Hacked Account -- any experience?

[Morat20]

So, we're trying to install WoTLK for the wifey, and try to log into her account. No dice. So, we figure we're just remembering the password wrong -- it's been at LEAST a year, maybe longer.

So I go ahead and reset the password through her email, and then try to log into her account management to put in her WoTLK key. And get..."This account has been permanently disabled".

That was...a surprise. So I send a message to the proper folks at Blizzard stating, to wit, "This account hasn't been used in 12+ months and it was because we stopped playing. Why is it permanently disabled". Of course, I suspect the reason -- someone grabbed her password and managed to do something annoying. Like sell gold, or spam "FAG!" for hours on global, or whatever.

So I go to the armory and check her profile. She's level fucking 79, but the account won't come up. She doesn't HAVE WoTLK. She left that account a 63 or 64. So someone used her account with WoTLK. I go through her emails -- I find a notice around 12/26/08 mentioning her timecard is about to run out. She apparently never saw that.

So, best guess -- since the account still seems tied to her proper email address, and there appears to be no shenanigans there (but no telling if said asshole was considerate enough just to delete WoW emails -- my wife does have some 900 fucking unread messages, so she's lazy as hell with her email on that account) -- is that someone managed to get into her damn account right after WoTLK came out, resubbed her using a time card (we use a CC), leveled her from 63 to 79, and then got her banned sometime around when the timecard ran out.

WHY is a question I cannot answer. HOW is a question I cannot answer -- that account was fallow.

In any case, I've got emails in to wowaccountsupport or whatever it is. Anyone have any experience with this? Any suggestions on what sort of time frame to fix this clusterfuck? Will she be able to have her 'toon restored to it's state when we stopped subbing off a CC and, apparently, switched to some moron on a timecard? Will we have much of a problem fixing this, or should we just wipe and burn the account and associate her keys with a new account?

Any advice? Suggestions? Thoughts? Because I'm a bit pissy right now about the whole affair. I'm hoping, desperately hoping, that Blizzard keeps records good enough to go "Aww, you switched off of monthly reoccuring back in 5/08. It reactivated later that year, on a timecard. That wasn't you? Well, we can roll your characters back to their 5/08 state -- you'll lose certain enchants -- and should have it restored and your account back up by Friday".

But I bet it won't be that easy. But I can hope.

Who the fuck steals an account, upgrades it to an expansion, and levels someone to 79? That's a fucking ton of work there, especially since it seems to have been done in less than three months. Why? Just to sell gold? Why get it banned?

[Drubear]

My account was hacked and then stripped. I was able to get the password back but had to wait about a week to get all the stuff back.

It was pretty quick actually - not very much in the way of interaction with Blizz, but I did get all my stuff back.

(They disable accounts after a couple mistries on the password. Was about 2 days to get them to resend the password.)

Based on my experience, hold out - you will likely get access back. Dunno what the bizniss will be with the expansion tho.

[Bismallah]

Probably someone that thought they got one over on your wife's account and figured she was never coming back. Or they were trying to get 80 to sell it and were trying to do it before the time card ran out.

[Lantyssa]

If you're worried about security, you could get a security dongle.  Don't know if they can revert the character, though it's possible you'll get a free Wrath expansion out of it if that's the case.  I do not know the specifics, but I do know several people whom have been hacked and got things sorted out in fairly quick time.

If any new accounts are involved, I'm still looking to get a Zhevra... >>

[IainC]

As someone who used to deal with this kind of thing I would say that it's highly unlikely you'll get the account unbanned. 'It wasn't me, it was my little brother/my friend/some hackers' is a pretty common response to a ban and it never flies. Ultimately most operators take the view that you are responsible for anything that happens on your account and are responsible for its security. They don't want to get into he said, she said stuff so the fact that your wife wasn't operating the account at the time is not a reason to unban it.

If you're hacked then Blizzard will try and return the account to whoever legitimately owns it but I can't see them overturning a ban. At a guess, whoever was using the account was macro-farming for an RMT operator and it got caught.

[gryeyes]

Who the fuck steals an account, upgrades it to an expansion, and levels someone to 79? That's a fucking ton of work there, especially since it seems to have been done in less than three months. Why? Just to sell gold? Why get it banned?

Many possibilities, phished the information Im assuming? Get an account farm as much gold on it as possible,use it as a mule to facilitate other transactions,use it for advertising in game,resell the stolen account to a third party and let them deal with the issue when it eventually gets banned. Impressed they will even restore an account to a state a year ago, especially one that was banned? They must have changed tons since ive played.

