It was 4am on a Saturday in 2013 and I was sleeping. My iPhone was sitting on my bedside table, plugged in, in silent mode. It buzzed once. I probably didn’t hear it. A few minutes went by and it buzzed again. I stirred, glanced at the lock screen dimly lighting my room — an email. Not important, it could wait. I closed my eyes again, fully intending to continue snoozing. The phone buzzed again. This time I looked at it in a bit more detail.
Your Battle.Net password was successfully changed.
Suddenly I was wide awake. How had my Battle.Net account password been changed? I noticed the badge on my Mail.app — hundreds of emails. That was strange, and stranger still, they were all in Chinese, from random email addresses. Then came another email:
Your Battle.Net Account has been suspended.
I was confused, dazed, still sleepy. Then it happened. I haven’t felt truly fearful many times in my life, but I can honestly say this was one of those times:
Your iCloud password has been successfully changed.
That was it. I sat upright; my wife pulled the duvet over her face disapprovingly. How in the hell had someone managed to reset my password?
It was probably less than ten seconds before I was out of bed and downstairs in front of my computer, trying to figure out what the hell was happening.
The iCloud email stating that my password had been reset showed the originating IP address. A quick IP lookup showed it came from somewhere in China. It would seem that black-market WoW gold sellers will do a lot to get their hands on some gold to sell.
I was panicking. My iCloud account is probably the single most important account I have — my email, my devices, my developer account… it contains my saved bank and debit/credit card details for use with the App Store. If they wanted to, they could go into the Find My iPhone website and click the convenient buttons to remotely wipe every device I had signed into iCloud. My iPhone, my Mac, my iPad… If they had done that, I would have lost all access.
I needed to start damage control. The first thing I did was reset my iCloud password using the security questions and the recovery email, which I had set to a Gmail account.
Almost immediately after I reset the password, I got another email saying it had been reset again. These people meant business.
So I tried again. I reset the password using the same method, but this time, as fast as my internet connection would allow, I changed the security questions, birthdate and recovery email. False information for all of them.
I waited for what felt like the longest few minutes of my life. No email. Ok. Good.
The Battle.Net account was still an issue, so I checked up on it. Blizzard had locked it due to “suspicious activity”. If only Apple had done the same.
What Went Wrong?
It was a rookie mistake which I will never make again — using the same password across multiple accounts.
The only thing I can trace this back to was when I logged into my Battle.Net account on public Wi-Fi in a pub a few days earlier — probably a victim of a man-in-the-middle attack.
The hackers used the password to get into my Battle.Net account to steal all my gold. (I had no gold anyway, so the joke’s on them.)
Once the Battle.Net account was locked, they used the same password to get into the email account linked to the Battle.Net account.
It seems the first thing they did in both cases was to reset the password to prevent me from locking them out. Blizzard did the right thing and locked the account to prevent further damage. Apple seemed less inclined to lock the account.
I now use 1Password to generate and safely store different passwords for each site I use. Sometimes it can be a little more inconvenient, as I now don’t actually know any of my passwords and need to retrieve them from 1Password when I need them. The browser plugins and the app help in this regard.
I also use two-factor authentication wherever possible.
I would definitely recommend 1Password to anyone looking to increase their online security.