I’ve been a huge fan of the Diablo series since the first installment and was happily installing my copy of Diablo III the day after launch. Because I had my copy shipped and started playing the day after the official launch I didn’t face the login nightmares that many others did. I was able to play right away and spent about 30 hours engrossed in the D3 universe over the next week.
On the 24th I logged in to find that all of the items in my stash were gone, along with my gold. I didn’t notice it at the time, but I also had a new friend in my Social panel. I thought that there must have been some kind of glitch with an update that Blizzard applied. No problem; I’d just open a ticket and they could restore my lost items. So I opened a support ticket and waited.
A day went by and I didn’t hear anything from Blizzard. I logged into my account again and found that the clothes my character had been wearing had now been stolen as well. So I went a’Googling and found that many, many other people have been logging in to find their items missing and that this was no glitch – it was good old-fashioned thievery. I updated my ticket and explained that I believed my account had been compromised and asked Blizzard to look into it and restore my character, as is their policy.
Another two days passed and still I hadn’t heard anything. I opened a new ticket, this time using the pre-defined “I think I got hacked” subject line, and was surprised to find my character restored within three hours. I’ve since changed my password and added an authenticator to my account, but Blizzard has some serious explaining to do. In no particular order:
- If Blizzard’s security is so abysmal that they don’t trust their own login systems and have to rely on authenticators, shouldn’t they be up-front about that? I certainly wasn’t told that having an authenticator attached to my account was the only way to ensure any level of security. It was news to me when I read over at Cinema Blend that Blizzard is telling customers that authenticators are recommended. Why didn’t Blizzard send the authenticator to everyone who purchased the game, or better yet, just secure the damned login system itself?
- Not only are they recommended, but Blizzard is taking things a step further by telling customers that if you don’t have an authenticator set up, you’re basically asking to get hacked. Unfortunately they have only been telling people this via the forums, which are visited by only a small percentage of the gaming community, and even then you have to know where to look to find the thread. Why is Blizzard using such a small microphone to tell everyone about the security risks present to millions of their customers?
- When Blizzard finally replied to my ticket requesting my account be restored, they didn’t answer my question asking how my account was compromised. Instead, in a separate E-Mail they stated “Please be aware that your computer may contain a malicious software program, such as a keylogger, or the account information and password may have been shared with others.” I have never shared my account information with anyone else and malicious software seemed unlikely, since I’m in the IT industry and keep my computer properly protected at all times. Just for kicks I ran three different scans using three different anti-malware utilities and guess what? No keyloggers found. Other popular excuses given by Blizzard as to why accounts are being compromised include purchasing gold and other items on the black market and phishing scams via E-Mail, none of which I have been a part of. Blizzard is quick to point the finger at the customer, blaming us for our accounts being compromised, but what they seem unwilling to do is accept responsibility for an insecure authentication system and a complete inability to stop the attacks from happening. Why can’t Blizzard admit that there is a larger problem at hand and that it goes beyond the customers who inadvertently give their credentials away?
- What seems obvious to me and thousands of others in the forums is that if a third party is able to brute force a password, Blizzard isn’t doing something right. How are they circumventing the systems that lock you out after a number of incorrect password attempts? How are they able to continue to attack Blizzard’s servers without their IP addresses being tracked or banned? Most people report that they have new “Friends” after being compromised. These are usually level one characters clearly created for the purpose of transporting stolen gold and items. This should make it even easier for Blizzard to track down and ban the culprits. Is Blizzard’s network operations team completely inept?
- If the thieves are actually obtaining our passwords through any means, then we need to know it. After all, they’ll have at the very least our E-mail address and password. Many people use the same information for countless services from online banking to Facebook. So far I haven’t seen Blizzard come out and say exactly what information the hackers typically gain access to. This information is vital for the consumer. It’s one thing if the bandit uses some kind of login spoofing technique to hijack an account temporarily and steal your goods. It’s quite another if they are logging thousands of E-mail addresses and passwords which could instantly be used to cause endless headaches for all involved. When will Blizzard be forthcoming with how the attackers are accessing our data and how much of it they were able to obtain?