account locked, then hacked without resetting the password

[drtrann]

sooo this is a rather bizarre situation that can't really be explained any other way than that blizzard has a vulnerability in their servers. Now I'm not a doom sayer, I know how authentication systems and servers work and I have a pretty good handle on how blizzard operates, so I can prove that there was no vulnerability on my end and that they were somehow able to access my account AFTER blizz had already locked it, without resetting the password.
to start of, heres the inbox I just logged into
http://imgur.com/MXqozk1
notice how all the transactions take place after my account has been locked. also notice that I never got the email you usually get After you reset your password (pat on the back and how to avoid getting hacked in the future).
now I know your going to say "well then they hacked your email you noob, GASH".. well gmail has this handy feature that tells you who has accessed your email and from where, it also provides a pretty little map off to the side that points to the city you live in.... this is mine
http://imgur.com/LZUyodH
as you can see all those access are mine, none of which took place between the account being locked and the transactions on my account.
the only conclusion is that blizzard has a major flaw in the security (or google does, but i trust google more).
/tinfoil hat boys

edit: for clearification because apparently I didn't make it clear. I doubt someone has direct access to blizzards servers or anything like a mass hack coming, but I believe their is an exploit in the authentication system that allowed someone to login both the battle.net website and my account while my account was locked (and yes I had SMS protect).

[Serissa]

notice how all the transactions take place after my account has been locked.

I always receive these mails 1-2 hours after transaction. Never saw it instantly. And I use gmail also.

[Deleted]

You can use the mobile security feature to bypass lot of security features if it is left blank, it auto confirms any action and has a multitude of liberties with what it can do in itself. They only need to get in once and then i'ts a hassle to get it back.

[drtrann]

I always receive these mails 1-2 hours after transaction. Never saw it instantly. And I use gmail also.

but how were they able to transfer my characters with my account being locked (its still locked BTW).. since i tend to travel a lot, blizz locks my account literally every time I login to the game or website, so why is my account locked, yet they are still able to muck around with it?

[Lefeng]

The transactions (5:15, 5:15, 5:15, and 5:05) were made prior to the times indicated. The chronology on the emails does not indicate the chronology of the actual events, as Serissa says. Here's what I think happened.

1) Some time in the past your password was keylogged or otherwise obtained. Maybe you shared your account password with a friend who then was careless with it.

2) The person with access to your account made three transactions and most likely also had some sort of suspicious activity in-game.

3) Blizzard locked your account when they detected suspicious activity.

4) Blizzard closed your account to prevent the perpetrator from gaining access to the account again.

They didn't need to access your email to get access to your WoW account. Contact Blizzard and explain to them what happened. After jumping through some hoops you should have your account back. When that happens, immediately get an authenticator.

[drtrann]

The transactions (5:15, 5:15, 5:15, and 5:05) were made prior to the times indicated. The chronology on the emails does not indicate the chronology of the actual events, as Serissa says. Here's what I think happened.

1) Some time in the past your password was keylogged or otherwise obtained. Maybe you shared your account password with a friend who then was careless with it.

2) The person with access to your account made three transactions and most likely also had some sort of suspicious activity in-game.

3) Blizzard locked your account when they detected suspicious activity.

4) Blizzard closed your account to prevent the perpetrator from gaining access to the account again.

They didn't need to access your email to get access to your WoW account. Contact Blizzard and explain to them what happened. After jumping through some hoops you should have your account back. When that happens, immediately get an authenticator.

as I mentioned before, because I move a lot, my account is locked EVERY time I login, so my password is never the same for longer than a week. at this point I basically mash fist on my number pad in the windows calculator, then convert the decimal to a hex number, which gives me a 10-20 digit/alphabetic code that I write down only on paper, and I highly doubt my roomate who is in a different country figured it out. (security is not a new thing for me)

the important question is: how are they able to access my account at all? the account is still locked, it it gets locked as soon as you attempt to login, so how the hell did they even get to the transfer screen unless there is a vulnerability that allowed them to bypass the account lock all together. (and yes from AMPLE experience, the account is locked the second you attempt to login on the website or the game, doesn't matter if i've logged in 100x from the same location/computer I need to reset my password EVERY...FUCKING...TIME (part of the reason I don't login much)

[Lefeng]

First, I'm suggesting that the account was locked AFTER the transactions occurred. The emails simply weren't sent to you in chronological order. Further, they didn't need to log in to the game (which probably would have locked the account) to make transactions. They could have been made by intercepting your current password and using it on Battle.net, which would not have locked the account.

I don't know the content of the emails, so I don't know what kind of transactions took place, I'm just suggesting my interpretation of the events as you have reported them. If you're looking for advice, be more forthcoming with details. If you're reporting a vulnerability in Blizzard's security, tell Blizzard and not a fan site. If it is truly a security flaw then it will quickly spread and we'll know more soon. If it was an isolated incident of someone intercepting your login credentials (and I think it was) then just call Blizzard and get your account back. That's all you can do.

You haven't said anything about having an authenticator. Do you have one? I truly am not asking to be an ass, I'm just asking for more details.

[drtrann]

First, I'm suggesting that the account was locked AFTER the transactions occurred. The emails simply weren't sent to you in chronological order. Further, they didn't need to log in to the game (which probably would have locked the account) to make transactions. They could have been made by intercepting your current password and using it on Battle.net, which would not have locked the account.

