Diablo 3 Accounts Being Hacked

IBNobody

UPDATE 2:

Blizzard

From Bashiok:


We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn't a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.

If your account has been hacked, please view the previous post for information on contacting our support department.

http://us.battle.net/d3/en/forum/topic/5149619846?page=29#571

----------------------------------

Apparently, there is a wave of account hacks going around for Diablo 3. Thieves are taking control of characters, looting all equipment, and stealing all their gold. Account stealing is old news with WoW, but it appears that there is more going on than just stolen passwords. Some are saying that it may be a session ID hack or a server-side hack.

Hacked users log in to find their items looted and mysterious entries on their recently played list.

Here are a few examples of game reporters getting hacked.

http://www.eurogamer...nd-items-stolen
http://www.examiner....diablo-3-hacked

This reporter, after having her own account with authenticator hacked, firmly believes this is a serious security breach on Blizzard’s side, though they either do not want to admit it, or are still unaware of the problem. Many who have had their account on Diablo 3 hacked were logged in at the time of the hack and support staff tells them there was no evidence of their account being hacked. That indicates there is an exploit in the system being taken advantage of.

Here's a link to a massive thread on Blizzard's website:
http://us.battle.net...49008518?page=1

People are reporting that they've been hacked even though they have an authenticator and a secure password.
People are reporting that they were hacked even though they only played single-player.

Here's some theorycraft on Session ID Theft.

http://us.battle.net...8518?page=8#156

You make a credential handshake once in the entire session. This happens at the time of login and this is what gets logged (IPs, account IDs, etc.).

At this point only session identifiers get transferred back and forth for each transaction. A transaction is whenever the state on your account changes. This could be anything from making an AH purchase to picking up some uber sword, or completing a quest, etc.

If I steal your session identifier and send that instead of mine, then I now have access to your account and I completely bypassed the need to login. This could happen in real time. It's possible Blizzard made the system spaz out when it detects multiple detections from the same account ID, so it keeps the most recent one logged in and kicks the old one.

The tools to do this might have also allowed the malicious user to change credentials on the fly. The game client assumes it's not hacked and the session is legit, so it makes the changes live.

NOTE: I'm not a security expert. I have not had my account hacked.
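
The session-identifier theory quoted in the opening post, seen from the server side, as an added example that is not part of the thread and not Blizzard's code: a session store that issues a fresh token on every transaction, ties the session to the client context recorded at login, logs every transaction, and revokes the session when a spent token or a different context shows up. `SessionStore`, the context strings and the action names are hypothetical.

```python
import secrets


class SessionStore:
    """Hypothetical server-side store; 'context' stands for whatever the
    server can observe about the client (address, TLS channel, device id)."""

    def __init__(self):
        self.live = {}    # current token -> session record
        self.spent = {}   # tokens already used once -> session record
        self.audit = []   # every transaction is logged, not only logins

    def login(self, account, context):
        sess = {"account": account, "context": context, "revoked": False}
        token = secrets.token_urlsafe(32)
        self.live[token] = sess
        self.audit.append(("login", account, context))
        return token

    def _revoke(self, sess, reason, context):
        sess["revoked"] = True
        self.live = {t: s for t, s in self.live.items() if s is not sess}
        self.audit.append((reason, sess["account"], context))

    def transact(self, token, context, action):
        """Return the next token on success, None when the request is refused."""
        if token in self.spent:              # a one-time token came back: replay
            sess = self.spent[token]
            if not sess["revoked"]:
                self._revoke(sess, "revoked-token-replay", context)
            return None
        sess = self.live.pop(token, None)
        if sess is None:
            self.audit.append(("reject-unknown-token", None, context))
            return None
        self.spent[token] = sess
        if context != sess["context"]:       # right token, wrong client
            self._revoke(sess, "revoked-context-mismatch", context)
            return None
        nxt = secrets.token_urlsafe(32)
        self.live[nxt] = sess
        self.audit.append((action, sess["account"], context))
        return nxt


def demo():
    # Constructed scenario: "A" is the player's client, "B" replays a captured token.
    store = SessionStore()
    t0 = store.login("player1", "A")
    t1 = store.transact(t0, "A", "pick-up-item")
    replayed = store.transact(t0, "B", "sell-item")     # spent token: session revoked
    after = store.transact(t1, "A", "complete-quest")   # player must log in again
    return t1 is not None, replayed, after, [e[0] for e in store.audit]
```

The audit list is the part the quoted theory says was missing: each state change carries the client context, so a takeover shows up in the log instead of only the original login.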
 

purplesludge

All the stolen stuff doesn't even need to be sold by a third party. Why didn't Blizzard anticipate this when they decided to have the real money auction house?
 

Rasas

It isn't that funny but with all the stuff they did to Starcraft 2 and Diablo 3 they had it coming.
They shouldn't charge for an authenticator that offers little to no defense but Blizzard has been going on a downward spiral ever since merging with Activision. The DRM preventing single player was a bad idea decreasing sales. We all know hackers will hack it eventually so why hinder your own sales. Also blaming the consumer when you send a ticket when your WoW and Diablo 3 account gets hacked when it probably is a problem with their security is complete BS. Ya, some computers aren't fairly secure but just like MS and Sony they pretty much shift all the blame to you when it might be a security hole on their side when your computer is secure.


All the stolen stuff doesn't even need to be sold by a third party. Why didn't Blizzard anticipate this when they decided to have the real money auction house?
They probably didn't think the numbers would be too high. I'm pretty sure every online service company takes into mind some accounts being hacked.
 

ferofax

but then again there is such a thing as "acceptable losses". chances are, these players will just have to start over and forget about all those hacked items. i mean, really, relying on session IDs alone?

even I who's not well versed on hacking have a faint idea on how to go about doing it, and I might even succeed with the attempt. I didn't expect things to be this lousy, just because it's a DRM.
 

IBNobody

All the stolen stuff doesn't even need to be sold by a third party. Why didn't Blizzard anticipate this when they decided to have the real money auction house?

They did... But in a poor way.

Note: After the first compromise restoration occurs on a Battle.net account, that account's access to the Diablo III Real Money Auction House will be restricted until an authenticator is attached. If the account is compromised a second time, access to the Diablo III Real Money Auction House will be permanently revoked.

Basically, if you get hacked, you get punished.
 

Sora de Eclaune

This is why I'm going to wait until there's an exploit to make it possible to play the game offline. I didn't play the first two online, and I didn't have to be constantly connected to the internet to play, so why does this game have to be the odd one out?
 

Satangel

This is why I'm going to wait until there's an exploit to make it possible to play the game offline. I didn't play the first two online, and I didn't have to be constantly connected to the internet to play, so why does this game have to be the odd one out?
DRM + cloud syncing + other things. Cloud syncing is really something useful IMHO, DRM is just BS.
 

Seaking

this is funny because

1. it seems saves are NOT on your local machine, correct? so that would mean it's in the Blizzard "cloud" on D3 servers
This is why I'm going to wait until there's an exploit to make it possible to play the game offline. I didn't play the first two online, and I didn't have to be constantly connected to the internet to play, so why does this game have to be the odd one out?

There won't be an "exploit". You'll have to wait until custom servers can get made, if that's ever possible. Everything, right now, is stored serverside, nothing on clientside.


2. what IBNobody pointed out
All the stolen stuff doesn't even need to be sold by a third party. Why didn't Blizzard anticipate this when they decided to have the real money auction house?

They did... But in a poor way.

Note: After the first compromise restoration occurs on a Battle.net account, that account's access to the Diablo III Real Money Auction House will be restricted until an authenticator is attached. If the account is compromised a second time, access to the Diablo III Real Money Auction House will be permanently revoked.

Basically, if you get hacked, you get punished.

it's been less than a month and hackers have already found a hole in the security.

being Blizzard, i was hoping this would not happen.
 

GreatZimkogway

This is why I'm going to wait until there's an exploit to make it possible to play the game offline. I didn't play the first two online, and I didn't have to be constantly connected to the internet to play, so why does this game have to be the odd one out?

There won't be an "exploit". You'll have to wait until custom servers can get made, if that's ever possible. Everything, right now, is stored serverside, nothing on clientside.
 

IBNobody

This is why I'm going to wait until there's an exploit to make it possible to play the game offline. I didn't play the first two online, and I didn't have to be constantly connected to the internet to play, so why does this game have to be the odd one out?

There won't be an "exploit". You'll have to wait until custom servers can get made, if that's ever possible. Everything, right now, is stored serverside, nothing on clientside.

This is true. You can get lag spikes, even on single player. My ping is ~300-500 at times, and I see rubber-banding. There will need to be custom servers set up.


------------------------------------

EDIT: I just updated the OP to indicate Blizzard's initial response.
 

xdmario1

I fail to see why Blizzard isn't getting hell for this. I may not play Diablo III, but I do know that if this were to happen with any console, Nintendo/Microsoft/Sony would be taking it up the ass for this. Why should a computer be any different?
 

Covarr

I fail to see why Blizzard isn't getting hell for this. I may not play Diablo III, but I do know that if this were to happen with any console, Nintendo/Microsoft/Sony would be taking it up the ass for this. Why should a computer be any different?
Because Blizzard is the second coming of Christ or something. People will put up with the excessive and intrusive DRM, the horribly broken launch that prevents paying customers from playing, and the accounts being hacked en masse less than a week after release, because in the eyes of the average Blizzard customer, they can do no wrong.

Seriously though, why is it that if EA sneezes the wrong way people throw a hissyfit, but if Blizzard has a whole week of problems nobody minds? I simply don't get it.
 

TwinRetro

I fail to see why Blizzard isn't getting hell for this. I may not play Diablo III, but I do know that if this were to happen with any console, Nintendo/Microsoft/Sony would be taking it up the ass for this. Why should a computer be any different?
Because Blizzard is the second coming of Christ or something. People will put up with the excessive and intrusive DRM, the horribly broken launch that prevents paying customers from playing, and the accounts being hacked en masse less than a week after release, because in the eyes of the average Blizzard customer, they can do no wrong.

Seriously though, why is it that if EA sneezes the wrong way people throw a hissyfit, but if Blizzard has a whole week of problems nobody minds? I simply don't get it.

Have you been living under a rock for the last week and a half? Nobody minds? Error 37 is now a meme. Thousands if not MILLIONS of people have been bitching and complaining (rightfully so) about the abysmal launch that Diablo III had. Why don't you check the archive of any gaming news site and you'll see how "nobody minds".

Nobody has been making a big deal on here because, frankly, Diablo III isn't targeting the average 'Temper.
 

Wabsta

A friend of a friend got hacked, sucked.
The whole forum and subreddit of diablo are full of people complaining about it.. I've seen people reporting websites (diablowiki apparently had a virus warning, and people who went on there have been hacked, for example)..
I've not been hacked myself yet. Not that I would REALLY mind, I'm not that far into the game yet.
 