Diablo® III

I thought Blizzard security is good, no httpS

I had an insanely hard to guess password, I doubt they hacked thousands of users with just an email list. That MAY BE one of the loopholes, but why then did Blizzard reply to my ticket saying no other IP was ever on my account? If it was just a bruteforce + email list, wouldn't they have seen the person log in at least?


According to that website someone posted, it would be a couple years for someone to brute my password.
Reply Quote
I had an insanely hard to guess password, I doubt they hacked thousands of users with just an email list. That MAY BE one of the loopholes, but why then did Blizzard reply to my ticket saying no other IP was ever on my account? If it was just a bruteforce + email list, wouldn't they have seen the person log in at least?


According to that website someone posted, it would be a couple years for someone to brute my password.
You may be a unique circumstance? I don't think anyone here is saying all the hacks were because of this loophole, there are still bound to be a few keyloggers and a few trojans. All I can do is throw theories around, but trojan/virus, perhaps they got remote access to your PC, session hack, who knows. Your gf hates you? I'm sorry you got hacked though, and I hope you get your stuff back soon.
Edited by WhiteRaven#1438 on 5/23/2012 10:42 AM PDT
Reply Quote
Just a theory, but is it possible that they are getting people's battletags through the forums when people edit their posts? It shows your full battletag when you do that. From there, can't you just directly add them as a friend and join their game even if it's closed?

I also saw an issue a few days ago where a bunch of people couldn't sign into the game because it thought they were already signed in. Something about joining a public game and leaving, but other people are in that public game so it stays open, and Battle.net thinks you're still connected to it.

If that's the case, I would avoid public games altogether until this is fixed, and avoid using your D3 avatar or editing posts on the forums, which will expose your full battletag. And keep a close eye on your friends list as well.

P.S. I am just brainstorming here and could be completely wrong.
Reply Quote
I was about to edit my post, but just realized it would expose my battletag. I wanted to add that if they can get your battletag on the forums, they can then directly add you as a friend and join your game regardless of whether it's open to the public or not. Maybe there's a way they can sniff some kind of identifier in that game and spoof it so the server thinks you are that person and it resumes sending commands to you instead of them and they are disconnected.
Reply Quote
You can see a battletag just by clicking on their name, so not editing doesn't really matter, as anyone and everyone has access to it.
Reply Quote
05/23/2012 11:05 AM Posted by Ryu
You can see a battletag just by clicking on their name, so not editing doesn't really matter, as anyone and everyone has access to it.


Thanks for the clarification, as you can see I don't have many friends.
Reply Quote
Yeah, if it's a security breach with battletags we are all, pretty much, already screwed. If I knew it showed my battletag, I'd have posted on a WoW alt or something. I don't even like my WoW character name out, but too late now.
Reply Quote
Well, let's say they have your e-mail and password. They could be poking around profiles using the battletags of posters in game and then if they look ripe for the picking they match the btag to the e-mail.

That might be a little better for profitability if someone posts they are deep in Inferno, they might have millions of gold. They might need to compromise 100 random accounts (blindly using their e-mail with no btag) to make that big of a score.

It's a nonsensical disaster to ever have anything that could be related to your login or character be exposed on public forums. Even horrible F2P games that are published by horrible publishers use completely different forum names. Impossible to trace back to their game unless an actual exploit is used to link the 2.
Edited by viscrom#1983 on 5/23/2012 11:20 AM PDT
Reply Quote
That might've gotten a bit tinfoil hatty, but it would be who I'd target... anyone well into Nightmare and beyond. But couldn't you just look at achievements? Is there a way to look at player achievements in Diablo? Might be easier pickings through achievements.

Edit: Yeah I should use my SC2 battletag, I never play SC2 anymore... I loved SC1, but different time back then... Did not enjoy SC2 as much, too much micro management, and it seems a lot of work to me.
Edited by WhiteRaven#1438 on 5/23/2012 11:22 AM PDT
Reply Quote
SC2 avatars are not safe. Go look at posts I have edited. Of course it lists my D3 btag when I edit a post. What else would I expect from Blizzard.

The only ones who are safe are WoW posters and it's funny because I wrote a huge post on how btags on the website are a key / possible component to compromising accounts and it was like 5 pages of people trolling me before it got buried 2 days ago.
Edited by viscrom#1983 on 5/23/2012 11:26 AM PDT
Reply Quote
05/23/2012 11:23 AM Posted by fremd
SC2 avatars are not safe. Go look at posts I have edited. Of course it lists my D3 btag when I edit a post. What else would I expect from Blizzard.
I was teasing you when I said it. That's why I said it. =P

Yeah I wish it didn't show battletags, who knows who added me now... it's so easy to add people with battle tags I love it, but you think they'd be hidden... If I want to give it out, I will.
Reply Quote
05/23/2012 11:26 AM Posted by WhiteRaven
SC2 avatars are not safe. Go look at posts I have edited. Of course it lists my D3 btag when I edit a post. What else would I expect from Blizzard.
I was teasing you when I said it. That's why I said it. =P

Yeah I wish it didn't show battletags, who knows who added me now... it's so easy to add people with battle tags I love it, but you think they'd be hidden... If I want to give it out, I will.


That's how I feel too. If I want to give it out I will.

Why would I want random people who I've never played with, or who don't even know me, messaging me in game?

99% of the time they are going to be harassing/spamming you or trying to phish you.
Reply Quote
That's how I feel too. If I want to give it out I will.

Why would I want random people who I've never played with, or who don't even know me, messaging me in game?

99% of the time they are going to be harassing/spamming you or trying to phish you.
Oh dear god and no addons with D3... so no badboy to filter my whispers... *sobs softly*
Reply Quote
meanwhile, the main thread about it has been going on for several pages now saying "Blizzard might be blocking brute force attacks". Any word on that, Fremd?
Reply Quote
I would say wait and see what Glides and MVP have to say. I trust them over a random general discussion poster who says "might be blocking".

What are his credentials? Did he test it first hand? If so, why did he write "might". Surely if he tried it first hand he would have an answer.

In other words it's likely a typical mutant fanboy spreading misinformation.
Reply Quote
Yeah... what's scary? sent this round to RPS (Nathan Grayson), and just now, Forbes (Erik Kain)... de nada from them... the main story running? Diablo 3 sells boodles. Which yes, is newsworthy, but...
Reply Quote
I searched for HTTPS and found nothing.. so posted a new thread about it.

https://*.battle.net should be the default.
Reply Quote
That's not the main issue right now, Dropzone. The main issue is that there's no real password lockout (some post claims a CS fed them the Activision line about "It's a one time buy, so we're less concerned about security", but I'd need confirmation of that before anything is done), IP spoofing is currently possible (which may have led to the cases where CS are saying "Nope, nobody accessed your account"), and the only real protection is their auth keys, which, if you don't have an iPhone or something, are an expensive proposition.
Reply Quote
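Added example, not code from this thread or from Blizzard: the two server-side counters that the "no real password lockout" complaint above and the harvested-e-mail-list worry earlier in the thread call for, run over a constructed sample of login events. The IP addresses, e-mail addresses and thresholds are all assumptions made up for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real Battle.net logs):
# (timestamp, source IP, account e-mail, login succeeded?)
T0 = datetime(2012, 5, 23, 11, 0)
EVENTS = (
    # one address hammering a single account: the classic brute force
    [(T0 + timedelta(seconds=10 * i), "198.51.100.7", "alice@example.com", False)
     for i in range(8)]
    # one address trying one guess against many accounts: what a harvested
    # e-mail list looks like from the server side
    + [(T0 + timedelta(seconds=3 * i), "203.0.113.9", f"user{i}@example.com", False)
       for i in range(25)]
    # the account owner logging in normally later from their usual address
    + [(T0 + timedelta(minutes=30), "192.0.2.20", "alice@example.com", True)]
)

def bruteforced_accounts(events, max_failures=5, window=timedelta(minutes=10)):
    """Accounts with >= max_failures failed logins inside any `window` span:
    the per-account counter a lockout policy would key on."""
    flagged, recent = set(), defaultdict(deque)
    for ts, _ip, account, ok in sorted(events):
        if ok:
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(account)
    return flagged

def spraying_ips(events, min_accounts=20, window=timedelta(minutes=10)):
    """Source IPs whose failures touch >= min_accounts distinct accounts inside
    `window`. A per-account lockout never fires on this pattern (each account
    sees one failure), so it needs its own per-source counter."""
    flagged, recent = set(), defaultdict(deque)
    for ts, ip, account, ok in sorted(events):
        if ok:
            continue
        q = recent[ip]
        q.append((ts, account))
        while ts - q[0][0] > window:
            q.popleft()
        if len({acct for _, acct in q}) >= min_accounts:
            flagged.add(ip)
    return flagged
```

On the sample, only the hammered account and only the spraying address are flagged; the owner's later successful login from a different address is not counted against anything.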
05/23/2012 12:27 PM Posted by ReviewerJay
, are an expensive proposition.


$9 is not expensive
Reply Quote
I noticed the gamertag being posted in edits, definitely not good on a forum.

I also posted in another thread that the incidence and frequency of reports does seem to point to some sort of email enumeration, though I had no knowledge of one.

However, I don't think that brute force is involved here. Sure, it's possible. But account takeovers, especially ones performed by a group looking to steal D3 gold, are almost certainly going to be stolen passwords (phished, keylogged), not brute-forced ones. You can cut and paste 'aBcDeF' just as easily as you can 'abcdef', so case sensitivity is probably not a significant factor here.

As others pointed out, the introduction of a new client means re-typing your username, which could be related to latent keylogger activity. But reading this thread I'm now leaning back towards email enumeration and phishing.
Reply Quote