Debunking another hacked authenticator story

One of our readers, Bill, sent us a tip about a WoW account issue on The Consumerist. It seems that the ownership of Anonymous's friend's account is under dispute and Blizzard won't let him use it in the meantime. The ownership became disputed after the account was allegedly hacked, even though there was allegedly a mobile authenticator on the account. His friend has given up on the account, complete with Val'anyr, and has created a new one.

We can't confirm any of the facts in this case. I am willing to believe that Anonymous is truly upset and believes the story he tells to be true, even though he is posting anonymously. There are some serious red flags, however, that seem to point to Anonymous not having all of the facts:

There are no confirmed cases of an Authenticator being removed from an account by a hacker.

The code from the Authenticator is based on the serial number of the device or app and a date/time stamp. Because of this, a code is only good for a short time, about 30 seconds, and can only be used once. (After a few comments I tested the duration and the codes definitely last longer than 30 seconds. But they don't last hours, nor can they be used out of order. For the results of more testing, please see the link on the word Authenticator above.) In order to remove an Authenticator from an account without actually having the authenticator in hand, Blizzard requires that you fax or snail-mail documentation proving that you are the owner of the account. Otherwise, the steps to remove an Authenticator online are:

  1. Enter username and password at the account management login screen.

  2. Enter the current Authenticator code before it expires.

  3. Navigate to the Authenticator removal screen.

  4. Enter the new current Authenticator code.

  5. Enter the next Authenticator code, approximately 30 seconds later.

  6. Press the remove button.

The timing and number of codes required for the above procedure make it impossible to remove an authenticator online without real-time, extended social engineering. It would take slightly less effort to just log on to WoW with the account info and an authenticator code acquired within the last minute and quickly clean out the account, but removing the authenticator, changing the password, or logging in a second time would not be possible.
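To show why a code captured once is of so little use, here is a simplified model of a time-based one-time code that I have added for illustration (this is not Blizzard's actual algorithm, and the serial, code length and 30-second step are assumptions): the code changes with each time step and a verifier that records which steps it has already accepted will reject both replays and stale codes.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30  # assumed length of one code window


def code_for_counter(secret: bytes, counter: int, digits: int = 8) -> str:
    """HMAC-based code for one time window (HOTP-style truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def code_at(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Code the device would display at Unix time `now`."""
    return code_for_counter(secret, now // step)


class CodeVerifier:
    """Server side: accepts a code once, within a small clock-skew window."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew            # windows of tolerance either side of now
        self.used_counters = set()  # windows whose code was already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter in self.used_counters:
                continue  # single use: a replayed code is refused
            if hmac.compare_digest(code_for_counter(self.secret, counter), code):
                self.used_counters.add(counter)
                return True
        return False  # wrong, expired, or already-used code


if __name__ == "__main__":
    secret = b"constructed-serial-0000"  # constructed sample, not a real serial
    verifier = CodeVerifier(secret)
    t0 = 1_000_000
    code = code_at(secret, t0)
    print("first use:", verifier.verify(code, t0))            # True
    print("replay 5s later:", verifier.verify(code, t0 + 5))  # False
    print("same code 2 min later:", verifier.verify(code, t0 + 120))  # False
```

Each login in the removal procedure above consumes a fresh window, which is why an attacker holding one captured code cannot complete it.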

Account thieves steal accounts for gold because it is time-efficient.

Gold sellers used to just roll hunters and farm their gold. But stealing accounts, stripping them bare and then using them to steal other accounts is much, much faster. Getting around an Authenticator is far too time consuming to be efficient, and there are so many players without one. Rather than spend time that could be spent cleaning out another account, thieves will just skip over any accounts that have the extra protection.

Buying gold and/or accounts and getting hacked is embarrassing.

The other hacked authenticator story in this link ended up being debunked later by Blizzard. The victim in question had removed the authenticator in order to share his or her account. Sharing accounts is not only a big no-no according to the TOS, but also makes your account vulnerable to the practices of the people with whom the account is shared. It just isn't smart, unless you have complete control of the environment of your fellow account holder, such as within a family household. It also isn't smart to open up your account info to power-levelers and account sellers. Falling for scams does nothing to make you feel intelligent either and really, no one likes to be thought dumb. So people you normally would trust may be hiding a not-so-bright move solely due to embarrassment.

Blizzard restores accounts to account owners.

They may offer care packages to make the process easier for them, but if you are the account owner and haven't done anything to get banned, you will get your account back. Now, you may get banned because you have a trojan, which isn't entirely your fault. (Tips for keeping your account safe are at this link.) But Blizzard will either ban you and tell you the reason, or refuse to give you your account back because it wasn't originally your account. If Anonymous's friend purchased his account from someone else or was found to have bought gold, then Blizzard will not restore the account. If the friend is banned due to a program that is against the TOS, Blizzard may restore it after the program is removed, but not before. And if the friend is banned for some other reason he would rather not divulge, Blizzard will not restore the account. It is not in their best interests to prevent paying account owners from continuing to pay and play.

You don't own anything on your character.

Amy Schley will be delving into this kind of thing in her new column, The Lawbringer, but the TOS clearly states that we don't actually own anything we have on our character. Even though we spend hours and hours acquiring really cool stuff, we don't have the same rights to it as something we go into a physical store and buy.

I am all for consumer advocacy and calling businesses out when they don't treat their customers as they should. But it would seem more on the side of consumers to encourage Authenticator use rather than post unsubstantiated stories such as this one. I invite Anonymous and his friend to contact me directly at Robin at WoW dot com with more details so that I can investigate further.

Please remember that account safety and computer security are your responsibility! While WoW.com has provided you with resources and additional information, do your homework and make sure you know what you're doing before installing any antivirus or other software. And if your account does get stolen, please see our guide on what to do next.