Tuesday, 25 January 2011


"A chain is only as strong as its weakest link"

Despite having a good battle net password, last week my WoW account was hacked. I first noticed some oddness when I couldn't get in via the mobile armory and had to change my password. The next time I tried to get in, I found my battle net password changed again, and my account locked.

It turns out my battle net account password was good enough, but my email had been compromised and then somehow my secret answer had too, allowing the hackers to reset my battle net password and get access to my WoW account. The email client even usefully told me it had been accessed from other IP locations, after the fact of course. The accesses came from China, and then, a few minutes before I checked, France. Luckily they had not changed the password on my email, so I was able to change it myself and get the account back.

How had they got into my email account? I suspect, from what I've read, they hacked another website which had my email address and a password for the site; my mistake was then to have the same password for my email account. You might assume that a website will not store your password in plain text, but in many cases you would be wrong. The recent hack of the Lush website should set off alarm bells if you are registered with them.

How did they get my secret answer? I think it is because the question asks for a name, which makes guessing the answer easier: hackers can use a "dictionary attack", where they just try a big list of possibilities, in this case a large list of names.

Luckily the Blizzard automated account recovery process is fantastic: I kicked it off at 9am and by midday I had a request for more details so they could change my battle net account. I used their web form to send my passport and the details, and by 4pm my account had been totally restored and working again. I cannot praise Blizzard enough for this; they totally rocked.

Then I added an authenticator to my WoW account.

A number of options to avoid this happening again presented themselves:

  • Have a unique password for all web accounts.
  • Definitely do not reuse your email password on any other account that also holds your email address.
  • Use another password, with numbers etc., as your secret answer.

Ultimately the best answer is to get an authenticator. Then do the above to avoid your email account being hacked and used to spam.
