Diablo III is the latest chapter in one of the most popular PC gaming titles out there. Coming out twelve years after the last chapter, Diablo III launched last week to much fanfare and anticipation after becoming Amazon’s most pre-ordered PC game ever.

Diablo III is like many games these days where users have an online account and their characters and inventories are stored online and tied to that account; in this case through Blizzard’s Battle.Net service. Since the launch last week, reports started coming out over the weekend from players saying that after logging in they found their online characters’ gold and inventory were gone.

Yesterday, Blizzard made an official statement about the problem. They noted that what players are seeing is the result of their Battle.Net accounts being hijacked by unauthorized users.

This isn’t the first time players of a major online game have seen their accounts hijacked and their inventories stolen. Account hijackings leading to inventory theft have plagued other games like World of Warcraft (which also uses the Battle.Net service) and Halo 3.

While online account hijackings aren’t uncommon, what makes hijackings of game items interesting is how it translates into real dollars for the criminals. In-game gold and items that are stolen quickly find their way onto a shadowy underground market where the criminals will sell other players’ items to turn online treasure into real money. There have even been reports of organized “gangs” in places like China and North Korea doing this. Particularly unique items, like the “Recon Armor” in Halo 3, have been targeted for their high value.

To Blizzard’s credit, they’ve moved to acknowledge the latest round of hijackings quickly and highlighted tools that players can use to increase security: the Battle.Net Authenticator and Battle.Net Mobile Authenticator. These tools give additional protections by requiring you to enter an additional one-time code when you login to your Battle.Net account.

As Blizzard notes, this isn’t a new problem or unique to Diablo III. It’s one of the risks that players of high-profile online games face these days. The important thing is for players to be aware of these risks and to take appropriate steps to help better protect their accounts.

Christopher Budd is a freelance writer and independent consultant in the areas of online security and privacy, social media, incident response and crisis communications. A ten-year veteran of the Microsoft Security Response Center (MSRC), he combines his prior career as an engineer with his communications expertise to help customers bridge the gap between the technical and communications realms and “make awful news just bad.” Follow him on Twitter and Facebook.

Comments

  • Billg

    Oh no! I lost the golden arrow of internet game playing! Guess I’ll just have to play another 100 hrs to randomly find another.

  • Profalagba

    That’s what happens when you try to monetize games by making real money transactions for in-game gold, instead of leaving that to hard work and commitment!

  • GJElllis

    I think you miss the point that Blizzard has failed to provide a reasonable level of security for its customers. What other services that use standard user-name/password security absolve themselves of responsibility because their users didn’t use some additional, optional tool? If this tool is needed to make accounts secure, it shouldn’t be optional. Based on what I’ve read, it doesn’t solve the problem in any event.

  • Scott Sullivan

    That’s not a fair statement, @GJElllis. Blizzard probably has plenty of blame to take on, but so do the users themselves. You ask: “What other services [...] because users didn’t [...]”. Well, your Hotmail/Live, Yahoo, Facebook, Twitter, … the only service that swallows the hit when the user (their client) fails to reasonably protect their credentials is a bank. You can do some really stupid stuff, naive mistakes in many cases, where it is totally the user’s fault. The bank will just replace the money and handle the fraud investigation/prosecution themselves.

    The truth is that most of the time there isn’t any “hack” or “exploit”, just a script-kiddie and a naive user at the other end. Not to throw responsibility entirely on the user, but I do want to stress that more than half the time the user could have foiled the criminal’s attempt if they weren’t naive, to put it as nicely as possible, to the responsibility they were dealing with (i.e. when you handle your credentials) and the consequences of failing to make the right decision. That said, a criminal act is still a criminal act. I don’t excuse the perpetrators, but consider this:
      * You lock your house, apartment, or hotel room and don’t give the keys to strangers.
      * You lock your car and would never let a stranger claiming to be from “GM” look at your keys.

    These are apt analogies; the mishandling of physical credentials (i.e. your keys) is like the mishandling of digital credentials. Blizzard is not to blame for that, but I would cast some blame their way for enabling the black market. Other games have gone through this exact same scenario and Blizzard deserves all of the blame for not taking the steps to provide a safe, monitored, and condoned marketplace for trading the game’s digital goods. The truth is, it is not in their best interest to squash the black market. All the players who were affected will cough up more money to get back to the point they were before and Blizzard will happily take that money. There is a similar sliminess with the way cheaters are handled in games. If Blizzard really wanted to stop cheating they could easily block a credit card number after banning a cheater. Not the case, they will happily allow the same card to pay for a new account after they have booted a player for cheating.

    Blizzard deserves a kick squa-in-tha-nutz for sure. They are aware and capable of fixing several aspects of the defunct digital economy they created, they just refuse to believe that they can/could be more profitable or successful if they acted with more integrity.

  • http://www.shortformvideo.com/blog Laurence Grayson

    From my perspective, being forced into an internet-connected game model when I will NEVER play this game in co-op/online is questionable in the first instance (particularly when Blizzard is often unable to provide me with a service to connect to). Now that my single-player account (which hasn’t even been near an online game, chat room or auction house) has been stripped bare, I find myself wondering how a company that has run the largest MMORPG in the world for the last decade can get online security so utterly utterly wrong, and wasn’t this always-connected model specifically designed to stop this kind of thing from happening?
    The idea that anyone would trust a real-money online auction house when even offline single player accounts aren’t safe is ludicrous, and Blizzard’s “if you didn’t buy from gold farmers, none of this would happen” line leaves me (almost) speechless. I expect better. And the fact that you seem to be joining Blizzard in saying “users are idiots and should have taken more care” is equally insulting.
    As my CV lists a number of senior editorial roles in the IT press, I like to think my credentials as a computer user are fairly sound. Despite all that, my account has been stripped of virtual possessions that represent several hours of effort on my part.
    My fault? Or Blizzard’s? I know what my answer would be.
