Posts with tag account-security

The Heartbleed bug and its effect (or lack thereof) on Battle.net

The Heartbleed bug, as it's been dubbed, is certainly hot news lately, with various sites being impacted and password reset advice abounding. But Blizzard has some good news: Battle.net was unaffected. However, the advice is to change your password if you used the same one elsewhere.

This is especially true if you're using the same email and password combination as you use for your Battle.net account on other sites. A big way that players get hacked, especially those without authenticators, is that their guild forums get hacked, or their email gets hacked, or their Facebook. Once those username and password combinations are known, it's possible for hackers to try them in various different places, one of which might be your Battle.net account. So be careful, mix up your passwords, and in light of these recent security issues, consider changing your passwords.

It's also a good idea, again as a general rule, to get into the habit of changing your passwords fairly regularly, for everything. So now might be a great time to start, even though Battle.net is unaffected by the recent issues. Hit the break for Blizzard's full post.


Filed under: News items, Account Security

Blizzard update on dangerous Trojan

WoW Insider reported recently on a dangerous Trojan that was, at the time, not removable by any known antivirus program. Vigilance was advised by the Customer Support agents, and logs from anyone who was affected by the Disker trojan were requested. Thanks to the hard work of the Blizzard Support MVPs, a solution has been found.

Kaltonis
Our pleasure!

To summarize for those of you that haven't read the green posts:

- The trojan is built into a fake (but working) version of the Curse Client that is downloaded from a fake version of the Curse Website. This site was popping up in searches for "curse client" on major search engines, which is how people were lured into going there.

- At this point, it seems the easiest method to remove the trojan is to delete the fake Curse Client and run scans from an updated Malwarebytes. Should you still have issues, there is a more manual method that Ressie posted earlier in the thread.

- Thanks to Ressie's efforts, most security programs should be able to identify this threat shortly, if not by the time I type this.

- If you were compromised, follow the instructions here and we'll do our best to set everything right (as we always do).

- For those of you interested in these MitM style attacks, this is the only confirmed case we've seen in several years outside of the "Configuring/HIMYM" trojan in early 2012 that hit a handful of accounts. These sort of outbreaks are annoying, but an Authenticator still protects your account 99% of the time. Stay safe!

Filed under: Account Security

Blizzard Customer Support warns of dangerous Trojan [Updated]

Blizzard Customer Support Agent Jurannok has taken to the forums to warn players of a dangerous Trojan -- a virus that can enter players' accounts even if they have an authenticator. Update -- A solution has been found.
Jurannok
Hello,

We've been receiving reports regarding a dangerous Trojan that is being used to compromise players' accounts even if they are using an authenticator for protection. The Trojan acts in real time to do this by stealing both your account information and the authenticator password at the time you enter them.

If your account has been compromised recently, I'd recommend looking for the Trojan. It can be identified by creating an MSInfo file and then looking in the Startup Program section of that file for either "Disker" or "Disker64". It will usually appear like this:

Disker rundll32.exe c:\users\name\appdata\local\temp\w_win.dll,dw Name-PC\Name Startup
Disker64 rundll32.exe c:\users\name\appdata\local\temp\w_64.dll,dw Name-PC\Name Startup


Filed under: Account Security

Resolve to improve your account security in 2014

Blizzard's European Customer Support team has invited players to make a New Year's resolution that we at WoW Insider can definitely support. It's easier than giving up chocolate, and probably more useful than that gym subscription you were planning on getting.

Following the link in the tweet above will take you to their page on account security that is just packed with helpful tips to secure your battle.net account, and your computer. Some of the most common causes of account theft relate to lax security on the side of the user, and following these tips can really help you avoid that.

There are also legitimate links to all the major sources of free anti-virus software, and the article is packed with other tips to avoid things like phishing sites, spyware, and malicious processes. In the absence of physical items on the battle.net store, there's also advice on retailers that can sell you authenticators.

Filed under: Account Security

Heading out of town for the holidays? Don't get locked out of WoW!

Over on /r/wow/, Blizzard CS rep Araxom offers some tips to avoid getting locked out of your WoW account if you're traveling this holiday season. Logging on from a different physical location can trigger some security features on Blizzard's side -- especially for accounts that don't have an authenticator attached. Avoiding holiday account lockouts is pretty simple:
  • Make sure you have an authenticator attached to your account, which makes it less likely your account will get locked for something like this. (And if you use the mobile authenticator app, be sure you have your restore code written down or screenshotted in case you run into issues with your phone.)
  • Enable SMS Protect, which can let you bypass your authenticator using your cell phone if you run into any problems.
Both of these are generally good ideas, but during the holidays having the right security setup can mean the difference between relaxing with some WoW and wrestling with resetting your password -- and we're pretty sure you'd all prefer the former. Not sure where to get started with account security? Check out our security guide for a walkthrough.

