Blizzard detected a virus, de-activated all my accounts.. how?



heyaz
06-03-2010, 10:18 PM
I got emails from Blizzard, for all 5 of my accounts, stating that they had evidence that I had a trojan/virus/keylogger. Double checked all the links, raw headers, etc - apparently legit. Their action was to de-activate all the accounts for 24 hours (which I guess means adding an authenticator to the account which doesn't exist - because now it asks for one).

Question is: how do they determine that I'm compromised? Even though there is zero evidence that I'm compromised (other than Blizzard's little warning email, nothing has happened), I ran anti-virus anyway - found nothing. I'm assuming Warden doesn't magically find malware that modern anti-virus can't. Could this simply be triggered by someone trying to log in from another country, or a false alarm?

Anyone else had something like this happen, or know what it's about?

Knytestorme
06-03-2010, 10:22 PM
If the account is now asking for an authenticator and you didn't add one to it then you have been compromised, whether the email is legit or not.

Get ready to call up billing and have a boatload of details ready to get the auth taken off, and have either a physical or mobile one ready to go and add to your account as soon as you get it back.

heyaz
06-03-2010, 10:26 PM
Ah yeah, I was afraid of that. I thought maybe Blizzard's way of deactivating an account was some kind of hack job that just put a non-existent authenticator on it.

So if the accounts were compromised, I still wonder, how the hell would Blizzard know that my PC was compromised, especially if AV shows no evidence. Could they have just guessed? Honestly I could really care less about the accounts, I play about 30 minutes a week, and I know they'll just restore all my stuff and I'll end up with more gold and items than I started with.

jinkobi
06-03-2010, 10:42 PM
Sounds like you got tricked bro. Those emails can look very real sometimes but never ever ever follow any links in your email from someone claiming to be Blizzard. They also don't scan your PC for virus.

Scenario probably goes. You got the email- followed the link- got keylogged and they added an authenticator while they clean you out.

Customer service is open 24hrs I think. Sooner you get on it the better!

heyaz
06-03-2010, 10:53 PM
Sounds like you got tricked bro. Those emails can look very real sometimes but never ever ever follow any links in your email from someone claiming to be Blizzard. They also don't scan your PC for virus.

Scenario probably goes. You got the email- followed the link- got keylogged and they added an authenticator while they clean you out.

Customer service is open 24hrs I think. Sooner you get on it the better!

I seriously doubt that; I'm a security analyst by profession and have done phishing campaigns myself. I loaded the emails in a VM and inspected the headers and links which all pointed to the official Blizzard sites - they would've had to have spoofed the content client-side via a rootkit level proxy, DNS or some other method. The accounts were locked out before I even read the emails. If they managed to trick me, honestly, they deserve it.

Iceorbz
06-04-2010, 01:41 AM
Sounds like they got you bro.

No way blizzard would add an authenticator -- then they would have to make sure you got that *ONE* authenticator. I know other friends of mine who have gotten hacked, have had the same scenario happen.

Blizzard also does not scan for viruses, or trojans, or anything else really. Not even warden scans that crap.

Ualaa
06-04-2010, 01:46 AM
Not sure on the validity of this claim, but one guy in trade chat was going on yesterday.

Basically said he had been hacked in the past, talked to billing on the phone.
And had them allow his account to be logged in from one of two IP addresses.
But made it impossible to log in, from any other IP.

Not sure if Blizzard has anything like this.
But if they do, that would be the ultimate in security.

HPAVC
06-04-2010, 03:41 AM
1. Detected a virus, lolz? Well assuming that it did, I would think that the warden found that secureid snooping program running. Even if you're not using the secureid authenticator warden would still be looking for it. I would assume warden wouldn't give you any specifics at all ever.

2. Yeah, you don't want to be logging in from two different ASN's at the same time. Possibly don't want to be logging yourself out from a different ASN either. You want to rethink having people use your account if that is going on.

3. I would advise not having your battle.net id be the same that you are using on various forums/blogs that you post as about wow or other geeky stuff. You will just get a steady stream of emails about your warcraft account being hacked / under investigation, password change request, etc etc. I would use a plus hack (http://www.lifeclever.com/two-gmail-hacks-for-fighting-spam/) on gmail since it supports it: "crypticthinghere+yourgmailhere@gmail.com" will go to your 'yourgmailhere' account. Or similar, since nobody should be using your "crypticthinghere".

Daeri
06-04-2010, 05:05 AM
Launcher contains a very crude trojan detector. I know that upon startup it looks for a limited list of trojans and might prevent you from starting the game until you do some sort of cleaning. I didn't know it could send a signal to Blizzard, thus allowing them to automatically deactivate an account and send emails. Maybe a recent improvement?

SmartJelly
06-04-2010, 05:46 AM
I seriously doubt that; I'm a security analyst by profession...

Maybe your machine is clean but they detected some dodgy access your account from elsewhere and sent out the "you've been compromised" email, thus leaving your reputation intact :)

Heavyd
06-04-2010, 08:32 AM
There was a story a couple of days ago about 44mm game accounts, including some number of Warcraft accounts, that were found on a Chinese server. Maybe it had something to do with that?

http://news.techworld.com/security/3224918/world-of-warcraft-accounts-stolen/?olo=rss

If you don't want to click the link you can google 'stolen warcraft accounts' and it'll be the top couple of stories.

Fat Tire
06-04-2010, 09:18 AM
This is unfortunate, however there is a silver(gold) lining.

I made out like a bandit when my accounts got hacked @6 months ago - pre authenticator. At the time I had about 160k gold and just a ton of other items, mostly enchanting, jewelcrafting mats on bank mules etc. These hackers pretty much cleaned me out and transferred a lot of my characters to different servers.

I went thru the procedure and it took about 12 days to get my stuff back and when I got it all back I was blown away. I got around double my gold back and got about 3 times in mats back. My warrior had thunderfury from back in the day and when I logged him on he had his original equipped and another in his bags.

jinkobi
06-04-2010, 12:13 PM
I seriously doubt that; I'm a security analyst by profession and have done phishing campaigns myself. I loaded the emails in a VM and inspected the headers and links which all pointed to the official Blizzard sites - they would've had to have spoofed the content client-side via a rootkit level proxy, DNS or some other method. The accounts were locked out before I even read the emails. If they managed to trick me, honestly, they deserve it.

Just saying it happens to the best of us man. Luckily hasn't happened to me -knock on wood-. Even MMO champion got hacked, Curse gaming, etc... People were getting things from those sites. You may have had something hiding for a while and they just now decided to take advantage of it.

Wishing you all the best!

Multibocks
06-04-2010, 12:38 PM
Blizzard would not automatically apply an authenticator to your account. You somehow lost control of the accounts and the new owner has put an authenticator on them.

emps
06-04-2010, 12:51 PM
it's bogus. i've gotten that kind of email in the past (if not exactly that) stating my account has been disabled as well (on top of getting password changes, violation of eula, blah blah blah). If i didn't filter my inbox, I would be getting at least 5 wow phishing emails a week. Never really clicked a single link on it (sometimes I'd inspect the headers and view the message as text to see the src links for kicks).. Oh well, with an authenticator thank Elune I haven't been compromised yet. If you're not so sure about your account status - you can always log into battlenet and check if they are truly disabled. Otherwise, 99% of these emails are scams.

Edit: I assume you don't have an authenticator?

BrothelMeister
06-04-2010, 12:57 PM
Blizzard does scan your system while you are playing wow, and if they detect a virus, they have been known to shut down your account till you get it fixed if you do not have an authenticator. They do this because if your account becomes compromised, it's more work for them to fix it.

However, if you clicked a link in an email from blizzard, (real blizzard emails won't have a link for you to follow in it), and now your account has an authenticator on it, you've been tricked.

To get an authenticator removed from your account, and get it restored, since it's definitely been wiped clean by now by the botters, you have to call them direct. When I had to remove my mobile authenticator after my phone died, they simply asked for things like the product key on one or two of your wow accounts or upgrades.

After the authenticator is off tho, you'll still need them to do a restore on your account; before which they'll have to do a lot of research, x5 accounts, which means you might be out of wow for a week or two.

Multibocks
06-04-2010, 01:02 PM
Here's a simple fucking rule for WoW: if an email tells you that your account is compromised/banned don't even fucking read it. Scan for a Trojan if you must, but I've ignored every email from blizzard and have not been "hacked."

Starbuck_Jones
06-04-2010, 01:16 PM
Your accounts were prolly flagged by reports in game. People see you sharding and vendoring all your gear and stripping naked and large gold transfers.

Souca
06-04-2010, 05:41 PM
Since no one has spelled it out, here is likely what happened:

1. Your accounts got hacked, your computer got hacked, or your password got guessed/stolen from another site.

2. Hacker adds authenticator to your account.

3. Hacker did something stupid, or got detected by IP range. Blizzard maintains IP ranges of common pirates and power-leveling service and will ban accounts if there is enough activity from these IPs.

4. Blizzard sends out a form email telling you that your account has been hacked and that you likely have a virus and that your account has been frozen.

While things might be different, this is a common pattern and the result is the same, you need to call up Billing, 800-592-5499 and politely explain the situation and provide the information they need to validate your account. Generally they will not do item/gold/character restoration until you have regained your account and had a chance to loot through things. Restoration is usually done in-game and via email with a group that handles that specifically. Do not accept the care package instead; wait for your stuff.

As another poster mentioned, you can stand to make some decent gold out of the whole thing. Just make sure to get an authenticator.

- Souca -
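The sequence Souca lists (takeover, authenticator added by the intruder, detection by IP range) and HPAVC's point about logins from a different ASN can be expressed as a server-side detection rule. This is an added example, not Blizzard's logic or code from any poster: the event names, log fields, flagged range and the 24-hour baseline are all assumptions, and the events are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: ranges an operator has flagged (documentation range used here).
FLAGGED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed events: (time, account, event, source IP, source ASN)
EVENTS = [
    ("2010-06-01T19:02", "acct1", "login", "198.51.100.10", 64500),
    ("2010-06-02T19:05", "acct2", "login", "198.51.100.10", 64500),
    ("2010-06-03T03:11", "acct1", "login", "203.0.113.44", 64511),
    ("2010-06-03T03:12", "acct1", "authenticator_added", "203.0.113.44", 64511),
    ("2010-06-03T03:14", "acct2", "login", "203.0.113.44", 64511),
    ("2010-06-03T03:15", "acct2", "authenticator_added", "203.0.113.44", 64511),
    ("2010-06-03T20:00", "acct3", "login", "198.51.100.77", 64500),
    ("2010-06-04T20:03", "acct3", "authenticator_added", "198.51.100.77", 64500),
]

def detect(events, min_age=timedelta(hours=24)):
    """Alert when an authenticator is attached from a network the account
    has not used for at least min_age. A login seconds earlier from the
    same network does not count as history, since the intruder's own
    session would otherwise whitelist itself."""
    first_seen = {}                       # (account, asn) -> first time observed
    alerts = []
    for ts, acct, event, ip, asn in sorted(events):   # ISO times sort in order
        when = datetime.fromisoformat(ts)
        first = first_seen.setdefault((acct, asn), when)
        if event != "authenticator_added" or when - first >= min_age:
            continue
        flagged = any(ipaddress.ip_address(ip) in net for net in FLAGGED_NETS)
        alerts.append({"account": acct, "time": ts, "asn": asn,
                       "severity": "high" if flagged else "medium"})
    return alerts

def sweeps(alerts, min_accounts=2):
    """Group alerts by ASN to surface one source hitting several accounts."""
    by_asn = defaultdict(set)
    for alert in alerts:
        by_asn[alert["asn"]].add(alert["account"])
    return {asn: sorted(accts) for asn, accts in by_asn.items()
            if len(accts) >= min_accounts}

if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(alert)
    print("multi-account sweeps:", sweeps(found))
```

A brand-new account that adds an authenticator on its first day also lands in the medium bucket, so a rule like this feeds a review queue or a temporary lock rather than an automatic ban.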

heyaz
06-04-2010, 08:20 PM
Here's a simple fucking rule for WoW: if an email tells you that your account is compromised/banned don't even fucking read it. Scan for a Trojan if you must, but I've ignored every email from blizzard and have not been "hacked."

The accounts were compromised before I read the email. If it was fake, I don't see the purpose of it considering it had no malicious links - it went directly to the Blizzard site.

I tend to agree with the logic posted by Souca - account was compromised beforehand by some means, blizzard sends out generic email saying I probably have a virus. I don't think the email itself compromised me.

I'm just happy that they didn't get anything else. I kind of doubt my actual machine is compromised, but I am very curious as to how accounts get stolen when: your machine isn't compromised, you don't use the same password/email on your bnet as you do anywhere else, your wireless is encrypted, etc. I almost wonder if they're able to sniff traffic at some core router on the Internet far outside of my control. I've known a few people who were totally secure on their end yet their accounts were compromised. It's a damn good technique, whatever they're using.

MiRai
06-04-2010, 11:25 PM
However, if you clicked a link in an email from blizzard, (real blizzard emails won't have a link for you to follow in it), and now your account has an authenticator on it, you've been tricked.
The text in bold is incorrect. Real Blizzard e-mails can contain links in them.

Souca
06-05-2010, 01:32 AM
Here is the real Blizzard email I got about my account being hacked. This is from 2008, so it's likely they have changed since then. This is just for comparison and to get an idea of how vague they really are.



An investigation of World of Warcraft account XXXXXXX has found strong evidence that the account has been accessed by someone who is not allowed to use it. While you work to regain sole and secure access to the account, we have temporarily disabled access and all billing methods that are associated.

Please keep in mind that if your account is not secured, it may be disabled again after retrieval - because of this, we strongly recommend you follow the below steps very closely.

1.) WHY DID THIS HAPPEN AND HOW CAN I STOP IT FROM HAPPENING AGAIN? (Steps to secure your account)

Account compromises are usually a result of the registered user sharing their account, or playing on a computer that has a virus. Please remember that World of Warcraft accounts cannot be shared with anyone except one minor who you are the parent or guardian of.

To help ensure that no viruses are present that may threaten your account, please keep the following in mind at all times:

-Keep your system up to date with the latest O.S. Updates.
-Make use of protection from firewalls, antivirus and anti-spyware software.
-Be wary of spoof emails and websites.
-Be wary when downloading executables.
-Do not share account information with any unauthorized users.

For details to the above points, please visit ALL of the following links:

- Computer Security: (http://us.blizzard.com/support/article.xml?articleId=21118)
- Account Safety Tips: (http://us.blizzard.com/support/article/20572)
- Unauthorized Access Policy: (http://us.blizzard.com/support/article/20460)

We recommend you regularly scan all computer systems that you use to remove all viruses, including Trojan files, spyware and key loggers. Also be sure to change your account password regularly at (https://www.worldofwarcraft.com/account).

2.) HOW DO I GET MY ACCOUNT BACK? (Steps to recover your account)

To retrieve your account, please send an email to WowAccountRecovery@blizzard.com with the following information:

- Account name:
- First and Last Name of registered user:
- Written acknowledgement that steps have been taken to secure your computer system(s).

Be certain to send this information from the registered email address of the account.

3.) I SENT MY EMAIL, NOW WHAT?

We will contact you again once your submission is received and processed. If you do not receive a reply within 48 hours of sending your email, please resend it to WowAccountRecovery@blizzard.com.

Only Account Administration is able to assist with account retrieval issues. To learn more about how Account Administration is able to assist you, please visit us at (http://us.blizzard.com/support/article/21505).

Thank you for your time and attention to this matter, and your continued interest in World of Warcraft.

Account Administration
Blizzard Entertainment

Iceorbz
06-05-2010, 06:32 AM
Makes you wonder how profitable this business is... if they really go to all these great lengths.

Whowantstoknow
06-05-2010, 08:19 AM
I was hacked 3 times after being completely anal about security (to the point of never typing a password and using bio scanners etc) and 100% sure that I was not personally compromised (clean install no web browsing etc etc). I concluded that Blizzard's end is not as secure as they claim it is. I have since got an authenticator and have not lost my accounts since. Those of us that are security savvy can minimise the risks but we can not eliminate them completely (even with an authenticator). I consider not using an authenticator foolish.

kate
06-05-2010, 10:07 AM
Makes you wonder how profitable this business is... if they really go to all these great lengths.

These aren't great lengths in any way, shape, or form. Compromising systems is pretty trivial to do, as it's pretty much an automated system once the basic tools have been developed. It costs virtually nothing, when spread out over thousands (or possibly tens or hundreds of thousands) of accounts, to compromise an account, so any money made from it is going to be profit. Figure every 1k gold on an account is going to turn into about 5-7 USD, and any account is going to have at least that much on it by this point.

Going to great lengths would be doing things like calling people by phone, claiming to be Blizzard employees and trying to social engineer account info.

I do admit that I'm somewhat perplexed why a security expert wouldn't have an authenticator on their account in the first place... It costs under 6 bucks (or is free if you put it on your phone) and anyone who works in the industry would surely find that a trivial expense and the time they need to spend rectifying it with Blizzard to be rather more valuable. I am by no possible stretch of the imagination an expert, but this seems to me to be common sense.

Sam DeathWalker
06-06-2010, 02:59 AM
I don't run Norton

I don't have an auth.

I don't use firewalls. (without norton or a firewall running I get a lot more speed from my computer)

I have never had any problems. Even with win2000 and win7 which I run exclusively now is even hard to crack if you keep it updated.

Shut off all remote services. Why they are on by default I have no idea. It is far from trivial to compromise a computer with all remote services turned off, especially a Win7 system.

If the hacker can get around this he's not interested in your lousy 1K gold lol ....

Never open email attachments, ever for any reason no matter who it is from.

Make sure links in emails go to where they say they do.

When you see "Do you trust content from so and so" and so and so you never heard of. Shut the power to your computer immediately. Do not close normally, shut the power switch.

Back up your whole hard disk with a clone program every week or so.

You can see if your machine is compromised by looking at the auto start registry entries, there is a microsoft tool that does it easy for you also. Or just get task manager open and check what processes are running.

I know everyone is going to start talking about root kits and all that. Look if the hacker is all that competent he is attacking bank accounts or corporate or government systems not your piddly wow account.

jinkobi
06-06-2010, 11:09 AM
Well Sam if the hacker went to your website he'd probably be much too frightened to hack you broham! lol I can just hear the hackers now "Hack him?? That Captain Caveman!" :D

While I agree the hackers want the suckers/easy targets first and they want to put in as minimal effort as possible. I disagree about the authenticator too many advantages to not have one really. Few bucks to add an extra layer of protection protecting is worth it to ME personally. But let's not talk about that because Super will close the thread :D We've all hashed the argument to death. It's obvious some will never get an authenticator no matter what- that's their business.

Sam DeathWalker
06-06-2010, 12:05 PM
True enough although norton (a lot) and firewalls (to a very small extent) lag out your system there is no real reason not to use an authenticator.