Originally posted by jusomdude I haven't gotten hacked yet, but I'm getting paranoid with people saying they have been hacked even with authenticators. Just gotta wonder if these guys who have been hacked, saying they don't visit unknown websites and keep everything up to date are lying.
I read one thread on the US forums, which has been locked now, about how the OP got "hacked" while he has an authenticator. The blue who locked it apparantly looked into it for the OP and loo and behold, the OP did have an authenticator, but only got it after he was compromised.
Truth be told, I'm on Blizzard side with this. In most cases people are at fault, for clicking delicious links, in badly typed e-mails. It sounds so silly, but it happens way too often. Of course there is no excuse if it turns out to be Blizzard's fault. Time will tell. One thing I can say is that if it's Blizzard's fault, then they will fix it. If people get comprimised, I'm not suprised anymore when I hear that a month later they're comprimised again. For the same thing.
Off topic, something I noticed in these kind of threads, is that a lot of people agree that no system is perfect and that it's entirely possible that (for example, in this case) Blizzard get's hacked/comprimised. But when people point to the complainers and say that they should first look to their own systems, they'll get riled up, claiming that their system is impenetrable. I just find this funny
This is what I have been suspecting of many of the claims of "but I already had an authenticator!!!!"
Even though the authenticator isn't perfect, it is a very good layer of security to add to the login process. What you know + what you have. Some day I expect one of these companies to make a fingerprint scanner on the cheap for people to buy. What you know + what you have + who you are would be very secure.
What I find funny is that any MMO that uses two factor authentication like this (even though it's not forced) is actually providing a higher amount of authentication security than most big business do on their corporate networks. I find that entertaining.
imho if you get hacked, its your own damn fault......i have been playing blizz games for centuries now since the beginning of the battlenet in diablo 2.
Played wow for years, now D3 and i NEVER got hacked.
So it isnt blizz, its you.....surf less porn and keep your damn pc's clean.
i am a support engineer in RL, i know what i am talking about......seen a gazzillion pc's from people who "only" check their mail and get hacked........what they didnt say is that they downloading torrents and movies and at the same time surfing some porn while buying blue pils.
We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.
If your account has been hacked, please view the previous post for information on contacting our support department.
Originally posted by jusomdude I haven't gotten hacked yet, but I'm getting paranoid with people saying they have been hacked even with authenticators. Just gotta wonder if these guys who have been hacked, saying they don't visit unknown websites and keep everything up to date are lying.
I read one thread on the US forums, which has been locked now, about how the OP got "hacked" while he has an authenticator. The blue who locked it apparantly looked into it for the OP and loo and behold, the OP did have an authenticator, but only got it after he was compromised.
Truth be told, I'm on Blizzard side with this. In most cases people are at fault, for clicking delicious links, in badly typed e-mails. It sounds so silly, but it happens way too often. Of course there is no excuse if it turns out to be Blizzard's fault. Time will tell. One thing I can say is that if it's Blizzard's fault, then they will fix it. If people get comprimised, I'm not suprised anymore when I hear that a month later they're comprimised again. For the same thing.
Off topic, something I noticed in these kind of threads, is that a lot of people agree that no system is perfect and that it's entirely possible that (for example, in this case) Blizzard get's hacked/comprimised. But when people point to the complainers and say that they should first look to their own systems, they'll get riled up, claiming that their system is impenetrable. I just find this funny
This is what I have been suspecting of many of the claims of "but I already had an authenticator!!!!"
Even though the authenticator isn't perfect, it is a very good layer of security to add to the login process. What you know + what you have. Some day I expect one of these companies to make a fingerprint scanner on the cheap for people to buy. What you know + what you have + who you are would be very secure.
What I find funny is that any MMO that uses two factor authentication like this (even though it's not forced) is actually providing a higher amount of authentication security than most big business do on their corporate networks. I find that entertaining.
Indeed, 3 way authentication would be the best. Though you already know why most players don't use the authenticator. It's the same reason a lot of people use the same passwords all the time. It's because it's not userfriendly. An extra step before you can play, in the case of the Blizzard Authenticator.
What you mention about companies is so true. At the moment I'm doing a project for a company about their information security, but the questions I get most often is: "How much will it cost?" and "Is it difficult to use?". That, coupled with the general attitude of "it will never happen to me", is giving me headaches sometimes
I'm not a big fan on the "having" factor myself. It's clunky and unreliable at the moment, though the technology is getting better every day. That aside, I've the authenticator. Logging in from other locations is a lot harder then too. It's worth some hassle in my opinion. Plus, A COREHOUND PET!!!
