Fortunately it wasn’t my account.
Nor was it any of the accounts of the regular instance group.
One of our friends, who rolled up a character and started playing about the time we switched over to horde (because isn’t that how it always goes?) and kept playing on Eldre’Thalas in our guild while we were off to Lightninghoof, his account was compromised.
Among the things assaulted was our guild bank, to which he had full access.
I would not have even noticed this except that Blizzard sent me an email this morning about the guild bank.
Recently one of the members of your guild was the victim of an account compromise, and during the course of our investigation it was discovered that items were removed from the guild bank while the account was out of the control of your guild member. The items have been returned to you as attachments to an in-game mail. We sincerely apologize for any inconvenience this has caused.
So I logged in to WoW and, sure enough, there were 7 in-game messages waiting for me, all with attachments.
I’m not sure we would have missed a lot of the stuff that was taken. According to the bank log, it all went out the door at least 11 days ago, and it might have been a lot longer before any of use took note of our own accord.
Of course, our guild bank wasn’t exactly a Fort Knox of treasure.
There were a few minor valuables in guild bank. They took all the elixirs, all the primals, all the eternals, a pile of Northrend herbs, some potions, some imbued netherweave.
But they also took a bunch of crap. Netherweave bandages? Two Scrolls of Intellect III? A copper modulator? Health and Mana injector kits? All four stacks of pygmy oil? Really?
And the crap list is made more amusing by the list of stuff they left behind. That stack of khorium ore which was next to the copper modulator. A quarter of a bank tab of enchanting materials. All the motes and crystallized materials that could have been turned into primals and eternals. Heck, they even left behind a Scroll of Intellect VII, preferring the III instead I guess.
But we have it all back now. And I was prompted to kick a few really old accounts from the guild, lest we find out that their accounts got phished and reactivated.
More tales of accounts being hacked and Blizzard having to retrieve things.
The Ancient Gaming Noob 
As I understand it, the only ways an account can be phished is to visit one of those gold sites, or to click on a link in an email. Is there any other way?
LikeLike
When my account was compromised, I noticed that they did leave some stuff behind. I imagine the gold farmers have an automated system that grabs most things. Grabbing everything probably raises red flags on the server side, so they leave a few random items behind and hope not to trip the detection.
Note that they’re just interested in selling the items. Therefore, all the enchanting materials would be worthless because you can’t vendor them. They probably don’t expect to be around long enough to actually sell them at auction. As I understand it, they will compromise accounts and then wait for an order to arrive before doing the smash and grab.
Ahnog wrote:
As I understand it, the only ways an account can be phished is to visit one of those gold sites, or to click on a link in an email. Is there any other way?
I think you’re using imprecise terminology here. Phishing means someone sending you an email hoping you’ll share information (or click on a harmful link). Getting phished only requires an email address. Tobold’s recent post talks about how he gets phished on his well-known email address all the time.
Getting your account compromised doens’t require going to a gold seller site, either. When I got my account compromised, I hadn’t bought any gold. I’m pretty paranoid about computer security, given that I develop games for a living. As far as I can tell, the weak point was the email account I had associated with my WoW account. I used a pretty lame password for it, since it was mostly a throwaway account I use on occasion; that, and Hotmail isn’t exactly known for being super-secure.
So, it can happen to just about anyone unlucky enough. It can be a real pain in the ass. :P
LikeLike
The same exact thing happened to us about 4 or 5 days back. We are a very closely-knit group of players who have been playing for 5+ years. There are no officers or ranks, everyone is equal, and everyone as access to the gbank.
We might want to revisit that last bit after one of us got his account hacker, and the hacker cleaned out the bank!
LikeLike
Many guilds are going to a ‘No Authenticator, No GBank Access’ rule. It’s sad that things have come to that.
LikeLike
They sell everything and anything they can. If it will sell they vendor it, if you can shard it, be sure they will.
Mine was stolen recently and they dressed me up in my fire festival garb, spammed gold adverts and had me beside a mailbox. I assume they were in the process of trying to mail off what they had sold and disenchanted. The cleaned out my bank selling everything I had stuff restored I didn’t even remember having.
