Fact is, there is as yet no confirmation of any kind of security leak on Blizzard's side. If they announce they found one, fine. Until then, it's all speculation, and I frankly expected a bunch of hacks to happen to no-authenticator people.
If it was nearly as widespread as some here claim, then at least one of the ~300 people in my friends list would have been hacked, and at least 100 of them have played public games daily since launch. Again, no hacks.
In lack of any evidence, I can only conclude that istreamer is overstating the issue. I'll believe it when Blizzard comes out and says it. Until then, it's the same as the stuff from the last 5-7 years where people hacked blame Blizzard and were wrong. Also, as far as what could create an incident of this size that isn't server-side? Simple. The launch of the game itself. The hackers can read calendars, too, you know. They're stockpiling gold to sell on the RMAH and other channels, and may very well have had a lot of machines compromised waiting for that very event. They just waited five or six days for people to build up gold so they could steal it.
I find that every bit as plausible as Bnet having a security hole that only affects D3, and doesn't bother WoW or SC2. The public game D3 session ID one is plausible, but then explain the no-public-game hacks, and also convince me of the scale of it. Again, I'm just waiting for Blizzard to look it over and tell us what they found. I imagine even if Blizzard has the public game issue, that a ton of the hacked have nothing to do with that issue, and are not Blizzard's problem.
I think if Blizzard truly had a security hole on the scale some insist, then we should see 5% or more infected with it, and then you're looking at 50K per million users, and we're not seeing that, either.
What are you talking about? Nobody said there is a security hole and that 5% of people are infected with it. What is being reported by users through social media is that there is an exploit which allows hackers & want to be hackers to discover your unique gaming session number, log in using your session ID, you get logged out, and during that time, they transfer all of your items and gold to a mule account.
The similarities in the global conspiracy to make the non-diablo fanboys believe there is hacking include:
1. Only the character which played in a public game got hacked, while the other characters in the same account were untouched.
2. Their auction house stash and recent purchases (which could have been sent to their character's stash) remained untouched. This adds credibility to that only the public session ID was compromised and explains why the hackers did not have access to the full account (other characters and auction house).
3. People's accounts have been hacked indiscriminate of whether they have an authenticator or not.
4. The hacked accounts often have new "friends" (presumably used to transfer their items to).
It is a fact that there is a torrent of recent discussion about accounts being hacked. However, the fact that one of your 300 friends has not been hacked is not proof that there is no hacking going on. There are MILLIONS of people playing the game, the chance of one of your friends being hacked is less than one in 10,000. We are just blades of grass, there is a whole lawn full of targets. If not corrected, the exploit will continue to grow and grow as more people learn how to do it. However, what we can do is make fun of people who have been victimized, that will quiet them down and then the problem will go away.
OR, as protection you can
1. Avoid public games.
2. If you do play in public games, I would not use the shared stash which can get looted. I would create a new character who is in charge of holding valuables, including backup armor and weapons. This will not protect your gold, but will help you get going again.
I don't expect to change anyone's minds on this. As some have stated, they will only listen to people who type in blue.
Diablofans.com is an AWESOME website, and I've learned a ton on how to create the best builds for my Demon Hunter and Witch Dr. But the forum is also filled with people who are super emotionally attached to Blizzard and do not want to hear that they can do anything wrong. In fact, Blizzard hasn't done anything wrong. It's how a company reacts to a problem which shows its strength. At the end of the day, none of us KNOW if there is an exploit or not. However, it certainly sounds feasible. Especially since there are numerous accounts of people who have similar reports. Perhaps, a bunch of people coordinated these stories across a myriad of websites and made sure that their stories had enough similarities to make it look like there is a pattern. Or perhaps, if a person's account got raped and pillaged, then it was because her skirt was too short, her underwear was infested with malware, and didn't use an authenticator for protection. Over half the people on this thread have voiced the latter and blamed the victims.
"an exploit was discovered by duplicating a session ID
basically, if you join a public game with people, they can view your session ID and spoof it to login as you without need for a password or email or anything
if you play with people, try not to play in public games bro, only with people you know"
A FB friend that enjoys forums where people like to hack video games, decided to tell me. If this is possible try to figure out how to put an end to it.
