29 thoughts on “The Factions of WoW Account Hacking”

  1. Kethro

    I got hacked before I got my authenticator and I consider it my own fault. You don’t have to have an authenticator but if you don’t it’s much easier for hackers to get you. All I did was visit a website I thought was the official armory, acquired a key logger in the process and the next time I logged in, bam they had my account.

    Account security rests with the account holder, apparently I sucked at it so I got the authenticator as a backup.


  2. Winged Nazgul

    I put the blame and the fault squarely on the hackers themselves.

    It’s a radical idea, I know, but I can’t help but feel that if it wasn’t for them, we wouldn’t have this problem.


  3. Keen

    I’m somewhere between “it’s your fault” and “it’s complicated”.

    To a certain extent, it has to boil down to the individual. Did you use the same password for multiple things? Did you log in at a friend’s house or on a computer that you do not have SOLE CONTROL over what websites it visits? Do you block scripts on websites and Java?

    There are also the people who get hacked even with authenticators and who, supposedly, are very strict about their security habits. To those people I would just say “sucks to be you” and shrug. Something must have happened — you just don’t get hacked for no reason, even if it’s out of your control.


  4. wraith808

    @Winged Nazgul – Exactly! It’s the fault of the hackers, not the hacked. This trend of blaming the victim or the provider is the exact same as if you were dealing with a non-gaming account- fallacious.


  5. Wilhelm2451 Post author

    A Wraith and Nazgul agree. There has to be a joke in there somewhere.

    The problem with blaming the hackers is that there is not much you can do to stop them, unless you’ve come up with an amazing new idea, because I’ve got nothing.


  6. Para

    I totally agree that it isn’t your fault or Blizzard’s. Before I played WoW, the only multiplayer games I played were console games sitting next to my friends, then later on, fps and rts games using steam and battlenet. It is still hard for me to wrap my head around how gaming has lost its innocence.

    Now that I play WoW, I have to be careful when I check my email, when I use google, when I send text messages or use friend’s computers. I have to carry an authenticator when I travel. For most folk, this sounds like maintaining a bank account, and that’s asking too much.


  7. dorgol

    I’m with Keen – between “your fault” and “it’s complicated”. With a very heavy bias towards “your fault”.

    Despite not having an Authenticator for years, despite never changing my password, despite even sharing my acct info once (way back in Classic). Despite not having an anti-virus and even using IE as my web browser for years… I was never hacked.

    Partially I was lucky. But mainly, I’m a smart internet user. I don’t go to sites I don’t know. I don’t click links without checking where they go.

    You and Tobold talk about getting WoW-spam, but I don’t. Ever. My Gmail account (used for posting in blogs) gets zero messages. My actual email address gets ZERO spam. I don’t even get “Viagra” and “wealthy foreigners” spam.

    I have an Authenticator now, because it was free for my iPod Touch. If I didn’t have that iPod – I probably wouldn’t run an Authenticator still. 95% of the “zomg I r hacked” “victims” are victims of their own ignorance (a better word than stupidity).


  8. Thomas

    I have noticed the fake beta invites keep getting more & more “real” looking. If they were not full of links, I might fall for it.


  9. wraith808


    *grin* – I hadn’t noticed that!

    As for the rest, the problem isn’t to stop the hackers, it’s to place the blame where it is supposed to be. Instead of vilifying the victims or the providers, why not place the blame directly on the hackers, instead of giving borderline trollish remarks towards either of the other parties? True, the resolution isn’t going to come from the other end, but rather than a holier-than-thou approach, a more reasoned approach towards solving what we can would be better for those of us that live on this side of the law, IMO.


  10. Igor

    I don’t think you can stop bad guys, as long as it’s financially worth them doing so. Main problem here are gold buyers. No buyers, no business, no stolen accounts. This problem can be tried to get fixed (at least to some extent) by hitting on gold buyers and trading channels. It seems that for some reason Blizzard doesn’t do enough in that area. They do ban gold buyers (at least they say so), but frequency is far too low to be a good threat to potential buyers.

    Then what about channels? One specific gold selling site is still in business, though they were advertising in the game itself. Can’t Blizzard shut them down or they just don’t bother to (too expensive to sue or something /from their point of view, of course/)?

