I think this is a great service that will hopefully improve response times - it has to be quite a difficult task to support this large a user-base.

I've been hacked some months ago (more than 1 year ago probably) and I still don't have a clue how.

I consider myself a pretty competent IT user. I'm 28 years old and I've been using computers since the Spectrum and so on. I'm a Computer Engineer, I do some programming, use constantly more than 1 OS (Windows 7 right now and several versions of Linux since Mandrake was still alive), don't use iE for years since version 5 (currently using Chrome and Firefox sometimes), always use a Antivirus on Windows Systems (Microsoft Security one right now) and even so I was hacked. Don't have a clue how. Never bought gold. Didn't give my password to no one. My WoW password changes from time to time and it's not equal to any other password I use anywhere. It has several type of chars and numbers. I only go to common websites like MMO-Champion, WoWhead, Curse and WoWInterface. I had upated some addons from Curse the day before I was hacked. Was that it? Will never know...

After that I go an authenticator, was before Blizzard started offering the pet as a reward for having one. But in that week I took noticed of several people I know that was also hacked.

So calling someone stupid for being hacked don't knowing how and taking all security measures one can is offensive. After I was hacked I did an Internet AntiVirus scan, scanned with several searching tools, including spybot, adware, malbytes, etc, etc, no results.

Bought an authenticator and since then had no problems.

My case took about 1 week to get solved. Recovered everything at least. But scared me a bit.

That's the thing, Neverg, you just never know what type of vulnerabilities out there that those keylog creators are taking advantage of. Adobe Flash is just one I can think of off the top of my head. Not to mention advertisements.... I hate ads to the point that I'm anal about it. I've got ads blocked so I don't see a single one. Not one. Sad thing is, some sites need the cash flow that advertisements bring, but on the other hand none of those ad companies can promise that a keylogger or other form of nasty will never get in. Better to be safe than sorry and just block them all. Sorry, I'm rather passionate about the subject... /end rant.

On another note.... a keylogger will be on your machine for weeks, sometimes even months, before the attacker actually goes into your wow account. Having said that, I doubt you got anything nasty from Curse. I think they are just as picky about what gets uploaded to their servers as the great people here at WoWI.

No offense, but I find it kinda sad that people still wait until after they've been hacked to purchase an authenticator. I was one of those idiots that kept the wow authenticator store page open in my browser for days, and kept hitting refresh until they were restocked lol. Got mine within the first week after they were announced.

I feel you and went through the same. You did nothing wrong. Something slid in via Flash most likely. I have not had the problem either since I turned on the authenticator on my phone. The key-fobs tend to die, and after 6 months Blizz makes you buy a new one, so be warned. i was unlucky, plenty of people have been lucky and theirs is working fine after a year or more. I have reimaged my machine and will most likely ONLY visit wowwiki and other info sites now from a virtual machine as I believe it was one of those info sites that had the offending flash for me. Even with the authenticator I don't want the code lurking - my brother turned his off for 1 day yo transfer his authenticator from iPhone to another phone - he got hit while it was turned off!

I'm not saying it was curse, it just the last thing I remember doing before I was hacked. Went to bed, the next morning I couldn't access my account anymore. It was blocked because it was probably used by the hacker to advertise gold or something.

I never bought an authenticator because didn't find it necessary since I considered myself someone responsible. And the only ones available were the normal ones, after the mobile ones appeared I bought one right away. :)

I don't have a clue how they did it, bruteforce was not for sure, because I Don't think Blizzard allows that anyway. Most probably it was some kind of add or flash like you said. Can't see anything else.

Anyway, I have one authenticator on one of my Mobiles, a Sony Ericsson, but it's even available for Android now, so I'm set, even tho it's not 100% secure even with an authenticator.

No matter how smart or computer savvy one might be, zero day attacks are a threat to everyone -

http://en.wikipedia.org/wiki/Zero-day_attack

These will often go undetected and when your security software finally issues an update after it has been discovered, the attack could have deleted itself by then. Some of these viruses are smart. They will often only be active while wow is running or even delete themselves when they get the job done, so as to make it harder to follow the forensics.

The days of it being just basement dweller just messing around with computer attacks are over. Many of these newer attacks are very sophisticated and some even have certain sovereign nations backing up the research financially on these attacks. Not because the nations want WoW accounts, but stealing something that is "inconsequential" is good "war games" practice.

If you get your account stolen and/or never find the source, it is hardly because of stupidity. Phishing scams are one thing and can be attributed to not being savvy enough to identify them, but other attacks are just downright amazing in their sophistication. Some Zero Day attacks can exist for a long time before being discovered by the security community.

We are. The server does its own virus-scanning, but Ackis and I still manually check anything that's an executable and we require source code as well.

This is a awesome move by Blizzard, I myself have YET to have my account hacked (im not naive enough to say it will never get hacked) and I dont use a authenticator. because I scan anything I download and i run regular virus scans of my PC.

And in regards to the post about the authenticators, while they are a good safe-guard they are not full proof, I remember reading a post about people with them getting hacked.