I'm hearing rumors of Battle.net accounts being hijacked and stolen in Diablo 3. How can I protect myself?

Blizzard released an official statement about the current situation. Their official statement denies that there are any current exploits, or that Authenticator-locked accounts have been compromised. (We can always trust what a company says about their own security, right?)

However, it also mentions that, if you're concerned about security, in addition to the "authenticator" device, and the "Mobile Authenticator" iPhone/Android app, there's also a service where Blizzard will send you text messages for certain (configurable) account information changes or similar activity. If you don't want to invest in the standalone device, and you don't have an iPhone/Android phone, you may be interested in this third option.

For more information on the Authenticator, visit http://us.battle.net/support/en/article/battle-net-authenticator-faq

For more on the Battle.net Mobile Authenticator, visit http://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq

For more on Battle.net SMS Protect, visit http://us.battle.net/support/en/article/battlenet-sms-protect

As always, if you think you've been the victim of an account compromise, head to the "Help! I've Been Hacked!" tool at http://us.battle.net/en/security/help for assistance.


It is Blizzard's position that the session ID hijacking claim is bogus. Bashiok stated in his post that thus far none of the compromised accounts they have investigated had an authenticator attached prior to the compromise. A further update specifically asserts that the session hijacking being described is technically impossible.

The advice to use an authenticator was repeated in a cut-and-paste response a few hours after the original post, and again a day later. The assertion that no authenticator-enabled account has been hacked was reiterated in a response to a user here.

The Blizzard forums are painful to read, and it may turn out that some vulnerability will be acknowledged in the future, but at the moment the official stance is that an authenticator attached to your account, along with traditional antivirus/firewall protections, is sufficient.

There is no acknowledged evidence that public games pose any threat whatsoever. The primary cause of account compromise continues to be compromised passwords (whether by social-engineering attacks, weak passwords, keyloggers, etc.).


So, with respect to this specific exploit, the most important thing is to stay out of public games, and under no circumstances accept an invitation or join request from somebody who you don't know.

You'll also want to disable Quick Join, and verify that your friends are who they say they are before playing with them as well. Once an account is compromised, it can be used to compromise the accounts of all of that person's friends, i.e. you.

More generally, you really ought to get an Authenticator, either the physical key-fob variety or the smartphone app. Remember, Diablo 3 is a game with a built-in cash marketplace. It is a prime target for unsavory sorts who want to get at your digital stuff and resell it at a profit. While having an authenticator won't protect you completely from this sort of attack, it will significantly minimize the damage a hacker can do by preventing them from changing your password or otherwise locking you out of your own account.