They even sold off my bags.. lol. I suppose it really comes down to who gets their hands on it. Glad you got your stuff back! I was very glad to get mine restored. Two pages of items in the mail… they did some damage.
LikeLike
This happened to our guild – twice – in about a month’s time. The first time we noticed someone logging on who hadn’t been on in ages, and he said nothing to anyone. Next thing you know the guild bank’s been cleaned out.
We called out GM and he logged in and busted that toon and all his alts to a rank that only had window shopping (and depositor, of course) access. One of the officers sent a petition and within a day we had all our stuff back.
The second time the GM got everything mailed back before we even knew there was anything missing – about 75 pages of mail.
Blizzard is on top of everything, in my opinion.
And me, being the rule and discipline loving person that I am, strongly urged the GM to make that ‘no authenticator, no bank access’ rule.. He refused, but I had to try.
LikeLike
Instead of investing in things like authenticators, I’d like to see Blizzard take some simple steps to increase their accoutn security. Just like banks do, couldn’t they ask a random simple question such as your mother’s maiden name, first school, dad’s first name etc? That would really help with issues regarding password security.
LikeLike
If Blizzard is going to increase their security by asking for input at all, why not make it for something very specific, that is different every time – like a randomly generated number displayed on the free (iPod app) or cheap (via mail) generator?
I, for one, don’t think simple questions such as your mother’s maiden name, father’s middle name, etc. are as secure as randomly generated numbers and am quite happy to take an extra three seconds and enter my authenticator number. Why are you opposed to it, We Fly Spitfires?
LikeLike
As someone who has just had their account hacked (just got my stuff back today) and also someone that does not just go around clicking on anything, I’m really starting to believe account hacks are less and less to do with the account holder, and more to do with security on Blizzards end.
Of the thousands of people whose accounts are getting hacked (and the number is steadily increasing), do you honestly believe everyone of them clicked on a stupid link or typed in their password to a fake site? Something smells fishy here and it’s not last night’s dinner.
Blizz needs to step up and do something about account security from their end. And I don’t mean putting a money making authenticator on the list of must do’s.
One of the best suggestions I think, woudl be if you received a code when you bought your game that automatically locked your account if you entered it into the blizz site. No more staring from another account as you see yourself running around naked back and forth between the bank and the mailbox. The ability to lock your account straight away, and let blizz give you the couple things you did lose in that 2mins back later. I’m pretty sure if they couldnt get any gold off your account, hacking would quickly decrease.
Or perhaps a scramble pad on login (like online banking) might help.
Instead they add another item for sale to their store and give us a speel about how our account security is the account holders sole responsibility.
What is the point of me locking all my doors if Blizz keeps leaving the windows open?
LikeLike
Charlie – how would they implement a scramble pad? Who would pay for that? I bet it would cost more than an authenticator.
I don’t know what all the resistance is to an authenticator. You can get one FREE for your iPod or phone. If you don’t have one of those devices, you can pay the ridiculously expensive amount of SIX DOLLARS AND FIFTY CENTS to get a little plastic thing in the mail.
C’mon. That’s roughly the price of two energy drinks, and who among us is resistant to paying for a nice gullet full of AMP or Red Bull or Monster or Rockstar?
LikeLike
@Charlie – I have to say, if you think Blizzard is making a lot of money off of authenticators, you are wrong. At $6.50 a pop, that is probably a revenue neutral line at best.
And, yes, Blizzard could have gone for a cheaper method, like the bingo card route, which is essentially a paper authenticator, and dropped one in every box. And maybe they will with Cataclysm. But that train has already left the station since most of us already have accounts and are unlikely to be buying a new box any time soon.
But to Piacenza’s point, you can get a free authenticator if you just have a somewhat recently made cell phone. You do not need an iPhone, Blizzard has authenticator apps for dozens of phones. Go look at Blizz’s site.