We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.
If your account has been hacked, please view the previous post for information on contacting our support department.
We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.
If your account has been hacked, please view the previous post for information on contacting our support department.
Hopefully that's the case. I'm probably still avoiding public games for a few more days to be safe.
It can't hurt I guess. Truth be told, I'm more inclined to trust Blizzard on this, then randoms on the forums who make claims. A few people claimed that they're hacked and their friends too. They all worked in IT, so it couldn't possible be their fault. Of course they also had the authenticator, all of them. Now I'm not saying that I'm a measuring stick or whatever, but I've around 20 people in my Real ID list, from which one other then me has the authenticator. The reason he got one was because he clicked a silly link in a silly e-mail and got his account comprimised.
That's mostly the reason why my eyebrows nearly fly of my head when I read posts, mostly in badly English (which is kind of hilarious for these self proclaimed IT specialists), that they got hacked, their friends got hacked, all with the authenticator enabled from day 1. That and all these years on the internet made me a very sceptical person.
Originally posted by fivoroth No facts, jyst random speculations. @guy who said battlenet is easy to hack, how come my account was NEVER compromised. Stupid users I tell you.
Uhm because there are millions of people playing on BNet and not ALL of them get their accounts hacked? That is like saying people dont get cancer becase I NEVER GOT IT.
There was a guy that wrote a post on another forum about how he acquired thousands NCSoft accounts in one weekend.
I won't post the link here, because it gets a little bit descriptive of how he did it to the point where this post would probably get modded.
Also, I will note that this guy is not a "hacker" in the sense that he wasn't doing this maliciously. Just wanted to see what could be done. He submitted all of his data to NCSoft after they had a huge hacking fiasco. This was done to help them determine the amount of people using the same password for a fansite for the game they were playing.
.
First off, I would state that the methods this guy used are very basic and very legit. This is something anyone with a basic level of network security knowledge could accomplish.
I'll explain it in simple non-tech terms.
He, acquired a database of over 200,000 users from several fan sites. Remember, a real attacker is always going to take the path of least resistance. This would be much easier than hacking NCSoft's database as fansites are less secure and have less resources.
A portion of those passwords ( around 50k) were crackable. The passwords were encrypted in the database, but simple dictionary based passwords are vulnerable to cracking. I won't detail how he did it, but he was able to crack the weaker passwords.
He submitted the data of the cracked passwords to NCSoft to compare against their databases. It turned out that about 20% of the accounts on these fansites were using the EXACT same password for the fansite as they were for their game account.
20 FRIGGIN PERCENT. Imagine if he had a database of 1 million users? or 2 million? 20 percent of those would on average have the same freaking password for their game as they use for a vulnerable fansite.
So here's another twist to this story. A very popular Diablo fansite was being listed by google as having been infected with malware recently. It was incgamers diablo fansite I believe. This almost garuntees that they were compromised. They may not have been the only one.
So I have a question for those of you that got hacked. Are you in the 20%?
Originally posted by fivoroth No facts, jyst random speculations. @guy who said battlenet is easy to hack, how come my account was NEVER compromised. Stupid users I tell you.
Uhm because there are millions of people playing on BNet and not ALL of them get their accounts hacked? That is like saying people dont get cancer becase I NEVER GOT IT.
Some people have a lot of cavities, I have none. HOW IS THIS POSSIBLE?
After reading this i did a little experiment and loaded my old WoW account on a brand new computer that hasnt been connected to the internet and has a new boxed version of win 7. Now the last time i used this wow account i changed the email/account name and password then i never played it since. When i left my account it was working and the new email was just for WoW and i havent ever used or even looked at it since i made it . Allso the computer i made the new email was a new computer that i had just finished building. This must be at least 2 years ago and guess what the account was hacked so there is no way that this was my fault and it has to be a breach on battlenet side.
I would of gone back to WoW and played D3 but there is something seriously wrong with battle net and i wont pay extra for a authenticator if a game company cant protect there games then it is there resposnibility to supply authenicators free of charge.
After all when we give personal info to a company we expect them to keep it safe.
Interesting the Diablo servers just went down for unscheduled "Scheduled Maintence". My guess is they will close the exploit and pretend like nothing happened. Sad really that I can't imagine Activi$ion/Blizzard operating any other way.
