Topic: My WoW-account's been compromised (Read 134425 times)

Sheepherder
Terracotta Army
Posts: 5192

The ability to log the IP of the connecting computer combined with the fact that the breach will usually only occur in-game after the account's payment has lapsed for a short period will tell them exactly when the breach occurred.

raydeen
Terracotta Army
Posts: 1246

Well, my account got hacked. Last Saturday night as a matter of fact. I'm bad with checking emails so I never saw the 'Notice of Password Reset' email come in. I went to log in yesterday and my password wouldn't work. Tried several times as sometimes I type too fast and miss a letter or digit. Nada. So I go to the WoW page and do a password reset. I log in, reset the password, type in my name and the answer to my secret question, reset the pass, log into the game and find some rogue level 1's and some of my toons missing. Fortunately, my main didn't get touched but one of my other 'mains' did get deleted. I'm hoping to get her back as she had the Spirit of Competition pet which frankly was a big deal for me. I emailed Blizz and am waiting for a response. After spending several hours seething and killing a few hundred Alliance fuckers (it was an Alliance fucker who hacked my account so they all had to die because of it), I got to thinking... If the hacker was able to get in and change my password (I'm thinking it was just a very weak password - I don't run addons, only run it from my personal machines and as far as I can tell have clean systems), how would they have known my secret question/answer? If they did somehow figure it out, why would they leave it the way it was? Something's fishy here. I'm thinking maybe Blizz got hacked and not necessarily me. In any event, I'm getting one of those activators now. I always figured I was safe. Guess not.

I was drinking when I wrote this, so sue me if it goes astray.

Merusk
Terracotta Army
Posts: 27449
Badge Whore

Secret questions are always fail because they're often easy to guess. Particularly if they know the person even a little bit. I detest that they've become such a commonplace form of 'security.' But when combined with Blizzard's "e-mails as IDs are a GOOD idea" and "try all you want we won't stop you" brute-forcing, it's stupidly easy to 'hack' accounts. If you don't have an authenticator you're just asking for it at this point.

The past cannot be changed. The future is yet within your power.

raydeen
Terracotta Army
Posts: 1246

Well, the activator is ordered. Although I gotta say, my secret answer would've been bloody hard to guess even with a dictionary attack. Not a word that I would think anyone would stumble upon. Oh well.

I was drinking when I wrote this, so sue me if it goes astray.

Lantyssa
Terracotta Army
Posts: 20848

If he knew the original password he wouldn't need the secret question, would he? You needed it because of a reset. The e-mail is probably generic for any kind of password change.

Hahahaha! I'm really good at this!

sickrubik
Terracotta Army
Posts: 2967

Yeah, you don't need the secret question to change the password, only for the reset.

beer geek.

Dren
Terracotta Army
Posts: 2419

> Specifically, the Forums don't have a login attempt limiter and you can apparently just power through combos easily enough with whatever technique/software you know.
> WoW passwords are not case sensitive either.

Seriously!? No friggin' wonder everyone and their dog gets hacked. That's... This has to be what's happening widespread. I've never logged into the forums. Is it directly tied to my account and to whether I went there and started logging in or posting? They'd have to have my username/battlenet email first though right? Have the authenticator anyway, but I never really thought about the forums... That's insane.

Lantyssa
Terracotta Army
Posts: 20848

The forums use the same login. An e-mail is easy to get or guess. If there is no IP lockout, then it's really easy to brute force a password for a list of valid e-mails.

Hahahaha! I'm really good at this!

Merusk
Terracotta Army
Posts: 27449
Badge Whore

If you count anyone who's ever signed up for a Curse account (hello Curse "one click update" client!), Wow-head account or many, MANY guild sites they've got a big, long list of valid e-mails. The percentage of people who use different e-mails for everything is really, really damn low.

The past cannot be changed. The future is yet within your power.

Righ
Terracotta Army
Posts: 6542
Teaching the world Google-fu one broken dream at a time.

> Specifically, the Forums don't have a login attempt limiter and you can apparently just power through combos easily enough with whatever technique/software you know.

That probably explains a few of the crashes of the login server over the years. After all, who hasn't written an overly aggressive attack script and then shared it with all their friends for hacker kudos? It's practically a rite of passage in those circles.

The camera adds a thousand barrels. - Stephen Colbert

brellium
Terracotta Army
Posts: 1296

> Greetings! Recently, the problem of account invasion is getting worse and worse which cause enormous players’equipments and virtual currency stolen. This severely damages the benefits of mass players, also causes our company lose a lot of customers. Our company has to adopt some measures to safeguard our common benefits in order to strengthen the safety of mass players'accounts, and firmly resist the account to be stolen again.Through our company's research and investigation to xxx customers,we will make the following decisions: we launch a package of updated code strengthen system and dynamic code protection card which can effectively prevent the accounts invaded. We will send this package of code protection system to players free of charge.
> Please open this connection: http://www.worldofwarcraft.com/secure
> If your account passes the check successfully, we will send this package of dynamic code protection card to you in the form of e-mail. In 3 days after you receiving the e-mail, if you don't submit your information, we have right to freeze your account, every player is obligated to protect the safety of the account. You must work together with us to be determined to crack down all the behaviors of destroying games. If you had already authenticator your account, please disregard this automatic notification.
> Regards, The World of Warcraft Support Team Blizzard Entertainment http://www.blizzard.com/support/wowindex/

Nice email with all the hidden URLs, quite amusing as I deleted all of my characters prior to quitting.

"One must see in every human being only that which is worthy of praise. When this is done, one can be a friend to the whole human race. If, however, we look at people from the standpoint of their faults, then being a friend to them is a formidable task." —‘Abdu’l-Bahá

Koyasha
Terracotta Army
Posts: 1363

I don't understand why these people can't seem to write something that doesn't give itself away with obvious language screwups. Is it just because so many people are stupid enough to fall for it even when it's blatantly obvious? It's as though they intentionally leave the broken English callsign.

-Do you honestly think that we believe ourselves evil? My friend, we seek only good. It's just that our definitions don't quite match.- Ailanreanter, Arcanaloth

Fordel
Terracotta Army
Posts: 8306

> I don't understand why these people can't seem to write something that doesn't give itself away with obvious language screwups. Is it just because so many people are stupid enough to fall for it even when it's blatantly obvious? It's as though they intentionally leave the broken English callsign.

Yup.

and the gate is like I TOO AM CAPABLE OF SPEECH

Rendakor
Terracotta Army
Posts: 10138

Another factor is that these phishers and spammers are probably not native English speakers.

"i can't be a star citizen. they won't even give me a star green card"

brellium
Terracotta Army
Posts: 1296

> Greetings, Your World of Warcraft account may be involved in a trade. Trading/Selling World of Warcraft virtual property is against Blizzard's End User License Agreement. If your account is found violating Terms of Use, it can, and will be suspended / closed / or terminated. In order to keep this from occurring, you should immediately verify that you are the original owner of the account.
> Click on the link below to verify your Battle.net account: http://battle.net/account/management/
> For more information, click here for answers to Frequently Asked Questions or to contact the Blizzard Billing Account Services team.
> Regards, The Battle.net Account Team Online Privacy Policy

This one was actually better, it actually got me to visit battle.net to check my account in a different IE tab (I deleted my authenticator off my iPod, so I couldn't log in). Only later did I notice there was a hidden URL. I enjoy the fact I seem to get these after I quit WoW, and coincidentally deleted my characters (which means there's no way to check my inactivity).

"One must see in every human being only that which is worthy of praise. When this is done, one can be a friend to the whole human race. If, however, we look at people from the standpoint of their faults, then being a friend to them is a formidable task." —‘Abdu’l-Bahá

Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado

I got a very well done one:

> Hello ian, This is an automated notification regarding your Battle.net account. Some or all of your contact information was recently modified through Battle.net Account Management. If you recently made changes to your account information, please disregard this automatic notification.
> You can log in to Account Management at the following link to review your account settings: http://www.battle.net/account
> If you cannot sign into Account Management using the link above, or if unauthorized changes continue to occur, click here for answers to Frequently Asked Questions or contact the Blizzard Billing & Account Services team. Account security is solely the responsibility of the account holder. Please be advised that in the event of a compromised account, Blizzard representatives will typically lock the account. In these cases the Account Administration team will require faxed receipt of ID materials before releasing the account for play.
> Regards, The Battle.net Support Team Blizzard Entertainment Online Privacy Policy

Other than not capitalizing my name it is pretty much free of typographical errors or obvious bad grammar. All the links (you can't see them all here) in it were legit too except for the battle.net/account one and the 'click here' one. Sadly they sent it to an address that isn't associated with a battle.net account.

The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.

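The "hidden URL" that brellium and Ingmar describe is an anchor whose visible text reads like a Blizzard address while its href points somewhere else. The following is an added example of how a mail filter can flag that mismatch; it is not code from the thread or from Blizzard. SAMPLE_MAIL and the domains account-check.example and support-ticket.example are constructed, and TRUSTED_DOMAINS is an assumption about which domains a recipient should accept.

```python
"""Flag links in an HTML e-mail whose visible text disagrees with the real href.

Added example, not code from the forum thread or from Blizzard.  SAMPLE_MAIL
and the *.example domains are constructed; TRUSTED_DOMAINS is an assumption.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"blizzard.com", "battle.net", "worldofwarcraft.com"}
_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample: one spoofed link, one vague 'click here', one honest link.
SAMPLE_MAIL = """
<p>You can log in to Account Management at the following link:
<a href="http://www.battle.net.account-check.example/login">http://www.battle.net/account</a></p>
<p>If you cannot sign in, <a href="http://support-ticket.example/faq">click here</a>
for answers to Frequently Asked Questions, or see
<a href="http://www.blizzard.com/support/">http://www.blizzard.com/support/</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None  # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels).  Production code should consult the
    public suffix list so that e.g. 'co.uk' is not treated as a domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def classify_link(text, href, trusted=TRUSTED_DOMAINS):
    """Return a reason the link is suspicious, or None if it looks fine."""
    target = registrable_domain(urlparse(href).hostname or "")
    shown = _URL_RE.search(text)
    if shown:
        shown_domain = registrable_domain(urlparse(shown.group(0)).hostname or "")
        if shown_domain != target:
            # The hidden-URL trick: the text names one site, the href goes to another.
            return f"text shows {shown_domain} but href goes to {target}"
    if target not in trusted:
        return f"href domain {target} is not a trusted domain"
    return None


def find_suspicious_links(html, trusted=TRUSTED_DOMAINS):
    findings = []
    for text, href in extract_links(html):
        reason = classify_link(text, href, trusted)
        if reason:
            findings.append((text, href, reason))
    return findings


if __name__ == "__main__":
    for text, href, reason in find_suspicious_links(SAMPLE_MAIL):
        print(f"{reason}: [{text!r} -> {href}]")
```

Run against the sample, the spoofed battle.net link and the bare "click here" are reported while the honest blizzard.com link passes. The same check is what a mail client's hover preview shows a human, which is why comparing the displayed URL with the real target before clicking remains the practical defence for these mails.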
Paelos
Contributor
Posts: 27075
Error 404: Title not found.

I'm amazed that I never get any of this shit. Are you people signing up for things or something?

CPA, CFO, Sports Fan, Game when I have the time

Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado

I get like 2000 spam messages a day, but I am sort of a special case as things like "netadmin@mycompanyname" go through my filter.

The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.

Rasix
Moderator
Posts: 15024
I am the harbinger of your doom!

> I'm amazed that I never get any of this shit. Are you people signing up for things or something?

I imagine it's one of the couple WoW guild hosting sites I've signed up for in the past. I really need to set up a gmail account for this kind of crap. I get on average 2 WoW phishing emails a day, but none of them make it out of the spam box.

-Rasix

Xanthippe
Terracotta Army
Posts: 4779

I just looked at my spam folder, because I never see any of this crap - although real email from Blizzard comes through. It was chock-full of these phishes. They are getting better, although some not. This one's my favorite:

> Olá, diego This is greetings from the World of Warcraft in preparation for accession to the World of Warcraft: The disaster of the beta test, come on! Azeroth world turmoil coming, and you certainly do not want to be forgotten in the cold winds of Northrend , unable to enjoy the pleasant sun Corzine on the island. To ensure the participation of the application to the candidate in order to verify your identity, please visit the following [totallyfakeurl] From World of Warcraft account information for all the other games you are interested click series. Since your participation. you will get a large disaster closed beta Blizzard Entertainment Gift Pack for eligibility. Features such as mount / weapon. Thank you for your participation in the Blizzard team will continue to bring great catastrophe the most informative piece of information fast information. Only Account Administration will be able to assist with account retrieval issues. Thank you for your time and attention to this matter, and your continued interest in World of Warcraft.
> Blizzard Entertainment Inc Account Administration Team P.O. Box 18979, Irvine, CA 92623 Blizzard Entertainmen 2010.5.15
> Sincerely, Account Administration

And I'm not even named diego. It's like put through the Google translator or something.

« Last Edit: June 03, 2010, 12:38:50 PM by Xanthippe »

Paelos
Contributor
Posts: 27075
Error 404: Title not found.

"You will get a large disaster..." "The disaster of the beta test, come on!"

CPA, CFO, Sports Fan, Game when I have the time

Mattemeo
Terracotta Army
Posts: 1128

I think I've just received the non-Engrish version of Xanth's latest phishing email example...

> world of warcraft: Cataclysm Beta Test Invitation! Get those opt-ins ready for the World of Warcraft: Cataclysm closed beta! The sundering of Azeroth is nigh, and you don’t want to be left out in the cold of Northrend when you could be enjoying the sun-drenched beaches on the goblin isle of Kezan. To ensure you’re opted-in and eligible as a potential candidate, you’ll need a World of Warcraft license attached to your Battle.net account, have your current system specifications uploaded to the Battle.net Beta Profile Settings page, and have expressed interest through the franchise-specific check boxes.
> Get the Installer - Log in to your Battle.net account: http://haha.no
> ** IMPORTANT ** To avoid graphical bugs and other technical issues, please ensure your video card drivers are up-to-date. Enjoy the game! ©2010 Blizzard Entertainment, Inc.

They didn't even try to entice me with free mounts and weapons! I feel somewhat slighted.

If you party with the Party Prince you get two complimentary after-dinner mints

MrHat
Terracotta Army
Posts: 7432
Out of the frying pan, into the fire.

Just got an email from WoWaccounts saying that my account has been banned for exploiting.
I haven't even played it in over a year...

Rendakor
Terracotta Army
Posts: 10138

One of my officers just got hacked. Again. And robbed the guild bank completely: Primordials, stacks of Eternals, Epic Gems, etc, all gone. I've had guildies hacked before, but they were members who only had access to 3 stack withdraws per day and the GM's restored that to us; last time this particular guy got hacked was a while ago, before we had a guild bank. Hopefully we'll get it all back, or at least most of it.

"i can't be a star citizen. they won't even give me a star green card"

Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado

We've had our vault hacked 4 times now, and the restores sometimes take a while but they're never missing anything important.
After the last time we instituted a new 'you need to have an authenticator to be an officer or do more than 5 stacks/day' policy. We already had an officers-only page for the really valuable stuff, added after hack #2 or 3. Hopefully this will now put the issue to bed permanently.

The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.

Merusk
Terracotta Army
Posts: 27449
Badge Whore

There's a hack for the stacks/day. I don't know if it's been patched or not, but we had someone clear out several tabs that were limited to 1/day. So we've now got a policy that you need an authenticator to get bank access AT ALL. No pet show, no bank.

The past cannot be changed. The future is yet within your power.

Fordel
Terracotta Army
Posts: 8306

Well half our guild leadership secretly wants our vault to be cleared out, since it's usually full of shit like glass vials and level 5 healing potions.

and the gate is like I TOO AM CAPABLE OF SPEECH

Rendakor
Terracotta Army
Posts: 10138

Yea I'm afraid I'm going to have to make a new "Officer Who Gets Hacked" rank with no Guild Bank access for my two officers with poor password security.

"i can't be a star citizen. they won't even give me a star green card"

lesion

This thread makes me want to pee myself a little. I'd like to think made-up words with numbers are good enough to not need an authenticator, and my account can still be used for ancient youth-restoring ritual sacrifice. Anyone know if the hacks are limited to phishing and brute force? If so I think I'll spend that five bucks on ice cream, or meat. Then hubris will take me like a bearded man on a deserted island.

Sheepherder
Terracotta Army
Posts: 5192

> Anyone know if the hacks are limited to phishing and brute force? If so I think I'll spend that five bucks on ice cream, or meat. Then hubris will take me like a bearded man on a deserted island.

Blizzard and hackers know. Neither will tell. But:
1. The authenticator doesn't protect you if the server or hash function is compromised, you would see a metric shitton of hacked authenticator accounts if the hacker could generate valid keys at will.
2. Compromising secure servers is risky and manpower intensive compared to phishing and brute force.
3. The proliferation of phishing attacks in the wild is a good indicator.

Dren
Terracotta Army
Posts: 2419

Out of the people I know that got hacked and the individuals that post here that have been hacked, I'm pretty confident they weren't phished. It seems much more reasonable to me that their username was found somehow and used the password found through programs blasting the server until it worked.
That also explains why they continue to have issues with hacking even after getting everything fixed including wiping hard drives, etc. The username was found, worked, and had good stuff! Why not wait a few months and do it again?
The username is now your email address. Not tough to figure that one out anymore. Until Blizzard makes it harder for hackers to blast the server with password attempts, I don't see any other deterrent than the Authenticator.
Hell, Blizzard should just report how many failed attempts were made since the last successful login when you log on. I'm pretty sure if you saw 611,543 attempts made, you'll take some action. Make the forums a separate system with a different password perhaps. Leaving that wide open is just stupid.

Sheepherder
Terracotta Army
Posts: 5192

> I'm pretty sure if you saw 611,543 attempts made, you'll take some action.

Which wouldn't do anything, because changing your password at that point doesn't actually prevent them from throwing shit to see if it sticks. Plus, a 6 digit random alphanumeric password will have been cracked roughly by ~58,475 attempts. But both facts are irrelevant, because phishing, trojans, and dictionary attacks hitting as wide a number of people as possible is a far more likely approach.

« Last Edit: June 07, 2010, 03:26:26 PM by Sheepherder »

Zephyr
Terracotta Army
Posts: 114

> Out of the people I know that got hacked and the individuals that post here that have been hacked, I'm pretty confident they weren't phished. It seems much more reasonable to me that their username was found somehow and used the password found through programs blasting the server until it worked.
> That also explains why they continue to have issues with hacking even after getting everything fixed including wiping harddrives, etc. The username was found, worked, and had good stuff! Why not wait a few months and do it again?
> The username is now your email address. Not tough to figure that one out anymore. Until Blizzard makes it harder for hackers to blast the server with password attempts, I don't see any other deterrent than the Authenticator.
> Hell, Blizzard should just report how many failed attempts were made since the last successful login when you log on. I'm pretty sure if you saw 611,543 attempts made, you'll take some action. Make the forums a separate system with a different password perhaps. Leaving that wide open is just stupid.

Can it be brute forced? I had some network problems a few weeks ago where I kept getting knocked off at the character screen. I panicked thinking that I may have been hacked and forgot to get a new authentication key each time I tried logging in. I made about 4-5 login attempts before getting an error that my account was locked and I needed to contact billing support by phone to unlock it.

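Lantyssa's point that no IP lockout makes a list of valid e-mails easy to grind through, Dren's suggestion of showing the owner how many failed attempts happened since their last good login, and Zephyr's experience of the game client locking an account after a handful of failures all describe one mechanism: a login gate that throttles by account and by source address. The following is an added example of such a gate; it is not Blizzard's code and not from the thread. The thresholds, e-mail addresses and IP addresses are constructed.

```python
"""Login gate with per-account lockout, per-source-IP throttling and a
'failed attempts since your last successful login' counter.

Added example, not Blizzard's code and not from the thread.  Thresholds,
e-mail addresses and IPs are constructed.
"""
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, max_account_failures=5, max_ip_failures=50,
                 window_seconds=900, lockout_seconds=1800):
        self.max_account_failures = max_account_failures
        self.max_ip_failures = max_ip_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._account_failures = defaultdict(deque)  # email -> failure timestamps
        self._ip_failures = defaultdict(deque)       # source ip -> failure timestamps
        self._locked_until = {}                      # email -> unlock time
        self._since_success = defaultdict(int)       # email -> failures since last good login

    def _recent(self, timestamps, now):
        """Drop timestamps outside the sliding window; return how many remain."""
        while timestamps and timestamps[0] <= now - self.window:
            timestamps.popleft()
        return len(timestamps)

    def attempt(self, email, ip, password_ok, now):
        """Process one login attempt.  Returns (outcome, failures): outcome is
        'ok', 'bad_password', 'account_locked' or 'ip_throttled'; failures is
        the count of failed attempts since the account's last successful
        login, which is what the owner should be shown after logging in."""
        if self._locked_until.get(email, 0) > now:
            # Rejected without checking the password, but still counted.
            self._since_success[email] += 1
            return "account_locked", self._since_success[email]
        if self._recent(self._ip_failures[ip], now) >= self.max_ip_failures:
            self._since_success[email] += 1
            return "ip_throttled", self._since_success[email]
        if password_ok:
            failures = self._since_success[email]
            self._since_success[email] = 0
            self._account_failures[email].clear()
            return "ok", failures
        self._since_success[email] += 1
        self._account_failures[email].append(now)
        self._ip_failures[ip].append(now)
        if self._recent(self._account_failures[email], now) >= self.max_account_failures:
            self._locked_until[email] = now + self.lockout
        return "bad_password", self._since_success[email]


def simulate_single_account():
    """One source guessing against one account, then the owner logging in."""
    guard = LoginGuard()
    victim, owner_ip, attacker_ip = "victim@example.com", "203.0.113.10", "198.51.100.7"
    outcomes = [guard.attempt(victim, attacker_ip, False, now=i)[0] for i in range(20)]
    # The owner is also refused while the lockout is active (Zephyr's phone call)...
    owner_while_locked, _ = guard.attempt(victim, owner_ip, True, now=60)
    # ...and gets in once it expires, together with the failure count to display.
    ok, failures = guard.attempt(victim, owner_ip, True, now=60 + guard.lockout)
    return outcomes, owner_while_locked, ok, failures


def simulate_spray():
    """One source IP trying a single guess against each of 60 e-mail addresses."""
    guard = LoginGuard()
    results = [guard.attempt(f"user{i}@example.com", "198.51.100.7", False, now=i)[0]
               for i in range(60)]
    return results.count("bad_password"), results.count("ip_throttled")


if __name__ == "__main__":
    print(simulate_single_account())
    print(simulate_spray())
```

The two simulations show the trade-off the posts circle around. The per-account lockout stops the single-target guessing after five attempts but also refuses the real owner until the window expires, which is the support-call Zephyr hit; the per-IP counter is what catches the "one guess against every address on the list" pattern that a per-account limit alone never sees. The returned failure count is Dren's proposal: it does not stop anything by itself, but it tells the owner that the account is being targeted.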
Mosesandstick
Terracotta Army
Posts: 2476

I want to side on brute forced. As I said earlier I changed my password to gibberish and never touched WoW again and my account still got hacked. And I don't think I would've had any WoW-related trojans, but I can't remember as it was a long time ago.

raydeen
Terracotta Army
Posts: 1246

Anyone checked the WoW tech support forums recently? It's almost entirely hacked accounts threads, most of which are requests to have the authenticator removed. Seems the hackers are buying authenticators, hacking the accounts and then applying the authenticator so that no matter what, you're not getting into your game any time soon.
I went back through the older posts and it seems like this really started in earnest about 2 months ago and has just grown exponentially since. I was getting impatient as it's been a week and still no response from Blizzard but after seeing the raft of support requests and horror stories, I'm pretty sure I'm in for quite a bit of a wait. It would seem I'm near the end of a very long queue that's only getting longer.
Edit: Got my authenticator today but I'm seriously considering writing a Python script to generate stupidly long random character strings and changing my password on a daily basis using whatever it spits out.

« Last Edit: June 07, 2010, 05:20:33 PM by raydeen »

I was drinking when I wrote this, so sue me if it goes astray.

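raydeen's idea of a Python script that spits out long random passwords, together with the earlier remark that WoW passwords were not case sensitive, is worth carrying through with numbers. The following added example (not raydeen's script and not from the thread) generates a password from the CSPRNG and estimates how long exhausting the search space takes, both when the server accepts guesses unthrottled and when it allows only a few per lockout window. The guess rates are assumptions chosen to make the comparison visible, not measurements of any real login server.

```python
"""Random password generation plus an estimate of what brute force costs.

Added example, not from the forum thread.  The guess rates are assumptions
used only to compare an unthrottled login with a throttled one; the
case-folding point comes from the thread's remark that WoW passwords were
not case sensitive.
"""
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits          # 62 symbols
FULL_ALPHABET = ALNUM + "!@#$%^&*()-_=+"              # 76 symbols
SECONDS_PER_YEAR = 31_557_600


def generate_password(length=20, alphabet=FULL_ALPHABET):
    """Draw each character with the CSPRNG in secrets, never random.choice."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def effective_alphabet_size(alphabet, case_sensitive=True):
    """Symbols an attacker actually has to try.  If the server folds case,
    'A' and 'a' are the same guess, so 52 letters collapse to 26."""
    symbols = alphabet if case_sensitive else alphabet.lower()
    return len(set(symbols))


def keyspace(length, alphabet_size):
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Worst case for the attacker: every combination tried once."""
    return keyspace(length, alphabet_size) / guesses_per_second


def brute_force_summary(length, alphabet=FULL_ALPHABET, case_sensitive=True,
                        unthrottled_rate=1000.0, throttled_rate=5 / 1800):
    """Compare an unthrottled login (assumed 1000 guesses/s) against one that
    permits 5 attempts per 30-minute lockout window, for the same password."""
    size = effective_alphabet_size(alphabet, case_sensitive)
    return {
        "alphabet_size": size,
        "bits": round(entropy_bits(length, size), 1),
        "years_unthrottled": seconds_to_exhaust(length, size, unthrottled_rate) / SECONDS_PER_YEAR,
        "years_throttled": seconds_to_exhaust(length, size, throttled_rate) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    print(generate_password())
    # Six alphanumeric characters with and without case folding on the server.
    print(brute_force_summary(6, ALNUM, case_sensitive=True))
    print(brute_force_summary(6, ALNUM, case_sensitive=False))
    print(brute_force_summary(20))
```

Running the summaries side by side shows two separate effects: a case-insensitive server throws away roughly a bit per letter (six alphanumeric characters drop from about 35.7 to about 31 bits), while the throttle multiplies the attacker's cost by the ratio of the two guess rates regardless of password length. A long random password makes the space large; the lockout and the authenticator make each guess expensive, which is the combination the thread's later posts settle on.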