Blizzard Addresses Diablo III Account Hack Complaints

It’s not been a good launch week for Blizzard’s newest game, Diablo III. First, the servers melted completely under the onslaught of users trying to release 12 years’ worth of click-click-clicking. Then, there was a game-breaking bug involving the Demon Hunter and Templar early in the game, which left many users kicked out of the game and unable to re-enter. Then, there were problems with the game not recognizing quest trigger points, leaving users (including me) losing achievements.

The latest egg in the face may quite possibly be the most serious one: Blizzard forums are full of complaints from users about their accounts being hacked into and their items and loot being stolen. Rock Paper Shotgun mentions that Eurogamer’s Christian Donlan had a first-hand experience of this hack. The reason for this is not very clear, but some speculation on Reddit suggests that the sessions are being hijacked, giving the hacker full control of the accounts.

Even though Blizzard had two-factor authentication for logins, reports around the forums suggest that even people with two-factor authentication enabled have had their accounts broken into. I took a quick glance into my account this morning and thankfully, as of now, there has been no break-in.

Bashiok makes it clear that there have been no session-hijacking exploits that are in the wild:

We’ve been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person’s account was not compromised through traditional means of someone else logging into their account through the use of their password.

That still doesn’t explain how people with two-factor authentication have had their accounts accessed. Another speculation is that the two-factor authentication was enabled after the break-in.

Blizzard’s response has been fairly generic, attributing it to the new game release. Quoting Lylirra, the community manager:

Historically, the release of a new game — such as a World of Warcraft® expansion — will result in an increase in reports of individual account compromises, and that’s exactly what we’re seeing now with Diablo III. We know how frustrating it can be to become the victim of account theft, and as always, we’re dedicated to doing everything we can to help our players keep their accounts safe — and we appreciate everyone who’s doing their part to help protect their accounts as well.

We also wanted to reassure you that the Authenticator and Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them. In addition, we also recently introduced a new service called SMS Protect, which allows you to use your text-enabled cell phone to unlock a locked account, recover your account name, approve a password reset, or remove a lost Authenticator. Optionally, you can set up the SMS Protect system to send you a text message whenever unusual activity is detected on your account, keeping you aware of important (and possibly unwanted) changes.

For more information on the Authenticator, visit

For more on the Mobile Authenticator, visit

For more on SMS Protect, visit

Blizzard also mentioned that users may be prompted with additional security questions if they are logging in from a previously unknown location:

We also have other measures built into to help protect players. Occasionally, when detects unusual login activity that differs from your normal behavior — such as logging in from an unfamiliar location — we may prompt you for additional information (such as the answer to one of your security questions) and/or require you to perform a password reset through the website. World of Warcraft players might be familiar with this security method already, and Diablo III players may begin to encounter it as well.

Blizzard has asked users who believe they have been the victim of an account compromise to contact them via their “I’ve Been Hacked!” tool.

If you have had an account compromise in Diablo III, do leave a comment mentioning the details and the extent of losses.

NBC News Twitter Account Hacked – Posts False Ground Zero Tweets

Two days before the 10th anniversary of 9/11, the NBC News account (@NBCNews) was hacked and used to spread false information about Ground Zero being attacked by Flight 5736.

The account seems to have been hacked around 15 minutes ago. It tweeted 2 Ground Zero attack tweets and also changed the DP in one of the tweets. The fourth tweet said:

NBCNEWS hacked by The Script Kiddies. Follow them at @s_kiddies!

This is definitely sick and scary at the same time. Hopefully, the people behind this stupidity will have some more sense. The folks behind NBC are aware of the issue and are fixing it. We have reached out to them for more information.

Story developing...

Update 1: The s_kiddies account has been deleted by Twitter, however, the NBC News hacked tweets have not yet been deleted.

Update 2: The hackers have now updated the description and URL of the NBC News account.

Update 3: Twitter has suspended the @NBCNews account for now. Ryan Osborn, the director of Social Media at NBC, has tweeted that NBC are aware of the issue and are working to resolve it.

TimesofMoney/Remit2India Database Hacked Through SQL Injection – HDFC Bank Vulnerable Too

Update – August 4th 2011: TimesofMoney contacted us with an update saying that this breach does not exist and will be sending us a statement regarding the same shortly.

In this day and age of technology, it does not come as a surprise that websites are frequently hacked. Groups like Anonymous and Lulzsec have been creating havoc on the internet; however, there are other cases too, where security teams hack websites to show their owners how insecure they are.

One of the most common ways of hacking websites is SQL injection. Ironically, was also hacked using an SQL Injection attack a few months back.

Today, the zSecure Team has found a vulnerability in a very popular digital payments site called TimesofMoney, which provides online remittances, fortified domestic e-payment mechanisms and facilitated remittance solutions of banks. The company is behind products like Remit2India, DirecPay and Times Card.

The zSecure Team claims that there exists a critical SQL Injection Vulnerability in the TimesofMoney website, using which an attacker can gain access to the site’s entire database, which contains a huge amount of customers’ confidential information.

