A staff writer for website Eurogamer had his Diablo III account hacked and sold to somebody else over the weekend. Since then, a number of people have reported the same thing happening to them, and there’s a thread on the Battle.net forums that’s full of people complaining about the issue. On top of having accounts hacked, many people are reporting that their gold and items are being stolen.
It’s been suggested that this spate of hacks and account thefts coincided with the lengthy downtime of the EU servers on Sunday. Blizzard has not confirmed or denied that the hacks resulted in them taking the EU servers offline.
To make matters worse, many of the accounts that were hacked were owned by users who made use of Battle.net Authenticators. It’s been suggested that the hackers gained access to accounts by “hijacking session identifiers” in public multiplayer games. This would then allow hackers to gain control of the victim’s account without attracting the attention of the Battle.net authentication servers.
Upon learning about this, website Kotaku emailed Blizzard asking for clarification. They got this response:
Battle.net® Account Security & Diablo® III
We’d like to take a moment to address the recent reports that suggested that Battle.net® and Diablo® III may have been compromised. Historically, the release of a new game — such as a World of Warcraft® expansion — will result in an increase in reports of individual account compromises, and that’s exactly what we’re seeing now with Diablo III. We know how frustrating it can be to become the victim of account theft, and as always, we’re dedicated to doing everything we can to help our players keep their Battle.net accounts safe — and we appreciate everyone who’s doing their part to help protect their accounts as well. You can read about ways to help keep your account secure, along with some of the internal and external measures we have in place to help us achieve our security goals, at our account security website here: www.battle.net/security.
We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them. In addition, we also recently introduced a new service called Battle.net SMS Protect™, which allows you to use your text-enabled cell phone to unlock a locked Battle.net account, recover your account name, approve a password reset, or remove a lost Authenticator. Optionally, you can set up the Battle.net SMS Protect system to send you a text message whenever important changes occur on your account.
For more information on the Authenticator, visit http://us.battle.net/support/en/article/battle-net-authenticator-faq
For more on the Battle.net Mobile Authenticator, visit http://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq
For more on Battle.net SMS Protect, visit http://us.battle.net/support/en/article/battlenet-sms-protect
We also have other measures built into Battle.net to help protect players. Occasionally, when Battle.net detects unusual login activity that differs from your normal behavior — such as logging in from an unfamiliar location — we may prompt you for additional information (such as the answer to one of your security questions) and/or require you to perform a password reset through the Battle.net website. World of Warcraft players might be familiar with this security method already, and Diablo III players may begin to encounter it as well.
As always, if you think you’ve been the victim of an account compromise, head to the “Help! I’ve Been Hacked!” tool at http://us.battle.net/en/security/help for assistance.
It’s perhaps a little disconcerting that Blizzard claims this sort of thing happens with their games quite often. They are, however, insinuating that it’s the account holder’s fault that things like this happen. That, obviously, runs contrary to what has been suggested regarding hackers gaining access through session identifiers.
Blizzard has begun restoring lost accounts by providing users with “compromise restorations”. These are once-off Diablo III account resets that will restore user accounts to a point in time just prior to the hack. Obviously some progress will be lost, but at least gold and items should be returned. It’s worth noting that once a compromise restoration has been activated, the user account will have restrictions placed on it when using the Diablo III Real Money Auction House; that account will need to get a Battle.net Authenticator attached to it before those restrictions are lifted. If the account is hacked a second time, then access to the Real Money Auction House will be permanently revoked. Diablo III Forum user Gorguzz posted Blizzard’s official explanation regarding the compromise restorations; you can read the whole thing right over here.
Whatever the case may be, hopefully this won’t happen to you. If you’re at all worried about it then maybe stay out of public games for now? Also, get an Authenticator or download the free app for iPhones and Android devices. It seems like you can never be too cautious.