Blizzard Admits Accounts With Authenticators Have Been Hacked

So, you know how there was this whole thing about having an official Blizzard authenticator meant you weren't going to get hacked? Well, turns out you can still get hacked even with an authenticator.

Originally, Blizzard mentioned that accounts they investigated that had been hacked/infiltrated/compromised did not have authenticators attached beforehand. This led many in the forums to post rebuttals that most of the hacking occurring was due to player negligence and that they were not properly protecting themselves.

Well, today it turns out that some of the accounts that have been infiltrated did have authenticators attached and that there was a bit more to it than just an extra layer of password protection required to protect the user.

The news comes courtesy of a reader who tipped us off to a forum thread about a potential refund, one that finally shows what happened with an account that had an authenticator attached and still managed to get infiltrated.

An angry forum poster notes that he was still hacked even though he used a dial-in authenticator and SMS authenticator to protect his account (although it turns out it has been confirmed that neither has a high rate of protecting against account infiltration). The typical user responses were that he should have paid $6.50 instead of relying on the dial-in authenticator and that it was his fault for not properly protecting himself.

Interestingly enough, a support agent named Kaltonis responded with the following statements...

The "hacking" ("compromising" is probably a better word, since no real "hacking" is going on) being seen in D3 is no different than what World of Warcraft players have been seeing for five years or so. The sad thing is, if no one bought game currency (gold, credits, whatever) from these third-party companies, then essentially no account compromises would be occurring. Compromises not done by gold selling companies are very rare indeed. They strip one player to sell to another, because it's much more efficient than "farming" gold. They still farm some of course, but they do it purely with compromised accounts. If you have the physical or mobile authenticator (both of which major banks use and charge $30+ for) the chances of you being compromised are very, very small. I've personally examined the MSInfo files of nearly all of the handful of WoW players who have actually been compromised through an authenticator, and the sheer number of backdoor programs and other malware on their systems has been mind boggling. Probably not coincidentally, these same people were also running a disturbing number of file-sharing and download programs, including ones which are commonly known to not be safe.

Ohhh, those are fighting words.

So here's the thing, if you want to play Diablo III don't use file-sharing programs, they might be harmful to your PC...and for that matter, make sure you also use Spybot, Doctor Spyware, Windows Defender, Super Anti-Spyware, Spyware Begone and the most expensive version of Norton available, because otherwise it'll be your fault if you get hacked trying to play Diablo III. Oh yeah, and don't join public games, don't let anyone know your account name and make sure you have a mobile and key-chain authenticator, otherwise it's your fault for getting your loot, gear and items stolen in Diablo III. Also, never use your real name in public. Don't ever give out your personal info on any form. Don't talk to strangers. Never shake anyone's hand. If you go on a forum board only use simple non-specific words, otherwise hackers might find out who you are and come to your house, ring your doorbell and then punch you in the face for being a noob, because, well, it's your fault. That's right...your fault.

From the outside looking in, if you can't see the absurdity of it all I almost feel sorry for you.

I think this goes back to the other point: if Diablo III had an offline mode, any player who didn't plan to play online (when the servers were up) would instantly be out of harm's way; this is not to say that online players would be any safer. Still, there would be no need for dial-in this, keychain that, mobile here, SMS there; you would only need to further protect yourself if you chose to play online, which is not the case with the single-player in Diablo III. No matter what you do, anyone who plays Diablo III is at risk. Period.

As for the authenticators...if you have one, good. If you have a mobile phone you can grab an authenticator for free, and even if people with authenticators are claiming to be hacked, the extra protection never hurts if you still plan to play Diablo III.

What's more, according to one reader, there were about 128 unique claims of account infiltration over the course of 14 hours. That could potentially equate to over 500 claims every two and a half days. So don't assume that just a few forum threads and Reddit rants mean that it can only happen to them and not you. The complaints are ramping up rather quickly.

This also segues into an even bigger issue: how secure are you and your finances if hackers get a hold of accounts with real-money attached? I'm sure there are a lot of technical hurdles in place to prevent hackers from making off with your life savings, but with real money on the line due to the (indefinitely delayed) RMAH, I simply cannot imagine that hackers would be less vivacious about cracking accounts and selling goods for real money.

You can check out the entire thread (before Blizzard has it closed/deleted) by visiting the forums.

Will Usher

Staff Writer at CinemaBlend.