Topic: My WoW-account's been compromised (Read 134453 times)
|
WoopeeTuralyon
Terracotta Army
Posts: 200
|
That's creepy make it go away!
Also, these authenticators ruined my fun of playing friend's accounts.
|
|
|
|
ezrast
Terracotta Army
Posts: 2125
|
If you're worried about brute force attacks you're doing it wrong. Even with WoW's relatively short maximum password length and ridiculous case-insensitivity, it's not hard to come up with something that's not going to get brute-forced any time this century. Just use the first 16 characters of a catchy song lyric and replace all the E's with Q's, or something.
|
|
|
|
brellium
Terracotta Army
Posts: 1296
|
The best passwords (and a total pain in the ass) are ones that include ascii characters. Go ahead brute force that.
|
"One must see in every human being only that which is worthy of praise. When this is done, one can be a friend to the whole human race. If, however, we look at people from the standpoint of their faults, then being a friend to them is a formidable task." —‘Abdu’l-Bahá
|
|
|
Lantyssa
Terracotta Army
Posts: 20848
|
To a computer they're all the same. It only matters if their algorithm includes them or not.
|
Hahahaha! I'm really good at this!
|
|
|
Paelos
Contributor
Posts: 27075
Error 404: Title not found.
|
I went without an authenticator for 5 years, then I got one after being hacked once. This, to me, seems to be the only responsible way to deal with a hack beyond preventing it with an authenticator in the first place. However, the shocking amount of people who get hacked and only change their passwords in my guild alliance is staggering. I had a guy get "hacked" 3 times before we finally tossed his ass out of the guild. Once, could happen to anybody. Twice, you're not doing your job to keep better security so get on it now. Three strikes, and you're out.
|
CPA, CFO, Sports Fan, Game when I have the time
|
|
|
Morat20
Terracotta Army
Posts: 18529
|
The best passwords (and a total pain in the ass) are ones that include ascii characters. Go ahead brute force that.
I tend to do things like, say, insert a given year (either 4 digits or just 2) that I'll remember, into the middle of my password, then tack special characters onto the beginning or end. I have a handful of years, a handful of six-digit random characters (numbers, letters, capital or not), and three sets of three special characters. Mix and match them. Of course, I work someplace that requires 12-character passwords, with one capital, one special character, and one number -- and changes them every 60 days on a "no reuse" policy of a year. (They check, the fuckers. And their algorithms are good enough to check minor variations, too). That's the system I use for work. For games, I have a slightly different one. Same idea, though. Difficult to force, varied enough that I don't use the same passwords in multiple places, easy for me to jot down cryptic 'hints' that'll let me remember it without giving anything away. On the other hand, for the RSA SecurID tokens I use for the OTHER half of my work, well...remembering a 4-digit PIN and using a 6-digit paired random number generator is more secure and easier to use.
|
|
|
|
Rendakor
Terracotta Army
Posts: 10138
|
I went without an authenticator for 5 years, then I got one after being hacked once.
Same here; I assumed I was safe (and still I'm not sure exactly what I did to get hacked) til they got me, then I got an authenticator.
|
"i can't be a star citizen. they won't even give me a star green card"
|
|
|
Xuri
Terracotta Army
Posts: 1199
몇살이세욬ㅋ 몇살이 몇살 몇살이세욬ㅋ!!!!!1!
|
My theory? Blizzard are hacking accounts themselves to force people to get authenticators. 
|
-= Ho Eyo He Hum =-
|
|
|
Rendakor
Terracotta Army
Posts: 10138
|
At 6 dollars a pop that's bad business. They could just reskin another mount!
|
"i can't be a star citizen. they won't even give me a star green card"
|
|
|
Paelos
Contributor
Posts: 27075
Error 404: Title not found.
|
My theory? Blizzard are hacking accounts themselves to force people to get authenticators.
Actually the funny thing is that I had that thought when I got hacked. I cancelled my account, and got hacked within about 6 hours. Was it an odd coincidence? Probably yeah, but the timing still gave me pause.
|
CPA, CFO, Sports Fan, Game when I have the time
|
|
|
Fordel
Terracotta Army
Posts: 8306
|
They sell those things at cost if I understand right.
|
and the gate is like I TOO AM CAPABLE OF SPEECH
|
|
|
Morat20
Terracotta Army
Posts: 18529
|
They sell those things at cost if I understand right.