[Morat20]

They haven't done anything. I just found this out today. About all I've got going for me is that our family has three accounts (mine, hers, my sons) all charged the same way -- reoccuring charges to a single credit car. I shut mine down April of 08, shut hers down a bit before that. My son's has been active since January of 08. I'm hoping that since whoever got the ban banned it off a timecard, months after I stopped paying for it -- and that my wife has like a 2 year play record that has not even a warning on it -- will help.

I dunno. Other than that, well -- I'm pretty sure to get another account I'll have to buy all three goddamn boxes for her, which really pisses me off. Levelling her toons back up isn't that big a deal.

As for how I found out it was 79 -- Armory has that, just not the detailed character information (so I can't see if, for instance, it's a totally stripped character).

I have no idea if they can restore it with the ban being 6+ months old. I can't even get INTO the account to see when the ban occured, or when the moron started playing with it.

I'm hoping, if nothing else, now that I've resecured the account (changed the password, basically -- on it and her email account, just in case he got that somehow and was stripping out messages) -- that I can at least recover the account even if the characters are totally wiped. I'd prefer to get the characters back, obviously, in the condition I left them. I have no idea if that's feasible, with the whole thing being so old.

Like I said -- someone hacked it, played it for two or three months, then got perma-banned. And we never noticed, because we weren't playing and, to the best of our knowledge, the account was frozen like we left it.

[gryeyes]

Sorry I misread, no way is that account going to be restored. While Blizzard policy is far from standardized (or was when i played), you gotta fuck up pretty bad for the account to be perm banned. Its pretty much exclusive to RMTing of some sort or saying some criminally heinous smack. And since they played it awhile its almost certainly the former. Its a black/white case closed situation if its RMT. Your account,your responsibility even if its hacked. Ive heard of people retrieving an account that was completely taken over by a hacker, but after the judgment is made you are pretty fucked.

Basically everything IainC said.

[Morat20]

Sorry I misread, no way is that account going to be restored. While Blizzard policy is far from standardized (or was when i played), you gotta fuck up pretty bad for the account to be perm banned. Its pretty much exclusive to RMTing of some sort or saying some criminally heinous smack. And since they played it awhile its almost certainly the former. Its a black/white case closed situation if its RMT. Your account,your responsibility even if its hacked. Ive heard of people retrieving an account that was completely taken over by a hacker, but after the judgment is made you are pretty fucked.

Basically everything IainC said.

Well, shit. Hell, I think I can even pinpoint when the fucker was hacked. I found a password recovery request in my wife's inbox on 12/26/08. She wasn't fucking PLAYING on 12/26/08. She hadn't played in months. The account was inactive. Of course, 12/27/08 has a "your sub time will run out in three days". Not sure what's up there. Maybe that's legit and it was for my kid?

Which begs the question of how the fucker got the password -- she does have it tied to her hotmail account, which I suppose means that's compromised. Which makes me glad I forced her to change that password too. Fuckity fuck fuck fuck.

So assuming I can't get the ban overturned -- which apparently involves faxing ID's and stuff -- I guess I'm stuck rebuying the original box and a TBC key, and just creating her a new account? And hoping this teaches her a lesson about password security?

Seriously, if I had access to the fucking payment logs -- even with the account suspended -- I could tell WHEN the goddamn fucker got the account, and tell what's compromised adn what's not. At this point, I'd settle for that.

[Jayce]

I wouldn't be so sure that you won't get the account back. Blizzard does keep VERY good records and I've personally never known them to screw up something like this.  It will probably be a longer investigation, since they have to verify that your CC-based sub expired, then it was reactivated from some other IP and the other IP bought WoTLK, etc then did the thing to get banned.  Then you came back on your original credit card and IP and found it like this.

That's a lot to verify but seems pretty unlikely that you'd have the foresight to play entirely from another area of the country or world while you were planning to do something to get banned, then try to get unbanned by returning back to your original geographic location.

I've had several friends hacked and they all got their stuff back fairly quickly even though the account was pretty clearly used for gold farming. The permaban is another wrinkle but I'd give Blizzard a little faith until proven otherwise.

[Cadaverine]

My account got hacked a while back, and was banned for gold spamming.  After a couple emails back and forth, and them checking the logs for IP addresses, my account was reinstated, and they even gave me a zergling pet in the mail for my trouble.

I don't see them not lifting the ban, based off what you said.  As for the level 79, and all that?  Dunno.  I don't think they could roll the character back, but they might unflag the account as WotLK enabled.