    It is complicated. Security awareness of majority of the users is too low (security software: why to use, what to use, when to use and how to use it) and insecurity of internet raises. Problem is generated by users taking a path of lesser resistance. Those with money and not willing to invest effort (“why should I bother grinding something, when I can simply buy it”). Companies (Blizzard in this case) not seeing further than the length of their nose and introducing things that lower security even more. I can only guess that they don’t care much. It’s cheaper for them to fix someone’s account than to go and change everything to make it more secure (which they can’t know; they needed unique identifier for all this ID bull and email was perfect choice; too much effort invested to throw it through the window). At least for now. We’ll see what future will bring.


  11. Wilhelm2451 Post author

    @Wraith – Okay, I get what you are saying and am mostly in agreement. There is, in my mind, a threshold of security awareness below which you’ve failed to secure your own best interests.

    I linked that Grass Valley post, with a list of people who had things stolen from their unlocked car in a single day, as an illustration. Yes, the thief is the bad guy, but it is hard to feel sympathy for somebody who left valuables sitting in an unlocked and unattended vehicle. But I have also worked in areas where leaving anything in your car (like spare change visible) was an apparent invite to smash your window, so it is somewhat situational.

    Now what that threshold is for a WoW account I am not sure. Somebody will say “authenticator,” and having one gets you brownie points for going all the way, but should people have to do that? And how do you fault somebody who never got a phishing email and used a very strong password?


  12. Julie Whitefeather

    We are constantly inundated by phishing attempts – some obvious, some not. It is the obvious one that has engendered our rule that whatever the message it is fake until proven true. This means we verify everything by contacting the source directly ourselves.

    In the end it is a mistake to find someone to blame. It is far more productive on how to prevent.


  13. PeterD

    It’s definitely complicated. Things like requiring our userids to be an email account (/facepalm) reduced account security, and that’s Blizzard’s fault. Blizzard also needs to do a better job of policing Blizzard-related URLs. I’ve had phishing e-mails that actually led to pages with a blizzard.com suffix. Really? Come on now.

    On the other hand, people should never ever ever ever enter their account info into a linked page. Always type in the base worldofwarcraft or battle.net url and navigate from there. That sort of thing makes it the individual’s fault.

    To the no authenticator, no sympathy faction, get bent. You should always feel sympathy for a hacked fellow gamer, even if they did something stupid, but especially since, believe it or not, it’s entirely possible they did nothing wrong and still got hacked.


  14. Brian 'Psychochild' Green

    I’ve been on both sides of the issue: a developer who had to deal with “hacked” accounts and someone who had my WoW account compromised. The reality most certainly is “it’s complicated”.

    People want simple answers, and there are none here. I heard just about every variation of every possible story about why a person’s account got hacked. Although Meridian 59 accounts weren’t valuable, most of the time the only excuse someone could come up with about why they broke the rules was that their account was “hacked”. Of course, most of the time their story didn’t agree with the logs. But, I heard everything from “I was playing on a computer at the library” to “I’ve only ever given my password to my boyfriend, and he wouldn’t do anything like that!” (Yeah, a learning experience for the young lady in that last example.)

    That said, some stories did check out, so it’s not always the case that someone’s lying. And, as I mentioned, my own WoW account got compromised. I’m experienced with internet security, I don’t follow phishing emails, and I run more trusted security software than most people even know about. When my WoW account got hacked that was actually a pretty minor inconvenience. My bigger worry was that I have a lot more sensitive information on my computers than my WoW password. So, I spent a lot of time making sure I didn’t have a keylogger or rootkit on my system. I’m still not 100% sure what happened, but I believe that someone compromised the ancient Hotmail account that I use to catch spam (and used for my WoW account) and just happened to find an old WoW email to find out my WoW info. My fault? Perhaps you can try to pin some blame on me for using webmail, but I’m not sure that’s fair.

    And, as people have pointed out, the real culprits here are the people who do the hacking: gold sellers, vengeful significant others, etc. Even the best security can eventually be compromised by someone if there’s enough profit in it.

    My thoughts.


  15. Ngita

    I am with others between your fault and complicated. Blizzard could do more, failed log in attempts and the whole using your email as your username is just DUMB. On the other hand I took it on myself to get a new email address to resolve that.

