Battle.net® Account Security & Diablo® III

Blizzard Archive
05/21/2012 10:44 PM Posted by Bootes
Well thought-out retort.. but pretty serious question here: do you honestly think that bliz GUID/SID's are clear-text?


Absolutely not - first of all I don't think a GUID is useful for anything, but the reports I have seen that worry me are about this esoteric "Session ID" creature. A D3 "session id" going through a database server side possibly ties itself to the actual Oracle SID and serial# and that is where I think the possibility of exploit lies. I want someone to tell us that this is simply not the case.
I'm sorry, but I disagree - this Session ID thing is not what you think - Diablo 3 is a client/server game, not a website, and it's driven by a combination of Oracle and other databases - I assume this because I frequently checked Blizzard job postings for programmer analysts in the last several years. You are making far too many assumptions about what a session id is in this context. If it were just a unique identifier assigned by the D3 server to a client upon login (where they only record your IP on login to boot) there is no reason to assume you can't edit it in unprotected memory on the client and then your client becomes the new default for that session id after bumping the original off. Then, when the actual user tries to log in they can't because the session is still active.

Again I am not saying that this is happening - I'm just really concerned that this is a possibility and the OP did not specifically say this is not possible due to how they designed the game. Before I get flamed to hell - I don't know if this is happening and I doubt it because I am a blizzard fanboy - but the possibility is there depending on how the client/server architecture is implemented. I want blizz reps to tell us that it is not possible and I would believe them.


Well thought-out retort.. but pretty serious question here: do you honestly think that bliz GUID/SID's are clear-text?

Does it need to be clear text to be copied?
Well my wizard just got hacked ._.
Way to beat around the bush, Blizzard.

The issue is specific to Diablo 3, not Battle.net accounts. Of course our Battle.net accounts are safe, they are not obtaining our login credentials.

The problem is the hackers having unauthorized access to our Diablo 3 account due to a flaw somewhere in the game itself.

The hackers are probably laughing away at this. As Blizzard continues to bury their heads in the sand, they continue to steal...

Great job there Blizzard.
From observing all of the information here, I am still very suspicious that these are all phishing and keyloggers and the use of credentials from other sites, but I'm going to keep my eyes on it - and I believe when this discovery is found, it'll just be hotfixed.
WHAT THE HELL IS THE MATTER WITH YOU PEOPLE?

Logon credentials were not compromised.

That means someone did not PHISH/HACK/KEYLOG anything.

Wow, just wow. (No I am not talking World of Warcraft)

Get a grip and stop blaming everyone.

Only a white hat will be able to come in and set the record straight. Blizzard will not do it.

I am off to bed. All you young kids that are ready to make fun of someone else's misery can stay up and make stupid faces at each other.


I don't recall seeing a single Blizzard post that said logon credentials were not compromised. So I would ask you, what the hell is wrong with you and why do you think that pulling information out of your....hat and then yelling as if it's true means anything?
I believe it, they work off of random number generators and those often work off of the system clock it's running on. If you can sync your clock to the server's clock you can oftentimes come up with a program RNG that will give you the exact same "random" numbers every single time.
This happened historically on Absolute Poker, which used an RNG to deal the cards. Someone broke the code.
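The mechanism the post above describes, as an added example that is not part of the thread and is not Blizzard code: a hypothetical server that seeds its PRNG from the login second, an attacker who knows roughly when the victim logged in and enumerates the candidate seeds, and the same attack against a server that draws tokens from the OS CSPRNG. The server classes, the account name and the timestamp are all constructed for this demo; nothing here describes how any real game server issues sessions.

```python
"""Added example (not from the thread, not Blizzard code): why seeding a
PRNG from the clock makes session tokens guessable, and what the fix is.

Everything here is a hypothetical stand-in: WeakServer seeds Python's
Mersenne Twister with the login second; StrongServer uses the OS CSPRNG.
Timestamps and account names are constructed for the demo.
"""
import random
import secrets

# Constructed: roughly the thread's date (2012-05-21) as a Unix timestamp.
VICTIM_LOGIN_TIME = 1337640000


def token_from_clock(seconds: int) -> str:
    """Deterministic 64-bit token. The seed is the only secret, and it is a
    timestamp, so two logins in the same second even get the same token."""
    return "%016x" % random.Random(seconds).getrandbits(64)


class WeakServer:
    """Issues session tokens from a clock-seeded PRNG."""

    def __init__(self):
        self.sessions = {}  # token -> account

    def login(self, account: str, now: int) -> str:
        token = token_from_clock(now)
        self.sessions[token] = account
        return token

    def whoami(self, token: str):
        return self.sessions.get(token)


class StrongServer(WeakServer):
    """Same interface; tokens come from secrets.token_hex (OS CSPRNG)."""

    def login(self, account: str, now: int) -> str:
        token = secrets.token_hex(8)  # 64 bits, no recoverable seed
        self.sessions[token] = account
        return token


def hijack(server, approx_login_time: int, window: int):
    """Attacker who never saw the token but knows roughly when the victim
    logged in. Enumerates every candidate seed in +/- window seconds and
    probes the server with each token.
    Returns (account, token, probes) on success, else None."""
    probes = 0
    for offset in range(-window, window + 1):
        candidate = token_from_clock(approx_login_time + offset)
        probes += 1
        account = server.whoami(candidate)
        if account is not None:
            return account, candidate, probes
    return None


def demo_weak():
    srv = WeakServer()
    srv.login("victim", VICTIM_LOGIN_TIME)
    # Attacker's clock estimate is 7 s off; a 30 s window is 61 probes at most.
    return hijack(srv, VICTIM_LOGIN_TIME + 7, window=30)


def demo_strong():
    srv = StrongServer()
    srv.login("victim", VICTIM_LOGIN_TIME)
    # Same attack, same window: the token has no relation to the clock.
    return hijack(srv, VICTIM_LOGIN_TIME + 7, window=30)


if __name__ == "__main__":
    print("weak  :", demo_weak())
    print("strong:", demo_strong())
```

The weak server falls in a few dozen online probes because the search space is the clock window, not the 64-bit token; against the CSPRNG server the same loop finds nothing, and the search space is the full 2^64. A real check of a token scheme is exactly this: ask whether any input the attacker can estimate (time, PID, counter) determines the output.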


I am not a computer expert but I'm sure Blizzard auths are harder to crack than that. If the auth code was cracked, it would blaze across the internet, the same way the first successful MITM attack on a WoW account hit the MMO Champion front page.


Like I said just google 3rd party authenticator. I'm not going to do your research for you. If you don't take me at my word that's fine. You really have no good reason to. But you do owe it to yourself to do a little research and see if what I am saying is true. Being "sure" of something you don't know is never a good thing. And be careful.

Does it need to be clear text to be copied?


If it's encrypted, copy paste don't work homie.

And you seriously think it involves Select, ctrl-C, Ctrl-V?
So basically it's all the same old same old and they are deflecting blame from themselves despite this being a massive occurrence?

I've been through with Blizzard for 3 expansions, it has never been close to as bad as this.


Yep, it's the same old same old players being phished or keylogged or etc. and then blaming Blizzard for it.

In fact, this EXACT same thing happened when the new battle.net was implemented. Tons of people had keyloggers on their computers, but because they had "remember my account" checked, they never actually typed their account name anywhere. Then when they were forced to type in their new battle.net email instead of account name, the keyloggers (which were there for days, weeks, months, even years) captured everything and hackers had a field day of new information. Same old same old. People who never had to enter their login information for days, weeks, months, or longer all of a sudden had to enter it at least once in the brand new D3 login screen. They put it all out there for keyloggers to grab.

If you think it's never been as bad as this, then you're either lying or failed to observe the new battle.net implementation. Go back in the forums and read up on it. I'm sure you can find lots of information on fansites too, although I'd be wary of visiting them right about now.
05/21/2012 10:54 PM Posted by Bootes
If it's encrypted, copy paste don't work homie.


If the "encryption" is just a SHA-1 checksum - copy -> sha -> paste certainly does work
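The point in the reply above, and in the earlier post about a copied session id bumping the real client, is the same one: a value the server accepts verbatim, or after a fixed transformation such as SHA-1, is a bearer credential, so whoever copies it is the user. Added example, not from the thread and not Blizzard code: a hypothetical server that looks sessions up by SHA-1(token) beside one that binds the session to a per-login key and demands a fresh HMAC answer per request. Both servers, the account name and the attacker scenarios are constructed for the demo.

```python
"""Added example (not from the thread, not Blizzard code): a session that
is identified by a copied value is hijackable whether or not the server
hashes that value; a session bound to a per-login key and a fresh nonce
per request is not replayable from captured traffic. Both servers and the
account name are hypothetical, constructed for this demo.
"""
import hashlib
import hmac
import secrets


class BearerServer:
    """Looks sessions up by SHA-1(token). The hash is a fixed function of the
    token, so 'copy -> sha -> paste' is exactly what the server does anyway."""

    def __init__(self):
        self.sessions = {}  # sha1(token) -> account

    def login(self, account: str) -> str:
        token = secrets.token_hex(16)
        self.sessions[hashlib.sha1(token.encode()).hexdigest()] = account
        return token

    def request(self, presented_token: str):
        # Whoever presents the token is treated as the account owner.
        return self.sessions.get(hashlib.sha1(presented_token.encode()).hexdigest())


class ChallengeServer:
    """Session id plus a per-login key; every request answers a one-time
    nonce with HMAC-SHA256(key, nonce), so a captured answer is useless."""

    def __init__(self):
        self.sessions = {}  # sid -> (account, key)
        self.pending = {}   # sid -> outstanding nonce

    def login(self, account: str):
        sid, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.sessions[sid] = (account, key)
        return sid, key

    def challenge(self, sid: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[sid] = nonce  # one outstanding nonce per session
        return nonce

    def request(self, sid: str, nonce: bytes, tag: bytes):
        account, key = self.sessions.get(sid, (None, None))
        expected = self.pending.pop(sid, None)  # consumed even on failure
        if key is None or expected is None or not hmac.compare_digest(nonce, expected):
            return None
        if not hmac.compare_digest(tag, answer(key, nonce)):
            return None
        return account


def answer(key: bytes, nonce: bytes) -> bytes:
    """Client side of the challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def bearer_replay():
    """Attacker copied the token (from the wire, a log, or client memory)."""
    srv = BearerServer()
    token = srv.login("victim")
    copied = token                 # copy -> paste
    return srv.request(copied)     # 'victim': session hijacked


def challenge_replay():
    """Attacker captured one complete (sid, nonce, tag) exchange and replays it."""
    srv = ChallengeServer()
    sid, key = srv.login("victim")
    nonce = srv.challenge(sid)
    tag = answer(key, nonce)
    assert srv.request(sid, nonce, tag) == "victim"  # victim's own request
    return srv.request(sid, nonce, tag)  # replay: None, nonce already consumed


def challenge_without_key():
    """Attacker knows only the sid and asks for a fresh challenge."""
    srv = ChallengeServer()
    sid, _key = srv.login("victim")
    nonce = srv.challenge(sid)
    forged = hashlib.sha256(nonce).digest()  # no key, so any guess is wrong
    return srv.request(sid, nonce, forged)   # None


def challenge_with_stolen_key():
    """Caveat: if the attacker reads the session key out of client memory
    (the scenario the earlier post worried about), challenge-response does
    not help; only keeping the attacker off the client does."""
    srv = ChallengeServer()
    sid, key = srv.login("victim")
    nonce = srv.challenge(sid)
    return srv.request(sid, nonce, answer(key, nonce))  # 'victim'
```

Hashing the token on the server protects the session table if the database leaks; it does nothing about a token copied in transit or from the client, because the server applies the same hash to whatever it receives. The challenge-response variant stops wire replay, but the last function is the honest caveat: a key readable in unprotected client memory is copied just as easily as a token, so memory on a compromised client is not a boundary either design can defend.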


Wasn't Sony one of those responsible enterprises? Steam? Just about any other company in existence?


Sony was absolutely irresponsible, their servers were almost entirely unsecured and unencrypted.

Next business.


What about all the companies and organizations, who were all compromised at some point, I named in my previous posts?

For the record I'm not saying with 100% certitude that Blizzard got compromised. However I do think it's a good possibility under the circumstances. Certainly more than a super keylogger who infected thousands of people playing the same game at relatively the same time. If you paused for a moment and started to think about it you would realize that. Unfortunately you seem to think that Blizzard is some sort of uber unhackable digital entity, at which I'm laughing my !@# off.

Anyway I'm done with you. You're a waste of time
I am playing with two accounts on my computer, I am one of the victims that got hacked. The difference between the things that have been done with acc 1 and acc 2.

Acc 1: I have visited AH, placed bid on item and even placed out items for sale, I have joined Public Games.

Acc 2: Single mode all the way, no AH interaction or go public interaction.

Seeing the difference between the accounts, and seeing how I play on 2 accounts but only 1 account got hacked: if the case is that I got keylogged, phished or whatever, wouldn't the hacker have hacked both of my accounts instead of just one? Why take one when you can take two?


Correlation is not causality.

still waiting for ANY one of you hacker victims to provide ANY EVIDENCE WHATSOEVER that the security exploit was on Blizzard's end and not yours. I'm not saying one way or the other. What I AM saying is:

Those who make the claims fall under the burden of proof. I'm not saying it didn't happen on Blizzard's end, I'm simply asking you to prove it.


I had noticed that too about the Auction House.

I have 2 friends who have not visited the Auction House, or used it, and I have.

They did not get hacked. I did.

Might there be a trend? Or can someone confirm that they have not used the auction house and still got hacked?
Oh well, seems to me blizzard will go with sweep under the rug approach for this issue, just hope I get my stuff back.

Also, the restoration policy said I have two chances, but the customer service told me I only got one restoration and need my approval to continue....36+ hours after I approve, still nothing has been done.

ps. I have been in touch with a few hack victims much like myself, and we noticed a few "mystery friends" were banned/removed/banished this afternoon.
So I assume blizzard is dealing with the issue, even if they don't want to admit it openly.


Sony was absolutely irresponsible, their servers were almost entirely unsecured and unencrypted.

Next business.


What about all the companies and organizations, who were all compromised at some point, I named in my previous posts?

For the record I'm not saying with 100% certitude that Blizzard got compromised. However I do think it's a good possibility under the circumstances. Certainly more than a super keylogger who infected thousands of people playing the same game at relatively the same time. If you paused for a moment and started to think about it you would realize that. Unfortunately you seem to think that Blizzard is some sort of uber unhackable digital entity, at which I'm laughing my !@# off.

Anyway I'm done with you. You're a waste of time


What about all the companies and organizations, who were all NOT compromised at some point?

Oh, did we forget about those? What about Blizzard, who hasn't been compromised in at least 8 years of major online gaming, aka never?

For the record, if Blizzard was compromised, you wouldn't see a few hundred accounts compromised. You would see hundreds of thousands of accounts compromised. And since the forums aren't swamped by hundreds of thousands of people who were hacked, I think it's pretty damn safe to say it didn't happen. No one thinks that Blizzard is immune to hackers, no one thinks that Blizzard is an uber unhackable digital entity. The evidence and their track record, however, say that they weren't hacked this time.
If anyone thinks all these people were phished/keylogged they're an idiot
