My World of Warcraft account was hacked last night at 5 minutes to midnight. I know exactly when it happened because I was online.
On Wednesday I raided with my guild as per usual. We called things a bit early and I was grateful; I’d been experiencing, as had most of our raid, pretty miserable latency on and off throughout the night.
I’d also disconnected at least 4 times, 3 of those times during our battle against Onyxia.
Usually I’d log off and eat dinner at the end of raid. But not this time. I got talked into running 10 man Ulduar with some mates, who I’ve blogged about previously. Lathere came along too. We jumped on our old guild’s Vent server to chat while we played.
We proceeded through the instance slowly. I disconnected a few more times, although not as frequently as I had in 25 man Onyxia. I was getting pretty annoyed – I usually have no computer problems whatsoever. I remember saying over Vent “why does this keep happening to me tonight?” and thinking that perhaps I’d left Photoshop and iTunes running in the background while I was in game (which, I’ll admit, is pushing the capabilities of my iMac just a bit too far).
Then, while buffing for our second attempt at Thorim, I disconnected again. I was so frustrated – we weren’t AOEing or doing anything – I was just standing in a hallway.
But this time I couldn’t log back in.
“Invalid User Data”
I triple checked that I had my username right. I tried again. I tried to type my password more slowly, careful not to skip a key.
One of my friends in the raid tells me over Vent “You’re still online on my screen. You might have to wait until the game realises that you have disconnected.”
Then someone else on Vent makes some joke about rage disconnecting and hearthing to Dalaran. I don’t pay much attention.
But that joke must have sparked a memory because someone else replied with “It was weird that the game ported you to Dalaran. I saw you hearth and everything.”
This makes me stop (I’m still trying to figure out if the light indicator on my Caps Lock key is lying to me).
“Wait. You saw me hearth? You saw me cast the spell?”
The penny dropped. Someone had changed my World of Warcraft password (and therefore must have gained access to my Hotmail account) without my permission and had logged into my account with the new password. I couldn’t log in because I didn’t have the new password.
I fired up Battle.net immediately. I don’t remember Battle.net taking so long to load. But at that moment I would have paid a fortune for the whole site to be plain white with some black text. No pictures, no fancy buttons, no nothing. Just a way for me to change my password, and quickly!
I go through the steps (twice, because the first time I got re-routed back to the start at the Secret Question page) while my friends are giving me a blow-by-blow recount of what Cassandri is doing in game.
“Uh you’re standing by the mailbox now.”
I’m thinking about what I might have access to in the guild bank. I’m 99% confident that I wouldn’t have access to the most expensive and valuable items. But that 1% uncertainty is enough to make me repeat over Vent (what felt like 50 times) “Can you get someone to /gkick me?”.
All up it took me about 10 minutes to regain access to my own account and log back in.
They took all my gold. On all my characters on Barthilas. I found Cassandri standing on the Eventide steps with 34g to her name. I found my Rogue (but I only carry about 1k gold on her anyway) not much further away with less than 10g. Oh yeah, and a small fortune in enchanting mats and consumables.
My bank alt, who holds 3 years of sensible auction house buying and selling, was halfway down the road from Stormwind to Goldshire. With 15 silver.
Fortunately, I still had all my gear equipped. I even had my healing and PVP gear in my bags.
I can only think that the thief took the money and ran. Perhaps they traded someone in Dalaran. I’m sure that they met with one of their own people outside Goldshire to trade over my gold. It must be harder for Blizzard to trace items that are traded between players than items that go through the mail system.
I don’t know what, if anything, was taken out of the guild bank.
I do know that I can raid tomorrow night. Even though I haven’t got enough gold to repair my own gear. And I’m grateful. I feel that, compared to other people who have lost control of their account, I was lucky.
Why did this happen to me? I don’t know. But if it happened to me, it can happen to anyone.
I don’t share my account details. I don’t share my email account details. I don’t game at internet cafes or check my email on any computer except my own – the one I’m writing this on right now.
I play on a Mac which is completely free of spyware or viruses. I updated my Hotmail password only a few weeks ago. I updated my World of Warcraft account to a Battle.net account only 1 week ago.
Is it a coincidence that so soon after changing to a Battle.net account my account was compromised? I doubt it. I can’t help but believe that the combination of a Hotmail account and changing to Battle.net made me vulnerable.
I’ve raised a ticket with a GM. I’ve yet to hear a reply.
I’d love to get in contact with a GM and have them tell me “thanks to your report we were able to track down the gold sellers responsible and have permanently banned their IP address and all IP addresses that they have been known to use.” But I think that’s highly unlikely. I expect to be told something along the lines of “Well there’s not much we can do. We can look into your account and restore some of your gold. I suggest you get a new email account.”
If you have a Hotmail account, I implore you not to upgrade to a Battle.net account. I know that Blizzard are pushing the changeover, but I think it’s worth considering setting up an email account elsewhere. I’m not confident that Hotmail is sufficiently secure anymore.
And if you have ever, ever, considered buying gold please don’t! The only way to stop gold sellers is to remove their customer base altogether. As long as there is a “need” they will keep hacking and trading away other players’ hard-earned gold just to turn around and sell it to another player.
As a last step I changed my Hotmail password. For the second time in as many weeks. And in my inbox was a polite notification from Blizzard “Battle.net Account – Password Change Notice”. At 11.49pm. A bit late. I don’t play and read my emails at the same time.
I’d like to see them implement a rule about how quickly you can change your account password and then log in.
If there had been 24 hours’ notice between the password change request and implementation, then I would have seen that email and immediately taken steps to secure my account in time.
Or how about a rule that says you can’t change your password while you are currently logged in? I don’t think that’s unreasonable. Although you could argue that your chances of catching your hacker (assuming that any of them are ever caught) are higher if they operate during your play time.
In situations like this the “Talk to a GM” button isn’t really good enough customer service. I’d like a big shiny red button that says “A player’s account is being hacked right this minute – and I’m watching it happen!” that, when activated, sounds an alarm in the Blizzard offices and gains an immediate reply. If we just had some help we could have caught them in the act!
It pains me to say that the hackers have probably already gotten away with it.
*Update* Got my gold and items back! (Sunday 8 Nov)
*Update* Turns out that all my friends who were on Vent with me when my account was stolen were whispering a steady stream of abuse at the hacker while they pilfered my gold. Best thing I’ve heard all weekend! (Sunday 8 Nov)