After reading this i did a little experiment and loaded my old WoW account on a brand new computer that hasnt been connected to the internet and has a new boxed version of win 7. Now the last time i used this wow account i changed the email/account name and password then i never played it since. When i left my account it was working and the new email was just for WoW and i havent ever used or even looked at it since i made it . Allso the computer i made the new email was a new computer that i had just finished building. This must be at least 2 years ago and guess what the account was hacked so there is no way that this was my fault and it has to be a breach on battlenet side.
I would of gone back to WoW and played D3 but there is something seriously wrong with battle net and i wont pay extra for a authenticator if a game company cant protect there games then it is there resposnibility to supply authenicators free of charge.
After all when we give personal info to a company we expect them to keep it safe.
Sure. Everything about this post is just a little to perfect for my taste.
Even if it's true, what you are saying contains absolutely no evidence that battle.net was compromised. None.
Interesting the Diablo servers just went down for unscheduled "Scheduled Maintence". My guess is they will close the exploit and pretend like nothing happened. Sad really that I can't imagine Activi$ion/Blizzard operating any other way.
It's maintenance day for Blizzard. They do this every week. Wow is down also.
Seriously. It's been the same day for nearly a decade.
Also, the exploit doesn't exist. There is no session ID exposed by the Diablo client. You are wrong.
BTW, spreading misinformation like this actually hurts the security of a networked environment by misdirecting users. Anything that draws their attention away from the real threats causes them to be less secure overall.
In other words, if you're not part of the solution, you're part of the problem.
Interesting the Diablo servers just went down for unscheduled "Scheduled Maintence". My guess is they will close the exploit and pretend like nothing happened. Sad really that I can't imagine Activi$ion/Blizzard operating any other way.
It's maintenance day for Blizzard. They do this every week. Wow is down also.
Seriously. It's been the same day for nearly a decade.
Also, the exploit doesn't exist. There is no session ID exposed by the Diablo client. You are wrong.
BTW, spreading misinformation like this actually hurts the security of a networked environment by misdirecting users. Anything that draws their attention away from the real threats causes them to be less secure overall.
In other words, if you're not part of the solution, you're part of the problem.
Today was scheduled maintence for for wow. The 8 hour D3 maintence was not scheduled and the breaking news was updated with the maintenence notice after the servers went down. i know lots of player caught by suprise. It's pretty far fetched that people with authenticators attached are being hacked but it's happening. The only way this could be possible is if there is some server side expoit involving a bug with security tokens or something similar. Maybe this is normal maintence and they forgot to add it the the schedule but this seems a bit fishy to me.
Interesting the Diablo servers just went down for unscheduled "Scheduled Maintence". My guess is they will close the exploit and pretend like nothing happened. Sad really that I can't imagine Activi$ion/Blizzard operating any other way.
It's maintenance day for Blizzard. They do this every week. Wow is down also.
Seriously. It's been the same day for nearly a decade.
Also, the exploit doesn't exist. There is no session ID exposed by the Diablo client. You are wrong.
BTW, spreading misinformation like this actually hurts the security of a networked environment by misdirecting users. Anything that draws their attention away from the real threats causes them to be less secure overall.
In other words, if you're not part of the solution, you're part of the problem.
Today was scheduled maintence for for wow. The 8 hour D3 maintence was not scheduled and the breaking news was updated with the maintenence notice after the servers went down. i know lots of player caught by suprise. It's pretty far fetched that people with authenticators attached are being hacked but it's happening. The only way this could be possible is if there is some server side expoit involving a bug with security tokens or something similar. Maybe this is normal maintence and they forgot to add it the the schedule but this seems a bit fishy to me.
/removes tinfoil hat
Blizzard already stated that they have not investigated a single compromised account that added an authenticator before their account was compromised. NOT A SINGLE ONE.
They also stated that EVERY single compromised account that they investigated was accessed through username and password login through a game client by the "hacker."
People are lying about the authenticator. People are lying about responses from blizzard. The official statement from Blizzard is that.
Blue post from Bashiok once again:
We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.
If your account has been hacked, please view the previous post for information on contacting our support department.
I'm sorry to keep spamming this thread, but this type of thing is very important to me.
I have just confirmed that incgamers (they have a very large diablo fansite) was hacked on may 18th. Their username/pw database was compromised.