Hope everything works out, though.

[Morat20]

I wouldn't be so sure that you won't get the account back. Blizzard does keep VERY good records and I've personally never known them to screw up something like this.  It will probably be a longer investigation, since they have to verify that your CC-based sub expired, then it was reactivated from some other IP and the other IP bought WoTLK, etc then did the thing to get banned.  Then you came back on your original credit card and IP and found it like this.

That's a lot to verify but seems pretty unlikely that you'd have the foresight to play entirely from another area of the country or world while you were planning to do something to get banned, then try to get unbanned by returning back to your original geographic location.

That's about the entire reason I'm holding out hope and waiting for a response, rather than just buying a new set of boxes.

I've had several friends hacked and they all got their stuff back fairly quickly even though the account was pretty clearly used for gold farming. The permaban is another wrinkle but I'd give Blizzard a little faith until proven otherwise.

Is it odd that the account was taken, upgraded to WoTLK, grinded up to 79 and then perma-banned? It wouldn't surprise me if the ban was for either gold selling or buying, or botting.

If I found her toon still at 63 or whatever, but all her characters naked with empty banks -- I'd get that. Finding it at 79 on the Armory and banned, I don't get. Was someone botting it up to 80 to sell the hacked account? (Botting would get you banned, and wasn't there a nice wave of bot bans late last year, early this year?). Maybe the moron bought gold. Why wasn't the registered email address changed from her hotmail account, though? Why make it possible for me to recover the password at all?

I mean, I told it "I can't remember my password", typed in her hotmail address, got the link, reset the password just fine. The guy we were going to start playing again thinks it was some moron who bought access to an account with a level 60+ already on it (IE: Bought the password and logon name), paid to upgrade to WoTLK so he could create a Death Knight and dick around for a month or three with the WoTLK stuff and probably got banned for buying gold (she had very little for a 63 -- less than 300) before he hit 80.

Cadaverine:
If they can't roll the account back, she'll probably decide to just nuke all her characters. She's really pissed that, effectively, someone stole all the shit she worked for and then fucked it so she can't go back to where she was. Or rather, I'll probably have to do it for her. She gets upset about that sort of thing, and logging in to find her toons naked -- or worse yet, geared and leveled by someone else -- or new toons created -- will just piss her the hell off.

I have NO idea if they can roll the character back. On the one hand, it seems like a giant hassle. On the other hand, the sort of DB's an MMORPG uses and the automatic logging means they probably have tools and backups designed to do just that. Probably more expensive and time-consuming than they're willing to do, but at least back when I played, Blizzard seemed to generally be on the "better than I really expected" end of customer service.

I appreciate the responses.

[Ingmar]

I'd guess its very likely they were bot-leveling it to 80 to sell it, and got caught botting.

[Jayce]

I'd guess its very likely they were bot-leveling it to 80 to sell it, and got caught botting.

This, or they were farming gold with it and needed Northrend. Does the character have gathering skills?  It's also quite possible the story you stated (some moron bought a character at 60+ then tried to buy gold).

My friend who got hacked had one lower-level character stripped, but his 80 had everything intact and was being used to farm ore, presumably to sell for gold to RMT.  It's really pretty random and I don't think they usually systematically strip all characters and their banks.

Very curious to hear how the story turns out.

[gryeyes]

They can roll a character back, but im not sure how long that information is kept around. And unless they have changed something you need to have access to the original email address to change it to another one, or directly talk to someone and have it changed. But in that case you need to know the original account information. I believe the full names and phone number stuff is XXXXXX out in your account for this reason.

Its possible they will reinstate your account but the amount of time that has passed and how long they had access to the account makes this seem unlikely. If your account was logged onto by a strange IP for a day or two while they spammed gold messages changes the situation a good deal. It also takes forever to be banned for botting even after they are 100% certain you are botting they will still wait and then ban them all in one chunk so it looks good. The account would also be 80 in a week or two. It doesn't even tell you why it was suspended? Sift through the emails guaranteed there is one detailing what happened.

[Morat20]

They can roll a character back, but im not sure how long that information is kept around. And unless they have changed something you need to have access to the original email address to change it to another one, or directly talk to someone and have it changed. But in that case you need to know the original account information. I believe the full names and phone number stuff is XXXXXX out in your account for this reason.

