Scary Facts on D3 Account Hacking

      • So, in other words, this blue post is just corporate bullshit to assure everyone that everything is fine and that it isn’t their fault, and that they’re doing something about it, and that your real money will be safe, and that the…

  2. This is really good information that I wish everyone would read and I’m sure very few will, and even less will take it to heart.  At one point I felt like I was invincible and that I couldn’t be hacked, but then one day it happened (not in D3).  It happens.  It sucks.  Sometimes it really sucks.  Deal with it.  Get over it.  Take more precautions to make sure it doesn’t happen again.

    • That’s not actually correct, or fair.

      Blizzard are not “providing a backdoor”. They are allowing people (in this case thieves) to log in with the correct username and the correct password, regardless of how that username and password were obtained.

      They also acknowledge that “single-factor” authentication of that kind is not particularly secure, and actively encourage the use of a multi-factor system (the “mobile authenticator”).

      Blizzard can’t protect users if they decide that single-factor (password only) authentication is sufficient for their account, and then have their password compromised through a back-door provided by Adobe, Microsoft, Phishing, Trojans, SQL-injection-on-some-crappy-PHP-site-they-used-the-same-password-for etc. etc. etc.
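The reply above draws the line between password-only login and a second factor. The following is an added example, not code from the thread or from Blizzard, showing the two models side by side: a password-only account accepts any correct password however it was obtained, while an account with a TOTP second factor (the RFC 6238 scheme that mobile authenticator apps implement) refuses the same stolen password without a fresh code. Account names, passwords and the TOTP secret are constructed test values; the secret is the RFC 6238 test-vector secret so the expected code is known.

```python
"""Added example (not from the original thread): password-only login versus
password plus a TOTP second factor. All account data below is constructed."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the store never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample account store (hypothetical users, not real accounts).
ACCOUNTS = {
    "player_pwd_only": {
        "salt": b"salt-one",
        "pw_hash": _hash_password("CorrectHorse", b"salt-one"),
        "totp_secret": None,                     # single-factor account
    },
    "player_with_mfa": {
        "salt": b"salt-two",
        "pw_hash": _hash_password("CorrectHorse", b"salt-two"),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    },
}


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, then the
    RFC 4226 dynamic truncation to a 6-digit code."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login(username: str, password: str, code: Optional[str] = None,
          now: Optional[int] = None) -> bool:
    """Return True only if the password matches and, when the account has a
    TOTP secret, the submitted code is valid for the current time step."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    submitted = _hash_password(password, acct["salt"])
    if not hmac.compare_digest(submitted, acct["pw_hash"]):
        return False
    if acct["totp_secret"] is None:
        # Single factor: a correct password is enough, wherever it came from.
        return True
    if code is None:
        return False
    now = int(time.time()) if now is None else now
    # Accept the current step and one step either side to absorb clock skew.
    for skew in (-1, 0, 1):
        expected = totp(acct["totp_secret"], now + skew * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    t = 59  # fixed time so the run is reproducible
    print("password-only, stolen password:", login("player_pwd_only", "CorrectHorse"))
    print("mfa, stolen password, no code:  ", login("player_with_mfa", "CorrectHorse", now=t))
    print("mfa, stolen password, real code:", login("player_with_mfa", "CorrectHorse", totp(b"12345678901234567890", t), now=t))
```

The point of the `now` parameter is only to make the run reproducible; a real verifier uses the wall clock and should additionally remember the last accepted counter per account so a code cannot be replayed within its window.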

  4. I have a question.

    How are characters being stripped?

    The system has no inter-character mail, and no persistent games, right? So then is the only way to transfer items to drop them on the ground in a game with another player? And doesn’t your friends tab track who you recently played with? Wouldn’t that mean that a hacker can’t steal someone’s items without revealing the identity of the hacker’s own account? (Eventually – even if they chained items from compromised account to compromised account, the only way to get the value of the items to the hacker is eventually to use the hacker’s own account, no?)

    Or am I missing something obvious? 

    • I imagine they use additional hacked accounts to pass things along several times, do transfers in public games, etc, and then slap things into the AH as soon as possible, to convert them to gold, which is then further laundered.  Once the items have been passed on Blizzard can’t do much, since they’d be penalizing other players who weren’t hackers and bought X and Y in the AH without knowing it was stolen.

    • How do Blizzard support actually know if they are hackers?
      For all they know, it could be that you traded with them and then asked support to recover the items.
      By the way, it could very well be that the account it is transferred to is also hacked.

      • This is exactly why, when the RMAH comes online, it will require you to use an authenticator after the first time you lose your stuff. And people will complain about that too. Like everything else, folks who can’t look after themselves make life worse for everyone.

        • You get a time out from the RMAH the first time you’re hacked. Second time, you are banned from the RMAH until you buy an authenticator. I’m surprised they don’t just proactively ban non-authenticator RMAH use altogether.

          If someone got their account hacked, and support discovered that they had malware/virus/trojans on their system, support should say, “Too bad. So sad. Your account is gone forever. Next time:

          1) Get proper protection for your system (AV, Firewall…)
          2) Quit downloading porn or warez
          3) Quit being so F’in gullible and clicking on links when “Blizzard” sends you an email stating that they need your account name and password.”

          • I dunno man, I just got hacked, right after I’d cleaned my PC.  Apparently from Indiana.  And they also got my gmail through bnet.  I’m confused and pissed.  Luckily I didn’t have anything worth shit so I only lost a few mediocre items, but still…

            I never used any third party programs.  I never played in a public game.  I never used either auction house.  All of my programs (except itunes which my wife put on the damn computer) are up-to-date.  I’m not a porn-hound.  I don’t download torrents or anything remotely illegal.  What the heck happened?  Anyone else have this experience?

            Before it happened to me, I scoffed at all the people who were complaining; I’m careful, I’m not a computer genius, but I know enough to keep malware off my computer.

            So, anyone else?  Or am I just damn unlucky? 

    • When a friend of mine got hacked, he found the culprit (or a puppet of the culprit) on his friends list. So no, you’re not entirely off-base. Let’s just hope that Blizzard thought of this ahead of time and has some way to identify the problem accounts and ban them.

  5. Frankly, I’d rather find out I had malware on my PC via a lost D3 account than lost email/CC/PayPal/Bank information. My lack of authenticator can be seen as a canary.

    • Yep, the one thing you don’t want is for the hackers to get access to something where they can spend every penny you got on stuff.

  6. There’s still many spreading rumours that it’s that’s been compromised, passing it on as fact that thousands or sometimes even tens of thousands of players are posting they’ve been hacked despite their computers not being compromised. While I’m sure there’s people who’ve been compromised, the rumor spreading and fanning of flames almost seems organised.

  7. Excellent execution, Blizzard. We go to the store and spend $60.00 + tax to buy Diablo III – a game that has been in development for years upon years. Then, we play a game with an auction house that lacks commodities at the moment and there is currently no PvP. Let us not forget that there is no RMAH at this time either. We were sold an incomplete and thrown together game. You guys really think this is an excellent, outstanding game? Game of the Year candidate? Really? This is pathetic. Accounts hacked, extreme lag, bugs, annoying quests, and you are really satisfied? You may call me nostalgic, but I wouldn’t mind a secure atmosphere to play in. If Blizzard cannot fix this, DIII will fail and prove to be the biggest FLOP ever, and everyone will go back and make a hammerdin on D2. Usually, when I spend $60.00, I expect a finished, well-polished product that lasts. This game has already begun to erode, and it is still so young. Time is the greatest test – we will see.

    • If you’d like a secure atmosphere to play in, scan your computer for keyloggers and trojans and get a free mobile authenticator.

      Or just rage more on the internet and feed us with your tears. 

      • Aww, yet another devoted Blizzard fanboy. Please try to construct a sound argument before replying. You sound like a complete idiot with the personal attacks. I have not been hacked. My computer has never had malware or trojans on it, because I know how to take care of a computer. Blizzard is wrong and at fault here, not me. They completely denied the allegations in the first blue post concerning this issue. By doing so, they called every hacked individual a liar – what a company! I’ve never had a company call its customers a liar before, whether it was implied or not. Now, good paying customers are risking being hacked and are playing an INCOMPLETE game. What about incomplete do you not understand? This is not a finished game. It will be finished when all the account hacking ends, the auction house functions at 100%, and PvP is patched. That will be a start.

        • When there will be some account you may have a point.. but for now you are just a random average whiny kid on the internet.. classic..

  8. I was infected once with a bootlogger program after downloading a no-cd.exe file for Crysis. I noticed it immediately and tried to remove it with no luck. Finally just re-formatted my hard drive and re-installed Windows.
    It immediately returned. Took me days to eradicate it.
    Turned out it could spread via flash drives, other hard drives, infected .exe files, and other computers on my home network.
    So when anyone says that they are perfectly safe from malware…..then I don’t believe them.

    • Yep, we had a computer at work that had been compromised with e-mail account getting hacked. If there were any suspicious programs they’d been hidden well, and 5 different anti-virus and various malware programs were unable to recognize any threats. Finally we gave up and just formatted the sucker as there was no other way to eliminate the culprit.

      Most people think if they run an antivirus program they’re safe. Afraid you’re not even close to being safe.

  9. I agree that “Compromised” is the word……for now. There will be hacks and dupes eventually, people just do what you can to ensure your safety. Blizz are being really good about this and I feel some pity for them.

  11. Flux: In light of this information, what is the position of on gold sellers, and will you continue to run banner ads for them?

    Edit: I see that your banners are Google ads. Does that mean you can’t control which ones display?

    • To my knowledge Google Ads picks what it wants to show based on the ad’s tags, the money it will generate and the type of website it is. Since this is a Diablo fansite we get ads for gaming and any ads with Blizzard tags etc.

    • We don’t allow links to hacks or gold sales sites in the forums, we don’t run ads for gold or item or character hacks/sellers in D2 or WoW, and we remove such ads when they show up. Elly and Rush have turned down very high bids for their entire network from gold sellers who have bought some major WoW sites, which (amusingly enough) remain in the Blizzard fansite program since the ownership is through proxies and the sites don’t run direct ads for the banned services.

      If you see any such ads, take a screenshot or at least send us the URL and info about it via the send news button. We can get ads removed from the automated feed, but we have to know about them first. Everyone around the world sees different ads based on your location, time of day, etc, and they’re all auto-served, so we have no preview of the ads and don’t know what you’re seeing, etc.

      • Excellent answer. Thanks for taking the time to respond, and for taking such an ethical position.

  12. Blizzard should have added an authenticator with each Diablo box sold. I propose to do this with the new WoW expansion too. FYI: what struck me is that Blizzard has proof that forum posters deliberately post false information about this security to fool everyone. So sad. The only ones laughing is the gold mafia who make dozens of millions of dollars by destroying the gaming fun of players. Diablo 3 and WoW are up to an uphill battle they can never win: sick hating trolls that create fake IDs on Metacritic, hackers that want offline playing modes so they sell illegal copies and create fake private servers, and the multi million dollar gold mafia that spew misinformation to hide their stealing (remember the lying around game ID multiplayer sessions). I guess these bandits even coordinate: tell Blizzard their account was stolen, then get the gold back to rerolling the avatar’s history….. If you still got hacked by now, you really are an idiot for not adding an authenticator!!!

  13. Excellent! Useful, informative, and concise. I’m more sure now than before that even BEFORE I try to go on-line I’m DEF getting a Real Authenticator for my Battle.net account.

  14. I was hacked. I didn’t have an authenticator. Even if you don’t think it’ll happen to you, you should get an authenticator, especially if you use a mobile device anyway and can get it for free. You might not think it’ll happen to you, but I didn’t think it’d happen to me. Consistent with other reports, I was cleaned out very shortly after reaching level 60 with a character, although I don’t know how long before that my account was compromised.
    I don’t click on suspicious stuff, and I’ve certainly never been directly to any gold-buying websites. My biggest concern is really that scans of my machine haven’t found a thing, so I’m concerned that I may still be at risk.

  15. Given all the attention this topic has gotten lately, I thought people might like to hear what an information security professional has to say. As someone who’s been in IT since before the franchise was launched and in Infosec since 2004, I hopefully have a relevant word or two to put in.
    Bottom line is that it seems Blizzard is doing a good job, but there’s room for improvement. They claim the compromises they’ve looked into are on the player’s side, and that’s consistent with what I’ve seen in other industries and cases. But that doesn’t mean they can’t do more. Whether they should is a matter of opinion, but I’ve got some advice if they decide to up their protections more.
    My full comments are here:

  16. I’m still playing the good ol’ D2. I really don’t care about D3. The bots now also spam about D3 gold selling and powerleveling and I was curious to see how in the hell they would power level someone. In the only website I searched it was saying for the user to give them their password and disable the authenticator so they can power level your char. Dafuq? Now I don’t know if they are stupid scammers or if the players are really THAT dumb to get fooled by an obvious thing like that.
    But anyway, gold and item selling is already strong in D3. Now I can laugh about fanboys that believed in all that Blizzardcrap making them think the RMAH would end the business of item stores. Why would anyone pay fees to an intermediary to handle the transaction if they are already used to buying items from legit item stores for more than 10 years already? Now I’m curious to see if alternative currencies (aka FG) will be used in D3, and I bet they will, and that will seriously screw the gold based economy.

    • I think you misquoted Kaltonis on the first point.  He said that every computer that had been hacked through a physical or mobile authenticator had tons of malware and backdoor programs and such.

  17. I mentioned this in a forum post, but for all those people who have gotten hacked I ask you 1 question. Do you also have or had a subscription to WoW? If I was one of these “hackers” and knew D3 was coming out with a RMAH, and the fact that, hey, a 1 year WoW sub gets you D3, and, let’s be honest, there is somewhere a big database of valid user/pass of WoW subscribers, then, hey, they just might have D3, play it and have gold/items I can strip to resell on that RMAH at a later time.

    Not saying those who do have bought “services” for WoW or did anything different to compromise their accounts, but considering it’s just 1 user/pass for all their games…  *shrug*
    I’m sure they have backup accounts they don’t compromise at that very moment, often with WoW subs, for later use… Just saying something to think about…

  18. I just finished changing all of my info after my account was compromised. I had both the Dial-in Authenticator and SMS messages activated naively thinking the “green checkmarks” next to both my security options in would be enough. I don’t play WoW, no virus, and definitely not level 60.

    I have 5 characters on D3. My highest level character is a lvl 16 and I had about 12k gold. They cleaned out the inventory, stash, and gold of the last character I had logged in with but none of the inventories of my others. My guess is some robot guessed at my password, but who knows. I have since changed my password, removed the Dial-in authenticator and switched to the mobile authenticator. I’ve started a Support Ticket and can only hope they’re able to roll back my characters to pre-theft. But, if not, it’s really no big loss. I had barely even started Act 2. My other characters had better gear anyhow…  guess I was lucky there  😐

    • Their turnaround was quite quick. Apparently every account gets 2 guaranteed rollbacks. So my first, and only, should be sufficient to get everything back! Thanks Blizzard!  😀

  19. How exactly do they steal account passwords?
    Keylogger? Couldn’t a virtual keyboard fix this problem?
    I mean my bank uses a virtual keyboard and never asks for the full password but for random letters from it.

  20. If one gets hacked it’s either a kid or a stupid idiot -_- End of discussion.

    One cannot get hacked if one does not share pass or acc info and uses an authenticator. Also if you use 3rd party software – to make your dear Diablo screen have darker tones…then you qualify for the second category >> that is stupid idiots.
    Do not give me the >> but I do not enter any suspicious sites, I do not show off on forums compromising my account etc. bullshiet.

    Other arguments are just random talking and nonsense.

    • Yeah, it’s pretty black and white, no grey in this argument. Every adult that gets hacked is a stupid idiot.  😆

      See, the problem with your reasoning of “One can not get hacked if it does not share pass or acc info and uses an authenticator” is that:
      a) I never share my account info
      b) According to I had two green check marks next to my security profile: 1) Dial-In Authenticator (notice the word Authenticator) and SMS Messaging

      In retrospect I recognize that the Mobile Authenticator and Dial-In Authenticator are in two TOTALLY different leagues. Not because I wasn’t paying attention, I simply chose one of two Authentication methods supplied. I have seen it suggested that they change the name for the Dial-In so it’s not considered an Authenticator. I would highly support this change. Because what they really have is one legit Authenticator (in multiple physical forms), and several notification systems for when you get hacked (although none of the alarms/texts/e-mails/dial-ins went off during or after my account being compromised). 

  21. Y’know how I could prevent my game account from being compromised? My single player game? By not having it require a fr’n online profile attached to it. I’d be perfectly happy with a single-player-only character, no AH, no accomplishments, no multiplayer. Would never be hacked. Man, what an innovative idea.

  22. This is just the beginning of a bigger problem yet to come when the RMAH update gets here. You watch and see how many accounts get compromised and their real money gets stolen. What will Blizzard say then? It is your fault again?

  23. Mhh, strange. I was hacked too, a char and the stash was completely empty and I HAVE/HAD the mobile authenticator activated. No password change, no message on my mobile. So, what’s wrong?  Anybody must know both my battlenet email address AND the password. Never clicked on emails or something else. And believe me, I surely played in public games and screamed around my email and pw.
    So, what’s up Blizz, how can they catch this information? For me, I feel absolutely not secure atm.
    Thumbs up for the support. Fast reply, fast help with a rollback. So I lost time, but not all items and my playtime…
    We will see, I hope they address the issue very fast.

  24. I was hacked by a backdoor application. A trojan got through my anti-virus shield and allowed remote access by an external user. Unfortunately, I’d left my D3 account logged in, so the hacker didn’t even need to crack through my password and authenticator. I felt the need to post because I do in fact have Authenticator set to “always ask”, so don’t feel safe behind it.
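Comment 24 describes the gap an authenticator does not close: a session that is already logged in can be driven by whoever controls the machine, with no password or code ever entered. The following is an added example, not code from the thread or from Blizzard, of a toy session model with the two server-side controls that shrink that window: an idle timeout that ends abandoned sessions, and step-up re-authentication that asks for the second factor again before a sensitive action such as emptying the stash. The timings, the action names and the `verify_second_factor` hook are constructed for illustration.

```python
"""Added example (not from the original thread): idle timeout and step-up
re-authentication for a logged-in game session. All values are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

IDLE_TIMEOUT = 15 * 60     # seconds of inactivity before the session is ended
STEP_UP_WINDOW = 5 * 60    # a sensitive action needs a second-factor check this fresh
# Hypothetical action names; the real client's actions are not on the page.
SENSITIVE_ACTIONS = {"withdraw_stash", "trade", "sell_on_ah", "change_email"}


@dataclass
class Session:
    user: str
    created: int
    last_seen: int
    last_step_up: Optional[int] = None   # time of the last second-factor check
    alive: bool = True


def request(session: Session, action: str, now: int) -> str:
    """Decide whether an action on this session may proceed.
    Returns 'ok', 'expired' or 'step_up_required'. A refused request does not
    refresh last_seen, so an attacker cannot keep a session alive by probing."""
    if not session.alive or now - session.last_seen > IDLE_TIMEOUT:
        session.alive = False
        return "expired"
    if action in SENSITIVE_ACTIONS:
        fresh = (session.last_step_up is not None
                 and now - session.last_step_up <= STEP_UP_WINDOW)
        if not fresh:
            return "step_up_required"
    session.last_seen = now
    return "ok"


def step_up(session: Session, verify_second_factor: Callable[[], bool], now: int) -> bool:
    """Run the caller-supplied second-factor check (for instance a TOTP prompt,
    not implemented here) and on success open the STEP_UP_WINDOW."""
    if not session.alive:
        return False
    if not verify_second_factor():
        return False
    session.last_step_up = now
    session.last_seen = now
    return True


def abandoned_session_outcome() -> str:
    """Scenario from comment 24: a session left logged in and untouched for
    longer than IDLE_TIMEOUT, then used by someone on the machine."""
    s = Session(user="player", created=0, last_seen=0)
    return request(s, "withdraw_stash", now=IDLE_TIMEOUT + 1)


if __name__ == "__main__":
    s = Session(user="player", created=0, last_seen=0)
    print("play at t=60:             ", request(s, "play", now=60))
    print("withdraw at t=120:        ", request(s, "withdraw_stash", now=120))
    print("step-up with bad code:    ", step_up(s, lambda: False, now=130))
    print("step-up with good code:   ", step_up(s, lambda: True, now=150))
    print("withdraw at t=160:        ", request(s, "withdraw_stash", now=160))
    print("abandoned session outcome:", abandoned_session_outcome())
```

Both controls are cheap for a legitimate player (one extra prompt before a stash withdrawal or trade, and a re-login after a long break) and they turn "I left it logged in" from a total loss into a bounded one: the idle timeout limits how long an unattended session stays usable, and step-up means the items can only move if someone with the authenticator is at the keyboard.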

