| 68 posts found | |
|---|---|
|
5/27/12 9:54:43 AM#41
So much misinformation from people looking for a scapegoat in these threads.
Your knowledge of security is extremely limited at best. I love it when people display their obviously limited knowledge of security, and then proceed to claim that their system is impenetrable. Hilarious. News flash for everyone in denial: YOUR SYSTEM IS VULNERABLE TO ATTACK. IT ALWAYS WILL BE. My wife never owned a computer in her life until we met five years ago. She knows more about security now than most of you. Shadow's Hand Guild The Secret World - Dragons Planetside 2 - Terran Republic Tera - Dragonfall Server |
|
|
5/27/12 9:58:31 AM#42
Originally posted by RealPvPisFPS Until you or someone else can actually prove that Blizzard is lying to us then you're the fool. Just because someone doesn't agree with your ridiculous tin foil hat conspiracy doesn't mean they're a mindless drone for the company in question either. |
|
|
5/27/12 10:01:23 AM#43
Originally posted by RealPvPisFPS perhaps you need to step away from the computer for a while; insulting someone for making a valid statement isn't helping your argument at all. It is patently clear that the problem with hacked accounts, although 'hacked' is slightly misleading, remains solely with the player in question, either through poor password security and lack of an authenticator, to phishing. It's easy to be angry if you have been 'hacked', but the only real recourse there is, that at least attempts to counter the lack of security at the player's end, is to add an authenticator to their account. As has already been stated, more than once, there has not been a single case of an account being compromised that had an authenticator attached to it. In simple terms it's this: if Blizzard were the ones being hacked, then whether you had an authenticator or not would not matter; they would be able to bypass that feature. That the authenticator is wholly effective means that the security issue is, and remains, at the player end of the chain. Blizzard can only do so much to counter this; that they provide authenticators at cost is commendable. It is, in fact, their attempt to make the security somewhat idiot proof. |
|
|
5/27/12 10:01:36 AM#44
At the cybercafe I'm managing there's daily logins of about 20 accounts, day or night... Nobody has been hacked yet - in any online game, not just Diablo 3. Looks like some people have no real protection - no routers / firewalls, no good antimalware. And hackers are getting better - daily. |
|
|
5/27/12 10:01:53 AM#45
I think the majority of users are not educated enough in safety while surfing the internet and/or do not care. I deal with end users on a daily basis that haven't the slightest clue about security. Plenty of spam spoof emails that look like the real thing that many of these users are a victim of. Many buy gold from farm sites where they use the same login and password. These are the same users that scream foul when the account gets hacked. I have also seen users that use the same password across multiple accounts from Live!, Facebook, Twitter, even bank accounts. Everyone needs to create a set of passwords in alphanumeric sequence and use a new unique password on every site. Watch your emails: look at the source or, if not, how they address you; most sites will address you by your name, not "xyz123 please resolve your issue with your PayPal account". If you think the email may be legit, go straight to the site; don't click on any of the links in the email. The problem does not fall all on Blizzard or any security firm; part of the problem is also the end user. "Ignorance is Bliss". If you want good password storage software with a good password generator engine check out http://keepass.info/ - open source and great software. |
|
|
Karahandras
Hard Core Member
Joined: 8/11/08
All it takes for evil to succeed is for the good to stand by and do nothing |
5/27/12 10:49:54 AM#46
Originally posted by Unlight Am wondering how much they make off selling the authenticators? |
|
5/27/12 10:52:01 AM#47
Originally posted by Karahandras Authenticators you buy are $6 w/ free shipping, it's nothing. The Apps for mobile are free.
|
|
|
5/27/12 10:55:16 AM#48
Originally posted by Lobotomist For a time my husband and I were told that it was an inside job. That Account GMs were getting kickbacks from gold farmer companies for helping them compromise accounts. Apparently Blizzard is so big now that it doesn't matter to them as long as they make the sales. The next concern of theirs will solely be the amount they make off of the RMAH. I wouldn't look to them to actually do anything constructive about any of this because in 2007 when all of my household accounts were hacked simultaneously WITH authenticators on each one, they even refused when we came back to restore the items in our accounts for a time. It was ridiculous but pretty much what you would expect from a company that doesn't really care about anything until they lose 2 million subs, then they actually react. |
|
|
5/27/12 11:25:01 AM#49
@itgrowls
You may already know this, but it is relevant to your post. If you do know this already, I'm leaving it here as a basic lesson in password encryption that hopefully will help someone out there. I'm going to go ahead and assume your conspiracy theory is correct for the sake of argument. Let me explain to you what would happen in a scenario like that. First of all, when you log into a service like WoW or Battle.net or Diablo, the client has to transmit your password to the server, right? Well it doesn't send it in clear text. When you hit that submit button the client encrypts your password into what is known as a hash. Ideally the hash is not reversible. So 'password' becomes 1f23eaxz45oe79stpfyu or something like that. No other password will make that same hash, and you cannot turn the hash back into the plain text of 'password'. So every time you log in, the client sends not your password, but a hash to the database. The hash is compared to the hash created when you set your password. Your actual password never leaves the client. In fact the other end doesn't have your plain text password. They just have the hash. If they match the server knows the password is right. The reason I explained this (and you may be aware already, I don't know) is because if it was an inside job, the only thing any Blizzard employee has access to is that hash. Blizzard does not have your text password. The importance of this is password strength. If the bad guys get that database there is likely only one thing they can do to retrieve passwords from it. They have to guess. First the attacker will set up a piece of software to take a list of words and turn them into hashes. These dictionaries are huge and contain every real word and lots of made up ones. This is a very fast attack. If the hash for 'password' or 'yankees' or '123456' matches a hash in the database, they know that password. Studies have shown that a dictionary attack can reveal around 20% of a password database on average.
If you had Blizzard's 10 million users and you got 20% of them this way... well, you get the idea. They will then set up a program to randomly combine letters into passwords of specific lengths. Then they will raise that length and characters used until it is no longer feasible time-wise to wait for the software to finish. My long drawn out point is this: if your password is complex enough it will never be retrieved from a database in this way. Length is important. Use 15 characters. Capital and lowercase letters as well as a number and a symbol will make the password basically unguessable by these methods. No one is even going to attempt the guessing attack needed to get your password because it would literally take thousands of centuries. Tl;dr: Companies get hacked all the time. If you use a strong enough password, you don't need to worry about your password being compromised because of it. Use 15 characters. Use capital and lowercase. Use numbers and punctuation. Do these things and you never have to worry if a company's database is compromised. Well, you don't have to worry about your password at least. Shadow's Hand Guild The Secret World - Dragons Planetside 2 - Terran Republic Tera - Dragonfall Server |
|
|
5/27/12 11:53:40 AM#50
Originally posted by niceguy3978 I was leaning towards siding with Blizzard on this one but after putting my password in 4 different ways and being able to log into the game. I don't feel all warm and fuzzy for Blizzard. |
|
|
5/27/12 12:01:12 PM#51
I noticed no one replied to the mention of what happened in Rift. It did turn out to be a weakness on Trion's side, not the players, and it had to do with session IDs. Of course, this is what people could be screaming to cover the fact they weren't secure. However, the only game anyone in my family has ever had hacked was WoW. (Insert obligatory my brother works in IT), yep it was his account that was hacked, 6 months after he quit using it. They only knew because another guy who worked with him saw him login, and knew he was playing another game.
Yes, my brother is the one who taught me password security, and is the most paranoid at such things. He uses a laptop for normal browsing, so his gaming laptop is only for games, with serial passwords of the max allowable length.
I'm going to hold judgement on what caused this rash of hackings, simply because I refuse to believe that many people could have surfed the wrong site or clicked the wrong email link (click now or lose your account forever!) (Congrats, you're in the beta, just click here with your financial info!!) Seriously? |
|
|
5/27/12 12:05:23 PM#52
I highlighted the above, misleading part when related to Diablo or your Battle.net account. I am not sure about other Blizzard products but they are probably the same. Caps don't matter. At the very least Blizzard has made it easier for the hackers to guess passwords and they have complete control over that. |
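Added example, not code from any poster in this thread: it models the offline guessing sequence dubyahite lays out in #49 (dictionary first, then brute force over a leaked hash database) and the point made in #52 that ignoring case shrinks the search space. It assumes an unsalted SHA-256 as the stored hash, a constructed guess rate of 10^9 per second, and a constructed five-word dictionary; the keyspace arithmetic is what a defender would use to evaluate a password policy.

```python
import hashlib

# Added example: models the offline guessing sequence from the post above
# (dictionary first, then brute force) and shows how much a case-insensitive
# password check shrinks the keyspace. Guess rate is a constructed figure.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365 * 24 * 3600
# Constructed wordlist standing in for the huge dictionaries mentioned above.
WORDLIST = ["123456", "password", "yankees", "letmein", "qwerty"]
# Character-class sizes for a typical US keyboard.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

def store_hash(password: str) -> str:
    """Unsalted SHA-256 (an assumption) standing in for the stored hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def dictionary_hit(stored: str, wordlist=WORDLIST):
    """Return the wordlist entry whose hash matches, or None if none does."""
    for word in wordlist:
        if store_hash(word) == stored:
            return word
    return None

def keyspace(password: str, case_insensitive: bool = False) -> int:
    """Guesses needed to exhaust every string of this length built from the
    character classes the password uses. Case folding merges upper into
    lower, so capitals add nothing when the server ignores case."""
    classes = set()
    for ch in password:
        if ch.isalpha():
            classes.add("lower" if case_insensitive or ch.islower() else "upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return sum(CLASS_SIZES[c] for c in classes) ** len(password)

def years_to_exhaust(password: str, case_insensitive: bool = False) -> float:
    """Worst-case years to try the whole keyspace at the assumed guess rate."""
    return keyspace(password, case_insensitive) / GUESSES_PER_SECOND / SECONDS_PER_YEAR

if __name__ == "__main__":
    for pw in ["yankees", "Passw0rd!", "Tr0ub4dor&3xyz!"]:
        hit = dictionary_hit(store_hash(pw))
        years = years_to_exhaust(pw), years_to_exhaust(pw, True)
        print(f"{pw}: dictionary hit" if hit else
              f"{pw}: {years[0]:.3g} years case-sensitive, {years[1]:.3g} years case-folded")
```

The 9-character mixed-class password sits at tens of years under these assumptions while the 15-character one is in the trillions, which is the gap the post is describing; folding case cuts both by a factor of (94/68)^length.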
|
|
5/27/12 12:07:17 PM#53
@newmoon
Alright! More uninformed speculation about session tokens! Fact is, there is no session ID hack. Look, I know how to perform that particular exploit. I could do it to you if I wanted. I tested D3 and it is not present. Also, FYI a session hijacking is the result of an attack on the client machine not the host. It is the client's computer that is vulnerable to this. Not the server. Shadow's Hand Guild The Secret World - Dragons Planetside 2 - Terran Republic Tera - Dragonfall Server |
|
|
Betaguy
Hard Core Member
Joined: 12/31/04
The king and the pawn go back to the same box at the end of the day. |
5/27/12 12:12:58 PM#54
None of you understand how to hack something of this caliber, I do and it is not happening because blizz does have hard enough intrusion detection, that is not what is going on here... It is something else... |
|
5/27/12 12:21:23 PM#55
Originally posted by Newmoon You should read a little more about the early exploit in Trion's client-server process. It wasn't a simple session ID exploit. It also didn't allow the other player to steal items from the victim's inventory. It allowed the exploitive user to login as the other person and then sell their stuff as though they had the user/password combo of the victim. This is why Trion first implemented "Coin Lock" after they patched the exploit and then offered an authenticator to further enhance security. If there is a Diablo exploit it doesn't sound at all similar to Trion's exploit. If it is like Trion's past vulnerability you and a friend should be able to easily reproduce this. If not then the exploit isn't what it is being billed as. |
|
|
5/27/12 12:21:58 PM#56
Originally posted by Newmoon If I had access to a thousand accounts you could see why this suddenly makes a lot more sense.
Of course I'm going to wait until they go inactive.. I can either sell them or put them to use with less chance of the compromise being noted and reported to Blizzard. Why people think this is weird strikes me as a bit odd. Just because they have access to your account doesn't mean it's smart for them to wipe it out right then and there. It all comes down to what they are using it for and how long it remains useful to them. I put through password changes to all my MMO accounts either before or straight after they go inactive after I started hearing reports that people's WoW accounts were being used after they had stopped playing. If I'm being really anal I'll do it on my laptop which I don't use to play any games on. People might have trouble keeping up with all these passwords but it doesn't take too much effort to make a 'system' that makes it easy for you to remember a password for a given game/website/system but keep a secure format and to keep the passwords for each thing different, put some thought into it. |
|
|
5/27/12 12:38:01 PM#57
In the past year there have been a flood of different companies' user account information being stolen (one of which is SOE). I'm guessing a lot of people use the same passwords for a lot of their different gaming accounts so all the account thieves have to do is try to use the stolen account information to log into Diablo 3. I foolishly used the same password as my SOE account and you can see what happened to me below. Today I logged into Diablo 3 to find my character in a different act than I had logged off on yesterday, and an immediate game invite from someone who I had never played with before (and who had a name full of gibberish, 'adfasdf'). The first ten seconds I was sitting there wondering what the hell was going on and it dawned on me that my account was logged into by someone else right when I logged into it. I went directly to my bnet account and immediately changed my password. Looks like the only thing they stole was the gold from my account, but all my items were left. I was extremely lucky to log in right in the middle of them doing it. I was stupid to use the same password as many of the other gaming accounts I have set up. I can't even count how many companies have been hacked in the past year and I'm positive that this is how they accessed my Diablo 3 account. |
|
|
5/27/12 12:54:47 PM#58
@desalus
An excellent point. Yet another one of the million possibilities that could cause this that are neither "I have a virus" or "Blizzard got hacked". So many things that could be going on. Shadow's Hand Guild The Secret World - Dragons Planetside 2 - Terran Republic Tera - Dragonfall Server |
|
|
5/27/12 1:13:24 PM#59
Originally posted by dubyahite That was my point. Not that it was absolutely "session ID" or using account numbers, like what happened in Rift. I meant the 400 page long threads with the finger pointing about how all these HAD to be buying gold, or clicking email phishing. It could be a breach on Blizzard's part, unlike what they've been saying. Trion first said it was the player's fault, until a "white hat" player figured out how it was done and told Trion. Coin lock came in really fast. 6 months later, their database was hacked, and usernames/passwords were taken, but the info was encrypted. I changed all my passwords anyway. I use different passwords for each game, and while they are serial, they aren't guessable from each other, and all are at max length. I also change them frequently. When physical authenticators are offered, I take them. I've been lucky and have never been hacked, even after playing literally over 100 MMOs, from AAA titles to basic Korean grinders.
All that screaming taught me to withhold criticism until we figure out how it is being done. I refuse to believe that many people clicked on (click now or forever lose your account) and (beta invite, just give us your financial info!). |
|
|
5/27/12 1:23:32 PM#60
Originally posted by Desalus I had a friend of mine who got hacked on a game a while back (can't remember the game) and one of the first things I asked him was if he used the same password on other sites. He in fact used the same password on all the sites he used not just games but regular websites that required password. He finally changed them all to be different. |
|