Diablo® III

Battle.net® Account Security & Diablo® III

(Locked)

05/22/2012 12:28 PM Posted by nemo
WELL THIS MORNING I WAKE UP TO FIND MY ACCOUNT PASSWORD CHANGED. AND YES I HAVE AN AUTHENTICATOR ON IT NOW, AND YES I CHANGED THE PASSWORD BEFORE. SOMEHOW IT STILL GOT ACCESSED WITH THE NEW PASSWORD. WHATEVER THEY ARE DOING AN AUTHENTICATOR ISN'T GOING TO SAVE YOU. NO ONE IS SAFE, TILL BLIZZARD FIXES THIS BIG SECURITY PROBLEM.


People would take you more seriously without the childish all caps. Just saying....


What's his BattleTag?


Hmm, I wonder where Slayer went? He still has yet to reply. He probably found out that his brother actually didn't have an authenticator on his account. Regardless, I hope that all is going well with his brother now and that his account is back up and running =)


Not everyone can post from work or maybe he's at school. It took Blizzard forever to make their post from when it was announced to be posted as "soon".

I love how all of the "blizzard is the best, it's impossible for them to be wrong" crowd assumes the guy is lying just because he didn't reply to Bash promptly.

Also the best thing about that quote is bash asked him for his battle tag. I had about 15 people challenge me on the notion that a battle tag cannot be used to identify a player.

http://us.battle.net/d3/en/forum/topic/5149539216

See this thread for more details.
Edited by viscrom#1983 on 5/22/2012 12:32 PM PDT
This thread is unbelievable, no matter what is said the finger is always going to be pointed back at Blizzard. Some (being nice) of the replies here show an incredible amount of ignorance regarding computer security in general, which is not a problem, as a human being you are not expected to have unlimited knowledge, especially if computing is not your thing.

The big issue here is the arrogance and self-entitlement that some of you have regardless of how ignorant you may be towards account security. I am done explaining the same thing every 3 pages, it's driving me bonkers.
Edited by Sammich#1797 on 5/22/2012 12:40 PM PDT
i'm still at work but i suspect that i might have been hacked too. google would not let me login on my phone, getting authentication error. i logged in to google here at work and i got an email that someone from venezuela was trying to login to my account. i just farmed around 200k gold in the last 12 hrs and if my char get rolled back, it will be a hassle. damn these hackers.
Here is the latest response I received from Blizzard related to a different issue. To all those defending Blizzard please read and respond to my questions afterward.

The status of your Customer Support ticket #2637xxx has changed to “Resolved.”

You can view your ticket details or check its status by clicking the link below:
<http://us.battle.net/support/ticket/thread/2637xxx>

If you can’t click the link above, copy and paste the entire URL into your browser.

This is the latest response from Customer Support:
Hello Z,

Thanks for contacting us! Unfortunately, I didn't have the opportunity to speak with you, but I certainly hope everything is going well!

At the time we have a system implemented called Battle.net secure that does what was mentioned on your petition. When an IP changes dramatically the account will be locked, preventing access from exploitative login. The authenticator, which can be downloaded for free, will add extra protection.

Should you require further assistance with this issue, please do not hesitate to resend your petition and we will be happy to review it just as soon as we are able.


Best Regards,

Game Master Korromari
Blizzard Entertainment

This leads me to believe that if my account credentials were garnered either through hack or crack or keylogger, they would still notice the IP address change and lock the account. Also, every time I have ever gone through a password change process it involves receiving an email to confirm you are the owner before allowing the change.

Question 1: How do they gain access to an account when the above mentioned IP address change should protect it?

Question 2: How do they change the password when we know they don't also have access to the email?

Question 3: How do they do it when someone is already logged on?

Question 4: Why is it every one of the threads except this one end up getting deleted or locked? Which also makes me wonder how long before this one is locked.

Question 5: To assume your credentials were garnered client side and were used from another computer would imply #1 above doesn't work (still a Blizzard issue then). Explain how this could be true?

Question 6: Which is more likely given the facts as we know them today: That all of the above preventions don't work and that all of your account info was gathered (including answers to secret questions) or that they are somehow gaining session ids that are already currently authenticated (post authenticator) and using/hijacking that connection to change passwords and add friends and steal items/gold?
This leads me to believe that if my account credentials were garnered either through hack or crack or keylogger, they would still notice the IP address change and lock the account. Also, every time I have ever gone through a password change process it involves receiving an email to confirm you are the owner before allowing the change.


It's very easy to spoof an IP address.
Question 4: Why is it every one of the threads except this one end up getting deleted or locked? Which also makes me wonder how long before this one is locked.


Because there is no reason to have multiple threads regarding one issue.
This thread is unbelievable, no matter what is said the finger is always going to be pointed back at Blizzard. Some (being nice) of the replies here show an incredible amount of ignorance regarding computer security in general, which is not a problem, as a human being you are not expected to have unlimited knowledge, especially if computing is not your thing.

The big issue here is the arrogance and self-entitlement that some of you have regardless of how ignorant you may be towards account security. I am done explaining the same thing every 3 pages, it's driving me bonkers.


You continue to believe everything told to you like a sheep.

So people said it was a keylogger--Yet nobody has been able to find this mythical thing.

