  1. #1

    new hack involving un-merged (bnet) accounts

    I'm not sure yet how it's being done, but there is some way that people are re-activating old accounts that are not merged to b.net.

    I know because I had the very creepy experience of seeing one of my very own alts (a L20 Warlock) from an account that's been inactive since late 2008 appear as logged in on my friend's list last Thursday morning. I didn't even know who it was at first, then a huge holy shit!! moment and realized it was MY character. They stayed logged in for around 15 minutes then logged out. Filed a GM ticket, called customer support and got the account temp banned for compromise investigation. I just got off the phone with Blizzard and I've gotten the account ownership reestablished, the account un-merged from the hacker's bnet account, the password reset, etc. I haven't logged in yet to see what they've done, I can't yet actually as it has to be merged with a b.net account to login. And of course the Customer Support person wouldn't tell me what had gone on other than the obvious : someone compromised the account, and merged it with a b.net account. There was absolutely nothing to steal on the account but maybe they left some goodies, I'll find out tonight I guess, going to create a new b.net account and merge all my abandoned accounts with it.

    Details from my end:

    It was a Classic account I'd abandoned in late 2008 and never merged to b.net.
    I have not logged in to the game, the forums, or account management with that account since late 2008.
    After a very exhaustive scan, I do not have any known virus, trojan, keylogger, rootkit, etc. on any of my computers.
    None of my other accounts were targeted, including 2 other abandoned accounts I abandoned at the same time with sequential naming. e.g. account, account2, account3, only 'account' was hacked.
    The email address tied to the account (gmail) has not been accessed by anyone other than me.
    I don't reuse account names elsewhere or share my accounts with anyone. Well, my girlfriend does know my account names but does not know passwords, and hasn't done anything that could cause this old account to get hacked.


    Something's up, that's all I know.

  2. #2

    thanks for the tip.

    Glad it was an old account with nothing on it

  3. #3

    since it's an old account, maybe you used it sometime in the past at a friend's place? or in a game center or something?

  4. #4

    Before the "Blizz can't be hacked" band wagon jumps on board. I would like to throw this out there.

    There are a large number of accounts (with and without authenticators) that are canceled/frozen that are being enabled and used by gold farmers. They are using these accounts to pillage your belongings for gold, and if you have 80s, they are farming them out or transferring the toons to sell. They use stolen credit card info and game cards to reactivate the account. The email address that was tied to your account may not be hacked, but it will be on their list and you may or may not start getting spam that is identical to blizz's own account info emails that a person normally can get, and the only way to tell them apart is to trace the IPs of the email servers the message came through.

    Blizzard will tell you (along with the majority of users in the mob mentality that believe blizzard is the only company in the world that can't be hacked) that your account was compromised and it's all your fault, you must have logged into a Trojan infected PC with your account info at some point in your life. I honestly believe after several weeks of research that there are one of two things going on here.

    1. Someone (or a group) in Blizz's customer service department is compromising the accounts or selling the info.

    2. Blizz's authentication servers have been compromised.

    I really think option one is what is happening. A lot of the accounts I have looked into have been in canceled or frozen status or recently canceled with game time still left active. Only someone with access to customer service could know this info, a hacker would have to guess your security answer after brute forcing your password. Someone at customer service can also easily change your password as well.
    Last edited by Overpowerdin : 09-09-2010 at 09:21 AM Reason: Spacing

  5. #5

    Originally Posted by Zub:
    since it's an old account, maybe you used it sometime in the past at a friend's place? or in a game center or something?

    Nope, I don't log in on other people's PCs.

    I merged the account with b.net last night, sent it a scroll of resurrection and logged in. It's as I left it to the best of my memory : a bunch of naked L20 Warlocks with a handful of soul shards.

  6. #6

    Originally Posted by Overpowerdin:

    1. Someone (or a group) in Blizz's customer service department is compromising the accounts or selling the info.

    2. Blizz's authentication servers have been compromised.

    I'd be more likely to believe it's number 2 rather than 1. I'm sure if it was someone at Blizzard, that someone would leave traces as to accessing or manipulating the information for the account that was compromised and that one person or system would be attached to a much larger share of them. I'm sure it's something Blizzard would have considered and maybe even planned for.
    Whereas #2.....did the IMF and World Bank suddenly realize their servers had been compromised and re-arranged for easy access to Data.....and everyone suspected China was behind it? Sometime last year I think? If they can do that, I don't think Blizzard is any safer.

    (Anyway, I merged an account that was inactive for over 2 years, didn't have an 80 on it, but it was still untouched.)

  7. #7

    First off, the gold market looks like 'delivery on demand' to me. There is little to no reason as far as i can see why those 'companies' should have shitloads of gold in stock. I guess they have more or less an idea how much gold approximately they need per day/week and restock without drawing attention. But i'd be surprised if there wasn't some system where they login to compromised accounts whenever they got a new order. Which means that whenever they receive your info, you are just added to their queue. Now given the amount of people that get infected by viruses outside of wow, i can only imagine that the numbers within the wow population won't be far off those. Meaning that their queue of usable accounts might be pretty big.

    Since i can't imagine someone is logging in by hand is faster / more effective than a bot, it's not that odd that they would reactivate an account with fraudulent credit cards. If that account turns out to be crappy, they just have bad luck and move on to the next one.

    I think this scenario is more realistic tmho than their servers being compromised or it being an inside job.

    So yeah being in their "queue" for so long seems very likely to me.
    Everything that is fun in life is either bad for your health, immoral or illegal!

  8. #8
    Ughmahedhurtz (Member, joined Jul 2007, location: North of The Wall, South of The Line, 7169 posts)

    Your arguments don't pass the smell test.

    Skip to the bottom for the TL;DR blurb.

    Originally Posted by Overpowerdin:
    Before the "Blizz can't be hacked" band wagon jumps on board.

    Originally Posted by Overpowerdin:
    along with the majority of users in the mob mentality that believe blizzard is the only company in the world that can't be hacked

    These sorts of "if you don't agree with me you must be stupid" editorials do not reinforce your point. They simply make you look like a royal asshole who thinks he knows better than anyone else. Furthermore, misrepresenting people's arguments via the strawman fallacy also makes you look like someone who's trying to bullshit your way to a bigger e-Peen or influence someone else's opinions and/or behavior for personal gain.

    Originally Posted by Overpowerdin:
    There are a large number of accounts (with and without authenticators) that are canceled/frozen that are being enabled and used by gold farmers. They are using these accounts to pillage your belongings for gold, and if you have 80s, they are farming them out or transferring the toons to sell. They use stolen credit card info and game cards to reactivate the account. The email address that was tied to your account may not be hacked, but it will be on their list and you may or may not start getting spam

    Originally Posted by Overpowerdin:
    Blizzard will tell you that your account was compromised and it's all your fault, you must have logged into a Trojan infected PC with your account info at some point in your life.

    These are facts we have all known for quite some time now. What I'm not seeing is what bearing they have on who the "enablers" are if, as you claim, it's an inside job.

    Originally Posted by Overpowerdin:
    you may or may not start getting spam that is identical to blizz's own account info emails that a person normally can get, and the only way to tell them apart is to trace the IPs of the email servers the message came through.

    Uh, unless you're seeing something the rest of us aren't seeing, there is ALWAYS a way to tell the emails apart. Or do you have an example email that is a perfect forgery except for the originating IP/sendmail server? It might be worth noting that most of the "spam" emails you get (even the forged ones) are the kind of emails that direct you to a link to a server that is either A) hosting a trojan or B) hosting a fake logon server that saves your login credentials for later nefarious usage. I have yet to see a single email that was a perfect forgery of a blizzard email because there is absolutely no money to be made in telling you to go to the official site and login to verify your account.

    Originally Posted by Overpowerdin:
    I honestly believe after several weeks of research that there are one of two things going on here.

    Weeks of "research," eh? Care to share your methodology and empirical data? Otherwise, it's just an opinion. Possibly a well-informed opinion but we really have no way to know that based on you having 9 posts here and providing no correlating data.

    Originally Posted by Overpowerdin:
    1. Someone (or a group) in Blizz's customer service department is compromising the accounts or selling the info.

    2. Blizz's authentication servers have been compromised.

    I really think option one is what is happening. A lot of the accounts I have looked into have been in canceled or frozen status or recently canceled with game time still left active. Only someone with access to customer service could know this info, a hacker would have to guess your security answer after brute forcing your password. Someone at customer service can also easily change your password as well.

    Did you really think this through? Why would someone need your secret answer? I've changed credit cards and passwords several times, and even changed my mailing address of record and I never ONCE had to provide my secret answer. Including when I merged accounts and added/removed my authenticator. The only time you need it is when you're attempting to recover an account. If you already know the password/authenticator info (which advanced trojans can easily get, without your knowledge, regardless of how secure you think you are), you can do just about anything you'd like to an account.


    TL;DR = nothing new to see here. If you ask a better question rather than jump right in with the BS, you might get some folks to explain why your two possibilities (only two, right? Not more than two, surely) have been rather exhaustively debunked. There are other possibilities but I'm just one of the mob mentality so I might as well not even bother, AMIRITE?
    Now playing: WoW (Garona)

  9. #9

    Unless Blizzard did something very stupid then either having someone in the CS able to look at your info or having the database compromised is infeasible.

    If you are storing passwords in a database you encrypt them with an md5 hash, Kerberos, etc which means that the password is obfuscated to hell and back as a string of random characters that aren't what the user types in (unless you have no idea what you are doing, and as much as some of their decisions such as case-insensitive passwords make no sense, I don't see Blizz not understanding this part).

    If someone had access to the database they'd also have to know what hash method was used to encrypt the user password and then spend time doing bruteforce attacks on each password in the database by passing the attempted password through the hash and comparing it to the data in the database. Given that a password could be 20 characters long with each one of those characters being a-z, 0-9 and all the punctuation characters I'm sure you can see how time intensive this would be for even one password let alone bunches and bunches.

    Occam's razor in this circumstance falls on the side of people being flawed and not wanting to admit or accept they fucked up in all cases of getting hacked. I have only been hacked once, and that was when I used a http tunneling service so I could log on from work now and then so I could run around claiming that I run a secure pc and thus could never be hacked but doesn't make it not my fault now does it?
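
Added example, not part of the original post and not Blizzard's code: the hash-and-compare check described in post #9, in Python, with an unsalted MD5 table next to a salted PBKDF2 one so the difference shows up in a defender's audit of the stored digests. The account names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example

# Constructed sample data: two accounts share one password.
SAMPLE = {"account": "Hunter2!", "account2": "Hunter2!", "account3": "other-Pass9"}


def md5_digest(password):
    """Unsalted fast hash: equal passwords always give equal digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None):
    """Salted, deliberately slow hash; the salt is stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify(password, record):
    """Hash the attempt with the stored salt, then compare in constant time."""
    attempt = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(attempt, record["digest"])


def shared_digests(table):
    """Audit a credential table: groups of accounts with identical digests."""
    groups = {}
    for account, digest in table.items():
        groups.setdefault(digest, []).append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables(accounts=SAMPLE):
    """Return (md5_table, salted_records) for the same set of accounts."""
    md5_table = {a: md5_digest(p) for a, p in accounts.items()}
    records = {a: make_record(p) for a, p in accounts.items()}
    return md5_table, records


if __name__ == "__main__":
    md5_table, records = build_tables()
    print("md5 duplicates:   ", shared_digests(md5_table))
    print("salted duplicates:", shared_digests({a: r["digest"] for a, r in records.items()}))
    print("login ok:", verify("Hunter2!", records["account"]))
```

With the unsalted table, the two accounts that share a password are visible from the digests alone; with per-account salts no two stored digests match, and each guess has to be re-derived per account at the full iteration cost.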

  10. #10

    If it was an un-merged account all they needed was the account name to create/merge it to a battlenet. Hell they could be running a random account name generator to scoop up un-merged/dormant accounts. The OP may not have done anything wrong at all.
    Guilds: Spirit of St Louis/Saint Louis
    US- Trollbane/Zuljin Horde and Alliance

