Diablo III Accounts Getting Hacked, Gold And Items Going Missing

More troubles are plaguing Diablo III.

A report on Eurogamer relates one incident in which staffer Chris Donlan's account for the hit action RPG was accessed by someone who claimed to have bought it. On the official Diablo III forums, other users are also reporting instances of illicit access and gold theft. According to forum posts, the hackers are apparently also finding a way around the added security provided by Blizzard's Mobile Authenticator.

First, the long-awaited hack-and-slash suffered a terribly crippled launch week that left thousands of players unable to play the game they had waited 12 years for. Then Blizzard announced that the game's ballyhooed real-money auction houses had been indefinitely delayed. If the hacking of user accounts becomes widespread, it'll be the ugliest setback yet for a game whose always-online connection was supposed to protect players from the worst realities of PC gaming.

Kotaku has reached out to Blizzard for comment and will update this story as needed.

If you've run into this kind of thing — or haven't — chime in in the comments.

Diablo 3 accounts hacked, gold and items stolen [Eurogamer]


Comments

    Good going Blizzard, how's your DRM treating you now..... So much for not being able to keep your items safe roflmao.

      Dear Mr Smack,
      An account being hacked is not related to DRM in any way or form.
      DRM - a method used by a publisher in an effort to deter, minimise or eradicate unlawful copying or distribution of their products
      Account Hacking - done by several methods, including phishing, key-logging, actual hacking of servers & various other methods.

      The only method mentioned above that would be the fault of Blizzard would be if their servers had been hacked. Every other method is a result of end-user negligence or misfortune.

      Now, if Bliz had been hacked, the proportion of users having account theft issues would be far higher & Blizzard would have almost certainly sent notifications to its users advising of a password change. As this has not happened, we should conclude that any account theft is being done by other means, i.e. phishing etc., & is therefore no fault of Blizzard.

      tl;dr This has nothing to do with DRM. Totally unrelated.

        Oh & PS : I've reported your stupidly offensive comments below.

          This comment has been reported for inappropriate content and is awaiting review.

            This comment has been reported for inappropriate content and is awaiting review.

              Dear Richard,
              While I am very much a man of the 'do not feed the troll' mentality I am uncertain why you are intent on making every person on Kotaku AU an enemy with your poorly thought out jibes and self-proclaimed 'trolling' (by the way, it's not actually trolling if you admit it yourself - especially when it's used as an excuse to be poorly insulting with ill-contrived attacks against other members).

              Kotaku AU contains one of the few communities of members where we are friendly, nice, kind, and support each other as gamers. We are an enclave fighting against the 'entitled gamer' mentality - one that you seem intent on prolonging with your childish posts.

              So on behalf of the intelligent, considerate, kind members of Kotaku AU, either show some maturity and post like an adult, or stop posting here entirely (and I guarantee you, the latter WILL happen if you keep this up whether you want to or not. We have the report button and the editors monitoring the system for a reason).

              Regards,
              - Pez

        People seem to forget that DRM stands for Digital Rights Management.

        Sir Shoggoth,
        While rude, Mr. Smack is correct: the DRM (the unconventional method of 'always online') is the cause of the account hacking. If the game wasn't online it couldn't be hacked in this manner.
        Your account and gold are being stolen and sold to willing buyers.

        In this case the account hacking is related to the DRM, because anyone with the credentials of the hacked account can play the game for free.

        It is a clear demonstration of the failure of these kinds of measures to do what they claim.

        DRM forces you to be tied to an online account, if you could play your single player characters offline this would never be an issue for you.

      Good to see someone understands what DRM is... /sarcasm

    No wonder Diablo 3 will be going for $20 on catch of the day at some point.....

    Even at that price I'm still not tempted to get this game with issue after issue. Might wait 6 months for shit to settle.

      This comment has been reported for inappropriate content and is awaiting review.

        Why? Is it because you can't pirate it?

          This comment has been reported for inappropriate content and is awaiting review.

            Ohhhh and let's not forget being told I can't play a single player game due to server maintenance, yeah that's awesome as well...

            I'm in the same boat. Hardcore is nearly impossible with this lag.

              Get better internet? Don't blame Blizzard.

                It's Blizzard's fault for delivering an unstable product that's prone to these faults.

                Oh I love people white knighting companies.

          Actually a pirated version of the game has already surfaced.

            This comment has been reported for inappropriate content and is awaiting review.

              The pirated version is online only as well, but doesn't use battle.net. From what I can tell, players create an account on the pirates site, and then use that account to log into the server they've created.

              Though given how quickly this surfaced it probably won't be long before an offline version is created and this always online DRM will look even dumber than it does now.

    Getting an authenticator app on your phone is the best way to prevent this.

      This comment has been reported for inappropriate content and is awaiting review.

        Are you on crack? DRM has nothing to do with hacking accounts...

          This comment has been reported for inappropriate content and is awaiting review.

            I like fructose.

              Isn't that a type of shampoo?

                In some shampoos but it's fruit sugar really...
                also the LAG sucks, I don't want to think about how hard the higher levels are going to be (and I'm playing single player)
                not happy JAN.

      This looks like a session hijack attack. The server generates your game a session ID when you log in, which is associated with your character, current randomly generated zones etc. If a hacker duplicates your session ID they can basically take control of that session. Most likely they're joining people's open games and getting the session off there, waiting for that player to log off then hijacking the session and stripping the character of their loot. This is why the auction house items aren't touched, as that requires account-level access rather than just access to the session. Either that or they're simply guessing them. Most likely also the session isn't destroyed at Blizzard's end for a while after disconnection, to allow people time to reconnect after a crash or disconnect.

      Session hijacking like this is a really common website attack. I've seen many examples (I work in computer security), it's very common. An authenticator will not protect you against this attack, nor will a strong password, the attack bypasses all authentication. You still should be vigilant with your account details, but if you see your characters being exploited like this, ring or email Blizzard's customer support ASAP.

      As of now, Diablo III doesn't even ask you to authenticate at any given time.
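
Added example, not part of the original thread and not Blizzard's code: a minimal server-side session table that closes the gaps the session-hijack comment above speculates about (a session ID that other players can observe or guess, and a session kept alive after disconnect). `SessionStore`, the 120-second grace window, and the split between a public session ID and a private resume secret are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

RECONNECT_GRACE_SECONDS = 120  # assumed value, not a figure from the page


class SessionStore:
    """Hypothetical game-server session table (all names are illustrative)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).digest()

    def login(self, account):
        # Public ID: may be visible to other players who join the game.
        session_id = secrets.token_urlsafe(16)
        # Resume secret: returned only to the client that just authenticated.
        resume_secret = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"account": account, "disconnected_at": None,
                                      "secret": self._digest(resume_secret)}
        return session_id, resume_secret

    def disconnect(self, session_id):
        # Unclean drop: keep the session, but start the grace timer.
        record = self._sessions.get(session_id)
        if record is not None:
            record["disconnected_at"] = self._clock()

    def logout(self, session_id):
        self._sessions.pop(session_id, None)  # clean logout destroys state now

    def resume(self, session_id, resume_secret):
        """Return (account, new_secret) on success, None on any failure."""
        record = self._sessions.get(session_id)
        if record is None or record["disconnected_at"] is None:
            return None  # unknown, logged out, or owner still connected
        if self._clock() - record["disconnected_at"] > RECONNECT_GRACE_SECONDS:
            del self._sessions[session_id]  # grace window is over
            return None
        if not hmac.compare_digest(record["secret"], self._digest(resume_secret)):
            return None  # knowing the session ID alone is not enough
        new_secret = secrets.token_urlsafe(32)  # rotate: the old secret is dead
        record["secret"] = self._digest(new_secret)
        record["disconnected_at"] = None
        return record["account"], new_secret


def demo():
    now = [0.0]  # constructed fake clock so the run is deterministic
    store = SessionStore(clock=lambda: now[0])
    sid, secret = store.login("player1")
    results = {"while_connected": store.resume(sid, secret)}
    store.disconnect(sid)
    results["id_only"] = store.resume(sid, "guessed-value")
    resumed = store.resume(sid, secret)
    results["owner"] = resumed[0] if resumed else None
    store.disconnect(sid)
    results["replayed_secret"] = store.resume(sid, secret)
    now[0] += RECONNECT_GRACE_SECONDS + 1
    results["after_grace"] = store.resume(sid, resumed[1])
    sid2, secret2 = store.login("player2")
    store.logout(sid2)
    results["after_logout"] = store.resume(sid2, secret2)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the owner's first resume inside the grace window succeeds; every other attempt in `demo()` returns `None`.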

    This comments section. Brought to you by Richard Smack Version 2. Twice as Richard as Version 1.

      This comment has been deemed inappropriate and has been deleted.

        This is an awesome game that has a sometimes frustrating layer over the top. 99% of the time it is working. Sitting in this article and hitting F5 so you can spit bile at people like Ynefel below is hardly getting your point across well. There are real concerns to be raised over how Blizzard have handled this, but you're not going about it the right way.

        Don't worry Richard, I believe that it hurts you to attack Blizzard like this. Like a stab in the heart. Or a really nasty rash or something.

          That said, there are creams for rashes.
          Not so much for heart stabbings.
          But what do I know! I am not a doctor.

            It's all good, I'm a witch-doctor.
            I can fix you up with a quick jar-o'-spidahs.

    A friend of mine gave me a guest pass and I am getting 'disconnected from server' messages every few minutes while playing single player... While I loved Diablo2, I can't see myself buying Diablo3 at all.

    I don't see what this has to do with DRM. It's what happens to WoW, SWTOR, Runescape, every other game that requires an online login. Don't blame DRM, blame people that either stupidly give their account details away, fall for dupe emails, or are not exercising good practices with regards to antivirus, malware, etc. The greatest security in the world won't help when someone has your login and password. Use some common sense, people.

    Use the Blizzard Authenticator, which is freely available as an iOS or Android app, and you won't have these problems.

      This comment has been deemed inappropriate and has been deleted.

        The authenticator app is free. It's also not Blizzard's fault if you give your details away or get keylogged. The authenticator is an extra, FREE layer of protection that's simple to setup.

          There are reports the authenticator is not keeping people safe from getting hacked ffs.... IMHO Blizzard should get a hammering from this

            Authenticators (which I have) are no protection in this case – according to many posts on the Diablo forums at any rate. Will be interesting if and when Blizzard make comment on this issue – it seems to be gaining a lot of traction

              From a post below :D

        wow, you really are angry about this...

        I would advise a chill pill, walk away from Diablo in general and just move the fuck on, it'll save you having a stroke in the next few weeks.

          This comment has been deemed inappropriate and has been deleted.

            Yes, delivering your opinion in a concise way to try and make others see your view is of course being a sheep. Whereas swearing and carrying on is clearly a much cooler and better way of doing things.

            You're not an intelligent person.

        Richard take a chill pill
        1. Swearing and carrying on to prove a point does the opposite
        2. You are allowed to have a different opinion other than yours
        3. Your constant barrage of people defending a game they like is just a bit childish

        You are allowed to be vocal about your opinion, you don't have to be insulting in the process.

      'It’s what happens to WoW, SWTOR, Runescape'....are these not MMO?
      How can you compare these to a single player game? The cluster fuck that is caused by the constant online connection to play a single player game is the issue here, this includes the theft of their gold and possessions which would not occur if not for Blizzard's insistence on the aforementioned connection.

        This comment has been deemed inappropriate and has been deleted.

          This comment has been deemed inappropriate and has been deleted.

            Just want to let you know I've some of your comments.
            Play the ball, not the man.

            Geez. Let's try to be a little friendly.

              This comment has been deemed inappropriate and has been deleted.

          This guy doesn't let anyone post their own thoughts, ideas, opinions on anything. Haters gonna hate (everything in this matter).

        Diablo might be a single player game, but there is a very heavy focus on the 4 player co-op and the item trade market that was there in Diablo 2.

        regardless of how you might play it (singleplayer or multiplayer) hacking is a very major issue for those that only play it on online.

          Yeah and now it's a major issue for those who had no intention to play it online.

      Guys, don't forget there is a report button.
      Richard is entitled to his opinion, but not when it is blatantly insulting others.
      Serrells asks us to use the report button for this reason.

        Already started on that one bro!! But fair point xD

      Unfortunately the grim reality is that accounts can be hacked with an authenticator, like any online system if someone gives it enough time and motivation any exposed system can be compromised. Unfortunately with the Real Money Auction house there is a lot of motivation to hack into and compromise accounts for actual profit.

      Not to mention they have had a lot of practice with the system since it's been implemented in WoW and Starcraft II for some time now.

        Oops I meant "Accounts with an authenticator can be hacked"

      Just a quick point on the authenticators, not all of us have a smart phone to download the free app. I could order a physical one from Blizzard, but considering it's about $30ish to do so with shipping, I think I can live without.

    Do what I do. Level so slow that hacking my account is pointless :p

      Good suggestion! I'm feeling pretty safe with my level 15 Barbarian who has 450 gold in the bank :)

    Authenticators (which I have) are no protection in this case - according to many posts on the Diablo forums at any rate. Will be interesting if and when Blizzard make comment on this issue - it seems to be gaining a lot of traction

      I wonder if this has to do with the 'authentication to IP' so you don't have to re-enter to authentication code each time you log in unless your IP changes. If that is the case, revert that change so you DO have to enter the authentication code each time.

        From what I read from others (so no idea on accuracy) it may be an exploit that negates or bypasses the authentication process entirely. Who knows. I do know that if I get hacked and lose stuff that'll be it for me.

        I did think that the whole point of an authenticator was neglected when they introduced the IP thing. Sure it was annoying to enter it in every time you log in, but that's the price you pay for security. Seems a bit strange to implement something then take it away (I know it's not actually taken away, but the level of security is different)

      Blizzard reps have stated on the forums that not one single case has been reported where an authenticator was attached to the account at time of compromise, even the instance linked to by this post has been locked with a message stating the authenticator was added after the compromise. They have also stated that the compromises aren't based on session ID and all reported have been tracked to traditional compromises, namely hackers getting the password.

    They are also saying Roll Backs are expected and the owner of Eurogamer got hacked as well so I doubt this is a small issue roflmao

      Rollbacks ain't going to happen. Maybe a restore for those who appear to be legitimately hacked.

      But rolling back the entire server on a game like this is going to cop way more flak than someone getting hacked.

      Oh Jim got hacked so we're rolling back 10 hours. But in the last 10 hours I got one of the top 5 gear drops for my class will I get to keep it. Nope because Jim got hacked

    Richard Smack patch notes for v2.0
    - Increased coarse language by 840%
    - Removed social skills
    - Reduced Likeability from 0.3 to 0.01 Fonzies
    - The 'Spelling' perk is now optional
    - Lowered 'Perspective' trait. Will now react disproportionately irate to every issue
    - Raised self-importance
    - Lowered actual importance

    Please stay tuned for a list of features we're hoping to implement in Version 3, including the most frequently requested function - a mute button!

      I swear to god if Kot AU had a +1 button I'd be clicking it madly right now.

        where is that +1 button

      +1

        Looks like what I said is the truth :D it hurts hey :D. Next time pick a better game guys trololololol

          You're not trolling anyone buddy, you're just making a fool out of yourself, and it's bloody hilarious :D

            ^ This.... I'm struggling not to find this amusing though. There's probably a lot of people on my train thinking I'm a freak because I have a smile that goes from ear to ear.

          Sorry, I can't see what you said there behind the hide comment button.

      I love how you measure likeability in fonzies :D

    You know Blizzard does not care at all. The amount of people who have complained, rang up, submitted a ticket via their support services and got nothing except a character with no gear in a nightmare or hell is beyond a joke. Take one look at the Euro and Aus/NZ forums and you can see for yourself. Not sure about the American forums but we are getting ignored and shat on.

    Anybody who talks about going to the media is banned and their post deleted. Good work Blizzard, I still call you money grubbing arsehats. I still hate you as much as I ever did but I love Diablo series, go figure.

      Calling a company money grabbing is kind of a bit rich. I really did wish they would fix their support stuff up, but saying that they are only in it for the money is 100% right. Just like when corporations give money to charities. It's not a donation, it is an investment. Because they do it people use that business more.

        "Calling a company money grabbing is kind of a bit rich."
        BAD ROCKETMAN
        WHERE IS THE PAUSE BEFORE THE PUN
        WHERE ARE THE SUNGLASSES
        WHERE ARE THE HANDS ON HIPS

          GORRAM IT
          Can I do it now, my sunglasses are on and everything :P

            Quick! Report your post and this whole reply chain! It'll be like it never happened.

      I daresay, given the fact that real money will be involved and they are probably inundated with things to fix/correct after a poor launch they are likely under the pump to fix a whole raft of issues before real monetary value is involved. Anecdotally I know that in WoW friends who had their accounts/guilds hacked and gear stolen had it all replaced, so I am assuming something similar is in place for D3 and they are simply just too swamped to really attend to things properly at the moment.
      That being said I feel for you and it makes me a little nervous about playing right now. They've had quite a shaky start.
      I'm not a lawyer, but I imagine they are aiming to have things fixed before the real money auction house, hence the delay. Implications may occur if people's items (that are worth real coin) are stolen/accounts hacked/etc.

        Wait, if you're not a lawyer... why have you been dealing with all my stalking charges?
        :/

          Because I need tips on how not to screw it up myself, and those detailed police reports come in handy.

    To be honest I think this may be a bigger problem than is being reported; one of my friends was hacked last night, a guy who lives in Perth WA, not having crazy high character stats or anything... quite a worry

    Ppl r getting hacked because of too much porn....

    I was keen to read these comments and weigh in - but all I see is Richard Smack making a fool out of himself and it kind of turns me off, normally I love KotakuAU Comments.

    Thanks for ruining that for me Richard.

    It's like going into a shop to purchase something/check out the goods and seeing a child flailing about on the floor screaming because it didn't get its way - Avoid like the plague and don't make eye contact.

    I bet Chris had 50Tb's of Naked Female keyloggers

    First thing I did was set up my authenticator this morning after reading this on GAF.

      I had quite a few issues with WoW and getting my account hacked, then got my authenticator and didn't have any problems since... but after reading this and hearing that authenticators don't seem to add much protection it's made me worry about the safety of my 16 monk :'(

    And this is why you should be using an Authenticator kids!

      Err disregard that, I missed the part about how they found a way around the authenticator.

      But if you've given Blizzard the permission to text you when suspicious activity is seen on your account (logged in somewhere else etc) couldn't this be stopped as soon as you have access to an internet connection?

    Below is a true story that happened to me.

    I logged in Sunday night to find my Level 50 Wizard had no gear, no gold, no inventory, and most of my stash was gone.

    I rang them up on their 1800 number on their website, which they explained to me that it appeared my account was hacked. They recommended that I change my Battle.net password, and my email password, and get an authenticator.

    They take a snapshot of your account once every 24 hours, with all the info of your account. Characters, Gold, Inventory, Auction House, Quest progress. My account was reset to its previous state at the latest snapshot they had.

    When I logged on in on Monday Morning, I was back to a level 48, but I had all my gems/items/gold back. It was very good customer service. (according to emails it took about 2 hours for them to do, but the guy on the phone said normally it's quicker, but they've been busy)

    No need to get angry at companies just because they are big. They provided great customer service for my own stupidity of not changing my passwords often enough (I had the same password for 5 years.......)

      Oh, and they said that because of this, I could not use the RMAH unless I had an authenticator put on my account, which seems like a very reasonable proposition.

    Classic case of company security > customers security. Blizzard losing points all over the place.

    Let me explain the authenticator issue. By default, you only have to enter in your code once a week. Knowing your email and password can allow a hacker into your account within that week period considering the code for that week has already been entered. If you have your authenticator set to be asked every time you log in, this issue won't exist, apart from those people that have those more complex keyloggers that get your auth key + time stamp so your authenticator algorithm can be hacked.
    SET YOUR AUTHENTICATOR TO ASK EVERY TIME, and L2be better at security, aka good passwords, no shady sites, and Firefox with NoScript and Adblock Plus.

    Update from Blizzard: http://us.battle.net/d3/en/forum/topic/5149619846?page=1

    aka - not our fault

    I love that the morons in this thread think it has to do with client side, and spout the same 'lolzdontgoonpornhaha' line. I haven't been hacked, but it's pretty clear that it IS a problem and that it is NOT based on client side security - there's an unpatched hole that's allowing hijacks of session information without authentication.

    Expect A LOT more of this once the real money Auction House opens...

    WOOT!! hacking account makes me horny
