Forum adverts like this one are shown to any user who is not logged in. Join us by filling out a tiny 3 field form and you will get your own, free, dakka user account which gives a good range of benefits to you: No adverts like this in the forums anymore. Times and dates in your local timezone. Full tracking of what you have read so you can skip to your first unread post, easily see what has changed since you last logged in, and easily see what is new at a glance. Email notifications for threads you want to watch closely. Being a part of the oldest wargaming community on the net. If you are already a member then feel free to login now.

Has anyone else gotten their account hacked? This is the second time it has happened, and quite frankly think Blizzard is doing a rather crappy job with account security. Not to mention their customer support is ridiculously bad.

No...
Then again i wouldn't notice if it was hacked...
I think i gave it to my brother who started levelling some of my old characters purely 'cos he got bored...

Have you got an authenticator?

Avatar 720 wrote:Have you got an authenticator?

I had one at one point, but I forgot what happened to it. All I know is I lost it, and than canceled it so I could play Starcraft 2.

Sad to hear it bombboy, although I have two queries.

1. do you have an authenticator?

2. are you using your main email as you login name? By main email I mean the one you use here, possibly other forums, facebook etc.

If you awnsered no and yes, I suggest you rectify both as soon as you get your account back. Having the authenticator makes it nigh impossible for you to get hacked, someone tried mine and all I had to do was relog into battlenet and restart my account as they had failed the authenticator password too many times.

I then figured the only way they could have figured out my username was via my email. When we had unique usernames I never had any trouble as I never mentioned it anywhere. So I created a unique hotmail account I only use for WoW, and never had another issue since in nearly three years.

My main email however, often gets phising emails for my WoW account. The unique hotmail one that has no internet footprint has never had one.

bombboy1252 wrote:Has anyone else gotten their account hacked? This is the second time it has happened, and quite frankly think Blizzard is doing a rather crappy job with account security. Not to mention their customer support is ridiculously bad.

Trust me, if you have ever tried other MMO's out there it makes Blizzards CS seem amazing.

A proud WoW player 7 years and still going

Tips for not getting hacked from WoW....

1) Dont visit illegal sites

2) Dont DL illegal hacks ( or they HACK YOU )

3) Dont click random FAKE blizzard emails asking for your account and password ( they told you over and over again, actual employees will never ask for those )

Chances of hacker actually hacked Blizzard to get your info? 0.00000000001% , chances of you getting yourself hacked 99.99999999999999%

Got my account hacked twice. 1st time I didn't really care as I wasn't planning on going back (obviously I did anyway), and when I did, I had all my gear plus it was being used to ore farm, so I had a crap ton of gold and ore to sell. 2nd time, I didn't lose much as I noticed almost right away. Both times I had it back within 48 hours of me reporting, that's pretty good all things considered.

After the 2nd, I just got an authenticator. If you've got an Android or iOS phone, it's free, and probably won't get lost.

EDIT:

I did none of those 3 things. Viruses and keyloggers happen. Especially if you use a 3rd party mod of any kind, which I think everyone who plays WoW does.

LunaHound wrote:Tips for not getting hacked from WoW....

1) Dont visit illegal sites

2) Dont DL illegal hacks ( or they HACK YOU )

3) Dont click random FAKE blizzard emails asking for your account and password ( they told you over and over again, actual employees will never ask for those )

Chances of hacker actually hacked Blizzard to get your info? 0.00000000001% , chances of you getting yourself hacked 99.99999999999999%

I didn't do any of those things.


Automatically Appended Next Post:

Morathi's Darkest Sin wrote:Sad to hear it bombboy, although I have two queries.

1. do you have an authenticator?

2. are you using your main email as you login name? By main email I mean the one you use here, possibly other forums, facebook etc.

If you awnsered no and yes, I suggest you rectify both as soon as you get your account back. Having the authenticator makes it nigh impossible for you to get hacked, someone tried mine and all I had to do was relog into battlenet and restart my account as they had failed the authenticator password too many times.

I then figured the only way they could have figured out my username was via my email. When we had unique usernames I never had any trouble as I never mentioned it anywhere. So I created a unique hotmail account I only use for WoW, and never had another issue since in nearly three years.

My main email however, often gets phising emails for my WoW account. The unique hotmail one that has no internet footprint has never had one.

So if I change my email to my second email address, I have less of a chance of being hacked?

I've been hacked twice. Once in vanilla once in WOTLK. I've never given out my password and got an authenticator right when they offered them.

Heard some nasty rumors it was done internally from blizzard... course that is just rumors, but makes you wonder how can somebody get into your account when you have an authenticator. Happened to our guild leader as well and he has an authenticator and our guild bank was cleaned out.

Authenticators aren't flawless, no security system is, but saying Blizzard did it themselves is a ludicrous statement.

If you want flawless security, you're going to be waiting a hell of a long time, since right now the security industry spends its time one step behind hackers. The anti-virus software you have was only able to reach the levels of protection it is at because a hacker managed to breach it and reveal an otherwise unknown flaw.