    But still trust Blizzard itself is safe, I doubt that your Mac friend picked up some sort of keylogger as I am involved in that community and there are no hints of any current vulnerability.

    So that leaves the user shared details across multiple sources, i.e. some sort of user community,

    Or phishing, and Authenticators don’t do much for phishing because we have been trained to enter user name, password and authenticator and in 30 seconds that can be entered into live.

    Incidentally, last year in my old guild the wife of the Guild master was hacked. A few weeks later we had a rash of hackings. Did they get into the guild website? I suspect so.


  16. Ray

    I played WoW before the first expansion came out and before authenticators were around. I got to level 48, then grew bored with it and walked away. I had been away from the game for several months, with my account untouched, and suddenly in the week before I went to re-activate, I got a notice telling me my account had been banned due to someone hacking it.

    How does that work? I played at an Internet Cafe, so it’s possible that someone keylogged me or the like, but if so, they then sat on my account details for weeks without accessing the account whilst I was still. Additionally, they then sat on the details for months without accessing my account, after I stopped playing and stopped subscribing, only to finally access it after nearly 3 months of dormancy?

    To me, that seems more like how events would play out if someone hacked my details from Blizzard directly in the lead up to a new expansion. Of course, the simpler possibility is that it was my fault, but the timing just doesn’t make sense for that, so to this day, I’m still confused as to what actually happened or whose fault it was…


  17. Stabs

    I voted for it’s complicated. There are methods of gaining access to PCs that really aren’t the fault of the ordinary PC user. In fact Windows and IE have traditionally carried an element of openness about them that allows viruses to be written and Microsoft to make lots of money selling essential security patches to companies. A well-written keylogger could be transmitted from all sorts of apparently innocuous methods. I heard one of the Curse addons had a keylogger slipped in at one point, another urban myth that could be true is that at one point an ad on WoWhead could infect you simply if you browsed the page (even without clicking the ad).

    I use Mozilla, NoScript and AVG. The problem with NoScript is you do actually want to see stuff so you end up overruling it most of the time. So it protects you from dodgy sites that your common sense would tell you not to trust but it doesn’t protect you if the virus is somewhere that would seem a reasonable place to trust.

    Having said that I’m sure a huge proportion are just silliness on the part of the user. I get a vast amount of Cataclysm beta invites in my spam folder and there’s a part of my brain that always says “it could be genuine, you know”. Fortunately it hasn’t managed to lure me into accepting one of these offers. Yet.


  18. InvisibleMan

    It’s your account details. It’s your responsibility, not Blizzard’s, to ensure that your account details are protected. To use an analogy, it is hardly the bank’s fault if you give your credit card to a shady dealer or leave it in a restaurant.

    An authenticator is not a requirement for security. It’s an added layer which you can choose to use if you are worried about, to use the previous analogy, accidentally leaving your credit card in a public place or giving it to an untrustworthy individual. Should Blizzard give these out for free? That would help, sure, but why do that when the problem is solved by simply being smart with your password? As I said, it isn’t Blizzard’s fault if you do something stupid with it.

    Now, it would be Blizzard’s fault if their account system was actually being hacked. However, it is not. It really irks me when people say that their account was “hacked” when in reality their account details were just found out by someone. That is not “hacking”.


  19. ScytheNoire

    It’s all of the above.

    Users who go to “bad” websites or click links in emails are to blame themselves.
    Blizzard hasn’t done enough to make things more secure. Using emails as log-ins was a horrible idea, among the dumbest ever. The authenticators are okay, but lead to more problems of hacked accounts being locked out with them (now sorta fixed).
    But Blizzard could easily use an on-screen random placement number pad and require clicking in a pin code to log into accounts along with passwords.

    So the blame goes both ways. Dumb users and a company not doing enough. Personally I haven’t had a problem, but then I don’t fall into the first group.


  20. InvisibleMan

    “But Blizzard could easily use an on-screen random placement number pad and require clicking in a pin code to log into accounts along with passwords.” – ScytheNoire

    I need to comment on this… Contrary to popular belief, those are actually not secure. If a program can detect your key presses and log them, they can just as easily do the same for your mouse. Write a little code to detect where the pad is on the screen and it can send that in its report as well. If that doesn’t work, just take a screenshot and send it (compressed as much as possible to ensure it gets through). The point is, if your computer is compromised, anything you do on it is compromised, no matter what security measures you are taking. Now of course, some keyloggers won’t be this advanced, but having a random pad (which is bothersome and annoying for the user) just to prevent those less advanced keyloggers is not really worth it.

