Account security for World of Warcraft

[Rahl Windsong]

I thought I would post this because this just happened to my long time gaming friend, his WoW account has been wiped clean, years of work down the drain. Here is how they did it...

these are his words on the subject...

"This morning I was playing wow I saw the notice of server restarts at 5:00am PST and at 7:00am I got logged off. So figuring it was the rolling restart went to have a shower and get ready for work

Around 7:20 I'm sitting down have breakfast, and I check my email, and there is an email sitting there from 7:02 saying I changed my password.

??? What

I try and login nope can't log in. I do a password recover, and reset my password, and login. I'm sitting at the Farstriders selection screen, and low and behold all but one charchter is gone. Just wolivere is showing there with about 1/2 his armor.

SO I log on, and I find my self in a group in Shadow Laybrith, and I am immedietly punted from the group and I am stuck in a free fall with the charchter not able to move log or do anything.

I log another charchter on another account and run to check the Phoenix Elements guild bank... stripped.

I log my main account back in and check the other servers I am on.. sisters of elune..etc..etc.

Nope everything is fine there.

So then I was sitting there thinking how did they get my password. Then it clicked they did not get my password they reset my password.

To be safe I ran scans of my system nope nothing. In fact this Vista 64 rebuild was only done 2 nights ago, and there is virtually nothing on the coputer except WoW and warhammer.

So I start googling and within in minutes I find out how these guys do this. I won't get into the details but this is a wow issue.

When they find your email address, all they need to do is send it to a wow recover bot on the server facking the return EMAIL address and within a few minutes they have your account name and password.

I'm feeling exhausted now, all my lvl 70's are toasted....I am now waiting till 10am PST to talk to wow about the issue."

then later he posted this...

"After some digging I figured out how this all works.

Blizzard has some major weak security.

All it takes is to spoof an email to the recovery email account at blizzard. The Recovery account will send the account name and temp password to the email that spoofed the email.

Now the real email adress used will not get a notice it will only go to the spoofed address.

Once you have this email you follow the link, and you use the temp password to reset to the new password.

When you make this reset, an email is sent to the registered account holder.

But by the time they get the email check your account verify you can't get in, then innitiate your own recovery. They have 5-10 minutes in your account which is all they need to strip it down and email all the goodies off.

I am sort of shocked at how bad Blizzards security on this is."

So now you can see how easy this is and its all from your own attempt to change your password, which is something Blizzard says you should do on a regular basis.

[Daemon Lord]

Thanks, did help a bit!

[LJonesy]

I wish Blizzard would do something about that, they might have already.