Hacking epidemic

#0 - May 2, 2010, 8:10 p.m.
Blizzard Post
My real friends and I play together. There are about 20 of us in the guild. In the past two months, 4 of us have been hacked, including myself. We also know several online friends from the server who have also been hacked in this time. Now, I can't speak for those I do not know personally, but for my real life friends and myself I can.

We have full, updated, and quality security on our computers. Firewalls, virus and malware scanners, etc. We are also well aware of phishing and scam mails. We do not buy gold or make use of powerleveling or anything else of the sort. Now, here is the important part: we are also all grown adults with well-paying jobs who utilize online banking. Think about that for a moment.

Let us assume that the compromises in all of our securities are coming from our end. We have some keylogger living undetected on our systems, or our firewalls are not nearly as robust as we believe. If that is the case, then how come none of us have experienced any other form of identity theft? How come my bank account is not being accessed and drained?

Sure, maybe the goldfarmer who originally hacked my account is not thinking that big. But if some small time putz is able to do it, then why aren't other hackers utilizing the same measures to steal everything else we access on our computers? Accounts that are worth a great deal more than the piddly $20 they got from selling our gold.

But, obviously, it must be our fault. Because Blizzard cannot have a breach in their security. Because they would have to tell us, by law. And it is unthinkable that they are not aware of the breach, or worse, not wanting to lose a great deal of money by admitting such a breach.

To make matters worse, Blizzard is not capable of promptly handling the issue. My friends and I have often had to wait up to a week to get our accounts back. We are stuck sitting on hold for hours. Or in some cases, calling back to back for days before we even get the chance to be put on hold. This is unacceptable. Now, I understand Blizzard is asking everyone to understand they are handling a great number of account compromises. But, that is exactly my point. There has been an absurd spike of hacks in the past months, far more than can be attributed to small time phishing and scam mail. And I will hazard a guess that a healthy number of those hacked had adequate computer security. But let us assume that this huge spike is, in fact, our fault. Blizzard still should be doing more to rectify the issue. And an authenticator at my expense is not the answer. I will not accept them profiting even more from this situation.

Why are they not aggressively prosecuting these hackers and gold farming sites? Why are they not ensuring the names match the account when an authenticator is purchased so people cannot get their account back sooner? Why are they not increasing their customer service so people are not waiting to the point of frustration?

It is unlikely there will ever be a WoW killer. But if Blizzard fails to take action, WoW will be killed by the hackers.
#87 - May 4, 2010, 6:43 p.m.
Blizzard Post
Is account compromise an epidemic? No. Contrary to popular belief, it only affects a small portion of the WoW population. Is account compromise a notable issue? Yes. The effects of compromise can be devastating, both for the individual account holder and the community.

Moving forward.

Battle.net is a perfectly fine platform. It is not less secure. It is not responsible for the compromise of your account. I repeat: Battle.net has not been compromised and is not responsible for the compromise of your account or your guild mates' accounts. Can Battle.net accounts be compromised? Yes. They can, if the proper precautions are not taken. Is it impossible to secure a Battle.net account? No, it is not. There are many ways to protect oneself against compromise.

In order for an account to be compromised, its login information must be learned by an unauthorized party. This can happen in multiple ways. It's possible that a computer from which you accessed your account (at any time) possessed a latent infection. It's possible that you accidentally responded to a malicious phishing scam or visited a website which contained embedded malware. It's also possible that your registered email address was compromised separately, opening a doorway to your Battle.net account. Because of this, I would encourage you and your fellow guild mates to ask yourselves the following questions:
  • Do you and your guild mates visit the same websites? Download AddOns from the same source?

  • Do you or your guild mates ever access (or have you ever accessed) your accounts from a different computer? If so, could those computers perhaps be at risk? Remember that each of you will need to examine all computers from which you've logged into the game client, the World of Warcraft forums, and/or Battle.net Account Management. All three of these locations require an account name and password.

  • Do you or your guild mates use your account name and/or password as your login credentials for any other website? Perhaps a networking site like Facebook or Twitter or MySpace? Or a guild website? If so, this could have led to your compromises.

  • On a similar note, is your registered email address publicly available? Are your guild mates'? A quick way to check is to plug your address into any online search engine. If the search returns results, then it's probably a good idea for you to update that piece of your contact information. Instead of simply using a different email address, though, my advice would be to set up a completely new address. When creating this new address, make sure that the username and password are unique. Don't use a username (e.g. character name, IM screen name, profile tag) or password that you already use online.


Now, I know it's much simpler to point the finger at Blizzard Entertainment than considering the above possibilities. It's important that you come to terms with them, though, because if you deny personal responsibility, you may neglect to take key steps that can bolster your account's security. In the end, accepting that compromises occur client-side is the first and most important step to protecting your account.

As always, we'll be happy to help you reclaim your account (if necessary) and recoup any losses your characters may have suffered as a result. All that we ask in return is that you focus on securing your computer, account, and registered email address to help prevent repeat compromise. This is something only you can do. It sounds like you're already taking the appropriate steps, but here are some additional resources just in case:




Some other points I'd like to address:

Quote:
But let us assume that this huge spike is, in fact, our fault. Blizzard still should be doing more to rectify the issue.


If you have any thoughts for how we might do so, please let us know. :)

Quote:
And an authenticator at my expense is not the answer. I will not accept them profiting even more from this situation.


Blizzard Entertainment does not make a profit from the sale of Battle.net Authenticators. We sell these on the Blizzard Store at cost. We also offer Mobile Authenticators, and for many mobile devices this application is free.

Quote:
Let us assume that the compromises in all of our securities are coming from our end. We have some keylogger living undetected on our systems, or our firewalls are not nearly as robust as we believe. If that is the case, then how come none of us have experienced any other form of identity theft? How come my bank account is not being accessed and drained?


While I can't speak on behalf of those who commit such theft, there are a number of factors to consider. First, the theft of real world currency can bear severe real world penalties. Second, compromising a game account is very profitable due to the demand for purchased virtual currency. This creates a perfect combination of low risk, high yield for the unscrupulous to take advantage of. Third, it may very well be that your real world information has been gleaned as a result of a keylogger, Trojan, or other malware.

Quote:
Why are they not aggressively prosecuting these hackers and gold farming sites?


This is ultimately a legal matter, one best addressed with our Legal Department. Suffice it to say, Blizzard Entertainment has successfully battled and will continue to battle against companies that attempt to exploit the game and its players through any means available.

Quote:
Why are they not ensuring the names match the account when an authenticator is purchased so people cannot get their account back sooner?


Do you mean when an Authenticator is purchased from the Blizzard Store, the name on the purchasing Battle.net account must ultimately match the name on the account to which that Authenticator is attached? It's important to remember that many individuals purchase Authenticators as gifts or will associate the same Authenticator with multiple different accounts (for example, a single family that plays together might only require one Authenticator). Also, not all Authenticators acquired by malicious parties are purchased from the Blizzard Store.

Quote:
Why are they not increasing their customer service so people are not waiting to the point of frustration?


We're currently hiring, and have been for several years. If you know someone qualified who's interested, please refer him or her to this online application:





I know this must have been a very troubling time for you, Damaskus, and for that I am sorry. If you have any questions or concerns, please let me know and I will be happy to assist in any way that I am able. :)