This vulnerability may prove to be very critical for the company because TimesofMoney is one of India’s leaders in e-payment systems. The existence of such a critical flaw in the company’s website may cause huge damage to the company’s existing market reputation.

The group claims that HDFC Bank’s website is also vulnerable right now:

We discovered alike vulnerability in HDFC Bank’s Website as well and issued them a similar advisory. But even after couple of weeks of sending our advisory to the bank, the said vulnerability is still open for outside attacks. If the said vulnerability doesn’t get fixed by the bank as an earliest then our next post may disclose that concerned vulnerability publicly. We hope that both the companies (TimesofMoney and HDFC Bank) will take immediate actions to fix the reported vulnerabilities.

TimesofMoney currently has a SQL Injection Vulnerability whose severity is very high. They are currently running Oracle Database 11g Enterprise Edition. The vulnerability allows hackers to access the database as well as run a database dump. It may also allow shell uploading.

The security team has also posted images about the hack, which can be viewed below.

[Images: TimesofMoney Hacked Database 1–4]

The security team have said that no data has been dumped, but the fact that attackers can access your financial information so easily is enough to make me cringe. I would suggest that you purge your information from the relevant sites till it is fixed. More information on the vulnerability can be found at the zSecure website.

Thanks for the tip, Christopher.

Simon Pegg’s Twitter Account Hacked

Simon Pegg, described by Wikipedia as an English actor, comedian, writer, film producer and director, apparently got his Twitter account hacked earlier today. The hacker used his account to spread malware to his 1.2 million followers.

The tweet in question was sent via Twitter for Blackberry, and asked Pegg’s Twitter followers to download a screensaver of his latest movie, Paul. Thousands of his followers did, and many even tweeted “Thank you” after installing it. Those who had anti-virus protection installed, however, were informed of a Trojan horse being found in the ScreenSaver.exe file being linked to. A few hours later, Simon posted a few messages indicating that his account was hacked and that he did not post any message about a screensaver, and warning followers that they should not download the infected screensaver.

[Images: Simon Pegg Confirms Twitter Hack 1–2]

Being a Windows screensaver, the file is not believed to be malicious to anyone who is not using Microsoft’s Operating System. Jokingly however, Pegg did have this to say to Apple users:

[Image: Simon Pegg Jokes about Apple]

He certainly is not the first celebrity to have his Twitter account hacked. Famous accounts like those of ih8sn0w and Bristol Palin have been hacked in the past.

As always, we recommend you to be cautious while clicking on any suspicious link. WOT can be helpful in keeping you safe.

WordPress Hit With Backdoor Attack, Force Resetting User Passwords

Looks like no one is safe on the internet today, with numerous services being hit with hack attacks and password thefts. Today, it looks like WordPress was also hit with a backdoor attack, where attackers were able to gain access and update some plugins in the repository.

The hackers apparently added some backdoor code to the plugins and committed it to the repository, affecting popular plugins like AddThis, WPtouch and W3 Total Cache. WordPress has managed to roll back those updates, but has also reset passwords for all users. If you use any WordPress-related service, you will have to reset your password.

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

We’re still investigating what happened, but as a prophylactic measure we’ve decided to force-reset all passwords on To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (Same for and

This is not the first time WordPress has been attacked. Earlier this year, was hacked and code was compromised. Sony has also been hit with several attacks recently where users’ passwords were leaked on the internet. If you have a account make sure to update your password. Also read our earlier article on why it is the right time to update all your passwords.

Also, if you have recently updated any of these plugins, go and re-update them immediately.

More updates to come…

Enable Multi-Touch Gestures On iPhone/iPad Running iOS 4.3 Using Sn0wbreeze

This morning, iOS hacker iH8sn0w released an updated version of his application sn0wbreeze, which brings some nifty features for iOS device owners.

The latest beta of sn0wbreeze brings with it a host of performance improvements and bug fixes.

The beta also adds an option to enable multi-touch gestures for iTouch devices running iOS 4.3. Yes, the same multi-touch gestures which were first introduced by Apple in the iOS 4.3 betas seeded to developers.

Below is a video showing the multi-touch gestures:


However, these handy multi-touch gestures were dropped from the final version of iOS 4.3.

sn0wbreeze allows iOS owners to jailbreak their iPhone 3GS, iPhone 4, iPod Touch 4 and the iPad 1/2. Readers can simply download sn0wbreeze from here and follow the on-screen instructions on how to jailbreak their device.

However, the app will only ‘tether’ jailbreak your iTouch device running iOS 4.3, which means that the jailbreak will be lost once a user restarts his iTouch device.

Hopefully, the next major update of the iOS will bring these handy multi-touch gestures to all iTouch devices. Until then, iTouch owners can use sn0wbreeze to activate these hidden multi-touch gestures.

