25 March, 2009
Dear MMO letters,
I've read a lot of the stories about MMO accounts, but I never thought it would happen to me. I was logging on my World of Warcraft account when I saw it...
...a female gnome in her underwear. It was at that point I realized that my account had been violated!
So, yeah, my WoW account got "hacked" sometime in the last week. My interest in WoW has been waning for some reason. I haven't logged on much, whatever additional free time I have has been going toward writing and other work. My friends haven't been playing as much lately, either, and the content isn't compelling enough for me to go through solo.
I was logging on to help a friend's alt with a group quest when my password wouldn't work. Uh oh. Heading to the website and resetting my password to something different, I logged on to find the previously mentioned characters in their underwear.
I'm not an idiot... mostly...
Now, I know a thing or two about internet security, having been online for longer than some people reading this blog might have been alive. I don't click on suspicious links. I run anti-virus and keep it up to date. I don't use Internet Explorer. I don't re-use the same username/password combos for important accounts.
So, when I saw my account hacked, I was a bit confused as to what happened.
The first step: panic!
My first thought was that I might have a keylogger on my computer. This would be troublesome, because I have things a lot more important on my computer than my WoW account username and password.
So, I went through and made sure that my antivirus was up to date and did a complete scan on both my computers. While that was running, I did some research about the topic, including reading Blizzard's own page about account security. I also downloaded a few rootkit detectors for my computers to make sure there wasn't something really buried. The only thing that came up was that my hosts file was changed. Well, yes, because I had changed it; I did double-check it to make sure nothing had been added or altered. Unfortunately, the software was kind enough to delete the hosts file for me, causing some swearing on my end. Thankfully I had a copy of the file on my old computer.
I also ran some file access and network traffic monitors while trying to log into my WoW account a few times. I didn't see anything doing anything suspicious or out of the ordinary in the dozen or so times I tried. So, I'm reasonably sure my systems weren't compromised; as much as you ever can be.
Solving the puzzle
Now that I wasn't in panic mode, I'm taking a look at some of the details so I can figure out what happened. I'm a game developer, and this is a potentially interesting puzzle to solve.
The first thing I did was consider how someone could have gotten my username and password. I use relatively secure passwords, but they're not as strong as they could be. I also don't always use unique passwords for each site I visit. But, my WoW account username and password was a unique combination not found on other sites.
One possibility that came to mind was a rogue element on the inside. I know we had some problems with the paid CS representatives at 3DO while I worked on Meridian 59, and there were only 4-6 people managed by one of the most capable people I know. Now, consider an operation like Blizzard that has hundreds of CS people and you can imagine someone interested in using (or obtaining) access to account information to make a bit of cash on the side. Perhaps there is some sort of precedent for that type of behavior.
Then I considered that the password had been changed on my account. Why change the password if they have my account password in the first place? This seems like an unnecessary additional step since you can only change the password through the web interface for WoW.
I also discussed the issue with a security expert. We had a little discussion about the problems of automated systems, particularly ones that can reset passwords. That got me thinking a bit more about security while I was filing a CS ticket in WoW.
Oops, they did it again!
I was playing LotRO with my better half when my friend notified me that I had just logged on two of my characters on WoW. Uh oh. That was irritating, seeing as how I wasn't playing WoW and had changed my password. Luckily, they got nothing since I hadn't been reimbursed yet, but the fact that they had my new password made me pretty cranky.
Heading to the website to reset my password, I noticed something interesting: there were two other emails waiting for me in my inbox about the password being changed on my account.
Oh. That kind of narrowed down the vector of attack.
How they probably did it
Heading to the password reset screen, I took a bit more note of what was required. All someone needed to do in order to reset my password is to know my account name, my email address, and have access to that account. Want to change the account? All you need is the old email address and an answer to a "secret question".
The email address for my WoW account is a spam-catching Hotmail account, not exactly a bastion of security. I signed up for it a long time ago, and it's had the same weak password for years now. It's funny because I recently changed it from an old psychochild.org account that I never check anymore due to an overwhelming amount of spam. I wanted to have a valid email address in case I needed CS assistance in the future. I picked my spam-catcher account because I didn't want to get any "special offers" from Blizzard if they decide to start selling addresses for a bit more cash. Since Blizzard sent account updates, with my account name included, to this email address, I assume that's how the hacker got the account name.
Even though they didn't change the email account, my "secret question" has an all-too-common answer, unfortunately. This wasn't something I considered when I filled it out way back when. But, now, there's no way to change the secret question that I could see. So, that could be another vector for attack.
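The reset flow sketched above, as an added example that is not part of the original post and is not Blizzard's actual code: a small Python model of an account service whose notification emails carry the account name and whose password reset completes with nothing but read access to the mailbox, next to a variant that redacts the name in mail and requires a device-held code to finish the reset. It also includes a check that flags the kind of common "secret question" answer mentioned above. The service and Authenticator classes, the demo account name, the mailbox address, and the list of common answers are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed list of answers that turn up constantly in "secret question"
# data; a real check would use a far larger list.
COMMON_ANSWERS = {"fluffy", "max", "buddy", "smith", "jones", "password",
                  "blue", "pizza", "chicago", "london", "1234"}


def rate_secret_answer(answer: str) -> str:
    """'weak' if the answer is common, short or purely numeric, else 'ok'."""
    a = answer.strip().lower()
    return "weak" if a in COMMON_ANSWERS or len(a) < 8 or a.isdigit() else "ok"


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Mailbox:
    """A webmail inbox; in this model the attacker can read it."""
    def __init__(self, address):
        self.address, self.messages = address, []   # messages: (subject, body)

    def deliver(self, subject, body):
        self.messages.append((subject, body))


class Authenticator:
    """Hypothetical device-held second factor; its secret never goes by email."""
    def __init__(self):
        self.secret = secrets.token_bytes(20)

    def code(self) -> str:
        mac = hmac.new(self.secret, b"reset", hashlib.sha1).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class Account:
    def __init__(self, name, password, mailbox, authenticator=None):
        self.name, self.mailbox, self.authenticator = name, mailbox, authenticator
        self.salt = secrets.token_bytes(16)
        self.pw = pw_hash(password, self.salt)


class GameService:
    """Weak defaults: account names go out in mail and the mailbox alone
    completes a reset. The two flags switch on the hardened variant."""
    def __init__(self, redact_names=False, require_second_factor=False):
        self.redact_names, self.require_second_factor = redact_names, require_second_factor
        self.accounts, self.pending = {}, {}   # pending: reset token -> account name

    def _shown(self, name):
        return name[0] + "***" if self.redact_names else name

    def register(self, acct):
        self.accounts[acct.name] = acct
        acct.mailbox.deliver("Welcome", f"Your account {self._shown(acct.name)} is ready.")

    def login(self, name, password) -> bool:
        acct = self.accounts.get(name)
        return acct is not None and hmac.compare_digest(acct.pw, pw_hash(password, acct.salt))

    def request_reset(self, name, email) -> bool:
        acct = self.accounts.get(name)
        if acct is None or acct.mailbox.address != email:
            return False
        token = secrets.token_urlsafe(16)
        self.pending[token] = name
        acct.mailbox.deliver("Password reset", f"Reset token: {token}")
        return True

    def complete_reset(self, token, new_password, second_factor=None) -> bool:
        name = self.pending.pop(token, None)       # single-use token
        if name is None:
            return False
        acct = self.accounts[name]
        if self.require_second_factor and (acct.authenticator is None
                                           or second_factor != acct.authenticator.code()):
            return False
        acct.salt = secrets.token_bytes(16)
        acct.pw = pw_hash(new_password, acct.salt)
        acct.mailbox.deliver("Password changed",
                             f"The password for account {self._shown(name)} was changed.")
        return True


def latest_reset_token(mailbox):
    for _, body in reversed(mailbox.messages):
        m = re.search(r"Reset token: (\S+)", body)
        if m:
            return m.group(1)
    return None


def mailbox_takeover(service, mailbox) -> bool:
    """Attacker who can read the inbox and has nothing else: harvest account
    names from old notifications, request a reset, read the token, finish."""
    names = {n for _, body in mailbox.messages for n in re.findall(r"account (\w+) ", body)}
    for name in names:
        if service.request_reset(name, mailbox.address):
            if service.complete_reset(latest_reset_token(mailbox), "attacker-pw"):
                return True
    return False


def run_demo() -> dict:
    r, addr = {}, "spam-catcher@example.com"                             # constructed
    weak, inbox = GameService(), Mailbox(addr)
    weak.register(Account("psychochild", "correct horse", inbox))
    r["weak_takeover"] = mailbox_takeover(weak, inbox)                  # True
    r["weak_attacker_login"] = weak.login("psychochild", "attacker-pw") # True
    hard, inbox2, auth = GameService(True, True), Mailbox(addr), Authenticator()
    hard.register(Account("psychochild", "correct horse", inbox2, auth))
    r["hard_takeover"] = mailbox_takeover(hard, inbox2)                 # False: name never mailed
    hard.request_reset("psychochild", addr)                             # attacker guessed the name
    r["hard_no_2fa"] = hard.complete_reset(latest_reset_token(inbox2), "attacker-pw")  # False
    hard.request_reset("psychochild", addr)
    r["hard_owner_reset"] = hard.complete_reset(latest_reset_token(inbox2), "new pw", auth.code())
    r["hard_owner_login"] = hard.login("psychochild", "new pw")         # True
    return r
```

The point the model makes is that the mailbox is the real credential: once the reset token and the account name both arrive there, a weak webmail password is a weak game password. Redacting the name only removes the free hint; the second factor is what actually stops the reset, and it has to be something the mailbox never receives.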
I took some steps on my end to try to avoid the situation. I've changed a bunch of passwords on my accounts, and have come up with a scheme for having unique passwords on sites. I changed my Hotmail account password, obviously. I also increased security on my browser, including installing a plugin that prevents scripts from running on websites. Never hurts to be a bit extra careful.
While researching the issue of hacked accounts, I came across a lot of information. Some stories posted about hacked accounts talked about Blizzard requiring people to get documents notarized before releasing an account. That seemed like a lot of hassle, and probably not something I would go through to keep the account. But, the process went smoothly and I got pretty much everything I cared about back through the in-game mail system. Either this was a surprisingly open-and-shut case, or accounts are compromised too often for them to have to deal with the full song and dance anymore.
I felt a bit under pressure, because I had canceled my account and it was going to go dormant in a few days. Yesterday I got all my stuff out of the mail just before the account was canceled. If I want to play in the future, I'll have my characters ready to go.
Lessons on security
So, what lessons can we draw from all this excitement?
Security is a trade-off with convenience. Being able to reset my password on the site is nifty if I forget my password, but it sucks if someone else manages to figure out how to do it without my permission.
Email isn't a secure medium, especially web mail services. That's a big "duh" for anyone who has been online for a while. Email tends to be a convenient way for one person to identify another, but there is no guarantee that each person has only a single address; in fact, I use at least 5 on a regular basis, and could create many more since I own my own domains. Assuming that sending information to someone's email account is secure can be a bad decision. Obfuscating some information in those emails, such as account names, is also wise.
Being big means being a target. As I mentioned, I play LotRO as well. Those characters weren't touched. Although, I've seen more spam by gold sellers in LotRO lately, so they may be gunning for those next. Luckily, the usernames and passwords are very different; but if they do get hacked, time to scrub the computer clean. But, I figure my WoW account was hacked because it was a WoW account.
Yes, it can happen to you. A lot of responses to people posting about their WoW accounts getting hacked were of the form: "You were stupid and installed a keylogger!" or "You gave your account information to someone who took your stuff!" Neither of these have to happen for you to get your account compromised. All it takes is one minor thing like not worrying about which email account you have your account updates going to.
That doesn't mean people aren't stupid. One time we had an account that was "hacked" in Meridian 59. We asked the customer the standard questions: "Do you have anti-virus?", etc. The telling answer was in response to "Did you give your account info to anyone?" She replied, "Only to my bf, but I trust him." That's not what the access logs say, dear.
What about you? Have you had any experiences with compromised accounts?