Dear Blizzard: The reason hacking skyrocketed

#0 - May 15, 2010, 5:12 a.m.
Blizzard Post
I have recently been hacked and am awaiting my characters and items to be returned to me, but had I not been forced to merge my account to a battlenet account this would not have happened.

Quite simply you have made it extremely easy for hackers to acquire logins WITHOUT the need for phishing, then allowing them to simply brute force a password unless the account is tied to an authenticator. Before battlenet, knowing a player's email did not give you his/her login.

They are using the password reset function to see whether or not an email is a WOW login and then running a brute force cracker... which is why so many people get requests for password resets.

You need to change the way your website responds to lost password requests so it doesn't verify whether or not there is an account tied to an entered address.

P.S. Can a blue please confirm my account is in the queue for reimbursement?
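The original poster's complaint is that a "lost password" form which answers differently for registered and unregistered addresses turns into an account-enumeration oracle. The following is an added illustration, not Blizzard's code or anything from the thread: a minimal in-memory model of a reset endpoint, with the leaky reply beside a version that returns the same text regardless of whether the address exists, throttles repeated requests per source, and checks the token with a constant-time comparison. The account store, e-mail addresses and threshold values are constructed placeholders.

```python
"""Password-reset flow that does not reveal whether an e-mail is registered.

Added example (not Blizzard's code). ACCOUNTS, the sample e-mails and the
rate-limit thresholds are constructed placeholders for illustration.
"""
import hmac
import secrets
import time
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample account store: e-mail -> account record.
ACCOUNTS = {
    "player@example.com": {"name": "player", "reset_token": None},
}


def leaky_request_reset(email: str) -> str:
    """Leaky variant: the reply text differs for known and unknown addresses,
    so a caller can confirm valid logins one address at a time."""
    if email not in ACCOUNTS:
        return "No account is registered to that e-mail address."
    ACCOUNTS[email]["reset_token"] = secrets.token_urlsafe(32)
    return "A password reset link has been sent."


# Hardened variant: one fixed reply for every input. The reset mail (modelled
# here by storing a token) is only produced for real accounts, so the reply
# itself carries no information about whether the address exists.
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."

# Per-source request counter to blunt mass requests; placeholder thresholds.
MAX_REQUESTS_PER_WINDOW = 5
WINDOW_SECONDS = 3600
_request_log: Dict[str, List[float]] = defaultdict(list)


def _rate_limited(source: str, now: Optional[float] = None) -> bool:
    """Return True (and record nothing) once a source exceeds the window quota."""
    now = time.time() if now is None else now
    recent = [t for t in _request_log[source] if now - t < WINDOW_SECONDS]
    _request_log[source] = recent
    if len(recent) >= MAX_REQUESTS_PER_WINDOW:
        return True
    recent.append(now)
    return False


def hardened_request_reset(email: str, source: str,
                           now: Optional[float] = None) -> str:
    """Uniform reply; the reset is silently dropped when the source is throttled."""
    if _rate_limited(source, now):
        return GENERIC_REPLY
    account = ACCOUNTS.get(email)
    if account is not None:
        account["reset_token"] = secrets.token_urlsafe(32)
    return GENERIC_REPLY


def consume_reset_token(email: str, presented: str) -> bool:
    """Validate a presented token with a constant-time compare; single use."""
    account = ACCOUNTS.get(email)
    if account is None or account["reset_token"] is None:
        return False
    ok = hmac.compare_digest(account["reset_token"], presented)
    if ok:
        account["reset_token"] = None
    return ok
```

The hardened reply deliberately says nothing the caller could not already assume; the only observable difference between a real and a fake address is a mail that arrives in a mailbox the caller does not control. Throttling is keyed by source rather than by e-mail so that an attacker cannot lock legitimate users out of the reset flow by hammering their addresses.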
#63 - May 15, 2010, 2:27 p.m.
Blizzard Post
As several players have stated throughout this thread, in order to change a password or request a password reset, one of two things must be true:
  • The malicious party must already know your e-mail address, first name, last name, and secret question & answer.
  • The malicious party must already know your current e-mail address and password.

In either of these situations, the malicious party already has an in-depth knowledge of your account details; details which are not made visible on any of our webpages. Furthermore, if someone does not already have access to your account and was able to change your password, they would need access to your registered e-mail address. I realize that placing blame on the use of e-mail addresses for account names can be the easiest conclusion to come to; however, it is not an accurate conclusion whatsoever.

Please be aware that malicious parties do sometimes create phishing e-mails designed to look like password reset requests. As a matter of fact, an example of this can be found here:

http://forums.worldofwarcraft.com/thread.html?topicId=965511383&sid=1&pageNo=4#74

For more information on how to identify and avoid phishing scams, please review the following resources:

How to Identify Fake or Phishing Emails:
http://us.blizzard.com/support/article/25133

Fake E-mails from "Blizzard Entertainment":
http://forums.worldofwarcraft.com/thread.html?topicId=965511383&sid=1

If you do not believe you fell for a phishing scam then it is likely that you have logged into your account from a computer with malicious software installed upon it. Please take a moment to review the following support article for helpful tips:

Account and Computer Security:
http://us.blizzard.com/support/article/30794

Once you've identified the source of your compromise, please let us know so that we may begin the restoration process, a process in which we go through and attempt to restore each and every item, character, and piece of gold you lost as a result of the compromise. For more information, please review the following support article:

What to do if Your Account Has Been Compromised:
http://us.blizzard.com/support/article/30796
#64 - May 15, 2010, 2:43 p.m.
Blizzard Post
For the Real ID discussions taking place in this thread:

Real ID is a system we will be implementing; it has not yet been implemented. We notified our players to give them an opportunity to share their thoughts, concerns, and feedback. As always, we will carefully review the feedback we've received and develop a system that we believe our players will appreciate and enjoy.

Before you make any rash decisions, please give our Community team time to review your feedback, present it to the appropriate parties, and gather responses from those developing the system. This system is being designed for you, our customers, so I can assure you that they're interested in hearing your feedback and developing solutions for the concerns you have shared. Please hold off canceling your account and bemoaning the system as if it has already been implemented.

Also, something that is quite frequently missed is the following portion of the Real ID FAQ:

Quote:
Will parents be able to manage whether their children are able to use Real ID?
We plan to update our Parental Controls with tools that will allow parents to manage their children's use of Real ID. We'll have more details to share in the future.

These tools will be available to all players via our Parental Control feature, not just parents. While we do not have any additional details to provide right this second, there are plans in place to allow some form of management of Real ID as is stated in this FAQ entry. Please keep an eye out for more details in the future.