If your authenticator is bypassed once by a single hacker out of several thousand, if not more, then surely that's a world better than an unprotected account being compromised on a regular basis by multiple hackers.

I actually got hacked once shortly after BC came out.

I didn't even notice for a week since I had all but stopped playing then.

Got the account back, had a net gain of like 50g (terrible, terrible gold farmer), a new pair of pants, but the piece of crap sold or deleted my Zandalarian Hero Charm.


Last time I came back to the game I made sure to get an Authenticator.

Moral of the story: Get an Authenticator. Lost your Authenticator? Remove it and get another, I guess.

EDIT: I have a very dim view of ActiBlizz, but I am dubious of any claims that the account hijackings are an intentional inside job.

Okay, I got an authenticator, got my characters and items back, and now I'm trying to change my Email, but it won't let me for some weird reason.

Accounts do not hack themselves, and neither would Blizzard profit in any way - in fact, I'm fairly sure that the recovery of compromised accounts occupies a huge deal of their customer support resources.

Now, you got your stuff back, and you got an authenticator - the latter should decrease your chances of this ever happening again by a lot. However, I'd still suggest locating the security leak on your machine. This doesn't only concern your WoW account, after all - if it was some trojan, people could just as easily steal whatever other information you store on your PC, from credit card data to online banking logins.

I noticed the US CS forum doesn't have a proper guide, but maybe this will help: http://eu.battle.net/wow/en/forum/topic/2226268467

PS: Never got hacked even once. I did get a few phishing mails, but only half a dozen over the course of several years. Even more funny: those mails all landed on an e-mail-account that I have never used as a Battle.net login (this address never received spam since I used it only for WoW). I also got phishing mail for Aion without ever having played it.

Lynata wrote:Accounts do not hack themselves, and neither would Blizzard profit in any way - in fact, I'm fairly sure that the recovery of compromised accounts occupies a huge deal of their customer support resources.

Now, you got your stuff back, and you got an authenticator - the latter should decrease your chances of this ever happening again by a lot. However, I'd still suggest locating the security leak on your machine. This doesn't only concern your WoW account, after all - if it was some trojan, people could just as easily steal whatever other information you store on your PC, from credit card data to online banking logins.

I noticed the US CS forum doesn't have a proper guide, but maybe this will help: http://eu.battle.net/wow/en/forum/topic/2226268467

PS: Never got hacked even once. I did get a few phishing mails, but only half a dozen over the course of several years. Even more funny: those mails all landed on an e-mail-account that I have never used as a Battle.net login (this address never received spam since I used it only for WoW). I also got phishing mail for Aion without ever having played it.

I just got this new computer about a week ago, theirs no security leak

Actually, Blizzard has a major security issue that they are in denial about.

I opened their launcher, opened their web site from there, logged in, was offered some free time (7 days) took the offer. After the 7 days, within 48 hours, my account got hacked and banned for gold farming. This is the second time this has happened under EXACTLY the same circumstances.
Had my system sanitised both times... with no keyloggers, no trojans, no other nasty files found either time.
The person(s) knew exactly when my account was no longer active. Information they did not get from my end.
The only other way anyone could have gotten that information is through Blizzard.

So either their launcher is compromised, their website is or some-one at Blizzard is selling the info.

Yes, changing the email isn't too hard. There is a function for it in battlenet, as that can and does happen on occasion. (Changing email I mean.)

If you change your email to one totally unique, either a hotmail or yahoo will work fine, and have a authenticator, then I doubt you will have a problem again.

After following various info on this, you'll be surprised to what length some of these goldsellers will go to try and track down WoW account info.
Doing a WoW search on facebook for example takes no time at all and will throw up pretty much anyone who has WoW mentioned on their profile, and if your email is not hidden, there is a likely chance you use the same one to log into WoW.
Same if you use popular WoW forums such as guildlaunch.

Alright, I got my Email changed put on an authenticator, and changed passwords. I just need them to unban my account.

bombboy1252 wrote:
I just got this new computer about a week ago, theirs no security leak

just denying every possible problem as it comes up is moronic, obviously you are either wrong, are wrong, or are lying.

1. dont use your wow password for anything else (email, forums, ect.)
2. dont use your battlenet email address for anything else, make a throwaway gmail account and link it to your main one.
3. authenticators are useful but if someone is /really/ trying to hack your account they are fixable
4. dont use your "secret question" as anything someone could facebook off of you by using your email that you use for other things to look you up, as above
5. actually getting tagged by a keylogger is rare, but newer ones inject code right into explorer.exe, once you get one (ever) there's virtually no way of getting rid of it besides reinstalling.

I agree everything should have a separate password, not from the dictionary either. The more complex the better provided you have some sort of way to remember it.

Just as an example:
o10D0e0WH

Might be a bit short but I'd remember it as 1000 ODE, the ODE being my army name Ordo Divinus Ensis. The trick is to make something simple seem complex, then have a mental exercise to make sure you don't forget it.