However, suggesting that security is somehow being compromised at Blizzard’s end… you’re going to have to sell me on that one a little more. My wife and mother-in-law both end up with malware crap on their computers which I have to then eradicate, but both swear that they never click on any links from strangers in email and they never visit any dubious sites.
And while I am trying not to take a “blame the victim” stance here, there is a level of responsibility we have to take for our accounts. I don’t think a lot of people realize how much cash value their accounts represent, at least in the eyes of the bad guys.
Read Psychochild’s story of getting his account compromised. There was somebody as careful about his account security as one could be who still ended up getting taken via a back door route.
LikeLike
Have any of you actually BOUGHT a physical authenticator? One that isn’t an app? Although the pricetag says $6.50, for people in Aus (where i am) they actually work out to be $26US. I imagine they probably cost 50c to make.
There are alot of people that don’t have phones that can run the app so assuming the majority can is a pretty big assumption.
@pia – i didnt mean a physical one. i meant online when you login. surely of all the things blizz has created, they are capable of making an online scramble pad.
@ willhelm – i do realise there are some people that swear black and blue that they never click on links etc, but honestly… every single account hack? There is too many.
I will admit I was not sold on this theory till recently. I had started to think it was getting sus, but hadnt really gone too far down that route. but in the space of a week 4 people i know all got done and i just dont believe its always the account holders fault like everyone believes. Dont get me wrong, there are some that go to gold sites or click on links in whispers, but I really don’t think that accounts for every instance.
There are articles out there about the increasing number of account hacks and blizzard’s security.
On a side note, my wow remembers my username so i havent typed it in probably since i bought wrath. I do type my password every time. Even if i DID have a keylogger, how exactly do you think it gets my username to couple with my password if it’s not typed in?
LikeLike
@Charlie – I have purchased two, one for my account, one for my daughter’s.
The authenticators are actually precision instruments and have to keep time better than your digital watch, since if they drift they cease to work. They are primarily made for financial institutions and other industries that require high security for remote access. I had about a dozen on in my desk at my last job for customer sites.
And if I go trolling around for VASCO Digipass Go 6 replacement units, because that is what the Blizz authenticator is, I find them going for $20-40 new. So the whole “Blizzard is gouging me because the damn thing only costs fifty cents” complaint looks like an exercise in pulling numbers out of ones ass.
As for the price in Australia, what isn’t more expensive there? Are you telling me that Blizz has decided to specifically gouge people below the equator? Or does Aus have some tariff to protect an indigenous network security industry?
On the subject of phones, I previously had a five year old phone that was the cheapest I could find on the cheapest plan and service I could find, and there was a version of the authenticator app for it! I hadn’t bothered to even check and bought the Blizz authenticator instead. Basically, there are damn few phones these days that cannot run some apps or games, and if they can do that and download ringtones, there is probably an authenticator app for it. So I am not assuming the majority can, I actually have some proof rather than your handwaving assumption. As I said, go visit the authenticator download site and check out what they support. It is a lot of phones.
Finally, your account name. It is an email address, right? For most users I am going to guess it is their main email address. Are you telling me you never type your email address anywhere, that it isn’t embedded as your return address in your email application? POP is crap for security. I used to pull people’s password off the network at the office with a packet sniffer.
Or do you have a Facebook account? Do you use the same password for Facebook as the email address you have associated with your account? The guys at Facebook don’t encrypt that stuff from themselves. They’ve been caught accessing people’s email, and while they swear they’ll never do it again, they are not exactly the most moral group in the book so far when it comes to user privacy.
So, yes, you could keep a tight enough rein on your account that it would be unlikely to get hacked. And maybe you are. But there are a lot of doors into your information, and just because you didn’t visit a gold seller site or click on a phishing email, doesn’t mean it must be Blizzard’s fault. Blizzard does not have to be lax in security for people to find ways into your information, and I do not believe that they are. Being so is counter to their interests. Selling authenticators is a business that they would rather not be in I am sure.
Again, read the story linked in the comment above by Brian “Psychochild” Green. He didn’t get phished of have a keylogger, but still got hacked.
