Follow Slashdot stories on Twitter


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 Internet speed test! ×

Submission + - Blizzard's Warcraft servers compromised by hackers ( 1

Phil Duffy writes: "Blizzard's Warcraft servers compromised by hackers

Blizzard's World of Warcraft servers have been compromised by hackers and are allowing users' accounts to be logged into and modified without the owner's authorization. This is a repeat of the issue that Blizzard's Diablo II servers experienced in December 2000. Accounts are logged into, characters are stripped of their items, used to farm gold, and are even deleted. Through the experience related below as well as others posted on the official World of Warcraft forum (, it is obvious that this is a security issue originating with Blizzard and not with the end user.

When contacting Blizzard's account support for assistance on resolving the issue, players are constantly pressured to buy a Blizzard authenticator for their account. However, various players' experiences have proven that this authenticator can be removed by social engineering. Game Masters (in-game assistance) are slow to respond and can do little to resolve the issue and prevent the account from being logged into once hacked, regardless of account name change, password resets, booting the hacker from the server, etc. Account support has been able to track the IP of a hacker and yet still been unable to prevent reconnection.

These hacking incidents seem to initiate when the player's account is merged into a account without their permission. The account setup and merge process is inherently insecure and allows account modification without the confirmation of the account owner via the original email address. A standard security feature for most sites is that any account modification must be confirmed through the registered email. Even Youtube is superior to in this respect. If you try to log into Youtube and have forgotten your password, you may initiate a password change request which is then sent to the registered email address. Once the email is received, a link may be selected within it to return the user to the Youtube password reset screen. However, if you forget your account, or feel like hacking into one, you may initiate a password change request on the site and are immediately prompted to answer your security question. Once the correct answer is entered, a new password may be chosen. The only verification required is the answer to the security question. And let's be honest, it's not too difficult to figure out a mother's maiden name. Also, submitting the answer may be attempted any number of times. The only notification the owner receives in their email, is a message stating that the password was changed and that they may contact account support if they did not initiate this change. Given this standard procedure Blizzard has chosen, their only responsible course of action is to provide 24-hour account support. However, Blizzard Europe does not provide evening or weekend support. For a company that receives over $190 million per month in subscriptions, their account support center is either severely understaffed or simply does not choose to provide adequate account support and security.

Even for accounts that are originally hacked through an end user's compromised computer, such as through a keylogger, the user is unable to resecure their account once they have regained access to it and resolved their computer's security problem. This is because even once they have regained access to their account, unmerged it from the unauthorized account, removed any added Blizzard authenticator, and changed their email and/or password for it, they are unable to change their security question and answer. Once you obtain the security answer for an account, you may always reset the password for it. This feature is another indication that this current security breach is on Blizzard's end. As seen from the experience related below, the account password was never changed by the hacker. If the hacker was using a keylogger and/or had access to the user's personal system, they could have easily locked the user out of their account.

Below is a post from the official World of Warcraft — Europe forum. It is referenced with the writer's permission. It was submitted to the forum on September 4, 2009. At the time that this story is submitted to the media, there has been no forum response from Blizzard to the request for assistance, although multiple players have responded that they have experienced a similar situation. The original post and responses is located at

______________________ / Login servers Compromised

Early this week, I posted regarding this issue, and my post was deleted. I'm now posting again hoping that Blizzard might actually deal with a problem that is very real.

Two of my accounts were hacked on Sunday, Aug. 30th. The hacker bound my account to a account. I scanned my PC with AVG, Spybot and Avast, which all came back clean. I called Blizzard on Monday to have my account unbound.

So, Blizzard unbinds my account, resets my password, and when I try to log in with the new password, the hacker is still on my account. I log into my 2nd account, contact a GM, the GM kicks the hacker offline, and then I log in as well as change all my passwords. Within 1 hour the hacker is back on my account. Then I bind my account to my own account, change the passwords etc, and within minutes the hacker is back on the account. At this point I call my wife who is at her office. I give her the passwords to my and email and ask her to change them from her work. She works in IT support; her system is on a secured network and has never had Warcraft run on it. Within 2 minutes the hacker is back on my account. Throughout this time I've been logged into my 2nd account watching him, and at this point I've given up.

I wait till the next day as Blizzard phone support is closed for the evening. Tuesday I call Blizzard again. I get the same person on the phone as on Monday. This person was no use at all. When I ask her why this is happening, she can't give me an answer other than "buy an authenticator". Then she says she only works in Billing. I ask to speak to someone in technical support; she refuses to do that, but she asks for my contact number and says she will have technical support call me. So I give her my number and wait for technical support. What a surprise... no phone call.

