
Diablo 3 accounts hacked, gold and items stolen


Comments

  • ZekiahZekiah Member UncommonPosts: 2,483

    Dupe... forum lag?

    "Censorship is never over for those who have experienced it. It is a brand on the imagination that affects the individual who has suffered it, forever." - Noam Chomsky

  • DisdenaDisdena Member UncommonPosts: 1,093
    Originally posted by Indol

     

    EDIT: By the way, authenticators are more of a money making scheme than anything at this point. Actual hackers couldn't possibly care less whether they exist or not.

    All righty then, thanks for the info about what "actual hackers" care about.

    I could have sworn that nearly all compromised accounts were caused by keylogger programs, phishing, or password sharing—and that none of those methods work for authenticator-enabled accounts—but who am I to question some guy on the internet?

  • ZekiahZekiah Member UncommonPosts: 2,483

    The official forums are going to address the massive hacking/bug issue soon. If it is indeed hacking, that's not good at all. Something has gone very wrong if people are getting hacked who have authenticators and some reports of getting hacked and kicked out of their game while playing.

    "Censorship is never over for those who have experienced it. It is a brand on the imagination that affects the individual who has suffered it, forever." - Noam Chomsky

  • WarlyxWarlyx Member EpicPosts: 3,368

    the only time i was "hacked" was on a wow account not eq, UO, eq2 , rift , ffxi , L2 , etc etc

     

    WOW and was just 1 month .....strange enough was ....

     

    i played for years....but 1 month (july i stopped playing ) because i was going on vacation...

     

    when i came back in august....my account was ACTIVE , password changed and all that , called blizz and resolved the problem

     

    the question is WHY after playing for years i was hacked just the month i froze my account ?

     

    was blizz ? i think so, this account is inactive , pass info to RMT....

    all my gear disenchanted , nude all characters , but gained like 20k :P , and got my gear back (no gems /enchants) ....

  • JeroKaneJeroKane Member EpicPosts: 7,098
    Originally posted by Disdena
    Originally posted by Indol

     

    EDIT: By the way, authenticators are more of a money making scheme than anything at this point. Actual hackers couldn't possibly care less whether they exist or not.

    All righty then, thanks for the info about what "actual hackers" care about.

    I could have sworn that nearly all compromised accounts were caused by keylogger programs, phishing, or password sharing—and that none of those methods work for authenticator-enabled accounts—but who am I to question some guy on the internet?

    It's much easier to just blame Blizzard, than taking a good look at yourself first.  Nothing new.

  • FrodoFraginsFrodoFragins Member EpicPosts: 6,057
    Originally posted by JeroKane
    Originally posted by Disdena
    Originally posted by Indol

     

    EDIT: By the way, authenticators are more of a money making scheme than anything at this point. Actual hackers couldn't possibly care less whether they exist or not.

    All righty then, thanks for the info about what "actual hackers" care about.

    I could have sworn that nearly all compromised accounts were caused by keylogger programs, phishing, or password sharing—and that none of those methods work for authenticator-enabled accounts—but who am I to question some guy on the internet?

    It's much easier to just blame Blizzard, than taking a good look at yourself first.  Nothing new.

    Why don't you just wait before assuming the mass hacks are due solely to users?  As I said, this type of thing has happened before and required a server side fix by Trion for Rift.  Anyway, welcome to ignore as you're just trolling those that got hacked at this point.

  • JeroKaneJeroKane Member EpicPosts: 7,098
    Originally posted by FrodoFragins
    Originally posted by JeroKane
    Originally posted by Disdena
    Originally posted by Indol

     

    EDIT: By the way, authenticators are more of a money making scheme than anything at this point. Actual hackers couldn't possibly care less whether they exist or not.

    All righty then, thanks for the info about what "actual hackers" care about.

    I could have sworn that nearly all compromised accounts were caused by keylogger programs, phishing, or password sharing—and that none of those methods work for authenticator-enabled accounts—but who am I to question some guy on the internet?

    It's much easier to just blame Blizzard, than taking a good look at yourself first.  Nothing new.

    Why don't you just wait before assuming the mass hacks are due solely to users?  As I said, this type of thing has happened before and required a server side fix by Trion for Rift.

    What mass hacks?  Where? People are just blowing it out of proportion!

    Just because now a guy from a popular website happened to get his account hacked and posted a rant article about it with pure speculation and rants... doesn't suddenly mean it is happening on massive scale!

    If this would have been the case, all gaming forums would be on fire at the moment! Seeing how many million people are playing DIII at the moment.

    So far (as I follow the official forums closely) it has been just a handful of people. Nothing more!  And a lot of them have been visiting a popular US fansite, that was flagged by Google last week!  All too convenient that the hacks started to happen shortly after that!

  • HighMarshalHighMarshal Member UncommonPosts: 415

    My b-net account has been hacked so many times and I haven't used it since D2 came out and then only for patches.

    Hell, I don't even remember what the name and password I used was it has been so long.

    Can't blame the user for hack-net.

  • gaeanprayergaeanprayer Member UncommonPosts: 2,341

    There is a screenshot....on the article...of a person talking back FROM THE HACKED ACCOUNT that is not the owner, stating they just bought the account.

    How are people arguing this is speculation? I don't even...what?

    "Forums aren't for intelligent discussion; they're for blow-hards with unwavering opinions."

  • JeroKaneJeroKane Member EpicPosts: 7,098
    Originally posted by gaeanprayer

    There is a screenshot....on the article...of a person talking back FROM THE HACKED ACCOUNT that is not the owner, stating they just bought the account.

    How are people arguing this is speculation? I don't even...what?

    Most likely the original owner of that account used a dodgy site, like RMT site to buy either a cheap CD key, bought gold, whatever and uses the same email address and password on that dodgy site.

    So dodgy site tries out email address and password on battle.net.... Voila! Sell account to someone else for cash or strip it naked and sell the gold instead.

    This is EXACTLY how a lot of these RMT scumbags work. And in most cases it's the user's own fault by visiting these dodgy sites.

    Often they don't even have to create an account there, visiting will be enough to receive a beautifully crafted nice little keylogger installed on your PC! Entirely free without any hassle! ;-)

    Cheers

  • AethaerynAethaeryn Member RarePosts: 3,150

    Companies have to stop requiring email addresses as the login.  

    Wa min God! Se æx on min heafod is!

  • dreldrel Member Posts: 918

    I wouldn't link a WoW account with D3 account.  If your WoW account has been compromised, your D3 account probably will be too.

    Better to have two separate accounts with an authenticator. 

  • JeroKaneJeroKane Member EpicPosts: 7,098
    Originally posted by Aethaeryn

    Companies have to stop requiring email addresses as the login.  

    Yes you are right. I don't like it either. So I use authenticators on those.

    But still, if every site suddenly shifted to unique accountnames, then RMT sites just change their account pages too.

    And people are stupid enough to use the same account name on those dodgy sites as well.

    So it really won't help all that much to be honest.  But yeah.... it would make it at least a tad bit more difficult for hackers.

  • jusomdudejusomdude Member RarePosts: 2,706

    According to some posts on the diablo forums there is an exploit that lets others see your session ID in multiplayer games, allowing hackers to bypass authentication totally, and steal your log in. They don't need your password, authenticator, or anything.

    So don't play with anyone you don't know for the time being.

    Glad I've been playing mostly single player.

  • dreldrel Member Posts: 918
    Originally posted by jusomdude

    According to some posts on the diablo forums there is an exploit that lets others see your session ID in multiplayer games, allowing hackers to bypass authentication totally, and steal your log in. They don't need your password, authenticator, or anything.

    So don't play with anyone you don't know for the time being.

    Glad I've been playing mostly single player.

    sometimes it's better to play with yourself-hehe

  • ZekiahZekiah Member UncommonPosts: 2,483

    Blizzard Breached: 'Diablo III' Player Accounts Hacked, Items and Gold Stolen

    "At first this looked like it might have been yet another glitch on the Blizzard servers. Now it looks like we’re dealing with something far more nefarious: hackers exploiting security flaws in Diablo 3 and stealing peoples’ virtual items in order to sell them later in the Real-Money Auction House."

    - Forbes.com

    "Censorship is never over for those who have experienced it. It is a brand on the imagination that affects the individual who has suffered it, forever." - Noam Chomsky

  • keenberkeenber Member UncommonPosts: 438

    The reason I haven't bought D3 is because it's run through battle net. I have worked on computers for 25 years and I know them inside out and how to keep them safe from account theft, but a few years ago two of my WoW accounts got stolen and although I got one back it had been stripped. A few weeks later it was stolen again and this was on a completely clean comp with new password etc. I know that there was no way it came from my side so it had to come from battlenet and I sure as hell wasn't gonna pay 12 euro to protect a game that was supposed to have protection.

    I have played most of the main MMOs and never had my account stolen; even when lots were getting their Rift account stolen I never did.

    So as long as battlenet has anything to do with a game I will never play it.

  • AdamTMAdamTM Member Posts: 1,376
    Originally posted by jusomdude

    According to some posts on the diablo forums there is an exploit that lets others see your session ID in multiplayer games, allowing hackers to bypass authentication totally, and steal your log in. They don't need your password, authenticator, or anything.

    So don't play with anyone you don't know for the time being.

    Glad I've been playing mostly single player.

    There were reports of people turning up in people's friends lists they didn't know.

  • FlawSGIFlawSGI Member UncommonPosts: 1,379
    Originally posted by JeroKane
    Originally posted by Disdena
    Originally posted by Indol

     

    EDIT: By the way, authenticators are more of a money making scheme than anything at this point. Actual hackers couldn't possibly care less whether they exist or not.

    All righty then, thanks for the info about what "actual hackers" care about.

    I could have sworn that nearly all compromised accounts were caused by keylogger programs, phishing, or password sharing—and that none of those methods work for authenticator-enabled accounts—but who am I to question some guy on the internet?

    It's much easier to just blame Blizzard, than taking a good look at yourself first.  Nothing new.

    Well in all fairness I don't use the same info, I hadn't been on in 11 months, I didn't give them my information like my wife did from a phishing email, I always have malware security on my pc, I change passwords periodically thanx to being military it's now a habit, and I hadn't been to any websites remotely related to WoW, Blizzard, or MMORPG's in general since I was actually coming back from a deployment when the account breach happened.

     

    Now instead of just being angry I tried to resolve the issue through Blizzard support more than I should have. Even after the account was repaired and I wasn't planning on resubbing, I still wanted to know how it happened and what could be done to prevent this on my wife's account as well since she still played. After trying everything that the support sent me, they finished with buy the authenticator and had no more answers for me. Sure it's easy for you to sit there and claim that as a customer it is easy to blame the company, but I went way beyond what I should have to resolve the issue and still came out of it not knowing how the account got hacked. Sorry but being away for 11+ months with very little to do with internet or my PC (which was at home across the planet) I couldn't help but think it had nothing to do with something on my end. Step off the soapbox man. 

    RIP Jimmy "The Rev" Sullivan and Paul Gray.

  • FlawSGIFlawSGI Member UncommonPosts: 1,379
    Originally posted by Four0Six
    Originally posted by FlawSGI

    QFT. Happened to my WoW account. I had been inactive for almost a year when my buddy texted me welcoming me back. I was like "What do you mean?" and he said I was on in SW. I called Blizz right away and it was resolved in no time.

     

    Just because it was fixed promptly doesn't mean I gave them a pass on the incident. They sent me a nice email detailing the things I could do to avoid this such as PW changes and running malware to scan for keyloggers. Lastly they said purchase an authenticator. Funny, when I asked how me doing any of those things (which I had changed PW and I have malware protection), was going to help when the account was inactive for 11 months. I got no response on this question. The authenticator should be added without the extra charge since it isn't always the person's fault that got hacked. 

    Same thing happened to me, yes I believe it corresponded with the battle.net switch.

     

    I hadn't played or been active in WoW for 6 months, when I received a ban for RMT. I LOL'd and forwarded the email and a screenshot of my inactive account to Blizz and explained that this was going on my list of reasons to not play their games. In response I got the same, "get an authenticator, blah blah". After thinking about it my paranoia led me to "believe" it was an attempt to sell me the authenticator and my acct had not been hacked and it was just Blizz.

     

    Funny thing is this crossed my mind while I was batting emails with Blizz support back and forth and they kept coming back to me purchasing the authenticator. If it's such a great tool it should be included in the game since you are paying a sub. With the work that probably goes into account restores and the investigation, they could save the man hours and effort and include the damned thing. 

    RIP Jimmy "The Rev" Sullivan and Paul Gray.

  • zaylinzaylin Member UncommonPosts: 794
    Originally posted by Vannor

    Everyone knows that when accounts get stolen 99.9% of the time it is the user's own fault. Everything in that article is speculation.. words like 'suggested' are evidence that the whole article is completely factless. Even the word 'hacked' isn't accurate right now because no one knows why those items went missing.

    Well....honestly I think it's more to do with the Battle.Net system than the user. The reason I say this, I had/have a WoW account for 4 years (from Launch), and as soon as they switched to the Battle.Net for WoW my account got hacked 3 times in 6 months, and I'm a very well versed user.

  • dubyahitedubyahite Member UncommonPosts: 2,483
    There is supposed to be a blue post in the general forums "soon" with more info.

    I have a hard time believing the session hijacking conclusion everyone is jumping to, but there is something weird going on.

    We shall see soon hopefully.

    Shadow's Hand Guild
    Open recruitment for

    The Secret World - Dragons

    Planetside 2 - Terran Republic

    Tera - Dragonfall Server

    http://www.shadowshand.com

  • ArChWindArChWind Member UncommonPosts: 1,340
    I am reading the other forums guys and I can’t post there but it may not be public games since many accounts have been hacked when the person is solo and has never even joined a game. I remember in the beta that you could link people from public chat so maybe it is from that end.
    ArChWind — MMORPG.com Forums

    If you are interested in making a MMO maybe visit my page to get a free open source engine.
  • dubyahitedubyahite Member UncommonPosts: 2,483
    Honestly guys (from someone involved in IT and specifically security) I don't think you understand what session hijacking is.


    Session hijacking usually requires a few things. One of those things is almost always some sort of security breach on the users end. This could be in the form of clicking a malicious link (doesn't need to install malicious software btw).

    It could also be accomplished through a man in the middle attack, which isn't the case here for obvious reasons.

    Having access to the data on someone's hard drive could possibly also lead to this. This would probably involve malware, however.


    Now, the claim is that the game is somehow exposing data that is allowing the attacker to steal a user's session. While I wouldn't rule anything out, I am not entirely convinced that this is the case. From a technical standpoint I think that it is possible that something in the game is causing this, however I'm skeptical that the attack is as described by the masses.

    What this would mean is that somehow the client is exposing its packets to all the clients in the same game as it. This would be common in a game where one person is the host and everyone connects to that person, however I don't believe Diablo should function in this way. I'm very skeptical of this guess by everyone.


    Again, what is more likely is that people are clicking some kind of link that exposes them to a session hijack on the website. The strange users showing up in their recent players list could be explained by that being the account hackers are dumping your stuff to.


    This post is not meant to educate you all on the technical issues at play here. I don't have time or the will to do that. I am simply mind dumping some of the basics about session hijacking. This is a very simplified and definitely not all inclusive post about the issue.



    One thing is important to note, however. This can be verified or disproven. A security expert would know exactly what kind of tools/means would be needed to accomplish this.

    When I get home tonight (traveling right now) I am going to analyze some of the data that is being involved in a multiplayer game of D3 and see what I can find out.

    I can find anything an attacker can find. If it is as you guys are claiming it can be easily duplicated by anyone with intermediate security knowledge.


    Again, I don't rule anything out. If there is one thing I have learned about security, it is to never underestimate the bad guys. I am skeptical that the attack is carried out the way people say it is.

    Shadow's Hand Guild
    Open recruitment for

    The Secret World - Dragons

    Planetside 2 - Terran Republic

    Tera - Dragonfall Server

    http://www.shadowshand.com
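
Added example, not part of any post in this thread: a server-side check for the scenario debated above, where a session ID ends up being used by someone other than the player who logged in. It scans constructed log lines and flags a session ID seen from two client addresses within a short window; the log format, field names and the 10-minute window are assumptions, not anything Battle.net is known to use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, session id, client address, action.
# Lines are assumed to be in chronological order.
SAMPLE_LOG = """\
2024-01-01T18:00:05 sess=a1f3 ip=198.51.100.7 action=login
2024-01-01T18:02:10 sess=a1f3 ip=198.51.100.7 action=join_game
2024-01-01T18:03:40 sess=a1f3 ip=203.0.113.50 action=trade
2024-01-01T18:04:00 sess=b7c2 ip=192.0.2.14 action=login
2024-01-01T18:30:00 sess=b7c2 ip=192.0.2.14 action=join_game
this line is malformed and must be skipped
2024-01-01T19:00:00 sess=c9d8 ip=192.0.2.33 action=login
2024-01-01T23:30:00 sess=c9d8 ip=192.0.2.99 action=join_game
"""


def parse_line(line):
    """Return (timestamp, session, ip, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return ts, fields["sess"], fields["ip"], fields["action"]
    except (ValueError, KeyError):
        return None


def find_shared_sessions(log_text, window=timedelta(minutes=10)):
    """Flag events where a session ID appears from a second address
    while another address used the same session within `window`."""
    last_seen = defaultdict(dict)  # session id -> {ip: last timestamp}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, sess, ip, action = rec
        for other_ip, other_ts in last_seen[sess].items():
            if other_ip != ip and abs(ts - other_ts) <= window:
                alerts.append((sess, other_ip, ip, action))
        last_seen[sess][ip] = ts
    return alerts


if __name__ == "__main__":
    for sess, first_ip, second_ip, action in find_shared_sessions(SAMPLE_LOG):
        print(f"session {sess}: {action} from {second_ip} "
              f"while still active from {first_ip}")
```

An address change hours apart (session `c9d8`) is not flagged at the default window, since a player's network can legitimately change; only near-simultaneous use from two addresses is treated as suspicious.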

  • JakardJakard Member Posts: 415

    Show me an online, account-driven game that doesn't get hacked at some point.