I would if I was them. I might even sell them at a slight loss. Much harder to hack an authenticator, and each hacked account has to take up expensive customer support time.
|
|
|
|
Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado
|
Heck the authenticator app is free.
|
The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.
|
|
|
Fordel
Terracotta Army
Posts: 8306
|
I half expect Cata boxes to simply have one inside.
|
and the gate is like I TOO AM CAPABLE OF SPEECH
|
|
|
rk47
Terracotta Army
Posts: 6236
The Patron Saint of Radicalthons
|
I usually just put my mom or dad's mobile number. Helps to keep me remembering of family and less likely for ppl I know to get lucky guesses.
|
Colonel Sanders is back in my wallet
|
|
|
sickrubik
Terracotta Army
Posts: 2967
|
They sell those things at cost if I understand right.
I would if I was them. I might even sell them at a slight loss. Much harder to hack an authenticator, and each hacked account has to take up expensive customer support time.
At 6.95, they're barely covering their shipping costs.
|
beer geek.
|
|
|
WindupAtheist
Army of One
Posts: 7028
Badicalthon
|
The best passwords (and a total pain in the ass) are ones that include ascii characters. Go ahead brute force that.
I tend to do things like, say, insert a given year (either 4 digits or just 2) that I'll remember, into the middle of my password, then tack special characters onto the beginning or end. I have a handful of years, a handful of six-digit random characters (numbers, letters, capital or not), and three sets of three special characters.
I just spell all my passwords in d00dsp34|<.
|
"You're just a dick who quotes himself in his sig." -- Schild "Yeah, it's pretty awesome." -- Me
|
|
|
Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado
|
So your password is 7r4mm3l?
|
The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.
|
|
|
Azazel
|
Got another phishing email yesterday. Since I haven't played for 2 years I'm not that concerned about being hacked since I don't even have a b.net account for the game, but it's comforting to know that if I ever do go back to wow, that the haxors won't need to guess my username...
|
|
|
|
WindupAtheist
Army of One
Posts: 7028
Badicalthon
|
If you do go back, just make your bnet email one that gets used for absolutely nothing else. And anyway, the fact that you got a phishing email may not mean anything at all. My junk folder is full of Aion phishing mails and I've never touched that game at all.
|
"You're just a dick who quotes himself in his sig." -- Schild "Yeah, it's pretty awesome." -- Me
|
|
|
Azazel
|
Yeah, though I already have my unlinked diablo bnet account set up and it just reeks of unnecessary stupid to have to have a super sekret wow-only email account (not on the usefulness part, but needing to do it for a stupid game).
Can you merge bnet accounts?
|
|
|
|
WindupAtheist
Army of One
Posts: 7028
Badicalthon
|
Dunno, but you can change your bnet email address anytime you want. I change it and my password on a semi-regular basis after scrubbing my PC clean.
Like while I was out of town I logged on from my friend's computer. He keeps things very secure so I didn't really feel at risk of anything bad happening, but if I did get hacked I'd want to know it was a result of my fuckup and not his. So when I got home I ran a few different antiviruses, etc., and then changed my email and password.
|
"You're just a dick who quotes himself in his sig." -- Schild "Yeah, it's pretty awesome." -- Me
|
|
|
ezrast
Terracotta Army
Posts: 2125
|
Yeah, though I already have my unlinked diablo bnet account set up and it just reeks of unnecessary stupid to have to have a super sekret wow-only email account (not on the usefulness part, but needing to do it for a stupid game).
Completely agree; if I resub and anything happens to my account I'll just not play for a few days while support puts my shit back together. Really can't be bothered to take any special security measures otherwise. If hackers target Diablo 3 the way they target WoW, I'll make my account more secure than the Pentagon.
|
|
|
|
Paelos
Contributor
Posts: 27075
Error 404: Title not found.
|
The phishing emails are getting ridiculous. I'm getting at least 5 a week now. Why oh why did Blizzard decide to make our login the fucking email address!!!! ARGHAGHAG!
|
CPA, CFO, Sports Fan, Game when I have the time
|
|
|
SurfD
Terracotta Army
Posts: 4039
|
The phishing emails are getting ridiculous. I'm getting at least 5 a week now. Why oh why did Blizzard decide to make our login the fucking email address!!!! ARGHAGHAG!
