Finally it happened – my account in World of Warcraft got hacked. It was the usual stuff; gold missing, items missing, characters parked elsewhere and even a new level 1 Warrior created with a nonsense name (probably used for selling gold).
I’ve had a World of Warcraft account since I started playing in 2005, when the game was released in Europe, and I’ve never been hacked before. Sure, I read a few forum posts about the authenticator but always figured that if I was careful, I would never be hacked. I had AVG installed, scanned regularly, never visited any ominous web sites and never clicked links in questionable e-mails. I wasn’t always subscribing, but when I was (usually for several months after an expansion was released), I never had any problems and trusted my ability to avoid all attempts at keylogging. I didn’t use an authenticator and was confident I would never have to.
And then I got hacked anyway.
After having contacted a GM and replaced my passwords, I started reading various forum threads about other people being hacked. It dawned upon me that the hackers don’t even need keyloggers. I could be clean as a whistle (as described above) and still get hacked. I’m pretty sure I was; I scanned with both AVG 2011 and Spybot and they didn’t find anything at all.
Here are three interesting posts I found in an official US forum thread:
I had my account since the game released, something like 6 years, and was finally hacked this last June. Took them less than a day to strip the account and get it banned for gold selling activities. I did get everything back, but it took days to sort out the changes and mess made to the toons, my keybars and bank vault. The hackers even redid my keybinds and stole from the guildbank.
So far as I can tell the hack occurred through an update to Adobe Flash with a security loophole that they hadn’t yet released a patch for. Ironically the OLD UNupdated version didn’t have the vulnerability. They apparently accessed my system while VIEWING web pages on the fansite thottbot.com since that’s the only WoW related site I’d visited in over a year.
They were able to disable my updated virus protection and hack my web browser to get my e-mail passwords. From there it was simple to steal the WoW account because of the new battlenet log-ins that use an e-mail in lieu of a separate log in name.
-- Blackflower
You can get your account “hacked” without ever getting keylogged. I was meticulous for 6 years, never visited strange sites, only used links I’d saved in my favorites for official Blizzard sites, it doesn’t matter. There are ways they still compromise accounts. They can use Flash banner ads if you have Flash allowed in your browser, they also have random password generators they use and other processes of breaking into accounts.
You can’t really avoid getting hacked just by being careful. I used to think people who got hacked were just irresponsible too, then I got hacked myself. I’ve never gotten a single phishing email in my entire 6 years of playing WoW, I’d never even searched the internet or used it to visit sites on the computer I used to play WoW on. I still got hacked. It’s just a matter of random chance it seems.
-- Elrith
And the third:
It took them six years of Everquest one, then five years of this game, but they finally got me.
I took every precaution, did everything right, never even let anyone else use my computer (let alone my account), used Firefox with NoScript, locked everything up tight, went nowhere naughty in the first place, only let the scripts run on “friendly” sites which absolutely had to in order to display the site at all (wowhead, etc), did not use a similar login or password for any other site…
Only played in Linux since patch 2.0 or something.
Logged on Monday naked in the Hinterlands, with my gear and 10 K gold missing.
I checked everything afterwards, with every scanner possible and found nothing.
-- Kybeorie
This actually scared me. It felt almost like having my own home robbed. I thought I was being so careful – how arrogant of me. I’m not taking any chances with this anymore. I’ve just ordered an authenticator to be delivered one of these days. I should have done this a long time ago.
UPDATE, February 13, 2011: I found a nice post on Psychochild’s Blog that you may want to read as well, in case you’ve been hacked like I was. Oh, and I received the authenticator about two weeks after I ordered it (I live in Denmark in case you’re wondering).