LikeLike
@Charlie: To follow up, more as a thought exercise based on what you said than proof either way, but it seems that the likelihood that members of the same guild could have their accounts compromised would actually be higher than random individuals if certain conditions existed.
For example, do people in the guild, and specifically those four members, exchange email outside of the game using the email addresses associated with their accounts?
Does your guild have a forum that allows access to people outside of the guild? Are email addresses visible or available? Is it hosted by one of the guild members or a third party service?
And none of these may apply, but I am just trying to point out that, once you start digging into it, the number of places that people can scoop up your account information is bigger than you think at first glance. You do not have to click on the link in a phishing email or visit some dubious web site.
On the other hand, the more I think about it, the less I like Blizzard’s mandate to change everybody’s account ID to an email address. I was somewhat neutral on it before, having an abundance of such addresses, but the more you think it through, the more you can see that Blizzard made a mistake and is culpable to some degree by simple making it easier for hackers to get the information they need. And don’t get me started on Real ID. That just seems to be an open door to get yourself and all your friends hacked.
LikeLike
I’m just putting my thoughts out there, and just because you disagree or have info that leads you to believe otherwise doesn’t mean it leads me in the same direction.
Whether Blizz gets their authenticators from the CIA or the local cheap shop, I don’t believe they do anything for free. They are in this for the money, remember (the gaming business).
Re. the phones, my phone does not support the authenticator or any kind of application. It’s just not built that way. Yes, I have an old phone. But i like it, and if it died today i would want another one just like it lol. So, it wasn’t an assumption. The list may be long, but it definitely does not cover everyone.
I don’t type my email address in anywhere on the computer I play WoW on, and my battlenet acc doesnt share the same pass as anything. Whether my email can be phished is a different thing, i’m sure it can. My question was more towards (and it is actually a question, not rhetorical) I don’t know how they would phish your email from one place and then be able to link that email account with the password they have gotten from another place? And then on top of it all link it to a battlenet account – there are alot of emails out there that arent.
Of the 4 people that got hacked, none were in the same guild, and as far as I know no emails are passed. Friends list could be a link? I dont know, can they do anything with character names? Then again why not just pick one off the armory.
RealID amazes me… that Blizz could implement something like that with so many fundamental flaws.
LikeLike
@Charlie – You are right. If you’re are determined to claim Blizz is the force behind accounts getting hacked and that they are doing it to drive authenticator sales, there is likely naught I can do to change your mind. I’d be interested to hear who you think killed President Kennedy while we’re at it.
Blizz does stupid things from time to time, and I gripe about them loudly. But as you point out, they are in it for the money so any theory that goes against them pursuing that interest (like, say, endangering a $15 a month revenue stream for a $6.50 one time purchase) rings very hollow in my ears.
LikeLike
You’ve clearly gotten sidetracked from my point.
I at no time said that blizz was hacking accounts to sell authenticators.
What I did say was that I thought they could be doing more to prevent it rather than selling items, and that yes i believe there is some profit to them in authenticators.
Also, if they restore accounts, its not really endangering their monthly revenue.
Each to their own.
LikeLike
But it costs money to restore accounts. Probably way more than the profit they’d make from selling someone a $6.50 item.
LikeLike
Charlie: “You’ve clearly gotten sidetracked from my point.”
Not at all.
You have said that you feel Blizzard is in some way culpable for accounts being hacked based on what I would have to describe as an unsubstantiated feeling.
You have also said you believe Blizzard is selling authenticators as a money making activity.
I drew your argument out to a ridiculous extreme, but even stated as above, my response to the idea remains the same: Blizzard is not going to potentially screw up a $15 a month revenue stream for a $6.50 authenticator sale. They would be idiotic to do so. And, as Piacenza points out above, there is a cost to Blizz in customer service hours to deal with these hacked accounts.
Now, if you can come up with a scenario where Blizzard is both protecting its revenue stream and not actually serious about account security, I’d be glad to hear it. But so far, I’m not buying into your point of view.
LikeLike