59 thoughts on “Diablo III Accounts Being Hacked”

  1. Yer this happened to a mate of mine, all his chars deleted. This has been a VERY rocky start for Diablo 3 so far.

      • You have to live in the US to use the free authenticators, if I remember correctly.
        The key question is how those accounts are being hacked. If it’s keyloggers then I don’t care about their problems, but it’s really frightening if hackers are managing to discover passwords, even if they are weak, by using brute force or any technique like that.

        • Hmm, I’m not a hacker so I don’t pretend to know how to do this stuff, but I know a real good hacker. He’s been my friend for 9 years. I’ll ask him 🙂

    • His characters were probably not deleted. There is a bug that switched people to another region. All your friend needs to do is switch it back to the region he had his characters on and they will re-appear.

  2. Probably posting in the chat doesn’t help as it uses your account tag doesn’t it?

  3. I was thinking it most likely that the account information is being snagged through WoW addons that have keyloggers in them.

  4. Mobile Authenticator is free for anyone who has an iPod or uses a smartphone with Android. Or it costs $0.50 for everyone else.

  5. Sorry but the example is kinda fake. IF the guy’s account was hacked … he would not be able to log in and change his password again.

    Simple as that.

    I am not saying the hacking is not present, only that this guy’s story is faked, as the hacker will always change your password so you can no longer enter and he has full control of the account.


    • No they won’t.
      I had my WoW account hacked a few months ago and whoever hacked it did not change the password for some reason.

    • Unless the hacker didn’t change the password and wanted the poor sap to go through the process again to get good loot and then go back and re-hack him.

    • The hackers aren’t out to cause misery, they are out to steal what they can sell for profit. It was very common for people to get hacked in WoW without their passwords being stolen.

      It would be like a burglar stealing all your valuables, and then changing all the locks on your house. There’s no point.

      • That was back in 2005, this is 2012 new state of minds. How do you know hackers haven’t changed their MO’s? 🙂

  6. Hang on, why does the authenticator cost $6.50 in the US and £8.99 (just over $14 at the current exchange rate) in the UK? I’m used to an exchange rate of $1 to £1 but this is just excessive. The euro rate gives $12.76, still too high but slightly better than the UK.

    Plus there is no Diablo one, just Starcraft.

  7. There is a theory on this posted on the bnet forums….
    The current theory is hijacking session identifiers. Basically, every time you complete a mission, get an achievement, etc., your client communicates with the server but doesn’t have to go through the authentication servers. If I hijack one of your session IDs and submit it through my client instead of my own session ID, it would kick you off and essentially let me take over your account without ever having to type in a password… since it doesn’t go through the authentication server the client doesn’t report it as a compromised account.
    If true this is really, really bad.. wtf are they thinking

    • If this is true you could have authenticators, SMS message security, and a 100-digit password with letters, numbers, and symbols and your account could still be hacked.

      From my light skimming it seems even people with authenticators are being hacked.

      I wonder what Blizzard will do when the RMAH is launched and hundreds of people are not allowed to use it because their accounts were hacked before it was even live. It’s a two-strike rule right now, right?

    • It always amazes me how willing people are to believe the most idiotic theories spread on Battle.Net.
      I guarantee you no-one with an authenticator has been hacked.
      I haven’t seen the BNet protocol but I have several hats, and I will eat all of them if the D3 servers blithely accept a new source address/session ID tuple as evidence that the session is still valid but has miraculously migrated to a new client. Much more likely is that the session is immediately binned, the account in question is thrown off the network, and both source IPs are immediately flagged as suspicious.

        • So? Why do you believe them? Much more likely is one of:
          – Their account is much less secure than they think it is
          – They’re mistaken
          – They’re lying, because they can
          – They’re using spurious hacking reports to validate support claims to get their stuff back
          – At the very worst, it’s possible that the D3 back-end still has bugs causing people to lose their stuff.
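A defender-side sketch of what the reply above expects a game server to do: session IDs are minted only by the login step, bound to the source address they were issued to, and binned with both addresses flagged when the same ID arrives from a new source. This is added example code, not Battle.net’s protocol or any Blizzard code; the in-memory store, account names and addresses are constructed.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    account: str
    client_ip: str  # source address the session was issued to
    issued_at: float
    revoked: bool = False


class SessionStore:
    """Constructed in-memory session table standing in for the game server's state."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.suspicious_ips: set[str] = set()
        self.kicked_accounts: set[str] = set()

    def login(self, account: str, client_ip: str) -> str:
        # Only the authentication step mints IDs: 128 bits from the OS CSPRNG,
        # so an ID cannot be guessed or forged, only stolen from a client or the wire.
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(account, client_ip, time.time())
        return sid

    def validate(self, sid: str, client_ip: str) -> str:
        """Classify a request carrying sid from client_ip as ok, unknown, or hijack."""
        sess = self.sessions.get(sid)
        if sess is None or sess.revoked:
            return "unknown"  # never issued, or already binned
        if sess.client_ip != client_ip:
            # Same ID from a new source: do not migrate the session. Bin it,
            # throw the account off, and flag both addresses for investigation.
            sess.revoked = True
            self.kicked_accounts.add(sess.account)
            self.suspicious_ips.update({sess.client_ip, client_ip})
            return "hijack"
        return "ok"


def demo() -> list[str]:
    """Legitimate client, then a replay of its ID from another address."""
    store = SessionStore()
    sid = store.login("player_one", "198.51.100.7")  # constructed values
    return [store.validate(sid, "198.51.100.7"),  # ok
            store.validate(sid, "203.0.113.42"),  # hijack
            store.validate(sid, "198.51.100.7")]  # unknown: the victim is kicked too
```

Binding to the source IP alone produces false positives behind carrier-grade NAT and on mobile networks, which is why production systems usually bind to a stronger client fingerprint and force re-authentication rather than kicking outright.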

  8. That is why I decided to finally install the Mobile Authenticator yesterday. With the ridiculous amount of play time a game like this requires, it is the least I can do to protect myself. The Authenticator works like a charm and now someone will get access to my account only if he ganks me and loots my Legendary phone.

  9. Yesterday my antivirus detected this site having malware.

    I have a feeling that if you logged on here using the same email/password, whoever added the malware got your details.
    It makes sense, because this is such a high traffic site to target as well.

  10. “Don’t use that password for any other site”

    Does anyone do this? Do you, Flux? Do people actually use a different password for every site they register on? Maybe if they’re on 4 sites that’s possible, but for real people I don’t think this is legit advice. I can see what’s good about it but there are the obvious downsides that make it impractical and therefore pretty useless.

    • You can be practical and have different passwords for things that are actually important.
      Your email for example should never ever ever share a password with anything else.
      Then for stuff that you don’t really care about (logins to various gaming forums or whatever) you can use a shared password.

    • I use tons of different passwords for different things, and the same passwords for some things like forum logins or registrations on sites that aren’t anything important to me. For things that are important, like online banking or PayPal or my D3 account, I use unique passwords for each.

    • Get LastPass. All your passwords can be completely random crap, and you don’t have to remember a thing.
      That said, it doesn’t work in programs outside of browsers (maybe it does if you get the premium version). So it wouldn’t necessarily be viable for Diablo.

    • Of course it’s legitimate advice and I’m sure there are ‘real people’ out there that have different passwords for different things for obvious reasons.

  11. Never use the same password for any two accounts anywhere. Always make sure your password is at least 9 chars long and contains alphanumeric chars and brackets/quotes/special chars.
    I use KeePass to generate and store passwords, and its autotype feature is very handy – it fills login forms itself (works with Diablo too).

    @JWBS – at least create unique passes for your valuable accounts, and you may have a single pass for all your ‘trash’ accounts.

      • I don’t believe his entropy estimation is correct. The choice of words is not truly random, some are used much more frequently than others. An attack crafted specifically against long dictionary-based passes can be optimized in many ways to reduce entropy.

      • Whatever works for you, as long as you are not using the name of your pet, that’s already a good start. I’ve been using different passwords for every single place I need to log in, using the gibberish password method (which looks like this: jrbRC&3386g). I haven’t had a problem with that yet. They are not trying to hack a password for a zip file; I’m positive that Blizzard has a system in place to detect brute force methods, so even if your password would take 3 days to get instead of 550 years, it’s a very unrealistic scenario that they would be wasting all this time on a single account. Usually they use the social engineering methods Flux described: they get a whole bunch of user/pass pairs and then they sell them or distribute them. The script kiddies will try the user/pass pair, and if it doesn’t work they will try another user, because it’s much faster that way.
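The entropy objection raised in this thread, as an added worked example (not from any commenter): the same passphrase looks far stronger when every dictionary word is assumed equally likely than when the skewed real-world word frequencies are used, and the figure a defender should plan around (min-entropy, set by the most common word) is lower still. The word list and counts are constructed toy numbers, not corpus data.

```python
import math

# Constructed word-frequency table (toy numbers, not corpus data): one word
# accounts for half of all uses, the two rarest for 1/64 each.
WORD_COUNTS = {"password": 32, "dragon": 16, "diablo": 8, "cat": 4,
               "blue": 2, "zephyr": 1, "quartz": 1}


def naive_bits(dictionary_size: int, words: int) -> float:
    """Entropy claimed when every word is treated as equally likely."""
    return words * math.log2(dictionary_size)


def shannon_bits(counts: dict, words: int) -> float:
    """Average-case entropy from the actual (skewed) distribution."""
    total = sum(counts.values())
    per_word = -sum(c / total * math.log2(c / total) for c in counts.values())
    return words * per_word


def min_entropy_bits(counts: dict, words: int) -> float:
    """Worst case for the defender: a guesser who always tries the most common word."""
    total = sum(counts.values())
    return words * -math.log2(max(counts.values()) / total)


def expected_guesses_per_word(counts: dict) -> float:
    """Mean guesses to hit one word when the attacker tries words most-frequent first."""
    total = sum(counts.values())
    ordered = sorted(counts.values(), reverse=True)
    return sum((i + 1) * c / total for i, c in enumerate(ordered))


def compare(words: int = 4) -> dict:
    """All three estimates for a passphrase of `words` dictionary words."""
    return {"naive": naive_bits(len(WORD_COUNTS), words),
            "shannon": shannon_bits(WORD_COUNTS, words),
            "min": min_entropy_bits(WORD_COUNTS, words)}
```

With this table a four-word phrase drops from about 11.2 claimed bits to 7.9 average-case bits and 4 bits against a frequency-ordered guesser, which is the optimisation the comment above warns about.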

  12. The sad thing is, a lot of these accounts that now got accessed were probably hacked months, possibly even years ago, when their WoW accounts didn’t have anything worth stealing. Now that they’re playing D3 and getting stuff, the hackers are using their old hacked password database for something new. You should change your password regularly, and not use the same password twice.

  13. I think that the authenticator will prevent 90% of these hacking cases. Use it guys

    • More than 90% – I can’t understand why people don’t use them any more. Also, in case anyone is worried, you don’t have to enter the code each login from the same machine. It’ll ask you on any new machine you use, and also every week or so in general

  14. Could be a huge security hole, or backdoor method. We’ve seen this in other games, such as Guild Wars. At this point, who knows what the cause is. May be user related, or may be on server side, which we know hasn’t been reliable.

  15. n00b hackers, who gets all them account details only to use in the first week? LOL even when there’s no RMAH, ROFLMFAO.
    Soooo funny. Not hackers, just unintelligent script kiddies. L2P

  16. Don’t worry.  Having online-only will surely stop all of the hacks/dupes/piracy.

    I said don’t worry dammit!

  17. I don’t trust the mobile authenticators. I bought a physical one as soon as they were made available. I’ve never had my D2, WoW, or D3 account hacked, ever. I would highly suggest that those with the extra $7 invest in a physical authenticator.

  18. Pretty sure this is on Blizzard’s end. The first time I played a co-op game to beat an end boss, I killed the boss, logged out and went to work. When I logged back in my char was empty: no items, no stash, no gold, no crafting supplies. And a second char I made and got to level 3 was selected instead of the last char I played. My password was unchanged. The account was new and the password was one I never used before. From personal experience it wouldn’t surprise me if someone has hacks that take your session ID.

  19. I can personally confirm that accounts with a physical keychain authenticator have been compromised. I’m looking at my authenticator while I type this, and just logged into my D3 account to find my character stripped and my stash empty. Needless to say, I’m not happy.

  20. “…and not just because Blizzard sells them for $6.50.”
    I’m pretty sure Blizzard makes little to nothing off of the authenticators. Especially considering they ship them overnight FOR FREE in the US. I’m as ready as the next guy to gaze suspiciously at Blizzard’s motives, but in this case, I’m convinced that they are selling them at cost, as a service to strengthen the security of their system. In fact, they probably lose money on the authentication program as a whole, since the mobile version is free, and that code didn’t write (nor does it maintain) itself.
    Bottom line, $6.50 is a steal.

  21. HAHAHAHAHA there you go Blizzard!!! everything is more secure when it’s online-only huh??? suck shit now and put offline SP back in while you’re at it, there’s no reason to delay it any longer

  22. Should make new front page warning about this hack:
    Nothing will help you, they can bypass all securities and take hold of your account!

  23. My entire battlenet account email was moved to some rando [email protected] without any of my consent. Blizzard’s contact pages are all based around logging in with that email…

