#0 - Feb. 3, 2009, 10:21 p.m.
Since posting, I have looked into it and it looks like I am far from the only person this happened to on the exact same day. Other people who have posted about their account being compromised on Feb 1st / 2nd:
<Links removed>
I'm sure there are others as well, but this is just to name a few that I have found.
In a few instances, the victim was up-to-date with their anti-virus and anti-spyware programs, and had nothing that could be considered malicious on their machines. I know that on my machine, there was nothing at all that would have been able to collect my password, not to mention any other viruses, trojans, or keyloggers. I scanned it just to be sure using MacScan, and it was confirmed that my machine was clean. I am a Power User, I have had PCs and Macs and know my stuff with both systems. I don't share my information with ANYONE.
Another person who was hacked (in the link to Teravastl's post) was not even playing after the point that they had been hacked the first time when they were hacked a second time. This means that there was definitely not a keylogger involved.
The point is this: I DO NOT HAVE A VIRUS. I DO NOT HAVE A KEYLOGGER. This was not a security issue on my end AT ALL. Something is going wrong somewhere else.
The thing that I really don't understand is why there is a "Change Email" through the World of Warcraft web site. You don't even need to log into your account to change the email. The only place that you should be able to change your email is within the account management or over the phone with Blizzard.
The email address was changed on my account. At no point did I receive an email telling me that it had been changed. The email had to have been changed before the password was changed because they used the password retrieval page and I never received an email about that either.
On the web site, to change an email, you simply need to enter your account name, current email address, and the last six characters of your WoW key, which can be brute forced. They don't even have to answer the secret question.
I really think that Blizzard needs to step it up a few notches with security. Implementing captchas and other things that might slow down hackers that are trying to brute force the system might help. In the rare instances that someone needs to recover their password, I'm sure they wouldn't mind going through a few more steps to make sure it is secure. And in the VERY rare instance they would need to change their email, they should do it through their account (logged in), or over the phone with Blizzard. It also would probably be nice if Blizzard implemented a few more security questions (like three per account).
Falrinn @ Turalyon talks some more about security and brute force in his post here: http://forums.worldofwarcraft.com/thread.html?topicId=14697555206&postId=146959637850&sid=1#11
Login attempts should definitely be limited, and players should be able to change their account name at will. As I said in my post, I do not feel comfortable having an account that has been compromised. Since it has the same account name, it can be targeted again, and entry can be gained through brute force.
Yes, there is the Blizzard Authenticator, but why do we need to spend more money to have security, which should be provided with a service in which we are already investing >$100 initially and $15 per month thereafter? Blizzard could provide these at purchase, or when someone has paid for 6 months of play time. If Blizzard doesn't want to give the Authenticator to everyone, they could at least give them to those whose accounts have already been compromised.
They also need to allow strong passwords. I tried to add a symbol to my password but Blizzard did not allow it. They also do not use case-sensitivity, which would help improve the strength of the password and make it more difficult to get into accounts.
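The post asks for one concrete control above all others: attempts against the "change email" and password-retrieval forms should be limited, with a captcha and then a lockout once guessing is detected. The following is an added example written for this page, not Blizzard's code and not anything from the original thread. It implements a sliding-window throttle for such an endpoint, keyed on both the account name and the requesting address; the thresholds (3 failures before a captcha, 10 before a one-hour lockout, within a 15-minute window) and the account names and addresses in the simulation are constructed values, not published limits or real accounts.

```python
"""Sliding-window throttle for a sensitive account-recovery endpoint.

Added example (not Blizzard's code): models the control the post asks for,
limiting failed attempts on a 'change email' / 'password retrieval' form so
that a short secret (a few key characters, a password) cannot be guessed at
full speed from one source or against one account.
"""
from collections import defaultdict, deque

ALLOW, CAPTCHA, LOCKED = "allow", "captcha", "locked"


class RecoveryThrottle:
    # Thresholds are assumptions chosen for this example, not published limits.
    def __init__(self, window_seconds=900, captcha_after=3,
                 lockout_after=10, lockout_seconds=3600):
        self.window_seconds = window_seconds
        self.captcha_after = captcha_after
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of failures
        self._locked_until = {}               # key -> time the lock expires

    def _recent(self, key, now):
        """Drop failures older than the window and return how many remain."""
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return len(q)

    def decide(self, account, source_ip, now):
        """Return ALLOW, CAPTCHA or LOCKED for one recovery request.

        Both the account and the source address are checked, so a single
        source spraying many accounts and many sources hammering one account
        are both caught.
        """
        for key in (("acct", account), ("ip", source_ip)):
            if self._locked_until.get(key, 0) > now:
                return LOCKED
        worst = max(self._recent(("acct", account), now),
                    self._recent(("ip", source_ip), now))
        return CAPTCHA if worst >= self.captcha_after else ALLOW

    def record_failure(self, account, source_ip, now):
        """Count a wrong answer; lock the key once the threshold is reached."""
        for key in (("acct", account), ("ip", source_ip)):
            self._failures[key].append(now)
            if self._recent(key, now) >= self.lockout_after:
                self._locked_until[key] = now + self.lockout_seconds
                self._failures[key].clear()


def simulate_guessing(attempts=12):
    """Constructed scenario: one source guesses against one account, one
    attempt per second, every answer wrong. Returns the throttle and the
    decision the endpoint made at each step."""
    throttle = RecoveryThrottle()
    decisions = []
    for i in range(attempts):
        now = 1000 + i                      # constructed clock, in seconds
        decision = throttle.decide("victim", "203.0.113.7", now)
        decisions.append(decision)
        if decision != LOCKED:
            throttle.record_failure("victim", "203.0.113.7", now)
    return throttle, decisions


if __name__ == "__main__":
    throttle, decisions = simulate_guessing()
    for step, decision in enumerate(decisions):
        print(f"attempt {step + 1:2d}: {decision}")
    # The real owner, from another address, is also refused while the
    # account-level lock is active: the price of stopping the guessing.
    print("owner during lockout:", throttle.decide("victim", "198.51.100.9", 1012))
```

The simulation shows the escalation the post describes: three free attempts, a captcha on every request after that, and a lockout once ten wrong answers have accumulated. The last line illustrates the trade-off of an account-level lock, which also refuses the legitimate owner until it expires; that is one reason the post's other suggestion, allowing email changes only from a logged-in session or by phone, matters alongside throttling.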