Another Way To Bypass Megavideo Time Limit 72 Minutes

We have written several articles in the past on how to get around the Megavideo 72 minute restriction. However, it looks like several of those software tools and tricks do not work any more.

I just came across another way to bypass the Megavideo 72 minute restriction, which I tested and found to work. The new fix is in the form of Mega Skipper, which allows users to watch videos in Megavideo without any time restrictions.

The Mega Skipper trick currently works only in . In order to bypass Megavideo time limit restrictions you will have to first download a , which can be installed from here.

Once the extension is installed, you will see a new icon in the Chrome toolbar. This icon will change color whenever you watch a Megavideo video. To bypass the message "You have watched 72 minutes of video today", just click on the extension icon to open the video in a new page.

If you do not have Google Chrome installed, you can easily bypass the 72 minute restrictions in Megavideo by going to and entering the video ID of the Megavideo video.

You can also use a site called to bypass this limit. It has a extension which can be used to bypass the megavideo limit when you are watching a video.

I tested this script out and it seemed to work for me without issues so you should be able to bypass the Megavideo time limit without any problems. Do let me know if you find any other solution to skip the Megavideo 72 minute time restrictions.

P.S. You might be bombarded with a few ads on the site, but eventually you get to watch the full video without having to go through those restrictions.

Sony Raids Prominent PS3 Hacker’s House

The Sony PlayStation 3 (PS3) hacker scene got a shock recently when prominent German PS3 hacker graf_chokolo had his house raided by German Police due to a complaint made by Sony. The raid ended up with the confiscation of all his accounts, so to speak, and peripherals that might have been related to hacking the Sony home console. This harsh step up from Sony follows many put-downs of hackers and security researchers who have openly exploited the PS3’s security flaws.


However, graf_chokolo had a last line of defense ready against Sony. The hacker had once claimed that he had quite a lot of knowledge about the PS3’s hypervisor (a virtualization technique), and that if Sony annoyed him, he would release it to the world. He made good on the promise as well by releasing the Hypervisor Bible (HV Bible) to the entire world. Using the HV Bible, other users can reverse engineer the PS3’s internal mechanisms to further open the console to the world:

Guys, i don’t joke, it’s serious.
And to prove it, i kept my word and uploaded all my HV reversing stuff.
Upload it everywhere so SONY couldn’t remove it easily. Grab it guys, it contains lots of knowledge about HV and HV procs.

It is kind of sad that Sony is doing all of this. If only they knew that piracy is not the main reason why these people work on Sony’s hardware; the homebrew scene is where most of their energy is focused. Let’s all hope this drama reaches a peaceful conclusion.

Winamp Database Hacked, Account Information Exposed

The latest target of hackers, after the whole Gawker Media fiasco, is the Winamp Forums. Hours ago, the general manager of Winamp announced that an attack targeting the Winamp Forums database had been detected and blocked. Winamp, which is owned by Aol, claims that no information other than email addresses was exposed but is still encouraging users to change their passwords. If you are one of the users, we also recommend you change your password on any other accounts that share the same password.

Sister sites like dev.winamp.com and Winamp Desktop Media Player were not affected. Additional measures are currently being taken to make the site more secure and protect it from similar attacks in the future. Even though the attack was detected before further damage could be done, the incident shows how vulnerable websites are in today’s age, even if they are owned by internet giants like Aol.

[Via DownloadSquad]

Geohot Raps To Sony’s PlayStation 3 Lawsuit

Up until now, Geohot has been known as a very talented hacker who unlocked the iDevices from Apple and hacked the PlayStation 3. However, Sony filed a lawsuit against Geohot at the beginning of this year for jailbreaking the PS3 and also requested a restraining order (TRO) on the distribution of the jailbreak.

Now, George Hotz a.k.a. Geohot has posted an explicit rap on his YouTube account explaining the lawsuit and challenging Sony as well. Readers can watch the video (NSFW lyrics) of the Geohot rap below:

Below are the full lyrics of the rap, for people who were unable to figure out what Geohot said in the above video:

Yo it’s geohot
And for those who don’t know
I’m getting sued by Sony

Let’s take this out of the courtroom and into the streets
I’m a beast, at the least, you’ll face me in the northeast
Get my ire up, light my fire
I’ll go harder then Eminem went at Mariah
Call me a liar
Pound me in the ass with no lube, chafing
You’re f*cking with the dude who got the keys to your safe and
Those that can’t do bring suits
Cry to your Uncle Sam to settle disputes
Thought you’d tackle this with a little more tact
But then again fudgepackers, I don’t know Jack

I shed a tear everytime I think of Lik Sang
But shit man, they’re a corporation
And I’m a personification of freedom for all
You fill dockets, like thats a concept foreign to y’all
While lawyers muddy water and TROs stall
Out of business is jail for me
And you’re suing me civilly

Exhibit this in the courtroom
Go on, do it, I dare you

First the jailbreak for iDevices, then the PS3 jailbreak and now this rap. Geohot sure is a talented guy!