It's all hearsay, but I heard talk at work that this was about a simple database injection attack, grabbing active sessions and hijacking them. Best case, Blizzard will have fixed it soon, and it was a "one time" attack.
From what I've heard, apparently this whole "Session ID" thing lets the hacker log on with their credentials, but get it to be on one of your characters (apparently only one character, too, but maybe the information I've received has been wrong). Further, they can do it potentially through the friends list (but I think if the above information is correct, they can only do it on their own personal friends list) or through public games and potentially the Auction House.
Not 100% sure how correct this information is, but it seems to match up with others' claims.
That is really scary. So far I felt pretty safe as I don't join public games, but I guess now that is not failsafe either. I also have an authenticator, still from playing WoW, but this needs to be fixed as soon as possible. God, I can only imagine how one must feel seeing that error pop up on their screen... Good luck getting back up and running.
Would be awesome if they would fix it with an offline mode, but that is just wishful thinking there...
I usually have a lot of respect for Jay Wilson and I generally like the guy, but in the quote Solar Ice posts, he sounds more ignorant than ever. People not realizing there was an online mode and then QQ-ing that they can't transfer their character when they finally discover the button? And you actually don't include an offline SP option just to cater to them? Que?
- Snow
When people tell me "plz" just because it's shorter than 'please', I feel perfectly justified to answer 'No' because it's shorter than 'Yes'.
And the Lord said unto Carl: 'Come forth and receive eternal life'. But Carl came fifth and won a toaster.
I had a hack attempt on my account. About a year ago, I had a WoW account hacked (even though I barely played it anyway). After that, I changed my b.net password. I'm thinking hackers that had collected passwords and usernames are just running through the lists again and grabbing people who haven't changed their passwords. I'm guessing someone had my old password and whatever automated program they have kept entering the wrong password until my account got flagged as suspicious. Needless to say, I changed my password again and started using the mobile authenticator, which I suggest everyone use as well.
Guys, I would be very careful of accepting anecdotal evidence regarding "apparent" hacking methods like database injections and whatnot. The word "apparently" is no guarantee of accuracy, and as someone who works in IT (no, I really do!), it is an unlikely attack vector, as it requires access to the database, behind Blizzard's firewalls, and secured (I can assure you) with very high levels of authority.
If such an attack were possible, it would be catastrophic: they could walk off with millions of account details, and any such attack would leave obvious traces behind. Blizzard would immediately know a security breach had occurred.
Now I do hate to say this, but over 6 million copies of Diablo 3 were sold, many hundreds of thousands of people are logging on to the Blizzard servers every day, and a small percentage have been hacked.
Diablo is going to be a huge draw card for professional hackers, goods acquired can be sold for real money, a MAJOR incentive to attract negative attention of this type.
Now, I know everyone who gets hacked says "I checked my PC for viruses, and it's clean" but your PC may have been compromised months or years ago, a little database is built up of email addresses and passwords, which are then used to brute force accounts.
I also hate to add this, but I don't think you had an authenticator BEFORE you were hacked, and not AFTER, as a result of that very attack.
It is all too easy to leap up and down, point fingers, and accuse Blizzard of poor security, and much harder to admit that you slipped up somewhere.
Blizzard is a billion dollar company with a long history of hosting massive numbers of online connections; you are some average Joe end user. Where is the mistake more likely to have occurred?
The common trend in modern account violations is to attack via social engineering, not other, more sophisticated methods that have been suggested as possible causes.
Indeed, this very site links to gold farming sites, where you can "Buy Diablo Gold!" Guess where you can be compromised...?
It isn't by joining an MP game.
It isn't by clicking on the auction house (that's just silly, you have ALREADY logged on at that stage!).
ANY ads like that need to be screenshotted and reported to either a Moderator or an Admin, with information of where you are from (country) and any other information you can give.
This site does not accept gold selling and any ads which show up are reported to our ad provider who is instructed to remove them ASAP.
I used to have ads on my own site but had to pull them because while I had build guides, breakpoints etc, Google would bring up dross like item-selling sites and I couldn't stop them. IncGamers can but we need to know about them first.
Obviously NEVER click on them.
I get the same one TheNix is getting - from Australia. But Thy, you're about to get the same pic twice (just in case).
Somebody hacked into my account the other day and took my 650k gold. However, they didn't touch the mil+ of items on my barb/hardcore monk
Soft Kitteh, warm Kitteh, little ball of furrrrrrrrrrrr
Happy Kitteh, sleepy Kitteh, pur pur purrrrrrrrrrrr
Redemptio - The Road to Redemption [99 Thread and Diary]
Might as well share a tidbit of info: I was getting extra paranoid about the client's insecurities, so I went to check the emulator sites in search of answers. A couple of hours ago I found this emulator site, where the project leader had found, from their own hacking (in order for them to recreate a private server), that the security problem is in the chat, and Blizzard has been deploying constant, but low grade, fixes that according to them are easy to overcome.
Edit: well, will you look at that, the page is already down. <I removed the link because I'm not sure it's allowed>
Last edited by Valhauros; 31-05-2012 at 12:28.