Alarming Trend

#0 - Jan. 24, 2010, 2:53 p.m.
Blizzard Post
I am a Moderator on Curse.com and we are now getting dozens of posts stating that accounts have been hacked, and it is somehow Curse's fault. Let me assure you, Curse.com and the Curse Client did not hack your account. There is no malware or key loggers in the CC, and it is impossible for addons to get your account information.

However, reading both this forum and the Technical Support forum here on worldofwarcraft.com, I noticed an alarming trend: people signing up for the first time, or coming back to WoW, activating their battle.net account, and then discovering their game account had been hacked. In most cases, the hackers attached Authenticators, preventing, or certainly making more difficult, account retrieval.

Based on reading multiple posts in both forums, I conclude that the security leak is Battle.Net itself, and not any third party addon updater. I can safely draw this conclusion because not everybody posting on Blizzard's forums is using updaters, yet 100% of them are using Battle.Net.

Furthermore, there is at least one Blizzard CSR that is telling users that these updaters are at fault. This is impossible, as they do not affect the game install files in any way, shape, or form, and in the case of Curse.com, the site is an Official Blizzard Fan Site, and the Curse Client has been vetted by Blizzard as safe, and all updates to the Client itself are digitally signed by VeriSign.

I now hold Blizzard to task for having a security leak, not acknowledging the problem, giving false information to users, and then passing the blame to innocent parties.

Perhaps adding an Authenticator will stop a hacker from using people's accounts, but the fact remains that some people do not have Authenticators, and of the 11 million subscribers, less than 100,000 use updating software, yet they are still getting hacked.

I am posting this to inform Blizzard they have a leak, advise Blizzard to stop passing the blame, and fix the issue.

#8 - Jan. 24, 2010, 3:28 p.m.
Blizzard Post
The following response was written by one of our new teammates. Because they are still in training and do not yet possess a forum account of their own, they shall be posting via proxy through me.

While I commend your passion towards helping stop the spread of account compromises, Myrroddin, I believe there is a bit of misinformation in this thread that I must address. Firstly, the assertion that Battle.net has been compromised or is leaking players’ account information is patently false. I am sorry, but you are wholly incorrect in both your assumptions towards our internal security as well as the reasons players are compromised.

The thought that players are compromised as a result of Battle.net being insecure is like chasing shadows -- an interesting thought but not one that is supported by reality. Truth be told, players are compromised in a multitude of ways, the most common being keyloggers and phishing emails obtained from a variety of third-party sources entirely unrelated to Blizzard or Battle.net. While I cannot speak for the Curse Client, I can most assuredly speak for Blizzard.

  • Battle.net’s security has not been compromised.
  • Blizzard is not sharing players’ account information, voluntarily or otherwise.
  • Every single account compromise has been as a result of a client-side security breach.


That being said, our desire is not to cast blame on anyone. We simply want to warn our customers of the dangers that do exist. If you feel Blizzard can do more to help players protect their accounts, you are more than welcome to express your thoughts on our Suggestions Forum.