Buying a boost or a gold delivery is a time-for-money trade, not a reason to hand over the keys to your account. The good news: nearly all the real risk comes from a handful of specific mistakes, and almost every one is avoidable. Here is exactly how account protection works on a modern WoW account, what a legitimate service actually needs, and the precise list of things you should never send to anyone.
How Battle.net protection actually works
Your WoW account sits behind a Battle.net login, and three layers decide whether it stays yours:
- Password — the thing everyone obsesses over, and the least important once the other layers are on.
- The Battle.net Authenticator — a rotating code (or one-tap push approval) generated inside the free Battle.net mobile app. This is your real second factor.
- SMS Protect — a separate phone-linked feature that lets you unlock, recover, and approve sensitive changes by text. It is not the same as 2FA, and you want both enabled.
With the Authenticator active, an attacker who somehow has your password still cannot log in, because they cannot generate or approve the second factor from their device. That one feature blocks the overwhelming majority of account theft. If you take nothing else from this article: install the Battle.net mobile app, enable the Authenticator, and turn on SMS Protect. It takes about four minutes and it is free. As a bonus, an attached Authenticator also gives you a small permanent bag-slot reward in-game.
The things you must never share with anyone
No legitimate booster, no “Blizzard support agent” in your DMs, and no friendly Discord stranger ever needs the following. When someone asks for one of these, the request itself is the red flag:
- Your live Authenticator code or push approval. That six-to-eight digit number is the entire point of 2FA. Anyone asking you to read it out, or telling you to “approve the prompt” you didn’t trigger, is trying to log in as you right now.
- The Authenticator serial and restore code. These two strings let someone re-attach your Authenticator to their own phone. They are even more dangerous than a single code because they hand over the second factor permanently.
- Your SMS Protect / one-time recovery codes. Same logic: these bypass the phone-based lock entirely.
- Your email login. Whoever controls the email on file can reset everything else. Your Battle.net email and its own password must never go to a booster.
- Secret answers, government ID photos, or full card numbers. Blizzard never asks for these over chat, and no boost requires them.
A simple mental rule covers all of it: a code or recovery secret is single-use armor against theft. The moment you transmit one, it stops protecting you and starts protecting whoever received it.
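The difference between leaking one live code and leaking the underlying secret, shown as an added example that is not from the original article. It uses the generic RFC 6238 TOTP scheme as a model, not Blizzard's actual implementation; the 30-second step, the 8-digit length and the seed (the RFC's published test key) are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code window (RFC 6238 default; an assumption here)
DIGITS = 8   # code length for this model (assumption)
SEED = b"12345678901234567890"  # RFC 6238 published test key, not a real secret


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def server_accepts(seed: bytes, code: str, now: int, skew: int = 1) -> bool:
    """Verifier side: accept the current window plus/minus `skew` windows."""
    return any(
        hmac.compare_digest(totp(seed, now + k * STEP), code)
        for k in range(-skew, skew + 1)
    )


def leaked_code_value(seed: bytes, issued_at: int, delays: list) -> dict:
    """One captured code: is it still accepted `delay` seconds after issue?"""
    code = totp(seed, issued_at)
    return {d: server_accepts(seed, code, issued_at + d) for d in delays}


def leaked_seed_value(seed: bytes, times: list) -> dict:
    """A captured seed: the holder can mint a fresh valid code at any time."""
    return {t: server_accepts(seed, totp(seed, t), t) for t in times}


if __name__ == "__main__":
    t0 = 1111111109  # constructed timestamp (an RFC 6238 test-vector time)
    print("single code:", leaked_code_value(SEED, t0, [0, 3600]))
    print("seed:       ", leaked_seed_value(SEED, [t0, t0 + 86400, t0 + 30 * 86400]))
```

In this model a relayed live code still works for one login inside its window, while the seed keeps producing accepted codes a day and a month later.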
Self-play vs. account-sharing: pick the safer lane
Boosting services come in two flavors, and the safety difference is large.
Self-play (piloted-with-you) and gold delivery never touch your login. For Mythic+ key runs, raid spots, rated PvP carries, or a straight gold purchase, a booster simply groups with your character in-game or trades you gold at a meeting point. There is no password, no Authenticator, nothing to share. This is always the safer choice, and for most buyers it is the only one worth considering. A reputable store will offer self-play on any content where it is technically possible.
Account-sharing (piloted) means someone logs into your account to play it — sometimes the only option for things like a long leveling grind or content that can’t be group-carried. If you ever choose this route, understand the trade clearly: you are accepting more risk for more convenience. Do it only with an established service that has a real refund and insurance policy, never with a random seller in a trade-chat whisper or an unsolicited DM.
If you do allow a login, here’s how to do it sanely
Account-sharing is the genuinely useful time-for-money case — you’re busy, the grind is long, and a piloted run clears it overnight. If that’s worth it to you, lower the blast radius instead of trusting blindly:
- Change your password to a fresh, unique one immediately before the service starts, and change it again the moment it ends. Never reuse a password you use anywhere else.
- Keep the Authenticator on your own phone. A legitimate piloted service handles the prompt with you in real time on a scheduled handoff; it does not ask you to detach or transfer the Authenticator. If they want the serial and restore code, walk away.
- Confirm the work happens on a clean session and ask whether they use a VPN region close to yours — a sudden login from a far-off country can trip Blizzard’s own lock, which is annoying but is the system working.
- Buy through the store’s on-site checkout, not a side-channel crypto transfer to a personal wallet. On-site payment is what gives you chargeback and dispute rights if anything goes wrong.
Spotting the scam patterns
Most account losses tied to boosting aren’t the booster — they’re an impersonator riding the demand. Watch for these:
- The fake support ticket. An in-game whisper or email claiming your account is “under investigation” and you must verify by clicking a link and entering your login. Blizzard handles all of this inside the official Battle.net app and your account page, never via a chat link.
- The “free gold/mount” site. Any page asking you to log in with your real credentials to claim a reward is a credential-harvesting phish. Bookmark the real site and only ever type your password there.
- The too-cheap gold seller who wants payment in an irreversible method and rushes you. Suspiciously cheap gold is often duped or stolen, and accepting it can get your own account actioned.
The honest bottom line: keep the Authenticator and SMS Protect on, default to self-play and gold delivery so your login never leaves your hands, and treat any request for a code, recovery string, or email password as an attack — no matter how official it sounds. When a carry genuinely saves you a tedious weekend, that’s a fair trade. Your second factor is not.