Account repeatedly hacked: Trying to get to the bottom of this

[david0925]

Hi all, sorry if this is the wrong place to ask, but after looking through all the other forums and stickies, it seems like this is the most relevant place to ask

To keep my story short.

1. One day ago I was hacked the first time. The hacker made numerous attempt to move my battle.net account to a different email. The request was granted: the account was moved off my original email account and most characters were stripped of their gold. Luckily a GM fixed it. I did not have Authenticator at this time

2. I attempted to install authenticator but it did not work well, so I went to bed and decide to put it off. 30 minutes afterward I went to bed, I was hacked again. My account was not moved off to a different email this time, but all characters were stripped again. I went on a different computer to change my email and battle.net passwords. And I got Authenticator to work. Afterwards I requested for a restoration on my account again.

3. I was hacked again this morning, and my authenticator had no notification of login. My account remained on the same email, but characters were stripped again.

Does anyone have any idea of what's going on? Currently, my account has been restored and is locked until I do more scans on my computer, but this is getting frustrating and if I don't know how they are getting access to my account despite having authenticator protection, then it will just keep happening again.

I have already performed scans using the following program, and none of them had positive results
1. Windows Defender
2. Trendmicro anti-virus
3. Malwarebytes
4. Avast

If anyone has any thoughts about how the hacker is still getting my information and how I can prevent it, please let me know. I do plan on doing factory reset on my phone and reformat my laptop as a last resort this weekend if necessary, but I would like to avoid that if possible.

Thanks in advance

[chazus]

So the authenticator is on your phone, correct?

I would ask Blizzard customer support why it was not triggered (specifically, why it didn't trigger from somewhere else, or if it triggered from your location and that is why)

I'd also request that they remove all active/confirmed locations from their database.

[david0925]

So the authenticator is on your phone, correct?

I would ask Blizzard customer support why it was not triggered (specifically, why it didn't trigger from somewhere else, or if it triggered from your location and that is why)

I'd also request that they remove all active/confirmed locations from their database.

Yes the authenticator was installed on my phone. That is also the reason that I wanted to reset my phone just in case, as having authenticator on a compromised device defeats the purpose.

I am planning on contacting blizzard once i get home today and do more research before I request them to unlock my account since the last thing I need is ask for a 5th restoration in 2-3 days.

When you mentioned "I'd also request that they remove all active/confirmed locations from their database.", what does that mean?

make new email only for wow account

I understand the logic behind this, but this wouldn't be useful if my WoW computer is keylogged right? I do thank you for the advice, but I'm trying to see if I can find out what the issue is rather than trying to dodge it without understanding (if possible).

My issue right now is that my E-mail password and B.net password are so different. Even if they have my email password after I reset it somehow, they shouldn't be able to change my B.net password without going through Authenticator, right? That's what I'm trying to figure out.

Thanks to both of you

[Tack980]

When they logged in without the authenticator, their ip was registered as a confirmed location, and they never directly logged off, where they can reload back in without input. Request blizz kill all active locations and set your account to require full access every reconnect attempt

[Blueobelisk]

The only way someone can log into your account without triggering the authenticator request is if it's from a known computer. Which means your computer is compromised.

I would reinstall Windows, personally.

Post a screenshot of the list of programs on your computer.

[Tack980]

The only way someone can log into your account without triggering the authenticator request is if it's from a known computer. Which means your computer is compromised.

I would reinstall Windows, personally.

Post a screenshot of the list of programs on your computer.

Or the hacker's computer is considered a "known computer" . Can be either

[david0925]

When they logged in without the authenticator, their ip was registered as a confirmed location, and they never directly logged off, where they can reload back in without input. Request blizz kill all active locations and set your account to require full access every reconnect attempt

I see what you are saying. I will ask the GM to do that. But shouldn't they get kicked off that location when I changed my password, and they needed to put in the new password? And even if he guesses/knows my password, would that still bypass Authenticator? I'm asking this because after I unchecked "remember me on this computer" on my WoW computer, my own logins triggered Authenticator request as well. I have the option "Enter an authenticator code every time I type my credentials in a game client or the Blizzard Account desktop app" checked in my Battle.net account

The only way someone can log into your account without triggering the authenticator request is if it's from a known computer. Which means your computer is compromised.

I would reinstall Windows, personally.

Post a screenshot of the list of programs on your computer.

I will do so when I get home. Do I just go into task manager and just screenshot the list of processes running?

[Saluna]

If you are unsure if your computer is safe. Reformat it. Clean install.

During that time, call Blizzard and make sure they wipe all "Safe location" (like you can do in Steam)

[Blueobelisk]

When they logged in without the authenticator, their ip was registered as a confirmed location, and they never directly logged off, where they can reload back in without input. Request blizz kill all active locations and set your account to require full access every reconnect attempt

Ahhhh is that really true? You would think that adding the authenticator would make it so that every device that asks to log in to the account has to be authenticated if they've never been before.

I only play Hearthstone now but anytime I log in from a new device, even from my home IP address or if I've used the device before, asks me to authenticate.

[oakley1261]

If he changed the password, and added an authenticator that will auto-wipe the safe locations. The issue here seems that someone may potentially have remote access to your desktop. That would bypass the check as it would indeed be coming from a safe location. There are many trojans out there that would allow people to do so.

If you are going to do a fresh install of windows, you will want to make sure to install a real Antivirus program to keep things clean, and especially before you plug ANY other device into the computer that has been plugged into it previously. (Storage wise, thumb drives and external storage devices)

If you are not using Windows 10, I would strongly suggest it, or at least Windows 8.1 from a security standpoint. For antivirus software, I would suggest Norton at least. Symantec's AV product currently is one of the best out there, tho it does cost money. On the plus side, a lot of ISP's offer Norton for free to customers, like Comcast.