    I’ll agree that using your email address as your login ID is not the best idea as far as security goes. But I personally always assume my login ID, no matter what service I am using, is compromised already. For me, it always comes down to protecting my password in as many ways as I can. Keeping your login ID secret is of course another helpful layer of security, but there are few services which completely allow this.


  21. Wilhelm2451 Post author

    @InvisibleMan – The problem with your analogy is that you assume that the person who got their credit card information stolen, or their account hacked by logical extension, did something that a reasonable person would know was obviously wrong.

    I have had my credit card information stolen and used twice in the last decade. Both times the trail led back to reputable restaurants where somebody on the staff was skimming credit cards and selling the information. Was that an act that a reasonable person would see as an obvious risk, paying a restaurant check with a credit card?

    I cannot buy into the “You got hacked, therefore you did something you knew was wrong” line of thought. You might as well simplify it, as another commenter did on the post I referenced, and declare that if you got hacked, you clicked on a phishing email, end of story.


  22. InvisibleMan

    @Wilhelm2451: It could happen by accident, but that wasn’t the point of my argument. The point is that it is your responsibility to protect that information. The service provider does what it can to prevent account theft (and performs cleanup afterwards if possible), but just like having an authenticator, that should only be a fall-back position. You are the first line of defense.

    Not all service providers will provide adequate protection on their end, but I believe Blizzard is doing what they can.


  23. Kergguz

    I was hacked this weekend, yet I remain in the ‘It’s your fault’ faction. I’m very careful about keyloggers and the like, so the most likely reason for me getting hacked is that I simply use the same password far too often around the net. Sooner or later that info gets into the wrong hands. Have now changed all my passwords to something different and unique, and keep track of them all with a cheap application on the iPhone (good until that gets hacked too!).

    What was interesting in my case is this- Blizzard had recognised suspicious activity on my account, locked it, returned my stuff (plus some extra gold) without me even registering a complaint. I changed my password, logged in to discover my toons naked but all their gear waiting for me in the mailbox. Good job Blizz!


  24. Jason

    Put me squarely in the ‘Your Fault’ camp. I’ve played WoW since launch, and have never been hacked. I still don’t have an authenticator. I don’t see a need for one. Are they extra security? Yes, but if you’re lax about security it’s wasted money anyway.

    On the subject of comparing it to CC theft, it’s really not comparable. As Wilhelm points out, CC theft is more likely to be the result of a skim than anything else.


  25. wraith808

    @Invisible Man – it is hacking. Hacking isn’t just something you do at the computer- ask most of the first ‘hackers’. When security was just something that applied to physical barriers, they found passwords by asking questions, digging through trash- all of that is hacking. It’s just social hacking, so the term applies.

    @Jason – Wasted money? You don’t have to pay for it if you get the software so there’s no money to waste. And the point is, you *can’t* be lax about security if you have an authenticator. Unless they actually hack the id servers, there’s no way to be hacked. And as a last point, no matter how paranoid you are about security, you can still be hacked if someone puts their mind to it- never think that *any* security is hack-proof- it’s just a matter of making it as hard as possible so that it makes it not worth the time to do it.


  26. wraith808

    @Invisible Man- just to expand (hit the button a bit too fast), Social Engineering has wider connotations than just hacking. Cracking relates to the strictly computer related methods of getting into a system. Hacking relates to the whole plethora of methods used, including social methods.


  27. Titan53

    I have played since the launch and never been hacked. I do use some simple security measures that help protect me. First, my battlenet account was set up with a separate email address (made just for the occasion) and password that is only used for WoW. Any WoW emails that come to this address are studiously ignored. Second, I never use anyone else’s computer to play on. Third, I never log in with my account email and password. I have them stored in a notebook page and when I want to log in, I copy and paste them (actually faster than typing them in, as my password is a random 17 letter-number combination). On the off chance I get a keylogger, all it will see is ctrl-v for both my email address and password. I have decided that I will be getting an authenticator also (can’t be too careful).


Comments are closed.