Filed under: Account Security

How to secure your World of Warcraft account

Whether you're just getting started or you've maxed out the number of characters on your World of Warcraft account, your account is valuable to hackers. And if they happen to steal your account, it can be a pain -- and a long wait -- to get it back to you. All of this makes securing your World of Warcraft account serious business.

But fortunately, it's easy enough to keep your account under (virtual) lock and key by taking some precautions in advance -- and when we say "in advance," we mean these are things you should do right now. We'll walk you through the very basics of keeping your account secure with a good password and an authenticator. Read on for all you need to know about getting started with good security!


Filed under: WoW Rookie, Account Security

Botters, how do they work?

One of the things almost everyone in every corner of our World of Warcraft can agree upon is that we hate botters... with the possible exception of those that bot themselves. Being the inveterate forum watcher that I am, this forum thread caught my attention. Should World of Warcraft have a system built in to randomly confirm that people engaged in excessive gathering or other 'suspicious' activities are in fact not botting? Well, I hope not the one described, a kind of captcha that would pop up a window you'd need to type an answer into. That would just ruin gameplay for me the first time I had that pop up. Similarly, I have to agree that hiring thousands of staff to simply monitor for bots wouldn't be time or cost effective. We live at a period in the game where the game has automated a great deal of its customer service, after all.

What I really found interesting, however, was Takralus' takedown of a very old argument by players about Blizzard's stance on botting.


GuildOx introduces Alt Detection

WoW database site GuildOx, which ranks guilds, players and loot from World of Warcraft by reading data via the official WoW API, has introduced a sparkly new service for would-be recruiters.

Thanks to the introduction of account-wide achievements, GuildOx, along with any other site that is smart enough to extract this information from the API, can use the cross-account information to tell you exactly who that new player's alts are that's applying to your guild. So, if someone claims to have amazing gear, and anything else that isn't a linkable achievement on an alt, you can now check it out on GuildOx.

The functionality could allow a guild leader to see if the new person they're picking up is actually the worst trade chat troll on the server, for example. As GuildOx says, this can provide extra insight into applicants when recruiting new guild members. If you think you'd benefit from this, then you can check it out on GuildOx's new service by viewing one of the site creator's characters, and all their alts.

There is, of course, a down side.


Filed under: Mists of Pandaria

North American players may now update their security questions

As an update to the security breach last week, players on North American realms will now be prompted to change their security question and answer when logging in to their Battle.net accounts. The security breach included no financial information; however, answers to personal security questions were compromised, as well as some information related to Mobile Authenticators.

In addition to the security question update, players may now also update their Mobile Authenticators as well. Please note, this is only in regards to North American accounts; players in Europe need to do neither of these things. And remember, if you are a North American player and have not changed the password on your account, doing so is an excellent idea.


Nethaera
As a precaution following our recent security update, players on North American servers please take a moment to visit Battle.net account management, where you will be prompted to change your security question as well as update your Mobile Authenticator. There you'll also find helpful tips and an FAQ, as well as instructions on how to add additional layers of security to your account, including the Battle.net Authenticator or the Mobile Authenticator for those that aren't already using one.

Filed under: News items, Account Security

Blizzard security breach, no evidence that financial data was compromised

Mike Morhaime, the president of Blizzard Entertainment, reported today in a blog post posted on the official Blizzard website that a list of email addresses for Battle.net users, answers to security questions, and information relating to the Mobile and Dial-in Authenticator program were illegally accessed by outsiders. The security hole has been closed, but Blizzard is officially recommending that all Battle.net users change their passwords immediately. In the coming days, players will be prompted to automatically change their security questions and update their mobile authenticator software. A FAQ is available here.

The full post is below.

Mike Morhaime
Players and Friends,

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we've found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Sincerely,
Mike Morhaime

Filed under: News items, Account Security

Blizzard issues account security alert after Riot Games breach

Not the first time we've seen something like this: Nakatoir of the EU community team posted this account security alert after Riot Games' EU branch warned its users that hackers "gained access to certain personal player data contained in certain EU West and EU Nordic & East databases." This information included email addresses and encrypted account passwords, and more than half of the passwords were considered simple and at risk of being cracked.

Blizzard issues its security alert because many players who play various Blizzard games like WoW and Diablo III or StarCraft II also play League of Legends; therefore, if they use the same email address for Battle.net as League of Legends or the same passwords, those Battle.net accounts may also be at risk.

This is not an announcement that Blizzard itself has been hacked, mind you. It's simply a precaution based on the habits of players of many games to use the same passwords and login information for multiple accounts. If you're not a League of Legends player in the affected EU regions, there's no way for this to affect you.

