I was in a hotel this weekend, and decided to quickly pop into WoW to manage my auctions. Fortunately, like many hotels, this one had wireless. 15 minutes, and I was out. The rest of the weekend was unconnected, until Sunday morning, where I saw this in my Inbox:

World of Warcraft - 5/25/2008 Character Transfer Complete!

Sure enough, when I tried to log in, the password had been changed. I changed my password, and sent off an email to Blizzard, and hit the armory to see to my characters. The character that had been moved (to Bladefist, for the curious) was gone. Not just gone from the server, but gone-gone. One of my other 70s was now nekkid, and left without his hearthstone, deep in Ogre territory.

Another had his body left in a dungeon, his spirit deep in a river half a map away. Again with very little equipment, and having his professions deleted. Banks of course had been emptied. I'm not that good or active a player, so there were only a few blues, and mostly greens, but I think it's the principle of the thing.

What's to learn from this little adventure? Well, I guess it's my fault for using a public Wi-Fi network. I only want to warn others so that it may not happen to you. Don't log in while you're on an unprotected network, or perhaps run a NetMon scan to find out if anyone is listening for passwords.

To whoever did this: Congratulations. You pwned me, you are so l33t. I bow to your superiour abilities to run WireShark and/or NetMon. You must be proud.

Just in case anyone at Microsoft reads this, and you have contractors who are staying at the Homestead Inn on campus this weekend (May 24, 2008). Do me a favour and ask them if they like to grab passwords from the WiFi, I'd really like to thank them in person.

Updates to come, if Blizzard ever replies...

Update 2008-06-02: Well, after getting nailed with a 72 hour suspension for whatever else they did (fortunately, I only suffered through 48 or so of the hours), I got my stuff back. Gold came a few days later, but it all came at once, to my first character on that server. Unfortunate as I have characters in both the horde and alliance and my main is still cashless. I still had to do a couple of corpse runs (they had destroyed my hearthstones), and one character is currently profession-less. Ah well, it certainly could have been worse.

Brian pointed out that I may have been wrong and that it may have been the current Flash exploit. So, if you haven't yet, download the current version of Flash to save yourself.