidences are the same - "I was playing Friday night, logged in Saturday, and most or all my stuff was gone... There's someone on my 'Recently Played With' list that I don't recognize. I submitted a ticket. Still Waiting/They Rolled Me Back/They Said I wasn't hacked"

When the weekday Blizzard Support staff comes in on Monday, they're going to have their hands full. Until then, players like myself will be counting down the hours til answers are finally provided.
Reply Quote
60 Worgen Hunter
420
Dozens? Out of millions! It's an epidemic!
Reply Quote
05/20/2012 11:24 AM Posted by Legend
Some are even claiming to have been using Blizzard Account Authenticators.


"Claiming" being the keyword, and most of those who have been hacked openly admit they weren't using one. Blizzard has provided the tools to prevent hacking, don't blame them if you refuse to take advantage of them.

If you have an authenticator and you're still getting hacked it's probably not by strangers out on the internets, but rather by someone in your house who has access to your authenticator too. Brothers, friends, roommates... etc.
Reply Quote
05/20/2012 11:34 AM Posted by DeadPan
Some are even claiming to have been using Blizzard Account Authenticators.


"Claiming" being the keyword, and most of those who have been hacked openly admit they weren't using one. Blizzard has provided the tools to prevent hacking, don't blame them if you refuse to take advantage of them.

If you have an authenticator and you're still getting hacked it's probably not by strangers out on the internets, but rather by someone in your house who has access to your authenticator too. Brothers, friends, roommates... etc.


^^^ This.
Reply Quote
Not sure why this dude's post was reported, it's actually really accurate. If you were compromised over the weekend you've probably been following all of the threads (there's over 60 pages now across a couple of threads).

His list of threads is a good resource to familiarize yourself with the issue.
Reply Quote
The pains of online gaming.

Learn 2 protect yourselves.
Reply Quote
I have an authenticator on my account, yet I have never had to provide my authenticator key when I log into Diablo. So it is possible that they had authenticators and still had their accounts accessed by an outside party.
Reply Quote
05/20/2012 11:37 AM Posted by CthulhuDawn


"Claiming" being the keyword, and most of those who have been hacked openly admit they weren't using one. Blizzard has provided the tools to prevent hacking, don't blame them if you refuse to take advantage of them.

If you have an authenticator and you're still getting hacked it's probably not by strangers out on the internets, but rather by someone in your house who has access to your authenticator too. Brothers, friends, roommates... etc.


^^^ This.


And when your Authenticator is a cell phone with a lock on it? Or when the people you live with are completely ignorant on using a computer, much less playing a game or using multiple devices to authenticate? Where's your logic on that?

I admit I did not have an authenticator, I have since added one. However, I do not give out my email address, all my personal friends have added me using my battletag and my previous password was pretty damn beefy.

I also have no viruses, I have fallen for no phishing attempts, and in fact use the computer I've installed Diablo 3 on strictly for Diablo 3.
Reply Quote
I have an authenticator on my account, yet I have never had to provide my authenticator key when I log into Diablo. So it is possible that they had authenticators and still had their accounts accessed by an outside party


You may want to check that. It sounds like it's not linked properly or you do not have it set to authenticate on every login. I have to provide mine every login.
Reply Quote
I have an authenticator on my account, yet I have never had to provide my authenticator key when I log into Diablo. So it is possible that they had authenticators and still had their accounts accessed by an outside party.


Authenticators track the IP addresses we use to login, and will require authentication if logging in from a new location. Go over to your friend's house and try logging in there, then it will ask for authentication.
Reply Quote
I didn't have one previous to this incident. It is on there now, and linked properly and set to every time, thanks. You guys are definitely right, I see how the authenticator would help (the subject to this thread is facetious).

However, with a password as mine was, I really thought it unnecessary. I do IT security work, I'm well aware of the importance of a strong password and all password checkers at account-creation time have rated my passwords at "very strong". I'm disappointed in myself for this one, but frustrated with Blizzard for this occurring en masse four days after launch.
Edited by Legend#1795 on 5/20/2012 11:54 AM PDT
Reply Quote
Authenticators only work if you set your account to require the authenticator on every login.

The authenticators are based on the same premise as RSA SecurID tokens, which are generally a secure form of providing 2 factor authentication for people.

Get a grip.
Reply Quote
85 Blood Elf Priest
10925


^^^ This.


And when your Authenticator is a cell phone with a lock on it? Or when the people you live with are completely ignorant on using a computer, much less playing a game or using multiple devices to authenticate? Where's your logic on that?

I admit I did not have an authenticator, I have since added one. However, I do not give out my email address, all my personal friends have added me using my battletag and my previous password was pretty damn beefy.

I also have no viruses, I have fallen for no phishing attempts, and in fact use the computer I've installed Diablo 3 on strictly for Diablo 3.


Just because your antivirus software didn't find any malware, that doesn't mean you don't have any malware. Everyone, unless you aren't connected to the internet, has some sort of malware on your computer. I can almost guarantee that. It's naive to think otherwise.

As for not giving out your email. Have you signed up to anything with it? Anything at all? Even the most benign of things can give your password away to God knows who. I use a separate email for Wowhead. Why? Because I don't trust them to keep my email a secret. My B.net email is exclusive to B.net. I literally do not use it for anything else. Even that may not make me entirely safe, though. What if one of my friends has a keylogger? If I give them my email, when they go to type it into their client to add me to their friends list, that keylogger, on their computer, now has my email address.

You're not entirely safe. Ever. However, an authenticator is the best protection you can get. It can still be circumvented, don't get me wrong, but it is the most powerful protection available.

Authenticators only work if you set your account to require the authenticator on every login.

The authenticators are based on the same premise as RSA SecurID tokens, which are generally a secure form of providing 2 factor authentication for people.

Get a grip.


Blizzard would not have implemented the system they did if it were not safe. If anything is even remotely different about your login location, it will ask for your authenticator again. Hell, there was once where I was having problems with my wired internet so I swapped over to my wireless and it asked for my authenticator again, just like that. Besides, for security purposes, you should never be logging into the game on any computer other than your own anyway. I would never in a million years log into even my closest friends' PCs. I have no idea what kind of crap they could have. The only computer I know enough to trust is my own, and even it might not be safe.
Edited by Bloodhawk#1896 on 5/20/2012 11:59 AM PDT
Reply Quote
Blizzard should consider adding a dial-in PIN system to the log-in screen. Many online games use these now. Basically it's like a phone pad on the screen and you'll have a 4 digit number that you need to use to log in. You would have to click on the number buttons, not type in the numbers (no keylogging) and the positions of the numbers are randomly placed, so mouse tracking would still have a hard time figuring out your PIN.

It would be opt-in of course though so those who didn't want the hassle wouldn't need it

(PS I do have an Authenticator, just saying this option might go a long way in preventing hacks from people who don't have them)
Reply Quote
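The randomized on-screen PIN pad proposed in the post above, sketched server-side as an added example (not part of the thread and not Blizzard's code); the class and function names, the sample PIN and the two fixed layouts are assumptions constructed for illustration. It shows that click positions recorded in one session decode to a different PIN when the pad is reshuffled for the next one.

```python
import hmac
import secrets

DIGITS = "0123456789"


class PinPadSession:
    """One login attempt: a freshly shuffled keypad, valid for a single use."""

    def __init__(self, layout=None):
        if layout is None:
            cells = list(DIGITS)
            secrets.SystemRandom().shuffle(cells)   # unpredictable per session
        else:
            cells = list(layout)                    # fixed layout, demo only
            if sorted(cells) != list(DIGITS):
                raise ValueError("layout must be a permutation of 0-9")
        self.layout = cells     # layout[i] = digit drawn at screen position i
        self.used = False

    def render(self):
        """Digit labels in position order, as the client would draw them."""
        return list(self.layout)

    def verify(self, clicked_positions, stored_pin):
        """Map clicked positions back to digits; a session cannot be reused."""
        if self.used:
            return False
        self.used = True
        if any(not 0 <= p < len(self.layout) for p in clicked_positions):
            return False
        entered = "".join(self.layout[p] for p in clicked_positions)
        # Plain-text PIN for brevity; a real service would compare a salted hash.
        return hmac.compare_digest(entered, stored_pin)


def clicks_for(session, pin):
    """An honest user clicks wherever each PIN digit is currently drawn."""
    shown = session.render()
    return [shown.index(d) for d in pin]


def demo():
    pin = "4821"                                    # constructed sample PIN
    first = PinPadSession(layout="7301985264")      # constructed layout
    clicks = clicks_for(first, pin)                 # all a pointer log contains
    accepted = first.verify(clicks, pin)
    second = PinPadSession(layout="2468013579")     # next login, new layout
    replay_accepted = second.verify(clicks, pin)    # same positions, wrong digits
    return clicks, accepted, replay_accepted
```

The scheme only covers keystroke and pointer-position capture: the PIN is still a static secret, so it complements an authenticator rather than replacing one.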
I have an authenticator as well, however unlike SC2 diablo only asks me to authenticate once every time I change computer. Anyone else's doing this?

edit: n/m read the rest of the thread ;(
Edited by Laurence#6727 on 5/20/2012 11:57 AM PDT
Reply Quote
you mean people of questionable morals are attempting to steal game accounts that could possibly net them real money in a future patch??

FASCINATING.
Reply Quote
I have an authenticator as well, however unlike SC2 diablo only asks me to authenticate once every time I change computer. Anyone else's doing this?

edit: n/m read the rest of the thread ;(


Apparently you now need to set that up in security settings, which wasn't the case for WoW or SC2.
Reply Quote
It should also be noted that "dozens" vastly undersells the problem. Hundreds are known to have the problem, and likely thousands actually are affected.
Reply Quote
85 Blood Elf Priest
10925
Blizzard should consider adding a dial-in PIN system to the log-in screen. Many online games use these now. Basically it's like a phone pad on the screen and you'll have a 4 digit number that you need to use to log in. You would have to click on the number buttons, not type in the numbers (no keylogging) and the positions of the numbers are randomly placed, so mouse tracking would still have a hard time figuring out your PIN.

It would be opt-in of course though so those who didn't want the hassle wouldn't need it

(PS I do have an Authenticator, just saying this option might go a long way in preventing hacks from people who don't have them)


Any good antivirus program has such a keypad. I know Kaspersky does.
Reply Quote
