The Authenticator and the human element

#0 - Aug. 5, 2008, 2:16 a.m.
Blizzard Post
I have been reading through rather extensive posting on the net in various locations where it is stated one WoW player had an authenticator removed from their account without permission of the account owner, but by a hacker impersonating that account owner.

The links concerned are as follows ... a Blue please edit out if this is felt to be inappropriate

<Only removing to alleviate any specific commentary regarding a third-party source.>

All three links talk about the same incident ... and a Google search fails to find any other reported incident of security breach where an authenticator was involved. Plenty of gratuitous remarks about Blizzard in reference to this one reported claim, but nothing else.

Ok, why do I post this ...

I want to provide the opportunity for a kindly Blue here ( if they are permitted to do so, and I understand they may in fact be specifically forbidden to comment directly on this case ) to ..

1) verify or deny the occurrence of this incident where an authenticator was removed from an account without the account holder's permission ( ie. a hacker managed to convince Blizzard they were the account owner )

2) if this is verified ... that new procedures are put in place to prevent such an occurrence in the future ( or maybe simply ensuring that existing procedures cannot, by human error, be bypassed again )

And a pre-emptive thank you to other posters for not turning this thread into a flamefest.
#7 - Aug. 5, 2008, 3:28 a.m.
Blizzard Post
I don't wish to reveal too much about this person's account, but due to the inflammatory nature of the article in question and the linked threads, I really feel the need to clarify the happy-haps.

I personally researched this issue. I can say with 100% certainty that the Authenticator was never removed from the account in question.

Additionally, when the password was first changed to "compromise" the account, Billing requested the serial number, which is located only on the back of the physical Authenticator--and it was provided.

I hope this helps assuage your fears, Podric.
#10 - Aug. 5, 2008, 4:02 a.m.
Blizzard Post
Quote:
Why people try and pull a fast one over someone who has all the information in front of them, continues to amaze me. But that's why I hang out here - it's amazing.

Hope your tokens are working out for you Podric, still weighing up if I want to pay the shipping from Europe.


The account was almost certainly accessed by sources besides the normal owner, though I'm afraid the details on that are more than I can provide.

My main point here is that the authenticator was never removed.
#12 - Aug. 5, 2008, 4:14 a.m.
Blizzard Post
This is a very, very zig-zaggy "compromise". Pieces are falling into place with my investigation but I think it's pretty safe to say that neither Blizzard's security nor the security of the Authenticator is at fault.