This really concerns me Blizz!

#0 - June 29, 2010, 6:29 p.m.
Blizzard Post
Hi Blue Post People,

I am currently an officer for a progression guild on the Gorgannash server as such I spend a lot of time recruiting players to help us through the content. My biggest problem however is NOT people leaving the guild of their free will it's because of account hacking!

It seems 1 out of 5 people I recruit get their accounts hacked within the month or sooner! Not only do we seem to be a targeted guild but now I feel like I should be making some sort of commission on the number of Authenticators I have sold for you. Seriously!?

I also suspect accounts are being compromised on your end and through your system because majority of the response I hear from the user getting his account back is "I didn't do anything" in anycase I think it's fair for me to expect you to keep your PAID Subscribers Safety your number one priority unless you of course intend to pay me for selling your merchandise.

I'm tired of recruiting players only to have to replace them the next day. I would appreciate a response to this matter and possibly action taken to secure our guild further this is just ridiculous.

Thanks for your time,

- Paid Subscriber
=============================
ps. to clarify, I just don't care one way or the other what your point of view is (ppl), being that I'm not convinced any of you are experts on this matter. Unless of course you have worked for Blizzard on their Authentication Servers. However, constructive advice I am always interested in and I have taken some of the better posters ideas to add to the security of our guild.

please continue, seems obvious this is a pretty hot topic and it does amuse me while our server continues to be offline.

Thank you Blue Poster(s) for your input on this matter, for the moment I'll simply continue to advertise and sell your product for you being that theirs really no alternative at this time. I would however like to see a better future for Blizz security.

From another topic I read where someone was actually hacked today a guy responds to a comment which I thought sums everything up nicely:

Statement:
Most companies today just tell the customer "tough luck" it was your job to secure your computer. Blizzard does require two login technology a username AND password.

Quote Response:Treazure
"That may be true of gaming companies, but I would really love to see your reaction if your bank account was drained and your bank told you "too bad, it was your fault." Won't happen. And a username and password is not double login technology. Google it. "
#16 - June 29, 2010, 6:57 p.m.
Blizzard Post
Q u o t e:
Hi Blue Post People,

I am currently an officer for a progression guild on the Gorgannash server as such I spend a lot of time recruiting players to help us through the content. My biggest problem however is NOT people leaving the guild of their free will it's because of account hacking!

It seems 1 out of 5 people I recruit get their accounts hacked within the month or sooner! Not only do we seem to be a targeted guild but now I feel like I should be making some sort of commission on the number of Authenticators I have sold for you. Seriously!?


I'm sorry to hear that your members seem to be getting compromised. There are a variety of reasons why this may be the case, but it would be wise to point your guild members to our sticky on the topic of account compromise for further guidance about security:

Account Hacked? Security Issue? Look Here!
http://forums.worldofwarcraft.com/thread.html?topicId=24702231244&sid=1

There are a number of possible sources for a compromise, but amongst the more common is phishing. These phishing attempts have become more and more sophisticated over time, and even savvy players can fall prey in a moment of inattention. Are your guild members posting email addresses publicly, or furnishing them to an agency? If so, then they might be targets of phishing emails for that reason.

Q u o t e:
I also suspect accounts are being compromised on your end and through your system because majority of the response I hear from the user getting his account back is "I didn't do anything"


No. To date, there is no compromise on our end, and if you and your guild members are to take the necessary steps to ensure appropriate account security, it is crucial to recognize that the source of a potential compromise is within your domain. As mentioned above, if there is no trace of malware on a system scanned with appropriate software, then the likely culprit is a phishing attempt.

Q u o t e:
in anycase I think it's fair for me to expect you to keep your PAID Subscribers Safety your number one priority unless you of course intend to pay me for selling your merchandise.


We do take account security quite seriously, but please understand: Blizzard Entertainment is not in a position to force our players to keep their accounts secure. We go to great lengths to increase awareness, and we've made the Authenticators available as well, in addition to other steps. Ultimately, the responsibility for account security rests squarely and solely in the hands of the account holder.

I would also like to remind you that there is a Mobile Authenticator which is free of charge (or carries a very low cost) for those with compatible devices:

Mobile Authenticator FAQ
http://us.blizzard.com/support/article.xml?locale=en_US&articleId=26109

Mobile Authenticator Compatibility Page
http://mobile.blizzard.com/support-compat.html/

Q u o t e:
I'm tired of recruiting players only to have to replace them the next day. I would appreciate a response to this matter and possibly action taken to secure our guild further this is just ridiculous.

Thanks for your time,

- Paid Subscriber


I recognize that you are frustrated, but we are not in a position to secure your recruits' systems for them. We are unable to seal lips to prevent the sharing of account information. We cannot see through their eyes to shield them from phishing attempts. We will not log into their systems to install and run an appropriate suite of virus and spyware scans. If this have been a consistent issue, then increasing awareness on the part of your recruits, ensuring that they know how to recognize phishing attempts, and advising them of appropriate malware scans would be a good first step.

Truly, I wish you luck.

Q u o t e:
have a 16digit mixed password copy and pasted isn't enough.


It isn't =/. This will, quite literally, do nothing to protect you from the average keylogger.
#79 - June 29, 2010, 9:22 p.m.
Blizzard Post
Q u o t e:
And I am gonna quit now...before I anger the Blues.


Thank you =)

Q u o t e:
Sure they do, it may be stored as a MD5 hash, or some form of encryption but its there. 128 bit encryption was broken the week it was released...so no amount of encryption will truly "hide" your password.


Just for the record, your passwords are inaccessible to us. This is also part of the reason why a Blizzard Entertainment employee will never ask for your password.

Let's please turn down the hostility and allow a little civility into this thread. I'd prefer not to lock it unless that proves necessary.
#93 - June 30, 2010, 12:27 a.m.
Blizzard Post
Q u o t e:
Weve all had to make new accounts and buy all the expansions all over again. Is this a money making tactic by blizzard?


What on earth? You didn't need to make new accounts nor purchase expansions. While it carries its own costs, we are happy to help our players recover from a compromise whenever we can. It should have been possible to contact our staff for assistance, if these accounts were registered to you.

For the record, as of this moment, no: we have not been compromised, nor are we somehow responsible for the compromise of a player's account. That your accounts were compromised after merging into a Battle.net account is the product of an unfortunate coincidence, though it may be attributable to increased efforts to compromise accounts that these agencies have moved toward in recent days.

Q u o t e:
Is this a money making tactic by blizzard?


Nope! In the vast majority of cases we assist our players with recovery, which carries its own costs. More unfortunate, some players don't understand that there is help to be offered and abandon their accounts and World of Warcraft rather than asking for assistance.

The idea that we would intentionally allow such a thing is somewhat beyond ridiculous. It literally defies logic.
#95 - June 30, 2010, 12:31 a.m.
Blizzard Post
Q u o t e:
A blue told me in another thread to spam call the support line (lol) but that hasnt worked ever.

I to buy new expansions if i cant access my old account....


That's one of the best ways to get through, it's true. Still, we may be able to assist via another channel, such as email. Have you read our sticky on the subject of account compromise?

Account Hacked? Security Issue? Look Here!
http://forums.worldofwarcraft.com/thread.html?topicId=24702231244&sid=1