Hacked even though I have authenticator

#0 - Aug. 2, 2010, 7:10 a.m.
Blizzard Post
I'm currently in the middle of being hacked. I was in the middle of a raid, got kicked from the server, and now my friends tell me I'm logging onto all my toons, deleting gear, and emptying guild banks. All this even though I have an authenticator.

I'm not sure what to do. I still have full control of my account (I've changed my password, set parental controls to 0 play time), but the hacker's still online, and I can't log on (I assume because he's on).
#9 - Aug. 2, 2010, 7:40 a.m.
Blizzard Post
Quote:
I'm currently in the middle of being hacked. I was in the middle of a raid, got kicked from the server, and now my friends tell me I'm logging onto all my toons, deleting gear, and emptying guild banks. All this even though I have an authenticator.

I'm not sure what to do. I still have full control of my account (I've changed my password, set parental controls to 0 play time), but the hacker's still online, and I can't log on (I assume because he's on).


This has been reported, and I don't believe they are still online, Alachaar.

May I ask what type of mobile you are using? If it's an iPhone, is it jailbroken?
#12 - Aug. 2, 2010, 7:52 a.m.
Blizzard Post
Quote:
iPhone, and no, it's not jailbroken. It is first-gen (i.e. not using the latest OS) if that makes any difference.


This is very odd since I don't see this taken off.

Jailbroken iPhones can have their security breached (those safeguards are taken off) and they literally 'copy' the authenticator from a backup on your system.

Not sure about 1st gen phones.

If you were online and got booted, this doesn't sound like any kind of man-in-the-middle. Those have to be done realtime as you are logging in.

There really are only two ways I'm familiar with that this can happen: they lifted your authenticator itself from a backup or they were given the sign-in code realtime. I'd check your system for malware. Did you back your phone up to your system (or any PC)?
#16 - Aug. 2, 2010, 8:08 p.m.
Blizzard Post
A man-in-the-middle attack has to be done real-time. Those are noticeable because you don't actually get logged in; it's malicious software that mimics the login page and you are actually communicating with the compromiser, not Blizzard.

Actually copying the authenticator (mostly on jailbroken iPhones) actually makes a physical copy of it.

It's like they have it in their hands.

What I'd recommend here is first - remove this authenticator, then very quickly redownload the app so that you get a new serial number and do NOT back it up. Apply that new serial number to the account immediately.

I don't know if there is a vulnerability in 1st gens, but that would appear to be what happened here. Somehow, they got your backup.

You might want to look into getting a physical authenticator as well. Those aren't vulnerable to this in any way.
#18 - Aug. 2, 2010, 8:27 p.m.
Blizzard Post
Quote:
Update: I was finally able to get back on my account. I've been retrying login every 2-3 minutes, and it finally popped...I had changed nothing from previous attempts.

New authenticator is installed and running.

So now it's a matter of putting in a ticket for my stuff back and hoping that the new authenticator took care of the issue.

Thanks for the help.


It should - as long as they can't get ahold of it.

I'd continue to scan your system. Something is up - or at least was at some point for them to have been able to get that from you.

Some types of malware can be very difficult to find.
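
The distinction drawn in the replies above (a sign-in code handed over in real time versus a copy of the authenticator itself, and why enrolling a new serial fixes the latter), as an added example that is not part of the original thread. The thread does not say which algorithm the authenticator uses; standard RFC 6238 TOTP is assumed here as a stand-in, and all function names and the replacement seed are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code window (RFC 6238 default; an assumption here)

def totp(seed: bytes, now: int, digits: int = 8) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `now`."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts(enrolled_seed: bytes, code: str, now: int) -> bool:
    """Server check: the code must match the enrolled seed's current window."""
    return hmac.compare_digest(totp(enrolled_seed, now), code)

def scenarios() -> dict:
    old_seed = b"12345678901234567890"   # published RFC 6238 test seed
    new_seed = b"constructed-new-seed"   # constructed: seed after re-enrolling
    t_login = 59                         # RFC 6238 test time
    t_later = 1111111109                 # RFC 6238 test time, long afterwards
    relayed = totp(old_seed, t_login)    # a single code given away at login
    return {
        # A relayed code only works inside the window it was generated for.
        "relayed_code_at_login": server_accepts(old_seed, relayed, t_login),
        "relayed_code_later": server_accepts(old_seed, relayed, t_later),
        # A copied seed keeps producing valid codes at any later time.
        "copied_seed_later": server_accepts(
            old_seed, totp(old_seed, t_later), t_later),
        # Once the account is bound to a new seed, the copy is useless.
        "copied_seed_after_reenroll": server_accepts(
            new_seed, totp(old_seed, t_later), t_later),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```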