
Never been hacked so fast!


Comments

  • Adam1902 (Member, Uncommon, Posts: 537)
    Hello:

    Our systems suffered no breaches.

    However, we have records that you were already hacked in 2010, when you played WoW account ADAM1902.

    If hackers know your passwords, it might be because of any of these reasons:

    - A keylogger or Trojan virus on your computer.
    - Using the same password for Battle.net as for forums on the internet, and not having changed it for months.
    - Connecting through unprotected Wi-Fi, in a cybercafé, or from someone else's computer.
    - Buying gold, power-leveling, etc. from gold-sellers in their online stores.
    - Downloading addons or files from insecure websites or using addon downloaders.

    You can find more information on this topic in our official forums here:

    - WoW: http://eu.battle.net/wow/en/forum/topic/900641512
    - Diablo III: http://eu.battle.net/d3/en/forum/topic/4552425225

    You can also find several Blue posts confirming that Battle.net is perfectly safe:
    - http://eu.battle.net/d3/en/forum/topic/4211043914#1
    - http://eu.battle.net/d3/en/forum/topic/4309703662#1

    Remember that you are the one that has been compromised, and that the security of your account and computer is your own responsibility.

    I encourage you to, first of all, scan your computer. You will find our Recommended Software here: http://eu.battle.net/support/en/article/300889

    I saw that you already discovered that Battle.net Mobile Authenticator is FREE, and you already attached one to your account. You did well. Find out more here: http://eu.battle.net/support/en/article/battle-net-authenticator-faq

    Due to the tone used in your ticket, I had to, unfortunately, place a warning on your account.

    Remember to always keep good manners and be respectful when approaching either other players or the customer support. The use of inappropriate language is not allowed.

    Please note that should any further violations of our rules and policies occur, this incident will be taken into consideration to determine the consequences for your account.

    If you would like to know more about our rules and policies, click here:
    http://eu.battle.net/support/en/article/200469
    http://eu.battle.net/support/en/article/200475

    We verified no loss in your Diablo III account. However, if you find that you lost any gold or items, contact us back, so we can check further. In this new ticket, please, provide this information:

    - Date and timeframe when you played last, just before being hacked.
    - The approximate amount of gold you had when you quit before being hacked.

    As you already know, GMs can restore hacked Diablo III accounts based on roll-backs to certain points. You can find more information regarding this issue here: http://eu.battle.net/support/en/article/compromised-diablo-iii-account

    If you did not have much gold, the restoration might not be worth it. However, if you finally decide to proceed with the restoration, then give us your confirmation with the "Need more help" button below, adding the info I asked you for before.

    Regards,

    GM Avanatheya
    Blizzard Entertainment Europe
    http://eu.battle.net/support/

    To which I responded:

    ----------

    Alright, this is worrying.
    I'm going to take the time out to cover some of the things you mentioned, purely so you guys can hopefully investigate and get to the bottom of what I believe to be security issues on your side. My password is a series of letters, numbers and characters, used on ONE other forum - namely MMORPG.com (it's also case sensitive, but that doesn't matter on your system, does it?).

    My computer was formatted a couple of months ago, and has a valid free Avast Anti-virus installed. I don't illegally stream or download content from the internet on this computer (I use my laptop running a Linux OS for things like that). And I haven't used any unofficial Blizzard game related software or services for a long, long time (not since I used to play WoW way before I got hacked in 2010 - I was actually hacked way after I quit playing WoW, and changed my password to a random series of letters/characters/numbers after that happened).
    The only other computer I played on was my best friend's. I've known this guy since pre-school, and 110% this wasn't done by him. Now, I COULD assume that HIS computer is infected with a keylogger/trojan... But he plays WoW, and doesn't have an authenticator (his account would be worth quite a lot too). Why hasn't he been hacked?

    I'm not going to sit here and say "I DEFINITELY haven't got a keylogger on my system", because obviously, one can never be sure. But I am 99.9% sure my system is clean and I make sure of that.

    I'm going to apologise for my 'tone', it was my initial reaction to getting hacked 1) less than 24 hours after purchasing a game, 2) on little sleep due to enjoying playing your game (the GAME is amazing). Fair enough for giving me a warning, I am a bit of an asshole after all.

    The statement "We verified no loss in your Diablo III account" seriously worries me. I am not asking for it to be restored (I've made too much progress since the incident). But you should be able to check the logs and see that my account was indeed hacked, and the gold was transferred to another character (even I can see this just from looking at my recent players list, for God's sake!!). If you guys cannot see this, that is very, very worrying!

    You may as well close this ticket again, because I don't require further support. But I wrote this hoping that it would be forwarded on to somebody higher to further help your investigations of the integrity of your security.

    It's either MMORPG.com admins have compromised my account (I'm going to look into this, could be interesting), or something wrong with security at your end. And going by the "We verified no loss" statement, it's your end (that, or you didn't bother checking the logs and it's MMORPG.com).

    ----------

    So this leads me to ask the ultimate question (and I very much look forward to seeing the results, actually!):


    _________
    Currently playing: Black Desert Korea (Waiting for EU)

    Always hating on instances in MMOs! Open worlds, open PvP, territory control and housing please. More persistence, more fun.

  • Lobotomist (Member, Epic, Posts: 5,981)

    This is just horrible ...

    I do not have a smartphone, so no authenticator. Right now I am expecting to find my characters stripped every time I log in.

    I don't care much, it's just a game - but I am kind of disappointed I paid 60 euro for such a POS.

    The game is quite OK, but all these problems are simply not acceptable.

    As for Blizzard claiming there is no session spoofing. You got to understand.

    - No company would ever admit such security breach -

    If they do, it will amount to a catastrophe - people rightfully demanding refunds by the hundreds of thousands, and having a legal claim to do it.

    So the only way to get Blizzard to admit this is to have real solid proof from an official source.

    Which Blizzard would simply bribe to silence , anyway.

    So it will never happen.


    What will happen though is that RMAH will never be activated.

    Right now people are losing virtual gold and items. When these start to be worth actual money, or when people link their PayPal & CC to the RMAH, and hackers simply steal actual money from accounts...

    Then all hell will break loose for Blizzard.


    So. At this point I don't see the RMAH being implemented, maybe even never...



  • Valua (Member, Posts: 520)
    Originally posted by stragen001

    Once again, it is apparent that if you are playing D3 and don't have an authenticator, you WILL get hacked.

    Blizzard really need to sort their shit out.

    What other game do you know of where you HAVE to have an authenticator to play, otherwise you WILL get hacked? It's just ridiculous.


    I don't have an authenticator and have never been hacked.


    I've had the game since launch and play in public games most of the time.


    The majority of people don't get hacked, just a small minority.


    Remember that before posting rubbish.

  • Lobotomist (Member, Epic, Posts: 5,981)

    FYI

    mmorpg.com is not a safe site. I have been a member for... what, 7 years already? Wow...

    And it was hacked and breached at least 3 times to my recollection, several times spreading keyloggers and viruses to anyone that logged in.

    never use same password for forum and for game account.

    Actually never use same password for anything if you can help it.



  • JayBirdz (Member, Posts: 1,017)
    Originally posted by Adam1902


    To which I responded:

    ----------

    Alright, this is worrying.
    I'm going to take the time out to cover some of the things you mentioned, purely so you guys can hopefully investigate and get to the bottom of what I believe to be security issues on your side.
    My password is a series of letters, numbers and characters, used on ONE other forum - namely MMORPG.com (it's also case sensitive, but that doesn't matter on your system, does it?).

    Change it. This site used to get attacked a lot. A whole lot. I have been using NoScript for some time and have no idea how often it gets attacked anymore.

    Don't use the same password as anywhere else. Not trying to bust your balls, more than just saying. Anyone who has been here long enough knows this site used to get attacked on a weekly basis. Not to mention you just told everyone who looks at this thread that you like to reuse passwords...

  • MurlockDance (Member, Posts: 1,223)

    Aïe aïe aïe if it is true that the passwords stored by D3 are not case-sensitive! That is a disaster. I haven't been hacked yet, but I am now extremely worried. I do have an authenticator, but since I got D3 through the Annual Pass, my WoW is tied to the same account.

    I too thought it was a bad move to force people to use an email address as login. I think they should revert to using user-generated names. Though it is not a massive block to stealing information, it does make it a bit harder.

    Playing MUDs and MMOs since 1994.

  • aesperus (Member, Uncommon, Posts: 5,135)

    To the people who think having an authenticator answers the hacking problems:

    http://www.youtube.com/watch?v=FBX3ZnepBDs

    Session hacking absolutely exists, and having an authenticator does absolutely nothing against these types of hacks. I'm not saying that password phishing isn't the most prevalent, because it is. However, putting the blame on the user is a bit absurd in this case.

  • Zezda (Member, Uncommon, Posts: 686)

    hahaha


    You think session spoofing is going on?


    okay

  • Adam1902 (Member, Uncommon, Posts: 537)
    Hello Adam!

    Thanks for your response. Your apology is wholeheartedly accepted and does you credit - and we agree that this whole thing was sufficient grounds to get plenty angry about.

    To address a few of the points you raised (both in your first and second ticket):

    -Session spoofing in D3
    That's actually a downright myth. We're not even using an architecture like the people who claim this to happen insist on, and the design we *do* use makes it technically impossible to perform such a feat. This is a bold statement, but we have the evidence to back it up - and we have tested this to lengths no sane person would normally go. We have no idea why "normal" people would try to spread this myth so much, but in some cases it may be an intentional smokescreen to deceive people into caring less about the actual security holes that do exist on their system and worry about fictitious ones they cannot hope to address.

    -No losses/compromise visible to us
    There is a chance, albeit a small one, that our logs do not cover an incident. Server stability issues may play a role here, but in the vast majority of cases it is down to a.) "domestic" compromises (e.g. angry little brother stripping your characters from your home computer) or b.) a mistake/oversight on the first investigation performed. Just humans here, after all.

    -Case-sensitive passwords
    That one is being bounced around a lot, but it honestly makes no sense. Case-sensitivity only plays a role when attempting to bruteforce- or "dictionary"-hack a password, which isn't a common method since the 1980s and furthermore doesn't work on our login systems as they simply throttle and deny "spammed" login attempts. Furthermore, even for systems that do use case-sensitive passwords the added complexity of upper/lowercase letters adds significantly less security than simply adding any random letter to the password length (you can look up the math on that, it is staggering).
    We opted to keep the passwords convenient and to not create a chimera of added security when there in all reality is none.

    -The why me/why now
    You mentioned playing on your friend's computer - there is a chance your login information was keylogged there, and you asked why he wasn't targeted.
    In truth he may have been, considered not a valuable enough target (yet), and his account information put on the backburner by the hacker to be used in the future. We saw a small "wave" of compromises with the launch of Diablo 3 that indicated the stolen user passwords had been obtained weeks or months before, and the hackers just waited until they could pull in the maximum haul in one go, before players had time to react and upgrade their security.

    -Hacks are a scheme to sell authenticators
    If it was solely up to us, we'd have authenticators in each game box (we'd put it into every "kids menu" and breakfast cereal box if we could).
    Trouble is that those things are only available in limited quantities from the retailer (and we're already not getting as many as we want, hence they sell out so quickly) and do cost a sizeable chunk of money to make, so we'd have to either up box retail prices or recoup in some other way (maybe through subscriptions).
    The best we can do is offer physical authenticators at production cost and the application version fully free if you have an iOS or Android smartphone, like the one you recently got. We'll even pay for the shipping to your place if you want the "token" version - the token we use is built by VASCO and is a version of the Digipass Go6, if you want to look it up and compare prices.

    -Our findings on your account
    From our records, your battle.net password remained the same between 2012-02-13 and 2012-06-05. This means that, apart from violating the "toothbrush rule" (share with no one, change once a month), this allowed the hackers plenty of time to get and store it for later use. Your WoW licence in all honesty isn't a very attractive target in terms of sheer revenue for them, but since Diablo 3 was expected to sell in huge quantities to existing Blizzard customers it made sense to keep your data stored and abuse it at a later date. This is what we're guessing happened in your case, and there was sadly nothing we could do to prevent it.

    Finally:
    As per your request we won't perform a rollback on your Diablo 3 licence, but we would like to extend an offer of assistance to you - if you need any further advice or have questions, please contact us. We'll be happy to share whatever we know.

    Kind regards,

    Gamemaster Khaleyd
    Blizzard Entertainment Europe

    Fair enough. I'm still quite concerned that they couldn't pick it up in the logs though, and that those 3 little thieves in my recent players list are still logging in and out like nothing ever happened.

    Doubt I was keylogged on my friend's PC either, his WoW account would easily go for around £250 on PlayerAuctions and that wasn't hacked, and he has no authenticator either. But my measly little 100k was. So common sense would tell that it wasn't this PC that got my account dicked on. And it definitely wasn't any of my friend(s) or family, I'm 1000% sure of this.

    I'm pretty sure what happened to my account has to do with this forum.

    Also when I logged in to Diablo this morning (after a 4 hour power nap) I was greeted with a "This account has failed too many login attempts" type of message. So the fuckers are still at it.

    Pretty sure it has to do with this forum.


    Originally posted by Zezda

    hahaha

    You think session spoofing is going on?

    okay

    I was unsure, I'd read about how loads of players had been hacked straight after playing their first game and assumed this, you probably would too if you got hacked pretty much instantly after purchasing a game - and everyone was saying it all over the internet. But after reading Blizzard's response, and doing some packet sniffing of my own (purely for fun and education, I wouldn't manipulate anything or attempt to access an account without the owner's permission), the packets from the B.net login are nothing like those of a certain Facebook game (which I know full well is possible to session spoof, hehe).

    So I doubt it tbh, but you never know what people are capable of. Nothing is ever fully secure, ever.


    _________
    Currently playing: Black Desert Korea (Waiting for EU)

    Always hating on instances in MMOs! Open worlds, open PvP, territory control and housing please. More persistence, more fun.
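The "math" that the GM reply above points to on case-sensitive passwords, worked through as an added example (this is not code from the original thread, from Blizzard, or from mmorpg.com). It computes the search space of a uniformly random password for a case-sensitive alphabet and for the same alphabet after a case-insensitive login folds upper-case into lower-case, how many extra characters the folded password needs to catch up, and how long exhausting each space takes at an assumed throttled online guess rate versus an assumed offline cracking rate against a leaked fast hash. The alphabet sizes and both guess rates are assumptions chosen for illustration; nothing here describes Battle.net's actual login or hashing.

```python
import math

# Assumed alphabet building blocks (distinct characters available per position).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 33 = printable ASCII punctuation + space

# Assumed guess rates, for illustration only (not measured against any real service).
ONLINE_THROTTLED_RATE = 10.0     # guesses/s against a login that throttles attempts
OFFLINE_HASH_RATE = 1e10         # guesses/s against a leaked fast unsalted hash on a GPU


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Search-space entropy in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def case_folded_alphabet(alphabet_size: int) -> int:
    """Alphabet size after a case-insensitive login folds A-Z into a-z.
    Assumes the alphabet contains both cases of the 26 letters."""
    return alphabet_size - UPPER


def extra_length_to_match_case(alphabet_size: int, length: int) -> int:
    """Smallest number of extra case-folded characters needed so that a
    case-insensitive password is at least as strong as a case-sensitive one
    of the original length."""
    target = entropy_bits(alphabet_size, length)
    folded = case_folded_alphabet(alphabet_size)
    extra = 0
    while entropy_bits(folded, length + extra) < target:
        extra += 1
    return extra


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password in a space of 2**bits candidates."""
    return 2.0 ** bits / guesses_per_second


def compare(alphabet_size: int, length: int) -> dict:
    """Summarise what case folding costs for one alphabet/length pair."""
    sensitive = entropy_bits(alphabet_size, length)
    folded = entropy_bits(case_folded_alphabet(alphabet_size), length)
    return {
        "case_sensitive_bits": round(sensitive, 1),
        "case_folded_bits": round(folded, 1),
        "bits_lost_to_folding": round(sensitive - folded, 1),
        "extra_chars_to_recover": extra_length_to_match_case(alphabet_size, length),
        # Online, throttled: even the folded space is out of reach.
        "folded_online_years": seconds_to_exhaust(folded, ONLINE_THROTTLED_RATE) / 3.156e7,
        # Offline, after a database leak: this is where the lost bits matter.
        "folded_offline_seconds": seconds_to_exhaust(folded, OFFLINE_HASH_RATE),
        "sensitive_offline_seconds": seconds_to_exhaust(sensitive, OFFLINE_HASH_RATE),
    }


if __name__ == "__main__":
    for name, size in (("letters+digits", LOWER + UPPER + DIGITS),
                       ("all printable ASCII", LOWER + UPPER + DIGITS + SYMBOLS)):
        print(name, compare(size, 8))
```

For an 8-character password drawn from letters and digits, folding case removes about 6.3 bits and it takes two extra characters to get them back; for the full printable ASCII alphabet one extra character is enough, so which side of the "one more character beats case" claim you land on depends on the alphabet. The rate figures make the practitioner's point: against a throttled online login neither space can be exhausted in a human lifetime, whereas against a leaked fast hash the folded space falls in minutes and the case-sensitive one in hours, so case sensitivity is a defence for the breach-of-the-password-database case, not for online guessing.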

  • Vocadi (Member, Uncommon, Posts: 205)

    It's kind of hard to retain credibility when you bash the company who maintains the game (and your account), refer to smokin' green, and you shared an account with your buddy. Somehow this one might be less tin foil and more user error.

    Edit: It's nice to see that Blizzard were reasonable and helpful when responding. Their service levels certainly aren't lacking.
