Diablo® III

Blizzard authenticator wont help you now

I got hacked an hour ago and my password was not changed; all my items were just wiped, and my gold. Obviously there is a breach in Blizzard's security, this is ridiculous. I had just logged into my account an hour ago and everything was there, then I walk away and come back and my sh!t has just disappeared, but I still have full access to my account. This is ridiculous >.<
Which Auth were you using?
I'm sorry to hear that you were hacked, but no, Blizzard hasn't been hacked. Please, please, /please/ make sure you do a thorough scan of your system with both an anti-virus and a spyware/malware application. Whether you think you were phished or scammed or not, please just do it anyway, to be on the safe side.
I would like some input from people that know a lot more about this than I do. Please no flaming in this thread.

I'm not programming/hack savvy, but I was talking to a programmer at work about this topic and, here in a nutshell, is his response. Makes sense to me, but again I am not claiming that I am an IT guy and this could be totally off base.

From what he told me, Blizzard isn't lying. Their servers are not hacked or compromised.

This quote from Blizzard stuck out to me after talking with the gentleman from my work.

and we have yet to find any situation where a Diablo III player's account was accessed outside of "traditional" compromise methods (i.e. someone logging in using an account's login email and password).


He stated that what could be happening is the hackers, using botnets(?), have huge lists of passwords and basically thousands of bots are spamming the login screen. When an account is successfully hacked the automation begins to loot the account. People without an authenticator are at risk because Blizzard does not have a "timeout" feature on their login, so you can essentially type hundreds of passwords at the login screen and never get the account locked for 15 minutes. He stated this was a big reason why some companies and sites use this feature, to basically deter bots from spamming their logins. On a basic level, this makes sense to me.

Additionally, they could be doing the same type of bot for the authenticator, but from the sound of it, it may be too hard or take too long to spam in order to get the right one for the account.

But, maybe these "hackers" have millions of passwords and are spamming the login screen. According to him it would only take minutes to do this.

Now, after he told me this, I started to think about whether this "timeout" feature would piss off a lot of people and also create a lot of extra hours of work for the support staff. Could this be the reason it isn't added to the login screen? I don't know.

What I do know, is that after talking with him it makes ABSOLUTE sense to get the authenticator ASAP.

Like I said, I could be interpreting this all wrong, but would love some input from people much much smarter than me :)

I hope this post contributes something to this forum.
I got hacked an hour ago and my password was not changed; all my items were just wiped, and my gold. Obviously there is a breach in Blizzard's security, this is ridiculous. I had just logged into my account an hour ago and everything was there, then I walk away and come back and my sh!t has just disappeared, but I still have full access to my account. This is ridiculous >.<


Since you never stated it, were you using an authenticator?
05/30/2012 10:58 AM Posted by Zebracakes
Since you never stated it, were you using an authenticator?


I made the assumption they were, based on the title of the thread.

However, since only 2 of the 3 (4 if people want to try and count (incorrectly) SMS in here) authentication methods are secure for D3, I asked him which one they are using.
Well, they could implement "captchas"; though annoying, they would be pretty helpful if the hackers are just mass spamming PWs.
05/30/2012 10:56 AM Posted by artflywheel
He stated that what could be happening is the hackers, using botnets(?), have huge lists of passwords and basically thousands of bots are spamming the login screen.


What you just described is either a brute-force attack or a dictionary attack. Both involve trying out a bunch of passwords, either randomly generated (brute force) or from a list of commonly used passwords (dictionary).

However, the website login for battle.net does have a timeout feature, or so someone said (I haven't tested this myself). The login screen in game takes a while to connect to battle.net to verify the login, about 5 - 10 s. Unless your password is incredibly easy to guess (123456, asdf, qwerty ...) I don't see how these attacks are viable at all.

As a software engineer myself I don't believe in all this hacking crap. My account atm is still secure and I have not seen anything suspicious. Just make sure you have decent antivirus software that has auto-protect and a firewall, and don't click on random links on the internet that ask for your battle.net login.

Like I said, I could be interpreting this all wrong, but would love some input from people much much smarter than me :)


There are three ways they can get into your account.

  • Hacking Blizzard
  • Finding out your password
  • Trying to guess your password.


Blizzard knows the first hasn't happened.

The second requires either a virus on your computer which records what you type, OR a phishing scam. Phishing would be the hackers pretending they are Blizzard, asking for your password, and then you give it to them. They can do this very creatively.
Do you see the difference between "www.battle.net" and "www.bаttle.net"? They are two different links. One uses the normal letter "a", and the other uses the Cyrillic letter "а". They both look the same, but to computers they are different. What can also happen is that you use a different website (let's say a Diablo wiki or something) and use the same password there; then the Diablo wiki gets hacked and the hackers know your password. You don't need a virus to fall for a phishing scam. Your computer can be really, really secure, but if you type your password in on the wrong site without knowing it is the wrong site, it doesn't matter how safe your computer is, because you gave your password away.

Trying out your password is the unlikely one but still possible. If I have to guess your password like a computer, I would start with: Is your password "a"? Is your password "b"? And then when I reach "z" I ask: Is your password "aa"? I continue like this until I guess the right password. This is called brute force because you are just trying every combination. If you put letters and numbers in your password, brute force takes a lot longer. It takes even longer for them to try if you put in symbols like !@#$%^*, etc. If I want to guess a password that is 10 letters long I have to guess 26*26*26*26*26*26*26*26*26*26 times (which is guessing 141,167,095,653,376 times).

Hackers realized that doing this takes really long, and they also realized that for normal people it is easier to remember passwords if they just make it a word. Instead of going down the list guessing every possible password, they go down a list of words. They guess dictionary words instead. Now even this is a bit slow, so they get lists of commonly used passwords in general and try those out. (Some stupid people use really easy passwords: http://www.pcmag.com/article2/0,2817,2113976,00.asp)

When you try to guess someone's password you need to have a fast computer to make many, many guesses as fast as possible. What is faster than one computer? Two computers! What is faster than 2 computers? A botnet, which is a network of computers with viruses on them so that the person who put the virus on can use them. That network basically works as one big fast computer, and thousands of computers can guess faster than just one or two computers. The problem is, Blizzard only allows one guess per 5-10 seconds. This makes guessing next to impossible. It would take more than a minute to guess a password that is a single letter. It would take years to guess a password that is 10 letters.

Now here comes the authenticator. The authenticator says that if you try to type in the code and you get it wrong, you have to wait a little while. If you have to guess a completely random string of 8 numbers, there are 10*10*10*10*10*10*10*10 possibilities (100 million). Let's say that someone has to wait just a single second to try again if the authentication is wrong. This would still mean that to correctly guess the authenticator code, it would take millions of minutes, or thousands of hours. The code changes every 30 seconds. Even the fastest computers can't guess the code like that. Every authenticator gives a different code, so even if hackers guess the code (which is impossible) they still wouldn't be able to use it to hack more than one account.

Whenever I connect from somewhere else, Blizzard asks me for an authenticator code. So if someone has your password and they connect on their computer, Blizzard will know that it isn't the same computer trying to get into my account (they know because they aren't connecting with the same internet connection). Since it is a different computer or a different internet connection, Blizzard asks for the authenticator code. Even if I give my password to a hacker they won't be able to get in, since when they try to log in Blizzard asks them for the authenticator code. Hackers would have to go into my house and steal my authenticator to be able to hack my account.

05/30/2012 11:02 AM Posted by MYDJAXT
Well, they could implement "captchas"; though annoying, they would be pretty helpful if the hackers are just mass spamming PWs.


Captchas only help if they are trying to "guess" the password. Blizzard already has measures against the "guessing" of passwords, like the time it takes if you input the wrong password.
Edited by Leprecon#2217 on 5/30/2012 12:01 PM PDT
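As an added illustration of the two points in the post above (the cost of guessing under a per-attempt delay, and the Latin/Cyrillic look-alike domain), here is a small script that is not from the thread or from Blizzard. The 5-10 s login delay and 30 s code rotation are taken as described in the post; the function names are my own.

```python
import unicodedata


def brute_force_seconds(alphabet_size: int, length: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every password of exactly `length` characters
    when the login only accepts one guess every `seconds_per_guess` seconds
    (the throttle the post describes as 5-10 s per attempt)."""
    return alphabet_size ** length * seconds_per_guess


def authenticator_hit_probability(digits: int, window_seconds: int, seconds_per_guess: float) -> float:
    """Probability of guessing a random numeric one-time code before it rotates,
    given the code is valid for `window_seconds` and each wrong guess costs a
    wait of `seconds_per_guess` (assumed values, as in the post)."""
    tries_in_window = int(window_seconds // seconds_per_guess)
    return min(1.0, tries_in_window / 10 ** digits)


def label_scripts(label: str) -> set:
    """Unicode scripts used by the letters of one hostname label, taken from the
    first word of each character's Unicode name (e.g. 'LATIN', 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def is_mixed_script_hostname(hostname: str) -> bool:
    """True if any label mixes scripts, e.g. Latin letters with a Cyrillic 'а':
    the look-alike phishing domain the post warns about."""
    return any(len(label_scripts(label)) > 1 for label in hostname.split("."))


if __name__ == "__main__":
    year = 365 * 24 * 3600
    # One guess per 5 s: a single letter already takes over two minutes...
    print("1 letter, 5 s/guess:", brute_force_seconds(26, 1, 5), "s")
    # ...and ten lowercase letters takes millions of years.
    print("10 letters, 5 s/guess:", brute_force_seconds(26, 10, 5) / year, "years")
    # 8-digit code, 30 s window, 1 s wait per wrong try: 30 chances in 100 million.
    print("authenticator hit chance:", authenticator_hit_probability(8, 30, 1.0))
    # Constructed sample hostnames: the second one contains Cyrillic U+0430.
    for host in ("www.battle.net", "www.b\u0430ttle.net"):
        print(host, "mixed script:", is_mixed_script_hostname(host))
```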
OP makes a topic: Authenticator won't help you now

OP never says they have an authenticator.

OP does not have an authenticator.
I got hacked an hour ago and my password was not changed; all my items were just wiped, and my gold. Obviously there is a breach in Blizzard's security, this is ridiculous. I had just logged into my account an hour ago and everything was there, then I walk away and come back and my sh!t has just disappeared, but I still have full access to my account. This is ridiculous >.<


Authenticator or GTFO...
Just report scaremongering/fake/trolling posts like this and move on.
I remember a few years ago that one of the bulletin boards had an exploit; the exploit was used to get all the names/secret answers/dates of birth/emails/passwords from as many people as possible.

Then they just ran that through everything they could think of. A lot of people were caught out and had other accounts for other online services compromised and kept gathering everything.

I remember the admin of an online game even being compromised, which led to the game itself being compromised.

How many of those that have been hacked have used a third-party program or service to 'enhance' their D3 experience?

Let's face it, no one would attack Blizzard or Sony or EvE or MineCraft or League of Legends or ...
They don't need to change your password once they have it. More than likely, you gave someone your password without knowing it. There are plenty of sites out there dressed up to be identical to regular Bnet, or any other popular site.
I did not give anyone my password, I did not do anything suspicious, at all. I just woke up this morning to find everything is missing. All my money, everything in my stash. Everything that I had equipped was untouched, oddly enough.