
Blizzard Responds To Diablo III Security Concerns


13 replies to this topic

#1 IMG News

IMG News

    Pimpbot 4000

  • IMG Writers
  • 7112 posts
  • Pro Member:Yes

Posted 23 May 2012 - 05:41 AM

In response to recent reports of Diablo III users losing items and gold after having their accounts hacked, Blizzard Entertainment has posted a response to player concerns about the game's security. First citing similar numbers of compromised accounts with other new releases, Blizzard went on to detail measures players should take to keep their account information safe.

We'd like to take a moment to address the recent reports that suggested that Battle.net® and Diablo® III may have been compromised. Historically, the release of a new game -- such as a World of Warcraft® expansion -- will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo III. We know how frustrating it can be to become the victim of account theft, and as always, we're dedicated to doing everything we can to help our players keep their Battle.net accounts safe -- and we appreciate everyone who's doing their part to help protect their accounts as well. You can read about ways to help keep your account secure, along with some of the internal and external measures we have in place to help us achieve our security goals, at our account security website here: www.battle.net/security.

We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them. In addition, we also recently introduced a new service called Battle.net SMS Protect, which allows you to use your text-enabled cell phone to unlock a locked Battle.net account, recover your account name, approve a password reset, or remove a lost Authenticator. Optionally, you can set up the Battle.net SMS Protect system to send you a text message whenever unusual activity is detected on your account, keeping you aware of important (and possibly unwanted) changes.

We also have other measures built into Battle.net to help protect players. Occasionally, when Battle.net detects unusual login activity that differs from your normal behavior -- such as logging in from an unfamiliar location -- we may prompt you for additional information (such as the answer to one of your security questions) and/or require you to perform a password reset through the Battle.net website. World of Warcraft players might be familiar with this security method already, and Diablo III players may begin to encounter it as well.
Learn more at the link below.
Return to Full Article - InsideMacGames News
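Blizzard's statement above describes a risk-based login check: when an attempt differs from the account's normal behaviour, such as logging in from an unfamiliar location, the player is challenged or forced through a password reset. The following is an added example written for this page, not Blizzard's code, of what such a check looks like in miniature. The login records, country codes, 90-day history window, 2-hour "impossible travel" threshold and the decision rules are all constructed assumptions.

```python
"""Added example, not Blizzard's code: a toy version of the risk-based login check
the statement above describes. An attempt that differs from the account's normal
pattern (here an unfamiliar country or device, or two countries too close together
in time) is answered with a step-up challenge or a forced password reset.
The login records, country codes, window sizes and decision thresholds are all
constructed assumptions for the demonstration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    account: str
    when: datetime
    country: str   # assumed to come from IP geolocation
    device: str    # assumed: a client fingerprint or remembered-device cookie


HISTORY_WINDOW = timedelta(days=90)  # how far back "normal behaviour" is learned from
TRAVEL_WINDOW = timedelta(hours=2)   # two countries closer than this is treated as impossible travel


def assess(attempt, history):
    """Return (action, reasons). Actions: 'allow'; 'step_up', i.e. ask for a
    security question or authenticator code; 'reset', i.e. require a password
    reset through the website before the account can be used again."""
    recent = [h for h in history
              if h.account == attempt.account
              and attempt.when - HISTORY_WINDOW <= h.when < attempt.when]
    if not recent:
        return "step_up", ["no recent history"]   # nothing to compare against yet
    reasons = []
    if attempt.country not in {h.country for h in recent}:
        reasons.append("unfamiliar country")
    if attempt.device not in {h.device for h in recent}:
        reasons.append("unfamiliar device")
    last = max(recent, key=lambda h: h.when)
    if last.country != attempt.country and attempt.when - last.when < TRAVEL_WINDOW:
        reasons.append("impossible travel")
    if "impossible travel" in reasons or len(reasons) >= 2:
        return "reset", reasons          # several signals at once: treat as a takeover
    if reasons:
        return "step_up", reasons        # one signal: challenge, do not lock out
    return "allow", reasons


# Constructed history: one player, always from the same country and machine,
# with the most recent login at T0.
T0 = datetime(2012, 5, 20, 18, 0)
HISTORY = [Login("player", T0 - timedelta(days=d), "US", "imac-27") for d in (30, 14, 7, 1, 0)]

# Constructed attempts to score against that history.
SCENARIOS = {
    "usual":       Login("player", T0 + timedelta(hours=1), "US", "imac-27"),
    "new_device":  Login("player", T0 + timedelta(hours=1), "US", "macbook"),
    "new_country": Login("player", T0 + timedelta(days=3), "DE", "imac-27"),
    "thief":       Login("player", T0 + timedelta(minutes=40), "NL", "win-box"),
    "no_history":  Login("newcomer", T0, "US", "imac-27"),
}


def evaluate_all(scenarios=SCENARIOS, history=HISTORY):
    """Score every constructed scenario; returns {name: (action, reasons)}."""
    return {name: assess(attempt, history) for name, attempt in scenarios.items()}


if __name__ == "__main__":
    for name, (action, reasons) in evaluate_all().items():
        print(f"{name:12} -> {action:8} {reasons}")
```

The "thief" scenario is the pattern the GameBanshee quote later in this thread describes: the owner is playing from home, and minutes later a different machine in a different country logs in. A single weak signal (a new laptop at home, a VPN exit abroad) only asks for a challenge, because a reset on every anomaly locks legitimate players out and trains them to ignore the prompt; several signals together justify the heavier response.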


#2 cleansanchez

cleansanchez

    Notorious

  • Members
  • 158 posts
  • Location:Sydney, Australia

Posted 23 May 2012 - 04:42 PM

Seems a lot of people, especially Europeans, have been hit. Very curious. Easy to dismiss as the users being a bunch of lamers with dodgy security habits and so on, but a couple of people are claiming that they had Authenticators. Apart from the question of whether or not the Authenticators were official Blizzard ones (3rd party downloaded internet ones that you invoke each time on your PC are way less secure), I have a hunch there is a real problem here and this is why, in a simplistic kind of explanation:

If you think about the amount of data being passed to Blizzard to and from your computer then all it takes is for someone to intercept that data along the way. Perhaps through a vulnerability on the client side PC. Data through the very well known Diablo III ports (we are required to port forward and the list of ports for Blizzard products is not at all a secret) only needs to be monitored.

Patterns in the structure of the data soon emerge. Password packets are soon located. People with weak passwords will be subject to a brute force attack perhaps. Or if the data packets are formatted for database accessing such as SQL variants then the structure of the data can be very easily "read".

(I suspect the gold based Auction House here. I can sense there is a SQL like database behind the scenes and it is very very new software. It is not working smoothly at all and I suspect there are a lot of unnecessary and expensive reads happening, for example. It just doesn't feel right. It has massive latency. Anyone with RDB experience will know that in this scenario parts of it are being rewritten as I write this. Blizzard aren't chumps. This AH bit is my own speculation btw, take it with a grain of salt. But I've been around IT a bit and I can smell a dog lol)

Anyone who has worked in IT and had their boss figuratively dump a wad of data on their desk and been told to identify it, pull it apart, fix it, and put it back together will know that all you need is a knowledge of the basic data structures and comms structures within your company to eventually succeed at making sense of the mess.

In short: vulnerable computers and the sheer volume of same looking data from many PCs is a recipe for something like what I think is happening.

#3 Ichigo27

Ichigo27

    NSFW o_O

  • Members
  • 2173 posts
  • Location:pingas

Posted 24 May 2012 - 10:07 PM

So who else thinks about this? I wonder because I had a chance to play a little bit of the beta while it was public for a couple of days.
What is a man?

#4 Matt Diamond

Matt Diamond

    Master Blaster

  • IMG Writers
  • 1789 posts
  • Location:Holland, PA; US
  • Pro Member:Yes

Posted 25 May 2012 - 07:45 AM

Complete speculation. It's easy to imagine patterns when the sample size is so large. When a game sells so many copies so quickly, to people who mostly have longstanding Battle.net accounts, there's bound to be an explosion of problems. Some victims' accounts could have been compromised months ago.

I think Blizzard sincerely believes there was no breach of their back-end. They may be wrong of course. But it's not possible for us to draw conclusions (or even judge the scope of the problem) just by reading online posts from the loudest victims.

As far as the specific method outlined above: properly encrypted passwords cannot be read from packets. You also can't tell if the person's password is weak from the packets.
Matt Diamond - www.mindthecube.com
Measure twice, cut once, curse three or four times.

#5 Wumpus

Wumpus

    MacGameCast Host

  • IMG Writers
  • 1362 posts
  • Steam Name:the_great_wumpus
  • Location:Indieland: Bastion & Lone Survivor.

Posted 26 May 2012 - 08:54 AM

I've had a battle.net account for a while, but I've never played WoW with it, only Warcraft 3, Starcraft, SC2 and now of course, Diablo 3. I never played D2 online, so I don't recall needing a bnet account for it. Not particularly worried about this, though I may get the authenticator. I use the AH a little, but mostly just regular in game stuff and coop.
Mac Mumble Server! Join the fun! Address: macgamecast.mumbleserverhost.com Port: 32438
IMG Reviews, Previews & Features
MGC Podcast Host. (Want to hear something discussed or join the fun? Let me know.)
Subscribe to the Podcast (iTunes)

27" iMac, Core i5 Quad 2.8Ghz, 8GB RAM, ATI Radeon HD5750 1GB, 1TB Hard Drive

#6 Wumpus

Wumpus

    MacGameCast Host

  • IMG Writers
  • 1362 posts
  • Steam Name:the_great_wumpus
  • Location:Indieland: Bastion & Lone Survivor.

Posted 26 May 2012 - 09:59 AM

Haha, I feel very silly after my last post. Someone just changed my battle.net account password. Fortunately Blizzard emails you the moment your account password is changed, and my email checks itself every 5 minutes. I immediately did their support page for an account reset if hacked, and they'll remove any and all malicious things done and restore all progress, items, etc. that you had. They also recommend you change your email password, which I did, though it was still working fine. I did anyway just in case.

Also going to add the authenticator to help prevent this from happening again. Sheesh. They say to wait before playing as someone is checking my account for anything done. (how much can someone do in 5 minutes? Hard to say.)

*edit*

Added the authenticator and mobile alerts in case I'm not around. Still waiting to open D3 though. This will be fun to talk about on the podcast tomorrow :P

#7 Kilvain

Kilvain

    Notorious

  • IMG Writers
  • 152 posts

Posted 26 May 2012 - 05:10 PM

Hmm... the guy over at GameBanshee had a similar experience.

Quote

...while playing at approximately 12:30am CST in the wee hours of the morning, I was booted off with a message that someone else had logged into my account. Thinking it was just a misreported crash error, I logged back in, only to be booted again - and this time the hacker changed my password. In the time it took me to use the account recovery process on the Battle.net website, the hacker managed to get my gold (over 100k), all my gems, and several items from my stash. Fortunately, I managed to kick them out before they were able to get everything from my stash and the items my level 53 wizard was actually wearing. So even though I use a different password for everything I log into, and I use tough alphanumeric passwords that aren't based on dictionary words, some bastard was able to make me experience my first account hacking in over 25 years of online gaming.

To be fair to Blizzard, one thing I wasn't doing was using their authenticator or Battle.net SMS protection options. But since I'm not a World of Warcraft player and have never experienced any sort of online hacking attempts in the past, it never dawned on me that these were a necessity. You can bet that I'm now using both, and I have to wonder why these aren't a requirement for everyone given the mass exodus or PR nightmare that widespread hacking could cause for the company.


#8 Wumpus

Wumpus

    MacGameCast Host

  • IMG Writers
  • 1362 posts
  • Steam Name:the_great_wumpus
  • Location:Indieland: Bastion & Lone Survivor.

Posted 26 May 2012 - 06:35 PM

That about sums up what happened to me. Never had an issue before in some 20 odd years of gaming, and the first time it happened was with my level 53 wizard. Same as that guy. Pure coincidence or are they targeting Wizards? :P

I checked out of curiosity, and a few things were missing from my stash (nothing important) and all my gems were there, but my character was stripped clean of all gear and gold. From what I understand Blizzard can/will restore that.

#9 Matt Diamond

Matt Diamond

    Master Blaster

  • IMG Writers
  • 1789 posts
  • Location:Holland, PA; US
  • Pro Member:Yes

Posted 26 May 2012 - 09:58 PM

The obvious question is how they are getting these passwords. While the speculation above about sniffing packets or cracking the database still seems unlikely to me, assuming Blizzard is using industry standard encryption and authentication, I can totally see now why people are assuming a lapse on Blizzard's end.

What if thieves got access to a Blizzard moderator account? Would that let them access other accounts? (Seems like that activity would be logged though.) Or maybe one of Blizzard's thousands of employees is dirty and has opened up a hole.

Looking forward to hearing all about it one day. In the meantime, I'm not even going to start playing without an authenticator.

#10 Wumpus

Wumpus

    MacGameCast Host

  • IMG Writers
  • 1362 posts
  • Steam Name:the_great_wumpus
  • Location:Indieland: Bastion & Lone Survivor.

Posted 26 May 2012 - 10:06 PM

Matt Diamond, on 26 May 2012 - 09:58 PM, said:

Looking forward to hearing all about it one day. In the meantime, I'm not even going to start playing without an authenticator.
I saw on Twitter that you ordered it and chose the slowest shipping speed possible :P

And yeah, I would highly recommend any and all to play with an authenticator. They offer two different ones, plus SMS alerts of any suspicious activity or password change. I never thought it would happen to me, and an hour after writing that first post, poof, I got hacked. Better safe than sorry than go through the hassle of getting stuff restored. I'm craving to play but I can't, probably for a few days at least or more, I don't know.

#11 Matt Diamond

Matt Diamond

    Master Blaster

  • IMG Writers
  • 1789 posts
  • Location:Holland, PA; US
  • Pro Member:Yes

Posted 27 May 2012 - 12:25 PM

It's almost like they make a point of hacking people who talk about it online.  :o

#12 the Battle Cat

the Battle Cat

    Sewage Served Raw

  • Admin
  • 14870 posts
  • Location:Citadel City, Lh'owon
  • Pro Member:Yes

Posted 27 May 2012 - 12:54 PM

Matt Diamond, on 27 May 2012 - 12:25 PM, said:

It's almost like they make a point of hacking people who talk about it online.  :o
I am not!!  Why that's preposterous!
Gary Simmons
the Battle Cat

#13 Tesseract

Tesseract

    Uberspewer

  • Forum Moderators
  • 3425 posts
  • Pro Member:Yes

Posted 29 May 2012 - 12:39 AM

Matt Diamond, on 26 May 2012 - 09:58 PM, said:

The obvious question is how they are getting these passwords. While the speculation above about sniffing packets or cracking the database still seems unlikely to me, assuming Blizzard is using industry standard encryption and authentication, I can totally see now why people are assuming a lapse on Blizzard's end.
Indeed. If they're using SSL and all the usual precautions like exponential backoff on the allowed rate of login attempts, it's hard to see how anyone could be sniffing or brute-forcing passwords, at least not fast enough for it to be useful.

It would be very interesting to see what the affected users' passwords were. If they're not all "abc123" or something, then you really have to wonder if (a) Blizzard just fails at implementing a secure login system, or (b) someone on the inside leaked the password file, whether deliberately or by being infected with malware.

In any case, multi-factor authentication is of course still a good idea…
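The post above names exponential backoff on login attempts as one of the "usual precautions" that makes online password guessing too slow to be useful. As an added example for this page (not Blizzard's code and not part of the post), here is a password check wrapped in a per-account throttle of that kind, plus a simulation of how many guesses an attacker actually gets through in an hour. The delays, the PBKDF2 work factor, the attacker's guess rate and the injectable clock are assumptions chosen for the demonstration.

```python
"""Added example, not from the thread or from Blizzard: a password check wrapped in
per-account login throttling with exponential backoff, the control the post above
argues makes online brute force too slow to be useful. Delays, the PBKDF2 cost and
the attacker's guess rate are assumed values chosen for the demonstration."""
import hashlib
import hmac
import os


class FakeClock:
    """Injectable clock so the simulation below is deterministic (assumption:
    a real deployment passes time.monotonic instead)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds

    def advance_to(self, t):
        self.now = max(self.now, t)


class LoginThrottle:
    FREE_FAILURES = 3        # tolerate a few typos before delaying (assumed)
    BASE_DELAY = 1.0         # seconds after the first counted failure (assumed)
    MAX_DELAY = 3600.0       # cap so a targeted victim is not locked out forever

    def __init__(self, clock):
        self.clock = clock
        self.failures = {}       # key -> consecutive failures
        self.blocked_until = {}  # key -> earliest time another attempt is accepted

    def allowed(self, key):
        return self.clock() >= self.blocked_until.get(key, 0.0)

    def record_failure(self, key):
        n = self.failures.get(key, 0) + 1
        self.failures[key] = n
        over = n - self.FREE_FAILURES
        if over > 0:             # delay doubles with every further failure: 1, 2, 4, 8 ... seconds
            delay = min(self.BASE_DELAY * 2 ** (over - 1), self.MAX_DELAY)
            self.blocked_until[key] = self.clock() + delay

    def record_success(self, key):
        self.failures.pop(key, None)
        self.blocked_until.pop(key, None)


PBKDF2_ROUNDS = 50_000       # kept low for the demo; production uses a far higher work factor


def make_user(password):
    """Constructed user record: (salt, PBKDF2-SHA256 hash)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def attempt_login(throttle, users, account, password):
    """Return 'throttled', 'bad_password' or 'ok'. Throttle keyed on the account only (see note)."""
    if not throttle.allowed(account):
        return "throttled"           # rejected before any hashing work is spent
    salt, stored = users[account]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if hmac.compare_digest(candidate, stored):   # constant-time comparison
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad_password"


def guesses_checked_in(window, per_guess=0.1):
    """Simulate an attacker who submits a new guess every `per_guess` seconds
    against account 'victim' and retries the instant the block expires; return
    how many guesses the server actually hashed and compared within `window` seconds."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    users = {"victim": make_user("correct horse battery staple")}
    checked = 0
    while clock.now < window:
        result = attempt_login(throttle, users, "victim", f"wrong-{checked}")
        if result == "throttled":
            clock.advance_to(throttle.blocked_until["victim"])
            continue
        checked += 1
        clock.advance(per_guess)
    return checked


if __name__ == "__main__":
    print("guesses checked in one hour with backoff:", guesses_checked_in(3600))
```

At ten guesses a second an unthrottled endpoint would check 36,000 passwords an hour; with the doubling delays above the same attacker gets 15, after which the block is already longer than the remaining window. Two caveats a deployment has to weigh: keying the throttle on the account alone lets anyone lock a victim out by deliberately failing against their name, while keying on source address alone is defeated by spreading guesses across many machines, so real systems combine both and cap the delay. And none of this helps when the password is captured on the player's own machine rather than guessed, which is the case the authenticator is there to cover.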

#14 Janichsan

Janichsan

    Venting Toot Pipe

  • Members
  • 6528 posts
  • Steam Name:Janichsan
  • Location:over there

Posted 29 May 2012 - 01:50 AM

Tesseract, on 29 May 2012 - 12:39 AM, said:

It would be very interesting to see what the affected users' passwords were. If they're not all "abc123" or something, then you really have to wonder if (a) Blizzard just fails at implementing a secure login system, or (b) someone on the inside leaked the password file, whether deliberately or by being infected with malware.
Well, (a) at least seems to play an important role. As it turns out, Battle.Net passwords aren't case sensitive. That does not really speak for a well implemented system...
"We do what we must, because we can."
"Gaming on a Mac is like women on the internet." — "Highly common and totally awesome?"
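The post above reports that Battle.net passwords were not case sensitive. As an added example for this page (not Battle.net's code and not part of the post), the block below shows what that does to an attacker's job: a verifier that lower-cases before hashing is placed beside one that does not, a constructed wordlist is counted under each to show how case variants collapse into one guess, and the entropy lost by a random alphanumeric password is put in bits. The hashing scheme, work factor and sample passwords are assumptions.

```python
"""Added example (not Battle.net code): what a login system that ignores password
case, as the post above reports, does to an attacker's search space. It compares a
verifier that lower-cases before hashing with one that does not, counts how many
distinct guesses a wordlist collapses to under each, and puts a number on the
entropy lost. The hashing scheme, work factor and sample passwords are assumptions."""
import hashlib
import hmac
import math
import os

ROUNDS = 20_000   # kept low for the demo; production uses a far higher work factor


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)


def enroll(password, case_folded):
    """Store a password. case_folded=True mimics a system that lower-cases the
    password before hashing, so 'Passw0rd' and 'PASSW0RD' become the same secret."""
    salt = os.urandom(16)
    secret = password.lower() if case_folded else password
    return {"salt": salt, "hash": _hash(secret, salt), "case_folded": case_folded}


def verify(record, attempt):
    """Check an attempt against a stored record, applying the same folding the
    record was enrolled with; constant-time digest comparison."""
    if record["case_folded"]:
        attempt = attempt.lower()
    return hmac.compare_digest(_hash(attempt, record["salt"]), record["hash"])


def distinct_candidates(guesses, case_folded):
    """Number of guesses an attacker actually has to submit: under case folding,
    every case variant of a word collapses into a single try."""
    return len({g.lower() if case_folded else g for g in guesses})


def bits_lost(length, mixed_alphabet=62, folded_alphabet=36):
    """Entropy (bits) a random alphanumeric password of `length` characters loses
    when upper and lower case are treated as the same: log2(62^n / 36^n)."""
    return length * math.log2(mixed_alphabet / folded_alphabet)


# Constructed wordlist: the case variants an attacker would otherwise have to try separately.
GUESSES = ["Password", "password", "PASSWORD", "PaSsWoRd", "Passw0rd", "PASSW0RD", "passw0rd"]

if __name__ == "__main__":
    folded, exact = enroll("Passw0rd", True), enroll("Passw0rd", False)
    print("case-folded verifier accepts PASSW0RD:", verify(folded, "PASSW0RD"))   # True
    print("exact verifier accepts PASSW0RD:      ", verify(exact, "PASSW0RD"))    # False
    print("distinct guesses, exact:", distinct_candidates(GUESSES, False))        # 7
    print("distinct guesses, folded:", distinct_candidates(GUESSES, True))        # 2
    print(f"bits lost for an 8-char alphanumeric password: {bits_lost(8):.1f}")   # 6.3
```

Six bits on an eight-character password is roughly a 77-fold smaller keyspace, which matters for an attacker cracking a leaked hash file offline but does little against the account takeovers described in this thread, where the whole password is captured or reset rather than guessed. The folding also has to be applied identically at enrolment and at verification, as `enroll` and `verify` do here; folding on only one side would lock out every user with a capital letter in their password.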