Diablo III Accounts Getting Hacked, Gold And Items Going Missing

More troubles are plaguing Diablo III.

A report on Eurogamer relates one incident in which staffer Chris Donlan’s account for playing the hit action RPG was accessed by someone who claimed to have bought it. On the official Diablo III forums, other users are also reporting instances of illicit access and gold theft. Forum posts further claim that the hackers are finding a way around the added security provided by Blizzard’s Mobile Authenticator.


First, the long-awaited hack-and-slash suffered a terribly crippled launch week that left thousands of players unable to play the game they had waited 12 years for. Then Blizzard announced that the game’s ballyhooed real-money auction houses had been indefinitely delayed. If the hacking of user accounts becomes widespread, it’ll be the ugliest setback yet for a game whose always-online connection was supposed to protect players from the worst realities of PC gaming.

Kotaku has reached out to Blizzard for comment and will update this story as needed.

If you’ve run into this kind of thing — or haven’t — chime in in the comments.

  • Good going Blizzard, how’s your DRM treating you now….. So much for not being able to keep your items safe roflmao.

    • Dear Mr Smack,
      An account being hacked is not related to DRM in any way or form.
      DRM – a method used by a publisher in an effort to deter, minimise or eradicate unlawful copying or distribution of their products
      Account Hacking – done by several methods, including phishing, key-logging, actual hacking of servers & various other methods.

      The only method mentioned above that would be the fault of Blizzard would be if their servers had been hacked. Every other method is a result of end-user negligence or misfortune.

      Now, if Bliz had been hacked, the proportion of users having account theft issues would be far higher & Blizzard would have almost certainly sent notifications to its users advising of a password change. As this has not happened, we should conclude that any account theft is being done by other means, ie phishing etc. & is therefore no fault of Blizzard.

      tl;dr This has nothing to do with DRM. Totally unrelated.

          • Dear Richard,
            While I am very much a man of the ‘do not feed the troll’ mentality I am uncertain why you are intent on making every person on Kotaku AU an enemy with your poorly thought out jibes and self-proclaimed ‘trolling’ (by the way, it’s not actually trolling if you admit it yourself – especially when it’s used as an excuse to be poorly insulting with ill-contrived attacks against other members).

            Kotaku AU contains one of the few communities of members where we are friendly, nice, kind, and support each other as gamers. We are an enclave fighting against the ‘entitled gamer’ mentality – one that you seem intent on prolonging with your childish posts.

            So on behalf of the intelligent, considerate, kind members of Kotaku AU, either show some maturity and post like an adult, or stop posting here entirely (and I guarantee you, the latter WILL happen if you keep this up whether you want to or not. We have the report button and the editors monitoring the system for a reason).

            – Pez

      • Sir Shoggoth,
        While rude, Mr. Smack is correct, the DRM (the unconventional method of ‘always online’) is the cause of the account hacking; if the game wasn’t online it couldn’t be hacked in this manner.
        Your account and gold are being stolen and sold to willing buyers.

      • In this case the account hacking is related to the DRM, because anyone with the credentials of the hacked account can play the game for free.

        It is a clear demonstration of the failure of these kinds of measures to do what they claim.

      • DRM forces you to be tied to an online account, if you could play your single player characters offline this would never be an issue for you.

  • No wonder Diablo 3 will be going for $20 on catch of the day at some point…..

    Even at that price I’m still not tempted to get this game with issue after issue. Might wait 6 months for shit to settle.

          • Ohhhh and let’s not forget being told I can’t play a single player game due to server maintenance, yeah that’s awesome as well…

          • It’s Blizzard’s fault for delivering an unstable product that’s prone to these faults.

            Oh I love people white knighting companies.

          • The pirated version is online only as well, but doesn’t use battle.net. From what I can tell, players create an account on the pirates’ site, and then use that account to log into the server they’ve created.

            Though given how quickly this surfaced it probably won’t be long before an offline version is created and this always online DRM will look even dumber than it does now.

    • This looks like a session hijack attack. The server generates your game a session ID when you log in, which is associated with your character, current randomly generated zones etc. If a hacker duplicates your session ID they can basically take control of that session. Most likely they’re joining people’s open games and getting the session off there, waiting for that player to log off then hijacking the session and stripping the character of their loot. This is why the auction house items aren’t touched, as that requires account-level access rather than just access to the session. Either that or they’re simply guessing them. Most likely also the session isn’t destroyed at Blizzard’s end for a while after disconnection, to allow people time to reconnect after a crash or disconnect.

      Session hijacking like this is a really common website attack. I’ve seen many examples (I work in computer security), it’s very common. An authenticator will not protect you against this attack, nor will a strong password, the attack bypasses all authentication. You still should be vigilant with your account details, but if you see your characters being exploited like this, ring or email Blizzard’s customer support ASAP.
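
As an added illustration (not code from the article, its commenters, or Blizzard), the following Python sketch models the session handling the comment above describes: a session ID issued at login, kept alive for a grace window after a disconnect so the player can reconnect, and hardened so that a copied session ID on its own cannot resume the session. The store, the grace constant and the HMAC reconnect proof are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model, not any real game server's protocol. Two defensive
# measures are shown: the post-disconnect grace window is bounded, and
# resuming a dropped session requires a reconnect secret that is handed
# to the client once at login and never appears in normal game traffic.

RECONNECT_GRACE_SECONDS = 120  # assumed: how long a dropped session survives


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can advance time
        self._sessions = {}          # session_id -> record

    def login(self, account_id):
        """Issue a session ID plus a reconnect secret for this login."""
        session_id = secrets.token_hex(16)
        reconnect_secret = secrets.token_bytes(32)
        self._sessions[session_id] = {
            "account": account_id,
            "secret": reconnect_secret,
            "connected": True,
            "dropped_at": None,
        }
        return session_id, reconnect_secret

    def disconnect(self, session_id):
        """Mark the session dropped; it now lives only for the grace window."""
        rec = self._sessions.get(session_id)
        if rec and rec["connected"]:
            rec["connected"] = False
            rec["dropped_at"] = self._clock()

    def _expire(self):
        """Destroy dropped sessions whose grace window has passed."""
        now = self._clock()
        for sid, rec in list(self._sessions.items()):
            if not rec["connected"] and now - rec["dropped_at"] > RECONNECT_GRACE_SECONDS:
                del self._sessions[sid]

    def reconnect(self, session_id, proof):
        """Resume a dropped session. `proof` must be HMAC(secret, session_id);
        a bare session ID, however obtained, is rejected."""
        self._expire()
        rec = self._sessions.get(session_id)
        if rec is None or rec["connected"]:
            return False  # unknown, expired, or still attached to a live connection
        expected = hmac.new(rec["secret"], session_id.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):  # constant-time comparison
            return False
        rec["connected"] = True
        rec["dropped_at"] = None
        return True

    def is_active(self, session_id):
        self._expire()
        rec = self._sessions.get(session_id)
        return rec is not None and rec["connected"]


def client_proof(session_id, reconnect_secret):
    """What the legitimate client computes locally to resume its own session."""
    return hmac.new(reconnect_secret, session_id.encode(), hashlib.sha256).digest()
```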

  • This comments section. Brought to you by Richard Smack Version 2. Twice as Richard as Version 1.

      • This is an awesome game that has a sometimes frustrating layer over the top. 99% of the time it is working. Sitting in this article and hitting F5 so you can spit bile at people like Ynefel below is hardly getting your point across well. There are real concerns to be raised over how Blizzard have handled this, but you’re not going about it the right way.

      • Don’t worry Richard, I believe that it hurts you to attack Blizzard like this. Like a stab in the heart. Or a really nasty rash or something.

        • That said, there are creams for rashes.
          Not so much for heart stabbings.
          But what do I know! I am not a doctor.

          • It’s all good, I’m a witch-doctor.
            I can fix you up with a quick jar-o’-spidahs.

  • A friend of mine gave me a guest pass and I am getting ‘disconnected from server’ messages every few minutes while playing single player… While I loved Diablo2, I can’t see myself buying Diablo3 at all.

  • I don’t see what this has to do with DRM. It’s what happens to WoW, SWTOR, Runescape, every other game that requires an online login. Don’t blame DRM, blame people that either stupidly give their account details away, fall for dupe emails, or are not exercising good practices with regards to antivirus, malware, etc. The greatest security in the world won’t help when someone has your login and password. Use some common sense, people.

    Use the Blizzard Authenticator, which is freely available as an iOS or Android app, and you won’t have these problems.

      • The authenticator app is free. It’s also not Blizzard’s fault if you give your details away or get keylogged. The authenticator is an extra, FREE layer of protection that’s simple to setup.

        • There are reports the authenticator is not keeping people safe from getting hacked ffs…. IMHO Blizzard should get a hammering from this

      • wow, you really are angry about this…

        I would advise a chill pill, walk away from Diablo in general and just move the fuck on, it’ll save you having a stroke in the next few weeks.

          • Yes, delivering your opinion in a concise way to try and make others see your view is of course being a sheep. Whereas swearing and carrying on is clearly a much cooler and better way of doing things.

      • Richard take a chill pill
        1. Swearing and carrying on to prove a point does the opposite
        2. You are allowed to have a different opinion other than yours
        3. Your constant barrage of people defending a game they like is just a bit childish

        You are allowed to be vocal about your opinion, you don’t have to be insulting in the process.

    • ‘It’s what happens to WoW, SWTOR, Runescape’….are these not MMO?
      How can you compare these to a single player game? The cluster fuck that is caused by the constant online connection to play a single player game is the issue here; this includes the theft of their gold and possessions which would not occur if not for Blizzard’s insistence on the aforementioned connection.

          • Just want to let you know I’ve some of your comments.
            Play the ball, not the man.

            Geez. Let’s try to be a little friendly.

        • This guy doesn’t let anyone post their own thoughts, ideas, opinions on anything. Haters gonna hate (everything in this matter).

      • Diablo might be a single player game, but there is a very heavy focus on the 4 player co-op and the item trade market that was there in Diablo 2.

        Regardless of how you might play it (singleplayer or multiplayer), hacking is a very major issue for those that only play it online.

    • Guys, don’t forget there is a report button.
      Richard is entitled to his opinion, but not when it is blatantly insulting others.
      Serrells asks us to use the report button for this reason.

    • Unfortunately the grim reality is that accounts can be hacked with an authenticator, like any online system if someone gives it enough time and motivation any exposed system can be compromised. Unfortunately with the Real Money Auction house there is a lot of motivation to hack into and compromise accounts for actual profit.

      Not to mention they have had a lot of practice with the system since it’s been implemented in WoW and Starcraft II for some time now.

    • Just a quick point on the authenticators, not all of us have a smart phone to download the free app. I could order a physical one from Blizzard, but considering it’s about $30ish to do so with shipping, I think I can live without.

    • Good suggestion! I’m feeling pretty safe with my level 15 Barbarian who has 450 gold in the bank 🙂

  • Authenticators (which I have) are no protection in this case – according to many posts on the Diablo forums at any rate. Will be interesting if and when Blizzard make comment on this issue – it seems to be gaining a lot of traction

    • I wonder if this has to do with the ‘authentication to IP’ so you don’t have to re-enter the authentication code each time you log in unless your IP changes. If that is the case, revert that change so you DO have to enter the authentication code each time.

      • From what I read from others (so no idea on accuracy) it may be an exploit that negates or bypasses the authentication process entirely. Who knows. I do know that if I get hacked and lose stuff that’ll be it for me.

      • I did think that the whole point of an authenticator was neglected when they introduced the IP thing. Sure it was annoying to enter it in every time you log in, but that’s the price you pay for security. Seems a bit strange to implement something then take it away (I know it’s not actually taken away, but the level of security is different)

    • Blizzard reps have stated on the forums that not one single case has been reported where an authenticator was attached to the account at time of compromise, even the instance linked to by this post has been locked with a message stating the authenticator was added after the compromise. They have also stated that the compromises aren’t based on session ID and all reported have been tracked to traditional compromises, namely hackers getting the password.

  • They are also saying rollbacks are expected and the owner of Eurogamer got hacked as well so I doubt this is a small issue roflmao

    • Rollbacks ain’t going to happen. Maybe a restore for those who appear to be legitimately hacked.

      But rolling back the entire server on a game like this is going to cop way more flak than someone getting hacked.

      Oh Jim got hacked so we’re rolling back 10 hours. But in the last 10 hours I got one of the top 5 gear drops for my class will I get to keep it. Nope because Jim got hacked

  • Richard Smack patch notes for v2.0
    – Increased coarse language by 840%
    – Removed social skills
    – Reduced Likeability from 0.3 to 0.01 Fonzies
    – The ‘Spelling’ perk is now optional
    – Lowed ‘Persepective’ trait. Will now react disproportionately irate to every issue
    – Raised self-importance
    – Lowered actual importance

    Please stay tuned for a list of features we’re hoping to implement in Version 3, including the most frequently requested function – a mute button!

  • You know Blizzard does not care at all; the amount of people who have complained, rang up, submitted a ticket via their support services and got nothing except a character with no gear in Nightmare or Hell is beyond a joke. Take one look at the Euro and Aus/NZ forums and you can see for yourself. Not sure about the American forums but we are getting ignored and shat on.

    Anybody who talks about going to the media is banned and their post deleted. Good work Blizzard, I still call you money grubbing arsehats. I still hate you as much as I ever did but I love the Diablo series, go figure.

    • Calling a company money grabbing is kind of a bit rich. I really do wish they would fix their support stuff up, but saying that they are only in it for the money is 100% right. Just like when corporations give money to charities. It’s not a donation, it is an investment. Because they do it people use that business more.

      • “Calling a company money grabbing is kind of a bit rich.”

    • I daresay, given the fact that real money will be involved and they are probably inundated with things to fix/correct after a poor launch they are likely under the pump to fix a whole raft of issues before real monetary value is involved. Anecdotally I know that in WoW friends who had their accounts/guilds hacked and gear stolen had it all replaced, so I am assuming something similar is in place for D3 and they are simply just too swamped to really attend to things properly at the moment.
      That being said I feel for you and it makes me a little nervous about playing right now. They’ve had quite a shaky start.
      I’m not a lawyer, but I imagine they are aiming to have things fixed before the real money auction house, hence the delay. Implications may occur if people’s items (that are worth real coin) are stolen/accounts hacked/etc.

        • Because I need tips on how not to screw it up myself, and those detailed police reports come in handy.

  • To be honest I think this may be a bigger problem than is being reported; one of my friends was hacked last night, a guy who lives in Perth WA, not having crazy high character stats or anything… quite a worry

  • I was keen to read these comments and weigh in – but all I see is Richard Smack making a fool out of himself and it kind of turns me off, normally I love KotakuAU Comments.

    Thanks for ruining that for me Richard.

    It’s like going into a shop to purchase something/check out the goods and seeing a child flailing about on the floor screaming because it didn’t get its way – Avoid like the plague and don’t make eye contact.

    • I had quite a few issues with WoW and getting my account hacked, then got my authenticator and didn’t have any problems since… but after reading this and hearing that authenticators don’t seem to add much protection it’s made me worry about the safety of my 16 monk :'(

    • Err disregard that, I missed the part about how they found a way around the authenticator.

      But if you’ve given Blizzard the permission to text you when suspicious activity is seen on your account (logged in somewhere else etc) couldn’t this be stopped as soon as you have access to an internet connection?

  • Below is a true story that happened to me.

    I logged in Sunday night to find my Level 50 Wizard had no gear, no gold, no inventory, and most of my stash was gone.

    I rang them up on the 1800 number on their website, where they explained to me that it appeared my account was hacked. They recommended that I change my Battle.net password and my email password, and get an authenticator.

    They take a snapshot of your account once every 24 hours, with all the info of your account: characters, gold, inventory, auction house, quest progress. My account was reset to its previous state at the latest snapshot they had.

    When I logged on on Monday morning, I was back to a level 48, but I had all my gems/items/gold back. It was very good customer service. (According to emails it took about 2 hours for them to do, but the guy on the phone said normally it’s quicker, but they’ve been busy.)

    No need to get angry at companies just because they are big. They provided great customer service for my own stupidity of not changing my passwords often enough (I had the same password for 5 years…….)

    • Oh, and they said that because of this, I could not use the RMAH unless I had an authenticator put on my account, which seems like a very reasonable proposition.

  • Classic case of company security > customers security. Blizzard losing points all over the place.

  • Let me explain the authenticator issue. By default, you only have to enter in your code once a week. Knowing your email and password can allow a hacker into your account within that week period, considering the code for that week has already been entered. If you set your authenticator to be asked every time you login, this issue won’t exist, apart from those people that have those more complex keyloggers that get your auth key + time stamp so your authenticator algorithm can be hacked.
    SET YOUR AUTHENTICATOR TO ASK EVERY TIME, and L2be better at security, aka good passwords, no shady sites, and Firefox with NoScript and Adblock Plus.

  • I love that the morons in this thread think it has to do with client side, and spout the same ‘lolzdontgoonpornhaha’ line. I haven’t been hacked, but it’s pretty clear that it IS a problem and that it is NOT based on client side security – there’s an unpatched hole that’s allowing hijacks of session information without authentication.

  • Good to see this problem is gaining a big voice. Blizzard need to see that it’s too big a problem to just blame the people constantly and something is wrong with their security. I am one of the poor bastards who got hacked and had Blizzard just say I must have gone to a dodgy site prior to installation, even though due to my Vista being unable to install Diablo 3 I formatted and went back to a new clean computer on XP just before install; my computer had its regular scan in the middle of the week and the computer was clean and yet I still managed to have my account hacked and be told it was my fault.

    Blizzard royally screwed up on this one. I seem to have been slightly luckier than others as I only lost 1 act and 2 lvls, but in the 50’s that’s a good few hrs, whereas I hear others have lost a couple of days of effort. But to be told if I get hacked 1 or 2 more times I will be permanently banned because of their poor security is just ridiculous..


    • A site you might have registered on previously may have been hacked; there are tonnes of ways hackers can get access to accounts. Blizzard have advised that no one with an activator has been hacked in Diablo 3 yet and there is no suspicious activity to indicate some kind of exploit. Diablo 3’s auction house makes it a prime target, however it’s your own fault that you were hacked. Change your password to something not used on other sites (password generator maybe?) and attach an activator to your account. You also don’t get banned from 1-2 hacking attempts, you will then need an authenticator to use their auction house again. It’s suffering to people being hacked because of their own fault; it would be different if there was a security exploit, which there isn’t. Check the forum, one of the Blizzard members has also called out people who said they had an authenticator but lied, 100% users’ fault.

  • Ok so this means that those that play the single player aspect of it are now susceptible to hackers….whereas if they did not have to have a constant net connection, they would not be susceptible to it.

    Diablo was always a single player game with a fantastic multiplayer component (D2 I mean). Why fix something if it was not broken in the first place. I just do not understand how people are still defending this very bad game. I just do not see how.

    I would hate to see anyone at Blizz join the unemployment line. So I hope they fix the bugs and do something about the game soon. But really, poor form is still poor form at the end of the day.


    • It’s not a bad game, it’s just wrapped in a turd at the moment, hopefully they will clean the turd off in the future and we can all be happy.

  • People also need to take notice that for whatever reason Blizzard has NOT enabled case sensitive passwords. So if your password was something not too hard but with capitals to make it difficult then perhaps now is a good time to change them to something totally random and long. Like caketunawheeldog 😉

  • I’m not going to sound off with an ‘I’ll never again buy a game with an online requirement’ but this game has shifted my attitude from ambivalent to wary. It’s hard not to feel hard done by with this game. It is an excellent game but they have again given legitimate users a kick in the teeth in the name of ‘fighting the pirates’. I’m genuinely wearied by the ongoing rhetoric about pirates and piracy when it is subsequently used to make life more difficult for consumers. I think I’ll go play Portal 2 – Long live Valve

  • Frankly, the news on Diablo III over the past near-week has served as an excellent warning not only to potential players, but also to other companies.

    Having said that, NO company can protect against user stupidity – like giving account details to non-Blizzard websites, for instance.

    I have not been able to have a proper play session, and news like this doesn’t inspire me – nor does the lack of skills available in-game.

    It’s very pretty though, isn’t it? 🙂

  • Just got hacked as well, logged off at 12pm after doing some whimsy runs, log back on at 1pm, snap.. Everything’s gone.

    Sux2bme, can’t do shit about it….. the quiet victim in the corner.

  • Blizzard have said no breach was made and all the hacking was due to client error. They also advised that none of the hacked members had an authenticator. If you’ve been hacked it’s your own fault. However if you have get in contact with Blizzard to roll back your character.

  • I’ll never buy another Blizzard game. I don’t need to play this outdated junk, Borderlands 2 will be out soon enough.

  • I had a lot of gold and some very nice equipment. I got an email from Blizzard this morning indicating my account was locked due to suspicious activity. I didn’t trust the email at first so to double check I tried logging into my Battle.net account and sure enough my password didn’t work so I followed the instructions in the email to reset my password and am able to log in now only to find all my gold and all my equipment was gone with the exception of a dexterity ring. The wait time to talk to Blizzard support is over an hour. I’m hoping they’ll be able to roll back to get all my missing stuff.

