Proof That Public Accounts Can Be Hacked : Diablo 3 General Discussions

This is pretty big. Cinema blend did a big story on how you can spoof session ids to hack accounts. Its what many people thought and all you do is join a game and open up a trade for the best bet. Then you can look at the session ids and spoof someones session which will boot them from the game and put you in control of that account. Then just mule the items to your other accounts.

I think people should just get the authenticator...you will never have to worry about your account getting hacked...unless they have your cellphone or authenticator lol.

WEll it shows that doesnt matter. Thats the problem. Because the authenticator stops people from logging into your account. The article says that your account is not technically being logged into it. They are just tricking the server to think that its someone elses account logged in because of how session ids work. Thats the scary part, now this might prove to be false, but it seems pretty believable.

Here is a story they posted on a staff member getting his account hacked.

it happened to me they cleaned me out blizzard didnt question anything on the roll back surpisingly i had just sold all my gold so i got to double my money in a sense they helped me out in other words at 4 am when i woke up i shaat all over myself first time in my life of gaming i got hacked i dont add any friends to my list and i block all communications with people when im done playing with them lol

The session ID gives you access to the character they played with and all your gold (because gold is shared). I know its possible to execute something like this but the question is retroactively fitting people with all their gold is fine but the problem is does this use up one of your two strikes against RLAH?

ie. I understand that once you get compromised twice you are disabled from accessing the real life auction house.

There is an alternative theory. However either is plausible. Most of the people who have been hacked, in fact all that I know of, had pre-purchased WoW's 1 year sub, to get the free copy of D3. Those are the only ones I have heard of getting hacked. Which implies that when Blizzard was DDOSed, and their Database hacked, that Blizzard lost passwords to upgraded accounts. AFAIK those are the only accounts which have been hacked. Of the 8 accounts we are farming gold on, that was the only account which was hacked as well.

So, if you bought the 1 year of service and got the Free D3 attached to your account - change your password.

I do agree with the article, Blizzard will downplay anything, in order to keep their money flowing.

Yea thats another big idea too. However if that was the case wouldnt authenticators top that? The big thing is how a respected game writer had an authenticator and got his account hacked, which gives more validity that authenticators arent stopping whatever is going on.