
36 thoughts on “Diablo 3 Account Hacking and Security Issues”

  1. I’ve been using the Android authenticator since day 1 and haven’t had a single problem. There’s recently been an update though, so if it’s not working you might have an old version.

  2. The bit about the smart phone authenticator not working is incorrect. The blue post is saying that the dial up authenticator isn’t the same as the mobile and that the dial up doesn’t support Diablo. The mobile authenticator works just like the physical.

    • There are “dial in” and “mobile” authenticators, which are not the same thing. Bliz might want to clarify their verbiage on them, as most fans seem to use the terms interchangeably, and think they’re fine when using the wrong one.

      “While the dial-in authenticator can be a helpful addition to your account security by attempting to detect fraudulent login attempts, it is not the same as the physical and mobile authenticators which require a unique code be generated from the physical or mobile device to allow access to the account.”

  3. The last blue you quote has been misunderstood by you.
    The mobile authenticator is fine. It is the dial-up authenticator which does not work for DIII. The blue is just trying to make a clear distinction between dial-up and mobile.

  4. Thanks for the update! I think there’s an error in your report though – you’re saying the smart phone authenticator doesn’t work for Diablo III, if I read correctly. This is wrong, as your last two Blue quotes show. The Dial-In authenticator does not work. The mobile and physical one offer equal levels of security.

    I’ve been using the mobile one as well and have not experienced any problems with it, btw. 

    /edit – hehe, I seem not to be the only one pointing this out.

  5. The iPhone/Android app is virtually the same as the key-chain authenticator! There is a dial-in thingy for WoW only but that’s completely different. Thus using the free(!) apps is as good as buying the key-chain – please don’t confuse people by saying it is worse or doesn’t even work for D3.

  6. This site’s forums were compromised for quite a while… A Trojan was being uploaded via unsecured browsers/PCs and those threads were simply deleted. Flux, I’m pretty sure you can count yourself indirectly responsible for a couple of hacked guys. Start taking your site security more seriously.

    • These issues aren’t the admin’s faults directly, but I agree that it is extremely troubling. Forum users should determinately seek out noscript, or reasonable active AV, like microsoft security essentials.

    • The issue I think you are pointing out was a vBulletin issue where vBulletin failed to plug a security hole in their software. Again, as soon as this was fixed by vBulletin it was fixed here, and forums were scaled back and turned off while this was an issue. Needless to say we watched it very closely and dealt with it right away when it happened. Sadly not even paid software is 100% right all of the time, which is very frustrating for us.

      However, none of these hacking issues going on right now with Diablo 3 are related to this which happened a couple of months ago.

  7. The rollbacks are a really nice fix. Because really… this is your fault, if you got hacked. I am a security professional, I work in malware, and deal with rogues and this exact sort of shit, sans video games, day in and day out. If someone asks you for your password, send them a picture of muddy dicks. If someone asks for your login, send them a pic of muddy dicks. If your password is abc123, send yourself a picture of muddy dicks.
    Look, email addy’s are public in lots of places. If yours has an easy to guess password, you didn’t get hacked, you got jacked. If you share your password, you got jacked. Hacked is like, someone literally stole your password with mad wizardry, and I am not familiar with anything doing this specifically for D3, although I imagine it’s possible, if you’re an idiot.

    Because really… 99.99999% of the time, this crap is the user’s fault. I offer no apologies, this is how it is. It’s a jungle out here.

  8. “As for the Authenticator, get the actual physical device. The smart phone one 1) doesn’t work as well, and 2) doesn’t work at all for Diablo III.”
    Everybody rest your case. Another of Bli$$ard’s money making schemes.

    • Have you used the smart phone authenticator at all? No? Then don’t comment about it. It works just fine, the article is incorrect.

  9. The mobile authenticator does work!
    I have the mobile authenticator on a samsung omnia 7 with windows phone 7.5 installed and it works!
    The thing is that you have to enter the code before the time limit has passed/bar reaches full length otherwise it will regenerate a new code.
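The time limit described in the comment above is the time step of a time-based one-time password: the code is derived from the shared secret and the current 30-second window, so a code typed after the window rolls over no longer matches. The block below is an added example written for this page, not Blizzard’s authenticator or any code from the original thread; it implements standard RFC 4226 HOTP / RFC 6238 TOTP (the assumption is that the authenticator behaves like a generic TOTP token) and shows how a server verifies a code with a small skew allowance.

```python
import hashlib
import hmac
import struct

STEP = 30   # seconds per code window (RFC 6238 default)
DIGITS = 6

# Shared secret from the RFC 4226/6238 test vectors; a constructed demo key,
# not any real account's seed.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_unix: int, step: int = STEP) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the epoch."""
    return hotp(secret, at_unix // step)


def seconds_left(at_unix: int, step: int = STEP) -> int:
    """How long the current code stays valid (the 'bar' in the authenticator app)."""
    return step - (at_unix % step)


def verify(secret: bytes, code: str, now_unix: int, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current window and +/- `skew`
    neighbouring windows (clock drift, typing delay). Uses constant-time compare
    so timing differences do not leak partial matches."""
    counter = now_unix // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-skew, skew + 1)
    )


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: 1 second before the window rolls over
    code = totp(RFC_TEST_KEY, t)
    print(f"t={t}s code={code} valid for {seconds_left(t)} more second(s)")
    # Typed one second later the window has changed; skew=1 still accepts it,
    # a strict server (skew=0) would not.
    print("accepted at t=60 with skew=1:", verify(RFC_TEST_KEY, code, 60, skew=1))
    print("accepted at t=60 with skew=0:", verify(RFC_TEST_KEY, code, 60, skew=0))
```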

  10. I don’t understand how hackers can hack the accounts if you are playing in a public game.

    I have a question regarding this problem: is it safe to play with my friends? I have the mobile Authenticator attached to my account and I have a strong password.

    Well, I think it is strong because I have numbers, capital and non-capital characters in it.

    Also, malware and spyware problems: I scan my computer regularly with the free version of Malwarebytes and I use the full version of Nod32 as well, and when I log in from a public computer I always wipe out the history and the cookies from the web browser. What else can I do to make my account more secure?

    • Sorry to have to tell you this, but Blizzard doesn’t recognize upper or lower case in passwords, i.e. AaA is the same as aaa or AAA to them.

      • Wow….
        I found this hard to believe and just logged in to check, and you are absolutely correct!
        This is ridiculous.
        This enforces the need to use long passwords instead, use several lines from a poem or a story you like.

        • or, the authenticator? $$$

          I do find it hard to believe that blizzard, of all companies, doesn’t properly check capitalized letters in passwords.

      • I didn’t say it right, I don’t use a public computer for logging in, I just use a computer at my work for email and such. It is a shame that Blizzard doesn’t check the capitalized letters properly! 👿 I will change my password to a more complicated one then, thanks for informing me about this!

    • There are indeed many, many claims of magical hacks by people who are absolutely certain it wasn’t anything on their machine that led to the problem. Even if we unwisely rule out the strong possibility of some angry trolls throwing blood in the water for their own amusement (consult the D3 reviews on metacritic if you doubt such people exist online), just because someone believes they were hacked doesn’t make it so.

      Not that everyone is lying, as some people can legitimately believe it, but as another commenter said in this thread, and as Azzure and others I know who actually work in IT say, it’s the user 99.999% of the time. This might well be the .00001% when that’s not the case, and I’m certainly not one to blindly accept the word of Bliz PR about anything, but I’m very skeptical of these divine intervention type hack claims.

      Besides, even if the sky is falling, then Blizzard is working frantically to fix the problem, and there’s nothing we can do on the user end about that. What people can do is make sure they don’t have a trojan or virus or fall for some social engineering, which is what claims 99.99% of “hacked” victims, which is why I focused this post on that.

      If it turns out that there really was a hack via, I will certainly post news about it, and reference it whenever possible from now until infinity.

      • People are exonerating Blizzard too fast IMO, especially with the aid of fanboys in shiny armor defending them from all forms of critics. I agree that the most probable cause for the hacking is keyloggers, but I really think it is weird that so many people were hacked at the same time. Dumb players are always compromising their own accounts, why would the hacking reports increase so subtly like that?
        Another point is that if it was really a security breach in 2.0, would Blizzard really report the problem to us one week after the launch? That’s extremely bad publicity for the game.

        • My opinion on the reason for the spike in reported hackings is twofold:
          1) Huge influx of players, including lapsed WoW players who haven’t logged on in a while. They have been compromised for a long time now but weren’t logging in to WoW, so nothing happened until they logged in to D3.
          2) Smart keyloggers have been salivating about RMAH and “hoarding” hacked account info waiting for D3 to launch so they can snap up gold and equipment to eventually sell on the RMAH.  The end game for these hackers is always to take what they steal and sell it to stupid players on the sly, but until now they’ve been at risk on both the acquisition side and the selling side.  With RMAH they can legitimately sell, so I bet a lot of hackers saved up compromised account info for the D3 launch.

      • You actually expect a publicly traded corporation to admit fault without a judge ordering so?
        This will never happen. Blizzard knows what is going on, but they’ll never admit it, because it would admit fault, and admitting fault opens you up to liability and lawsuits. One could take years to go through the legal process to get the internal memos about what is really going on, but by that time I’m sure the exploit will be fixed.

        There is a big security hole. The only way to avoid it is to avoid public games and adding people to your friends list that you don’t know. I know people in my large guild who have an authenticator and who have been hacked. They also had people they didn’t know on their friends list, and played public games. Because the game lacks guilds, we were adding everyone via friends list and thus, he probably accepted people he thought were guild members but weren’t.

        Either way, there is an exploit, an authenticator won’t prevent it, passwords are not case sensitive, and Blizzard will never admit fault due to legal concerns. They also won’t launch the RMAH until they fix this exploit, because once you involve real money, then you are dealing with theft that a court will most definitely be interested in the security holes. Blizzard doesn’t need a class-action lawsuit.

        So the fanboys are just doing a disservice to everyone by shoving their heads in the sand and pretending like there isn’t an actual security problem. And Blizzard is doing a disservice to their customers by not warning them to avoid adding people to your friends list that you don’t actually know.

        Just wait, a YouTube video will be up soon showing someone access another players account via the friends list, and then the exploit will be seen by all. 

  11. I disagree with the OP that key logging of your computer is the main cause of hacking. I worked in IT server security for more than 20 years and you know what causes the MOST hacking in online applications? 1. Mail phishing: you click on a link in a mail, you enter a fake website and you give your ID and password. Plain stupid. 2. Friends… In fact friends playing on your account is the biggest threat of all. 3. .exe runs in mails and illegal ftp sites. In all 3 cases you have to be a real idiot to fall for this. As for the multiplayer session IDs: NO, it simply can not. 1000% sure, since those port comms can not be cracked… Or there simply wouldn’t even be an internet alive. Of course it is easy to blame Blizzard for your stupidity, the problem simply is… by now almost 7 million people are playing and a few dozen of these 7.000.000 are not so bright OR simply are furious that Blizzard yet again launched another blockbuster and they hate the success. IGN rating of this game is 9.5 and I have to say it is 0.5 too low. Get an authenticator if you belong to the 3 categories of idiots mentioned above. Period.

    • Yep it usually is an idiot that either A: logged on to a fake website and so gave their password away.
      B: they downloaded something to their computer that harvests the info from either a website or an email (and reports it to the hacker).
      C: they got a lame-ass password like abc123 or password that can be easily guessed.
      D: they shared their info with a friend at some stage and haven’t changed the password since then, so when that friend decided to nick all their stuff they could do it in seconds.

  12. I can’t believe how some people believe everything Blizzard says. I’m quite disappointed in Blizzard and those fanboys. I know 2 people who got hacked, one of them could have been a keylogger but the other one definitely knows how to secure his PC. Blizzard told him that it was his fault, of course. But it’s getting worse. In order to get the items on his account the hacker added himself to the friends list and was the only unknown name on the recently played list. This guy is still logging in, every day since he hacked dozens of accounts, his name was posted several times in the forum. It’s just sad that it looks like he gets no punishment and the only one punished is the user who got hacked, first by being accused by Blizzard that it is his own fault and then again by seeing the hacker online all the time, maybe because he is clearing out more accounts. If this would happen in a game from a smaller company it would get bashed by every site and user, but Blizzard can get away with these lies. And yes, I enjoy Diablo 3 and have enjoyed Blizzard games since “The Lost Vikings” and I would not say anything if Blizzard just could be honest and say “We have a security hole and are fixing it asap. Sorry for the inconvenience.”

    • Even someone who ‘knows how to secure his PC’ isn’t immune to new viruses/malware etc.

      Also – if he hasn’t got an authenticator, then he certainly isn’t that good at securing his stuff! 

  13. Blizzard is full of shit because they completely fail to recognize the large amount of people who’ve been screwed over with physical authenticators.

    • You have specific examples I assume?  All the claims I’ve seen of physical or mobile authenticator cracking have been refuted by evidence that the authenticators weren’t added to the account until after the hacking.

  14. Wall Street uses my greed against me? Seriously Flux, I come to this site to learn about gaming and for 12 years I’ve grown to respect its creators/moderators.

    -1 for that one. 

  15. They have publicly stated that there have been zero incidents of someone gaining access to someone else’s account through public games. Not a statement with spin, but a direct statement that this has not occurred. When you’re a publicly traded company (or even if you’re not) you simply cannot make knowingly false statements like that. There’s WAY too much risk. Consider this: 1) There’s an exploit. Blizz shuts down public games, announces they discovered an issue, and in essence comes clean. Downside: turns off a lot of players, dampens future sales of D3, co-op suffers a huge blow and never really recovers. 2) There’s an exploit. Blizz decides to play the Nixon card, covering it up like nobody’s business. Meanwhile, hacks go on and on and affect RMAH transactions too. Real money being lost. Eventually the truth leaks out – it always does, there are too many people who would all have to be kept quiet – whether through a whistle-blower or a YouTube vid by a hacker. Blizz is now sued in a class action and could lose the whole company. Since they are making the statements they are, do you honestly think it’s option 2? Really? Take off the tin foil hat for a bit, let your dome get some air… is it more likely there’s a vast conspiracy, or more likely that people’s anecdotal accounts of how they got hacked are exaggerated and designed to shift blame off themselves?

  16. Funny that those who supposedly got hacked with a keylogger had no issues after changing their password. If they had a keylogger, shouldn’t the hacker get the new passwords again? :p
    Authenticator? BNET Passwords are not even case sensitive which is a standard for years, I can’t trust in a security tool made by a developer who doesn’t even know the basics of password security.
    Btw why should the hackers say something right now? These guys are still online, they did not get banned or anything. They are still online as everyone who got hacked can see in their recently played list.
    Next week comes the big loot for them. Why announce now how they did it, if they could exploit it again as soon as millions of players use the Real Money Auction House? If I was a/the hacker, I would stay low and wait for the big loot coming soon.

  17. I wouldn’t be surprised to find out that a lot of these people used the same login information for their Bnet accounts on other web forums. It happened before with WoW, so it’s not an outlandish idea that it could happen again. Hackers probably had a long list of potential accounts to break into and they just ran through their list after the game went live.
