Blizzard Responds To Diablo 3 Session Spoofing, Says Public Games Are Safe

Responding within a forum thread, a Blizzard staff representative addressed the article we recently ran about the dangers of joining a public game in Diablo III. According to Blizzard, public games are safe: session spoofing is "technologically impossible," and an authenticator is your best bet for staying safe.

The original article covered the many claims from players who were hacked or had their accounts compromised after they mentioned that certain nefarious individuals were either on their friends list or in a public game with them. The names are as follows: "leyiong", "Nevin", "SBJunkie", "luckllezz", "McLeast", "lukas", "Morfeas". There are additional individuals to watch out for in public games, but the entire list is a little lengthy.

Other gaming journalists from Eurogamer, Examiner and Ars Technica (to name a few) have also had their accounts infiltrated in a similar manner, as have countless players who are filing complaints faster than Blizzard can clear them off the forum boards.

What's more, two of the three journalists attribute their account hacks to their own irresponsibility as consumers for not having authenticators set up beforehand. I mean, isn't that what we always think about when playing a single-player game? "Oops, I forgot to install an authenticator on my account."

Anyway, Blizzard rep Lylirra, on a forum thread no less, addresses the session spoofing claims and says everything is fine and dandy and public games are safe, as quoted below...

We've investigated several reported claims of "session spoofing," as discussed both in these forums and elsewhere on the Web. We treat these kinds of reports very seriously -- however, to date, we have yet to identify a single case of compromise that was the result of a player joining or participating in a public game.

Lylirra goes on to explain what Blizzard means by the technical impossibility of session spoofing (or man-in-the-middle attacks, or whatever it is you want to call them), breaking down Blizzard's own terminology with the following statement...

For clarity, when we say "technically impossible" it means we determined (after many, many days of research) that session spoofing, as described in the claims we've seen, cannot occur within Diablo III. To avoid confusion, read "technically impossible" as "technologically impossible."

Even so, we're continuing to investigate related reports. If you believe you possess solid evidence of some sort of "hack," then please relay that information to our support representatives as soon as possible, or email hacks@blizzard.com. In the meantime, if you don't possess such evidence, we ask that you please refrain from spreading hearsay.

It's interesting how carefully worded that response is. Phrases like "...as described in the claims we've seen" and "...we have yet to identify a single case of compromise..." suggest that the investigation is still ongoing, and leave a rather vague measure of uncertainty hanging in the air.

Someone also recently recorded a video of hackers taking looted goods from a number of different individuals and trading them in; the video is here, but it's kind of stupid. The main idea is that if account breaching is happening as frequently and as fast as that video depicts, then this is basically a full-time job for gold farmers.

Lylirra provides a final piece of advice to protect yourself from said farmers, mentioning that...

We've stated this several times, but in all of the individual Diablo III-related compromise cases we've investigated thus far, none have occurred after a physical Battle.net Authenticator or Battle.net Mobile Authenticator app was attached to the player's account.

While no security method is 100% fool-proof (even Authenticators), please note that it is possible that players reporting to have been compromised while an Authenticator was attached to their Battle.net account may have been using the Dial-in Authenticator. The Dial-in Authenticator does not provide the same level of protection as the Battle.net Authenticator or Battle.net Mobile Authenticator app, and -- more importantly -- is not currently supported for Diablo III.

It's important to remember there is no "silver bullet" guaranteeing complete protection against account compromise. The Authenticator offers players a highly valuable layer of added protection, but is not intended to replace the need for end-user computer and network security.

Blizzard fanboys are probably rejoicing "Whoa, Blizzard debunked spoofing, hacking and everything else. Get an authenticator noob!"

Whoa, whoa, whoa...slow down there, Poncho. We still have the most glaring problem ahead of us: Blizzard claims this is not what's happening, so what is happening? It's one thing to stand by and say "This is not happening"; all right, then. So what is happening, Chief?

Blizzard's own Game Master Cerville, responding to an account infiltration case, said that...

I got your forwarded report about the recent losses in Diablo III, and checked into this, but we weren't able to find the malicious access. For cases where we *can* find a malicious access point, we'll happily restore the Diablo III progress back to the way it was before the intrusion.

That said, if the intrusion isn't visible to us, all we'll see are your normal logins, and we won't be able to distinguish one from the other (and won't know which of them has your progress and which of them doesn't).

So if session spoofing did happen, how would they know, when they can't find a malicious access point in the first place? If a hijacked session looks exactly like one of the player's normal logins, it could be anything.
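The Game Master's point above, that a hijacked session which authenticated normally leaves the same login record as the real player, is the crux of the whole story. As an added illustration (this is not Blizzard's code, and the record layout, field names, sample data and thresholds below are all assumptions), here is the kind of two-signal triage a fraud team could run over login and trade records to tell the two apart: a login that deviates from the account's own history and is immediately followed by a burst of outbound trades.

```python
"""Two-signal login triage over constructed Battle.net-style records.

Added example, not Blizzard's code. The field names (ts, ip, country,
device, authenticator, counterparty, items), the sample data and the
thresholds are assumptions made for this illustration.
"""
from datetime import datetime, timedelta

# Constructed sample data: one account's recent logins and outbound trades.
# The first three logins are the legitimate player; the fourth is a login
# from a new country and device followed minutes later by a gear dump.
LOGINS = [
    {"ts": "2012-06-01T18:02:00", "ip": "203.0.113.10", "country": "US",
     "device": "desk-A", "authenticator": False},
    {"ts": "2012-06-02T19:11:00", "ip": "203.0.113.10", "country": "US",
     "device": "desk-A", "authenticator": False},
    {"ts": "2012-06-03T20:30:00", "ip": "203.0.113.11", "country": "US",
     "device": "desk-A", "authenticator": False},
    {"ts": "2012-06-04T03:14:00", "ip": "198.51.100.7", "country": "CN",
     "device": "unknown-1", "authenticator": False},
]
TRADES = [
    {"ts": "2012-06-03T20:45:00", "counterparty": "friend-1", "items": 1},
    {"ts": "2012-06-04T03:16:00", "counterparty": "mule-1", "items": 14},
    {"ts": "2012-06-04T03:17:00", "counterparty": "mule-1", "items": 9},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def triage(logins, trades, window=timedelta(minutes=30), burst_items=5):
    """Return logins that both deviate from the account's own history AND
    are followed by a burst of outbound trades within `window`.

    Either signal alone is noisy: players travel, and players hand gear to
    friends. Both together look like a compromised session being emptied.
    A plain IP change within a known country and device (login 3 above) is
    deliberately not treated as a deviation.
    """
    ordered = sorted(logins, key=lambda entry: parse_ts(entry["ts"]))
    flagged = []
    seen_countries, seen_devices = set(), set()
    for index, login in enumerate(ordered):
        t0 = parse_ts(login["ts"])
        deviations = []
        # The first login only seeds the baseline; there is nothing to compare it to.
        if index > 0:
            if login["country"] not in seen_countries:
                deviations.append("new country %s" % login["country"])
            if login["device"] not in seen_devices:
                deviations.append("new device %s" % login["device"])
        moved = sum(trade["items"] for trade in trades
                    if t0 <= parse_ts(trade["ts"]) <= t0 + window)
        if deviations and moved >= burst_items:
            reasons = deviations + ["%d items traded away within %d min of login"
                                    % (moved, window.seconds // 60)]
            if not login["authenticator"]:
                reasons.append("login presented no authenticator code")
            flagged.append({"ts": login["ts"], "reasons": reasons})
        # Baseline grows with every login, including flagged ones; a real
        # system would exclude confirmed-malicious sessions from it.
        seen_countries.add(login["country"])
        seen_devices.add(login["device"])
    return flagged


if __name__ == "__main__":
    for hit in triage(LOGINS, TRADES):
        print(hit["ts"], "->", "; ".join(hit["reasons"]))
```

Run on the constructed data, only the fourth login is flagged, for three reasons: new country, new device, and 23 items traded away within 30 minutes. The third login, which changed IP but not country or device and was followed by a single item trade, is left alone. The point is not that this heuristic is what Blizzard should run, but that "all we see are normal logins" only holds if nothing beyond the credential check is being looked at.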

Ars Technica's Aurich Lawson received a similar response, and despite blaming himself for his account being hijacked, he tried to pressure Blizzard into revealing how his account was compromised. They gave him the same response as quoted above.

Blizzard has been quoted as saying that these account infiltrations are happening via "traditional methods," but if they are traditional, then why can't Blizzard find the malicious access? Why can't they determine, in at least some cases, how accounts are being hijacked?

It's nice that Blizzard keeps reiterating what's *not happening*, but we really need to know what *is happening*. All these PR-safe responses from Blizzard's staff aren't helping, either. It's roughly the equivalent of a police officer walking out of a cafe filled with blood and dead bodies, with the bodies piling up moment after moment, and announcing, "All right, folks, listen up: there have been no murders, none at all." The obvious question is, if it isn't murder, then what is it, how did it happen, and why does it keep happening?

Note: We still have no confirmation from Blizzard of what is actually happening, so join public games at your own risk.

Image courtesy of Kotaku

Will Usher

Staff Writer at CinemaBlend.