It has not been a good launch week for Blizzard’s newest game, Diablo III. First, the servers buckled under the onslaught of users trying to release 12 years’ worth of pent-up click-click-clicking. Then there was a game-breaking bug involving the Demon Hunter and the Templar early in the game, which kicked many users out and left them unable to get back in. Then the game failed to recognize quest trigger points, costing users (including me) achievements.
The latest egg on Blizzard’s face may well be the most serious one: the Blizzard forums are full of complaints from users whose accounts were broken into and whose items and loot were stolen. Rock Paper Shotgun mentions that Eurogamer’s Christian Donlan had first-hand experience of the attack. The cause is not yet clear, but some speculation on Reddit suggests that Battle.net sessions are being hijacked, which would give the attacker full control of the account without needing the password.
Even though Blizzard offers two-factor authentication for Battle.net logins, reports around the forums suggest that even people with two-factor authentication enabled have had their accounts broken into. I took a quick glance at my account this morning and thankfully, as of now, there has been no break-in.
Bashiok’s response denies that any session-hijacking exploit is in the wild, stating that every compromise Blizzard has looked into so far came down to someone else logging in with the victim’s password:
We’ve been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person’s account was not compromised through traditional means of someone else logging into their account through the use of their password.
That still does not explain how accounts with two-factor authentication enabled were accessed. One other possibility being floated is that the authenticator was only attached to those accounts after the break-in had already happened.
Blizzard’s official response has been fairly generic, attributing the spike in compromises to the new game release. Quoting Lylirra, the community manager:
Historically, the release of a new game — such as a World of Warcraft® expansion — will result in an increase in reports of individual account compromises, and that’s exactly what we’re seeing now with Diablo III. We know how frustrating it can be to become the victim of account theft, and as always, we’re dedicated to doing everything we can to help our players keep their Battle.net accounts safe — and we appreciate everyone who’s doing their part to help protect their accounts as well.
We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them. In addition, we also recently introduced a new service called Battle.net SMS Protect, which allows you to use your text-enabled cell phone to unlock a locked Battle.net account, recover your account name, approve a password reset, or remove a lost Authenticator. Optionally, you can set up the Battle.net SMS Protect system to send you a text message whenever unusual activity is detected on your account, keeping you aware of important (and possibly unwanted) changes.
For more information on the Authenticator, visit http://us.battle.net/support/en/article/battle-net-authenticator-faq
For more on the Battle.net Mobile Authenticator, visit http://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq
For more on Battle.net SMS Protect, visit http://us.battle.net/support/en/article/battlenet-sms-protect
Blizzard also mentioned that users may be prompted with additional security questions when logging in from a previously unknown location:
We also have other measures built into Battle.net to help protect players. Occasionally, when Battle.net detects unusual login activity that differs from your normal behavior — such as logging in from an unfamiliar location — we may prompt you for additional information (such as the answer to one of your security questions) and/or require you to perform a password reset through the Battle.net website. World of Warcraft players might be familiar with this security method already, and Diablo III players may begin to encounter it as well.
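As an added illustration (not Blizzard’s code; the post says nothing about how Battle.net implements this internally), here is a small Python model of the unfamiliar-location step-up described in that quote. It runs after the password has already checked out: a login from a location the account has used before is allowed silently, a login from a new location gets a challenge (a security question or authenticator code), a failed challenge denies the login, and repeated failures force a password reset. The location labels, the threshold of two failures, and the sample login history are all constructed for the example.

```python
"""Risk-based step-up after a correct password: an added illustration.

Models the behaviour quoted from Blizzard's post (challenge on
unfamiliar location, forced password reset on repeated failure).
Location identifiers and thresholds are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Decisions the policy can return.
ALLOW = "allow"                              # familiar location, no extra step
ALLOW_AFTER_CHALLENGE = "allow_after_challenge"
DENY = "deny"                                # unfamiliar location, challenge failed
REQUIRE_RESET = "require_reset"              # repeated failures: force web password reset


@dataclass
class AccountState:
    # Locations seen in past successful logins (constructed "country-region" labels).
    known_locations: set = field(default_factory=set)
    # Consecutive failed challenges; cleared by a passing challenge.
    failed_challenges: int = 0


class RiskBasedLogin:
    """Step-up policy applied only after the password was verified."""

    def __init__(self, max_failed_challenges=2):
        self.accounts = defaultdict(AccountState)
        self.max_failed_challenges = max_failed_challenges

    def record_trusted(self, account, location):
        """Seed history from earlier, unchallenged successful logins."""
        self.accounts[account].known_locations.add(location)

    def login(self, account, location, answer_challenge):
        """Decide the outcome of a password-correct login attempt.

        `answer_challenge` is a callable invoked only if a challenge is
        needed; it returns True when the user answers correctly.
        """
        st = self.accounts[account]
        # Once a reset has been demanded, nothing gets through until it is done,
        # not even the home location: the attacker may already know the password.
        if st.failed_challenges >= self.max_failed_challenges:
            return REQUIRE_RESET
        if location in st.known_locations:
            return ALLOW
        if answer_challenge():
            st.known_locations.add(location)   # new location is now trusted
            st.failed_challenges = 0
            return ALLOW_AFTER_CHALLENGE
        st.failed_challenges += 1
        if st.failed_challenges >= self.max_failed_challenges:
            return REQUIRE_RESET
        return DENY


# Constructed sample data: earlier successful logins that seed the history.
PAST_LOGINS = [("alice", "US-CA"), ("alice", "US-CA"), ("bob", "DE-BE")]

# Constructed sample events: (account, location, would the user pass the challenge?)
SAMPLE_EVENTS = [
    ("alice", "US-CA", True),    # home location: silent allow
    ("alice", "RU-MOW", False),  # new location, wrong answer: denied
    ("alice", "RU-MOW", False),  # second failure: password reset required
    ("alice", "US-CA", True),    # even home is locked until the reset happens
    ("bob", "FR-IDF", True),     # travelling, answers correctly: allowed and learned
    ("bob", "FR-IDF", True),     # now familiar: no challenge at all
]


def run_sample():
    """Replay the constructed events and return the policy's decisions."""
    policy = RiskBasedLogin()
    for account, location in PAST_LOGINS:
        policy.record_trusted(account, location)
    return [policy.login(account, location, lambda ok=ok: ok)
            for account, location, ok in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run_sample()):
        print(event[:2], "->", decision)
```

In a real deployment the location label would come from IP geolocation or the source ASN, and the reset flow (not modelled here) would clear the lockout. The important design point the quote gets right is that the extra check runs even when the password is correct, which is exactly the case a stolen password produces.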
Blizzard has asked users who believe they have been the victim of an account compromise to report it through its “I’ve Been Hacked!” tool.
If your Diablo III account has been compromised, do leave a comment with the details and the extent of your losses.