Blizzard Responds to Diablo 3 Account Hacks

By - Source: Blizzard

Nothing new here, says Blizzard. Move along.

On Tuesday Diablo 3 community manager Bashiok hit the forums and responded to numerous complaints about the loss of gold and items due to account hacking. In short, Blizzard is blaming the problem on passwords that aren't backed up by an official authenticator.

"We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring," Bashiok writes. "Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password."

But Bashiok also verifies that the authenticator isn't a 100-percent guarantee of account security. "We have yet to investigate a compromise report in which an authenticator was attached beforehand," he adds. "If your account has been hacked, please view the previous post for information on contacting our support department."

As pointed out on Monday, Diablo 3 players are reporting hacks on both sides of the authenticator fence. Some have even watched the hacking take place in real time and captured screenshots of it as it happened. Even Examiner journalist Tara Swadley saw her gold and character items drained after using an authenticator.

"This reporter, after having her own account with authenticator hacked, firmly believes this is a serious security breach on Blizzard’s side, though they either do not want to admit it, or are still unaware of the problem," she writes. As hanted to on Monday, there's speculation that this flood of hacking is just a prelude to what's to come once Blizzard launches the real-money auction house next week.

In addition to Bashiok's forum post, another lengthy statement was issued around midnight EST. Blizzard says it isn't uncommon to see increased reports of hacking when a new game or expansion pack is released. Users are encouraged to check out the company's new SMS Protect, which lets customers manage their account through text messages on their phone.

"Historically, the release of a new game -- such as a World of Warcraft® expansion -- will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo 3," Blizzard states. "We know how frustrating it can be to become the victim of account theft, and as always, we're dedicated to doing everything we can to help our players keep their accounts safe -- and we appreciate everyone who's doing their part to help protect their accounts as well."

"We also wanted to reassure you that the Authenticator and Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them," Blizzard adds.

Currently one hacking theory suggests that an exploit allows for session hijacking. "You will lose connection to the game," reports Frobozz as he describes what will happen when the account is hijacked. "This can result in just the 'Lost connection to server' error message or no message at all."

"A good sign that the connection loss is a hijack attempt and not just a server error is if you are also having trouble surfing the web (i.e. slow connections, or can't load pages)," he continues. "People are reporting that their IP is getting DDOSed to prevent them from relogging into Diablo 3 and thus getting a new session and stopping the attack."
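The theory above, and djscribbles' comment below about a session id seen in a public game being spoofed from another machine, both come down to one defensive question: what does the server check before it accepts a session token it has already issued? The following is an added example, not Blizzard's code (Battle.net's real session format is not public); it assumes a hypothetical design in which the token carries the account, the issuing IP, a client fingerprint string and an expiry, all signed with HMAC-SHA256, so that the same token presented from a different origin, with an edited account field, or after its lifetime is rejected rather than honoured.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key for this example only; a real service would load it
# from a secrets store rather than generate it at import time.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_session(account: str, client_ip: str, client_fp: str,
                  now: int, ttl: int = 3600, key: bytes = SERVER_KEY) -> str:
    """Mint a session token bound to the account, the connecting IP and a
    (hypothetical) client fingerprint, with an expiry. The body is signed
    with HMAC-SHA256 so the holder cannot alter any field without the key."""
    payload = {
        "acct": account,
        "ip": client_ip,
        "fp": client_fp,
        "exp": now + ttl,
        "nonce": secrets.token_hex(8),   # makes every issued token unique
    }
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_session(token: str, client_ip: str, client_fp: str,
                   now: int, key: bytes = SERVER_KEY):
    """Return (account, "ok") if the token is authentic, unexpired and presented
    from the origin it was issued to; otherwise (None, reason)."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:                          # wrong part count or bad base64
        return None, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None, "bad_signature"
    payload = json.loads(body)
    if now > payload["exp"]:
        return None, "expired"
    if payload["ip"] != client_ip or payload["fp"] != client_fp:
        # Same token, different origin: treat as replay and force a fresh login.
        return None, "origin_mismatch"
    return payload["acct"], "ok"


def tamper_account(token: str, new_account: str) -> str:
    """Simulate editing the account field without the key (tag left unchanged)."""
    body_b64, tag_b64 = token.split(".")
    payload = json.loads(base64.urlsafe_b64decode(body_b64))
    payload["acct"] = new_account
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    return _b64(body) + "." + tag_b64


def hijack_scenario() -> dict:
    """Constructed walk-through: one token minted for a player, then presented
    legitimately, from another host, with an edited account, after expiry,
    and as garbage. All IPs and fingerprints here are made-up sample values."""
    t0 = 1_337_000_000
    ip, fp = "203.0.113.10", "client-build-1.0.2"
    token = issue_session("player_one", ip, fp, t0)
    return {
        "legit":    verify_session(token, ip, fp, t0 + 60),
        "replayed": verify_session(token, "198.51.100.7", fp, t0 + 60),
        "tampered": verify_session(tamper_account(token, "player_two"), ip, fp, t0 + 60),
        "expired":  verify_session(token, ip, fp, t0 + 7200),
        "garbage":  verify_session("not.a.token", ip, fp, t0),
    }


if __name__ == "__main__":
    for name, result in hijack_scenario().items():
        print(f"{name:9s} -> {result}")
```

Origin binding is exactly the check that the malware-as-proxy rumour in the comments would sidestep, since a request relayed through the victim's own PC arrives from the expected IP and fingerprint. That is the argument for requiring a fresh second-factor step on sensitive actions such as trades or auction-house sales, independent of whether the session itself looks valid.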

Top Comments
  • 24
    SinisterSalad , May 22, 2012 4:29 PM
    Allowing offline use would be the best way to counter this.
  • 13
    Anonymous , May 22, 2012 5:16 PM
    Well, very glad I decided not to buy Diablo III, I WIN :)
  • 12
    DoofusOfDeath , May 22, 2012 4:38 PM
    Would the man-in-the-middle attack be avoided if D3 used SSL ?
Other Comments
  • 3
    Anonymous , May 22, 2012 4:20 PM
    Either it is the lack of an authenticator or Blizzard just put their foot into their mouth. It would be most amusing if it were the latter. Maybe then they would stop thinking that their system, as it is, is flawless.
    SinisterSalad , May 22, 2012 4:29 PM
    Allowing offline use would be the best way to counter this.
  • 1
    seroism , May 22, 2012 4:38 PM
    Blizzard knows it's happening but doesn't want to acknowledge it. They're trying desperately to fix the problem before the RMAH is launched. My money is on the hackers....
    DoofusOfDeath , May 22, 2012 4:38 PM
    Would the man-in-the-middle attack be avoided if D3 used SSL ?
  • 1
    DroKing , May 22, 2012 4:40 PM
    Why are they talking out of their asses? They've had WoW for how long? Enough said.
  • 7
    djscribbles , May 22, 2012 4:54 PM
    Some of the rumors floating around point to joining a public game (which gives the hacker access to your session id, which he can then spoof) as being all that is needed to be hacked.
    Maybe true, maybe not, but I'm not going to go try to find any new friends until this dies down.

    Another rumored cause is people infected with malware that lets a hacker use their PC as a proxy server to bypass their authenticator when it is configured in "not ask every time" mode; the hacker would be able to log in without authentication because the request is coming from the victim's own infected PC.

    Personally, I think this is a huge risk to Blizzard's reputation; I sure hope they are willing to admit if the vulnerability is on their side, and get it fixed soon. Personally, I think this seems way too 'big' to be a bunch of schmoes with PCs loaded with malware, but it would be possible they have been saving up a big list of targets, as Battle.net accounts were around long before Diablo 3 launched, and there is likely a large intersection between Diablo 3 players, WoW players, and SC3 players.
  • -7
    bgaimur , May 22, 2012 5:00 PM

    This picture sums up the entire situation. By the way, that picture proves it's Blizzard's fault.
  • 1
    maxinexus , May 22, 2012 5:00 PM
    Play with the someone you know.
  • -5
    bgaimur , May 22, 2012 5:01 PM
    DoofusOfDeath: Would the man-in-the-middle attack be avoided if D3 used SSL ?

    Using SSL on a d3 session would be about as useful as putting a password on a telnet session. If you need to ask why, just take my word for it. No.
  • -2
    spookyman , May 22, 2012 5:03 PM
    It's a shame you can play this game like the original Diablo. It was great to play on a local area network at work and play with friends without having to log on to the internet.

    As for the account problems, how hard is it to secure your account?

    Could they use WoW as a guide on account security?
  • -1
    hoof_hearted , May 22, 2012 5:03 PM
    An authenticator ... great ... now I need a proprietary smartcard to play a single-player game?
  • -6
    bgaimur , May 22, 2012 5:07 PM
    hoof_hearted: An authenticator ... great ... now I need a proprietary smartcard to play a single-player game?

    Proprietary smart card... well if you invest anything into something, you do what's convenient and available to secure it. In this case, you use a two-step authentication process. Sure, you can memorize a password, but can you type in numbers that you're reading from a keychain?! Preposterous!
    Anonymous , May 22, 2012 5:16 PM
    Well, very glad I decided not to buy Diablo III, I WIN :) 
  • 2
    Anonymous , May 22, 2012 5:18 PM
    Sadly this is happening more and more in multiplayer online games now. It happened to Valve, Nexon, Blizzard and the rest. The usual denials and silence attitude till it is way too late for the victims. Then insufficient compensation that doesn't even help the victims. So get your $60+ D3 to play (if you even can login to play or not get dcd even) coaster and work hard only to have your stuff get stolen. Blizzard already got your money and doesn't care.
  • 6
    mobrocket , May 22, 2012 5:19 PM
    I remember SC2 launch going a lot smoother than this
  • -2
    mchuf , May 22, 2012 5:20 PM
    So in trying to get a piece of the action from gold farmers, Blizzard has allowed a way for its customers to get hacked. And of course, it isn't Blizzard's fault.
  • 9
    Anonymous , May 22, 2012 5:21 PM
    IMO - Blizzard invited these lazy money grubbing hackers to the party by coming up with such a harebrained scheme as the RMAH. Blizz - you have truly shown your ignorance just to support your own greed. You don't want people to buy Gold for WoW because you don't get your cut. Now you introduce a way to get your cut and are bringing the worst out in many people.

    You want to stop the hacking, be smart like Trion and introduce some sort of account lock tied to the user's e-mail (like Trion did for Rift) when played from different PCs. Otherwise, indefinitely delay the RMAH until you get your $h1t together.
  • 2
    kartu , May 22, 2012 5:29 PM
    SinisterSalad: Allowing offline use would be the best way to counter this.

    Uhm, but it would mean some would be able to play it for free!!!
    Who cares that additional cost of servers needed to serve solo play is hardly justified by "reduced piracy".
  • 8
    bigdragon , May 22, 2012 5:34 PM
    So I have to buy the game and then purchase an authenticator in addition to it just to have some sort of account security in a Blizzard game? No thanks. What a nightmare. I am so glad I avoided Diablo 3. All this news just makes it easier for me to say no. I really really wanted to get a good 4-person cooperative game to play with friends. I had such high hopes for this game, but these news stories are frightening. Diablo 3 seems to be a game that's more stressful than work.

    I miss the days when games weren't built around unlockable content. I miss the days where micro-transactions and parts packs weren't worked into every product. I miss the days where games were fun experiences to enjoy. Where did it all start going so wrong?
  • -2
    atmos929 , May 22, 2012 5:41 PM
    mobrocket: I remember SC2 launch going a lot smoother than this

    yes, even though it did not have LAN either, it did not require active internet connection...