Then it was phishing -- Yet plenty of security minded people have their network and computer on lockdown and know all about phishing.

Here is the problem, many people put in a ticket once they were "hacked". The CS reps said that there was no suspicious activity on the account, therefore they would not perform a roll back.

Let us back up and revisit this last sentence.

You have your last known logout time and your last known login time. No other login time between those two points. How then could someone have hacked logon credentials, logged in, stripped the characters, then logout?

Two options here.

One is an exploit.

Two is that there are database issues.
05/22/2012 12:37 PM Posted by Bul
This leads me to believe that if my account credentials were garnered either through hack or crack or keylogger, they would still notice the IP address change and lock the account. Also, every time I have ever gone through a password change process it involves receiving an email to confirm you are the owner before allowing the change.


It's very easy to spoof an IP address.


no, and however if you spoof an IP address the packets will be sent to the real (the original) IP address.
Edited by SirBigmark#2202 on 5/22/2012 12:45 PM PDT
05/22/2012 12:42 PM Posted by Ganelon
You continue to believe everything told to you like a sheep.


Actually I didn't need to be told what was happening here, being the knowledgeable and sane person I am I formed my own opinion. A theory that has proven to be 100% correct so far ( indirectly confirmed by Bashiok in this thread, my reply is directly after his, which leads to a thread on reddit where I explained what was happening HOURS before Bashiok did. http://us.battle.net/d3/en/forum/topic/5149619846?page=32#633 )

The first thing I questioned was the massive amounts of threads popping up saying "battle.net" vulnerability, session spoofing, and so on.

If that's what you call a sheep, I don't see why I should bother with the rest of your reply. Have fun with your conspiracy theory.
Edited by Sammich#1797 on 5/22/2012 12:56 PM PDT
Here is the latest response I received from Blizzard related to a different issue. To all those defending Blizzard please read and respond to my questions afterward.

The status of your Customer Support ticket #2637xxx has changed to “Resolved.”

You can view your ticket details or check its status by clicking the link below:
<http://us.battle.net/support/ticket/thread/2637xxx>

If you can’t click the link above, copy and paste the entire URL into your browser.

This is the latest response from Customer Support:
Hello Z,

Thanks for contacting us! Unfortunately, I didn't have the opportunity to speak with you, but I certainly hope everything is going well!

At the time we have a system implemented called Battle.net secure that does what was mentioned on your petition. When an IP changes dramatically the account will be locked, preventing access from exploitative login. The authenticator, which can be downloaded for free, will add extra protection.

Should you require further assistance with this issue, please do not hesitate to resend your petition and we will be happy to review it just as soon as we are able.


Best Regards,

Game Master Korromari
Blizzard Entertainment

This leads me to believe that if my account credentials were garnered either through hack or crack or keylogger, they would still notice the IP address change and lock the account. Also, every time I have ever gone through a password change process it involves receiving an email to confirm you are the owner before allowing the change.

Question 1: How do they gain access to an account when the above mentioned IP address change should protect it?

Question 2: How do they change the password when we know they don't also have access to the email?

Question 3: How do they do it when someone is already logged on?

Question 4: Why is it every one of the threads except this one end up getting deleted or locked? Which also makes me wonder how long before this one is locked.

Question 5: To assume your credentials were garnered client side and were used from another computer would imply #1 above doesn't work (still a Blizzard issue then). Explain how this could be true?

Question 6: Which is more likely given the facts as we know them today: That all of the above preventions don't work and that all of your account info was gathered (including answers to secret questions) or that they are somehow gaining session ids that are already currently authenticated (post authenticator) and using/hijacking that connection to change passwords and add friends and steal items/gold?
should be a thread of its own


Thanks for posting. If this is true, that's a bummer!
Well, I re-opened the ticket and told them that my stuff is still gone, I don't really care what THEIR definition of "unauthorized access" or "damage" is. If they don't fix it I'm contesting the charges for the game on my credit card. We'll see I guess.
I'm in the same boat as SouCHe. Huge SC2 player and fan of bliz in general but I log in to find all my gear missing? Didn't know security was so bad that I needed an authenticator... My antivirus software is good and I have had no suspicious emails. I'm no troll but between the rocky launch and being hacked, I think people are justified in being a little miffed with Blizzard...
05/22/2012 12:44 PM Posted by SirBigmark


It's very easy to spoof an IP address.


no, and however if you spoof an IP address the packets will be sent to the real (the original) IP address.


No i think it wouldn't be too far off from other hacking methods that shall not be named.
Just got hacked.

Two options here.

One is an exploit.

Two is that there are database issues.

yup, big companies are known for making found exploits and intrusions public immediately....such as MS, sony, nintendo, steam....etc etc.

corporations will keep their intrusions secret just like half the WoW players will keep the hundreds of gigs of Sh*Male p*rn on their pcs secret. don't hang your laundry to dry in the front yard.

it's just funny to me that people are getting their mystical two handed warhammer of cold force shattering stolen and freaking out. Blizzard, don't expect to see my credit card again for a very long time.


Exactly. It will probably all come out eventually but like the PSN debacle, they won't tell the truth unless they absolutely HAVE to.
This topic is locked.