So I call them again. This is now Wednesday, and I get someone who seems to actually know something. He checks IP logs. At first he can't see anything, but just then the hacker logs onto my account. I tell him "He is on right now", so he contacts a GM. I tell him everything that's happened. He finds it hard to believe, so he sets up a new account for me on his PC. I make a new email address, the GM kicks the hacker and all seems well. He also suggests that the only thing to do is to format the PC and get an authenticator if this happens again. Well, within an hour the hacker is back on again.

At this point I am really tired. I log onto Blizzard's store, and I try to buy 2 authenticators. They are sold out, so I drive to Best Buy and I buy one new 500g SATA drive and one brand new Laptop. I disconnect my desktop, I unplug both of my old SATA drives, I put in the new drive and I format it and install windows XP. On my new laptop, I make a new email address, and I change my passwords and email address for my account. I download WoW while Windows is installing on my desktop. 3 hours later it's downloaded and installed. I log on, and the hacker is on my account. He gets disconnected several times because I'm also connecting. He seems to give up and logs off. Thursday goes by and there's no sign of the hacker on either account. I check Blizzard's website, and they have authenticators back in stock. I order two. Today comes, I wake up, I log on and guess what? Hacker's back on my account farming again. I try to call Blizzard, this time very angry, and phones are closed early since it's Friday. And, of course, down all weekend.

Now, I have worked in IT support for Morgan Stanley. I have a CCNA. My wife works in IT support for a major pharmaceutical company. We are hardly IT illiterate. I have never in all my years and experience seen anything like this. What this tells me is that Blizzard's database on their login server or another area has been compromised. I would like some kind of response if anyone, particularly Blizzard, can give a straight and honest answer about this issue."


Journal Journal: Slashdot port scanning

My logs today revealed the following two port scans.

Fri, 2009-09-04 15:24:10 - TCP Packet - Source: Destination:X.X.X.X - [PORT SCAN]
Fri, 2009-09-04 15:24:12 - TCP Packet - Source: Destination:X.X.X.X - [PORT SCAN]

So I left wondering why slashdot is port scanning from


Submission + - Inside Mac OS X Snow Leopard Exchange Support (

imamac writes: Apple Insider has an interesting perspective on the MS Exchange support built into Mac OS X 10.6 and how it essentially frees Apple from all things Microsoft.

Windows Enthusiasts like to spin Apple's support for Exchange on the iPhone and in Snow Leopard as endorsement of Microsoft in the server space. From another angle, Apple is reducing its dependance upon Microsoft's client software, weakening Microsoft's ability to hold back and dumb down its Mac offerings at Apple's expense. More importantly, Apple is providing its users with additional options that benefit both Mac users and the open source community.


Submission + - Warns of Active Worm Hacking Blogs (

Erik writes: "Wordpress, the popular open-source Content Management System (CMS) for many thousands of bloggers worldwide, is under attack from a "clever" worm that automatically compromises unpatched versions of the Wordpress system. The particularly nasty bug crawls the web for vulnerable Wordpress installations, installing malware, deleting content, and generally wreaking havoc wherever it can. Today, Wordpress founder Matt Mullenweg eloquently implored Wordpress bloggers to update more frequently. Originally, updating the Wordpress system was a rather laborious process, however newer versions offer fast and simple one-click upgrades. The two most recent versions of Wordpress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at are also apparently immune."

Submission + - Is a CS PhD worth it ?

An anonymous reader writes: I am CS grad working in a startup. The job is pretty enjoyable and the people around me are great. However, thinking of life beyond this startup scares me, since most job postings seem to be full of buzz words (SOAP/XML/RoR etc) and my current job involves none of these (one of the reasons which makes it fun). For a long time, I have been thinking whether I should chuck it all and go back to school for a PhD. I am extremely passionate about CS and can pretty much imagine myself working in CS-related areas for the rest of my career. The problem is that I am not sure whether the 4 year or so effort is worth it.
Is finding a challenging CS related job really difficult for a guy with just an MS degree ?
Do PhD holding/about to acquire slashdotters have any regrets about getting it ?
More importantly in these times of economic hardship, does it make any sense to chuck a high paying job for 4-5 years of almost no earnings and uncertain future?

Slashdot Top Deals

Mathemeticians stand on each other's shoulders while computer scientists stand on each other's toes. -- Richard Hamming