Wow, hacked again w/ authenticator

Comments

  • faefrost Member Posts: 199

    Originally posted by Aki_Ross

    I really don't see how people can defend Blizzard. Yes, I would say that at lest half of the accounts been access are down to the player. But then there's a number of people, whom have taking every precaution under the sun and still their account gets broke into. So either it's somebody at Blizzard, whom is not who they appear to be, or Blizzard's own system as been leaking. Either way somebody should be investigating, instead of trying to deny there's no problem.

    Once more for those that missed it. Symantec recently located and mapped an illicit server in China that was receiving keylogger information from trojans and malware, validating the information and providing a clearing house for hackers. They found 3 servers but were only able to map 1 of them to see what was on it. What they saw was user account information for 44 MILLION MMO accounts spread over 18 games including World of Warcraft. In this case this server mainly held info for Asian games and/or Asian game servers for western games, but it was pretty clear that there are other similar servers dedicated to North America and Europe.

    So yes there is a tremendous volume of keyloggers out there. They are currently evolving very fast, in many cases faster than the commercial security products can react or update. And they are compromising your information much faster than they used to. In the past it would take several weeks between a keylogger getting your info and a hacker making use of it to steal an account. The current turnaround time can now be under 48 hours.

    Trust me I do do this sort of analysis and consulting in the real world. I don't have any great love of Blizzard nor am I slavishly supporting or defending them. I just don't see a valid attack vector directly against Blizzard that would result in the pattern of hackings that we see. A Blizzard employee leaking information is beyond unlikely to be pretty much impossible. As I said above they have outright admitted that the database will not display or provide such information to any employees. The core database software just does not permit it. So at best an employee could only sell a list of e-mail addresses. They could never see or record the passwords. While I do not simply take Blizzard's word for it, this is in line with most modern enterprise level server and database suites, so I really see no reason to doubt it. They would have had to go out of their way to deliberately engineer this security hole in. So once again, unlikely.

    A possible attack vector against Blizzard is their forums, and the fact that they share login information with the game accounts. We have witnessed more than enough various forum security compromises that I can willingly believe this is a possibility. But then the pattern of attacks doesn't quite correspond to what would be expected. We would be seeing a much greater volume of hacks (believe it or not, what we see is reasonably small all things considered). And we would pretty quickly see a direct correlation between "do you ever post on the WoW message boards?" to who gets hacked.

    Some compromise such as a worm or trojan on an internal Blizzard system? Once again not likely. Either it could no more see the information in question than the Blizzard employees (the more likely scenario), or they would be able to see everything.

    So it brings me back to the most likely, and preferred attack vector, given that these hackings are part of a commercial enterprise, is the use of automated keyloggers and trojans to go after the individual end user systems. And we know that there are some scary powerful tools out there right now to do just that. Those toolsets developed by the People's Republic of China in order to snoop on Google and GMail. They're in the wild now and being used in much scarier ways. And they seem to be insanely good at avoiding detection.

  • Herodes Member Uncommon Posts: 1,494

    Today I received an E-mail from Codemasters (Lotro etc) about a forums security update. They wrote about how they experienced some attempts to hack their forums in the past days.
    Now if the hacking guys were more successful at other forums/websites, this would explain, where they do have all the email addresses from for the phishing mails.

  • Torik Member Uncommon Posts: 2,342

    Originally posted by Herodes

    Today I received an E-mail from Codemasters (Lotro etc) about a forums security update. They wrote about how they experienced some attempts to hack their forums in the past days.

    Now if the hacking guys were more successful at other forums/websites, this would explain, where they do have all the email addresses from for the phishing mails.

    If you use an email address to sign up to any video game website/forum you are pretty much guaranteed to end up on a phishing mailing list.  It does not even have to be WoW or MMORPG related.

  • Ceridith Member Uncommon Posts: 2,980

    Originally posted by Torik

    Originally posted by Herodes

    Today I received an E-mail from Codemasters (Lotro etc) about a forums security update. They wrote about how they experienced some attempts to hack their forums in the past days.

    Now if the hacking guys were more successful at other forums/websites, this would explain, where they do have all the email addresses from for the phishing mails.

    If you use an email address to sign up to any video game website/forum you are pretty much guaranteed to end up on a phishing mailing list.  It does not even have to be WoW or MMORPG related.

    Surprisingly, there are people who have created new email accounts solely for their Battle.net account, and nothing else, yet still managed to get spammed with phishing emails.

    That's the head scratcher.


  • Originally posted by Ceridith

    Originally posted by Torik


    Originally posted by Herodes

    Today I received an E-mail from Codemasters (Lotro etc) about a forums security update. They wrote about how they experienced some attempts to hack their forums in the past days.

    Now if the hacking guys were more successful at other forums/websites, this would explain, where they do have all the email addresses from for the phishing mails.

    If you use an email address to sign up to any video game website/forum you are pretty much guaranteed to end up on a phishing mailing list.  It does not even have to be WoW or MMORPG related.

    Surprisingly, there are people who have created new email accounts solely for their Battle.net account, and nothing else, yet still managed to get spammed with phishing emails.

    That's the head scratcher.

    who do you think has a bigger vested interest in selling the new email account ID?  blizzard or the email server?

    who do you think will invest more to protect the email accounts?  free service providing email servers, or blizzard who have $15 a month to earn from each account?

    that is also a head scratcher


  • Originally posted by Cruoris

    my account has been deactivated for 2 years (even the credit card i used expired 9 months ago) and i still get warnings.

    i got warned about inappropriate language in game, last month.  i checked my account, and it's still inactive.  what this means,  i have no clue.

    it could just be that their management staff is incompetent, or that they send out a certain number of blanket messages, just to appear committed...

    Or the warning mail is fake.  So you fall for it and go back to log on, I hope you do not follow the link in the mail.

  • rwmiller Member Posts: 472

    In every game that I have played I have heard of people getting their accounts hacked. In Everquest, EQII, Eve Online, Age of Conan, Aion, etc. Every single one of them has had customers come to them saying that their account has been compromised so this is not solely a problem with Blizzard.

     

    It is a numbers game and in Eve online which has 330,000 players if you assume that 1% get compromised that is 3,300 people which is a lot but fairly easy to handle if spread out over a period of time.

     

    Blizzard has 11,500,000 players or around that and with a 1% you end up with 115,000 players which seems much worse but isn't really. Add to the fact the large number of younger players and perverts playing WOW then the idiots that fall for phishing spam could be as high as 10%.

    Okay, the insults to wow players is unfair but nevertheless Blizzard has a vested interest in keeping their game and player information secure which is why they introduced the authenticator and other technologies to help prevent accounts from being compromised. The gold sellers who need these accounts have a vested interest in getting them and using them. Finally, if someone out there could just hack an account out of thin air with no information then no account would be safe and the number of accounts that would be compromised would be huge and the same would be the case if inside information was being stolen from Blizzard. There is no honor among thieves you don't think that after having sold the account data to one reseller they wouldn't sell it again and again as often as they could until every account they sold was in use?

    Blizzard could be the source of the account data but the patterns and the number of accounts being hacked does not indicate that to be the case. On the other hand it does fit perfectly the typical virus and phishing patterns. And the people saying they haven't fallen victim to it are numerous and certain that it isn't their fault. Even the OP of this thread started out that way only to later recant.

     

    Stop playing the victim and protect your system. 


  • Originally posted by Philby

    Originally posted by fyerwall


    Originally posted by Philby


    Originally posted by Cryptor

    It's not Blizzard but you who can't keep it from happening.  Since you are so resistant to common sense that you obviously fail to understand the basics I won't even go into details.

    I have been playing since early beta ( mind you off and on ) and nothing ever happened.  Many of my friends had theirs "hacked".  Some open idiotic e-mails and end up logging into fake battle.nets without even knowing it ( they are that good ).  Some use bots and other programs with trojans and spyware.  There is 1000 silly things that people do.

    Funny how it is NEVER your fault, I mean, how could it be...

     

    Thousands of silly things people do must be the answer since one disgruntled Blizzard employee is so far fetched.

    It happened at SOE back with EQ, and people are OK with believing that as truth.

    But to besmirch the Blizzard name by saying that it can happen there as well is 'BS'....

    I'll never understand fanboys.

    Fact is that if something can happen, then it is more than likely that it already has happened, is happening and will continue to happen. Just because some people choose to believe that it isn't happening or cannot happen just shows that there are a lot of naive people in the world.

    That explains a lot. I asked on another of these threads what  that attitude would be if it was SOE, Funcom or some other not so popular company dealing with massive amounts of hacks. Now I understand why I never got a reply.

    There is no reply to you b/c you are talking faith.  You have faith that some where some how some time a disgruntled blizz employee of unknown ranks and with unknown rights to access crucial database will for unknown reasons steal some usernames and passwords and hand them to hackers or hack them.

    Since that is your faith, all based on unknowns, which you do not care to find out more details, what can we reply.

    Yes we all bow to your inevitable truth, which is all based on unknowns.

  • sulthar Member Posts: 298

    Here are some tips not to get hacked:

    1-Don't answer any e-mails saying your account has been compromised, given a bonus item or anything at all!! Those are phishing mails. The only time you will enter your login/password is on wow's website where you have written the address yourself into the address bar, or to log into the game.

    2-Use crapcleaner/spybot or any malware remover you have just before you log into your account (either on wow's website or into the game itself)

    3-Do not share your account.

    4-A page that looks like wow's page ain't wow's page unless you have checked the address in your address bar  (digit by digit).

    5-No GM will ask for your password either online or offline, they just don't need it. If someone asks for it online, report him, he's a hacker.

    6-Do not buy gold, it makes you a target for future hacks.

    7-Do not accept real id from someone you don't know.

    If you follow those easy rules you're about 95% safe. But a careful maintenance of your computer is also recommended ( full antivirus scans to start with).
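
Tip 4 above (checking the address character by character) can also be done mechanically by comparing the parsed host against an exact list. This is an added example, not part of sulthar's post; the `OFFICIAL_HOSTS` list and every sample URL are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the hosts a player treats as official. Replace with the real list.
OFFICIAL_HOSTS = {"battle.net", "worldofwarcraft.com"}


def check_login_url(url: str, official=OFFICIAL_HOSTS) -> str:
    """Return "ok" only if the URL's host is an official host or a subdomain of one."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "reject: unparsable URL"
    if parts.scheme != "https":
        return "reject: not https"
    if parts.username is not None:
        # "https://battle.net@other.example/" really points at other.example
        return "reject: userinfo before host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "reject: no host"
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        # letters from other alphabets can look identical to Latin ones
        return "reject: non-ASCII or punycode host"
    for good in official:
        # exact match or a true subdomain; "battle.net.foo.example" is neither
        if host == good or host.endswith("." + good):
            return "ok"
    return "reject: host not official"


# Constructed sample URLs covering the usual lookalike patterns.
SAMPLES = [
    "https://us.battle.net/login",
    "http://battle.net/login",
    "https://batt1e.net/login",
    "https://battle.net.account-check.example/login",
    "https://battle.net@login.example/",
    "https://b\u0430ttle.net/login",  # second letter is Cyrillic U+0430
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{check_login_url(sample):38} {sample!r}")
```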


  • Originally posted by generals3

    "The most basic reason there is. No Blizzard employee can actually see the information we are talking about. None. Not some mysterious contractor, not a CS drone, not the server admins, and not the developers."

     

    Tell me how they recover hacked account? Yes that method can be used to "compromise" accounts as well.

    they recovered hacked account by system generating a new password which is sent directly by the server to the email address obtained by talking to you, having you send them photocopies of ID and what not.

    the new password is still encrypted in the server, the customer service rep does not have it and will not read it to you

  • blondeh Member Uncommon Posts: 540

    Why blame Blizzard for your mistakes?

    I've had a wow account since day dot. I've never had my account compromised. I don't use any authenticators and my password has changed once in all that time.

    Learn how to use the internet and protect your PC from malware, viruses, trojans, spyware etc. Don't click links that are pretty obviously dangerous. Don't let people use your pc that are clueless. Nobody but me uses my PC, not my mrs, my kids, my mates...NO ONE!

  • diebycore Member Uncommon Posts: 16

    It's true about u'r system protection...I almost lost my account when the spam wave started and i think i was among the first that informed Blizz on this. Now i still get various spams, even in games which i don't own, with fake info regarding my account. U should keep in mind that every time u have a suspicion about the e-mail, u should never follow that link in that e-mail...just log to ur account normally via the official site. At this moment i use avast! antivir proff and a anti-malware program - in 99% of cases those two block the access to those links instantly and in 100% cases it won't let me send info or retrieve from untrusted and suspicious sites. Indeed, u'r system protection is not the Blizz's job and not their problem at all. Actually they helped me very efficiently and very fast back then when i had this problem. So quit accusing blindly!


  • Originally posted by diebycore

    It's true about u'r system protection...I almost lost my account when the spam wave started and i think i was among the first that informed Blizz on this. Now i still get various spams, even in games which i don't own, with fake info regarding my account. U should keep in mind that every time u have a suspicion about the e-mail, u should never follow that link in that e-mail...just log to ur account normally via the official site. At this moment i use avast! antivir proff and a anti-malware program - in 99% of cases those two block the access to those links instantly and in 100% cases it won't let me send info or retrieve from untrusted and suspicious sites. Indeed, u'r system protection is not the Blizz's job and not their problem at all. Actually they helped me very efficiently and very fast back then when i had this problem. So quit accusing blindly!

    Another way is to set up 2 clusters of PCs with 2 different isp/routers.

    One for browsing and let them hack all they wish, they can steal my MMORPG account.

    the other for logging on to games and only a couple sites vital for the game, like bnet.com

    Naturally the usernames and passwords used to register forums in system 1 above would be totally different from system 2.

    use authenticators.

  • Hrothmund Member Posts: 1,061

    Originally posted by Aki_Ross

    I really don't see how people can defend Blizzard. Yes, I would say that at lest half of the accounts been access are down to the player. But then there's a number of people, whom have taking every precaution under the sun and still their account gets broke into. So either it's somebody at Blizzard, whom is not who they appear to be, or Blizzard's own system as been leaking. Either way somebody should be investigating, instead of trying to deny there's no problem.

    Sorry mate, with a post like that full of horrible grammar and spelling, I doubt you're the right 'champion' to defend the 'number of people, whom have taking every precaution under the sun and still their account gets broke into'.

    If you don't have proof implicating Blizzard, stop barking up the wrong tree, mate.

  • mmorpgrik Member Posts: 4

    I've had 4 of these emails recently.

    I have a habit of giving each and everything I sign up to its own email address and this address has not been used for anything else.

    It just happens to be the email i used to register with this website.

    R

  • ChromeBallz Member Uncommon Posts: 342


    And i would add that i don't understand how some fanboys can keep on saying that it just cannot be on blizzards end and that it's always on the consumers end. Blizzard is a company and cannot be 100% safe from employees doing illegal things, a buttload of companies have employees leaking information.

    Passwords are encrypted in Blizzard's own database. The only one who knows it is the user who made it. Employees, not even devs, can access passwords in anything but their encrypted form, and even the most basic encryption methods used for a half-decent password would throw any brute force attack out of the window, so there's not much those employees could get for giving out encrypted passwords.

    The problem is definitely not on Blizzard's side.

    Thing is that people don't like to admit when they've done something stupid. Most phishers copy the Blizzard pages directly to a URL that resembles an official one, and add a little bit of their own code to it. When you log in you're redirected to the actual site, but by that time it's already too late.

    How exactly authenticated accounts can be stolen, i'm not sure, but with some clever MITM stuff you can probably remove an auth from someone's account. For example, you have a trojan on your PC which intercepts your auth codes. This sends the code to an automated process "somewhere in China", where it uses the code to log in to your account page, when you try to log in to the game. The code hasn't actually been sent to Blizzard from your PC but to the hacker's PC, so it's still valid when they try to use it.

    The automation would probably count on you trying to log in 2-3 more times before you're going to start suspecting something, which is enough codes to remove the auth from your account.

    Hence, knowing a bit about PC security is paramount. Too many people think that PC's are ultra-safe when they pay Norton for their sub-par AV and firewall solutions, and they can dick around however much they want.

    Newsflash: Even though your car has an airbag and crumple zones, it doesn't mean you don't have to drive carefully - You *will* crash.

    Playing: WF
    Played: WoW, GW2, L2, WAR, AoC, DnL (2005), GW, LotRO, EQ2, TOR, CoH (RIP), STO, TSW, TERA, EVE, ESO, BDO
    Tried: EQ, UO, AO, EnB, TCoS, Fury, Ryzom, EU, DDO, TR, RF, CO, Aion, VG, DN, Vindictus, AA
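
ChromeBallz's observation that an intercepted code "is still valid" follows from how a server checks one-time codes: it can tell whether a code was already consumed, not who typed it. This is an added example, not from the thread and not Blizzard's implementation; it assumes RFC 6238 TOTP, uses the RFC's published test secret, and the timestamp is constructed.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server-side check that accepts each time step at most once."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_used_step = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_used_step:
                continue  # already consumed: a replayed code is refused
            expected = totp(self.secret, candidate * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_used_step = candidate
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    t0 = 1_000_000_020                # constructed timestamp
    server = Verifier(secret)
    code = totp(secret, t0)           # shown on the token, not yet seen by the server
    return {
        # The server accepts the first party to present an unconsumed code.
        "first_submission": server.verify(code, t0 + 5),
        # The same code presented again is refused (single use).
        "same_code_again": server.verify(code, t0 + 10),
        # A code from the next time step is fresh and accepted.
        "next_step_code": server.verify(totp(secret, t0 + 30), t0 + 31),
        # Outside the drift window the code is worthless to anyone.
        "expired_code": Verifier(secret).verify(code, t0 + 120),
    }


if __name__ == "__main__":
    print(demo())
```

Single-use enforcement stops a consumed code from being replayed but cannot help when the code never reached the server, which is why the thread keeps returning to keeping the player's own machine clean.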

  • Sleepyfish Member Posts: 363

    Originally posted by ChromeBallz

     




    And i would add that i don't understand how some fanboys can keep on saying that it just cannot be on blizzards end and that it's always on the consumers end. Blizzard is a company and cannot be 100% safe from employees doing illegal things, a buttload of companies have employees leaking information.


     

    Passwords are encrypted in Blizzard's own database. The only one who knows it is the user who made it. Employees, not even devs, can access passwords in anything but their encrypted form, and even the most basic encryption methods used for a half-decent password would throw any brute force attack out of the window, so there's not much those employees could get for giving out encrypted passwords.

    The problem is definitely not on Blizzard's side.

    Yeh it can't be Blizzard's fault, it's not like people figured out how to do this.

    http://www.nytimes.com/2008/02/22/technology/22chip.html

    Cracking encryption is years old now.
