Blizzard account hacked for the 6th time

Athinira

New member
Jan 25, 2010
gideonkain said:
Yes, that's right - this is the sixth time now I've gotten an email saying that my password reset has been sent - I went to the World of Warcraft website to see and it turns out that the account I was on that I stopped playing WoW with 2 years ago now has gained 2 levels on my Paladin, 55 levels on my Black Knight and created a troll hunter when I only ever played Alliance.

The only reason I was able to discover my account was hacked? Because I tried to play a game of Starcraft II and couldn't log on.

So basically for months now somebody has been playing WoW for free using my account information.

This makes me very angry at Blizzard for allowing this to happen - would they not have the ability to detect when my account is being accessed from another city/state/country?

Steam doesn't let me log on with another computer in my own house and yet Battle.Net will allow a hacker to use my account for months.
You have NO ONE to blame except yourself.

Your account didn't get "hacked" (as in, no one hacked into Blizzard's servers and obtained/changed your password). YOU lost your password to malware/virus.

Then there is the fact that you compare Steam's and WoW's security system. I'll give you a hint: Those are not the same, and cannot be compared. Steam's security-system is designed the way it is because Steam isn't a service that most people use on more than a couple of computers at best. WoW, by comparison, is something people are much more likely to log in to at different places, like for example an internet gaming cafe, at a friend's house who also plays WoW, etc. That's why WoW's security is OptIn, while Steamguard is OptOut.

If you weren't busy being lazy blaming Blizzard, you could have done the following a long time ago:
1) Cleaned out/formatted your computer to make sure no viruses/malware can snatch your password
2) Gotten an Authenticator attached to your account. You don't even have to pay for one if you have a smartphone (or an iPod Touch), since the Authenticator exists for both Android, iOS and Windows Phone that costs nothing.
3) Used stronger passwords

I wish people would take some damned responsibility sometimes instead of just complaining.
 

cgaWolf

New member
Apr 16, 2009
Jadak said:
Or he's full of it, who seriously uses a 33 character password? Certainly possible, but it's such an odd thing to do that it makes me even more likely to assume one of the things you mentioned is the case. Doesn't exactly suggest sensible behaviour.
My passwords routinely have 20+ characters, so 33 doesn't seem to be too far out there. All depends on how you pad/compose your passwords - in the end, you need something you can remember, and making the password 10 characters longer instead of introducing random substitutions works very well for that. Using passphrases instead of passwords also quickly leads to very long ones :)


u5|)4ssW0r74917 <- aneurism
thiSiSmY......passworDfoRwarcrafT1166 <--- easy to remember
 

R3dF41c0n

New member
Feb 11, 2009
My account got hacked once. I bought an authenticator and it never happened again. I suggested investing the $5 for one.
 

Zenn3k

New member
Feb 2, 2009
gideonkain said:
Yes, that's right - this is the sixth time now I've gotten an email saying that my password reset has been sent - I went to the World of Warcraft website to see and it turns out that the account I was on that I stopped playing WoW with 2 years ago now has gained 2 levels on my Paladin, 55 levels on my Black Knight and created a troll hunter when I only ever played Alliance.

The only reason I was able to discover my account was hacked? Because I tried to play a game of Starcraft II and couldn't log on.

So basically for months now somebody has been playing WoW for free using my account information.

This makes me very angry at Blizzard for allowing this to happen - would they not have the ability to detect when my account is being accessed from another city/state/country?

Steam doesn't let me log on with another computer in my own house and yet Battle.Net will allow a hacker to use my account for months.
Death Knights START at level 55.
 

gideonkain

New member
Nov 12, 2010
For those people posting without reading the discussion (everyone after page 1) it turns out my password only had my B-day, not my SSN, and that the account was only accessed for a short period of time between the launch of LichKing and the release of Starcraft 2, it only came to my attention today because while checking my email history I have an email from 2 months ago saying my WoW account has been restored from being banned (following a 90 day suspension) along with characters associated to my account that I never created.

I was initially freaked cause I rolled a DK on LichKIng day 1, wasn't my thing and quit the game - when I saw it at lvl 55 I was shocked that it could go on that long, then someone pointed out that they start at 55...not the guy directly above me but one of the 3 other people that have mentioned this.

So in conclusion I have the authenticator now, and I am confident that will protect me, but the fact is without that authenticator no matter what your password is, it can be hacked no problem.

I have also learned that people are shockingly quick to bad mouth a person when something bad happens to them. "Got Raped? What were you wearing?" sort of thing.
 

Nuke_em_05

Senior Member
Mar 30, 2009
gideonkain said:
All a hacker has to do is plug in my email and click a button, I am a Computer Programmer, I know how computers work, "Hacking" is usually little more than downloading a free application on the internet and supplying an email address for it to then go brute force its way into your private information.
I am the Ghost of Steve Jobs. See? It's easy to appeal to your own authority on the internet. The problem is, even if your authority is legitimate, it doesn't make you right.

Brute force is the least used form of "hacking". One, they would have to correctly guess the username and password independently. Two, most systems (I would hope Blizzard is included) limit login attempts to prevent it. Usually something like more than 5 in one second or something.

However, you imply that they already had your e-mail address and knew it had a WoW account. How did they know that?

In password security, you never ever use whole words or personal information. First because if someone does get your password, they now have that information. Second, these are the first things that brute force applications guess.

"Hacking" is mostly done through social engineering, phishing, and keylogging.

Getting "Hacked" six times, I have to wonder a couple of things. Have you ever changed the e-mail for your battle.net account? Because even if they brute force guessed the first time, they certainly know that e-mail works for sure now. You've only mentioned your latest password. Have you used any other passwords? Or do you change it to the same thing every time Blizzard resets it for you?

I am saying that it is most likely an error on your part. It isn't classy, but at the same time; it isn't exactly unfair to come to the conclusion that someone who uses personal information in passwords, and even admits as much in a public forum, is likely to have fallen victim to a phishing, keylogging, or social engineering scam. It is also pretty reasonable to assume that even if such a person is a computer programmer and "knows how computers work", that they don't have a strong grasp on computer security.

I'm sorry you got "hacked", it looks like you are taking steps now in changing your password and getting an authenticator. Good for you.

However, I don't share your opinion that Blizzard is to blame for this.
 

gideonkain

New member
Nov 12, 2010
I change my password each time, but never changed my email - I change my email password frequently - so ya, I'm not constantly vigilant but to be locked out of my account over and over is really frustrating.
 

Nuke_em_05

Senior Member
Mar 30, 2009
gideonkain said:
I change my password each time, but never changed my email - I change my email password frequently - so ya, I'm not constantly vigilant but to be locked out of my account over and over is really frustrating.
Well, that's quite an edit.

In response to your 9:18 post and sentiments echoed in the edited response:

Getting hacked sucks. It's frustrating and disheartening. I sympathize. It happens to a lot of people. It has happened to me.

What bugged me about this thread is your attitude: "The system is completely broken and I am infallible in my security practices!"

Yes, true "hacking" can occur, where there was absolutely nothing the user could have done about it. However, that is very rare, and the victims are generally much higher profile than a videogame subscription. In those cases, they have a specific target with a specific purpose.

Most of the time, "hacking" is just a form of social engineering, phishing, or keylogging. It is "preventable" but very few people are ever 100% vigilant. It happens, it sucks, we get over it, change passwords, change e-mails, get some sort of authentication, and move on.

This is less unsolicited people blaming the victim, and more the victim blaming the system and soliciting people for support. Again, while I sympathize, I don't support blaming the system.
 

Baldr

The Noble
Jan 6, 2010
Robert Ewing said:
Rasmus Emilsson said:
Battle.net Authenticator
This. It really is the ONLY way to bullet proof your account, it's extremely difficult to bypass, maybe impossible if they couldn't physically get to your authenticator.

The one problem I have found with it is that its battery life, and you will lose it a lot. Which seems likely as you go months at a time without logging onto the blizzard service. So don't fucking lose it, if you lose your authenticator then it will be 30x more difficult to retrieve your account than if it just got hacked.
I did lose my authenticator, it took less than a 4 minute phone call to Blizzard Billing to get my account back. (Also I found out they link your phone number to account information, so if you call back for any reason use the same phone, it automatically brings up your account information and it speeds up the process.)
 

Bad Jim

New member
Nov 1, 2010
CrawlingPastaHellion said:
gideonkain said:
The only reason I was able to discover my account was hacked? Because I tried to play a game of Starcraft II and couldn't log on.
A pro-tip: get yourself a firewall and an anti-virus/spyware, don't open all those fishy e-mails offering you a kingdom in Africa and don't go to all those fishy sites that make you click on a hundred different links at once.

What you call "hacking" is nothing more than you being stupid. Real hacking doesn't work that way. You either gave your login data away willingly through a phishing e-mail or unwillingly through a keylogger.

Geez, people, learn some basic computer science before you start throwing technical terms around.
Actually hacking does happen. For instance, on the old Battle.net it was once possible to hijack an account like this:
- request a password reset
- open your email with the password reset link
- replace the account details embedded in the link with the details of your victim.
- send the email with a forged header
- log in to victim's account

This was 100% a security hole in Battle.net 1 and was impossible for the victim to prevent. I don't know about unpatched security holes but it is a reasonable guess that they exist and someone is probably using some of them.
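
The hole described in the post above depends on the server trusting account details carried in the reset link. As an added example (not from the thread and not Blizzard's code), this sketch binds the account to the link with an HMAC so a swapped account field is rejected; `SERVER_KEY`, `TOKEN_TTL`, the token layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumptions for this sketch: a server-side secret and a 15-minute lifetime.
# Single use (recording spent nonces server-side) is left out.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 900


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_reset_token(account: str, now: Optional[float] = None) -> str:
    """Build 'account.expiry.nonce.mac'; the MAC covers all other fields."""
    issued = time.time() if now is None else now
    payload = f"{account}.{int(issued) + TOKEN_TTL}.{secrets.token_hex(8)}"
    return f"{payload}.{_mac(payload)}"


def verify_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the account the token was issued for, or None if it is invalid."""
    try:
        payload, mac = token.rsplit(".", 1)
        account, expiry, _nonce = payload.rsplit(".", 2)
        expires_at = int(expiry)
    except ValueError:
        return None
    # Constant-time comparison; a changed account field changes the expected MAC.
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None
    current = time.time() if now is None else now
    if current > expires_at:
        return None
    return account


def tamper_account(token: str, other_account: str) -> str:
    """Constructed test input: swap the account field but keep the original MAC."""
    parts = token.rsplit(".", 3)
    return ".".join([other_account] + parts[1:])
```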
 

Bad Jim

New member
Nov 1, 2010
Keava said:
Let me just direct You to something that might actually make You review Your view on mixed capitalization and general randomness

I've often thought that was a good idea, with one huge problem. "Correct horse battery staple" is 28 characters long, while most services only allow passwords up to about 14-20 characters in length.

There should be a law requiring the max length to be at least 100 characters I think. Short passwords may have saved valuable disk space in the 80s, but the saving is minuscule now and it makes people choose bad passwords.
 

Keava

New member
Mar 1, 2010
Bad Jim said:
I've often thought that was a good idea, with one huge problem. "Correct horse battery staple" is 28 characters long, while most services only allow passwords up to about 14-20 characters in length.

There should be a law requiring the max length to be at least 100 characters I think. Short passwords may have saved valuable disk space in the 80s, but the saving is minuscule now and it makes people choose bad passwords.
The funny thing with password length is that hashes have the same length no matter how many characters the original string had.
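
The point in the post above, as an added example that is not part of the thread: a salted PBKDF2 record occupies the same 48 bytes whether the password is 8 characters or a long passphrase, so storage gives no reason for a short maximum length. `ITERATIONS`, `MAX_PASSWORD_BYTES`, the record layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 200_000        # assumption: PBKDF2-HMAC-SHA256 work factor for this sketch
MAX_PASSWORD_BYTES = 1024   # assumption: generous cap that only bounds request size
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest, always SALT_LEN + 32 = 48 bytes."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    if salt is None:
        salt = os.urandom(SALT_LEN)   # fresh random salt per stored record
    digest = hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    try:
        candidate = hash_password(password, salt)[SALT_LEN:]
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)


def record_sizes(passwords: Iterable[str]) -> Dict[int, int]:
    """Map each password's character count to the size of its stored record."""
    return {len(p): len(hash_password(p)) for p in passwords}
```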
 

TheOneMavado

New member
Jul 3, 2011
ace_of_something said:
Keep in mind that one of the most common ways the badguys get your password is by sending you an email saying your account has been hacked 'click here' to go to our website.
Yeah, no kidding. I get about 20 of those a week claiming to be from Blizzard and saying that my Warcraft account has been hacked.

Only, I've NEVER played World of Warcraft, EVER. I typically hate online multiplayer and subscription based games are a big no no in my book.
 

Rasmus Emilsson

New member
Jun 22, 2010
Robert Ewing said:
Rasmus Emilsson said:
Battle.net Authenticator
This. It really is the ONLY way to bullet proof your account, it's extremely difficult to bypass, maybe impossible if they couldn't physically get to your authenticator.

The one problem I have found with it is that its battery life, and you will lose it a lot. Which seems likely as you go months at a time without logging onto the blizzard service. So don't fucking lose it, if you lose your authenticator then it will be 30x more difficult to retrieve your account than if it just got hacked.
There is an authenticator battle.net app for android :)
 
Nov 12, 2010
Bad Jim said:
Actually hacking does happen. For instance, on the old Battle.net it was once possible to hijack an account like this:
- request a password reset
- open your email with the password reset link
- replace the account details embedded in the link with the details of your victim.
- send the email with a forged header
- log in to victim's account

This was 100% a security hole in Battle.net 1 and was impossible for the victim to prevent. I don't know about unpatched security holes but it is a reasonable guess that they exist and someone is probably using some of them.
I never said hacking doesn't happen. It just rarely happens, since an object of hacking has to have some sort of vulnerability, which is patched quickly once it becomes a known issue. In this case by the object of hacking I of course refer to a login server or an equivalent.

Another way to hack is crack the encryption, but since it's become so advanced recently, it's pretty much a non-issue. Most of the internet uses 32 to 512 bit encryption keys, depending on the level of security required. If you have a 256 bit key, you basically have 2 to the power of 256 possible combinations. 2 to the exponent of 128 is already more combinations than atoms in the known universe. There is no way any of the modern computers can crack these keys fast enough, it'll take until the end of time, literally.

Most of what internet refers to as hacking is nothing but being careless, since people often take security for granted. As an escapist here said: "security doesn't just happen". I'm merely talking statistics here. If you're "hacked" the chances are it's your own fault.
 

Kuilui

New member
Apr 1, 2010
Hey is there a way to search on the WoW site if my account has been active? I got one of those password recovery things long ago but ignored it because I checked and none of my old characters had done anything and were still inactive. Is there a way to search for my old account to see if it's active?
 

^=ash=^

New member
Sep 23, 2009
gideonkain said:
I have also learned that people are shockingly quick to bad mouth a person when something bad happens to them. "Got Raped? What were you wearing?" sort of thing.

Comparing getting your WoW 'hacked' to being raped. Not cool.