Now this may not be the source of the attacks, and even if it is it probably isn't the only source but regardless:
IF YOU USE THE INCGAMERS WEBSITE AND ESPECIALLY IF YOUR PASSWORD IS THE SAME THERE AS IT IS FOR BATTLE.NET PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE
CHANGE YOUR BATTLE.NET PASSWORD!
Even so lets pretend this is how usernames and passwords were obtained.
If I gave you my username and password and had an authenticator attached to my account you still cannot log in. The amount of people hacked with authenticators flys in the face of this sort of exploitation. Also Blizzard is telling some of these people that their account has not been logged into yet all their stuff is missing. It just doesn't add up is all.
It's all he said she said. Sure a lot of these people could be lying. Sure Blizzard could also be lying. Only time will tell how this all plays out. All this could magically go away. /shrug
I'm sorry to keep spamming this thread, but this type of thing is very important to me.
I have just confirmed that incgamers (they have a very large diablo fansite) was hacked on may 18th. Their username/pw database was compromised.
Now this may not be the source of the attacks, and even if it is it probably isn't the only source but regardless:
IF YOU USE THE INCGAMERS WEBSITE AND ESPECIALLY IF YOUR PASSWORD IS THE SAME THERE AS IT IS FOR BATTLE.NET PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE
CHANGE YOUR BATTLE.NET PASSWORD!
Even so lets pretend this is how usernames and passwords were obtained.
If I gave you my username and password and had an authenticator attached to my account you still cannot log in. The amount of people hacked with authenticators flys in the face of this sort of exploitation. Also Blizzard is telling some of these people that their account has not been logged into yet all their stuff is missing. It just doesn't add up is all.
According to blizzard not a single person who had an authenticator before they were hacked has been investigated. As in those people are full of it. Please read the blue post I copied.
Whelp, the typical Diablo Defenders are out in force now. The last few pages is like 80% 2 people trying their hardest to paint it in a better light. As always.
Once this RMAH actually starts rolling and people start spending real cash on items, the attacks are only going to grow in number. Expect a rollercoaster month as people begin to get brute force hacked more and more.
It's all he said she said. Sure a lot of these people could be lying. Sure Blizzard could also be lying. Only time will tell how this all plays out. All this could magically go away. /shrug
I'll take a blue post over random raging out forum nerds any day of the week on this matter.
I highly doubt that Blizzard would lie about this issue. It would be very damaging to their security to mislead the users in this way.
If the problem is on their end, they would need to be upfront about it. If it's not then they need to be as clear as possible so that people are aware of the threats to be avoided.
From a security perspecitve, lying here would do more harm than good.
Whelp, the typical Diablo Defenders are out in force now. The last few pages is like 80% 2 people trying their hardest to paint it in a better light. As always.
Once this RMAH actually starts rolling and people start spending real cash on items, the attacks are only going to grow in number. Expect a rollercoaster month as people begin to get brute force hacked more and more.
I'm sorry did you do a detailed packet analysis of all of the date being transferred between the client and server to determing if this session hijacking hack was real or make believe?
Oh no thats right, of course you didn't.
I know someone who did though, it was me. I'm not defending Diablo. This has nothing to do with the game. This is pure and simple technology which happens to be my field of expertise.
If you can look through a packet capture to find an SSL Session ID Token and determine if one is present, by all means tear it up and try to prove me wrong.
Comments
This is what I have been suspecting of many of the claims of "but I already had an authenticator!!!!"
Even though the authenticator isn't perfect, it is a very good layer of security to add to the login process. What you know + what you have. Some day I expect one of these companies to make a fingerprint scanner on the cheap for people to buy. What you know + what you have + who you are would be very secure.
What I find funny is that any MMO that uses two factor authentication like this (even though it's not forced) is actually providing a higher amount of authentication security than most big business do on their corporate networks. I find that entertaining.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
imho if you get hacked, its your own damn fault......i have been playing blizz games for centuries now since the beginning of the battlenet in diablo 2.
Played wow for years, now D3 and i NEVER got hacked.
So it isnt blizz, its you.....surf less porn and keep your damn pc's clean.
i am a support engineer in RL, i know what i am talking about......seen a gazzillion pc's from people who "only" check their mail and get hacked........what they didnt say is that they downloading torrents and movies and at the same time surfing some porn while buying blue pils.
So, just check yoself.....
