Over the last 4 days my World of Warcraft account got hacked 5 times. I still don't know how it happened in the first place. As far as I can tell there's still nothing wrong with my email account or with my computer, and he only gets to repeat the account hack because Blizzard has done a poor job of securing my account on their end. This is a bit of a serious accusation, but I feel like I can back it up.
Hack #2, the attacker likely got in by using the SMS service he set up on my account during the first hack. Or by using the secret question he set up on my account during the first hack. Neither were removed by Blizzard when they restored my account the first time, even though I explicitly noted the SMS service had been added by the hacker. After this hack I made sure they removed the SMS.
Hack #3, the attacker certainly got in by asking nicely.
Note that before I could get my account back in the first place I had to provide photo ID. This guy did not need to attach ID. Heck, the GM who let him into my account didn't even bother to fill out the madlibs form properly, unless somehow my name is NAMEHERE and my issue was ISSUEHERE. This time the hacker changed my account email address.
Hack #4, the attacker likely got in using the secret question. The GM who helped me out this time couldn't do much, and had to leave my account locked while a restoration team guy worked on the account. He didn't have any new suggestions for securing my account, but what I did on my own was got my sister to let me use her cell phone as the SMS thing. I assumed this would be good enough, but it was not.
Hack #5, the attacker likely got in using the secret question. The GM this time suggested the secret question as a potential vulnerability and had me change it. They also had me change the email address associated with the account. Both of those changes seemed reasonable, and it surprises me in retrospect that none of the other GMs suggested it. Frankly, those seem like much more reasonable things to suggest than getting me to change my email password a second time. (The first time seems quite reasonable.) This GM was helpful in terms of helping secure my account but he failed when it came to restoring my account. He said he'd done it, but my character had no gear and almost all the money was still missing.
So tonight after getting Sceadeau and Elaine to start playing I went and opened another ticket, this time to get my stuff restored. The GM this time around took her sweet time looking into things, which is just fine. An earlier GM had just mailed me 404k to fix the problem and get me out of his hair and I'm more than happy to have someone sit down and restore what I should have. This GM did a restoration, but it was not anywhere near correct. I ended up with 114k total gold when it's obvious that at least 404k was stolen from the guild bank log. I'm pretty sure the total amount is more like 534k. Anyway, I explained a bit of the math behind how I arrived at my number. She went away for a while longer and then came back saying my account had to be locked because of how many times I was hacked.
If this was standard policy given how many times I'd been hacked I'd be bitter but could understand it as a stance they'd take. Especially if nothing new had changed. Repeating the same action over and over is just feeding the hacker 534k gold every time and I can see not wanting to do that. So if that's what the guy this morning had said instead of offering 2 new things to try, so be it. But that's not what happened. (Especially if Blizzard can't track down the gold that gets stolen and just makes new gold to give to me, the hacker is making almost $400 each time he hacks me. I can see why he keeps doing it!)
I'm especially pissed because the number of hacks is being used against me when at least one and probably 4 of the 5 hacks can be attributed not to my actions, but to Blizzard's actions. If the first guy had removed the SMS the hacker added and also realized the secret question was added at the same time and had that changed as well we'd probably be free and clear. Certainly the time when a GM let the hacker in has to be on Blizzard! I feel like too many of these GMs have reacted in a way to speed up getting a fix out instead of making sure the fix was the right one and it probably sped up their individual call response times but is jamming the system in general.
This GM said the only way to unlock the account was to have an authenticator mailed to me and used. But she couldn't get them to mail one express before I move, so I'm looking at not being able to play for a couple weeks. And since now is when my friends have started playing that's not really a good option. I also wanted to use this time before the expansion hits to play. Oh, and I'd bought the expansion and the game time last week because I was going to play this month. So I asked for a refund and was denied.
I pressed some more, and eventually she caved. But not to unlock my account. Not to send me an authenticator quickly. Not to run a test to see if changing the secret question and the email address were good enough to secure the account. No. She refunded my expansion purchase. Not my gametime purchase, which I can never use because they locked my account, just the expansion. So they gave me back $50, but not the extra $42 for 3 months of gametime. I'm going to have to yell about that one way or the other too.
I fully intend to open a new ticket tomorrow morning to see if things won't change when I get a different rep. If this experience tells me anything it's that the reps are not consistently trained, so there's a decent chance I get someone else who just lets me in and mails me 404k again. Of course this all depends on not losing my Battle.Net account again overnight. We'll see if the question and email changes are good enough.
But if they aren't, or if Blizzard doesn't let me back in... I'm probably done with WoW. Which sucks, because I was having fun playing and because I'd convinced Sceadeau and Elaine to start playing too.