Blizzard Responds to Diablo 3 Account Hacks

Status
Not open for further replies.
[citation][nom]wildkitten[/nom]LOL You do realize D3 HAS been pirated right? It was after one day. What's going to be funny is if a lot of people who paid for D3 went and got the offline pirated version.[/citation]

You know, I actually checked the D3 torrents just a couple days ago, and (maybe it changed since then, but as far as I know) you cannot play the 'pirated' version. It installs, but you still need a legit account to play. From what I could tell, they still hadn't cracked how to properly emulate the D3 servers on a local machine so that you COULD play offline.

Things may have changed in the past two days or so, but I doubt it. Because if I recall, the servers also host all of the mob's AI in addition to characters and items/stashes - that would mean that those that are working on the pirated version would have to find a way to either replicate that or rip it from Blizzard themselves.
 
I have waited almost a decade to play Diablo again,
but after all the bovine fecal matter from Blizzard, I need to wait more; probably forever.
 
Blizzard is no longer Blizzard after they got bought out. A good company got bought and turned into the machine of money. Their games as art are no longer.
 
Given that there are botnets consisting of millions of computers and millions more are infected with password and account credential stealing Trojan horses, it is not at all surprising that Diablo 3 players' accounts have been compromised. The bad guys are so agile that they know an opportunity to make money when they see one. Blizzard's RMAH is the perfect place to fence stolen goods and turn them into cash. If you don't realize the Eastern European criminal gangs are already executing their plans to fleece Diablo 3 players and make a killing in the RMAH, you need to get a grip on the reality of today's computing environment. The most likely cause of accounts getting hacked is that the user's computer is infected with something their anti-virus is not detecting, and not only is their BattleNet account compromised, but probably every other online banking account is also in the bad guys' hands already. Blizzard might actually be telling the truth, but it's a lot easier to point the finger at someone else instead of accepting responsibility for keeping your computer free of infections.
 
Why are you ppl whining about authenticators? I have had one since the first ones came out and had it attached to my WoW account till the day I sold it: 5y of playing and 0 incidents. Common sense applied when surfing and answering emails, and especially clicking on those MoP beta invites or "account verifications" that keep coming. Also, no one is asking you to keep an authenticator on your key-chain; you don't have to buy one, just download the damn app from the market/appstore. Blizzard even gave you lazy sods the ability to not have to type it in every time you log in, only if there is an IP change or a long time has passed. I'm fairly certain if there is a bug Blizzard will shut up about it till they've fixed it, and they probably will soon; don't think RMAH will come out till this is sorted.
 
[citation][nom]wildkitten[/nom]LOL You do realize D3 HAS been pirated right? It was after one day. What's going to be funny is if a lot of people who paid for D3 went and got the offline pirated version. Will Blizzard claim that they will be losing out on RMAH sales due to the piracy which is the real reason they insist on offline play? They certainly couldn't accuse them of costing them game sales.[/citation]

As of this day there is no Scene release of Diablo 3 that has a working workaround for the always-on connection. The only thing you can find is an exact copy of the North American Diablo 3 collector's edition, which has the extra artwork, soundtrack and behind the scenes. That's about it. I'm fairly certain that everyone who got a "cracked" version from somewhere else just handed someone a back door to their PC or handed over their account and pass. And FYI, you can turn on the ability to have to use the authenticator on every login.
 
[citation][nom]wildkitten[/nom]Gotta love when blind sheep like you, even when Blizzard is going through what people said would, just blindly defend them. Perhaps you missed the line where even a journalist got her account hacked though she has an authenticator? Just because Bashiok says something doesn't make it true. He may put his foot in his mouth as often as Zarhym, but Bashiok can be wrong, or is more likely, be given the wrong information to give out to people. It was sheep like you who shouted those of us down when we protested Blizzard making it so that the authentication system didn't ask for the authenticator every time. People even explained how this could be exploited and yet people like you shouted them down and laughed claiming this could never happen. It was good of Blizzard to implement the authentication system, but it was VERY bad of Blizzard to turn around and introduce needless security risks to that system.[/citation]

"Perhaps you missed the line where even a journalist got her account hacked though she has an authenticator? Just because Bashiok says something doesn't make it true."

Same goes the other way mate, if the journalist's PC were indeed infected by a proxy-like malware it would be trivial to bypass the authenticator.

Until someone CAN say for certain what has happened, it's amazing to see people flame Blizzard without any facts at all, blaming the Blizzard defenders as sheep... Both "sides" are sheep here without any real facts; haters gonna hate and fanbois gonna blindly love.
 
Emotions aside, my account along with many others was compromised. Blizzard has not owned up to this issue, and seems to be blaming this on their consumers for not enabling all levels of security on their accounts. Like many others, I did play public games, and I think it is ignorant to find the reason behind the hacked accounts there. We all played the game as intended, and didn't compromise any of our account information beyond normal use, or for abuse. From reading through the comments, it bewilders me to see fans of the game bickering and pointing fingers at each other when this is obviously a Blizzard issue.
 
I was hacked yesterday. I played maybe 5 multiplayer sessions and there was no funny business. A couple of things I found weird: 1. I was in the auction house and bought a ring; there were only 2 up at the time, and it took 10 mins to show up in the area where you can send it to your stash. It took my money and the item never showed. When it did, 10 ppl had bought the same ring. I THINK THEY WORK THROUGH THE AUCTION HOUSE. I am lvl 57 and most of my lvl'n was done with my brother. When my account was hacked my brother noticed I wasn't sitting next to him -.- so it was pretty obvious. There were 4 ppl in the room: my brother, ME Undomitble (HACKED), aizen, Zebieff lvl 1 witch doctor (the hacker). When the hacker left, my brother logged into my account and hit the printscreen key. I noticed something weird: he had added me as a friend. Later on when I got home the hacker was no longer my friend. He was just in my recent players list. I thought at 1 point he might be working with aizen, but when I looked into aizen, a lvl 50 something character, his was missing all his gear also. That leads me to believe they hack multiple accounts at a time. I want to know why they add you as a friend though. Look into his account and look at the account name it's attached to if he isn't banned yet. It's very much a hacker name (it's attached to an account name like dddsd). PS: I don't want an authenticator. When Sony got hacked they shut everything down and made people wait; yes it sucked but they owned up. Here you get hacked and they offer you a peace of mind. Sounds to me like they're robbing your house and coming the next day and trying to sell you a security system. I'm telling everyone all this because I think they're trying to say it's the public gameplay, when I have not mentioned a soul mention the auction house or anything funny going on while you're in there.
 
There is no session ID spoofing going on. It's already been tested (check the forums on mmorpg.com). You're herpa derpin because you saw someone just as clueless as yourselves say it somewhere else.

There were a number of Diablo fan sites/forums that were compromised over the past few weeks, and assuming the attackers have their databases of logins/passwords, they are simply using them to log in to D3. Pretty simple right? Oh yeah.

BTW, people complaining about the authenticator. Think about this. Why does a Blizzard game have more layers of security than your online bank account?
 
This doesn't look good. 60$ for a game my computer isn't capable of playing. Another 200-300$ in power supply/video card just to play D3. And now I hear D3 is riddled with account theft? Good thing I held off on that computer upgrade. I'd hate to spend all that money for nothing. Hope they figure this out soon.
 
I was one of the unfortunate souls hacked. Should I have to pay 60 dollars for a game and then have intimate knowledge of computer coding and sciences to understand how to keep it safe from hackers? NO. I run anti-virus and anti-malware, had an authenticator that I had to use every time to log in, and I was still compromised. I do know that if I had a key logger on my machine, would not my bank account be empty as well as my Diablo 3 toon?
 
I was playing today when I got hacked. Booted me out and said that someone had logged into my account. I went immediately to the site and did the recovery. Within the 3-5 mins it took to do that all of my items were drained. The saddest part, and perhaps strangest part, is it was literally 2 mins after I had gotten the Gibbering Gemstone to drop, completing what I needed for the Staff of Herding. Also, when I got back there was a person on my social named DarkMase playing a character named anweu, a level 1 barbarian. I do not understand how this can be so rampant with a tracking infrastructure already in place. This is totally an internal compromise, and they are just not willing to admit it. It is no wonder they are not able to bring the real money auction live; they cannot protect your in-game character, much less your cash. This is going to be a very serious issue for Blizzard, although wtf do they care, they broke sales records already. I am very disappointed, and as a long lived Diablo fan, this is a sad day. -Level 34 naked barbarian.
 
I don't even have Diablo3, and haven't logged in to WoW since ~December.
My account was hacked last Saturday, and my password shouldn't have been an easy thing to guess.
There's more going on than just D3 - Bliz seems to have a considerable vulnerability with B.net.
 
[citation][nom]wildkitten[/nom]LOL You do realize D3 HAS been pirated right? It was after one day.[/citation]

No, it hasn't been pirated. A couple of idiots ripped their discs and posted them. Big deal, any moron can do that. Still requires an active internet connection and server account to be able to play. D3 will never be pirated and playable offline any more than a game like WOW.
 
Diablo 3 Duplicate Hack v2.1b
Team: RaIDZone


Instruction

1. Run Hack "Diablo 3 Duplicate Hack v2.1b"
2. Run Diablo 3
3. Go login account
4. Port to Town (wait 1-2 min)
5. automatically start the hack enjoy 🙂


More information is in the hack !!!

 
I bet Battle.net has done it: deleted tons of items so that people will buy new gear in the AH for real money XD
 
"we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password."

Traditional means, lol.

I stopped playing Blizzard games back when they merged battle.net accounts with your gaming accounts. There are some serious flaws in security at Blizzard and they have persisted for quite a while. I think that we are just seeing a large number of them pop up due to a huge influx of people who wanted to play Diablo III.

I was hacked while playing WoW after returning from an extended absence which spanned the boundary between pre and post battle.net. As best as I can determine someone used the password reset mechanism for my account and then forced an account reset which allowed them to log on. One very suspicious thing was that the email for account recovery had never been read. A second was that they indicated that I was already logged onto battle.net when the account recovery was initiated.

I'm a very savvy computer user with very good security practices. I'm probably one of the most educated customers they have in terms of computer security. I pointed out many problems with Battle.net that were wrong which were compromising security. Blizzard didn't want to hear any of them and continually told me it was a "trojan or keylogger". Scans of my system showed none of the above.

Here is the list of current security problems at Blizzard from what I could see as of a year ago:

1. The account name is the same as the email account used for password recovery.
2. In order to use the account recovery you do not need to answer any private security questions.
3. There is a high probability of a back-door that allows a malicious hacker to force password recovery without being logged on.
4. There is a high probability that a hacker can reverse the algorithm for creating random web pages used in account recovery so that they can correlate that with your password recovery during non-peak hours for the US.
5. They do not use authentication cookies when logging into battle.net or on the game.

Let me go into detail a bit more on the list above so that you understand that Blizzard isn't taking security seriously and purposefully endangering the user community.

Having the account name the same as the password recovery email address is a BIG BIG no-no. The person who thought this was a good idea should be fired. If they have already been fired, hire them again, then fire them in the worst way you can think of. You need to know two things to log on to your account. The first is the username the second is the password. In order to connect with your friends over multiple games on battle.net your username is shared, thanks for handing out my email address to whomever wants to know. Oh and by the way, if you compromise that email address you can also recover my password. Blizzard put a huge bulls-eye on your back with this one. The sheer stupidity of it amazes me. At least you could have required your account name to be different than the recovery email address.

If you log in from a new computer or need to recover your password you should always have to answer your private security questions. Default Blizzard policy is to not require you to answer those questions when performing an account recovery if you have already logged onto Battle.net. My account was compromised in this fashion. Why would I need to recover my password if I'm already logged on? Sheer stupidity on Blizzard's part. Security fail.

The previous one leads me to this conclusion. There very likely is a huge security breach internally at Blizzard where your username/password is leaking from an internal employee. The other likely scenario is that there is a way to spoof that you are logged in and ask for account recovery at the same time.

During account recovery they send an email to your account recovery email. Normally you would open the email and click on the pseudo-random link that is created and sent to you. Clicking on that link will allow you to reset your password. One assumes that you would have had to log into the email account to know the link that they sent you. The problem is that if someone snoops OR someone can scan battle.net servers for new webpages OR someone can determine what the next account recovery webpage will be then they can reset your password without logging into your email account.

A lot of these problems can be solved with authentication cookies, a small bit of information shared between you and battle.net when you log in from a new computer. If you are logging in from somewhere new then you are required to answer the security questions before they will send you a new authentication cookie.

I will never play another Blizzard game and I have asked them to remove all information from their servers regarding my name, email address, credit card information, etc. They have shown that they cannot do security properly and that they cannot be trusted with that information.
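
An added example, not part of the post above and not Blizzard's code: a sketch of the two recovery controls the post asks for, namely a reset link that cannot be predicted or reused and a per-device cookie that decides whether security questions are required. The names `ResetTokenStore`, `device_cookie`, `recovery_requirements` and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


class ResetTokenStore:
    """In-memory stand-in for a server-side table of pending resets."""

    def __init__(self, clock=time.time):
        self._pending = {}  # sha256(token) -> (account_id, expires_at)
        self._clock = clock

    def issue(self, account_id):
        # 256 bits from the OS CSPRNG: the link cannot be derived from
        # earlier links, a counter, or the time of the request.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # A new request invalidates any older link for the same account.
        self._pending = {d: v for d, v in self._pending.items()
                         if v[0] != account_id}
        expires_at = self._clock() + RESET_TTL_SECONDS
        self._pending[digest] = (account_id, expires_at)
        return token  # sent only in the e-mail; the server keeps the hash

    def redeem(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # single use
        if entry is None:
            return None
        account_id, expires_at = entry
        return account_id if self._clock() <= expires_at else None


def device_cookie(server_key, account_id, device_id):
    # MAC over account and device: cannot be forged without server_key
    # and is not valid for another account or another device.
    msg = f"{account_id}|{device_id}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).hexdigest()


def recovery_requirements(server_key, account_id, device_id, cookie):
    """Return the checks a recovery request must pass on this device."""
    expected = device_cookie(server_key, account_id, device_id)
    known = cookie is not None and hmac.compare_digest(cookie, expected)
    steps = ["emailed_token"]
    if not known:
        steps.append("security_questions")  # step-up for unknown devices
    return steps
```
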

 