-oak

[Blueobelisk]

I will do so when I get home. Do I just go into task manager and just screenshot the list of processes running?

Well. Yeah I suppose that's fine. Make sure you click a detailed view.

It would be nice to also see a list of installed programs on your computer. (Click the W10 search bar and type "add or remove program" and click the best match.)

-----

This may seem like a stupid question, but did you let anyone use your computer or give anyone your WoW login? Or done something stupid like posted a video of you logging in or anything like that?

It's hard to identify what the problem is based on what you said, but it's a bigger problem if your online passwords are stolen more than it is for some dumb WoW account.

[Deleted]

You can choose an option to always be prompted for an authenticator code in the security options of your blizzard account. That is the first thing you should do.

[Blueobelisk]

The issue here seems that someone may potentially have remote access to your desktop.

Yeah that's why I want to see a list of programs, to see what remote access programs he has installed.

[Logwyn]

Yeah that's why I want to see a list of programs, to see what remote access programs he has installed.

These may need to be show a list of services running and not just programs.

I wonder if they have their password written down on the desk and someone or his dog is logging it..

[david0925]

Well. Yeah I suppose that's fine. Make sure you click a detailed view.

It would be nice to also see a list of installed programs on your computer. (Click the W10 search bar and type "add or remove program" and click the best match.)

-----

This may seem like a stupid question, but did you let anyone use your computer or give anyone your WoW login? Or done something stupid like posted a video of you logging in or anything like that?

It's hard to identify what the problem is based on what you said, but it's a bigger problem if your online passwords are stolen more than it is for some dumb WoW account.

No, I am the only person that has only touched that computer, and I have never given my wow access to another person. I don't do videos so that's not possible either.

-----

Thank you everyone for your suggestions and thesis. It lets me sort out the possibilities .

You can choose an option to always be prompted for an authenticator code in the security options of your blizzard account. That is the first thing you should do.

That is currently checked for my account, and the biggest reason that I found the latest hack to be so frustrating.

[oakley1261]

Well. Yeah I suppose that's fine. Make sure you click a detailed view.

It would be nice to also see a list of installed programs on your computer. (Click the W10 search bar and type "add or remove program" and click the best match.)

-----

This may seem like a stupid question, but did you let anyone use your computer or give anyone your WoW login? Or done something stupid like posted a video of you logging in or anything like that?

It's hard to identify what the problem is based on what you said, but it's a bigger problem if your online passwords are stolen more than it is for some dumb WoW account.

I would suggest more than just an output from Add and remove programs (you can also get there by WIndowsKey+r and running appwiz.cpl) As most malware won't list in the installed program list. A full list of Task Manager items would be more beneficial. You could also try running Malware bytes, and see if it picks up anything as a quick test and possible resolution.

-oak

[Tack980]

Ahhhh is that really true? You would think that adding the authenticator would make it so that every device that asks to log in to the account has to be authenticated if they've never been before.

I only play Hearthstone now but anytime I log in from a new device, even from my home IP address or if I've used the device before, asks me to authenticate.

You would think that, but at least when i first put authenticator on, that was still possible. Not sure about now.

[Vulcanasm]

Hi all, sorry if this is the wrong place to ask, but after looking through all the other forums and stickies, it seems like this is the most relevant place to ask

To keep my story short.

1. One day ago I was hacked the first time. The hacker made numerous attempt to move my battle.net account to a different email. The request was granted: the account was moved off my original email account and most characters were stripped of their gold. Luckily a GM fixed it. I did not have Authenticator at this time

2. I attempted to install authenticator but it did not work well, so I went to bed and decide to put it off. 30 minutes afterward I went to bed, I was hacked again. My account was not moved off to a different email this time, but all characters were stripped again. I went on a different computer to change my email and battle.net passwords. And I got Authenticator to work. Afterwards I requested for a restoration on my account again.

3. I was hacked again this morning, and my authenticator had no notification of login. My account remained on the same email, but characters were stripped again.

Does anyone have any idea of what's going on? Currently, my account has been restored and is locked until I do more scans on my computer, but this is getting frustrating and if I don't know how they are getting access to my account despite having authenticator protection, then it will just keep happening again.

I have already performed scans using the following program, and none of them had positive results
1. Windows Defender
2. Trendmicro anti-virus
3. Malwarebytes
4. Avast

If anyone has any thoughts about how the hacker is still getting my information and how I can prevent it, please let me know. I do plan on doing factory reset on my phone and reformat my laptop as a last resort this weekend if necessary, but I would like to avoid that if possible.

Thanks in advance

This might be a strange question but it's worth asking: are you running any cracked or otherwise non-OEM programs that are Java-based?

[david0925]

This might be a strange question but it's worth asking: are you running any cracked or otherwise non-OEM programs that are Java-based?

not to my knowledge. We will find out when I go home in 2.5 hours and post my processes.

[Vulcanasm]

When they logged in without the authenticator, their ip was registered as a confirmed location, and they never directly logged off, where they can reload back in without input. Request blizz kill all active locations and set your account to require full access every reconnect attempt

I will confirm that this is not only true, but it's happened to me. Someone at Blizzard repeatedly removed my authenticator because of this, even after my account was flagged for what they called the "highest possible security" protocols. All it took was some asshole opening a petition with "lost my phone lol". Literally, "lost my phone lol". The GMs didn't even ask questions.

I didn't even realize that there was an option to kill active locations. Is that a new capability?