Blizzard Responds to Diablo 3 Account Hacks

On Tuesday Diablo 3 community manager Bashiok hit the forums and responded to numerous complaints about the loss of gold and items due to account hacking. In short, Blizzard is blaming the problem on passwords that aren't backed up by an official authenticator.

"We've been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring," Bashiok writes. "Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password."

But Bashiok also verifies that the authenticator isn't a 100-percent guarantee of account security. "We have yet to investigate a compromise report in which an authenticator was attached beforehand," he adds. "If your account has been hacked, please view the previous post for information on contacting our support department."

As pointed out on Monday, Diablo 3 players are reporting hacks on both sides of the authenticator fence. Some have even watched the hacking take place in real time, taking screenshots as it happened. Even Examiner journalist Tara Swadley saw her gold and character items drained after using an authenticator.

"This reporter, after having her own account with authenticator hacked, firmly believes this is a serious security breach on Blizzard’s side, though they either do not want to admit it, or are still unaware of the problem," she writes. As hinted at on Monday, there's speculation that this flood of hacking is just a prelude to what's to come once Blizzard launches the real-money auction house next week.

In addition to Bashiok's forum post, another lengthy statement was issued around midnight EST. Blizzard says it isn't uncommon to see increased reports of hacking when a new game or expansion pack is released. Users are encouraged to check out the company's new SMS Protect, which lets customers use text messages from their mobile phone to modify their account.

"Historically, the release of a new game -- such as a World of Warcraft® expansion -- will result in an increase in reports of individual account compromises, and that's exactly what we're seeing now with Diablo 3," Blizzard states. "We know how frustrating it can be to become the victim of account theft, and as always, we're dedicated to doing everything we can to help our players keep their accounts safe -- and we appreciate everyone who's doing their part to help protect their accounts as well."

"We also wanted to reassure you that the Authenticator and Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them," Blizzard adds.

Currently one hacking theory suggests that an exploit allows for session hijacking. "You will lose connection to the game," reports Frobozz as he describes what will happen when the account is hijacked. "This can result in just the 'Lost connection to server' error message or no message at all."

"A good sign that the connection loss is a hijack attempt and not just a server error is if you are also having trouble surfing the web (i.e. slow connections, or can't load pages)," he continues. "People are reporting that their IP is getting DDOSed to prevent them from relogging into Diablo 3 and thus getting a new session and stopping the attack."

Comment from the forums
  • l1nks
    That picture looks exactly like someone I know lol
  • contrasia
    "Despite the claims and theories being made, we have yet to find any situations in which a person's account was not compromised through traditional means of someone else logging into their account through the use of their password."

    Maybe the password is automatically resent when the person reconnects, if this is the case then perhaps the hijacker is taking advantage of that fact by making it look like they're the user reconnecting, so regardless if they have the password or not they gain access and the logs will state the password was used.

    I've been disconnected before, and I never had to type my password in to reconnect. I simply clicked a button and it reconnected everything. I was hosting the game, but the game acted like I never DC'd, no msg as I entered and my friends were already there. I use a 100Mbit line so it'd be hard to DoS my connection.

    Obviously the system is flawed, especially since someone using the authenticator still got hacked. Instead of saying you can't figure it out and saying they're using our passwords, maybe you should look into how you're analysing the data, how reconnects or disconnects are done, or even what happens when another person attempts to login at the same time. Maybe you should automatically have these flagged, so the instant it occurs the person logging in at the same time gets kicked instantly as well.

    In fact why don't you just do what Steam does. If a person logs in with a different MAC address or IP address, make them type a code in that was sent to their email address to verify it was them. MAC address is preferable, since then it'd be each new machine, but these days I don't suppose a person's IP changes that often too, so that could work as well.
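As an added illustration, and not code from Blizzard, Battle.net or anyone quoted in this article, the following sketch implements the two controls contrasia proposes above (verify a login from an unrecognised origin with a code sent out of band, and kick every session when two logins from different origins overlap) together with the reconnect case raised earlier in the thread, where a reconnect is only honoured from the origin the session was issued to. The "origin" string (standing in for an IP address or device fingerprint), the account names and the mailbox dictionary are constructed for the demo.

```python
# Added example (not Blizzard's or Battle.net's code): a minimal account-session
# policy that (a) requires an out-of-band code the first time a login arrives
# from an unrecognised origin, (b) rejects a reconnect whose origin differs from
# the one the session was issued to, and (c) tears down every session when two
# logins from different origins overlap. "Origin" is an assumed client
# identifier such as an IP address or device fingerprint.
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    token: str
    account: str
    origin: str


class AccountGuard:
    def __init__(self, deliver):
        # deliver(account, code) sends the code over a side channel such as
        # email or SMS; for this demo it is any callable.
        self.deliver = deliver
        self.trusted = {}    # account -> set of verified origins
        self.pending = {}    # account -> (origin, code) awaiting verification
        self.sessions = {}   # token -> Session
        self.events = []     # audit log of security-relevant decisions

    def _revoke_all(self, account, reason):
        for tok in [t for t, s in self.sessions.items() if s.account == account]:
            del self.sessions[tok]
        self.events.append((account, reason))

    def login(self, account, password_ok, origin, code=None):
        """Return ('ok', token), ('verify', None) or ('denied', reason)."""
        if not password_ok:
            return ("denied", "bad password")
        trusted = self.trusted.setdefault(account, set())
        if origin not in trusted:
            pending = self.pending.get(account)
            if (pending and pending[0] == origin and code is not None
                    and hmac.compare_digest(pending[1], code)):
                trusted.add(origin)          # origin verified once, then remembered
                del self.pending[account]
            else:
                new_code = secrets.token_hex(3)
                self.pending[account] = (origin, new_code)
                self.deliver(account, new_code)
                return ("verify", None)      # password alone is not enough here
        # Overlapping login from a different origin: kick both sides and log it.
        if any(s.account == account and s.origin != origin
               for s in self.sessions.values()):
            self._revoke_all(account, f"overlapping logins from different origins ({origin})")
            return ("denied", "overlapping login detected; all sessions revoked")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = Session(token, account, origin)
        return ("ok", token)

    def reconnect(self, token, origin):
        """A reconnect must come from the origin the session was issued to."""
        s = self.sessions.get(token)
        if s is None:
            return ("denied", "unknown or revoked session")
        if s.origin != origin:
            self._revoke_all(s.account, f"reconnect for {s.origin} session from {origin}")
            return ("denied", "origin mismatch; all sessions revoked")
        return ("ok", token)


def demo():
    """Walk through the scenario from the article; returns the outcomes."""
    mailbox = {}  # constructed stand-in for the player's email inbox
    guard = AccountGuard(deliver=lambda acct, code: mailbox.__setitem__(acct, code))
    # 1. First login from the player's own PC: a code goes to the mailbox.
    first = guard.login("player", True, "home-pc")
    # 2. Player enters the code: the origin becomes trusted and a session is issued.
    ok, token = guard.login("player", True, "home-pc", code=mailbox["player"])
    # 3. Someone holding the stolen password logs in from elsewhere: held pending
    #    a code they do not have (and the player sees an unexpected code arrive).
    stolen = guard.login("player", True, "elsewhere")
    # 4. The same party replays the player's session token from elsewhere:
    #    rejected, and every session for the account is torn down.
    replay = guard.reconnect(token, "elsewhere")
    return first[0], ok, stolen[0], replay[0], len(guard.sessions), len(guard.events)
```

Running `demo()` yields `('verify', 'ok', 'verify', 'denied', 0, 1)`: the stolen password alone never produces a usable session, and the mismatched reconnect leaves an audit event behind for the support team to act on. A production service would additionally bind the code to a short expiry and rate-limit verification attempts.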