Topic: My WoW-account's been compromised (Read 134622 times)
|
Lantyssa
Terracotta Army
Posts: 20848
|
I do believe I predicted forcing everyone to use the e-mail address would not solve the hack attempts and would increase the problems associated with them. Some people thought I was crazy back then. Given recent events, I would like to add to my original comments: "I told you so. Phhhbbt!" 
|
Hahahaha! I'm really good at this!
|
|
|
Merusk
Terracotta Army
Posts: 27449
Badge Whore
|
Tee hee.
|
The past cannot be changed. The future is yet within your power.
|
|
|
Fordel
Terracotta Army
Posts: 8306
|
Anyone checked the WoW tech support forums recently? It's almost entirely hacked accounts threads, most of which are requests to have the authenticator removed. Seems the hackers are buying authenticators, hacking the accounts and then applying the authenticator so that no matter what, you're not getting into your game any time soon.
You can download Authenticators tied to phones for free and you can have the computer you're on pretend it's a phone to run said phone Authenticator.
|
and the gate is like I TOO AM CAPABLE OF SPEECH
|
|
|
raydeen
Terracotta Army
Posts: 1246
|
Anyone checked the WoW tech support forums recently? It's almost entirely hacked accounts threads, most of which are requests to have the authenticator removed. Seems the hackers are buying authenticators, hacking the accounts and then applying the authenticator so that no matter what, you're not getting into your game any time soon.
You can download Authenticators tied to phones for free and you can have the computer you're on pretend it's a phone to run said phone Authenticator.
Oh holy shit. I don't know why I don't just cancel these games and go back to playing the early TES games. At least then I and only I was my own worst enemy.
|
I was drinking when I wrote this, so sue me if it goes astray.
|
|
|
Paelos
Contributor
Posts: 27075
Error 404: Title not found.
|
Well there goes the chance of me bothering with the authenticator.
Hey Blizzard, why don't you just make my username my SSN? What could go wrong?
|
CPA, CFO, Sports Fan, Game when I have the time
|
|
|
pants
Terracotta Army
Posts: 588
|
Anyone checked the WoW tech support forums recently? It's almost entirely hacked accounts threads, most of which are requests to have the authenticator removed. Seems the hackers are buying authenticators, hacking the accounts and then applying the authenticator so that no matter what, you're not getting into your game any time soon.
You can download Authenticators tied to phones for free and you can have the computer you're on pretend it's a phone to run said phone Authenticator.
My google-fu must be weak. I've tried to do this without any success - running an Android emulator didn't work particularly well - do you know where someone has done this?
|
|
|
|
Fordel
Terracotta Army
Posts: 8306
|
Just put an Authenticator on your own account and you've defeated 99% of these account thefts. One Authenticator can cover all your Blizzard accounts/games even.
Pants - I can't even find the damn thing now myself, but I'm positive it exists!
|
|
« Last Edit: June 07, 2010, 08:12:02 PM by Fordel »
|
|
and the gate is like I TOO AM CAPABLE OF SPEECH
|
|
|
raydeen
Terracotta Army
Posts: 1246
|
Well there goes the chance of me bothering with the authenticator.
Hey Blizzard, why don't you just make my username my SSN? What could go wrong?
I think the meaning was that the hackers aren't actually buying authenticators but are running the software versions (through emulation or off of a smartphone) and thus locking people out of their own accounts. I'm assuming that once you've attached an authenticator to your account, it's much harder for them to gain access. Although I'm rather surprised. I assumed the authenticator was a USB dongle akin to the dongle keys that used to be used for high-end graphics software. I was kinda perplexed when I found it was just a little keygen that somehow generates keys on the fly based on the serial number of the device. A little less secure than what I was hoping for, but then I suppose something could be written to infect the launcher to bypass the authenticator check if it was hardware related. It's not like those old dongle keys were really all that effective in deterring piracy. Edit: We need biometric security devices. I've always wanted something that would do a fancy retinal scan like in the movies. 'Course then someone would just cut out my eye.
|
|
« Last Edit: June 07, 2010, 08:42:28 PM by raydeen »
|
|
I was drinking when I wrote this, so sue me if it goes astray.
|
|
|
Sheepherder
Terracotta Army
Posts: 5192
|
I was kinda perplexed when I found it was just a little keygen that somehow generates keys on the fly based on the serial number of the device. A little less secure than what I was hoping for, but then I suppose something could be written to infect the launcher to bypass the authenticator check if it was hardware related.