Its possible they will reinstate your account but the amount of time that has passed and how long they had access to the account makes this seem unlikely. If your account was logged onto by a strange IP for a day or two while they spammed gold messages changes the situation a good deal. It also takes forever to be banned for botting even after they are 100% certain you are botting they will still wait and then ban them all in one chunk so it looks good. The account would also be 80 in a week or two. It doesn't even tell you why it was suspended? Sift through the emails guaranteed there is one detailing what happened.

The "why the account was suspended" emails almost certainly came into the junk folders and were never seen. I've rectified that -- whitelisting blizzard's email addresses -- but until Blizzard contacts me I can't even find out why it was suspended. I'm guessing those folks don't work the weekend, so I probably won't know until sometime Monday or Tuesday. (I'd imagine I'd get at least a 'Your account was banned for X' message).

We DO have access to the original email address -- that was never lost. Like I said, I used it to reset her password when I couldn't log into her account. (In retrospect, I couldn't log into her account to upgrade it to WoTLK because someone had hacked it and changed the password). Judging by the last email I do have from Blizzard to her account -- a notification of a password change and an upcoming "running out of play time" message in late december 2008, it looks like someone hacked her account right after WoTLK came out, and probably used the account less than a month before they got banned.

I can't really hold out hope they keep logs going back a year or more. That's a ton of fucking data. :)

[gryeyes]

We DO have access to the original email address -- that was never lost. Like I said, I used it to reset her password when I couldn't log into her account.

Ya I meant whoever had taken over your account couldn't change the email unless he had all of specifics beforehand (full name,phone etc). Since you have to confirm it through the original email or talk to a human and be asked specific questions that somebody wouldn't know just looking at your account page.

[Morat20]

We DO have access to the original email address -- that was never lost. Like I said, I used it to reset her password when I couldn't log into her account.

Ya I meant whoever had taken over your account couldn't change the email unless he had all of specifics beforehand (full name,phone etc). Since you have to confirm it through the original email or talk to a human and be asked specific questions that somebody wouldn't know just looking at your account page.

That explains a lot. Thanks.

[Sheepherder]

I can't really hold out hope they keep logs going back a year or more. That's a ton of fucking data. :)

No, but there's a fair chance they keep an archived account state when shit happens like a change in billing type or password, or they flagged the account's data to be preserved once GM's started investigating.

[Megrim]

Not to be an arse, but are you sure it wasn't just your son loaning the account out to a friend, since it wasn't in active use?

[apocrypha]

One thing I've found with Blizzard CS (in the EU at least) is that it's very hit and miss. One CSR can be helpful with the next can be completely intransigent on the same issue.

If you get nowhere first try then try again.

If it does come to a completely new account then definitely do the Recruit-A-Friend thing, it'll ease a lot of the pain.

[Nebu]

If it does come to a completely new account then definitely do the Recruit-A-Friend thing, it'll ease a lot of the pain.

This. 

My account also got hacked and rather than go through the hell that is CS, I just had a friend send me a recruit a friend invite.  It makes the trip from 1-60 trivial... like 40-50 in a few hours trivial. 

[Sjofn]

Plus you get a zhevra mount and have people like me and Lantyssa burn with envy.

[Fordel]

You should get your other Sister to join WoW, I'm sure they'll implement the "Super Duper Extra Special refer a friend" offer the week after. 

[gryeyes]

Man, lots of people have gotten their WoW account "hacked", how do you even manage that without downloading something naughty or responding to the constant stream of phishing emails? Closest experience I ever had was people purchasing an account and then trying to be shading and jyping me through Paypal.

Someone else mentioned your children being responsible, I was kinda wondering the same thing. Kid knows your mom has quit and lends the account to a buddy or something?

[Merusk]

Man, lots of people have gotten their WoW account "hacked", how do you even manage that without downloading something naughty or responding to the constant stream of phishing emails? Closest experience I ever had was people purchasing an account and then trying to be shading and jyping me through Paypal.

I've always wondered the same thing.  I had a friend get hacked 3 times in 6 months, even after changing his password twice.  There I was pretty sure he had some malware tied to his computer.  I had another guy get hacked and he was religious about changing his password.  Me, on the other hand, until I moved over to the Battle.net account system had used the same password for 4 years without a problem. 

Although now that it's tied to a public e-mail for the username (stupid fucking system) I'm changing it regularly.

[Oban]

Not to be an arse, but are you sure it wasn't just your son loaning the account out to a friend, since it wasn't in active use?

I was thinking along the same lines, sounds more like your son was using the account.

