Diablo III Accounts Being Hacked
Posted 21 May 2012 by FluxIt’s only been five days, but we’ve seen what appears to be the first big rush of “hacked” Diablo III accounts. Numerous players have reported changed passwords or an inability to log on at all, while others have logged on to find their best items, gems, and gold all stripped. There doesn’t seem to be any common denominator to the affected users — they didn’t all try some new maphack program that was actually a key-logger trojan — but that sort of thing was the culprit countless times back in the D2 days, almost always delivered via social engineering.
As Blizzard (and every other security company always says), do not share your password with anyone ever for any reason. Not even if that someone is in chat and sounds totally convincing when they tell you about the secret cheat that can wildly enrich you and which they’re willing to set up for you just because they’re such a super nice guy like that. Blizzard will never ask for your password, especially not in those emails that look almost perfectly authentic. (I get them regularly in regards to the World of Warcraft account I’ve never had.)
All the other common sense precautions also apply; pick a password that no one could ever guess, don’t use that password for your log in on any other sites or forums, and it’s not a bad idea to get a Blizzard keychain Authenticator as well. That’s the first precaution listed on Blizzard’s Security Checklist, and not just because Blizzard sells them for $6.50. (Diablo III model now in the Blizzard Store.) You probably don’t want to spend the money, but would you pay $6.50 to get back all of your lost items and gold? How about $114 in Bobby Bucks™ you earned from RMAH sales that someone just stripped from your online balance?
A typical user account, from Buu in our forum:
My account was just broken into.
I was playing in NM trying to get to Act III. I got disconnected. After reconnecting, I get booted again, this time reading the error message. Another computer has logged on to my account. I reconnect and check my stash, to find that all of my gems, and about half of my items are gone. Needless to say, I immediately changed my password into a (hopefully) strong password.
Similar brand new reports from the B.net forums can be seen here and here. Also here and here and here and here and here and here.
Thanks to Mark for the tip and URLs, which he was viewing for a very painful personal reason you can well imagine.
Update: Several people in comments point out that the Blizzard mobile authenticator works with any smart phone and is free or very cheap, depending on your service. Get the US or EU version.
Yer this happened to a mate of mine, all his chars deleted. This has been a VERY rocky start for Diablo 3 so far.
Authenticator, does everyone not know that its free with a smartphone?
You have to live in US to use the free authenticators if I remember well.
The key question is how those accounts are being hacked. If its keyloggers them I don’t care about their problems, but its really frightening if hackers are managing to discover passwords, even if they are weak, by using bruteforce or any technique like that.
Nope. Living in Denmark and using the Authenticator.
Hmm, im not a hacker so i don’t pretend to know how to do this stuff, but i know a real good hacker. He’s been my friend for 9 years. Ill ask him
His characters were probably not deleted. There is a bug that switched people to another region. All your friend needs to do is switch it back to the region he had his characters on and they will re-appear.
Probably posting in the chat doesn’t help as it uses your account tag doesn’t it?
It shows your battle.tag not your e-mail address.
I was thinking it most likely that the account information is being snagged through WoW addons that have keyloggers in them
Mobile Authenticator is for free for anyone who have iPod or use smartphone with Android system. Or it costs 0.5$ for everyone else.
Sorry but the example is kinda fake. IF the guy’s account was hacked … He would not be able to log in and change his pasword again.
Simple as that.
I am not saying the hacking is not present only this guy’s story is faked as the hacker will always change your pasword so you no longer can enter and he has full control of the account.
No they wont.
I had my WoW account hacked a few months ago and whoever hacked it did not change the password for some reason.
Unless the hacker didn’t change the password and wanted the poor sap to go thru the process again to get good loot and then go back and re-hack him.
The hackers aren’t out to cause misery, they are out to steal what they can sell for profit. It was very common for people to get hacked in WoW without their passwords being stolen.
It would be like a burglar stealing all your valuables, and then changing all the locks on your house. There’s no point.
That was back in 2005, this is 2012 new state of minds. How do you know hackers haven’t changed their MO’s?
There is also a mobile authenticator which doesn’t need to be bought for extra security.
https://eu.battle.net/account/support/mobile-auth-download.html
Nearly everyone has an iPhone, I guess.
Hang on, why does the authenticator cost $6.50 in the US and £8.99 (just over $14 at the current exchange rate) in the UK? I’m used to an exchange rate of $1 to £1 but this is just excessive. The euro rate gives $12.76, still too high but slightly better than the UK.
Plus there is no Diablo one, just Starcraft.
Shipping over seas
it is made in China
there is a theory on this posted on bnet forums….
The current theory is hijacking session identifiers. Basically, every time you complete a mission, get an achievement, ect. your client communicates with the server but doesnt have to go through the authentification servers. If I hijack one of your session ID’s and submit it through my client instead of my own session ID, it would kick you off and essentially let me take over your account without ever having to type in a password… since it doesnt go through the authentification server the client doesnt report it as a compromised account.
if true this is really really bad.. wtf are they thinking
If this is true you could have authenticators, sms message security, and a 100 digit password with letters, number, and symbols and you account could still be hacked.
From my light skimming it seems even people with authenticators are being hacked.
I wonder what Blizzard will do when the RMAH is launched a hundreds of people are not allowed to use it because their accounts were hacked before it was even live. It’s a two strike rule right now, right?
Oh my God…
It always amazes me how willing people are to believe the most idiotic theories spread on Battle.Net.
I guarantee you no-one with an authenticator has been hacked.
I haven’t seen the BNet protocol but I have several hats, and I will eat all of them if the D3 servers blithely accept a new source address/session ID tuple as evidence that the session is still valid but has miraculously migrated to a new client. Much more likely is that the session is immediately binned, the account in question is thrown off the network, and both source IP’s are immediately flagged as suspicious.
people with authenticators have reported losing items and gold
So? Why do you believe them? Much more likely is one of:
- Their account is much less secure than they think it is
- They’re mistaken
- They’re lying, because they can
- They’re using spurious hacking reports to validate support claims to get their stuff back
- At the very worst, it’s possible that the D3 back-end still has bugs causing people to lose their stuff.
why do you not believe them?
This.
Why do I not believe them? Balance of probabilities.
Which is more likely:
- Blizzard have broken their authentication framework so that it can be sidestepped by a simple, low-IQ hack
- Some people on the internet are wrong
This issue has been confirmed by a blue post earlier: http://us.battle.net/d3/en/forum/topic/5149539239
best avoid public games for now.
If you mean “confirmed” as in “rebuked”, then you’re right. Blizz have stated that they haven’t found any instance of hacking that wasn’t down to a simple compromised account.
That is why I decided to finally install Mobile Authenticator yesterday. With ridiculous amounts of play time game like this requires, it is the least I can do to protect myself. The Authenticator works like a charm and now someone will get access to my account only if he ganks me and loots my Legendary phone.
Yesterday my anti virus detected this site having Malware.
I have a feeling that if you logged on here using the same email/password, whoever added the malware got your details.
It makes sense, because this is such a high traffic site to target as well.
Your antivirus software didn’t detect anything. What you (and everyone else) got was a false positive google warning, apparently from something in an ad. We submitted it to Google and got the warning removed at once, since it was unjustified. As their own auto-generated report said.
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&site=http://www.incgamers.com/
It wasn’t just this site. Mozilla.org itself was generating those errors reporting that it was unsafe. In firefox. Lol?