The authenticator that Blizzard uses supports DES, Triple DES, and AES encryption. My guess is that they use a version of AES, but even with DES you would need to be running a $10 000 custom machine for two days to brute force one password for that little fucking $6.50 fob.
|
|
« Last Edit: June 07, 2010, 10:28:58 PM by Sheepherder »
|
|
|
|
|
Fordel
Terracotta Army
Posts: 8306
|
|
and the gate is like I TOO AM CAPABLE OF SPEECH
|
|
|
Simond
Terracotta Army
Posts: 6742
|
Blizzard really should just bump the box price of Cataclysm up $5 and throw a 'free' authenticator into every box.
|
"You're really a good person, aren't you? So, there's no path for you to take here. Go home. This isn't a place for someone like you."
|
|
|
Dren
Terracotta Army
Posts: 2419
|
I'm pretty sure if you saw 611,543 attempts made, you'll take some action. Which wouldn't do anything, because changing your password at that point doesn't actually prevent them from throwing shit to see if it sticks. My point was that you would then change your username/email and password once you knew you were a target. Or just get an authenticator and ignore the fact that somebody is hopelessly throwing passwords at your account.
|
|
|
|
Cyrrex
Terracotta Army
Posts: 10603
|
I think when your MMO requires the same level of security as a corporate bank account, it might be time to move on.
|
"...maybe if you cleaned the piss out of the sunny d bottles under your desks and returned em, you could upgrade you vid cards, fucken lusers.." - Grunk
|
|
|
Sheepherder
Terracotta Army
Posts: 5192
|
I do believe I predicted forcing everyone to use the e-mail address would not solve the hack attempts and would increase the problems associated with them. Some people thought I was crazy back then. Given recent events, I would like to add to my original comments: "I told you so. Phhhbbt!"
Haven't been hacked yet. And no phishing email in my junk folder. You guys are just doing it wrong.
|
|
|
|
Kageru
Terracotta Army
Posts: 4549
|
We've had a string of hacks and the most recent one (yesterday) gave us a demonstration of the ability to ignore bank withdrawal limits.
I've ordered an authenticator but paying 20$ to get it mailed bites. So shipping one in cataclysm has my support.
If the forums really allow unlimited log-in attempts with no cool-down that's near being an accessory, especially now they've made account name eminently discoverable.
|
Is a man not entitled to the hurf of his durf? - Simond
|
|
|
Dren
Terracotta Army
Posts: 2419
|
I do believe I predicted forcing everyone to use the e-mail address would not solve the hack attempts and would increase the problems associated with them. Some people thought I was crazy back then. Given recent events, I would like to add to my original comments: "I told you so. Phhhbbt!"
Haven't been hacked yet. And no phishing email in my junk folder. You guys are just doing it wrong.
Keeping an email account only for the use of your WoW account and absolutely nothing else would probably prevent all issues outside of trojans and keyloggers. I'd imagine many people screw up at some point and put that email address into a list of emails that have a very high probability of being WoW players either current or past. Once a hacker grabs that list, most of the work is done for them. Just go down the list and blast each one with password combinations until you get a hit. If you don't get a hit, you can still spam them with phishing until you catch a sucker. Lantyssa is just saying the probability of people screwing up and getting their email on a list is higher now. I happen to agree.
|
|
|
|
Selby
Terracotta Army
Posts: 2963
|
Keeping an email account only for the use of your WoW account and absolutely nothing else would probably prevent all issues outside of trojans and keyloggers.
I do this. My forum email address I've used since 1998 randomly started getting WoW spam a few days ago (like 1-2) yet my WoW account is on a completely different email address that never gets spammed.
|
|
|
|
brellium
Terracotta Army
Posts: 1296
|
We've had a string of hacks and the most recent one (yesterday) gave us a demonstration of the ability to ignore bank withdrawal limits.
I've ordered an authenticator but paying 20$ to get it mailed bites. So shipping one in cataclysm has my support.
If the forums really allow unlimited log-in attempts with no cool-down that's near being an accessory, especially now they've made account name eminently discoverable.
