After 18 years it finally happened... I was hacked

I wasn’t going to respond again, but just wanted to highlight a couple points. The MOMENT a device (especially mobile, like a phone or tablet) connects to the internet, it is vulnerable. These programs/scripts/etc are not intended to be detected. There’s no popup that asks your permission to get onto your device.

Again, is this the attack vector used? Perhaps not. But if it was, and you stubbornly won’t address it, then they will continue to use it.

And if there is a keylogger or something even worse on your computer, you are giving them the new password every time.

That’s why it’s so baffling as to why you wouldn’t take steps to clean your devices. It may not help, but it certainly doesn’t hurt. But your choice is your choice.

For the last time, we all understand the issue. No one is saying this didn’t happen. We are all giving you suggestions to make 100% sure everything is secure on your end.

You are the one ignoring those suggestions. You are the one who isn’t understanding that they have your info, regardless of how they got it. Ok, fine, they got every piece of information directly from Blizzard. Someone hacked in and stole your info. That means they have your info, and you need to take steps to change the info so what they took from Blizzard is now irrelevant.

2 Likes

Something that just occurred to me. Did you perhaps take a screenshot of your restore code and serial number? If so, that screenshot could be made public accidentally if your device uploads photos from your photo library to something like iCloud, Google Drive, or something similar.

I had that happen once where I didn’t realize I changed privacy settings for the photo gallery on my phone, but luckily I caught it before anything happened.

2 Likes

if they did this and loaded the wow account page on the net it might not ping your phone or ask for a login. not sure offhand if the system requires that to get in. but who knows

1 Like

And this is what should have been reasoned out two days ago in this thread and ended the conversation here. Nothing else can be done on our end, nor do the discussions here help anything.

We all need to take what you said into account and let Blizz do what they need to do now without the bickering back and forth between ourselves.

3 Likes

Highly unlikely unless I accidentally went to the wrong website, but I also barely do anything outside YouTube, these forums and some sports websites. Anything I do outside these websites is almost always the same thing on the same sites, not adult related, but I don’t want to divulge my personal life here.

Point is, if one of the sites I frequent has had a problem and that’s what has caused this, it’s a new problem because I cannot recall ever browsing anything here that is dodgy enough to have broken in to my PC.

And on top of that, what are the chances the other person who posted about a breach past the auth has visited same or similar websites? And what are the chances there are not other people in the same boat that have just not posted about this? Only a very minimal number of people who play a game will frequent any sort of forum and even make posts.

I never said I didn’t or don’t clean out my devices, I have my degrees and diplomas in the field of computing, I know what to look for and how to clean out a computer even if my firewall and virus scans don’t pick up anything.

And if there was a keylogger, why just my WoW gold? Why did the other guy have only his gold taken? There is far more at stake than just some gold in an online game, they would have access to my banking details, they would have access to the other guy’s banking details, and it’s been 6 months for them at least with no mention here of anything other than just their gold being taken.

I’ve never said I am ignoring any suggestions, aside from wanting to move this to the CS forum because I know nothing was ever really going to come from that. But so far not even a single person has acknowledged, addressed or even attempted to answer this; If they had a duplicate auth and were able to use that to log in, why was my auth never pinged? How did they manage to ping their auth and not mine?

The only way to log into the game without an auth is to manually type in the details into the game and not the launcher, it allows you to type in the auth code and not get a ping, which should be changed because that’s bad.

Not that I remember doing, I don’t even remember writing down the restore code, and when I reinstalled the auth it did not even give me a restore code, it’s all stored on my account.

So they can log into the game without an auth ping, but the only way to duplicate my auth is to access my account, which first and foremost pings your auth and then gives you an option to type in the code from the auth, you cannot log into someone’s account to duplicate the auth without an auth ping to begin with.

The forgot password option pings your auth, the forgot email address needs an SMS code, the remove authenticator needs an email or SMS code and it has been confirmed my auth was never removed, and the locked Bnet option, that still requires you to log in.

Whilst they can log in without an auth ping, there is no way to duplicate the auth without logging in to the site and THAT gives you an auth ping.

So to recap:

There is no way they could have duplicated my phone and if they did, why only my WoW gold? They took at most $100 AUD of WoW gold they can sell on a third-party website.

They cannot get into my account to duplicate my auth without an auth ping to begin with, and if they did, that’s a problem, as far as I am aware the restore codes are only found on your account, and again I reinstalled my auth and it did not give me any restore codes during the install or when I re-enabled the auth app on my account, you need to click the restore code button on your account.

If they managed to hijack my PC and take personal details, why only my WoW gold? Plus, if they had my details, they STILL cannot get into my account to duplicate my auth without an auth ping.

Even if I am lying through my teeth about all my security and someone hijacked my PC and took my details and even if I did personally provide all my log in details to someone, even if I listed all my details here now, my email, password, even if I posted publicly a photo of my drivers license and told you all right here and now all my personal details about my entire life, the one thing for sure is that that should have happened, the absolute only way to duplicate an auth is to get into an account, and to get into an account that still has the auth attached? Yeh, you need the auth code to begin with.

That’s not correct though. If someone has your serial code and restore code (both can be stored on paper or via a saved screenshot), then anyone with that information can duplicate your code without any warning to you.

They do not need access to your e-mail, phone, computer or anything if they have access to those two codes. They do not require access to your current authenticator either.

If someone has those two codes, they simply create a new authenticator on whatever device they have and it will instantly match the one on your device.

Theoretically, if they did this and also had your login details (email and password) they can 100% access your account without you knowing. They would receive the same authenticator request and could approve themselves and even if it initially showed on your device, it would likely disappear once they approved the login from their device.

I’m not speculating that this is what happened, just making sure people understand that those two codes can absolutely be used to completely bypass your security if they are not kept safe.

11 Likes
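The point made in the post above, as an added example that is not part of the thread: a time-based authenticator's codes depend only on a stored seed and the clock, so any device restored from the same seed produces the same codes, and issuing a new seed makes the old copy stop matching. It assumes a generic RFC 6238 TOTP with 8-digit codes (not confirmed here as Blizzard's actual scheme); the `Authenticator` class and both seeds are hypothetical and constructed.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, digits: int = 8, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: a pure function of seed and time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Authenticator:
    """Hypothetical model of one installed app; its only secret state is the seed."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def codes(self, start: int, windows: int = 3) -> list:
        # Codes for several consecutive 30-second windows.
        return [totp(self._seed, start + 30 * i) for i in range(windows)]


def demo(now: int = 1_700_000_000) -> dict:
    # Constructed seeds, standing in for whatever a restore procedure recovers.
    original_seed = hashlib.sha1(b"constructed seed A").digest()
    replacement_seed = hashlib.sha1(b"constructed seed B").digest()

    owner = Authenticator(original_seed)
    restored_copy = Authenticator(original_seed)  # second device, same seed
    matches_before = owner.codes(now) == restored_copy.codes(now)

    # Owner detaches the authenticator and enrols again: new seed is issued.
    owner = Authenticator(replacement_seed)
    matches_after = owner.codes(now) == restored_copy.codes(now)

    return {
        "clone_matches_before_reset": matches_before,
        "clone_matches_after_reset": matches_after,
    }


if __name__ == "__main__":
    print(demo())
```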

Try to be kind. No one knows what actually happened here. Inquiring minds want to know how the heck someone got past the auth, so I’d like this thread to remain open and the OP not be accused of random things for so long they don’t return. I doubt we’ll ever know, but if there’s anything to be learned from it, I want to know what that is! :nerd_face:

4 Likes

No one is going to post that information nor would the SFAs know about it.

All this thread has turned into is a circular argument where the OP feels they need to defend themselves. Nobully was correct:

They will investigate and do what they can to fix security holes. But we will never be told what those are.

6 Likes

Yes but how do you get those codes to begin with? I have never written them down and when I installed my auth again yesterday it did not give me any codes. Unless I went into my account or app, wrote down the codes or took a screenshot, that’s the only places the codes are.

And who even needs them? If you are changing devices you can log in and press the restore button and get the restore code, and if you lost your auth you can have it removed using an email or SMS code and using an email or SMS code login and get a new one attached.

Up until yesterday I didn’t even know that’s where the codes were, or I forgot, I legit thought when you installed and connected the app it gave you some secret squirrel code that could not be found anywhere else. Only since this attack happened I realised I could find the codes on my account and on the app.

Even with the restore codes, is there a way to link that to an account? I am looking on the app now and I cannot see anything that shows what account that even belongs to. So if the codes leaked they would need the email address of my bnet that it is attached to, then they would need my password.

I did have that popup on my Edge telling me my passwords have been leaked, but looking through the list of sites, last I checked none are for anything important and when I checked today, and clicked the button that tells me what the password that was leaked is, it is a very, very old password, one that only contains letters and numbers, all my passwords for a long time now include a symbol, which most sites now require. And when I press the scan now button on my passwords, it tells me nothing is leaked, maybe because some of my passwords stored in Edge are not even correct.

Assuming the worst, myself and the other guy that was attacked had an old screenshot of our auth restore codes we forgot about, somehow they were leaked and someone managed to link those to the correct email address for Blizzard AND knew our passwords, and only took our WoW gold? The leaked SS, a possibility, I doubt anyone can remember everything over a 5 year period. Linking a leaked photo of an auth to my Gmail? I don’t even think that’s possible, from what I am reading only photos you shared by yourself can be seen outside of your own account and only with people you shared them with. I have 19 albums or photos that have been shared, none of which have any personal details.

But getting my password? One that has been incorrectly listed in my saved passwords on my Edge browser? Getting all three correct at the same time? Hell the last time I used my password was in February when I purchased something from the store, so unless they have an old SS I forgot about, my email that those codes belong to and my password all at the same time?

Highly unlikely.

What they should do is patch up the game to force an auth ping when logging in outside the Bnet app, currently you can type in your password and auth code and never be pinged, and if you check your restore codes on the app what they should not do is tell people to save a screenshot of it or write it down, minimise the chances of anything being leaked because you don’t even need the codes, assuming you still have the same email or phone number you can have your auth removed entirely and just setup a new one, or at worst contact Blizzard, the restore codes are not even needed.

Actually if you think about it, the auth isn’t even needed anymore, they should just use an SMS code in its place, far better than some app.

Just to touch on this: This was a thing when they first came out. This annoyed a lot of folks and the devs allowed folks to set how often and when the program should ask for it.

1 Like

It prompts you to write them down during the installation process. It’s possible that you missed that part.

Anyone who wants to clone their authenticator on multiple devices like a tablet etc.

Those two things are incredibly different. SMS does NOT secure your account.

I’m sorry this happened to you Akapally. It is clear though that you have your own opinions on what you imagine happened despite everything everyone is trying to help you understand.

Best of luck to you.

9 Likes

I can see this isn’t even worth a conversation with you.

we don’t need to know what’s done.

6 Likes

Indeed. :slightly_smiling_face:

I see this is still rollin. I’ll take another stab at the hypothetical guess game.

Maybe you work from home for someone interesting (you are leaking too much info here btw). Maybe you work in the supply chain for some interesting company. Maybe that gets the attention of those who watch for interesting possibilities. Maybe this group that watches uses groups with some side lines in criminal activity to supplement income. Maybe this group of youngish men also play video games. Maybe for the laughs and the side line game work, they sell off your gold for a few duckets because whatever, they are sometimes sloppy with important tasks and the gold and bragging rights are useful for their youthful concerns.

I mean who knows? But if you wanted a maybe scenario in the real world, that one fits. And again, it’s all guesses.

If I were you, after the full resets/lockdowns, and all that stuff taught with the pieces of paper and real world experience, maybe I’d tell my company something interesting happened and maybe they should look at what was done with my access. Maybe I’d tell my company it was sufficiently rare and unusual to raise some concerns. Maybe that is a good next step.

Just sayin…good luck.

1 Like

I may regret jumping in on this, but the mystery is driving me mad. OP, is there any chance at all someone has one of your old computers or other devices? The system asking for an old password made me think of it.

Not attacking or anything, but I wouldn’t rely on your Edge browser for storing your passwords etc, I use a range of Trend Micro software which includes ID security, anti virus, networking and password management which are all easily set up, and a hardware firewall.

I am still stuck on only the gold being missing in both of these strange cases. Were there any strange items in the mailbox? As if someone bought an auction?

I ask, because the Mobile AH can be used to buy things from outside the game. That would be a way to transfer gold off the account without accessing the actual characters. That has happened before, but it was long ago and those folks did not have an Auth on the account. https://arstechnica.com/information-technology/2013/06/world-of-warcraft-mobile-auctions-closed-after-rash-of-account-hijacks/

So my question is, was the App somehow used, and if so does it somehow bypass the Auth in some way or under some circumstances?

I am speculating! This is just so very strange.

7 Likes

We had a guild officer get hacked and our GM and the Officer both put in a ticket.
It’s been years later so I’ll say it, they hooked up the GM and the Officer with a set of what was in the bank each.
So for clarity, we got double back, including the gold. Of course this isn’t what happens normally, but rest assured they’ll take care of you.

only problem unless the op solved how they got access in the first place they will be back.

they often wait for your account to be restored and hit again.

5 Likes