Find content
Not Telling
Display name history
Blizzard
From Bashiok:
Quote
We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.
If your account has been hacked, please view the previous post for information on contacting our support department.
If your account has been hacked, please view the previous post for information on contacting our support department.
http://us.battle.net...846?page=29#571
----------------------------------
Apparently, there is a wave of account hacks going around for Diablo 3. Thieves are taking control of characters, looting all equipment, and stealing all their gold. Account stealing is old news with WoW, but it appears that there is more going on than just stolen passwords. Some are saying that it may be a session ID hack or a server-side hack.
Hacked users log in to find their items looted and mysterious entries on their recently played list.
Warning! Spoiler inside.
Here are a few examples of game reporters getting hacked.
http://www.eurogamer...nd-items-stolen
http://www.examiner....diablo-3-hacked
Quote
This reporter, after having her own account with authenticator hacked, firmly believes this is a serious security breach on Blizzard’s side, though they either do not want to admit it, or are still unaware of the problem. Many who have had their account on Diablo 3 hacked were logged in at the time of the hack and support staff tells them there was no evidence of their account being hacked. That indicates there is an exploit in the system being taken advantage of.
Here's a link to a massive thread on Blizzard's website:
http://us.battle.net...49008518?page=1
People are reporting that they've been hacked even though they have an authenticator and a secure password.
People are reporting that they were hacked even though they only played single-player.
Here's some theorycraft on Session ID Theft.
http://us.battle.net...8518?page=8#156
Quote
You make a credential handshake once in the entire session. This happens at the time of login and this is what gets logged (IPs, account IDs, etc.).
At this point only session identifiers get transferred back and forth for each transaction. A transaction is whenever the state on your account changes. This could be anything from making an AH purchase to picking up some uber sword, or completing a quest, etc..
If I steal your session identifier and send that instead of mine, then I now have access to your account and I completely bypassed the need to login. This could happen in real time. It's possible Blizzard made the system spaz out when it detects multiple detections from the same account ID, so it keeps the most recent one logged in and kicks the old one.
The tools to do this might have also allowed the malicious user to change credentials on the fly. The game client assumes it's not hacked and the session is legit, so it makes the changes live.
At this point only session identifiers get transferred back and forth for each transaction. A transaction is whenever the state on your account changes. This could be anything from making an AH purchase to picking up some uber sword, or completing a quest, etc..
If I steal your session identifier and send that instead of mine, then I now have access to your account and I completely bypassed the need to login. This could happen in real time. It's possible Blizzard made the system spaz out when it detects multiple detections from the same account ID, so it keeps the most recent one logged in and kicks the old one.
The tools to do this might have also allowed the malicious user to change credentials on the fly. The game client assumes it's not hacked and the session is legit, so it makes the changes live.
NOTE: I'm not a security expert. I have not had my account hacked.