Blue post from Bastiok
If your account has been hacked, please view the previous post for information on contacting our support department.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
Indeed, 3 way authentication would be the best. Though you already know why most players don't use the authenticator. It's the same reason a lot of people use the same passwords all the time. It's because it's not userfriendly. An extra step before you can play, in the case of the Blizzard Authenticator.
What you mention about companies is so true. At the moment I'm doing a project for a company about their information security, but the questions I get most often is: "How much will it cost?" and "Is it difficult to use?". That, coupled with the general attitude of "it will never happen to me", is giving me headaches sometimes
I'm not a big fan on the "having" factor myself. It's clunky and unreliable at the moment, though the technology is getting better every day. That aside, I've the authenticator. Logging in from other locations is a lot harder then too. It's worth some hassle in my opinion. Plus, A COREHOUND PET!!!
Hopefully that's the case. I'm probably still avoiding public games for a few more days to be safe.
Heh, i usually avoid public games so i don't have to waste time with dumbasses, but that's another story.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
It can't hurt I guess. Truth be told, I'm more inclined to trust Blizzard on this, then randoms on the forums who make claims. A few people claimed that they're hacked and their friends too. They all worked in IT, so it couldn't possible be their fault. Of course they also had the authenticator, all of them. Now I'm not saying that I'm a measuring stick or whatever, but I've around 20 people in my Real ID list, from which one other then me has the authenticator. The reason he got one was because he clicked a silly link in a silly e-mail and got his account comprimised.
That's mostly the reason why my eyebrows nearly fly of my head when I read posts, mostly in badly English (which is kind of hilarious for these self proclaimed IT specialists), that they got hacked, their friends got hacked, all with the authenticator enabled from day 1. That and all these years on the internet made me a very sceptical person.
Mission in life: Vanquish all MMORPG.com trolls - especially TESO, WOW and GW2 trolls.
Uhm because there are millions of people playing on BNet and not ALL of them get their accounts hacked? That is like saying people dont get cancer becase I NEVER GOT IT.
My gaming blog
There was a guy that wrote a post on another forum about how he acquired thousands NCSoft accounts in one weekend.
I won't post the link here, because it gets a little bit descriptive of how he did it to the point where this post would probably get modded.
Also, I will note that this guy is not a "hacker" in the sense that he wasn't doing this maliciously. Just wanted to see what could be done. He submitted all of his data to NCSoft after they had a huge hacking fiasco. This was done to help them determine the amount of people using the same password for a fansite for the game they were playing.
.
First off, I would state that the methods this guy used are very basic and very legit. This is something anyone with a basic level of network security knowledge could accomplish.
I'll explain it in simple non-tech terms.
He, acquired a database of over 200,000 users from several fan sites. Remember, a real attacker is always going to take the path of least resistance. This would be much easier than hacking NCSoft's database as fansites are less secure and have less resources.
A portion of those passwords ( around 50k) were crackable. The passwords were encrypted in the database, but simple dictionary based passwords are vulnerable to cracking. I won't detail how he did it, but he was able to crack the weaker passwords.
He submitted the data of the cracked passwords to NCSoft to compare against their databases. It turned out that about 20% of the accounts on these fansites were using the EXACT same password for the fansite as they were for their game account.
20 FRIGGIN PERCENT. Imagine if he had a database of 1 million users? or 2 million? 20 percent of those would on average have the same freaking password for their game as they use for a vulnerable fansite.
So here's another twist to this story. A very popular Diablo fansite was being listed by google as having been infected with malware recently. It was incgamers diablo fansite I believe. This almost garuntees that they were compromised. They may not have been the only one.
So I have a question for those of you that got hacked. Are you in the 20%?
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
Some people have a lot of cavities, I have none. HOW IS THIS POSSIBLE?
After reading this i did a little experiment and loaded my old WoW account on a brand new computer that hasnt been connected to the internet and has a new boxed version of win 7. Now the last time i used this wow account i changed the email/account name and password then i never played it since. When i left my account it was working and the new email was just for WoW and i havent ever used or even looked at it since i made it . Allso the computer i made the new email was a new computer that i had just finished building. This must be at least 2 years ago and guess what the account was hacked so there is no way that this was my fault and it has to be a breach on battlenet side.
I would of gone back to WoW and played D3 but there is something seriously wrong with battle net and i wont pay extra for a authenticator if a game company cant protect there games then it is there resposnibility to supply authenicators free of charge.
