Blizzard's World of Warcraft servers have been compromised by hackers and are allowing users' accounts to be logged into and modified without the owner's authorization. This is a repeat of the issue that Blizzard's Diablo II servers experienced in December 2000. Accounts are logged into; characters are stripped of their items, used to farm gold, and even deleted. The experience related below, together with others posted on the official World of Warcraft forum (forums.wow-europe.com), makes it clear that this is a security issue originating with Blizzard and not with the end user.
When contacting Blizzard's account support for assistance in resolving the issue, players are constantly pressured to buy a Blizzard authenticator for their account. However, various players' experiences have shown that this authenticator can be removed by social engineering. Game Masters (in-game assistance) are slow to respond and can do little to resolve the issue or to prevent the account from being logged into again once hacked, regardless of account name changes, password resets, booting the hacker from the server, etc. Account support has been able to track the hacker's IP address and yet has still been unable to prevent reconnection.
These hacking incidents seem to begin when the player's account is merged into a Battle.net account without their permission. The Battle.net account setup and merge process is inherently insecure and allows account modification without confirmation from the account owner via the original email address. A standard security feature on most sites is that any account modification must be confirmed through the registered email. Even YouTube is superior to Battle.net in this respect. If you try to log into YouTube and have forgotten your password, you may initiate a password change request, which is then sent to the registered email address. Once the email is received, a link within it returns the user to the YouTube password reset screen.
However, if you forget your Battle.net password, or feel like hacking into someone else's account, you may initiate a password change request on the Battle.net site and are immediately prompted to answer the security question. Once the correct answer is entered, a new password may be chosen. The only verification required is the answer to the security question, and let's be honest, it's not too difficult to figure out a mother's maiden name. Also, submitting the answer may be attempted any number of times. The only notification the owner receives in their email is a message stating that the password was changed and that they may contact account support if they did not initiate the change. Given this procedure Blizzard has chosen, their only responsible course of action is to provide 24-hour account support. However, Blizzard Europe does not provide evening or weekend support. For a company that receives over $190 million per month in subscriptions, their account support center is either severely understaffed or simply does not choose to provide adequate account support and security.
Even for accounts that were originally hacked through an end user's compromised computer, such as through a keylogger, the user is unable to re-secure their account once they have regained access to it and resolved their computer's security problem. This is because even after they have regained access to the account, unmerged it from the unauthorized Battle.net account, removed any added Blizzard authenticator, and changed its email and/or password, they are unable to change the security question and answer. Whoever obtains the security answer for an account may always reset its password. This is another indication that the current security breach is on Blizzard's end. As seen from the experience related below, the account password was never changed by the hacker. If the hacker had been using a keylogger or had access to the user's personal system, they could easily have locked the user out of the account.
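The two reset designs contrasted in the paragraphs above, as an added example that is not the article's or Blizzard's code: the weak flow accepts a security answer alone, never counts wrong guesses and only notifies the owner afterwards, while the hardened flow requires a single-use token mailed to the registered address, expires it, locks after repeated failures, and lets the owner set a fresh security answer so a recovery secret learned earlier cannot be reused. The Account fields, lockout threshold and token lifetime are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional

MAX_ATTEMPTS = 5         # assumption: failed confirmations before the reset locks
TOKEN_TTL_SECONDS = 900  # assumption: 15-minute lifetime for an emailed reset token

@dataclass
class Account:
    email: str
    password: str
    security_answer: str
    notices: List[str] = field(default_factory=list)  # mail "sent" to the registered address
    failed_attempts: int = 0
    reset_token: Optional[str] = None
    token_expiry: float = 0.0

def weak_reset(acct: Account, answer_guess: str, new_password: str) -> bool:
    """Flow as the article describes it: the security answer is the only check,
    wrong guesses are not counted, and the owner is only told afterwards."""
    if answer_guess != acct.security_answer:
        return False  # nothing stops the caller from simply trying again
    acct.password = new_password
    acct.notices.append("Your password was changed. Contact support if this was not you.")
    return True

def request_reset(acct: Account, now: float) -> None:
    """Hardened flow, step 1: no secret is asked for; a single-use token goes to the
    registered email, so only someone who controls that mailbox can continue."""
    acct.reset_token = secrets.token_urlsafe(32)
    acct.token_expiry = now + TOKEN_TTL_SECONDS
    acct.notices.append(f"Reset link token: {acct.reset_token}")

def confirm_reset(acct: Account, token: str, new_password: str,
                  new_answer: str, now: float) -> bool:
    """Hardened flow, step 2: wrong or stale tokens are counted and lock the reset after
    MAX_ATTEMPTS; a good token sets the password AND a fresh security answer, so a
    recovery secret the attacker learned earlier cannot be replayed (the article's point)."""
    if acct.failed_attempts >= MAX_ATTEMPTS:
        return False  # locked until support verifies the owner out of band
    if (acct.reset_token is None or now > acct.token_expiry
            or not secrets.compare_digest(token, acct.reset_token)):
        acct.failed_attempts += 1
        return False
    acct.password, acct.security_answer = new_password, new_answer
    acct.reset_token, acct.failed_attempts = None, 0  # token is single use
    acct.notices.append("Your password was changed via the emailed reset link.")
    return True
```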
Below is a post from the official World of Warcraft Europe forum. It is reproduced with the writer's permission. It was submitted to the wow-europe.com forum on September 4, 2009. At the time this story was submitted to the media, there had been no forum response from Blizzard to the request for assistance, although multiple players had responded that they have experienced a similar situation. The original post and responses are located at http://forums.wow-europe.com/thread.html?topicId=10711183739&sid=1.
Battle.net / Login servers Compromised
Early this week, I posted regarding this issue, and my post was deleted. I'm now posting again hoping that Blizzard might actually deal with a problem that is very real.
Two of my accounts were hacked on Sunday, Aug. 30th. The hacker bound my account to a battle.net account. I scanned my PC with AVG, Spybot and Avast, which all came back clean. I called Blizzard on Monday to have my account unbound.
So, Blizzard unbinds my account, resets my password, and when I try to log in with the new password, the hacker is still on my account. I log into my 2nd account, contact a GM, the GM kicks the hacker offline, and then I log in as well as change all my passwords. Within 1 hour the hacker is back on my account. Then I bind my account to my own battle.net account, change the passwords etc, and within minutes the hacker is back on the account. At this point I call my wife who is at her office. I give her the passwords to my battle.net and email and ask her to change them from her work. She works in IT support; her system is on a secured network and has never had Warcraft run on it. Within 2 minutes the hacker is back on my account. Throughout this time I've been logged into my 2nd account watching him, and at this point I've given up.
I wait till the next day as Blizzard phone support is closed for the evening. Tuesday I call Blizzard again. I get the same person on the phone as on Monday. This person was no use at all. When I ask her why this is happening, she can't give me an answer other than "buy an authenticator". Then she says she only works in Billing. I ask to speak to someone in technical support; she refuses to do that, but she asks for my contact number and says she will have technical support call me. So I give her my number and wait for technical support. What a surprise... no phone call.
So I call them again. This is now Wednesday, and I get someone who seems to actually know something. He checks IP logs. At first he can't see anything, but just then the hacker logs onto my account. I tell him "He is on right now", so he contacts a GM. I tell him everything that's happened. He finds it hard to believe, so he sets up a new battle.net account for me on his PC. I make a new email address, the GM kicks the hacker and all seems well. He also suggests that the only thing to do is to format the PC and get an authenticator if this happens again. Well, within an hour the hacker is back on again.
At this point I am really tired. I log onto Blizzard's store, and I try to buy 2 authenticators. They are sold out, so I drive to Best Buy and I buy one new 500 GB SATA drive and one brand new laptop. I disconnect my desktop, I unplug both of my old SATA drives, I put in the new drive and I format it and install Windows XP. On my new laptop, I make a new email address, and I change my passwords and email address for my battle.net account. I download WoW while Windows is installing on my desktop. 3 hours later it's downloaded and installed. I log on, and the hacker is on my account. He gets disconnected several times because I'm also connecting. He seems to give up and logs off. Thursday goes by and there's no sign of the hacker on either account. I check Blizzard's website, and they have authenticators back in stock. I order two. Today comes, I wake up, I log on and guess what? Hacker's back on my account farming again. I try to call Blizzard, this time very angry, and phones are closed early since it's Friday. And, of course, down all weekend.
Now, I have worked in IT support for Morgan Stanley. I have a CCNA. My wife works in IT support for a major pharmaceutical company. We are hardly IT illiterate. I have never in all my years and experience seen anything like this. What this tells me is that Blizzard's database on their login server or another area has been compromised. I would like some kind of response if anyone, particularly Blizzard, can give a straight and honest answer about this issue.