How am I just now noticing that D3 password isn't case sensitive?

[Treesh]

Glancing through the whining and crying posts about being hacked, something caught my eye. One of the posters said that password isn't case sensitive for D3. I simply couldn't believe that was the case so I tried it. Sure enough, it's not case sensitive. I swear it was in WoW though, unless I just never bothered to check. =) Of course, even on battlenet and resetting the password, it doesn't specifically say it's case sensitive either. I guess I'm just so used to passwords being case sensitive I just assumed it was for bnet too.

[Mavfin]

Glancing through the whining and crying posts about being hacked, something caught my eye. One of the posters said that password isn't case sensitive for D3. I simply couldn't believe that was the case so I tried it. Sure enough, it's not case sensitive. I swear it was in WoW though, unless I just never bothered to check. =) Of course, even on battlenet and resetting the password, it doesn't specifically say it's case sensitive either. I guess I'm just so used to passwords being case sensitive I just assumed it was for bnet too.

Never has been for bnet. WoW was, pre-b.net accounts, but not since b.net merge.

The posters talking about it were basically looking for someone to blame for hacks again. Passwords aren't being brute-forced anyway, just stolen the same way WoW passwords have been stolen for 5+ years.

[Treesh]

Never has been for bnet. WoW was, pre-b.net accounts, but not since b.net merge.

Aha! I thought WoW was and I think I played more before the merge than after. At least that part of my memory wasn't completely wrong. =)

And really, I'm not concerned about it. I didn't get hacked in WoW; I doubt I'll get hacked in D3. Never did anything stupid either and don't plan on doing anything stupid (with regards to account security anyway ) in the future. It was just one of those "Wait, what? Has it always been that way?" deals.

[Archon_Wing]

While it definitely may be a bunch of people getting phished, I can't really say I have too much faith in Blizzard keeping the servers secure from bad experiences in d2 and the servers for d3 feel pretty shoddy atm. And as usual support has their head in the sand, so my faith isn't very high.

The thing that increases my suscpions is while this is a common event, there seem to be fairly widespread, and I know a few of my friends have been affected and they're generally not hack users or click on random email links.

Regardless of whose fault it is, I am temporary not using the auction house. I feel that the market soon may be flooded with items obtained by ill-gotten means and I'd rather not buy anything like that.

[Mavfin]

The authentication system used to log into D3 is the same one that's been used for WoW and SC2 for the past 5+ years, so people are getting hacked for the same reasons, and by the same methods, that they've been being hacked all that time. Blizzard can't save everyone from themselves.

I believe that there's just a bunch of new to B.net people that bought D3, didn't have authenticators, and weren't as careful as they thought they were, and the hackers had a field day. Of course, I would figure the hackers can read calendars, too, so they've been gathering data for a while, then hit a bunch all at once, too.

My anecdotal data in support of this is that generally the WoW and ex-WoW players who bought D3 have not been having any hacking issues, because they're already either very careful, or have authenticators, or both. You can give that as much or as little weight as you want.

Or, you can believe all the people on the official forums who are looking for someone to blame, of course, if you have an axe to grind with Blizzard.

[Archon_Wing]

And my ancedote has people getting hacked with it. Who knows. I've never been hacked before in any game or any account, but I'll buy an authenticator so we won't have that excuse anymore if it happens.

[Mavfin]

See, this is why you're seeing things about people being hacked with an authenticator. They get hacked, *then* add one, and then go crying to Blizzard in public, trying to find someone to blame.

http://us.battle.net/d3/en/forum/topic/5235710977#1

http://us.battle.net/d3/en/forum/topic/5235710977#9

In the first one, he claims to have been hacked with one. Blizzard looks it up, and says, um, no, you added it 4 hours after you were compromised.

[NiteFox]

I'm not sure if this is available for US accounts, but there's an additional SMS alert option on my EU account that should send out alerts for when any security options are changed on your account whether or not you made them yourself.

I'm not sure how much help it would be use in an actual case of account hijacking, but at least it's there and enabled on my account the second I noticed it.

[Treesh]

I'm not sure if this is available for US accounts, but there's an additional SMS alert option on my EU account that should send out alerts for when any security options are changed on your account whether or not you made them yourself.

I'm not sure how much help it would be use in an actual case of account hijacking, but at least it's there and enabled on my account the second I noticed it.

It's available for US accounts as well.

[Ruvanal]

I'm not sure if this is available for US accounts, but there's an additional SMS alert option on my EU account that should send out alerts for when any security options are changed on your account whether or not you made them yourself.

I'm not sure how much help it would be use in an actual case of account hijacking, but at least it's there and enabled on my account the second I noticed it.

Yes it is available on accounts here. And unfortunately a lot of players are thinking that this counts as having added some form of security for their account and are reporting that they have been 'hacked' when this will not have helped stop it.

[Mavfin]

Yes it is available on accounts here. And unfortunately a lot of players are thinking that this counts as having added some form of security for their account and are reporting that they have been 'hacked' when this will not have helped stop it.

Yeah, it'll just give notice that someone's already unlocked the barn door.

[Tris]

While I have been hit with viruses a couple of times (thank you file sharing with office and my fault for using the same AV software), never had any of my accounts hacked that I know of. Of course, if somebody really wanted to be me, they could have my student loan debt ;P

[Kylearan]

Hi,

heh, I got hacked too. It probably happened a week or so ago already and I only noticed it yesterday, as I hadn't been playing my first character (a softcore barbarian, level 31, who had just finished normal difficulty) for some time now. But I had noticed a "Recent Player" in my social tab who I had never heard of - I never joined any public games, and only once played together with a friend I personally know. So that "RapHackerZ" dude (Monk lvl 1 called Kis) in the "Recent Players" list must be the one used in transferring the items and gold from my barb. That doesn't mean he's the hacker; maybe they use other hacked accounts for that, too. Curiously, I still have all my gems and two rares, one in my stash, and one in my inventory.

I'm 99% sure malware isn't involved. I use the PC almost only for gaming. Additionally, I work as a malware researcher and know where to look. I can't rule it out completely of course, but I'm pretty sure.

It wasn't a session hijack, either. I didn't get booted out of an ongoing game when the hackers took over, as others have experienced. Instead, it looks like they stripped my character naked while I was *not* logged in. Thus, no session for the hackers to hijack.

I haven't used my battle.net password anywhere else. *However*, the password was a simple variation of a password I use for some forums, most notably in a forum that got hacked two years ago (rootkit.com). So if the hackers use stolen passwords from other sites and try to vary them a bit, this might be the way they got in. This leaves the question of how often Blizzard allows you to try to log into an account - does anyone know? A simple measure would be to lock the account for a couple of minutes after 3 unsuccessful attempts.

It still could be an exploit, as some people like clan_iraq claim. I doubt it, although it's of course a possibility.

Anyway, I didn't care much about my lvl 31 SC barb and his items, I'm glad they didn't got to my HC witch doctor. I have changed the password to a "more" unique, stronger one, but won't use any authenticator. I don't care for my virtual items enough, and I'm kind of curious if I'll get hacked again - because then I'd know some form of exploit is used.

-Kylearan