A better question would be: who did you give your email address to that managed to allow the phishers to associate it with the fact that you play WoW? I use my WoW account associated email for lots of stuff, and I have yet to see more than 1 phishing mail a month.
|
Darwinism is the Gateway Science.
|
|
|
Rasix
Moderator
Posts: 15024
I am the harbinger of your doom!
|
The phishing emails are getting ridiculous. I'm getting at least 5 a week now. Why oh why did Blizzard decide to make our login the fucking email address!!!! ARGHAGHAG!
I've gotten 40+ in a little over a week. I imagine it's all from the 3 guild related portals I've signed up for in my time playing WoW. I don't think I have accounts at any of the major news sites. Another possible culprit is curse. However, I haven't played since April. It has shot up dramatically since the SC2 launch, though.
|
-Rasix
|
|
|
Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado
|
I've never received a phishing email to my battle.net email address, but I get them all the time at my work email address that has never been associated with the account.
|
The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.
|
|
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
I don't even notice them anymore. I have a catch-all yahoo account for all web and game stuff that I've had around since '97. Their mail filter has been fantastic about catching them after the first day or so of a new one.
|
The past cannot be changed. The future is yet within your power.
|
|
|
Rasix
Moderator
Posts: 15024
I am the harbinger of your doom!
|
They're all in my spam folder. Maybe one a month hits my inbox. Even if every link looks legit, I never click anything.
I just log onto b.net. Hey look, nothing's changed at all.
|
-Rasix
|
|
|
Xuri
Terracotta Army
Posts: 1199
몇살이세욬ㅋ 몇살이 몇살 몇살이세욬ㅋ!!!!!1!
|
I don't think I've clicked on a link in an e-mail, legit or not, since 1999. Copy the link, paste in browser, inspect text, approve & press enter or disapprove and delete.
|
-= Ho Eyo He Hum =-
|
|
|
Paelos
Contributor
Posts: 27075
Error 404: Title not found.
|
They are in my spam folder as well. Before SC2, I got one a month. Post-SC2 I'm at one a day it seems.
|
CPA, CFO, Sports Fan, Game when I have the time
|
|
|
Threash
Terracotta Army
Posts: 9171
|
I got an email saying my account was suspended for three hours because: This suspension happened because one or more characters on the account were identified exchanging, or contributing to the exchange of, in-game property (items or gold) for "real-world" currency. This exchange process negatively impacts the World of Warcraft game environment by detracting from the value of the in-game economy. Also my password was reset. I wouldn't have believed it was real if it wasn't for the password reset which did happen. Nothing on the account is missing and I obviously did not spam for gold sellers myself. What the heck is going on here?
|
I am the .00000001428%
|
|
|
SurfD
Terracotta Army
Posts: 4039
|
I got an email saying my account was suspended for three hours because: This suspension happened because one or more characters on the account were identified exchanging, or contributing to the exchange of, in-game property (items or gold) for "real-world" currency. This exchange process negatively impacts the World of Warcraft game environment by detracting from the value of the in-game economy. Also my password was reset. I wouldn't have believed it was real if it wasn't for the password reset which did happen. Nothing on the account is missing and I obviously did not spam for gold sellers myself. What the heck is going on here?
I actually had the same thing happen to me about 4 or 5 months ago. Had my password reset by Blizzard and got a 3 hour suspension (ironically, it happened on a Monday night, so the suspension was carried out during weekly maintenance downtime, lol) for "spamming / advertising gold seller related websites". Nothing was taken from any of my characters, and I could find absolutely nothing on my PC that would suggest I was keylogged, so the only thing I could think of was that somehow I was accidentally reported by someone messing with the "right click -> report spam" feature. Never had any issues since, either.
|
Darwinism is the Gateway Science.
|
|
|
Lantyssa
Terracotta Army
Posts: 20848
|
I don't think the right click->report matters unless you get several. One shouldn't trigger it.
|
Hahahaha! I'm really good at this!
|
|
|
Threash
Terracotta Army
Posts: 9171
|
Well, I don't have a virus unless malwarebytes is lying to me. I'm all paranoid now.
|
I am the .00000001428%
|
|
|