But, there needs to also be a trade off, a password doesn't need to be as complex as that and I'd use something as the above for more secure things and ease back on it a little for day to day use. The point is to avoid normal words that could be found in a dictionary.

I have all my passwords in a little red book under my desk. I make all of them unique as there aren't enough memory tricks out there which would help me remember around eighty passwords.

I also figure, I'd have bigger things to worry about if someone managed to take it from me to use it.

Morathi's Darkest Sin wrote:I have all my passwords in a little red book under my desk. I make all of them unique as there aren't enough memory tricks out there which would help me remember around eighty passwords.

I also figure, I'd have bigger things to worry about if someone managed to take it from me to use it.

Ugh. This makes me cry. Get a password vault on your computer if you have multiple passwords you can't remember. Back up those passwords in an encrypted file somewhere. Don't write them down. :(

@OP: I second and third and fourth what everyone has said. There aren't hackers who sit around and actively hack your account. You have to do something to let it happen. Either your e-mail/password is out on the web and gets found that way (Allakhazam got hacked a couple years back and that was a big source right there) or you do something dumb and give it straight to them.

Either way, get a flipping authenticator. It drives the chance of account compromise through the floor.

Inside jokes also make wonderful security questions. Especially perversions of pop culture references or internet memes.

For instance-
Q- Luke, use the
A- pants

Simple to remember if you went through a regrettable phase in high school where you and your buddies modified Star Wars quotes with pants. Impossible to crack if you didn't.

helgrenze wrote:So either their launcher is compromised, their website is or some-one at Blizzard is selling the info.

OR... Simpler answer... You were previously compromised (as you have already indicated) and they just monitored armory data for when your account went back live. It is unlikely that there is a vast Blizzard WOW conspiracy.

Hacking, in reference to MMOs, rarely actually involves hacking. It involves social engineering and people doing things that expose them to risk. I love it when someone tells me that 'their facebook/wow/computer got hacked'. That almost never happens.
No hacker is going to sit down and say 'Today, I'm going to compromise Bob Smith's stupid 5 year old desktop today.'
They do say 'I'm going to put this trojan out there and see how many people are dumb enough to trigger it.'


Automatically Appended Next Post:

Gitzbitah wrote:Inside jokes also make wonderful security questions. Especially perversions of pop culture references or internet memes.

Agreed! Someone can find out your dog's name, mother's maiden, etc, but your weird inside joke? Not likely.

I also approve of passphrases. Many programs allow really long passwords. These can be pretty tough to guess compared to a typical 8 character password.
Example passphrase: Heresy brings only death.
Easy for you to remember but rather difficult to crack. Length is more important than complexity when it comes to passwords.

As long as it is not as simple as that it works. Doesn't matter how difficult it seems to guess if they use a dictionary attack.

n0t_u wrote:As long as it is not as simple as that it works. Doesn't matter how difficult it seems to guess if they use a dictionary attack.

Even if it is as simple as that, a dictionary is not going to guess 'Heresy brings only death.' as that's not a dictionary word. Brute force and dictionary attacks use common passwords and/or combinations of letters to get your password. That's a 25 letter/space/punctuation passphase, chance of brute force picking that up is pretty low. Much lower than the old p4$$w0rd kind of password.

Thanks to Xkcd, awesome comic if you haven't read it.

pretre wrote:
Ugh. This makes me cry. Get a password vault on your computer if you have multiple passwords you can't remember. Back up those passwords in an encrypted file somewhere. Don't write them down. :(

Don't see the issue, the book is not in the open, if someone managed to break in here (in a place with a handful of burglaries in the past ten years, all of which have been open back door oppertunist style) and then somehow luck the book, and then happened to be someone wanting to pull some internet crime on the side of their burglary action, then I seriously have more to worry about.


@Shrike325,

Ah nice, so my random reasoning to use two of three full words and mix in some numbers and capitals as extras etc probably was a good one, and might it explain why I've not see many hack attempts.

That cartoon makes a fair amount of sense but it should be mentioned that hardly anyone tries to brute force a password these days. All the clever hacks are done via keyloggers or social engineering. Any system worth its salt will lock an account out after a few incorrect password attempts, hence why brute force doesn't really work any more.

filbert wrote:That cartoon makes a fair amount of sense but it should be mentioned that hardly anyone tries to brute force a password these days. All the clever hacks are done via keyloggers or social engineering. Any system worth its salt will lock an account out after a few incorrect password attempts, hence why brute force doesn't really work any more.

Except, as the comic mentions, when a system is compromised and you're trying to get individual passwords out of a password file. Ex: Dakka gets 'hacked' and the password file / user database is exposed. Chances are that that file has encrypted/hashed passwords with plaintext usernames or some variant of that. Getting at those individual passwords can require brute force.


Automatically Appended Next Post:
Although a lot of passwd files use hashes, which are a horse of a different color.