Adventurers in the online game "World of Warcraft" generally have to worry about bandits and dragons, but their most dangerous threat this week comes in the form of gold-hungry hackers. By exploiting the Web and mobile applications for the game's Auction House (which allows players to buy and sell items), malefactors have stolen millions of gold pieces, but players who use two-step authentication are relatively safe.
For those who have somehow avoided almost every form of pop culture for the last decade, "World of Warcraft" is a massively popular online game from developer Blizzard that casts players as heroes in an intricate high fantasy world. As players complete quests and triumph over mythical beasts, they gather in-game gold pieces, which they can use to buy supplies and equipment.
The issue came to light on June 22, when a user named "Abidah" realized that almost 200,000 gold pieces had disappeared from his account for three unauthorized purchases in the game's Auction House. He posted his plight on the Blizzard forums, where other users shared similar experiences.
Blizzard investigated, and discovered that while "World of Warcraft" itself had not been compromised, its Web and mobile Auction House apps had. On June 23, Blizzard acknowledged the hack.
"We have taken the Web and Mobile Auction House offline to perform an emergency maintenance," wrote a customer service representative on the forums. "Unfortunately we can't provide an ETA as to when they will be brought back online."
Blizzard is still not sure how hackers compromised the Auction House apps, but a number of users tell similar stories: After using the Auction House apps, they logged in a few days later to find tons of gold missing from their accounts, often exchanged for absolute junk.
In order to steal gold, the hackers put common, almost worthless items on display at the Auction House. Using players' compromised accounts, they then bought the item for exponentially more than its in-game worth (a block of wood, for example, is not really worth 50,000 gold pieces).
In all likelihood, the hackers do not want in-game gold for its own sake, but rather want to sell it online in exchange for real money. The only problem with this plan is that Blizzard will usually restore players' gold if they lost it to a hack. In a large-scale hack, this will essentially duplicate the server's gold supply, causing massive deflation. Selling gold for real money becomes a profitless endeavor.
The Auction House Web app is now up and running again, but the mobile app remains offline. "At this time we have no reason to believe that accounts currently using an authenticator are at risk," wrote Blizzard in its latest forum update.
An authenticator is a piece of mobile software that users can install to give their Blizzard accounts two-step verification. Each time a user attempts to log into a Blizzard game, he or she must fill out a secondary code that gets sent to a mobile device.
Even this measure may not protect the Auction House hack victims, though. Abidah was quick to point out that he did use an authenticator, and still lost hundreds of thousands of gold pieces. However, his settings required secondary authentication only once a week instead of for every login.
The mobile Auction House should be back up within a few days, users lost no real money and Blizzard will probably restore players' lost gold. As hacks go, this was on the fairly harmless end of the spectrum, but if hackers have figured out a way around two-step verification, "World of Warcraft" may be in for bigger problems in the future.
Copyright 2013 LiveScience, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.