Blue Tracker
World of Warcraft Blue Posts
Diablo II: Resurrected Blue Posts
Diablo III Blue Posts
Hearthstone Blue Posts
Overwatch Blue Posts
Heroes of the Storm Blue Posts
Diablo IV Blue Posts
BlizzCon Blue Posts
Warcraft Rumble Blue Posts

Is this one a Blizz email or phish?

Forum Avatar
Tamboree
#0 - May 26, 2010, 7:57 a.m.
Blizzard Post
I received this email on May 16th....which as it turns out was also the day my account became compromised and 2 of my characters stripped.

Q u o t e:

====================
Subject Battle.net Account - Password Reset
From Blizzard Entertainment <[email protected]>
Battle.net Account - Password Reset

We have reset the password for the Battle.net account associated with this email address. To choose a new password, please click the following link and follow the instructions:

https://us.battle.net/account/support/password-reset-confirm.xml?ticket=[ticket #s edited out]

If you did not request the reset, it is possible that this Battle.net account has been accessed by someone not authorized to do so. If you notice issues with the Battle.net account or associated games after logging in with your new password, please contact the appropriate support department for assistance immediately: http://us.blizzard.com/support/article/30791

Please remember that it is your responsibility to keep your login information confidential. You may not share access to the account with anyone who is not expressly permitted in the Battle.net Terms of Use and the Terms of Use for the games you play. You are also responsible for every use of your login information, whether you have authorized it or not.

COMPUTER AND ACCOUNT SECURITY:

Account compromises can occur when a player shares login information with an unauthorized third party or plays on a computer that has a virus, Trojan, or keylogger. In a case where you believe your account has been accessed by an unauthorized party, we would like to suggest that you review the following pages for various security awareness tips (as well as how to recover in-game items or characters) before you log back into the account:

- Security Checklist: http://us.battle.net/security/checklist.html

- Types of Account Thefts: http://us.battle.net/security/types.html

- Account and Computer Security: http://us.blizzard.com/support/article/30794

- What to do if the Account has been compromised: http://us.blizzard.com/support/article/30796

- Account Security and Recovery FAQ: http://us.blizzard.com/support/article/30791

- Email Address Security: http://us.blizzard.com/support/article/30814

We highly recommend adding a Battle.net Authenticator to an account as it is the highest level of security we currently offer. For more information, please visit: http://us.blizzard.com/support/article.xml?tag=BLIZZARDAUTH.

Billing and Account Services can be reached directly at 1-800-592-5499. Players in Australia and Singapore should call 1-800-041-378 and 800-2549927 respectively if unable to connect via the first number. Our representatives are available seven days a week, between 8:00AM and 8:00PM Pacific Time. Alternately, our support team can be reached via email at [email protected].

Thank you,

Blizzard Entertainment
=======================================


The source/header info says return path/sender is battle.net, and the mail trace includes worldofwarcraft.com and wowadmin.net servers, so I assume it's a valid Blizz email. *I* did not initiate this password reset.

What concerns me, however, is that this email format DOES NOT MATCH the email *I* received when *I* used the password recovery function on the battle.net website (which I assume is the same method the hacker used to change the password on the account).


That email looked like this:
Q u o t e:

========================================
Subject Battle.net Account - Password Recovery
From Blizzard Entertainment <[email protected]>


We've received a request to reset the password for this Battle.net account. Please click this link to reset your password:
https://us.battle.net/account/support/password-reset-confirm.xml?ticket=[ticket #s edited out]

If you no longer wish to make the above change, or if you did not initiate this request, please disregard and/or delete this e-mail.

If you have any questions regarding your Battle.net account, click here for answers to frequently asked questions and contact information for the Blizzard Billing & Account Services team.

Sincerely,
The Battle.net Account Team
Online Privacy Policy
======================================


The email headers show this email to have originated with battle.net, and was also routed through worldofwarcaft.com and wowadmin.net servers.


The ticket links in both emails were to us.battle.net addresses.


Are both "real" Blizz emails??

I am assuming whomever gained access to my account used the "forgot password" link to perform the password reset, just as I did to regain access to the account. So why the 2 different formats??

If one IS a fake....how are they able to show official servers in the mail route??


If they had performed a simple change of password....this would have generated an entirely different email.
Forum Avatar
Orlyia
#1 - May 26, 2010, 8:06 p.m.
Blizzard Post
I believe these are legitimate, Tamboree.

The one from the 16th we initiated after seeing something suspicious.

I see several more password change requests - but they all seem to have been initiated by you.

There are several avenues this can be done, both from the player's side...and ours.

The nature of the emails may be slightly different depending on the source. It is ALWAYS wise to question any email that says it's from us - that is a good thing.
Forum Avatar
Orlyia
#3 - May 26, 2010, 8:27 p.m.
Blizzard Post
Hmmm, not sure about that.

You may actually want to contact Billing and follow up on that part. Better now, than have it come back to haunt the account later.