battle-net compromised accounts

Comments

  • FearGX Member Posts: 317

    I've never been hacked in any game I play ever that requires some sort of Account login.

    Maybe I'm just lucky or careful, I've had viruses before, but still never been compromised.

  • aelieth Member Posts: 44
    Originally posted by Pappy13


    Still don't believe there is an upswing?  Blizzard just posted this Thursday afternoon:
    http://forums.worldofwarcraft.com/thread.html?topicId=22748999538&sid=1
     

     

    Hahaha! Blizzard got pwned! This must have been very well orchestrated! 

  • Varchar Member Posts: 44
    Originally posted by Pappy13


    Still don't believe there is an upswing?  Blizzard just posted this Thursday afternoon:
    http://forums.worldofwarcraft.com/thread.html?topicId=22748999538&sid=1
     

    Ya so they are experiencing an upswing because a shit ton of their accounts got compromised. LOL

    We don't care what they are doing about it, we want to know how it happened!  It's disturbing to me that my account has been secure for 4 years and suddenly it is accessed by CHINAFUCKSTICK and is raped of all gold and items.

  • Disastorm Member Posts: 318

    Yea my account got hacked like 2 years ago after it was inactive for like a year.  The hackers even upgraded it to burning crusade o_o.  I dunno how that's possible.

  • drivec Member Uncommon Posts: 104

    Happened to me just less than a week ago. If you have your email and security question, you can get the authenticator removed, like I have, but my account is still oddly suspended; it's been well over the time they said in the email. Took only 3 days to get a reply. I am sure they are probably trying to look into the accounts to see what they may all have in common and trying to figure out how this happened.

  • dreamsfade Member Uncommon Posts: 339
    Originally posted by Varchar

    Originally posted by Pappy13


    Still don't believe there is an upswing?  Blizzard just posted this Thursday afternoon:
    http://forums.worldofwarcraft.com/thread.html?topicId=22748999538&sid=1
     

    Ya so they are experiencing an upswing because a shit ton of their accounts got compromised. LOL

    We don't care what they are doing about it, we want to know how it happened!  It's disturbing to me that my account has been secure for 4 years and suddenly it is accessed by CHINAFUCKSTICK and is raped of all gold and items.

     

    I concur

  • Varchar Member Posts: 44
    Originally posted by Disastorm


    People can also brute force passwords if they know your username.  I doubt most people use random letters, numbers, and symbols as their password, and so most passwords that are related to words or probably less than 9 characters can probably be brute forced without too much difficulty.

    Yes I agree that most people probably use a dumb fuck password and it is easily guessed, but I did not because I am really really smart.

    So I'm still wondering how my account got compromised, I guess maybe there was a keylogger on my machine, or a trojan horse!

     

  • intheory Member Uncommon Posts: 32
    Originally posted by Varchar

    Originally posted by Disastorm


    People can also brute force passwords if they know your username.  I doubt most people use random letters, numbers, and symbols as their password, and so most passwords that are related to words or probably less than 9 characters can probably be brute forced without too much difficulty.

    Yes I agree that most people probably use a dumb fuck password and it is easily guessed, but I did not because I am really really smart.

    So I'm still wondering how my account got compromised, I guess maybe there was a keylogger on my machine, or a trojan horse!

     

     

    So... my account got hacked somehow, but here's the weird thing - I haven't played in over a year. I read somewhere that someone said they could've grabbed it at any time, but I never used any executables when I played WoW, and only typed it into Blizzard websites (or the game). I know for a fact that no one could brute force my password, because I developed a program that randomly generated my password every month or so. I'm not a computer n00b when it comes to shit like this. I take care of my accounts and passwords.



    I'm pretty sure it's something on Blizzard's side. I have 100% assurance that there's NO way anyone can guess my password. I'm not saying Blizzard is 100% to blame, but I think someone at their company is stealing accounts, cause there's no way someone could've guessed my password.

  • Jehenna Member Posts: 27

    A couple of things you may be interested in:

     

    Accounts are compromised through two main avenues. Keylogging, and sharing details with family or friends. In some cases, although the account details have been shared, it is a friend logging onto the account from an unsecured or infected computer that then causes the account to be compromised through the first method.



    The rationale for hacking the account is twofold:

    1) the stripping of the account for gold which is then sold to another player

    2) the use of the account for advertising gold sales

     

    In order for the account to be worth something, there has to be a player wishing to purchase gold on the same server that the hacked account has gold. At that time, it then becomes desirable to access the account, strip it and send the stuff to the purchasing account. The use of the account at this time for the secondary purpose becomes attractive, as it has very limited worth to the hacker once the gold is removed.

     

    Most gold companies advertise the speedy response by which they can provide gold once an order is received. It must therefore follow that they have access to sufficient quantities of hacked accounts to ensure that they can meet the anticipated demand for gold sales. That is - accounts which are active, have gold on them on that server, and can be accessed by the hacker.

     

    In order to set this up, it stands to reason that accounts are compromised, assessed, and then left dormant with no further damage done until needed again by the hacker, once an order for gold has been made which can be met by the hacked account, or a combination of hacked accounts.

     

    As someone said, if your account is hacked on Friday, it doesn't mean that they keylogged you on Thursday. And an inactive account is not going to be flagged as a problem by the owner. Hence it is not in the best interest of the hacker to make their access of your account obvious early on. Leaving the account compromised and dormant is the absolute best scenario.

     

    With regards to the battlenet conversion - anecdotal evidence does not mean causality. I have received a total of three spam emails since opening my accounts in 2005. Two were received before the battlenet conversion, and one email was received after the conversion. Anecdotally, I cannot correlate a rise in attempts on my account since the conversion.



    There is absolutely no reason why using an email address should make an account more vulnerable than using a userid, unless that email address is listed in the public domain and the userid is not. The rise of information sharing applications such as Twitter, Facebook, MySpace and forums which require the creation and propagation of personal information, including the use of both userids and email addresses, may be the cause of the increased account compromises.

     

    It is far more likely that a determined hacker would break into a forum environment than attempt a break-in on Blizzard's servers. Forum userids may or may not match the account ids, and likewise with forum email addresses, which are all stored in the account profile, but either way, accessing the user accounts of a site like this is guaranteed to yield some results simply because you are already targeting a group of people who play MMOs and are thus likely to have a WoW account. As opposed to randomly hacking email accounts. I suspect that forums and other such sites have fewer IT security measures attached to them than Blizzard's account servers. The financial stakes for Blizzard are considerably higher, and they know it is in their best interests to protect their servers.

     

    In order for a Blizzard employee to successfully obtain and then sell your account detail, they would have to get access to it. Not all Blizzard employees will have access to all of the information required, let alone the capacity to interface with the authentication servers and pull that kind of information off them. And if they were going to do that, wouldn't the GM accounts be first to go, seeing as they have the capacity for creating unlimited gold, and therefore only one account compromise is needed in order to set up a gold selling company for life. Selling user account details would be ridiculously inefficient.

     

    There are two things that the community must do in order to address the issue of compromised accounts, and Blizzard can address only one of these.

     

    Firstly, the use of authenticators. The authenticators themselves are already discounted by Blizzard, and as someone pointed out, the back end required by the authentication servers to accommodate that is likely not included in the price. Blizzard has borne some of that cost. It would be almost impossible for Blizzard to make these compulsory for the simple reason that the playerbase would not accept this, even were they provided for free.

    This is because an authenticator prevents an account from being shared outside one physical location, or powerlevelled. Some players are simply not going to put an authenticator on an account because they wish to participate in either of these activities, and believe it is their right to do so, should they choose.

    So if a player wants to ensure that their connection to the authentication server is protected, they can use an authenticator. Requiring players to secure their own side of that transaction is not unreasonable, nor is the cost of the authenticator prohibitive. Arguing that you should not have to buy one to secure your account, is similar to arguing that you shouldn't have to use antivirus or firewall software. This is true - in an ideal world. But we're not in that world.

     

    Secondly, the entire reason behind the massive scale hacking of accounts is for access to in-game gold which is then sold to players. While there is a market for this gold, it is economically desirable for hackers to continue to find ways in which to obtain account details and take their contents. This is why there was a widespread move away from gold selling companies buying accounts and farming gold, and towards simply taking gold from one player to sell to another player. The cost to the gold selling company in that transaction is almost nothing, which yields more profit.

     

    Simply put - if no one bought gold, what reason would there be for hacking the accounts? None.

     

    The ultimate solution to the widespread hacking of accounts across all MMOs is for players to stop purchasing gold. The painful truth is that the players buying gold see their short term gain as more important than the grief caused to their fellow gamers.

  • Jehenna Member Posts: 27

    Additionally:

    (this may have changed since the last time I was checking password change/retrieval functions, in which case, please ignore)

     

    In order to change a password through Account Management, it is only needed that the person logging in have the email address used as the account ID, and the password. These are picked up by the keylogger. They do not need to know the secret question and answer.

     

    In order to reset the password without logging into Account Management, because the password has been lost or stolen, the person requires the email address and the secret question and answer. They do not need to know the current password.

     

    Hence in order to compromise an account, you need:

    1. Email address and account password (not secret question and answer)

    or

    2. Email address, email password, secret question and answer (not account password)

  • Phry Member Legendary Posts: 11,004
    Originally posted by Jehenna


    Additionally:
    (this may have changed since the last time I was checking password change/retrieval functions, in which case, please ignore)
     
    In order to change a password through Account Management, it is only needed that the person logging in have the email address used as the account ID, and the password. These are picked up by the keylogger. They do not need to know the secret question and answer.
     
    In order to reset the password without logging into Account Management, because the password has been lost or stolen, the person requires the email address and the secret question and answer. They do not need to know the current password.
     
    Hence in order to compromise an account, you need:
    1. Email address and account password (not secret question and answer)
    or
    2. Email address, email password, secret question and answer (not account password)

    And since Battlenet has now conveniently made these account IDs (email addresses) so conveniently available, the job of the hackers just got made easier; at least now they don't have to go to all the trouble of finding your login name. No matter how the password is discovered (trojans/keyloggers etc.), the fact is that if that's all they need, then that is a layer of protection that was removed from the game's security. It is, without doubt, the main reason why account compromisation is on the increase. And no matter how much spin is put on the subject, the increase in spam emails relating to WoW is probably just for that reason; not everyone will fall for the bogus emails, but probably enough people will to make it viable, and with it, their passwords are compromised. The conversion to Battlenet accounts with an email login, in one stroke, gave away not only the account's login name, but also the primary tool in obtaining the password necessary to use it. How many accounts have been compromised in this fashion remains to be seen, but this could well go down as one of the biggest debacles in MMO game security. And while the authenticator is a useful tool for maintaining account security, a significant proportion of the WoW playerbase does not have access to one; these are the players who pay for the game by buying gametime cards, and are ultimately left out of the loop with the authenticator system.

     

  • ICanadian Member Posts: 5

    For your sake I hope you're trolling.

    It is a fake email, L2 read, idiot. I get like 3 per week.

    Last one was kinda funny, go to www.worldofwarzcraft.com, made me lol a little inside on how people like yourself could fall for this. lol

    L2 Read, it's fake, end of story

  • Jehenna Member Posts: 27
    Originally posted by Phry


    and since Battlenet has now conveniently made these account id's (email addresses) so conveniently available,  



     

    Sorry I must have missed this - where is battlenet publishing your email address?

  • Phry Member Legendary Posts: 11,004
    Originally posted by Jehenna

    Originally posted by Phry


    and since Battlenet has now conveniently made these account id's (email addresses) so conveniently available,  



     

    Sorry I must have missed this - where is battlenet publishing your email address?



     

    I think the point is that Battlenet doesn't need to publish them. Once the login name was changed to email addresses, it became that much easier to obtain.

  • Jehenna Member Posts: 27

    Um, why?



    Googling my email yields no results. Googling my previous username yields 10 results - all mine.

    I am confused why this makes my email address less secure than my username.

  • Phry Member Legendary Posts: 11,004
    Originally posted by Jehenna


    Um, why?


    Googling my email yields no results. Googling my previous username yields 10 results - all mine.
    I am confused why this makes my email address less secure than my username.



     

    If you've never received a spam email, then you're probably safe, but email addresses are bought/sold on a regular basis, so unless the only people who know your email address are your friends and relatives, then your email address is in the public domain, and accessible. And tbh, even then it's still not 100% guaranteed not to be on some spammer's list of active email addresses. That is why, by their very nature, email addresses are not secure.

  • Jehenna Member Posts: 27

    Yes, but a hacker has no way of knowing which of the billions of email addresses which they may have, are actually attached to a wow account. Essentially you're still in part looking at a brute force attack.



    It's when those email addresses are associated with OTHER MMO activities like forums, etc, or similar enough to usernames that they become interesting and viable.

     

    Hackers don't start at A and work their way through the alphabet of email addresses. They are looking for the fastest and most efficient way, because they are trying for a profit.

  • Phry Member Legendary Posts: 11,004
    Originally posted by Jehenna


    Yes, but a hacker has no way of knowing which of the billions of email addresses which they may have, are actually attached to a wow account. Essentially you're still in part looking at a brute force attack.


    It's when those email addresses are associated with OTHER MMO activities like forums, etc, or similar enough to usernames that they become interesting and viable.
     
    Hackers don't start at A and work their way through the alphabet of email addresses. They are looking for the fastest and most efficient way, because they are trying for a profit.



     

    It's quite likely that they just spam the whole list, on the off chance that they get a positive hit. It's entirely probable that people are receiving emails supposedly from Blizzard, when they've never even heard of WoW. You get the same kind of thing with bogus emails claiming to be from Halifax and Barclaycard; you may never have held an account with them in your life, but, suddenly they're contacting you to update your information....

  • Jehenna Member Posts: 27

    Yes, but phishing emails are entirely separate from battlenet. Because whether or not battlenet uses your email address or your username, there is still an email associated with the account, so a mass spam to a bought list of email accounts would be just as viable regardless of whether the email address is the userid or not.



    See what I mean?

  • Wraithone Member Rare Posts: 3,806
    Originally posted by aelieth

    Originally posted by Pappy13


    Still don't believe there is an upswing?  Blizzard just posted this Thursday afternoon:
    http://forums.worldofwarcraft.com/thread.html?topicId=22748999538&sid=1
     

     

    Hahaha! Blizzard got pwned! This must have been very well orchestrated! 

     

    There is a LOT of money involved in WoW gold and character sales. That is the motivator for these groups to keep coming up with various methods. It's also rumored that various organized crime groups may be involved at this point (yes, the money is getting that big).

    "If you can't kill it, don't make it mad."
  • Wraithone Member Rare Posts: 3,806
    Originally posted by Disastorm


    Yea my account got hacked like 2 years ago after it was inactive for like a year.  The hackers even upgraded it to burning crusade o_o.  I dunno how that's possible.


     

    Once they have access to the account details, they just add TBC to the account the same as a player would.

    "If you can't kill it, don't make it mad."
  • blackthornn Member Uncommon Posts: 617

    I'm just amused that the last phishing email I received about my old wow account was from "ncsoftsupport@ncsoft.com".  Gotta love when the badly spelled email is from phishers that can't even properly edit their cut and paste scam mail.

     Grouping in Old school mmo's: meeting someone at the bar and chatting, getting to know them before jumping into bed.  Current mmo's grouping: tinder.  swipe, hookup, hope you don't get herpes, never see them again.
  • Wraithone Member Rare Posts: 3,806
    Originally posted by Jehenna


    Yes, but a hacker has no way of knowing which of the billions of email addresses which they may have, are actually attached to a wow account. Essentially you're still in part looking at a brute force attack.


    It's when those email addresses are associated with OTHER MMO activities like forums, etc, or similar enough to usernames that they become interesting and viable.
     
    Hackers don't start at A and work their way through the alphabet of email addresses. They are looking for the fastest and most efficient way, because they are trying for a profit.

     

    One of the reasons not to use email addresses is it sets up a perverse incentive. Before, the log in data was only of interest to those who wanted to hack into your game accounts. Making them active email accounts makes them valuable to spammers and other such slime.  They typically have many more resources available for their activities than the much smaller scale game hackers.  It also means they have much higher value for internal theft by unethical employees.  Believe it or not, roughly 4/5 of business system compromise is an inside job. Either direct employee compromise, or some form of social engineering.  I doubt we are seeing that with Blizzard at this point (with such a target rich environment of people who are clueless about effective computer security to pick from), but I'm hoping that Blizzard's CSO has given some thought to the matter.

    "If you can't kill it, don't make it mad."
  • donaldduck Member Uncommon Posts: 158

    Guys just download the mobile phone Battlenet authenticator - they've got it for just about every mobile out there now and it only costs 50p  (hate giving any more money to Blizz but in this case it's well worth it.)

  • Kremlik Member Uncommon Posts: 716

    To a lot of the posters here pointing the finger at the player being an idiot: As many of us have already said, we are in the IT industry and it's damn hard to get into our systems. Hate to burst your bubble on you all thinking these gold farmers are 15 year old kids with next to no knowledge in IT skills - they have PRO hackers behind them.

    Gold farming and character selling is MASSIVE money (hence the reason why it's now 'taxed' in certain parts of the world), they can afford to get the experts in. Believe it or not, they don't need to touch your PC at all. With the account's user ID being your email now, it's drastically weakened the account security; all they need is a password, which can be obtained WITHOUT the use of a keylogger. All it takes is either they hijack a site (like the recent Gmail issue), BUY your account data (not saying it's Blizzard selling, but from another 3rd party site, where you could be using the same passwords or close to it) or they can just password bomb the login screen until they get a hit.

    Like I said in my other post, Battlenet is basically idiot proof, at least in the EU version, but I'm assuming the US is the same, to install an authenticator all you need is three things: your email, password and authenticator ID. No other account data is required, not even your security question or even one of your CD keys, which, like I said before, ironically you need to report the hack. Even Blizzard didn't opt for the 'are you a bot?' image codes to put up on the web login screen to stop them being bombed. Battlenet's security is extremely weak, even the free to play titles out there are stronger.

    The ONLY thing that can protect your battlenet account 100% atm is the authenticator dongle - Blizzard and Activision know this, hence the reason why they will only offer 'support'; they are currently making money off their own flawed system.

    Phishing emails, scams and Trojans are just the 'beginners' form of hacking, I really don't think you realise how organised cybercrime is.

    Bring on the WARRRRGGHH!
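
Added example (not part of any post in this thread, and not Blizzard's implementation): the server-side control the last post says was missing from the login screen, a sliding-window limiter that demands a bot check after repeated failures on one account and blocks a source that fails against many different accounts. The class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window limiter for failed logins, keyed by account and by source."""

    def __init__(self, window=300, max_per_account=5, max_accounts_per_source=10):
        self.window = window                      # seconds a failure stays counted
        self.max_per_account = max_per_account
        self.max_accounts_per_source = max_accounts_per_source
        self._by_account = defaultdict(deque)     # account -> failure times
        self._by_source = defaultdict(deque)      # source  -> (time, account)

    @staticmethod
    def _normalise(account):
        # Assumption: the e-mail login ID is matched case-insensitively, so fold
        # it here; otherwise "A@x" and "a@x" would get separate failure budgets.
        return account.strip().lower()

    def check(self, now, account, source):
        """Decide, before the password is verified: allow, challenge or block."""
        account = self._normalise(account)
        cutoff = now - self.window
        acct_q, src_q = self._by_account[account], self._by_source[source]
        while acct_q and acct_q[0] <= cutoff:     # drop failures outside the window
            acct_q.popleft()
        while src_q and src_q[0][0] <= cutoff:
            src_q.popleft()
        # One source failing against many distinct accounts: list-driven guessing.
        if len({a for _, a in src_q}) >= self.max_accounts_per_source:
            return "block"
        # Many failures on one account from anywhere: require a bot check
        # (image code or second factor) instead of locking the owner out.
        if len(acct_q) >= self.max_per_account:
            return "challenge"
        return "allow"

    def record_failure(self, now, account, source):
        account = self._normalise(account)
        self._by_account[account].append(now)
        self._by_source[source].append((now, account))


def replay(events, throttle):
    """Feed (time, account, source, password_ok) tuples; return each decision."""
    decisions = []
    for now, account, source, ok in events:
        decision = throttle.check(now, account, source)
        decisions.append(decision)
        if decision == "allow" and not ok:
            throttle.record_failure(now, account, source)
    return decisions


def demo():
    # Constructed events; addresses come from the documentation ranges.
    guessing = [(t, "Player@Example.com" if t % 2 else "player@example.com",
                 "203.0.113.7", False) for t in range(7)]
    many_accounts = [(100 + i, f"user{i}@example.com", "198.51.100.9", False)
                     for i in range(12)]
    owner_later = [(400, "player@example.com", "192.0.2.10", True)]
    return replay(guessing + many_accounts + owner_later, LoginThrottle())


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The account owner logging in at t=400 is allowed because the earlier failures have aged out of the 300-second window; challenging instead of hard-locking keeps an attacker from locking the owner out on purpose.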