Diablo® III

Awesome security Blizz... Just awesome...

So, I purchased the game mid-day monday 5/21.

I played like a !@#$%^ addict for 2 days straight and logged off at like 10am on the 24th (today) at lvl 57 with a shiny new, bought, high dps lvl 60 wep and ~ 350,000.

I log on 8 hours later to a blank character, no cash, no stash, and the only thing left is the bone that u need for the cow-lvl summon.

A new offline friend was on my list by the name 'scooper' <--- ironic aye?

I find it hard to believe that in 2(3ish) days:
1.) I went out and sporadically bought d3 (was hesitant to buy because of said reports of terrible security - Anonymous ddos'ing servers, accounts being hacked; thought I'd give it a try regardless - I had never publicly given any notice that I planned on playing d3)
2.) I was targeted as a potential D3 player.
3.) I was coerced into downloading a malicious program
4.) I had logged on with said program installed
5.) I had my account's -*!@ stolen

I am more than reasonably aware of how hacking/phishing works and I am very cautious with what I download and from whom.

It just seems a bit... odd that this could happen within this time frame. I doubt I had a virus installed on my computer beforehand that targets a platform (diablo3) that wasn't even installed at the time. That being said, I haven't downloaded anything within the time of purchase (#$%^-* addict, I really mean it, I played almost non stop).

I'm scanning my computer and I have changed my password... if that will help. I also started the rollback process. I'm fiddling with the dial authenticator -I sadly don't have a smart phone.

Soooo, what's your move blizz? Gonna say it's ignorant user's fault some more? The frequency and stories that people have shared just don't add up to an all user-end related hacking ordeal that seems to be spiking HARD.

I don't want to put so much time into a game, just to have it stolen. I fear how my character will look after the rollback. Some people have reported that their characters were rolled back as far as two days. I've only played for two days... I don't want to log on to a level 0 character with nothing on it, when the day before I had a lvl 57 with 350,000 gold.

If this happens I will most likely quit.

Edit: gotten a couple of posts that seem like people don't read my responses.. so here goes:

I am not blaming blizzard, well kinda. I'm saying that perhaps the user Isn't at fault either. I am unsure.

People WITH authenticators claim they have also been compromised.

Why can banks and CC companies get away with using a simple password? While blizzard cannot.

lastly, Blizzard said they have logs in place that track all the IP used to access an account... Even with this in place they could not find the perpetrator(s)... how is that even possible? If the 'hacker' was phishing PWs then they would still log on from a different IP and BAM we have someone to blame... according to blizzard: there is no such trace.
Edited by Lopoco#1190 on 5/24/2012 11:47 PM PDT
Reply Quote
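The reasoning in the post above (a phished password would still appear in the access logs as a login from a different IP) can be written as a triage check. This is an added example, not part of the thread and not Blizzard's tooling; the log format, event names and account labels are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): time, account, source IP, event.
# 192.0.2.x and 198.51.100.x are documentation-only address ranges.
SAMPLE_LOG = """\
2012-05-21T13:02:11 acct-A 192.0.2.10 login_ok
2012-05-22T09:40:00 acct-A 192.0.2.10 login_ok
2012-05-24T10:01:30 acct-A 192.0.2.10 logout
2012-05-24T12:15:42 acct-A 198.51.100.77 login_ok
2012-05-24T12:19:05 acct-A 198.51.100.77 item_transfer
2012-05-22T20:00:00 acct-B 192.0.2.44 login_ok
2012-05-24T11:30:00 acct-B 192.0.2.44 login_ok
2012-05-24T11:41:09 acct-B 192.0.2.44 item_transfer
"""

def parse(log_text):
    """Yield (time, account, ip, event) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2], parts[3]

def triage(log_text, account, loss_time, window=timedelta(hours=24)):
    """Return ('new_ip_login', [ips]) or ('no_new_ip', []) for one incident.

    Logins older than `window` before the loss form the account's baseline;
    a successful login inside the window from an address outside that
    baseline is reported. An account with no baseline reports every address.
    """
    loss = datetime.fromisoformat(loss_time)
    known, suspects = set(), []
    for when, acct, ip, event in sorted(parse(log_text)):
        if acct != account or event != "login_ok" or when > loss:
            continue
        if when < loss - window:
            known.add(ip)          # baseline: addresses used before the window
        elif ip not in known and ip not in suspects:
            suspects.append(ip)    # first-seen address shortly before the loss
    return ("new_ip_login", suspects) if suspects else ("no_new_ip", [])
```

A `no_new_ip` result does not clear the incident: it only says the activity came from an address the account had already used, which is the case the thread argues about.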
bump. anyone else have any stories that indicate a slim chance of user being one to blame...

Edit: Virus scan finished, no viruses.
Edited by Lopoco#1190 on 5/24/2012 9:04 PM PDT
Reply Quote
bump. anyone else have any stories that indicate a slim chance of user being one to blame...

Edit: Virus scan finished, no viruses.


There are quite a few threads with the same story.

Virus scanning would most likely not have code to check for a keylogger that has only been in use for 9 days and hasn't been stopped yet. However I agree with it being hard to believe that every one of these people could have compromised their account security by all visiting the same webpage or getting the same or similar files.

After everything I've read on here, what type of characters were "hacked" how much money was "taken" , I have a seriously hard time believing that hacking is going on. If you figured out how to, as some suggest, session id spoof, why would you waste your time doing it on lvl 20s with 50k gold, or even going through the trouble of getting the 50k off that character.

While it could be some exploit that got accounts at random, it's hard to believe you would waste time even bothering with 50k.

But then again this is all pure speculation, Blizzard has made statements that their security is solid and session id spoofing "isn't technically possible"
Reply Quote
There are two possibilities:

1. If you've had a WoW account stolen before, the offenders could've held on to information and retried it once D3 came out. - Happened to thousands of people including myself.

2. If you play public games there is some hack/security flaw allowing people to strip your account without needing your credentials.

Moral of the story, get an authenticator. free on smartphones, 6.50 without one.
Reply Quote
Well I'd assume they wouldn't know how much is on an account even if they are able to session spoof. It's still a hit-or-miss situation for the hacker. They find someone that looks like they have a lot of cash and go for it.

I do find it hard to believe that all of these problems are all 'hacks' but perhaps they are the product of data corruption.

I do believe my particular case is a 'hacker' because of the person that was on my FRIENDS list that I did not add...

I understand that virus scans and definitions would not pick up new loggers, and I did not include following information in first post because most don't even know what this means; BUT in addition to the virus scan I also threw down a hijack-this to check my processes and ran through my startup registry. No rogue processes and no start up reg entries that I did not recognize... I found a couple of apple automatic updates that I didn't want running(!@#$ers)... but that's about it. I like to manually remove my malware...
Reply Quote
it happened to me exactly!
Reply Quote
I believe you when you say your computer is not infected, unlike, it would seem, a company that has some of your money. What is more important than your money though, is now they have your time.
Reply Quote
05/24/2012 09:15 PM Posted by MrH
Not trying to poke the bear but if your account means so much to you why haven't you bought an authenticator? When Diablo III had a release date the first thing I did was buy one because I would hate to be hacked, even though I'm extremely careful.


I don't believe an RSA real time authenticator is required to keep my DIABLO III safe. I can name at least 5 other sources in which I use a simple english-ascii-char password to secure REAL LIFE MONEY and BANKING information.

It's ridiculous that people believe that they must have an authenticator in order to feel secure... The authenticator is for people who are phishing-prone. I am NOT one of those people.

Furthermore, there are plenty of people who claim to have the authenticator up and running but were still hacked.

Take this concept into consideration:

If people are session spoofing (meaning they trick the server into thinking THEY are YOU coming from YOUR ip) the current authenticator setup does not have you authenticate if you are logging in from the same IP. This would make the authenticator practically useless as far as a security measure goes. Granted you can make it ask you for the key EACH and EVERY log on... but it isn't defaulted to that. That's assuming session spoofing requires a login, which it may very well not - one may be able to just 'take over' a connect. Pretty useless feature imo.

I suppose I coulda been brute-forced.. it was a 9 char 2 number password... kinda weak.

Edit: ahahaha, and shoot me dead if blizzard is going to admit a security flaw... that would just FLOOD the gates.. lol
Edited by Lopoco#1190 on 5/25/2012 2:50 AM PDT
Reply Quote

Edit: ahahaha, and shoot me dead if blizzard is going to admit a security flaw... that would just FLOOD the gates.. lol


I agree with you again, they would almost certainly never reveal that there was this type of exploit. But I have to say, if there was, wouldn't most people understand that mistakes are made, and it really is just an electric signal that you lost...
Reply Quote
Sorry let me clarify. It would just FLOOD the gates - for the exploiters/hackers** if blizz admitted a known security flaw and that they HADN'T fixed it at that time. It would be hack anarchy.

I guess what I'm trying to say is; If I were in blizz's shoes, I sure as hell wouldn't admit a known, non-fixed exploit.
Reply Quote
05/24/2012 09:55 PM Posted by MrH
If you set the authenticator to require a code every time I don't see how you'd ever get hacked. At the end of the day there are people out there that want your account and if you don't secure it as well as possible (authenticator) then you can't really blame Blizzard.


Again, as I said in the other posts, I have about 5 other sources that use a simple english character password that manage REAL money and have almost never had issues with MASSIVE floods of hack reports. The authenticator is for people who don't know how to spot a phisher or download everything under the sun.

I don't believe I need a dynamically changing, RSA secure link to a password FOR A GAME...

ps: I also pointed out that this could be done, thank you for being redundant.
Reply Quote
Sorry let me clarify. It would just FLOOD the gates - for the exploiters/hackers** if blizz admitted a known security flaw and that they HADN'T fixed it at that time. It would be hack anarchy.

I guess what I'm trying to say is; If I were in blizz's shoes, I sure as hell wouldn't admit a known, non-fixed exploit.


naturally until fixed, there is no spoon
Reply Quote
05/24/2012 09:39 PM Posted by Lopoco
Not trying to poke the bear but if your account means so much to you why haven't you bought an authenticator? When Diablo III had a release date the first thing I did was buy one because I would hate to be hacked, even though I'm extremely careful.


I don't believe an RSA real time authenticator is required to keep my DIABLO III safe. I can name at least 5 other sources in which I use a simple english-ascii-char password to secure REAL LIFE MONEY and BANKING information.

It's ridiculous that people believe that they must have an authenticator in order to feel secure... The authenticator is for people who are phishing-prone. I am NOT one of those people.

Furthermore, there are plenty of people who claim to have the authenticator up and running but were still hacked.

Take this concept into consideration:

If people are session spoofing (meaning they trick the server into thinking THEY are YOU coming from YOUR ip) the current authenticator setup does not have you authenticate if you are logging in from the same IP. This would make the authenticator practically useless as far as a security measure goes. Granted you can make it ask you for the key EACH and EVERY log on... but it isn't defaulted to that. Pretty useless feature imo.

I suppose I coulda been brute-forced.. it was a 9 char 2 number password... kinda weak.

Edit: ahahaha, and shoot me dead if blizzard is going to admit a security flaw... that would just FLOOD the gates.. lol


My authenticator makes me type in a code even if it's from the same IP address, so yes an authenticator would help.
Reply Quote
Once again, I pointed this out.

In addition, I also pointed out that many people WITH authenticators ALSO got hacked; So, apparently, it may not help as much as you are implying.

I made this post to try and bring into light that perhaps there is a security breach at Blizzard's end amongst their code. All evidence points to such. If you actually read what I wrote then you would know this. I literally said exactly what your post says as an example for argument to people who would bring this up. Please, once again, refer to above statement of people with authenticator still being 'hacked'.

Edit: I guess a better question to ask you is:
If I don't need to use an authenticator for my credit card and banking accounts to feel secure, why then must I use a device that is more secure for a less valuable item (diablo). Furthermore, why have my credit card accounts not been hacked within the first two days of making them... seeing as how they are actually worth something...

A password is plenty secure.. There is another issue at play here...
Edited by Lopoco#1190 on 5/24/2012 11:05 PM PDT
Reply Quote
So, I purchased the game mid-day monday 5/21.

I played like a !@#$%^ addict for 2 days straight and logged off at like 10am on the 24th (today) at lvl 57 with a shiny new, bought, high dps lvl 60 wep and ~ 350,000.

I log on 8 hours later to a blank character, no cash, no stash, and the only thing left is the bone that u need for the cow-lvl summon.

A new offline friend was on my list by the name 'scooper' <--- ironic aye?

I find it hard to believe that in 2(3ish) days:
1.) I went out and sporadically bought d3 (was hesitant to buy because of said reports of terrible security - Anonymous ddos'ing servers, accounts being hacked; thought I'd give it a try regardless - I had never publicly given any notice that I planned on playing d3)
2.) I was targeted as a potential D3 player.
3.) I was coerced into downloading a malicious program
4.) I had logged on with said program installed
5.) I had my account's -*!@ stolen

I am more than reasonably aware of how hacking/phishing works and I am very cautious with what I download and from whom.

It just seems a bit... odd that this could happen within this time frame. I doubt I had a virus installed on my computer beforehand that targets a platform (diablo3) that wasn't even installed at the time. That being said, I haven't downloaded anything within the time of purchase (#$%^-* addict, I really mean it, I played almost non stop).

I'm scanning my computer and I have changed my password... if that will help. I also started the rollback process. I'm fiddling with the dial authenticator -I sadly don't have a smart phone.

Soooo, what's your move blizz? Gonna say it's ignorant user's fault some more? The frequency and stories that people have shared just don't add up to an all user-end related hacking ordeal that seems to be spiking HARD.

I don't want to put so much time into a game, just to have it stolen. I fear how my character will look after the rollback. Some people have reported that their characters were rolled back as far as two days. I've only played for two days... I don't want to log on to a level 0 character with nothing on it, when the day before I had a lvl 57 with 350,000 gold.

If this happens I will most likely quit.

You don't have an authenticator. It's your fault.
Reply Quote
I really hope you're trolling me. Ignorant people... saying ignorant things...

If you were to get shot right now I'd say: YOUR FAULT YOU WEREN'T WEARING A BULLET PROOF VEST!!!! LAWL NOOB LAWL LEARN TO LIFE.

ps: its your fault
Edited by Lopoco#1190 on 5/24/2012 11:07 PM PDT
Reply Quote
sigh... I guess I won't point out, again, the claims of people saying they too got hacked even with an authenticator...

Furthermore, I never said I was 'too good' for it, I said there should be no need for it. If places with more valuable things use a simple password, why is blizzard specifically having problems?

If I had a smart phone, I'd be using it. I didn't know an authenticator was necessary to keep the integrity of a casual online game... Kill me for making the assumption that I would not need to buy a dynamic key for my game...

Furthermore, I never said it was explicitly Blizzard's fault... I just find it kinda hard to believe that in 2 days I was targeted, coerced, and attacked.. It's kinda a small time period even for the best of hackers to accomplish...
Edited by Lopoco#1190 on 5/25/2012 12:43 AM PDT
Reply Quote