I bought an IPod Touch just for the free app, two weeks later I quit WoW, I'm still listening to music on the IPod six months later.
|
"One must see in every human being only that which is worthy of praise. When this is done, one can be a friend to the whole human race. If, however, we look at people from the standpoint of their faults, then being a friend to them is a formidable task." —‘Abdu’l-Bahá
|
|
|
Azazel
|
I haven't played in well over a year now, but now and then consider going back for awhile. One of the things that really puts me off is the whole "battle.net email id" bullshit. I don't want to use my fucking email address for my login. Jebus.
|
|
|
|
ezrast
Terracotta Army
Posts: 2125
|
Blizzard really should just bump the box price of Cataclysm up $5 and throw a 'free' authenticator into every box.
No, they should stop being retarded about their account security. Who the fuck implements case-insensitive passwords? If I hadn't just unsubbed I would probably try to get some people on the official forums riled up about that. Too bad I don't care enough.
|
|
|
|
WindupAtheist
Army of One
Posts: 7028
Badicalthon
|
Email address used for absolutely nothing but WoW.
Firefox with AdBlock, FlashBlock, and NoScript addons.
There could be a Flash bug that makes your PC fucking explode and I wouldn't know about it unless it turned up in a Youtube video. Seriously, I read about shit like this and think "There are still people who let Flash run without explicit permission?"
|
"You're just a dick who quotes himself in his sig." -- Schild "Yeah, it's pretty awesome." -- Me
|
|
|
Sheepherder
Terracotta Army
Posts: 5192
|
Note: most free mail things are capable of forwarding your mail to your everyday inbox via parental controls if nothing else.
|
|
|
|
Lantyssa
Terracotta Army
Posts: 20848
|
Most people are too damn stupid to accomplish even that. Sure the 1% of those of us with a clue can protect ourselves. That doesn't mean Blizzard shouldn't take security seriously, especially since their #1 cost right now is probably paying CSRs to deal with hacks.
|
Hahahaha! I'm really good at this!
|
|
|
Paelos
Contributor
Posts: 27075
Error 404: Title not found.
|
Most people are too damn stupid to accomplish even that. Sure the 1% of those of us with a clue can protect ourselves. That doesn't mean Blizzard shouldn't take security seriously, especially since their #1 cost right now is probably paying CSRs to deal with hacks.
Still less money than sending out authenticators to everyone for free, apparently. I think they should just offer people who have played the game for over two years a free one personally. In lieu of that, however, I would expect that the "Collector's edition" of the expansion should include one.
|
CPA, CFO, Sports Fan, Game when I have the time
|
|
|
Redgiant
Terracotta Army
Posts: 304
|
Don't underestimate the danger of using the same password for different accounts. No keylogging or other fancy hacks needed; just let the power of human nature run its course.
Having an account that uses the same password as a game account is as good as telling them your password.
1. Person buys WoW gold from some site. More people do this than will ever admit to it.
2. They make you create a login and password for their own site. People are lazy and just use the same cryptic-except-to-them-string they use in other places.
3. They know your WoW account name and at least one character on it since they deliver to you in-game.
4. 2+2=4...They try the password you gave for their account, using your WoW login account. Works pretty often.
|
A FUCKING COMPANY IS AT STEAK
|
|
|
Rasix
Moderator
Posts: 15024
I am the harbinger of your doom!
|
Just yesterday, the only non-IRL friend of mine in my guild (we're small) was probably hacked. He hadn't been online in months even before I stopped playing. Reappeared, took everything in the bank, and removed all characters but his officer from the guild. My friend that moved to Virginia told me this over the phone as I was picking up food for my son's birthday party. So now the bank is unusable unless a GM can do something. I may have to reactivate my account to kick his remaining character, transfer guild ownership to my RL friend that's still playing, and see if I can find someone that can get a hold of him (despite him being my only real WoW "friend" I don't have any contact info for him). YAY. 
|
-Rasix
|
|
|
Goreschach
Terracotta Army
Posts: 1546
|
Blizzard really should just bump the box price of Cataclysm up $5 and throw a 'free' authenticator into every box.
No, they should stop being retarded about their account security. Who the fuck implements case-insensitive passwords? If I hadn't just unsubbed I would probably try to get some people on the official forums riled up about that. Too bad I don't care enough.
