Diablo® III

Battle.net® Account Security & Diablo® III

Yea, because everything a company says in its PR releases is necessarily true. Even if the issue was on their end, I very much doubt they would admit it when the RMAH is about to be released. If it is proven the security issues are on Blizzard's end, RMAH would be dead on arrival.

But hey, you keep believing what corporations tell you, my friend, they are people after all, right?


Conspiracy theory much? Put on that tinfoil hat! If such an exploit ever existed, there would have been videos of it on YouTube by now. Someone would have blown the whistle on Blizzard, but alas, nobody can recreate this "exploit" because it never happened.
Reply Quote
https://www.facebook.com/pages/Diablo-3-hacked-support-group/120826248054700
Reply Quote
Really upset right now, my account was hacked and I lost everything. Lvl 60 monk, farmed inferno a lot, was my only character. This is what they said:

It appears the security of the Diablo III account attached to this Battle.net account was compromised and the account was accessed by someone not authorized to do so.

During the course of our investigation, we determined that a restoration point -- which would allow us to return your account to a previous state -- does not exist. As a result, the restoration you requested is not possible. We apologize for any inconvenience this may cause.

Account security is critically important. To help protect your account, we recommend following the Security Checklist (http://us.battle.net/security/checklist) on our Account Security site: http://us.battle.net/security/.

If you have further questions regarding this issue, please reply directly to this ticket.

Thank you for contacting us. We hope you continue to enjoy your experience in Diablo III!

Awesome thanks Blizz.
Reply Quote
Post from a non Blizz forum (entry will get most likely deleted anyway..)

*************************************
My coworker (btw, I am a Systems Security Engineer for the govt (CISSP), and have been doing security for decades) started up Wireshark, and then D3.. he was telling me how easy it was to hijack his session..the session ID floating around out there.. and then we got into the 2 step process it took to reverse engineer his authenticator.

Now granted, we have a more knowledgeable background than the layperson.. but if we showed you guys how much is out there to be found.. and how after a few minutes you too could see this stuff.. you can bet your !@# the hackers are even further along with just a tiny bit more effort.

While everything is hackable, what's going on with D3 right now is rather troublesome. --for the record, he stopped playing last night after witnessing what he saw.
Reply Quote
85 Night Elf Death Knight
6290
I still want an answer to this question -

Why did Blizzard decide to start using an email address as part of a login process?

When I first started playing WoW years and years ago, your account was linked to a user generated account name, and this account name was used in the login process. Then, around the time of Wrath, they changed to using an email address, and the email address became the login name.

Why did they do that? Does anyone know?

That one change made no sense whatsoever to me, it seemed like a step backwards in terms of security.

Hackers know full well that large numbers of people still have the bad habit of using the same email address for pretty much everything, and then added to that they also know that large numbers also use the same password, both fatal mistakes.

So now all the Hackers have to do is go email hunting, they don't hack Blizzard, that's nonsense, they hack 3rd party sites that are related to WoW, and now Diablo, because a large number of these 3rd party sites require you to register, giving an email address and a password.

Hackers work on percentages, they know a certain percentage of those given emails and passwords will be exactly the same as the email address and password that is being used for the WoW or Diablo account.

Hackers are not Hacking Blizzard, they are hacking 3rd party sites.

Even Guild applications now require you to register and give up an email address and a password.

These 3rd party sites are not secure, a very popular WoW related site was Hacked a few years ago, Hackers got in and stole email addresses, those email addresses were then spammed with fake Blizzard emails.

That particular 3rd party site openly admitted to being the subject of a breach in security, and apologised to its users, a topic was started on the WoW forums relating to it, it was instantly deleted.

Forcing the user to use an email address as part of a login process just seems to create even more mess.

So the question still stands, why did you do it Blizz?

Why not just revert back to a Unique User Generated Account name, that is then used as part of the login process?
Reply Quote
88 Blood Elf Rogue
OMG
9435
25/05/2012 15:03 Posted by Tsaritsin
Why did Blizzard decide to start using an email address as part of a login process?

It's what all the cool kids like facebook were doing.

Seriously idk where this trend for using e-mail as login details came from, but it's ridiculous given it's something that is supposed to be shared and given out to people.
Reply Quote
85 Night Elf Death Knight
6290
Why did Blizzard decide to start using an email address as part of a login process?

It's what all the cool kids like facebook were doing.

Seriously idk where this trend for using e-mail as login details came from, but it's ridiculous given it's something that is supposed to be shared and given out to people.


Exactly,

And as far as I am aware Blizzard have never given a reason for the change, if they have and I missed it, then I would like them to repeat that reason.

The old system where the user created a unique account name was far more secure, so why not go back to the old system?

Blizzard are saying they are doing everything to protect account security, and yet they are using an email address as part of the login process, so I'm sorry Blizz but I have to question whether you really are.

Unless of course there is a good reason, if so, just tell me.
Edited by Firefly#2951 on 26/05/2012 05:54 BST
Reply Quote
A very simple system of evading phishing e-mails I have found is to stop all newsletters or e-mails from Blizzard in the Account Settings part. If you know you stopped all Blizzard newsletters you know the crap you still get saying they are Blizzard is total BS.

And seriously any player who visits the battle.net sites fairly frequently will also know the stuff they send out in their monthly newsletters...

btw, an Authenticator is costing like what? 8-10€'s these days and it bulletproofs your account... So if you are that worried spend the cash and/or stop hanging around crummy websites that will stick spyware on your PC in the first place!
Reply Quote
A friend of mine just lost everything and I was listening live to the drama since we both were in TeamSpeak. He just finished a Butcher run he did with another buddy of ours and logged out in order to get some food from the kitchen. When he logged in again, like 15 minutes later, everything was gone.

He, like me too for example, never joined a random public game. He also never added unknown people to his friends list. However, after he was "hacked" some unknown "ufgsrdcd" kind of random name appeared in the list with a friend request.

So whatever happened to him and a lot of other players isn't limited to public games. I'm not going to add rumors since that's exactly as bad as defending Blizzard saying there's nothing wrong. I don't know what's going on but something IS wrong. The only thing that makes me really upset is Blizzard basically saying "there is no problem, we do not need to look into it and it's all your fault".
Reply Quote
88 Blood Elf Rogue
OMG
9435
26/05/2012 15:36 Posted by Borell
The only thing that makes me really upset is Blizzard basically saying "there is no problem, we do not need to look into it and it's all your fault".

It's annoying that is pretty much their response, but what your friend can do now is make sure that his account is safer in future (assuming he hadn't done all he could before it was compromised): http://eu.battle.net/en/security/help
He may not have joined public games, or added random people to his account, but did he have an authenticator enabled? Has he used his battle.net e-mail address for other websites online, or other gaming accounts? (istr RIFT being compromised at least twice and we all had to change our passwords etc. because the attackers got all that info. Anyone using the same details for games like WoW would be vulnerable there as well). Does he share his account with anyone etc.?

If it becomes more clear that people are definitely not being compromised by the usual means, we may see a lot less of the instant "get an authenticator, don't visit dodgy sites" responses, and actually get somewhere :)
Reply Quote
I haven't gotten hacked but the lack of response and responsibility taken by Blizzard in this matter is a joke.

I mean all games have their problems during launch, but security issues like this and launching real money in the game??

Come on Blizzard, it's time you do something. When people start to lose real money this will be 100 times worse if you can't provide security; you are responsible for the servers and their security.

I'm responsible for my PC but tbh I don't believe that all these ppl that got hacked have viruses/Trojans or whatever. I believe there is an exploit out there and you are not communicating with your customers.

http://www.youtube.com/watch?v=A97mnS3D9a8&feature=related

Now since there is a hack going on, an exploit, at least many people believe that and you are not denying it.

That means we should not play public, so I spent 60 euro on a game I can't use 100%. Is that why you are not saying anything, because you are afraid that someone will sue you?

I mean I can play public but then I risk getting hacked, so the security on the public servers isn't working and I might roll back (if I get hacked) 10-20 lvls if I'm in bad luck.

If you don't do something, the player base you have today will never trust you or any new game from Blizzard again.

Take the public servers down until they are secure. Sure, people will whine, but in the end they'd rather have a safe environment than what we have now.
Reply Quote
Common things to help protect yourself
1) always always always use a different password for each site that requires a username / login; see lastpass.com if nothing else
2) if you can, use a different email address [not as practical but you can use gmail dotted addresses]
3) never buy gold or levelling up services, or share your account details
4) use a proper firewall [see IPCop - though this will not protect the stupid]
5) use up-to-date virus software
6) change your password [see lastpass]
7) don't believe your 'friends' when they say it's safe, or they never bought gold etc.
Reply Quote
Care to explain how it is that the hacking is done while in public games? video - http://www.youtube.com/watch?v=8iQoOMJ9n8k&feature=related
Reply Quote
88 Blood Elf Rogue
OMG
9435
That video is showing what's happening to compromised accounts after the account owner has already lost control of it.
Reply Quote
I'm surprised how poorly this whole incident has been handled.

I've also been affected. While I don't care so much for the progress I've lost, I worry that Blizzard are punishing players for something they cannot do anything about, and that they "force" us to buy an extra service to remedy a problem that shouldn't be there. Also, what if this happens to us again in the future? How can we trust Blizzard?

A simple stash pin code would partially solve such issues, and many worse/cheaper games have done just that. It also seems that logging in on the battle.net homepage doesn't use https, unless you go through the support pages.

I'm not impressed.
Reply Quote
88 Blood Elf Rogue
OMG
9435
If people didn't buy gold, there'd be no one for the gold sellers to sell gold to, no need for them to steal gold from compromised accounts, so no reason to compromise accounts. There's probably something Blizzard could do to help stop the gold sellers too, but the action on the user end is a lot simpler.
Reply Quote
Can't say I'm overly worried about account security when no one can log in half the time ^^
Reply Quote
I have the text system and authenticator and still got hacked, and I haven't played it in a few days... bought nothing from auction house and never use public games. So I spent £8.99 on an item that is useless to me, and it's great getting a text saying "This is blizzard informing you your password has been changed".... 3 seconds later "this is blizzard informing you your email address has been changed".... 2 seconds later "this is blizzard informing you that you will no longer receive messages to this number as it has been changed." I mean seriously, in less than 10 seconds a whole account is changed. Stupid. To make matters worse I get a reply from blizzard saying... please read our security section on the forums to help make your account more secure. LIKE WTF? You kidding me? That's all you guys can say? Read a page that I already know and have taken those measures and still get hacked.... FYI blizzard, with all the advice you give, players still get hacked. NEWS FLASH: FIX YOUR GAME. This should have been resolved and prepared for in closed beta; these kinda stupid issues shouldn't exist in such a new game that has so many huge games backing it. Learn from experience guys... sheeesh. Oh and blizzard's way of making the servers even more secure.... 4 maintenances (over-exaggerated) each day for 4-5 hours each. Paid $80 for this; I could play Ragnarok and have half these issues...
Edited by joeninety#2482 on 31/05/2012 19:11 BST
Reply Quote
88 Blood Elf Rogue
OMG
9435
31/05/2012 19:05 Posted by joeninety
"This is blizzard informing you your password has been changed".... 3 seconds later "this is blizzard informing you your email address has been changed".... 2 seconds later "this is blizzard informing you that you will no longer receive messages to this number as it has been changed."

That's actually rather shocking. If a password change occurs, you should have to confirm via your current battle.net e-mail address if you want to then change e-mail and/or SMS notification #...

Have you been able to get anything more out of support? Did they tell you if the person logging in and changing your password was doing so from your usual location, or somewhere else entirely?
Reply Quote
Actually the email changed first, followed by password, then my SMS notification. I checked over the texts just now. Support wouldn't tell me anything except I must have been keylogged... I just said to them how the heck can an authenticator be keylogged? You kidding me? They closed the issue 2 hours later without reply. So it seems from all this I would never buy anything from blizzard or trust them with any money or anything. This is why I left WoW originally. I would have thought with these new games they would have improved security but it seems like they are just a bunch of goldfish on a computer.
Edited by joeninety#2482 on 31/05/2012 19:51 BST
Reply Quote
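
The burst of notifications described in the posts above (e-mail, password and SMS number all changed within seconds) is a pattern a service can detect and gate. The following is an added example, not part of the thread and not Blizzard's code; the event names, the 60-second window and the 24-hour hold are assumptions, and the log entries are constructed.

```python
from datetime import datetime, timedelta

# Constructed audit events (not real Battle.net logs): (timestamp, account, event).
SAMPLE_EVENTS = [
    ("2012-05-31T18:40:00", "acct-A", "email_changed"),
    ("2012-05-31T18:40:03", "acct-A", "password_changed"),
    ("2012-05-31T18:40:05", "acct-A", "sms_number_changed"),
    ("2012-05-30T09:00:00", "acct-B", "password_changed"),
    ("2012-05-30T21:15:00", "acct-B", "email_changed"),
    ("2012-05-31T10:00:00", "acct-C", "login"),
    ("2012-05-31T10:00:04", "acct-C", "password_changed"),
]

# Assumed event names for changes to credentials or recovery channels.
SENSITIVE = {"email_changed", "password_changed", "sms_number_changed"}


def find_takeover_bursts(events, window=timedelta(seconds=60), min_distinct=2):
    """Return {account: [(time, event), ...]} for accounts where at least
    min_distinct different sensitive changes fall inside one window."""
    by_account = {}
    for ts, account, event in events:
        if event in SENSITIVE:
            by_account.setdefault(account, []).append((datetime.fromisoformat(ts), event))
    flagged = {}
    for account, changes in by_account.items():
        changes.sort()
        start = 0
        for end in range(len(changes)):
            # Slide the window start forward until it spans at most `window`.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            burst = changes[start:end + 1]
            distinct = {event for _, event in burst}
            if len(distinct) >= min_distinct and len(burst) > len(flagged.get(account, [])):
                flagged[account] = burst  # keep the longest burst seen
    return flagged


def needs_old_channel_confirmation(prior_changes, requested, now, hold=timedelta(hours=24)):
    """Gate suggested in the thread: a sensitive change requested shortly after
    another one must be confirmed through the previously registered e-mail."""
    if requested not in SENSITIVE:
        return False
    return any(timedelta(0) <= now - ts <= hold for ts, _ in prior_changes)


if __name__ == "__main__":
    for account, burst in find_takeover_bursts(SAMPLE_EVENTS).items():
        print(account, [(t.isoformat(), e) for t, e in burst])
```

With the gate in place, the second and third changes in the constructed acct-A sequence would each wait for confirmation through the original e-mail address instead of completing within seconds.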
