Where is your Authenticator now?

Have Diablo 3 accounts already been compromised?

A quick glance at the Diablo 3 forums reveals that Saturday afternoon, dozens of players logged into their characters to find nearly all of their items stripped away between Friday night and Saturday morning. Some are even claiming to have been using Blizzard Account Authenticators. While most “victimized” players have submitted tickets and had quick responses, even rollbacks at players’ requests, others have waited over 24 hours with no response at all. Several players are reporting names on their “Recently Played With” list that they don’t recognize, with others reporting names on their “Friends” list that they didn’t add. Below are just a few of the examples:

Original Topic:
http://us.battle.net/d3/en/forum/topic/5149008104
(Topic is full)

Secondary Topic:
http://us.battle.net/d3/en/forum/topic/5149008518

Others:
http://us.battle.net/d3/en/forum/topic/5149178429
http://us.battle.net/d3/en/forum/topic/5150108566
http://us.battle.net/d3/en/forum/topic/5151718112
http://us.battle.net/d3/en/forum/topic/5149178166
http://us.battle.net/d3/en/forum/topic/5151717968
http://us.battle.net/d3/en/forum/topic/5150108566

Still others:
http://us.battle.net/d3/en/search?q=hacked&f=post&forum=3354739
(Search for "Hacked" in the General Discussion Forum)

http://us.battle.net/d3/en/search?q=hacked&f=post&forum=5386227
(Search for "Hacked" in the Technical Support Forum)

This issue has put a lot of players at a standstill, with several losing motivation to continue playing just one week after the release. With Blizzard’s weekend support team requesting people submit tickets, a wide array of disappointed but eager gamers hold their breath for Blizzard’s weekday crew to come with answers. One thing's for sure, most of the reported incidents are the same - "I was playing Friday night, logged in Saturday, and most or all my stuff was gone... There's someone on my 'Recently Played With' list that I don't recognize. I submitted a ticket. Still Waiting/They Rolled Me Back/They Said I wasn't hacked"

When the weekday Blizzard Support staff comes in on Monday, they're going to have their hands full. Until then, players like myself will be counting down the hours til answers are finally provided.
Dozens? Out of millions! It's an epidemic!
05/20/2012 11:24 AM Posted by Legend
Some are even claiming to have been using Blizzard Account Authenticators.


"Claiming" being the keyword, and most of those who have been hacked openly admit they weren't using one. Blizzard has provided the tools to prevent hacking, don't blame them if you refuse to take advantage of them.

If you have an authenticator and you're still getting hacked it's probably not by strangers out on the internets, but rather by someone in your house who has access to your authenticator too. Brothers, friends, roommates... etc.
05/20/2012 11:34 AM Posted by DeadPan
Some are even claiming to have been using Blizzard Account Authenticators.


"Claiming" being the keyword, and most of those who have been hacked openly admit they weren't using one. Blizzard has provided the tools to prevent hacking, don't blame them if you refuse to take advantage of them.

If you have an authenticator and you're still getting hacked it's probably not by strangers out on the internets, but rather by someone in your house who has access to your authenticator too. Brothers, friends, roommates... etc.


^^^ This.
Not sure why this dude's post was reported, it's actually really accurate. If you were compromised over the weekend you've probably been following all of the threads (there's over 60 pages now across a couple of threads).

His list of threads is a good resource to familiarize yourself with the issue.
The pains of online gaming.

Learn 2 protect yourselves.
I have an authenticator on my account, yet I have never had to provide my authenticator key when I log into Diablo. So it is possible that they had authenticators and still had their accounts accessed by an outside party.
05/20/2012 11:37 AM Posted by CthulhuDawn


"Claiming" being the keyword, and most of those who have been hacked openly admit they weren't using one. Blizzard has provided the tools to prevent hacking, don't blame them if you refuse to take advantage of them.

If you have an authenticator and you're still getting hacked it's probably not by strangers out on the internets, but rather by someone in your house who has access to your authenticator too. Brothers, friends, roommates... etc.


^^^ This.


And when your Authenticator is a cell phone with a lock on it? Or when the people you live with are completely ignorant on using a computer, much less playing a game or using multiple devices to authenticate? Where's your logic on that?

I admit I did not have an authenticator, I have since added one. However, I do not give out my email address, all my personal friends have added me using my battletag and my previous password was pretty damn beefy.

I also have no viruses, I have fallen for no phishing attempts, and in fact use the computer I've installed Diablo 3 on strictly for Diablo 3.
I have an authenticator on my account, yet I have never had to provide my authenticator key when I log into Diablo. So it is possible that they had authenticators and still had their accounts accessed by an outside party


You may want to check that. It sounds like it's not linked properly or you do not have it set to authenticate on every login. I have to provide mine every login.
I have an authenticator on my account, yet I have never had to provide my authenticator key when I log into Diablo. So it is possible that they had authenticators and still had their accounts accessed by an outside party.


Authenticators track the IP addresses we use to log in, and will require authentication if logging in from a new location. Go over to your friend's house and try logging in there, then it will ask for authentication.
I didn't have one previous to this incident. It is on there now, and linked properly and set to every time, thanks. You guys are definitely right, I see how the authenticator would help (the subject to this thread is facetious).

However, with a password as mine was, I really thought it unnecessary. I do IT security work, I'm well aware of the importance of a strong password and all password checkers at account-creation time have rated my passwords at "very strong". I'm disappointed in myself for this one, but frustrated with Blizzard for this occurring en masse four days after launch.
Authenticators only work if you set your account to require the authenticator on every login.

The authenticators are based on the same premise as RSA SecurID tokens, which are generally a secure form of providing 2 factor authentication for people.

Get a grip.
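
Added example, not part of the thread and not Blizzard's code: a sketch of the policy difference the posts above describe, where an authenticator that prompts only on a new location lets a password-only login through from a remembered network, while the every-login setting does not. RFC 6238 TOTP stands in for the authenticator's code algorithm (the thread does not describe it), and `Account`, `login`, `replay`, the network labels, the secret and the timestamp are constructed for illustration.

```python
import hashlib, hmac, struct
from dataclasses import dataclass, field

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for Unix time t (assumed stand-in for the authenticator)."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

@dataclass
class Account:
    secret: bytes
    prompt_every_login: bool            # the security setting discussed in the thread
    known_networks: set = field(default_factory=set)

def login(acct, network, password_ok, code, now):
    """Return 'denied', 'password-only' or 'two-factor' for one login attempt."""
    if not password_ok:
        return "denied"
    if not acct.prompt_every_login and network in acct.known_networks:
        return "password-only"          # second factor skipped for a remembered network
    # Accept the current time step and one either side to tolerate clock drift.
    valid = {totp(acct.secret, now + d * 30) for d in (-1, 0, 1)}
    if code is None or not any(hmac.compare_digest(code, v) for v in valid):
        return "denied"
    acct.known_networks.add(network)    # remember the network after a checked code
    return "two-factor"

def replay(prompt_every_login: bool):
    """Run the same constructed login sequence under one policy."""
    acct = Account(b"constructed-demo-secret", prompt_every_login)
    now = 1_337_500_000                 # constructed timestamp
    good = totp(acct.secret, now)
    events = [                          # (network, password_ok, code), all constructed
        ("home", True, good),           # first login from home, code supplied
        ("home", True, None),           # password alone from the remembered network
        ("elsewhere", True, None),      # password alone from a new network
        ("elsewhere", True, good),      # new network with a valid code
    ]
    return [login(acct, n, p, c, now) for n, p, c in events]

if __name__ == "__main__":
    print("new-location only:", replay(False))
    print("every login:      ", replay(True))
```

The second event is the one the two settings disagree on: anything that presents the right password from an already-remembered network is never asked for a code unless the every-login setting is on.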


^^^ This.


And when your Authenticator is a cell phone with a lock on it? Or when the people you live with are completely ignorant on using a computer, much less playing a game or using multiple devices to authenticate? Where's your logic on that?

I admit I did not have an authenticator, I have since added one. However, I do not give out my email address, all my personal friends have added me using my battletag and my previous password was pretty damn beefy.

I also have no viruses, I have fallen for no phishing attempts, and in fact use the computer I've installed Diablo 3 on strictly for Diablo 3.


Just because your antivirus software didn't find any malware, that doesn't mean you don't have any malware. Everyone, unless you aren't connected to the internet, has some sort of malware on your computer. I can almost guarantee that. It's naive to think otherwise.

As for not giving out your email. Have you signed up to anything with it? Anything at all? Even the most benign of things can give your password away to God knows who. I use a separate email for Wowhead. Why? Because I don't trust them to keep my email a secret. My B.net email is exclusive to B.net. I literally do not use it for anything else. Even that may not make me entirely safe, though. What if one of my friends has a keylogger? If I give them my email, when they go to type it into their client to add me to their friends list, that keylogger, on their computer, now has my email address.

You're not entirely safe. Ever. However, an authenticator is the best protection you can get. It can still be circumvented, don't get me wrong, but it is the most powerful protection available.

Authenticators only work if you set your account to require the authenticator on every login.

The authenticators are based on the same premise as RSA SecurID tokens, which are generally a secure form of providing 2 factor authentication for people.

Get a grip.


Blizzard would not have implemented the system they did if it were not safe. If anything is even remotely different about your login location, it will ask for your authenticator again. Hell, there was once where I was having problems with my wired internet so I swapped over to my wireless and it asked for my authenticator again, just like that. Besides, for security purposes, you should never be logging into the game on any computer other than your own anyway. I would never in a million years log into even my closest friends' PCs. I have no idea what kind of crap they could have. The only computer I know enough to trust is my own, and even it might not be safe.
Blizzard should consider adding a dial-in PIN system to the log-in screen. Many online games use these now. Basically it's like a phone pad on the screen and you'll have a 4 digit number that you need to use to log in. You would have to click on the number buttons, not type in the numbers (no keylogging) and the positions of the numbers are randomly placed, so mouse tracking would still have a hard time figuring out your PIN.

It would be opt-in of course though so those who didn't want the hassle wouldn't need it

(PS I do have an Authenticator, just saying this option might go a long way in preventing hacks from people who don't have them)
I have an authenticator as well, however unlike SC2, Diablo only asks me to authenticate once every time I change computer. Anyone else's doing this?

edit: n/m read the rest of the thread ;(
you mean people of questionable morals are attempting to steal game accounts that could possibly net them real money in a future patch??

FASCINATING.
I have an authenticator as well, however unlike SC2, Diablo only asks me to authenticate once every time I change computer. Anyone else's doing this?

edit: n/m read the rest of the thread ;(


Apparently you now need to set that up in security settings, which wasn't the case for WoW or SC2.
It should also be noted that "dozens" vastly undersells the problem. Hundreds are known to have the problem, and likely thousands actually are affected.
Blizzard should consider adding a dial-in PIN system to the log-in screen. Many online games use these now. Basically it's like a phone pad on the screen and you'll have a 4 digit number that you need to use to log in. You would have to click on the number buttons, not type in the numbers (no keylogging) and the positions of the numbers are randomly placed, so mouse tracking would still have a hard time figuring out your PIN.

It would be opt-in of course though so those who didn't want the hassle wouldn't need it

(PS I do have an Authenticator, just saying this option might go a long way in preventing hacks from people who don't have them)


Any good antivirus program has such a keypad. I know Kaspersky does.