[IainC]

In my experience the method was almost always social engineering. The number of password grabbers and trojans around is a relatively recent phenomenon. Commonly, the 'hacked' account would have been lent to someone else who was laxer with security than the original owner. I remember one instance where an entire guild in DAoC got hacked simultaneously. Of course what had happened was that they all had each other's passwords so that they could log in absent guildies for ML credit, buffbots etc and one guy had a sheet with all the logins and passwords taped to the PC he used at the local internet café....

Sometimes it was a close friend or relative of the victim taking advantage of weak passwords on a webmail account and finding account details that way. The number of times I had to look into hacks where the account was registered to <main character name>@hotmail.com and the password turned out to be something retarded like the guy's forum name (or vice versa) was amazing.

I'm not saying that's what's happened in Morat's case but, until recently at least, actual hacks using malicious software etc were pretty rare.

[Simond]

Man, lots of people have gotten their WoW account "hacked", how do you even manage that without downloading something naughty or responding to the constant stream of phishing emails? Closest experience I ever had was people purchasing an account and then trying to be shading and jyping me through Paypal.

Certain goldfarming companies are known to use weaknesses in Flash-based adverts to infect people's PCs with trojans. How do they know which websites to use? Well...WoWhead, Allakhazam and Thottbot are all owned by goldfarmers so it's not exactly difficult to target. Or they can just hack random popular websites instead.

And if you think I'm being paranoid: http://news.bbc.co.uk/1/hi/technology/6526851.stm
Please also note that a hacked WoW account is worth more nowadays than a stolen credit card. 

[Morat20]

Not to be an arse, but are you sure it wasn't just your son loaning the account out to a friend, since it wasn't in active use?

Yeah, mostly because my son doesn't know that password, and judging by his WoW playing habits and the conversations he's had with his friends in my presence, none of his friends play WoW -- they're all Xbox junkies.

He'll be 13 in a month or two, and if this had happened a year or two from now, I'd be a lot more suspicious about him. We've always been religious about passwords and him, mostly because both mine and my wife's PC's contain data we don't want him to see, and she's paranoid about him being online in an MMORPG without parental supervision.

But I don't consider it being an arse to ask that sort of thing -- it's more than a valid question, and teenagers often don't really think about sharing accounts and passwords. Or "borrowing" their parents stuff.

As for how the password got stolen -- I dunno. As simond notes, there's a lot of useful WoW stuff owned by goldfarmers -- and my wife has used Allakhazam and Thhottbot a lot. She also used a number of add-ons, and it's possible she wasn't as careful as she should have been. And, lastly, her password was really weak. I've been warning her about that for years. 6 digits, all characters, variant of a friend's name.....

REALLY crappy password, and I wouldn't put it past her to use it the same name/password combo for a guild website login/password. In fact, I'd say someone managing access to a defunct guild website is a really likely path.

[Merusk]

REALLY crappy password, and I wouldn't put it past her to use it the same name/password combo for a guild website login/password. In fact, I'd say someone managing access to a defunct guild website is a really likely path.

Y'know, you're probably on to something here.  Did she do a "see you around" post when you all quit? If so, some individual may have given it a shot, knowing you weren't going to be coming back.

The Thott trojan is probably how my friends got hacked.  They were all avid thottbot users, even after I warned them the last time Alla/ Thott were 'hacked' in a similar way.. and I know they both use IE. 

[Sheepherder]

Firefox with NoScript.

[gryeyes]

And if you think I'm being paranoid: http://news.bbc.co.uk/1/hi/technology/6526851.stm
Please also note that a hacked WoW account is worth more nowadays than a stolen credit card. 

Oh im completely aware of the sites being infected, but who doesn't use firefox with the plugins to filter that shit. Or something with a similar effect.  Especially with this crowd who are older and PC savvy.

[Morat20]

And if you think I'm being paranoid: http://news.bbc.co.uk/1/hi/technology/6526851.stm
Please also note that a hacked WoW account is worth more nowadays than a stolen credit card. 

Oh im completely aware of the sites being infected, but who doesn't use firefox with the plugins to filter that shit. Or something with a similar effect.  Especially with this crowd who are older and PC savvy.

My wife is not PC savvy. I mean, compared to a lot of her coworkers and, say, my dad she's like a computer guru. Compared to, say, the average user on this site? She can barely turn it on. :)

[Lantyssa]

Oh im completely aware of the sites being infected, but who doesn't use firefox with the plugins to filter that shit. Or something with a similar effect.  Especially with this crowd who are older and PC savvy.

The significant others' of those posters?

(Oh, Morat got it while I was reading/posting.)