Blues, assemble =\
Hey guys,
We are very aware of these reports and are taking them very seriously. Please keep an eye on the General Discussion forums as Community members will be posting something soon.
If you have been hacked, please contact Customer Service as soon as you can. In addition, using an Authenticator can help secure your account even more.
As Istreamer mentioned, if you look around Diablo fan sites/reddit, there are a lot of people reporting hacking. And a lot of them have been long time members of the community with lots of previous posting activity before they got hacked, which adds credibility.
Unfortunately, no, it doesn't add credibility.
There are Diablo Fans on this site and there are Diablo Fanboys on this site. There are people who love the games Blizzard makes and there are people who say the sky is only blue if Blizzard tells me it is.
If somebody has built up a reputation over time, they are more credible than somebody who makes his very first posting and has no history. Do you trust somebody more on eBay who has sales under their belt or if it is their first auction? One has a reputation, the other does not.
There are in depth questions and answers with numerous people on other sites who have been hacked and here is the synopsis, based upon multiple q&a with hundreds of people who have been hacked:
Latest update regarding this is that public games have a vulnerability which allows others in the game to snatch a session id and use it to access your account, but there is no official word yet, but I guess you'd want to stay away from public games in the meantime.
Some of the Q&A showed people with multiple characters, but only the characters who played in public games got hacked. There will be more clarity over time, but this is the latest information for now. And having an authenticator made no difference.
Please explain how suddenly tens of thousands of people are being hacked, even those with authenticators, in a very short window, can all be attributed to individual cases of user error.
Few threads on BNET forums = tens of thousands of people apparently.
Blizzard's official position is don't post these concerns in public, please privately e-mail us.
This is from a Blue Poster in response to someone complaining about their account getting hacked:
The forums really aren't the proper place to discuss these concerns; please contact Customer Support.
As Istreamer mentioned, if you look around Diablo fan sites/reddit, there are a lot of people reporting hacking. And a lot of them have been long time members of the community with lots of previous posting activity before they got hacked, which adds credibility.
Yes, they can be lying about the authenticators, but there are a lot of them. And it is interesting how many people insist it is key loggers at work, well then why the sudden influx of hacked accounts? I really doubt the organizations that installed keylogger programs are more interested in stealing your video game gold than your real banking information.
Someone just tried to hack my account just a few minutes ago. I immediately changed my password. Thank God I did it quick enough and signed back on, none of my things are missing. Someone random was added to my friend's list. I reported them and removed them.
Watch out people! I haven't bought any gold or anything else from anywhere, and the only website I've been to D3 related is this one and the official one. So Blizzard needs to check their servers!!!!
I'd recommend removing your B-Net Username from this forum. A hidden door stays locked longer.
If somebody is using an authenticator and they still got hacked, it is a server side issue.
The chances of hacking an account with an authenticator are very, very small. It is possible, but extremely small because the code timeframe is just a few seconds. Let's say you were browsing sites you shouldn't be browsing, and all of a sudden lost your account later that day.. What would you tell people, or tell Blizzard? You are going to say you have an authenticator of course, so that you get the sympathy or empathy you are looking for, and not being ridiculed for trying to download a bot or look at a site with known bugs/hacks.
If Blizzard came out and said that their databases have been compromised and that authenticators no longer work because of it, I'll quit D3 forever and eat crow from you all to the point of no returning to DFans. It's worth betting that the kids with compromised accounts do not have authenticators.
I agree. The only evidence we have is somebody said they were using an authenticator and there is motive to lie, embarrassment. I'd put the odds at 80% in Blizzard's favor that the servers are safe, because there is no proof of server side hacks. Reason for 20% doubt is because credit card companies, credit bureaus, and Sony have all spent more $ than Blizzard on cyber security and still have had their data compromised.
Pretty crazy though that stuff is getting stolen now, before there is a real $ auction house. I wonder if each item has a unique ID and can be tracked which accounts have "owned" it. Or if Blizzard can find the "mule" account which logged into the compromised account's game to steal its items. Hopefully the Auction house makes Blizzard a lot of money so they have an incentive to play Cops.
https://us.battle.net/d3/en/forum/topic/5149008932?page=1