Topic: My WoW-account's been compromised (Read 134446 times)
Lantyssa
Terracotta Army
Posts: 20848
As we've been saying throughout this thread, their password security is rather lacking. It could have just been brute forced.
Hahahaha! I'm really good at this!
Dren
Terracotta Army
Posts: 2419
Yeah, I'm not believing the folks here that say that brute forcing is just not happening.
The gold sellers have enough computer power to create a living billboard at the SW bank with about 20-30 lvl 1 mages going from spelling out their website on the ground and then jumping up into the air and spelling it there (not sure how they do that without hacking.) They even throw in making a big heart in the air to grab your attention (as if they didn't have it already.) They were doing this last weekend. It went on for multiple hours. I know because I kept going through SW from time to time on different chars (PvP item purchasing.) Finally, I assume either some players got on their horde characters and came in to kill them or a GM finally blew away all the accounts.
I also assume this is happening on multiple servers alliance and horde side at the same time. If they are doing this, they certainly could have computers laying around to just whack at your account all day long once they have your email address.
K9
Terracotta Army
Posts: 7441
Dear customer,

Due to suspicious activity, the Battle.net account <redacted> has been locked. You tried to login your account on 2010-8-21 from several different IP. We are concerned about whether your account has been stolen. In order to guarantee the legitimacy of your account, we need you follow these steps:

Step 1: Secure Your Computer
In the event that your computer has been infected with malicious software such as a keylogger or trojan, simply changing your password may not deter future attacks without first ensuring that your computer is free from these programs. Please visit our Account Security website to learn how to secure your computer from unauthorized access.

Step 2: Secure Your E-mail Account
After you have secured your computer, check your e-mail filters and rules and look for any e-mail forwarding rules that you did not create. For more information on securing your e-mail account, visit our Support page.

Step 3: Restore access to Your account
We now provide a secure website for you to verify whether you have taken the appropriate steps to secure the account, your computer, and your email address. Please follow this site to restore the access to your account: http://us.worldofwarcraft.accountissue.us/login.htm?ticket=o2fhbcpu0x5q9i1twmj1am4ylxwkednrtep6yia6knmj

If you still have questions or concerns after following the steps above, feel free to contact Customer Support at http://us.blizzard.com/support/article.xml?locale=en_US&articleId=20606.

Sincerely,
The Battle.net Account Team
Online Privacy Policy

This looks legit. I'm depressed that my account e-mail address is out there, but I changed my password recently, so I think everything should be kosher.
I love the smell of facepalm in the morning
Morat20
Terracotta Army
Posts: 18529
It's not legit. Check the first link under Step 3. The "accountissue" bit in the domain, plus the domain ender "us" is a bit of a clue.
Edit: Or was that "this looks legit" sarcasm? :)
K9
Terracotta Army
Posts: 7441
Sarcasm 
I love the smell of facepalm in the morning
Morat20
Terracotta Army
Posts: 18529
Sarcasm
Oh good. I was starting to worry there. Then again, I'm used to pointing out phishing attempts to the technically clueless....so I learned the hard way that "obvious" is subjective.
K9
Terracotta Army
Posts: 7441
On a related note, Blizzard's "How not to get hacked" guide on battle.net is really well written.
I love the smell of facepalm in the morning
Morat20
Terracotta Army
Posts: 18529
On a related note, Blizzard's "How not to get hacked" guide on battle.net is really well written.
My version starts with "Dad, what did I tell you about clicking links? You have computer herpes, computer syphilis, and a raging case of computer crabs which really is affecting your computer's ability to function. STOP CLICKING THE DAMN LINKS." Sadly, he's under the impression that if he merely turns on EVERY OPTION ON NORTON UTILITIES he will somehow be safe. In a sense, he's right. It's hard to infect his PC when it can barely function under the staggering weight of the Norton.
Typhon
Terracotta Army
Posts: 2493
This afternoon (while at work), I checked my home email to find the following. I didn't actually need to communicate with Blizzard in any way other than to follow the password reset link and to enable an authenticator on my account (1:50PM). I scanned my machine when I got home tonight, it says that I do not have any viruses or keyloggers (honestly I'd be astonished if I did because I have been busy at work and this and cnn/yahoo news are about it for web sites). My email wasn't affected. To say that the experience was surrealistic is an understatement. Here are the emails:

9/1/2010 8:24 AM - email subject "Battle.net Account - Password Change Notice" from noreply@battle.net
9/1/2010 10:16 AM - email subject "Password Rest" email from noreply@battle.net. "If you did not request the reset, it is possible that this Battle.net account has been accessed by someone not authorized to do so." I didn't request the reset.
9/1/2010 11:48 AM - email subject "Account Issue" from wowgm@blizzard.com. From the body:
"Greetings,
Thank you for your patience and understanding while we investigated your reported account compromise.
Due to the high volume of compromised accounts, it is our intention to put players back in the game as quickly as possible, though not all items may have been restored. Our goal is to keep your characters in a playable condition. We want you to be able to successfully join groups, complete quests, and handle encounters in the world."

So very odd.

edit - added color to indicate which parts were the emails (trying to make the post clearer)
« Last Edit: September 02, 2010, 05:22:42 AM by Typhon »
Rasix
Moderator
Posts: 15024
I am the harbinger of your doom!
 Come again?
-Rasix
Typhon
Terracotta Army
Posts: 2493
short version - my account was compromised yesterday morning. By the early afternoon Blizzard had sent a password reset email to my email account and restored my characters that had items sold off.
I didn't actually interact with Blizzard until the mid afternoon because I didn't know that any of that had happened. I then added an authenticator to my battle.net account. When I got home I did a scan of my system and didn't find anything - system seems clean.
I found the fact that it all went down without any request from me bizarre. I think that Blizzard figured it out based upon my password changing and the massive amounts of items being sold off from my characters. There is an "account reset" request email that I received (but I didn't request) - maybe the account hackers are requesting a reset after they loot your account? Beats me. It's just very, very weird.
Threash
Terracotta Army
Posts: 9171
Hackers don't change your password, they can't, that was Blizzard preventing them from logging back in. What probably happened was you started spamming for gold sellers and got immediately reported and locked out.
« Last Edit: September 02, 2010, 08:36:55 AM by Threash »
I am the .00000001428%
sickrubik
Terracotta Army
Posts: 2967
"Hackers" can easily change your WoW/Battle.net password.
beer geek.
Typhon
Terracotta Army
Posts: 2493
Yes, they did change my password. This email, " 9/1/2010 8:24 AM - email subject "Battle.net Account - Password Change Notice" from noreply@battle.net", is when whoever (or maybe it's just a bot) cracked my account first surfaced (by changing my password). Then they started logging in different characters and selling shit. I don't really understand this one, " 9/1/2010 10:16 AM - email subject "Password Rest" email from noreply@battle.net. "If you did not request the reset, it is possible that this Battle.net account has been accessed by someone not authorized to do so." I understand why the hacker changed my password, but why would the hacker then request a password reset? The only theory I have is that Blizzard did this themselves (via automated process) due to the "change password" + "sell! sell! sell!" activities on the account and this email is from a different system that automatically gets sent (because it serves multiple purposes).
Threash
Terracotta Army
Posts: 9171
If they changed your password they would need to access your email account.
I am the .00000001428%
Typhon
Terracotta Army
Posts: 2493
Unless they changed something I'm not aware of, if you have access to your account you can change your password without access to email; you just can't reset your password without access to email.
sickrubik
Terracotta Army
Posts: 2967
That is correct.
I just reverified that all you have to do is enter the old password and the new password twice. There is no need to verify via email about the change.
beer geek.
DraconianOne
Terracotta Army
Posts: 2905
This just happened to me. Got notification that there was a password reset then notification of a 3 hour ban for gold spamming. I'm both amused and concerned by this turn of events. I'm amused because the account that got hacked was one that I used for RAF dual-boxing last year and then closed. Can't have touched it for a couple of years. There may still have been characters on the account but I'd already cleaned them out of gold/gear. So some fucker signed the account up for a 10 day WoTLK trial and then spammed away merrily.
I'm concerned because they may have got access to an email address and private details like address.
And before anyone says it, yes I have an authenticator but on my main account (currently unsubbed) and not on this one which I don't think has been played since authenticators were released.
A point can be MOOT. MUTE is more along the lines of what you should be. - WayAbvPar
Rendakor
Terracotta Army
Posts: 10138
If you haven't already, I'd suggest merging that account into your current one; you can have multiple WoW accounts on one Battle.net account, all protected by a single authenticator.
"i can't be a star citizen. they won't even give me a star green card"
DraconianOne
Terracotta Army
Posts: 2905
I might do that. It never occurred to me because, as mentioned, not logged into it for two years or so - I'd forgotten about it.
A point can be MOOT. MUTE is more along the lines of what you should be. - WayAbvPar
Morat20
Terracotta Army
Posts: 18529
If you haven't already, I'd suggest merging that account into your current one; you can have multiple WoW accounts on one Battle.net account, all protected by a single authenticator.
You can? My son's account is under my name and CC -- not that he's using it right now -- but I did it that way so he could transfer his character off my account onto his own. Hmph. I might have to go dig out his login info and merge them.
Rendakor
Terracotta Army
Posts: 10138
Yep. I've got 3 (two inactive) WoW accounts on my b.net account. The first time you log in after you merge them, it'll ask you which account to use. After that, you'll have a dropdown menu on the login screen, with the last-used account selected by default.
"i can't be a star citizen. they won't even give me a star green card"
Dren
Terracotta Army
Posts: 2419
That's how I do it. My kids' account and mine on one authenticator.
Azazel
They sell those things at cost if I understand right.
I would if I was them. I might even sell them at a slight loss. Much harder to hack an authenticator, and each hacked account has to take up expensive customer support time. At 6.95, they're barely covering their shipping costs. I was going to order a couple last week, for my wife and myself. US$25 for shipping 2 of them to Australia. Really?
Zetor
Terracotta Army
Posts: 3269
If you have a smartphone [symbian, windows mobile, iphone, android], you can download the authenticator app onto the phone for free... I think that's the way most people do it.
Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado
Ugh, they made a Symbian version? Someone needs to put that OS out of its misery.
The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.
Zetor
Terracotta Army
Posts: 3269
Yeah, I think it works on v9.3, but not the more recent versions (?!). And come on, Symbian is not that bad... *tries to suppress the memories of doing security testing with the symbian reference hardware board* 
Azazel
If you have a smartphone [symbian, windows mobile, iphone, android], you can download the authenticator app onto the phone for free... I think that's the way most people do it.
Yeah, I have an iPhone, but unfortunately its reception inside my house is shithouse. I need to go stand out in the front yard to receive texts with any kind of immediacy quite often.
Rasix
Moderator
Posts: 15024
I am the harbinger of your doom!
I may have been hallucinating or something, but I've used the authenticator when my cell phone has no wireless or cell phone reception at all.
I imagine it's just generating keys in sync with the Blizzard keystore on their servers based off a seed generated during the initial sync up of the app to your account.
« Last Edit: September 13, 2010, 04:04:04 PM by Rasix »
-Rasix
Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado
The authenticator is not dependent on any kind of signal so you were not hallucinating. Probably.
EDIT: Short version of how the authenticator works, assuming that it works like an RSA SecurID (which it probably does):
- Every authenticator has a unique seed number, and a clock built into it. The seed # of the authenticator is associated with your account.
- Every 30 seconds the seed number and current time get plugged into an algorithm that spits out a 6 digit code. Authentication server knows how that works and can tell if your code is right by doing the same thing.
The iPhone authenticator is just a software version of that. It might be possible to bust it by screwing up your phone's clock if that's exactly how the Blizzard version works but there may be some difference I don't know about.
« Last Edit: September 13, 2010, 04:08:34 PM by Ingmar »
The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.
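Added illustration of the seed-plus-clock scheme Rasix and Ingmar describe above; this is not code from the thread and not Blizzard's actual algorithm (which the thread does not specify). It uses the standard TOTP construction (RFC 6238, HMAC-SHA1, 30-second step, 6 digits) as a stand-in, and shows the server-side check that recomputes the code and tolerates one step of clock drift, which is why a slightly wrong phone clock still works while a badly wrong one does not. The seed and timestamp are constructed demo values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as described in the post
DIGITS = 6   # length of the displayed code


def totp_code(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Derive the code for the time window containing unix_time (RFC 6238 over RFC 4226 HOTP)."""
    counter = unix_time // step                      # which 30-second window we are in
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation: last nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def server_verify(seed: bytes, submitted: str, server_time: int, skew_steps: int = 1) -> bool:
    """Server side: recompute the code for the current window and +/- skew_steps neighbours.

    The seed is never transmitted; both ends only share it once at enrolment.
    """
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp_code(seed, server_time + delta * STEP)
        if hmac.compare_digest(candidate, submitted):   # constant-time compare
            return True
    return False


def demo() -> dict:
    """Token and server in sync, slightly out of sync, and badly out of sync."""
    seed = b"constructed-demo-seed-not-a-real-secret"   # constructed; real seeds are random bytes
    now = 1284422400                                    # constructed fixed timestamp for reproducibility
    return {
        "in_sync": server_verify(seed, totp_code(seed, now), now),
        # phone clock 20 s slow: previous window, inside the +/-1 step tolerance
        "phone_20s_slow": server_verify(seed, totp_code(seed, now - 20), now),
        # phone clock 5 min slow: ten windows back, rejected
        "phone_5min_slow": server_verify(seed, totp_code(seed, now - 300), now),
    }


if __name__ == "__main__":
    print(demo())
```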
pants
Terracotta Army
Posts: 588
If you have a smartphone [symbian, windows mobile, iphone, android], you can download the authenticator app onto the phone for free... I think that's the way most people do it.
Yup, that's what I did. I too balked at the $25 cost to ship to Australia.
Azazel
I should have thought of them when I ordered my plush griffons and windriders.
Morat20
Terracotta Army
Posts: 18529
EDIT: Short version of how the authenticator works, assuming that it works like an RSA SecurID (which it probably does):
I use a RSA token for one of my two companies. (I work for one, who is contracted by another, where I then sit in yet another company. Complicated bidding thingy). I've been agitating the main contract I work on to switch to it. Why? Because our current password policy is "12 characters, minimum 1 number, 1 special character, 1 capital, changes every 30 days, no reuse for a year". Fuck that shit. 4-digit pin and a token, please. More secure, because I don't need a hints file.
fuser
Terracotta Army
Posts: 1572
FYI: I remote wiped my iphone by accident, losing my mobile authenticator. When I went to reattach one to my account it now requires an email validation before placing a new authenticator on an account. This only took, what, a year for them to implement this handshake
Edit: for anyone that didn't know, this is what led to all the hacked accounts getting an authenticator placed on their hacked account, causing delays in recovering an account
« Last Edit: September 29, 2010, 02:49:01 PM by fuser »
Nightblade
Terracotta Army
Posts: 800
So apparently someone else has bound my account to a battle.net account that doesn't belong to me. Am I screwed or can I be expected to actually get help with this?