WoW accounts getting hacked
Owltoid
12-30-2008, 11:33 AM
I've been lucky enough to never have my accounts be hacked. I hope I'm not inviting some malicious users into my world by posting this, but I'm curious who is getting hacked. I know a few people that have had the unfortunate experience, but all those users have used a power leveling service or purchased the toon. Has anyone on this board ever been hacked and been on the straight and narrow the entire time? I know I'm getting the Blizzard authenticator soon. I don't have any assets to protect, but I don't want all my time to be wasted either.
Naysayer
12-30-2008, 11:42 AM
Never have, but just like in Batman the bad guys are adapting and compensating for the new protection and user awareness out there. They're getting sneakier and you won't be able to identify them from Sex Legs anymore.
Yes, I totally cited Batman there. :thumbup:
zanthor
12-30-2008, 11:55 AM
I've been playing MMO's since 1996... in that 12 years I've had exactly zero accounts compromised.
A good friend had his account violated twice in that same time. Both times the issue was that his son had shared the account info. (Of course he had shared the info with his son in the first place.)
A guildy of mine in WoW had his account hacked 5 times just before TBC launched. These were separated out a little bit, but in the end I'm confident that the hackers utilized a brute force attack for the last two. The first one he had shared his password with a malware that had a keylogger built in. The second and third happened and we are fairly certain it was because the malware had rootkitted the machine and kept reinfecting.
The fourth and fifth however we had reformatted his machine, from scratch. Updated anti-virus, malware, anti-spyware software and updated his password to a 10 digit mixed case alpha numeric with symbols password... yet his account got violated twice more (with a full reformat in between).
Blizzard refused to change his account name, which is all that's required for a brute force attack. So he bought a new account, set up a 10+ digit name that looks a lot like a password, set up a 10+ digit password with the same standards mentioned above, and has been secure ever since. I'm not sure if he ever picked up an authenticator.
Really though, for $6 you can't beat an authenticator's protection.
Multibocks
12-30-2008, 12:03 PM
I've had a virus that no matter how many times I formatted my drive it came right back. I ended up tossing the hard drive. Those sonsofbitches need a pineapple sodomy.
puppychow
12-30-2008, 12:11 PM
Turn on an authenticator ASAP -- it doesn't really matter anymore how good your account name/password is, there are programs that basically can spend 24 hours a day, 7 days a week trying millions of passwords on millions of account names. And I'm sure there are farms and farms of PCs around the world doing just that, whether it's against WoW accounts or bank accounts. It's actually pretty scary when you stop and think how much of your information is out there, and how shitty our security really is. Most people sadly use trivial names for their bank/broker/mail/etc accounts, and a hacker's farm of computers can sit there forever trying to crack em.
The really scary thing is too that in a couple years PCs will be powerful enough to even brute force through stuff like the blizz authenticator, we really do need to move to some sort of universal, world-wide DNA fingerprint authenticator for all web sites. But then someone will come and chop off your fingers to hack in :(
Multibocks
12-30-2008, 12:14 PM
You would think that WoW would block ip addresses that tried unsuccessfully to log in to your account that are obviously not even close to where you live... but then I guess they would just spoof their ip address.
Hachoo
12-30-2008, 12:24 PM
Not to mention some people travel cross country to visit relatives and still want to play WoW while they're there.
I've been playing MMOs since the day ultima online came out and have never been hacked. HOWEVER, I still spent $6.50 for a WoW authenticator "just in case". I mean come on, most of us here pay $45-$75 a month to play WoW, a one time fee of $6.50 to guarantee you'll never be hacked is a no brainer, especially since you can use that 1 device for all 5 of your accounts at the same time.
keyclone
12-30-2008, 12:37 PM
the type of account name and password you choose no longer matters.
ie:
username: joe$bob^biggs
password: l1v3@th3beach!
yes, that is secure against a dictionary attack and most brute force... but the pros have moved to keyloggers and are putting out software that gets into the box and watches for you to enter a password somewhere. then it'll send a message to some irc chat room where itself and thousands of other virus bots are logged in. end result, no amount of username/password gymnastics can save you from a keylogger... and it's only a matter of time before explorer gaffs at some animated gif or xml overrun and allows one onto your box. even anti-virus software doesn't protect you from NEW viruses/keyloggers.
the ABSOLUTE best solution would be a revolving RSA key... which is what the blizzard authenticator is based on. get it. get it today. have zero fears.
http://solidice.com/keyclone/images/blizzard_authenticator.jpg ('http://www.blizzard.com/store/details.xml?id=1100000182')
the type of account name and password you choose no longer matters.
ie:
username: joe$bob^biggs
password: l1v3@th3beach!
yes, that is secure against a dictionary attack and most brute force... but the pros have moved to keyloggers and are putting out software that gets into the box and watches for you to enter a password somewhere. then it'll send a message to some irc chat room where itself and thousands of other virus bots are logged in. end result, no amount of username/password gymnastics can save you from a keylogger... and it's only a matter of time before explorer gaffs at some animated gif or xml overrun and allows one onto your box. even anti-virus software doesn't protect you from NEW viruses/keyloggers.
the ABSOLUTE best solution would be a revolving RSA key... which is what the blizzard authenticator is based on. get it. get it today. have zero fears.
http://solidice.com/keyclone/images/blizzard_authenticator.jpg ('http://www.blizzard.com/store/details.xml?id=1100000182')
The authenticator is wonderful for one account. Any tips on how best to manage five or more accounts with an authenticator? Seems like it would be a very painful process just to be able to log in, or if you game on the road taking 5 authenticators with you is very annoying and increases the potential for misplacing one.
keyclone
12-30-2008, 12:48 PM
afaik, you can associate the same authenticator with multiple accounts... mine will be delivered shortly and i'll be able to give first hand knowledge. until then, maybe someone else will chime in
Hachoo
12-30-2008, 12:48 PM
I just said in my post above that 1 authenticator works with all accounts you link to it.
I'm using an authenticator with 5 accounts - I load keyclone, load my 5 WoWs, type my password in and it prompts all 5 for the authenticator code - I then enter the authenticator code once (which types on all 5 windows) and hit enter and I'm in.
Techtroll
12-30-2008, 12:50 PM
I registered my (recently acquired) authenticator against all my 3 accounts.
Not attempted to log in to all 3 accounts at the same time using the authenticator yet though, so I don't know how 2 (or more) simultaneous logins are affected by the authenticator.
But you will not need 5 different authenticators for 5 accounts, you only need 1.
Edit: beaten to it.
keyclone
12-30-2008, 12:50 PM
oh yea... and blizzard (or anyone doing authentication) should block an ip address FOR AN HOUR if they blow a password more than 10 times in a row. this would kill the brute force attackers
Terraelf
12-30-2008, 12:54 PM
I'm using the authenticator w/ 5 accounts. Keyclone method could work, but since I have numbers in my username and password both it's a little bit of a pain to use it during the login process. You have a fudge factor of a minute or two to use the key before it's no longer valid and I can usually log all 5 sessions independently and manually using the same key as the first time I press the button even if the number on the authenticator has changed by the time I get to the last one. I thought it would be a big headache using it w/ 5, but it doesn't even faze me.... I had my authenticator for the longest time and didn't activate it until my account was in the middle of being compromised. Someone had changed the email address associated w/ one of my accounts. Before they could use that to do a password reset, I was able to login and add the authenticator and then called blizz to get the email address set back.
Svpernova09
12-30-2008, 12:55 PM
I have 5 accounts tied to 1 authenticator. I fire up keyclone, I fire up all 5 wows. I place the cursor in the password field on each window. I enter the password and it appears in all 5 wow windows (yarly). I hit <enter>. I get prompted for my Authenticator code. I enter the 6 digit code and it appears in all 5 wow windows (inorite). Then I go melt faces feeling very secure that my EPIX won't be sharded.
Hachoo
12-30-2008, 12:57 PM
Why do numbers in your username/password make things problematic?
FWIW this is another reason why I like using 5 wow folders for my 5 accounts. My login names are just saved for each account so all I have to do is type my password (which is the same on all 5 accounts of course) followed by the authenticator number.
Also I have to use my hotkey for do not pass so it will pass EVERY key I push during login, otherwise some letters in my password that are on my do not pass list don't get sent to the clone windows - I bound ctrl+pause for DNP (and just pause for mute).
Hachoo
12-30-2008, 12:58 PM
I have 5 accounts tied to 1 authenticator. I fire up keyclone, I fire up all 5 wows. I place the cursor in the password field on each window. I enter the password and it appears in all 5 wow windows (yarly). I hit <enter>. I get prompted for my Authenticator code. I enter the 6 digit code and it appears in all 5 wow windows (inorite). Then I go melt faces feeling very secure that my EPIX won't be sharded.
Why do you click on the password box on all 5 windows? On my WoW, the cursor is already in the password box on all 5 windows when WoW fires up. I don't have to click at all on any of my WoW windows until after I've completely logged in and am in-game.
Svpernova09
12-30-2008, 01:00 PM
I have 5 accounts tied to 1 authenticator. I fire up keyclone, I fire up all 5 wows. I place the cursor in the password field on each window. I enter the password and it appears in all 5 wow windows (yarly). I hit <enter>. I get prompted for my Authenticator code. I enter the 6 digit code and it appears in all 5 wow windows (inorite). Then I go melt faces feeling very secure that my EPIX won't be sharded.
Why do you click on the password box on all 5 windows? On my WoW, the cursor is already in the password box on all 5 windows when WoW fires up. I don't have to click at all on any of my WoW windows until after I've completely logged in and am in-game.
Old habits hard to break. I have different wow folders with different settings, so some of them have the account name saved, some don't so I'm always checking and making sure where the input goes.
Hachoo
12-30-2008, 01:05 PM
You know you can configure keyclone to automatically type your login name in when you open WoW right? ;) Just go to your keyclone program settings and set each WoW window profile to have the login name typed in for you, then you only have to worry about the passwords.
Svpernova09
12-30-2008, 01:07 PM
You know you can configure keyclone to automatically type your login name in when you open WoW right? ;) Just go to your keyclone program settings and set each WoW window profile to have the login name typed in for you, then you only have to worry about the passwords.
Yah when I'm using keyclone I have that configured. But when I'm using IS I don't have the account names saved because I don't have the virtualization of the configs done yet. So when IS runs my 3 wows on my desktop, they run off the same folder atm.
Terraelf
12-30-2008, 01:15 PM
Why do numbers in your username/password make things problematic?
Since it's a mix of letters and numbers and my keyclone is set up not to pass letters I need to put in the username/passwords separately and when I do, other windows I have open will take the number portion of the username and password and keyclone that, but not the letters. I don't like the idea of having 5 different folders and saving the username and I don't mind much logging in 5 times manually. What I do is log into one session completely and leave it on the character screen and log into the next session. It works for me. I know there are faster ways to do it, but that's the way that works for me. Old dog and all... :thumbsup:
Hachoo
12-30-2008, 01:31 PM
See my earlier comment about the do-not-pass override. In the keyclone settings you can set up a hotkey to enable/disable do-not-pass. One button push disables it so you can then type your password and have all keys passed correctly, then you push the button again and it goes back to normal settings. This is invaluable for passwords and other things (such as purposefully wanting to say something on all 5 characters at the same time, etc).
Tonuss
12-30-2008, 01:44 PM
I then enter the authenticator code once (which types on all 5 windows) and hit enter and I'm in.
Oh man, that rocks. I've never had account problems (and rarely virus/spyware problems) but if it's that easy to use even with a multiboxed setup, it sounds very worthwhile. Thanks for posting this.
zanthor
12-30-2008, 01:46 PM
The authenticator is wonderful for one account. Any tips on how best to manage five or more accounts with an authenticator? Seems like it would be a very painful process just to be able to log in, or if you game on the road taking 5 authenticators with you is very annoying and increases the potential for misplacing one.
No problems at all here.
afaik, you can associate the same authenticator with multiple accounts... mine will be delivered shortly and i'll be able to give first hand knowledge. until then, maybe someone else will chime in
You most certainly can. I have 7 accounts, 1 authenticator. I have account names saved across the board, I have the same password on all 7 accounts. Broadcast 1 click to the password box (this is generally not necessary) and broadcast the password to enter it... hit the authenticator and broadcast the number when it asks, and you're logged in. Honestly I don't even bring my authenticator with me when I travel, of course I don't wow when I travel either.
Lyonheart
12-30-2008, 01:52 PM
Me=1 authenticator+12 accounts=sleep well at night!
Sam DeathWalker
12-30-2008, 02:04 PM
If someone put a key logger into your computer wouldn't they steal bank passwords and credit card numbers before wow log in infos?
zanthor
12-30-2008, 02:14 PM
If someone put a key logger into your computer wouldn't they steal bank passwords and credit card numbers before wow log in infos?
You would think that.
Let me ask you two questions:
1 - Is it a federal felony to steal a persons banking information and credit card info and use it?
2 - Is it a federal crime to log into an account and sell items/gold to other players for US$ after pillaging the account?
On one hand, I see great potential for short term profit and long term jailtime.
On the other hand, I see great potential for profit and in the long term, an injunction at best, maybe a fine?
RMT is a MULTI MILLION dollar business. And the traders have found it's better to steal the gold, liquidate the assets and sell their pillage than it is to hire someone to farm the gold for them. You hire someone, their account gets banned. You hack someone's account, who cares if it gets banned, in fact, COUNT on it. They'll appeal, get restored, and if you have a plan to crack that account a 2nd time, you make money twice.
JasonB87
12-30-2008, 02:23 PM
Unfortunately for me prior to multi-boxing I had my single account taken. Most likely was a key logger, it happened about 1 week after the authenticator came out. It was taken by a kid who ended up just playing my account for a weekend. He did nothing really malicious outside of somehow tossing off 2k gold. Which was returned upon gaining control of my account again. Bought the authenticator the day it happened and now I'm a security nut.
zanthor
12-30-2008, 02:40 PM
Unfortunately for me prior to multi-boxing I had my single account taken. Most likely was a key logger, it happened about 1 week after the authenticator came out. It was taken by a kid who ended up just playing my account for a weekend. He did nothing really malicious outside of somehow tossing off 2k gold. Which was returned upon gaining control of my account again. Bought the authenticator the day it happened and now I'm a security nut.
See this situation doesn't make sense to me for a keylogger. Did anyone else have your password? Would they have been stupid and shared it? I've had guildmates give me their passwords left and right, I always tell them not to do that and that I don't A: want it or B: need it.
elsegundo
12-30-2008, 02:50 PM
strange, i never had to override my keyclone when typing in passwords. some keys on my password IS on the donotpass list.
JasonB87
12-30-2008, 02:59 PM
Nope never shared my password, which led me to think key logger. Nothing else really adds up. I'm pretty sure this was a kid because after my account was compromised I had my friend talking to him trying to get information in which he spoke English well but seemed to be under the impression that he had gotten a hold of an account that he was going to keep and have paid for by somebody else. This tells me either kid or very ignorant person.
I should straighten this out, my account was not directly hacked but my email was. According to the person they had come across my email and password on a warez site in which they started to go through my email seeing I had a WoW account logged into my account and changed the password. They never changed my email password and they had deleted the pages that are sent when you change password and/or account info. Once again kinda leads me to think kid who got lucky on warez site. With this I literally spent the next week changing dozens upon dozens of passwords and creating a new email account unlinked to my old one.
Bigfish
12-30-2008, 03:25 PM
If someone put a key logger into your computer wouldn't they steal bank passwords and credit card numbers before wow log in infos?
Simply having access to a bank account or credit card doesn't mean they will pay off. Banks and CC companies have entire departments dedicated to fraud protection, and you leave a very obvious electronic trail if you try and utilize those sources fraudulently.
WoW accounts on the other hand, are a real store of value (no matter how much Blizzard or anyone else tries to say they are not), and there is very little Blizzard can do to stop some kid in the Philippines from logging in to an account that doesn't belong to him and slashing and burning his way through it. Thing is, foreign police aren't likely to take charges of fraudulently logging in to someone else's computer account seriously. It's entirely unenforceable on several levels.
Basilikos
12-30-2008, 03:41 PM
The really scary thing is too that in a couple years PCs will be powerful enough to even brute force through stuff like the blizz authenticator, we really do need to move to some sort of universal, world-wide DNA fingerprint authenticator for all web sites. But then someone will come and chop off your fingers to hack in :(
I disagree. Mostly because there are too many variables involved to be brute-forced. Also note that many other security methods involved random large prime numbers that would have to be guessed, which has proven never to work.
zanthor
12-30-2008, 03:55 PM
The really scary thing is too that in a couple years PCs will be powerful enough to even brute force through stuff like the blizz authenticator, we really do need to move to some sort of universal, world-wide DNA fingerprint authenticator for all web sites. But then someone will come and chop off your fingers to hack in :(
I disagree. Mostly because there are too many variables involved to be brute-forced. Also note that many other security methods involved random large prime numbers that would have to be guessed, which has proven never to work.
PC's can already brute force 6 digit passcodes like the blizzard authenticator.
But can they present 1 million attempts to the server in 60 seconds? That would be one attempted login per 0.00006 seconds, and I can tell you that Blizzard's servers would simply puke at that. Every time a battle group goes down they get a few thousand logins in a minute and the servers choke...
Hachoo
12-30-2008, 04:00 PM
Brute forcing anything assumes you can even ATTEMPT that many logins...
To brute force the authenticator you'd first have to brute force the user's password (or find it some other way). Only if you get the password right does it even allow you to type in the authenticator code.
I have not tested what happens if you fail typing in the authenticator code however, but the smart thing to do would be lock the account out until the authenticator switches to a new code.
All of this is moot anyway since there's no way to even send that many "attempts" to the server in that amount of time at all, that's assuming Blizzard even allowed it but I'm sure if you attempt it more than X number of times in X seconds it slows you down or prevents you from doing it again for a period of time - almost every authentication system ever has done that for upwards of a decade.
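The lockout rule keyclone proposes above (an hour's block after 10 failures in a row) and the attempt-rate arithmetic in zanthor's and Hachoo's posts, worked through as an added Python example that is not part of the thread and is not Blizzard's actual logic. The class and function names are hypothetical, and it assumes each guess at a 6-digit code is an independent one-in-a-million shot.

```python
import math
from dataclasses import dataclass, field

MAX_FAILURES = 10      # keyclone's rule: 10 bad attempts in a row ...
BLOCK_SECONDS = 3600   # ... block the source for an hour
CODE_SPACE = 10 ** 6   # a 6-digit code has one million possible values


@dataclass
class Throttle:
    """Consecutive-failure lockout keyed by any string (source IP or account name)."""
    failures: dict = field(default_factory=dict)       # key -> failures in a row
    blocked_until: dict = field(default_factory=dict)  # key -> time the block ends

    def record(self, key, success, now):
        """Register one attempt. Returns False if it was refused while blocked,
        True if the credentials were actually checked."""
        if now < self.blocked_until.get(key, 0):
            return False
        if success:
            self.failures.pop(key, None)   # a good login resets the streak
            return True
        count = self.failures.get(key, 0) + 1
        if count >= MAX_FAILURES:
            self.blocked_until[key] = now + BLOCK_SECONDS
            count = 0
        self.failures[key] = count
        return True


def seconds_per_attempt(attempts, window_seconds):
    """zanthor's arithmetic: time budget per attempt to fit them all in the window."""
    return window_seconds / attempts


def checked_guesses(throttle, key, duration_seconds):
    """Wrong guesses from one source, one per second, that actually get checked."""
    checked = 0
    for now in range(duration_seconds):
        if throttle.record(key, success=False, now=now):
            checked += 1
    return checked


def guess_success_probability(guesses, valid_codes=1):
    """Chance that at least one of `guesses` independent tries hits a valid code."""
    p = valid_codes / CODE_SPACE
    return -math.expm1(guesses * math.log1p(-p))


def guesses_for_even_odds(valid_codes=1):
    """Unthrottled guesses needed before the odds of a hit reach 50%."""
    p = valid_codes / CODE_SPACE
    return math.ceil(math.log(0.5) / math.log1p(-p))


if __name__ == "__main__":
    source = "203.0.113.7"   # constructed sample address (documentation range)
    day = 24 * 3600
    n = checked_guesses(Throttle(), source, day)
    print("time per attempt for 1M tries in 60 s:", seconds_per_attempt(10 ** 6, 60))
    print("guesses checked in 24 h under the throttle:", n)
    print("chance one of them hits the code:", guess_success_probability(n))
    print("unthrottled guesses for even odds:", guesses_for_even_odds())
```

Keying the counter on source IP alone leaves the many-machines case from puppychow's post unbounded; keying it on the account name as well caps guesses per account no matter how many sources take part.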
Gaffy
12-30-2008, 04:17 PM
I have not tested what happens if you fail typing in the authenticator code however, but the smart thing to do would be lock the account out until the authenticator switches to a new code.
I've done that a couple of times, dyslexia + fat fingers does that to you :cursing: . it just sends you back to the log in page where you have to start over with the username/password.
Think current brute forcing methods on a standard pc is bad,
http://www.codinghorror.com/blog/archives/000986.html
the above link shows a report on a company in russia using a $800 recoded Graphics card to do the job that a standard pc will take several months to crack they could achieve in 3 days, using this new method they filed a patent on. some 8 letter passwords they were able to crack in 3 days.
sum of the story, long password, or RSA key ftw!
Multibocks
12-30-2008, 04:34 PM
Some people use the FTL system which means when I press 1 on my keyboard the main window hits 1, but the slaves hit "x", for example. This makes passwords a bitch, however keyclone tells me there is a keymap suspend setup (like the DNP suspend), I just haven't checked for it yet. I changed my password to something that doesn't use my FTL setup instead, lol. Of course this won't work for the authenticator since I have keys 1 to 6 passing different keys.
Multibocks
12-30-2008, 04:49 PM
Think current brute forcing methods on a standard pc is bad,
http://www.codinghorror.com/blog/archives/000986.html
the above link shows a report on a company in russia using a $800 recoded Graphics card to do the job that a standard pc will take several months to crack they could achieve in 3 days, using this new method they filed a patent on. some 8 letter passwords they were able to crack in 3 days.
sum of the story, long password, or RSA key ftw!
If you read the full article they point out the smartest passwords are actually passphrases. Choose a saying that only you would know, example "imasturbatetwiceaday" it was pointing out that anything above 12 characters would take 62000 years to brute force crack. I guess a combo brute and dictionary would be faster, but I really doubt someone will crack that before you are either a. done playing the game forever or b. dead.
zanthor
12-30-2008, 04:58 PM
To brute force the authenticator you'd first have to brute force the user's password (or find it some other way). Only if you get the password right does it even allow you to type in the authenticator code.
This is incorrect. You present username/password - it will always ask for the code next unless it's patch day and you aren't patched.
I have not tested what happens if you fail typing in the authenticator code however, but the smart thing to do would be lock the account out until the authenticator switches to a new code.
You go back to logon/password prompt.
The chink in this armor is the wow forums. They don't use the authenticator, only the u/p of the account. So you can brute force the password there assuming they could handle the number of attempts and not get flagged (which I doubt). All said and done, it will take an act of god or raw stupidity to lose access to your account in WoW now.
In fact, I'm so confident in this that I'll post this:
Username: zan6715b
Password: el571ai#7
Current Authenticator Code: 723123
Good for about 45 more seconds, enjoy ;).
Oh c'mon, like I'd REALLY post that as real info.
Toned
12-30-2008, 05:01 PM
I've been playing MMOs for about 12yrs now starting with EQ1... Never had any issues with EQ however I have been hacked more than once on WoW. Dec of last year my g/f's account and 2 of mine were hacked with that flash exploit. I have been using Firefox with noscript / noad etc... now days it doesn't really matter if some one is determined they can get your info. With the most recent Wowhead issue they got 2 of my accounts some how ( this is how I know it is a program and not a person). They hacked 2 out of 9 accounts all have similar usernames... but they were all on the same password. This time they actually managed to change my emails, transfers chars off, etc... I really only go to 2 WoW related sites dual-boxing.com and wowhead, but can never be too cautious.
Both times this has happened Blizz has been really prompt about restoring any damages caused etc... About 2 months ago I think some one attempted a hack on one of my accounts and blizzard detected it. They ban the account for 24hrs to let me secure my computer/accounts etc... They must have been watching IPs or something and when I log in everyday in California... then suddenly in Taiwan I'm logged in they are like ban hammer !
zanthor
12-30-2008, 05:04 PM
Since then I've ordered 9 authenticators and I need to go buy a labeler lol.
You know you can associate a single authenticator with 9 accounts right? no labels, one button, one code...
Toned
12-30-2008, 05:05 PM
Since then I've ordered 9 authenticators and I need to go buy a labeler lol.
You know you can associate a single authenticator with 9 accounts right? no labels, one button, one code...
Ha no ~ good to know. $7 it is vs $63
Hachoo
12-30-2008, 05:05 PM
I've been playing MMOs for about 12yrs now starting with EQ1... Never had any issues with EQ however I have been hacked more than once on WoW. Dec of last year my g/f's account and 2 of mine were hacked with that flash exploit. I have been using Firefox with noscript / noad etc... now days it doesn't really matter if some one is determined they can get your info. With the most recent Wowhead issue they got 2 of my accounts some how ( this is how I know it is a program and not a person). They hacked 2 out of 9 accounts all have similar usernames... but they were all on the same password. This time they actually managed to change my emails, transfers chars off, etc... Since then I've ordered 9 authenticators and I need to go buy a labeler lol. I really only go to 2 WoW related sites dual-boxing.com and wowhead, but can never be too cautious.
Both times this has happened Blizz has been really prompt about restoring any damages caused etc... About 2 months ago I think some one attempted a hack on one of my accounts and blizzard detected it. They ban the account for 24hrs to let me secure my computer/accounts etc... They must have been watching IPs or something and when I log in everyday in California... then suddenly in Taiwan I'm logged in they are like ban hammer !
Why....why did you buy 9 authenticators? The fact that you can use 1 authenticator on multiple accounts is plastered all over the blizzard FAQ and the blizzard store, and 9 authenticators is no more secure than 1 authenticator.
Starbuck_Jones
12-30-2008, 07:24 PM
I work in the enterprise space. Like server 2k3 and stuff has when you open a web browser, it won't go to a site until you enable it on a trusted list. If you're this paranoid about your game account, Don't browse the p0rns on that computer! As for the guy who tossed his HDD because of a virus... unplug the nic when you do a reinstall.
Prepared
12-30-2008, 11:18 PM
the type of account name and password you choose no longer matters.
ie:
username: joe$bob^biggs
password: l1v3@th3beach!
yes, that is secure against a dictionary attack and most brute force... but the pros have moved to keyloggers and are putting out software that gets into the box and watches for you to enter a password somewhere. then it'll send a message to some irc chat room where itself and thousands of other virus bots are logged in. end result, no amount of username/password gymnastics can save you from a keylogger... and it's only a matter of time before explorer gaffs at some animated gif or xml overrun and allows one onto your box. even anti-virus software doesn't protect you from NEW viruses/keyloggers.
the ABSOLUTE best solution would be a revolving RSA key... which is what the blizzard authenticator is based on. get it. get it today. have zero fears.
http://solidice.com/keyclone/images/blizzard_authenticator.jpg ('http://www.blizzard.com/store/details.xml?id=1100000182')
The authenticator is wonderful for one account. Any tips on how best to manage five or more accounts with an authenticator? Seems like it would be a very painful process just to be able to log in, or if you game on the road taking 5 authenticators with you is very annoying and increases the potential for misplacing one.
I use the Blizzard Authenticator on 38 accounts. Just use maximizer from either Keyclone or Octopus or whatever other software that allows start up of the application and keyboard entry to all client applications. Once the same authenticator is associated with multiple accounts, the same number can be entered to all account logins at the same time. Keyclone and Octopus allow that keyboard entry at login so it saves a ton of time logging in any number of accounts at the same time.
Tonuss
12-31-2008, 10:44 AM
I work in the enterprise space. Like server 2k3 and stuff has when you open a web browser, it won't go to a site until you enable it on a trusted list. If you're this paranoid about your game account, Don't browse the p0rns on that computer! As for the guy who tossed his HDD because of a virus... unplug the nic when you do a reinstall.
The problem I am seeing is with ads that get served from other sites to the site you are visiting. I run Firefox with AdBlock and NoScript, so that nothing runs on a site I visit until and unless I enable the originating sites. Some sites will pull in scripts from more than a dozen additional sites! That's just sickening. You are visiting a site you trust, and you are also "visiting" 2-15 other sites that you have no clue about (and if you're not using some form of tracking, such as NoScript, you're not even aware you are visiting them!). Most of the virus/spyware infestations we get at work are from these ads. It's a real problem these days.
Bloodcloud
12-31-2008, 10:57 AM
Running the Authenticator on 5 accounts without problems.
Only thing is, You need it for EVERYTHING, be it posting on the WOW forums, or assigning toons to your account on Armory ...
Figured out the hard way, when I was @ work without the authenticator :(
BB
Svpernova09
12-31-2008, 11:19 AM
Running the Authenticator on 5 accounts without problems.
Only thing is, you need it for EVERYTHING, be it posting on the WOW forums, or assigning toons to your account on Armory ...
Figured out the hard way, when I was @ work without the authenticator :(
BB
It has never asked me for the authenticator to post on US forums.
Hachoo
12-31-2008, 11:21 AM
The authenticator is not used for the forums. Only the account management site.
Duese
12-31-2008, 01:21 PM
I recently had the unfortunate occurrence of being hacked. Here was the "weird" part about it: When I found out my account was hacked, I checked my running processes and sure enough I ran across an unknown. I started checking my browser history and went back 3 months. The computer I play WoW on is just that, for WoW. I had been to wow o-boards and allak... and that was it.
So, I either got it from allak OR I got the virus a while back and it took it 3 months before it went into effect.
Something that I want to point out... ANYTIME a major holiday (i.e. Christmas) comes around or other Major Holidays (i.e. Expansion Pack releases), it would be a very good idea to change your password in the weeks leading up to that. Gold Companies realize that Blizzard support will be cut back so response time will be slower, people will typically be saving up gold, and the demand for gold will skyrocket.
I have had two friends get hacked as well as myself. I got hit the week before Wotlk came out and my two friends got hit the week before Christmas. This has been a trend among others that I have come across.
Blizzard is getting account recovery down to an artform though. My main account got cleaned out pretty badly, but they didn't even make it to the mailbox on my second account before it got slapped with a temp ban. The rest of my accounts didn't get touched thankfully.
All in all, I got the majority of my stuff back that was linked to my character, but my guild was nuked, bank gone and about 5k-6k gold worth of items in the bank non-recovered. This is the second time my bank has been cleaned out by hackers. (First was when my friends got hit, second was when I got hit.) I really wish blizzard would be able to restore those items as well. That's probably 10k gold/items that I've been unable to recover from it.
Coltimar
12-31-2008, 02:27 PM
I got a keylogger through Cosmos many moons ago. I only had one account, but the account name was 'out there' amongst the scrotum munchers instantly. My original account has been compromised 5 times total. Blizz wouldn't transfer my character and wouldn't change the account name (this was before you could pay to do it). I started another account and leveled other toons. Blizz kept saying that my system was the trouble. I guess they didn't know I had two other accounts at that time that have never been touched :/ It got hit just the other day, but there is nothing on there. I used to use the account for trading stuff between alts, before instant mail came along. It's closed now and I am going right now to order authenticators.
Brandish
12-31-2008, 03:08 PM
You have all convinced me! Here, let me trot on over to blizzard and buy their authenticator.....oops. SOLD OUT. blizzfail3000.
http://www.blizzard.com/store/details.xml?id=1100000182
Basilikos
12-31-2008, 03:33 PM
... authenticators.
Just one.
Hachoo
12-31-2008, 04:05 PM
You have all convinced me! Here, let me trot on over to blizzard and buy their authenticator.....oops. SOLD OUT. blizzfail3000.
http://www.blizzard.com/store/details.xml?id=1100000182
Wait, blizzard fails because they made a product that is so popular it's selling as fast as they can make it? What world do you live in? Oh and the fact that they're selling it for what could possibly be the most reasonable price in the history of sales apparently makes them fail also? Sheesh.
Multibocks
12-31-2008, 04:13 PM
the type of account name and password you choose no longer matters.
ie:
username: joe$bob^biggs
password: l1v3@th3beach!
yes, that is secure against a dictionary attack and most brute force... but the pros have moved to keyloggers and are putting out software that gets into the box and watches for you to enter a password somewhere. then it'll send a message to some irc chat room where itself and thousands of other virus bots are logged in. end result, no amount of username/password gymnastics can save you from a keylogger... and it's only a matter of time before explorer gaffs at some animated gif or xml overrun and allows one onto your box. even anti-virus software doesn't protect you from NEW viruses/keyloggers.
the ABSOLUTE best solution would be a revolving RSA key... which is what the blizzard authenticator is based on. get it. get it today. have zero fears.
http://solidice.com/keyclone/images/blizzard_authenticator.jpg ('http://www.blizzard.com/store/details.xml?id=1100000182')
The authenticator is wonderful for one account. Any tips on how best to manage five or more accounts with an authenticator? Seems like it would be a very painful process just to be able to log in, or if you game on the road taking 5 authenticators with you is very annoying and increases the potential for misplacing one.
I use the Blizzard Authenticator on 38 accounts. Just use maximizer from either Keyclone or Octopus or whatever other software that allows start up of the application and keyboard entry to all client applications. Once the same authenticator is associated with multiple accounts, the same number can be entered to all account logins at the same time. Keyclone and Octopus allow that keyboard entry at login so it saves a ton of time logging in any number of accounts at the same time.
Hey look it's Prepared~! Haven't seen you post in a while, how's your army doing on its leveling?
Vyndree
12-31-2008, 05:38 PM
My personal experience:
Over Christmas, I got an e-mail saying that an account (which simply has about a month left on it, no gold... it was a former RAF account where the RAF time had run out but I had used a gametime card to get an early Zhevra) of mine had been password reset (successfully, by the way... which means they had access to my e-mail). This was the ONLY account to receive this e-mail, and when I password reset it back and got my access back, I didn't find anything changed. To be honest, they were probably disappointed to find some <lvl10 lowbies and no gold or gear to speak of.
None of my other accounts were hit.
Why?
The RAF account was the ONLY account that wasn't associated with my authenticator. I had just been too lazy to attach the authenticator to that account, and didn't feel there were any valuables on that account that I'd cry over losing. All of my high level characters had already been xfered onto my main accounts (which use authenticators).
What's disturbing?
In order to make a successful password reset, they need access to my e-mail. If they have access to my e-mail, they COULD have just deleted the e-mail notifications from Blizzard and I would've never known anyone had gotten into my account. Furthermore, if they got access to my e-mail/password via a keylogger, they potentially have any information I've ever typed into that computer (think: credit cards? online banking?). Thus far, all I've seen is that one password reset. But I'm keeping a hawk eye on everything else, just in case, and I'm wiping that machine.
The particular machine in question was running Vista's UAC, Antivirus, and behind a firewall. However, it doesn't really surprise me that people can still get in. Given enough determination, people can find their way into anything.
It does make me smirk that they wasted their efforts on my relatively worthless former-RAF account, though. ;) Hooray authenticator.
Bigfish
12-31-2008, 06:41 PM
My personal experience:
Over Christmas, I got an e-mail saying that an account (which simply has about a month left on it, no gold... it was a former RAF account where the RAF time had run out but I had used a gametime card to get an early Zhevra) of mine had been password reset (successfully, by the way... which means they had access to my e-mail). This was the ONLY account to receive this e-mail, and when I password reset it back and got my access back, I didn't find anything changed. To be honest, they were probably disappointed to find some <lvl10 lowbies and no gold or gear to speak of.
None of my other accounts were hit.
Why?
The RAF account was the ONLY account that wasn't associated with my authenticator. I had just been too lazy to attach the authenticator to that account, and didn't feel there were any valuables on that account that I'd cry over losing. All of my high level characters had already been xfered onto my main accounts (which use authenticators).
What's disturbing?
In order to make a successful password reset, they need access to my e-mail. If they have access to my e-mail, they COULD have just deleted the e-mail notifications from Blizzard and I would've never known anyone had gotten into my account. Furthermore, if they got access to my e-mail/password via a keylogger, they potentially have any information I've ever typed into that computer (think: credit cards? online banking?). Thus far, all I've seen is that one password reset. But I'm keeping a hawk eye on everything else, just in case, and I'm wiping that machine.
The particular machine in question was running Vista's UAC, Antivirus, and behind a firewall. However, it doesn't really surprise me that people can still get in. Given enough determination, people can find their way into anything.
It does make me smirk that they wasted their efforts on my relatively worthless former-RAF account, though. ;) Hooray authenticator.
It isn't necessarily a computer issue. If you use the same password for multiple logins, one of those may get picked up somewhere. For example, you sign up for a guild's private website using the name "jimbobjoe" with password "notmypassword" and set it to the same email that your WoW account is linked to. If the password is the same as your email password, someone just has to get in to the guild's website (including whoever is running the thing), and they have your email and password, at which point, they do a search through your email for anything from blizzard, snag your account name, reset your password, and boom, access. And that's just one scenario.
Vyndree
12-31-2008, 06:48 PM
It isn't necessarily a computer issue. If you use the same password for multiple logins, one of those may get picked up somewhere. For example, you sign up for a guild's private website using the name "jimbobjoe" with password "notmypassword" and set it to the same email that your WoW account is linked to. If the password is the same as your email password, someone just has to get in to the guild's website (including whoever is running the thing), and they have your email and password, at which point, they do a search through your email for anything from blizzard, snag your account name, reset your password, and boom, access. And that's just one scenario.
They are actually all different. ;)
I have billions of passwords in my head between work, wow accounts, email accounts, forum accounts....
My e-mail account password does not match my WoW passwords which do not match my bank passwords which do not match my work passwords.
Furthermore, for my WoW accounts I use an e-mail forwarder on the account admin page that simply forwards to my "main" e-mail account. So they shouldn't have been able to figure out my e-mail address from the account admin page. ;)
Bigfish
12-31-2008, 07:01 PM
Right, but all someone needs is access to your main email account, at which point they can pick up your account name from any non-deleted blizz email, use it to reset your password, and click the link in the email that got forwarded to the account they had access to anyway. And I don't know the specifics of what happened, I'm just airing the concept that, yes, your account CAN be compromised without having a key logger, and I only put THAT out there because there seems to be this idea that if your account was compromised, it was because you got a Trojan without consideration for the dozens of other ways people can figure out your account and password.
Vyndree
12-31-2008, 11:32 PM
Anyone else think it's a bit silly to allow password reset requests without also requiring authenticator codes be entered?
I mean, even if you did forget your password, you still need the authenticator number to log in. I got a nice little wave of e-mails (in my deleted mail box this time) trying to reset my authenticator-passworded accounts.
Oh, and the strange thing? I had created a trial account so long ago that I don't even REMEMBER it, and certainly haven't logged into it for ages... it's still a trial account (expired)... and they tried to password reset that one... Strange, huh? Means they likely looked in my World of Warcraft\WTF\InsertAccountNameHere folders.
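A sketch of the reset policy asked for in the post above, added here as an example and not Blizzard's implementation: redeeming a mailed reset token also requires a current authenticator code when one is attached. It uses RFC 6238 TOTP as a stand-in for the authenticator's algorithm; `Account`, `redeem_reset` and the token strings are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code window (RFC 6238 default; an assumption here)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on secret and time window."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical account record; otp_secret is None when no authenticator is attached."""

    def __init__(self, name, password, otp_secret=None):
        self.name = name
        self.password = password
        self.otp_secret = otp_secret
        self.last_window = -1  # newest time window in which a code was accepted

    def check_code(self, code, now):
        """Accept the current or previous window, and never the same window twice."""
        if self.otp_secret is None:
            return True  # nothing enrolled, so there is no second factor to check
        supplied = (code or "").encode()
        for window in (now // STEP, now // STEP - 1):
            expected = totp(self.otp_secret, window * STEP).encode()
            if window > self.last_window and hmac.compare_digest(expected, supplied):
                self.last_window = window  # a keylogged code cannot be replayed
                return True
        return False


def redeem_reset(account, mail_token, expected_token, new_password, now, code=None):
    """Reset succeeds only with the mailed token AND, if enrolled, a fresh code."""
    if not hmac.compare_digest(mail_token.encode(), expected_token.encode()):
        return "bad-token"
    if not account.check_code(code, now):
        return "authenticator-required"
    account.password = new_password
    return "reset-ok"
```

With this rule, control of the mailbox alone resets only accounts that have no authenticator attached. Accounts sharing one secret accept the same code in the same window, which is what makes one token usable across several accounts.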
Gadzooks
01-01-2009, 10:54 PM
As a scammer/hacker myself, I know that the authenticator will NEVER be hacked, but it's a godsend to hackers out there, have a few of those babies laying around and get the accname/pw for an account on like markeedragon, then tie the baby to the account and BAM, email address, cdkey, secret question, all becomes redundant. So a tip is for everyone to tie one of those to your account and never fear being hacked again!
As someone who doesn't "hack" and scam, and as someone who's seen people affected by sleazy people like you, I won't be responding or reading anything you have to say, your opinion is worthless, and I would ask the Mods here to ban you for admitting that you take part in stealing people's accounts or in-game items.
Sajuuk
01-01-2009, 11:41 PM
Nilco turned me into a newt! He's a witch! Geet him!
Basilikos
01-02-2009, 12:09 AM
As a scammer/hacker myself ...
Epic LOLZ incoming...
Svpernova09
01-02-2009, 10:50 AM
Nilco turned me into a newt! He's a witch! Geet him!
Looks like you got better.
Multibocks
01-02-2009, 02:08 PM
LOL he was already banned.
TheBigBB
01-02-2009, 02:35 PM
I have trouble believing that brute force is a commonly used method to steal accounts from scratch. The number of username/password combinations is staggering even for a supercomputer, and the server would have to respond that a password was incorrect before you could rule any one of those trillions of possibilities out. Further, you wouldn't guarantee that you even got an account worth anything once you got into one finally. I am sure that most accounts are hacked by someone who already knows some info about the account, like at least the account name, and then 99% I would imagine would be from keyloggers and people being dumb with their information.
I mean even the talk of bank information being compromised in here has me rolling my eyes. I used to work at a bank a year and a half ago, and the FDIC was trying to get people to use online banking because the vast majority of identity theft or check fraud was perpetrated through physical documents being stolen, and of the online identity hacking, almost all of it was through those fake spam e-mails where it asks you for your info, and uninformed people would send it. Hackers brute forcing bank accounts wasn't even mentioned.
wizofid
01-02-2009, 02:39 PM
Bah.... authenticators are sold out at Blizzard's site.
lille
01-02-2009, 04:54 PM
and of the online identity hacking, almost all of it was through those fake spam e-mails where it asks you for your info, and uninformed people would send it
Never ever show your email on wow related sites, if you check mmo-champ forums, all of those who make posts about "Is this real or a scam?" wondering if they really are banned or if it's a scam mail are showing their email address for everyone to see on the forums. Other than that all security software I use is Firefox with noscript, spybot and the windows firewall. Installed nod32 2 months ago to see if I had any viruses but nope, system was clean, even if I hadn't used antivirus software other than spybot for 2 years :)
Tonuss
01-05-2009, 11:02 AM
I recently had the unfortunate occurrence of being hacked. Here was the "weird" part about it: When I found out my account was hacked, I checked my running processes and sure enough I ran across an unknown. I started checking my browser history and went back 3 months. The computer I play WoW on is just that, for WoW. I had been to wow o-boards and allak... and that was it.
So, I either got it from allak OR I got the virus a while back and it took it 3 months before it went into effect.
The particular machine in question was running Vista's UAC, Antivirus, and behind a firewall. However, it doesn't really surprise me that people can still get in. Given enough determination, people can find their way into anything.
It could be what I mentioned earlier, that an advertisement that was pushed from another site installed the virus/spyware/trojan. It's a pain to try and keep up with all of the possible vulnerabilities, not just in Adobe Flash or Javascript, but in the browsers themselves. Internet Explorer and Firefox get patched and updated pretty often, usually to shut down security holes. And I think that nowadays, the easiest way to get into your machine is via content that is being pushed to a site that you're visiting. Some sites will pull in data from more than a dozen additional sites! Each of those sites is a potential access point for malware, and your browser doesn't bother telling you that when you visit one site, you are also "visiting" many others.
I browse with Firefox, using both NoScript and AdBlock, and I try to be as aggressive and suspicious as I can with either of them. I have ZoneAlarm installed as well, which is a pretty good firewall and has the ability to block viruses and spyware, but more importantly it will alert me anytime a new program tries to access the internet from within my system. And it uses a checksum-based system, so if a virus tries to replace a legitimate file and assume its filename, that won't work.
I've been playing since '05 and have never been hacked. I have always had multiple accounts and really can't believe I've dodged the bullet for so long. Firefox ftw I guess.
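The checksum point in the post above, as an added sketch (not ZoneAlarm's code): an outbound-access rule keyed on the file's SHA-256 flags a program whose contents were swapped under an approved filename, while a name-only rule lets it through. `EgressPolicy`, the file names and the file contents are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash the file in chunks so large executables are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class EgressPolicy:
    """Hypothetical per-program rule store for outbound network access."""

    def __init__(self):
        self.approved = {}  # absolute path -> SHA-256 recorded at approval time

    def approve(self, path):
        self.approved[os.path.abspath(path)] = sha256_of(path)

    def decide_by_name(self, path):
        # Weak rule: trusts whatever currently sits at an approved path.
        return "allow" if os.path.abspath(path) in self.approved else "prompt"

    def decide_by_hash(self, path):
        # Checksum rule: the path must be approved AND the contents unchanged.
        known = self.approved.get(os.path.abspath(path))
        if known is None:
            return "prompt"
        return "allow" if sha256_of(path) == known else "alert-modified"


def demo():
    """Approve a constructed file, overwrite it in place, and compare both rules."""
    with tempfile.TemporaryDirectory() as folder:
        client = os.path.join(folder, "game_client.exe")
        with open(client, "wb") as handle:
            handle.write(b"constructed original contents")
        policy = EgressPolicy()
        policy.approve(client)
        before = policy.decide_by_hash(client)
        with open(client, "wb") as handle:  # same filename, different bytes
            handle.write(b"constructed replacement contents")
        unknown = os.path.join(folder, "new_tool.exe")  # never approved
        return (before, policy.decide_by_name(client),
                policy.decide_by_hash(client), policy.decide_by_hash(unknown))
```

A legitimate patch also changes the hash, so a rule like this has to re-prompt after every update of an approved program.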
beyond-tec
01-05-2009, 11:33 AM
my main account got hacked in the past.
I was posting on a thread on the official WoW Forums and was surfing on other sites when an advertisement which was embedded into a page crashed my firefox browser.
Due to a security bug the popup was able to grab my account name and my password which I've entered some minutes ago when I logged into the wow forums.
my account got hacked later that night, everything was sold and my chars got deleted.
After about 2 Weeks (sending the key and your personal data to blizzard etc..) I've received a mail that I shall contact a GM ingame to restore my chars and my stuff.
The GM restored my lvl 70 chars and put their stuff in the mailbox (armor, weapons ....)
:love: Blizzard GMs :love:
Now I've got the RSA security token. One token for all accounts. I start the wow sessions, activate keyclone and broadcast the current RSA Token Password to all sessions at once.
Excellent stuff