After all when we give personal info to a company we expect them to keep it safe.
Interesting the Diablo servers just went down for unscheduled "Scheduled Maintence". My guess is they will close the exploit and pretend like nothing happened. Sad really that I can't imagine Activi$ion/Blizzard operating any other way.
Sure. Everything about this post is just a little to perfect for my taste.
Even if it's true, what you are saying contains absolutely no evidence that battle.net was compromised. None.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
It's maintenance day for Blizzard. They do this every week. Wow is down also.
Seriously. It's been the same day for nearly a decade.
Also, the exploit doesn't exist. There is no session ID exposed by the Diablo client. You are wrong.
BTW, spreading misinformation like this actually hurts the security of a networked environment by misdirecting users. Anything that draws their attention away from the real threats causes them to be less secure overall.
In other words, if you're not part of the solution, you're part of the problem.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
Today was scheduled maintence for for wow. The 8 hour D3 maintence was not scheduled and the breaking news was updated with the maintenence notice after the servers went down. i know lots of player caught by suprise. It's pretty far fetched that people with authenticators attached are being hacked but it's happening. The only way this could be possible is if there is some server side expoit involving a bug with security tokens or something similar. Maybe this is normal maintence and they forgot to add it the the schedule but this seems a bit fishy to me.
/removes tinfoil hat
I'm sorry to keep spamming this thread, but this type of thing is very important to me.
I have just confirmed that incgamers (they have a very large diablo fansite) was hacked on may 18th. Their username/pw database was compromised.
Now this may not be the source of the attacks, and even if it is it probably isn't the only source but regardless:
IF YOU USE THE INCGAMERS WEBSITE AND ESPECIALLY IF YOUR PASSWORD IS THE SAME THERE AS IT IS FOR BATTLE.NET PLEASE PLEASE PLEASE PLEASE PLEASE PLEASE
CHANGE YOUR BATTLE.NET PASSWORD!
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
Blizzard already stated that they have not investigated a single compromised account that added an authenticator before their account was compromised. NOT A SINGLE ONE.
They also stated that EVERY single compromised account that they investigated was accessed through username and password login through a game client by the "hacker."
People are lying about the authenticator. People are lying about responses from blizzard. The official statement from Blizzard is that.
Blue post from Bashiok once again:
We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.
If your account has been hacked, please view the previous post for information on contacting our support department.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
Even so lets pretend this is how usernames and passwords were obtained.
If I gave you my username and password and had an authenticator attached to my account you still cannot log in. The amount of people hacked with authenticators flys in the face of this sort of exploitation. Also Blizzard is telling some of these people that their account has not been logged into yet all their stuff is missing. It just doesn't add up is all.
It's all he said she said. Sure a lot of these people could be lying. Sure Blizzard could also be lying. Only time will tell how this all plays out. All this could magically go away. /shrug
According to blizzard not a single person who had an authenticator before they were hacked has been investigated. As in those people are full of it. Please read the blue post I copied.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
Whelp, the typical Diablo Defenders are out in force now. The last few pages is like 80% 2 people trying their hardest to paint it in a better light. As always.
Once this RMAH actually starts rolling and people start spending real cash on items, the attacks are only going to grow in number. Expect a rollercoaster month as people begin to get brute force hacked more and more.
I'll take a blue post over random raging out forum nerds any day of the week on this matter.
I highly doubt that Blizzard would lie about this issue. It would be very damaging to their security to mislead the users in this way.
If the problem is on their end, they would need to be upfront about it. If it's not then they need to be as clear as possible so that people are aware of the threats to be avoided.
From a security perspecitve, lying here would do more harm than good.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
I'm sorry did you do a detailed packet analysis of all of the date being transferred between the client and server to determing if this session hijacking hack was real or make believe?
Oh no thats right, of course you didn't.
I know someone who did though, it was me. I'm not defending Diablo. This has nothing to do with the game. This is pure and simple technology which happens to be my field of expertise.
If you can look through a packet capture to find an SSL Session ID Token and determine if one is present, by all means tear it up and try to prove me wrong.
Shadow's Hand Guild
Open recruitment for
The Secret World - Dragons
Planetside 2 - Terran Republic
Tera - Dragonfall Server
http://www.shadowshand.com
I just read Blizzard changed the authenticator but didn't publicize this information.
You now only need to use the authencticator once a week instead of every time.
This could explain why people with the authenticator are still getting their account stolen.