Battle.net® Account Security & Diablo® III

Posts: 37
Bashiok, the rumors / forum posts that are flying about this issue keep referring to session ID spoofing, a kind of attack that seems to bypass the authenticator safeguards by stealing your session in progress, rather than logging in to your account directly.

I don't pretend to have any expertise with this issue, but could someone at Blizzard do one of the following:

1) Address the rumors that this kind of attack is happening; and
2) Give the playerbase some kind of input or feedback on either what is being done to guard against this or what can be done (on your end or ours) to prevent these kinds of attacks.

Thanks.
I've only played SOLO so I'm not sure where all the claims of "public games" are even relevant.
Posts: 716
I believe that Blizzard has yet to encounter a hacked account that had Authenticator activated ahead of time.

However, my experience leads me to suspect that some sort of central event is at play here. Such as a compromise at Blizzard in which usernames and passwords were stolen (or at least the email usernames), or some sort of phishing spread via the Blizzard forums themselves.

It generally doesn't happen that so many users of a particular service would get compromised in such a short period of time, unless there was some sort of vector targeting that service. A general-purpose spammer with a list of 100,000 random email addresses or Facebook accounts isn't likely to have much success targeting Diablo 3 customers. Somehow the source of the attacks is able to successfully target Diablo 3 players, meaning at the very least they have access to a list of Diablo 3 players' email addresses to send them malware links, or have posted malware links to a Diablo 3 user hub like these forums. Maybe a fake Facebook Diablo 3 app or something?

My guess would be something that spread via the forums, or Twitter, or email, or Facebook, that targeted people interested in Diablo 3 with an invite to a fake D3 beta or something. Or, Blizzard really did mess up and allow a database of email addresses and/or passwords to get compromised. Something like that had to happen, though. There's no way this many accounts would get compromised just from errant spam or drive-by downloads. Some sort of Diablo-specific vector had to be involved.

The length or complexity of your password doesn't mean much. Account takeovers do not occur via brute force these days and hackers aren't likely to spend time trying to guess your password. Your password can be 12345, it isn't going to matter very much. Once a hacker has your password, they can cut and paste "IUFn298r0nalokjo&^5nbsn" just as easily as they can cut and paste "12345" or "password". Doesn't matter.

All of the above are pretty successfully protected against if you use 2-factor (Authenticator). They even offer it via POTS now, so you don't need a dongle or even a fancy smartphone, you can use any old telephone to do it, for free. Blizzard ought to do more to force people to use it and do more to force people to acknowledge the risks if they don't.

Now, maybe there is a session hijacking thing going on. That would be pretty revolutionary to see something that complicated being launched successfully in such high numbers in such a small period of time. So, it's possible, but I highly doubt it... or I highly doubt that something that advanced is the cause of anything more than a tiny fraction of the account takeovers.

tl;dr: something more than just your typical account takeover is going on, it might be Blizzard's fault, but it might not. Either way, so far I doubt that it is affecting people who use Authenticator.


It's not a Bnet issue. Again, looking at statistics, if even just 50% of the reported hacked players used WoW we'd see WoW hacking threads en masse as well.

We're not. In fact, in both the WoW General AND CS forums there is not 1 hacking thread on the first page.

Which means the issue is isolated to D3. After all, both D3 and WoW use the same login credentials. If it was a Bnet issue, we'd see some mass report on the WoW forums by now, this has been going on for over a day and a half.

And I have not seen one person who plays both games, who reported being hacked in D3, saying they were hacked in WoW. Which again, says it's a D3 issue. Since there's no security measure players have access to that differentiates between WoW and D3, it can't be a player security measure, or again we'd see mass WoW reports.
Posts: 311
What I don't understand is all of the caustic replies and trolling aimed towards people who have experienced some form of account compromise.

Blizzard is a big company. They're big boys and girls, they'll be okay. They don't need legions of fans crowding into a thread dedicated to account access issues to insult those who have legitimate concerns. This is coming from somebody who has been pro-D3 since far before release. Saying "lol authenticator" or definitively stating you have the answer to the cause of the hack is pretty silly.

Getting hacked sucks, and regardless of whose fault it is and how it happened, Blizzard has an excellent opportunity to demonstrate good stakeholder management by offering some form of rollback or restitution.

Now, given that this thread was created 18 hours ago, it's safe to say this sudden influx of account hacks reached a certain point worthy of warranting an official response within the last 48 hours. Regardless of whether this is happening through a delayed mass account/password access through visiting an infected 3rd party website, AH bugs, client ID glitches, or for any other reason stated in this thread, the important fact is that the volume and scale of this problem is quite large. Again, this is subject to dispute as evidenced in this thread, but if a sudden influx of account issues happens to the scale of warranting a stickied thread on the issue, you can all but guarantee that the SHTF at Blizzard and this is being sorted out. We all know how tough it can be to get a "blue" response on anything, so it's safe to infer that since a stickied thread was created to address the issue, some kind of threshold was breached and an official response was made.

My hope is that Blizzard is engaging in some form of systemic analysis on the issue and will issue a response when they've determined a greater idea of what's going on. They have an excellent opportunity to demonstrate good stakeholder management by offering restitution simply based on the volume of the problem alone.

Until then, take it easy. No amount of trolling, taking sides or asserting the true cause is going to change the fact that 1. a significant volume of accounts have been compromised and 2. they are currently doing something about it.

FWIW, my account has been hacked, and I'm probably "at fault." Just going to do due diligence on my end and get on the phone. I ain't even mad.
Edited by jarude#1572 on 5/22/2012 3:20 PM PDT
Posts: 22
To those saying contact customer support, trust me, I have already. I've reported in game as well as submitted a ticket containing this information. I simply responded here to let others know what's going on. As far as a keylogger being there for weeks etc, I keep a pretty tight ship, so while I will never completely rule out that there was user error on my part, I will say that I doubt it to be the case.

Others have stated seeing their friends get booted from bnet and someone else taking over and stealing their crap. I am not about to say that those reports are absolutely true, however us ruling those cases out because we're "IT Professionals and know better" is ludicrous. Hackers are damn good, if you think something isn't possible, think again.

As far as my assertion that this is a ridiculous amount of hacked accounts getting reported and others saying that it really isn't, I won't argue the validity of your arguments that key loggers may lie in wait. However according to many reports, accounts are not properly being restored and Blizzard CS seems to be giving a giant FU to everyone with issues. That said, I'm waiting to see how my process ends. Hopefully, I'll have my gold returned to me.

I just feel bad for those who had characters wiped as well. :/
[quote]
Which means the issue is isolated to D3. After all, both D3 and WoW use the same login credentials. If it was a Bnet issue, we'd see some mass report on the WoW forums by now, this has been going on for over a day and a half.
[/quote]

You just hit the nail on the head. This means it is not Client side.
How about next time you release a game don't wait for a couple weeks after release to activate the warden.

just fyi, warden has not been activated yet.
[quote]
To those saying contact customer support, trust me, I have already. I've reported in game as well as submitted a ticket containing this information. I simply responded here to let others know what's going on. As far as a keylogger being there for weeks etc, I keep a pretty tight ship, so while I will never completely rule out that there was user error on my part, I will say that I doubt it to be the case.

Others have stated seeing their friends get booted from bnet and someone else taking over and stealing their crap. I am not about to say that those reports are absolutely true, however us ruling those cases out because we're "IT Professionals and know better" is ludicrous. Hackers are damn good, if you think something isn't possible, think again.

As far as my assertion that this is a ridiculous amount of hacked accounts getting reported and others saying that it really isn't, I won't argue the validity of your arguments that key loggers may lie in wait. However according to many reports, accounts are not properly being restored and Blizzard CS seems to be giving a giant FU to everyone with issues. That said, I'm waiting to see how my process ends. Hopefully, I'll have my gold returned to me.

I just feel bad for those who had characters wiped as well. :/
[/quote]

Yep, my current attitude towards Blizzard right now would be a LOT different if they had rolled back my character when its plain that ALL of my items and gold are gone, rather than effectively saying "logs are clean, !@#$ off".
Posts: 2,535
[quote]
I believe that Blizzard has yet to encounter a hacked account that had Authenticator activated ahead of time.

However, my experience leads me to suspect that some sort of central event is at play here. Such as a compromise at Blizzard in which usernames and passwords were stolen (or at least the email usernames), or some sort of phishing spread via the Blizzard forums themselves.

It generally doesn't happen that so many users of a particular service would get compromised in such a short period of time, unless there was some sort of vector targeting that service. A general-purpose spammer with a list of 100,000 random email addresses or Facebook accounts isn't likely to have much success targeting Diablo 3 customers. Somehow the source of the attacks is able to successfully target Diablo 3 players, meaning at the very least they have access to a list of Diablo 3 players' email addresses to send them malware links, or have posted malware links to a Diablo 3 user hub like these forums. Maybe a fake Facebook Diablo 3 app or something?

My guess would be something that spread via the forums, or Twitter, or email, or Facebook, that targeted people interested in Diablo 3 with an invite to a fake D3 beta or something. Or, Blizzard really did mess up and allow a database of email addresses and/or passwords to get compromised. Something like that had to happen, though. There's no way this many accounts would get compromised just from errant spam or drive-by downloads. Some sort of Diablo-specific vector had to be involved.

The length or complexity of your password doesn't mean much. Account takeovers do not occur via brute force these days and hackers aren't likely to spend time trying to guess your password. Your password can be 12345, it isn't going to matter very much. Once a hacker has your password, they can cut and paste "IUFn298r0nalokjo&^5nbsn" just as easily as they can cut and paste "12345" or "password". Doesn't matter.

All of the above are pretty successfully protected against if you use 2-factor (Authenticator). They even offer it via POTS now, so you don't need a dongle or even a fancy smartphone, you can use any old telephone to do it, for free. Blizzard ought to do more to force people to use it and do more to force people to acknowledge the risks if they don't.

Now, maybe there is a session hijacking thing going on. That would be pretty revolutionary to see something that complicated being launched successfully in such high numbers in such a small period of time. So, it's possible, but I highly doubt it... or I highly doubt that something that advanced is the cause of anything more than a tiny fraction of the account takeovers.

tl;dr: something more than just your typical account takeover is going on, it might be Blizzard's fault, but it might not. Either way, so far I doubt that it is affecting people who use Authenticator, and I doubt that it matters whether your password is complex or simple.

Still tl;dr: Authenticator.
[/quote]

The central event is likely just the new place to login. This happened when the new battle.net system was rolled out and the login was changed from account name/password to email/password.

Before the system was implemented, people were just using their account name and password. Lots of people had checked the "remember account name" box and therefore never actually entered their account name. At some point, these people's computers became infected with a keylogger, but since the player only entered the password, the keylogger never led to them being hacked. It just never got a full set of login information.

Enter battle.net. Account names are no longer valid for logging in, everyone has to use their email now. So literally every single person in the above situation now had to enter their email for the first time in days, weeks, months, or longer. Bam, the keyloggers, which had been hiding for those days, weeks, months, or longer, now recorded the new email login as well as the password and transmitted the information to the hackers. End result: tons and tons of people were hacked all at once.

The Blue OP in this thread alludes to this, saying that this is nothing out of the ordinary, it's the same thing that happens at every game release, aka when there is a new launcher and people have to type a login name that they may have had saved for a long period of time up until that point.

As for other theories, passwords weren't stolen from Blizzard. They're stored in a 1-way hash that destroys the password if you try to unhash it. When you login, a hash is created and compared to the hash they have on file and if they match, you win, but just stealing the hashes won't lead to compromises. Phishing websites and emails are highly likely, and people would be more susceptible to them since they haven't seen too many D3 phishes thus far.

As for your authenticator tl;dr..... /signed /signed /signed /signed /signed /signed /signed /signed
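The post above describes the one-way-hash login check in words; here it is as a worked example, added by the editor and not code from the thread or from Blizzard. The record layout, function names and the choice of PBKDF2-HMAC-SHA256 are this example's own assumptions; the per-user salt and slow derivation are what limit how much use a stolen hash table is to an attacker, which is the real reason "stealing the hashes" is not the same as stealing the passwords.

```python
"""Salted one-way password storage and login verification (added example)."""
import hashlib
import hmac
import os
from typing import NamedTuple, Optional


class PasswordRecord(NamedTuple):
    """What the server keeps on file: a per-user salt, the work factor and
    the derived digest. The password itself is never stored anywhere."""
    salt: bytes
    iterations: int
    digest: bytes


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    # PBKDF2-HMAC-SHA256 is deliberately slow and one-way: there is no
    # "unhash", only guess-and-re-derive, and each guess costs `iterations`
    # HMAC calls.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(password: str, *, iterations: int = 200_000,
             salt: Optional[bytes] = None) -> PasswordRecord:
    """Create the stored record for a new account.

    A fresh random salt per user means two accounts with the same password
    get unrelated digests, so a leaked table cannot be matched by eye or
    with one precomputed lookup. `salt` is overridable only for tests.
    """
    if salt is None:
        salt = os.urandom(16)  # constructed at registration, stored beside the digest
    return PasswordRecord(salt, iterations, derive(password, salt, iterations))


def verify(record: PasswordRecord, attempt: str) -> bool:
    """Login check: re-derive with the stored salt and compare digests.

    compare_digest takes the same time wherever the digests first differ,
    so response timing does not leak how close an attempt was.
    """
    candidate = derive(attempt, record.salt, record.iterations)
    return hmac.compare_digest(candidate, record.digest)


def same_password_different_digests(password: str, iterations: int = 200_000) -> bool:
    """Illustrates the salt's job: identical passwords, different records,
    yet both records still verify the real password."""
    a = register(password, iterations=iterations)
    b = register(password, iterations=iterations)
    return a.digest != b.digest and verify(a, password) and verify(b, password)


if __name__ == "__main__":
    rec = register("correct horse battery staple")      # sample password, constructed
    print("stored digest:", rec.digest.hex())
    print("right password:", verify(rec, "correct horse battery staple"))  # True
    print("wrong password:", verify(rec, "12345"))                         # False
    print("salt separates identical passwords:", same_password_different_digests("12345"))
```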
Posts: 220
If anyone who thinks this is just people being dumb wants to put their money where their mouth is I would be willing to enter into a legal contract with either Blizzard or any forum member whereby I will pay for my computer to be checked by a professional for any malware/keyloggers that could have done this.

If there is then I'm out the money and will officially create a thread on these forums stating I'm an idiot and was hacked.

If there isn't then you owe me double the money I spent to get it checked out (because I'm the one doing all the hassle work and putting my money up front) and you have to create a thread saying you are an idiot and I was not hacked.

Any takers?
[quote]
To those saying contact customer support, trust me, I have already. I've reported in game as well as submitted a ticket containing this information. I simply responded here to let others know what's going on. As far as a keylogger being there for weeks etc, I keep a pretty tight ship, so while I will never completely rule out that there was user error on my part, I will say that I doubt it to be the case.

Others have stated seeing their friends get booted from bnet and someone else taking over and stealing their crap. I am not about to say that those reports are absolutely true, however us ruling those cases out because we're "IT Professionals and know better" is ludicrous. Hackers are damn good, if you think something isn't possible, think again.

As far as my assertion that this is a ridiculous amount of hacked accounts getting reported and others saying that it really isn't, I won't argue the validity of your arguments that key loggers may lie in wait. However according to many reports, accounts are not properly being restored and Blizzard CS seems to be giving a giant FU to everyone with issues. That said, I'm waiting to see how my process ends. Hopefully, I'll have my gold returned to me.

I just feel bad for those who had characters wiped as well. :/
[/quote]

I actually had some random btag add me as a friend last night and put in the join request comment, "buy d3 gold dirt cheap, etc etc" but I just reported it to Blizzard and blocked them. I can only wonder if the people who got hacked whispered the person who sent them the request a bunch of crap and screwed themselves in the process.


No, these kinds of responses are just infuriating. I didn't click a phishing email, I have ONLY solo-ed, I don't play WoW or any other Blizzard game and I work in IT. I'm not a security expert but I'm not a dolt and I'm getting aggravated by everyone pointing fingers at the user over this issue.
One important fact and two resultant situations have to be included in all of these theories guys.

The FACT is...D3 has/will have the RMAH! For the first time there will be an easy and relatively risk free way of fencing ALL this stolen gold.

There have probably been multiple operations running to gather login information on as many bnet accounts as possible since the moment the RMAH was announced.

It is no coincidence that these accounts were not accessed until after business hours the Friday before the RMAH was scheduled to go online... maximum time for all the compromised accounts to do the farming for these scum, and minimum chance of emergency action from Bnet.

So saying it has to be a hole because they were all hacked at once isn't really relevant.

Saying it must be a hole because my computer was shrink wrapped till 30 seconds before I was brutally hacked isn't relevant.

What is relevant is the fact that unless the folks at bnet are hunting down and squashing as many of these cockroaches as possible (and I assume they are), once they open up the RMAH a high percentage and probably billions in stolen gold will flood the market.
Posts: 984
[quote]
05/22/2012 03:24 PM, posted by Czarspeed:
You just hit the nail on the head. This means it is not Client side.
[/quote]

Or it means the hackers gathered info to target D3 specifically and not waste their time trying to sort through which accounts had active WoW accounts attached.

These guys just want to get in and out as quickly as possible, as efficiently as possible.
Posts: 2,535
[quote]
Bashiok, the rumors / forum posts that are flying about this issue keep referring to session ID spoofing, a kind of attack that seems to bypass the authenticator safeguards by stealing your session in progress, rather than logging in to your account directly.

I don't pretend to have any expertise with this issue, but could someone at Blizzard do one of the following:

1) Address the rumors that this kind of attack is happening; and
2) Give the playerbase some kind of input or feedback on either what is being done to guard against this or what can be done (on your end or ours) to prevent these kinds of attacks.

Thanks.
[/quote]

Bashiok directly addressed the rumors in his post here:

[quote]
We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.

If your account has been hacked, please view the [url="http://us.battle.net/d3/en/forum/topic/5149619846?page=1"]previous post[/url] for information on contacting our support department.
[/quote]

I underlined the parts that are relevant to your first question.

This information has been posted and has been linked ad infinitum. Players still choose to ignore it because it's not what they want to hear. Blizzard can say the same information a hundred different times in a hundred different ways and these people will still plug their ears, yell LA LA LA CAN'T HEAR YOU, and ignore anything but their stupid theories.
This topic is locked.