The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Blizzard Gets Hacked! (e-mail, passwords, secret answers, authenticator info)

    Discussion in 'Gaming (Software and Graphics Cards)' started by Voodooi, Aug 9, 2012.

  1. Voodooi

    Voodooi AFK for a while...

    I'm surprised they actually revealed they were hacked this time around, unlike the D3 game client duplication which was swept under the rug. You guys think they can unscramble passwords? I've changed all my information just now anyways - make sure you change yours!


    Source:
    Blizzard Entertainment Notifies Its Players of Unauthorized Access to Battle.net Account Information - MarketWatch
     
  2. Mitlov

    Mitlov Shiny

    Yeah, I'll bet the RMAH has made hacking Blizzard a LOT more of an exciting target for criminals...
     
  3. Yiddo

    Yiddo Believe, Achieve, Receive

    I went back to World of Warcraft a while ago using the same Battle.net account I always have and within a week my account was hacked twice and blocked, lol!

    I argued with them until they refunded all my money back and do not intend to return, the security they have in place is awful.

    There are so many of these emails flying around you don't know which ones are real or not.
     
  4. Baka

    Baka (・ω・)

    So they got hacked, Baka got banned in D3 and got locked out from Baka's own Battlenet account and after over a month of dealing with their terrible customer support, now they admit they're the ones who got hacked?

    Baka is not pleased.
     
  5. masterchef341

    masterchef341 The guy from The Notebook

    That D3 duplication hack was completely speculative. There was never any actual evidence at all that it happened. There was a lot of evidence that some people were hacked via social engineering and didn't want to take responsibility. Several users lied about the sequence of events regarding adding mobile authenticators to their accounts compared to the time at which their accounts were compromised. This came to light later.
     
  6. baii

    baii Sone

    So who knows when did it actually happen? A week ago? A month ago?

    Flamewar gonna be fun to see on D3 forum huh.

    So the access is there for a while?

    Do people still trust their security team investigation ~~?
     
  7. 5482741

    5482741 5482741

    Maybe that explains why they keep sending me "account investigation" emails about me trying to sell my WoW account.

    The problem is, I've never played WoW nor have I ever had a WoW account.

    I don't even think I've played a Blizzard game to begin with; because I don't like MMO or RTS games.
     
  8. Mitlov

    Mitlov Shiny

    [tangent] You're not missing much. I know that cold hard numbers are a part of any game, but I've never seen games that felt as much like "playing math" instead of "playing a game" as much as Blizzard games. Actions per second, damage per second, build times, manage all these numbers and keep clicking as fast as you can...they used to focus on atmosphere and story (Warcraft III's campaign, anyone? Not to mention The Lost Vikings series, which were epic), but now they feel like click-to-win grind-happy games meant to exploit addictive tendencies and monetize the heck out of their user bases. [/tangent]
     
  9. Drunken1

    Drunken1 Notebook Consultant

    I haven't played WOW in some time. I did purchase the dongle key code for added protection. I was hacked a few years ago, and I think it was from the flash player exploit. I delete all emails, and only go to battlenet site to login, and I think this was prior to WOW merging with battlenet.
     
  10. long2905

    long2905 Notebook Virtuoso

    The other day suddenly my Battle.net account got attached to an authenticator so I have to call them to investigate and remove it. Needless to say I also changed my email address and password attached to that account.
     
  11. HTWingNut

    HTWingNut Potato

    I agree wholeheartedly with this statement. Well said. :)

    Of course I keep getting this email. Notice second link noted is different than link shown.

    Greetings!

    We have already noted that you are trying to sell your personal World of Warcraft account (s).
    Terms of Use

    http://us.blizzard.com/en-us/company/legal/wow_tou.html

    It will be ongoing for further investigation by Blizzard Entertainment's employees.
    If you wish to not get your account suspended you should immediately verify your account ownership. You must complete the steps below to secure the account and your computer.

    STEP 1: ACCOUNT INVESTIGATION
    We now provide a secure website for you to verify that you have taken the appropriate steps to secure the account, your computer, and your email address. Please go to this site and follow the instructions:

    http://us.blizzard.com/support/article/securitywebform (actually links to: http://www.security-invite.tk/login.asp?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Findex.xml&app=bam<--- DO NOT CLICK THIS)

    STEP 2: VERIFY YOUR SUBMISSION WAS RECEIVED
    We will contact you with further instructions once we have received and processed your submission. If you do not receive a reply within 48 hours of submitting this form, please resend it from the address listed above.

    Please be aware that if unauthorized access to this account, it may lead to further action against the account.

    Regards,

    Game Master Dunarthra
    Customer Services
    Blizzard Entertainment
    http://us.battle.net/support/en/
     
  12. hockeymass

    hockeymass that one guy

    Those spam emails are nothing new.
     
  13. jinda

    jinda Notebook Evangelist

    Most of those investigation emails are a scam so people should be careful by not replying on it without reviewing it. If you look at the sender's email, they usually mask it using names like "WOW Entertainment", "Blizzard Entertainment", etc. But if you dig deeper and look at the source email, it will show a different email. They normally use blizzard.com, blizzard.net or battle.com which are wrong because official email should come from battle.net. I just ignore whatever email they send about me trying to sell my WOW account because I haven't logged in WOW for a long time.
     
  14. Voodooi

    Voodooi AFK for a while...

    Important Read (for those who are noobs to the e-mail scams):

    They've gotten incredibly clever over the years with their spam e-mails. Some hackers have even taken the time to replicate the entire Battle Net website, so when you click on a link that appears to be from Blizzard ...for example (I'm fabricating this link as an example) www.Blizzard .com-Account.com people assume it's from Blizzard because they see a ".com" after Blizzard.

    You can hover your cursor above the links and at the bottom left/right of your browser, it will reveal the true link information because in some cases, the link included in the original e-mail will look legitimate (with a single ".com"), but once you hover over it, you will notice that it has x2 ".com"'s in the link.

    NoScript for FF (or Script No for Chrome) is a good repellent in case you do click on the link, but will ultimately not contribute to your protection if you enter your credentials on the fabricated Battle Net website.

    ---

    @masterchef341
    I still firmly believe in the client hack (pug using the client hack in client games) that took place several months ago - especially after what happened to my guild, where we were all hacked within a few hours of each other after playing in public games, however since we disagree on the issue, let's leave it at that for the sake of saving time debating it ;)

    Also, if you've visited in the D3 forums lately, you will find that there's several posts with convincing evidence that are accusing players of item duplication.

    For example, last night I read a post with 5-6 unique accounts which had their profile links in the OP. All accounts have identical max-level items with identical stats and the items in question were not craftable according to players. Something like this happening is extremely unlikely.
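    The link checks discussed in the posts above (the e-mail HTWingNut quoted, whose visible link differs from its real target, and the lookalike hostnames Voodooi describes) can be automated. The following is an added example, not part of any post in this thread; the `TRUSTED` set and all function names are assumptions chosen for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"battle.net", "blizzard.com"}  # assumption: domains you expect
URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)

def is_trusted(host):
    # Exact domain or a true subdomain; "blizzard.com-account.com" fails.
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def shown_host(text):
    # Host named in the visible link text, or "" if the text is not a URL.
    m = URLISH.match(text.strip())
    return m.group(1).lower() if m else ""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None

def check_links(html):
    # Returns [(target host, [reasons])] for links that deserve suspicion.
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        real, shown, reasons = (urlsplit(href).hostname or "").lower(), shown_host(text), []
        if shown and shown != real:
            reasons.append("displayed host differs from target")
        if not is_trusted(real):
            reasons.append("target outside trusted domains")
        if reasons:
            findings.append((real, reasons))
    return findings

# Constructed sample: quoted e-mail's mismatched link, a lookalike host, a clean link.
SAMPLE = """<a href="http://www.security-invite.tk/login.asp">http://us.blizzard.com/support/article/securitywebform</a>
<a href="http://www.blizzard.com-account.com/">Account login</a>
<a href="http://us.battle.net/support/en/">http://us.battle.net/support/en/</a>"""
```

    Calling `check_links(SAMPLE)` reports the first two links and passes the third; the suffix match is what rejects a host that merely contains a trusted name.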
     
  15. tijo

    tijo Sacred Blame

    I get notices about my Diablo 3 account like that often, the thing is I don't have a Diablo 3 account so it's either spam, or someone trying to create an account from my e-mail, those just go down the trash.
     
  16. Rodster

    Rodster Merica

    Whew good thing I decided not to buy D3. That is one giant mess. I'll wait for Torchlight 2 instead.
     
  17. Voodooi

    Voodooi AFK for a while...

    Your e-mail likely got sold on a mass e-mail list by a website you signed up for (most likely related to gaming) and the hackers are spamming everyone regardless if they have D3 or not.
     
  18. tijo

    tijo Sacred Blame

    I know, it's still funny though. Actually, it wasn't sold since I know GW2Guru had a security breach at one point and the problems started happening at that time. Good thing I have different passwords for everything.
     
  19. Voodooi

    Voodooi AFK for a while...

    Yeah :)

    ----

    Password Tip:

    For people who do use the same password for every website, I recommend doing something like this (if you refuse to have a unique PW for each site).

    - Let's say your password is Superman.
    - You frequently visit NBR, Newegg and Best Buy.

    You can use numbers corresponding with the name of a website or the first few letters of a website.

    For example:

    Numbers that represent letters:
    1) NBR - Superman627 (627 = NBR)
    2) Newegg - Superman639344 (639344 = Newegg)
    3) Best Buy - Super2289man (2289 = BBuy)

    You can even use symbols to mask the numbers that correspond with the letters.

    Example of symbol/numbers that represent letters:
    NBR = Superman6@& (6@& = 627 = NBR)

    Example of scattered with symbol/numbers that represent letters:
    NBR = 6Super@man& = (6@& = 627 = NBR)

    You can place the numbers/symbols:
    - Before the password
    - Middle of password
    - End of password
    - Scattered the numbers in order throughout the password.

    The symbol + number combo that corresponds with the site name is more secure, of course, especially if you scatter them. If you're really paranoid you can even use the first last, second last and third last letters of the site into numbers/symbols.
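    An audit a reader could run over their own password list, showing what stays constant once the site-derived digits or symbols from the scheme above are set aside. This is an added example, not part of the post; the function names are hypothetical, and it assumes a US keyboard layout and a base word that contains no digits or shifted-number symbols of its own.

```python
# Phone-keypad mapping used in the post (N=6, B=2, R=7 gives NBR=627).
KEYPAD = {ch: d for d, letters in {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}.items() for ch in letters}
# US-layout shifted symbols back to their digits (@ is shift-2, & is shift-7).
UNSHIFT = dict(zip("!@#$%^&*()", "1234567890"))

def site_token(tag):
    """Digits for a site tag such as 'NBR' or 'BBuy'."""
    return "".join(KEYPAD[c] for c in tag.lower() if c in KEYPAD)

def split_password(password):
    """Return (base, digits): symbols are read as digits, order is preserved."""
    norm = [UNSHIFT.get(c, c) for c in password]
    base = "".join(c for c in norm if not c.isdigit())
    digits = "".join(c for c in norm if c.isdigit())
    return base, digits

def shared_bases(entries):
    """Group site tags by base when the leftover digits equal the site token."""
    groups = {}
    for tag, password in entries:
        base, digits = split_password(password)
        if digits == site_token(tag):
            groups.setdefault(base, []).append(tag)
    return {b: tags for b, tags in groups.items() if len(tags) > 1}

# Constructed input: the passwords the post itself gives as examples.
ENTRIES = [("NBR", "Superman627"), ("Newegg", "Superman639344"),
           ("BBuy", "Super2289man"), ("NBR", "6Super@man&")]
```

    `shared_bases(ENTRIES)` groups all four entries under the single base `Superman`, whichever placement (prefix, middle, suffix or scattered) was used.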
     
  20. HTWingNut

    HTWingNut Potato

    Plus put a . and/or / or even put your password in parentheses like this .(p@ssw0rd).
     
  21. tijo

    tijo Sacred Blame

    Even better yet, use a sentence as your password, even more variations and you can pick something easy to remember. The downside is that there are a lot of places that limit the length of a password. That's one thing I don't get, it's not like the password info is taking a lot of space, that and the fact that some don't even allow characters outside of letters and numbers.