The full announcement is after the break.


Filed under: Blizzard, News items, Account Security

You cannot get hacked by playing public games in Diablo 3

After years of keyloggers and trojans from unsafe browsing, unsecured computers, or just plain bad luck, WoW players should be pretty used to the concept of a compromised account and how said compromises happen. Unfortunately, Diablo III players don't appear to be as familiar with them, which has resulted in some pretty maddening discourse on the official forums and across the internet.

Just like WoW accounts, Diablo III accounts are worth real money. Blizzard has had experience dealing with compromised accounts for years. This is why it introduced the Battle.net Authenticator, a second level of security that makes it very, very difficult to get your account compromised. Authenticators don't make it impossible to get your account compromised, but they do make compromising your account much more trouble than it's worth in the face of mass keylogging, which is how accounts are normally stolen.

Some people who haven't had a WoW account before but bought Diablo III were undoubtedly surprised when their accounts were compromised, which is understandable. An editor at Eurogamer had his account hacked and responded with an article suggesting that players were getting their sessions hijacked by joining public games and that people were getting compromised with this method even with authenticators attached to their account. Unfortunately, sites all over the internet picked up the story and also reported the session hijacks and bypassed authenticators as fact.

The problem is that neither of those things was correct. In fact, Blizzard says it's actually impossible to do with Diablo III due to the way the infrastructure is set up.


Filed under: Blizzard, Account Security, Diablo 3

Opt-out option incoming for recent authenticator security change

If you follow WoW account security, then you've probably heard about (or personally encountered) a recent change to the way Battle.net authenticator devices work. Basically, when you log into the game, the client attempts to determine if you're logging in from your "home" computer or at least a computer you use regularly. It uses several factors to make this determination, such as your MAC address and your IP address. If the information doesn't indicate that the login is taking place from a safe machine, it'll prompt you for your authenticator code. If it is a safe computer, then you'll only be asked for your code randomly, once a week or so.

The change, intended to make authenticators less of a hassle for those who log on from the same computer quite a bit, caused an odd uproar on the official forums from players who were worried that this change somehow made their account less secure. Addressing these concerns, Blizzard Community Manager Zarhym announced today that Blizzard is working on providing an opt-out option for this convenience feature.

Details were scarce since, as Zarhym noted, Blizzard hasn't quite nailed down specifics yet, but he assured players that it's something Blizzard's been looking into since the authenticator change was first announced.

The full announcement post and followups are after the break.


Filed under: News items, Account Security

Battle.net Mobile Authenticator now available for Windows 7 Phones

Android and iOS device users have had the luxury of using the Battle.net Mobile Authenticator, a software version of Blizzard's downright necessary keyfob authenticator, on their phones or tablets for a while now. As of today, Windows 7 Phone users can also take advantage of the Mobile Authenticator by downloading it from the Windows Phone Marketplace.

At this point, there's pretty much no reason not to have an authenticator -- they're 6 bucks and free to ship for a physical device and no cost at all for a software version available for every major mobile platform. Just get it!

Battle.net Mobile Authenticator for Windows® Phone 7 Devices
The Battle.net Mobile Authenticator, an application for mobile phones that provides an extra layer of account security, is now available as a free download for Windows® Phone 7 devices on the Windows Phone Marketplace. The Battle.net Mobile Authenticator provides a one-time password that you use in addition to your regular account name and password when you log in to a Battle.net account to play World of Warcraft or StarCraft II.
Versions for other mobile devices are also available for download here, or you can purchase a physical Battle.net Authenticator from the online Blizzard Store. Visit the Battle.net Mobile Authenticator FAQ for more information, or head to the setup page to get started after you've downloaded the application.
For additional account security advice, check out our Account Security page.


Battle.net authenticator process updated with smarter log-in detection

A substantial update to the Battle.net authentication system was announced today. Players will soon notice a change to their authenticator log on -- it just might not appear. Blizzard's login servers and authentication system now intelligently track where your account is logging into the game from and, if you're consistently logging in on your home computer, the authentication servers will let you pass, no code needed.

Blizzard wants to make the authentication process less intrusive and this is a first step towards that goal. Right now, having to input a code each and every log in is a pain, sure, but it also makes me feel secure. I'm never going to say no to more security, however, and if the system is something that can accurately figure out where I am and let me on, that's great.

This doesn't take into consideration the circumstance where you use an authenticator to prevent access to WoW, even from the home PC. I know some parents who use a simple password that their kids can remember but use the authenticator as the gate to prevent unwanted play. Maybe there will be an opt-out feature of some kind to always ask for the code.

You can check out the Battle.net account security page or check out the Blizzard mobile site for application information. For more information on this specific change to the authenticator system, follow me after the break.


Filed under: Blizzard, Account Security
