After 18 years it finally happened... I was hacked

The security system is a bit more than that. Change in IP, esp a major location change, change in major hardware, etc. Those can also trigger an Authenticator request. That is the point of the system, to keep outsiders off your account.

If someone does not have an Auth on the account, those conditions often trigger an Account Lock instead. To resolve that a person has to change their account password from the new IP location or hardware. Eventually the system learns that “trusted” new info and does not lock the account.

An Auth prevents the lock, but not the security challenge.

Anyway,

sets out coffee, tea, cookies, and bamboo :coffee: :teapot: :cookie: :tanabata_tree:

6 Likes

Even if I did share my login info, without getting any auth requests they still got in.

And even if I wanted to share my account login, when I went to change my password today it asked me for my old password… which I had long forgotten. Even when I went into my Edge settings where it stores passwords, the password it had stored was not even the right one.

The last time I updated my password for possibly the same reason, because I forgot it and I did not have Edge update my password to my new password, the one stored on my browser isn’t even the right one, I had to use the forgot password option and have a code sent to my email address to even change my password.

Cloning my phone, no chance. The only times I leave home these days is to go shopping or out for dinner and the last time I went to work in the office was about a month ago, where my phone never leaves my side.

As for the restore code, if they find it can I have it? I never wrote it down anywhere, why? Because I assumed unless I break my phone completely, I won’t need it and I don’t trust having this kind of info even written anywhere to begin with since I can remove access when I upgrade and reinstate access on my new phone. And worst case, provide all my personal info to Blizzard to have it manually removed, which you said has not happened.

Locks are only good when used properly, Akapally.

If you lock your door, and make up keys and hand them out, they aren’t going to do their job.

The single drawback of a mobile authenticator is it CAN be duplicated. That is intended for YOU in case you get a new device, but if you share that info with anyone it’s the same as if they had the phone in their hand. Either intentionally - or if someone got into your phone and took the information.

14 Likes

The only way that happens, is if the device and location were already known to the system and had been approved by your Auth code before. It would have learned that was a safe location/device and not to challenge it.

Or this, but you would have to give them the serial number and restore code from your app in order for them to install the app on another device and put in your auth info.

7 Likes

Then can we get the old physical keyfobs back?

And as I said, even if I wanted to share my account info, I didn’t even know my own password to do a password reset, I had to do a forgot password option, I didn’t even know my own password to share.

And yet when I did a password reset today it prompted my auth and asked for access, on a known and approved system in a safe location.

Yes, because you did a password change :slight_smile: That is how it is supposed to work! Password changes are a big deal. If you have SMS Protect set up it should have also sent you a text message about the password change.

4 Likes

Yeh I got that for my own password change I did.

But it still makes little sense, if as you are saying the auth will not trigger when I log in from a known location, since I have never logged in anywhere outside of my own home, it should have triggered then.

Just to touch on this: Blizzard didn’t make them, a 3rd party did, and the two agreed to stop making them a number of years ago. There isn’t much one can do besides maybe try finding some of the leftover keyfobs. Even then, they’re not going to last forever.

3 Likes

Technically we should be able to use any keyfob right? Maybe? Does anyone even make them anymore?

1 Like

Continuing with this tangent, an old computer that didn’t have its programs and information wiped is a possibility. A new/old phone situation may be another, but that would only get around having the authenticator, and I assume there would have been email notification for new device/location access.

The old keyfobs are long deprecated.

As I said, this is a HIGHLY unusual situation. Your ticket is in, should be worked before terribly long.

I’m seeing several locations here - two very different ones in your own country - and two different access points outside your country. This is just very odd all the way around.

Just remember, there are reasons we have rules against sharing accounts. Once ANYONE else accesses it - you are then dependent on THEIR security habits.

17 Likes

It makes total sense. You changed your password. Of course it asked. I gave you two security conditions that will cause it to ask for the Auth. I did not give you ALL the conditions that trigger it. They periodically have it ask even if you have not changed anything.

What does your login history for the account say? Do you recognize anything unusual? You can check some of that yourself in Account Mgt.

https://account.battle.net/security#recent-activity

Oooh… yeah that is really unusual, esp with an Auth on it. VPNs could cause that though right? I prob should not ask about hardware info and what Blizz can see.

5 Likes

Just for peace of mind - I’d like you to check something.

On your PC - do you have ANY remote control access software installed? Some popular ones are Anydesk, Teamviewer, Ultraviewer - and there are dozens of others.

Also, if you open up services, make sure nothing is running there that looks like access software.

Ditto for your phone - make sure you have zero remote access software installed.

This may not be applicable at all, but something worthwhile taking 5 min to check.

4 Likes

I know this isn’t necessarily relevant to the main topic, per se. But just for reference’s sake (because let’s be real. People necro the most random threads, or the most random of threads are what turn up in browser searches), there has not been an active line to call in many, many years. So whatever that case is that you’re referencing, that wouldn’t have happened as that person is telling it. No one can just call Blizzard and do anything of the sort, let alone just give X information to hack someone’s account without any verifiable proof of account ownership.

Again, sorry for breaking into the main back and forth, folks, but I did want to hit on that.

OP, good luck to you. If it’s got Orlyia perplexed, this one is a doozy.

9 Likes

I would assume so too, and the last emails prior to this issue I have received from Blizzard are “Amazing Prime” and “Diablo IV” and all my support tickets for item restoration. No emails either telling me about any access requests or logins from unknown locations.

Any chance you can tell me where?

For reference I don’t even have a passport, and as you can see the login locations you should be able to easily piece together this; I log in daily (maybe I shouldn’t admit that) from the same location every day and have been doing so for years.

Today (yesterday for me) I logged in in another country? And then proceeded to login back in my home country on the same day, that makes no sense and is physically impossible.

I know third party sites offer services where they login and do things for you, like using your account to do the mage tower challenges (we all know what happened back in SL), but that would require something to be done, in this case I lost all my gold.

Question though, wondering if you guys can see when the auth requests get pushed through? Is it possible to see when someone logs in from another location if the auth ping happened or not? Like I know if someone logged into my account in China and farmed a mount or KSM for me you would see that, but what actually happens, do you see the person with the auth giving access?

Question really is, can you see how they got in?

For the rest of you assume what you want, I don’t have any real PVP achievements, I get KSM and AOTC every season, I don’t have CE at all and have never cared for it, and I have over 830 account wide mounts, I don’t even have a reason to pay someone to log in and take control of my account.
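The same-day logins from two countries described in the post above are what an "impossible travel" check over login history is meant to flag. The sketch below is an added example, not part of the thread and not Blizzard's code; the coordinates, labels, the 900 km/h ceiling and the 100 km floor are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0   # assumed ceiling, roughly airliner cruise speed
MIN_KM = 100.0    # assumed floor, ignores same-city GeoIP jitter

@dataclass
class Login:
    when: datetime
    label: str
    lat: float
    lon: float

def km_between(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (from, to, km, kmh) for consecutive logins implying speed above max_kmh."""
    ordered = sorted(logins, key=lambda l: l.when)
    hits = []
    for prev, cur in zip(ordered, ordered[1:]):
        km = km_between(prev, cur)
        if km < min_km:
            continue  # same area, nothing to judge
        hours = (cur.when - prev.when).total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            hits.append((prev.label, cur.label, round(km), kmh))
    return hits

# Constructed sample history (not data from the thread).
SAMPLE_LOGINS = [
    Login(datetime(2024, 1, 10, 8, 0), "home", -37.81, 144.96),
    Login(datetime(2024, 1, 10, 11, 0), "abroad", 1.35, 103.82),
    Login(datetime(2024, 1, 10, 13, 0), "home", -37.81, 144.96),
    Login(datetime(2024, 1, 12, 13, 0), "other-city", -31.95, 115.86),
]

if __name__ == "__main__":
    for src, dst, km, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{src} -> {dst}: {km} km at {kmh:.0f} km/h, review this session")
```

A VPN exit node or a GeoIP database error produces the same signal, so a hit is a reason to challenge or review the session, not proof of compromise.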

Only what is installed with Windows.

The only apps on my phone that have any sort of remote capabilities is MS Teams and Zoom, which are only there in case I need them for work, they are not even signed in, and I have Webex that I use with my work account.

I have used Teamviewer in the past to help my dad, but that was on my old PC, maybe 18 months ago since I built the one I am now using.

Either way, even if I did have dodgy software installed, even if I did give out my password, even if I insert excuse here, how is it possible to login without the auth asking for access? This part makes no sense. I can honestly say the last time I logged into a PC that was not mine with my Bnet account was when I had my last account, which was back in vanilla days.

EDIT: Yes, I did go through my phone and my installed programs on my PC to see if anything made its way in without me knowing.

There may be ways to see that - but not at a normal support level, Akapally.

We really can’t get into more access details than I already have - and we don’t normally even share that. Let’s just say, this got passed around a LOT very recently.

What I’d recommend once this gets sorted, wipe out your current authenticator (after removing it) and reinstall a new one. That will provide a totally fresh restore and serial number, effectively being a new authenticator.

14 Likes

In case no one mentioned it yet, you should also check your email security as well, that there is no unusual forwarding set up on your email account.

9 Likes

They don’t send emails about that. You only get an email if the account gets locked for security reasons. Gmail does send emails, but Blizz just sends the Auth request to your device. Password changes do get an email, same with changing the email on the account.

5 Likes

It would be smart for Blizz to do the same thing as Google, providing the IP address and location of the device that’s attempting to log into your account.

2 Likes

I am not against that at all. I like more info when it comes to security vs less.

They do sort of have something like that though. Under account management > security. I viewed mine but it seems to only update new ones? I have “recent logins” as very old logins … now they have not changed so I guess that means it does not update?

https://account.battle.net/security#recent-activity

5 Likes