I don't know the content of the emails, so I don't know what kind of transactions took place, I'm just suggesting my interpretation of the events as you have reported them. If you're looking for advice, be more forthcoming with details. If you're reporting a vulnerability in Blizzard's security, tell Blizzard and not a fan site. If it is truly a security flaw then it will quickly spread and we'll know more soon. If it was an isolated incident of someone intercepting your login credentials (and I think it was) then just call Blizzard and get your account back. That's all you can do.

You haven't said anything about having an authenticator. Do you have one? I truly am not asking to be an ass, I'm just asking for more details.

your missing the part where even if i try and log onto the website it locks me out... every time.. I said it like 5 times in the above post... the account was locked long before any transactions could have taken place and its still locked without every being unlocked == some how they are initiating a transfer while my account is locked, which probably triggered the ban as even if they wanted to they wouldn't be able to access my characters in-game (which i assume was the point as they didnt transfer my characters to a new account).

[Ausr]

It's Blizzard's fault you for getting hacked because of a security hole on their end but not on yours at all? Yeah... I'm more likely to believe you did something wrong with no authenticator than Blizzard having said security problem.

[drtrann]

It's Blizzard's fault you for getting hacked because of a security hole on their end but not on yours at all? Yeah... I'm more likely to believe you did something wrong with no authenticator than Blizzard having said security problem.

according to my friends they were online AFTER my account was locked, even after I got the "your account have been permanently closed" emails arrive. now how does that happen when my account is still locked?

[Taffer]

sooo this is a rather bizarre situation that can't really be explained any other way than that blizzard has a vulnerability in their servers.

Considering you just gave the whole internet your gmail address (hint: it's in the first picture), I'm more inclined to believe you're somehow misinterpreting the situation and the problem is actually somewhere on your side.

[drtrann]

Considering you just gave the whole internet your gmail address (hint: it's in the first picture), I'm more inclined to believe you're somehow misinterpreting the situation and the problem is actually somewhere on your side.

i particularly don't care about the email. i segregate my accounts and it will be switched out the second I get my account back. Gmails are meant to be throwaways. also why i find this particularly alarming. i dont use that email for anything else, and the password is 25 characters long and unique... its not something you can just guess, and the only time its ever used is when I'm resetting the password, which again hints its not something on my end.

[Taffer]

You having a keylogger on your system sounds way more likely to me than Blizzard having a security breach and you being the only person affected by it.

[Xeraxis]

i particularly don't care about the email. i segregate my accounts and it will be switched out the second I get my account back. Gmails are meant to be throwaways. also why i find this particularly alarming. i dont use that email for anything else, and the password is 25 characters long and unique... its not something you can just guess, and the only time its ever used is when I'm resetting the password, which again hints its not something on my end.

If you only use that email for WoW you may want to stop using the local part of the email as your username in nearly every other website, such as but not limited to your photo bucket account which you've even linked in your sig that gives us your full name. You don't know as much about security as you're letting on.

[drtrann]

You having a keylogger on your system sounds way more likely to me than Blizzard having a security breach and you being the only person affected by it.

except that explains nothing. how are they able to login to my account after its been locked? I would be inclined to agree with you except that they are literally doing something that shouldn't be possible, and yet they can.

- - - Updated - - -

If you only use that email for WoW you may want to stop using the local part of the email as your username in nearly every other website, such as but not limited to your photo bucket account which you've even linked in your sig that gives us your full name. You don't know as much about security as you're letting on.

but that email is not linked to that photobucket.. similar user names != the same.. try again sir.

[Xeraxis]

but that email is not linked to that photobucket.. similar user names /= the same.. try again sir.

Did I say it was? No, I stated that the local part is the same as your username. You think it's that hard to assume that if you use blinky57 as a username it may be attached to an email account as well? Once again you don't know nearly as much about security as you seem to be letting on.

[NMX-]

they added sms protect to your account. they bypassed the security lock the game does when there's a change in ip or computer accessing the game account. by using their mobile phone code, they were able to log into your account. they used a 3rd party's stolen debit/credit card to move characters with a lot of gold around. blizzard locks the account down later, either automatically, or by a Game Master manually.

blizzard's servers have not been hacked since august of last year. question is, why dont you have an authenticator and sms protect?

[drtrann]

Did I say it was? No, I stated that the local part is the same as your username. You think it's that hard to assume that if you use blinky57 as a username it may be attached to an email account as well? Once again you don't know nearly as much about security as you seem to be letting on.

you want to go through all the possible hosts that could ever host emails with that username then guess a 25 digit password, on top of which then somehow break rules of a security system that is meant to deny you access but allows you to login anyway? rather far fetched. they did not unlock the account after the transfers were complete and I've now confirmed that they where on my account over 4 hours AFTER i received the locked notification. I've confirmed that they never reset my password or unlocked my account because I just used the old password reset token to reset my account and gain control of my account. (hint, old tokens expire when a password reset is complete... but please keep lecturing me on internets 101)

- - - Updated - - -

they added sms protect to your account. they bypassed the security lock the game does when there's a change in ip or computer accessing the game account. by using their mobile phone code, they were able to log into your account. they used a 3rd party's stolen debit/credit card to move characters with a lot of gold around. blizzard locks the account down later, either automatically, or by a Game Master manually.

blizzard's servers have not been hacked since august of last year. question is, why dont you have an authenticator and sms protect?

the phone thing is the closest i've seen to an explaination, but I did have SMS protect. not sure if they can remove it somehow but I noticed its missing now that i've got my account back...