It's funny because you actually think this is the problem. Most of these account hackings are coming from suspect interactive websites and people logging into compromised public computers/networks. Really, the problem wouldn't be very difficult to fix, and Bliz probably just neglects to do it for fear of inconveniencing users and causing them to quit. What they need to do is implement a mandatory tear-away password dongle that's linked to an account during creation.
|
|
|
|
Dren
Terracotta Army
Posts: 2419
|
Most of these account hackings are coming from suspect interactive websites and people logging into compromised public computers/networks....
I'm truly not trying to be an ass, but where do you get this information? I'd seriously like to see where they have broken down the incident rate for root cause on hacked accounts. I suspect this is your opinion, but if you have data please share.
|
|
|
|
Sjofn
Terracotta Army
Posts: 8286
Truckasaurus Hands
|
I don't take my security particularly seriously, yet my email (my ONLY email) gets no fake-WoW emails and I never got hacked (although after the fiftieth time someone in my guild did, I got an authenticator because while I was pretty sure I would continue to not be hacked, I didn't want to be THAT PERSON). So I don't think the email login = ZOMG DOOM. There's other shit (like passwords not being case sensitive, wtf) I can see being all rabble rabble about, but the email thing just doesn't strike me as a big damn deal. It's certainly not the only thing I use that wants my email to be my login.
|
God Save the Horn Players
|
|
|
Rasix
Moderator
Posts: 15024
I am the harbinger of your doom!
|
Follow up: After review, it has been determined that the above character has gone more than 30 days without logging in to the World of Warcraft. We have received a request from a guild member for a new Guild Master to be appointed to allow for proper guild management and growth. In order to facilitate this, we have demoted the former Guild Master to Officer status.
We hope you continue to enjoy your experience in World of Warcraft!
It might not be speedy, but they resolved the issue without me having to re-up.
|
-Rasix
|
|
|
Rendakor
Terracotta Army
Posts: 10138
|
Fuck my life, my account just got hacked. Woke up and went to log in this morning, "Please type authenticator code". Sent an email to blizzard and am running a virus scan or 3. Gonna call Blizzard CS after work tonight to at least get the fucking Authenticator removed. No email messages saying my password was changed, an authenticator added, etc. Email address had a different password than the WoW account, although I suppose if I hit a keylogger or something it would've picked that up too.
|
"i can't be a star citizen. they won't even give me a star green card"
|
|
|
Paelos
Contributor
Posts: 27075
Error 404: Title not found.
|
That sucks. Let us know what kind of turnaround time you have.
|
CPA, CFO, Sports Fan, Game when I have the time
|
|
|
Rendakor
Terracotta Army
Posts: 10138
|
Just got home from work, no reply to my emails to Blizzard. However, I see that they've transferred one of my toons (my level 72 Warlock) to a new server, and as icing on the cake, my account's been closed for "Exploitative Activity: Abuse of the Economy". Sigh. I'm on hold with customer service now. I ran MalwareBytes, CounterSpy and Avast and none of them turned up anything on my system. However, I've done stupid things like played on an unsecured Wireless network, logged into my account on the college campus, etc. so I can only assume they've had my password for a while. Of course, this makes me wonder if every time I've gotten a disconnection in the past few months has been an attempt by a hacker to log in. Edit: Just got off the phone. The guy was very helpful; he took the Authenticator off my account and escalated my support emails. I changed my password immediately, and now I can log in, but it still says I'm banned. Supposedly I'll hear back about getting the account reactivated within a few hours.
|
|
« Last Edit: June 27, 2010, 04:56:05 PM by Rendakor »
|
|
"i can't be a star citizen. they won't even give me a star green card"
|
|
|
kildorn
Terracotta Army
Posts: 5014
|
"Exploitative Activity: Abuse of the Economy"
Sorry to laugh at your shitty experience, but for some reason I find this hilarious, and picture it being said by someone with a monocle reading off an official announcement.
|
|
|
|
Sheepherder
Terracotta Army
Posts: 5192
|
Said message gets sent out to every hacked account, as far as I can tell. I'm guessing the GMs don't actually have the option to initiate a ban without an automated message.
|
|
|
|