Giant Bomb News

209 Comments

Change Your Battle.net Password

Blizzard's network has been accessed by an outside party; your email addresses and "secret question" answers are out there.

Hey, while we're posting passwords in the open around here...

This is the world we live in now. A world where some service you've signed up with seems to get penetrated every couple of weeks, sending everyone into a password-changing frenzy. I bet the guys selling password-securing apps are stoked. This month's victim of unauthorized access is Blizzard, which disclosed yesterday that someone got into its network on or around August 4 of this year.

So what'd they take? According to Blizzard's FAQ on the matter, players in the North American region--which includes Australia for reasons that I'm sure would make sense if someone bothered to describe it--have the following items to worry about:

  • Email addresses
  • Answers to secret security questions
  • Cryptographically scrambled versions of passwords (not actual passwords)
  • Information associated with the Mobile Authenticator
  • Information associated with the Dial-in Authenticator
  • Information associated with Phone Lock, a security system associated with Taiwan accounts only
  • In addition to this list of North American information, all users except those with China-based accounts had their email address taken.

So that means, at the minimum, your email address is out there. If you're part of what Blizzard considers its North American region, the answer to your secret security question is out there, too. Considering the number of sites that don't let you choose what your secret question is (if mine is any indication, Blizzard is among them), this may be an actual concern for you. Anyone that doesn't let you create your own custom secret question is a Bad Person. Blizzard says that an automated process to update secret questions and answers will be available in the near future. In the meantime, if you use the same secret question/answer combo on multiple sites, this might be a good time to tear your hair out and yell at the sky for a bit.

The FAQ goes on to say that the company believes that physical Blizzard Authenticators are secure, but app-based authentication will eventually require an update. For more details on how your password was stored and why it's unlikely that this will lead to your actual password getting out in the open, read the rest of Blizzard's FAQ... after you're finished changing your password, that is.

Jeff Gerstmann on Google+

kindgineer

People are ignorant. I hate hackers :/

aceofspudz

Done. Thanks, Gerstmann!

Undeadpool

UUUUUUUUUUUUUU-you know what? I can't even muster up being shocked or angry anymore.

Edit: Ya know what? Maybe a LITTLE angry over the whole "Use an authenticator for EXTRA PROTE-they stole the authenticator...SORRY!

UUUUUUUUUUGH!!!

BaneFireLord

I am so sick of this shit.

RuthLoose

I suppose this is a form of "punishment" for releasing Diablo III without PVP or some other hacker bullshit.

Bell_End

this is why we need biometrics as security pronto. nobody would be able to hack my face

Lunar_Aura

That article picture shows a rather strong password. I don't think you can brute force Felix The Cat.

deactivated-6620058d9fa01

My Battle.net account is locked behind an authenticator that doesn't exist anymore.

Winternet

Man, my e-mail address was going through such a good phase right now. I was getting around 10 spam e-mails a week, tops. Guess that will change now. Thanks Blizzard.

Bell_End

@Winternet said:

Man, my e-mail address was going through such a good phase right now. I was getting around 10 spam e-mails a week, tops. Guess that will change now. Thanks Blizzard.

why is it Blizzard's fault. blame the fucking hackers

WickedCobra03

I am glad that our information is safe in these companies' hands. Seriously, Microsoft with their FIFA crap, PSN, even Steam... now Blizzard.

Is any of our information even safe anymore? That's why I barely store any credit or phone info online. This stuff is too easy to hack and get ahold of people's personal lives...

SomeJerk

In addition to this list of North American information, all users except those with China-based accounts had their email address taken.
 
Send the marines.

Duxa

@Skooky: Call them and ask for it to be removed... you will need to fax them or email them a copy of your ID and then they will remove it.

Ravenlight

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

You say that, but it would only be a matter of time.

Goldanas

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

Just got to take a picture, and if it requires blink authentication, just crumple the photo a bit and you're good to go.

Now if you were talking about needles that dig into you and take a chunk of your DNA every time, now that'd be some future shit right there.

TheMasterDS

I'm going to trust them and leave the password as it is. I really don't care if someone plays my Diablo 3 or Starcraft II account, there's nothing of value there. Well, I suppose if someone got in and deleted my progress or sold off all my stuff that'd be a bummer, but seeing as I haven't played Diablo 3 in months it wouldn't be that much of one.

Joker369

Changed it, thanks for the heads up

buzz_killington

Fuck! Now people know my favorite high school teacher's name!

Xeirus

@TheMasterDS said:

I'm going to trust them and leave the password as it is. I really don't care if someone plays my Diablo 3 or Starcraft II account, there's nothing of value there. Well, I suppose if someone got in and deleted my progress or sold off all my stuff that'd be a bummer, but seeing as I haven't played Diablo 3 in months it wouldn't be that much of one.

I felt the same way, haha. I'm not even mad, because I just don't care.

Drayco21

Passwords changed. Man, I can't wait for the day when everything in the industry goes digital so we can't have hard copies of things and must be connected to the system at all times to play so that this can happen all the time.

pyromagnestir

Well that was easy enough. It will take years for people to hack my new password, 6enisB00Bs!

xymox

Answers to the secret questions you say? That makes one of us.

ugh. Can't copy paste a new password in their password box. Screw this, enjoy my lvl 60. Not worth the effort.

Brackynews

Using a canned security question is less of a thing than choosing an irrelevant security answer you can always remember. What was the first street I lived on? Waffles. First pet? Waffles. Favourite teacher? Waffles. Mother's maiden name? Waffles. One of those might be true, but you see the point. Cracking secret questions is about social engineering, not dictionary attacks.

Also, if you use your birthdate information for anything (like say, a hastily chosen forum name) don't be shocked when people can track it back to find out more about you. Pick a different birthdate on forms you can always remember, without outright lying about your age. ~6 months different is reasonable if you're over 21.

The point being, when (not if) the info gets stolen, the people who get to see it do not have real data they can use when calling your banks, credit cards, government offices, etc. If you think it's only about gold farmers hacking your inventory you're outta yo' goddamn mind. This shit is sold to the highest bidder. Be careful of who knows your DOB, Mother's maiden name, and address history. You will be amazed how much access to other information those things will get you over the phone. (Hopefully I shouldn't even have to say guard your SSN/SIN like gold these days, but I remember old news stories where schools were posting grade printouts on doors using SSN numbers to identify students.)

CrossTheAtlantic

@Ravenlight said:

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

You say that, but it would only be a matter of time.

Clearly, hasn't seen Mission Impossible. It's only a matter of time, people!

Sackmanjones

I keep getting e-mails from Blizzard saying I'm trying to sell my Warcraft character.... I've never played WOW in my life.

Wurmbollie

Will Blizz make the passwords case sensitive now?

JSwan13

Thanks Jeff!

deactivated-5e49e9175da37

Fuck, at first I didn't care, but my bnet password is also my email password. Now I have to go on full lockdown.

doobie

@CrossTheAtlantic said:

@Ravenlight said:

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

You say that, but it would only be a matter of time.

Clearly, hasn't seen Mission Impossible. It's only a matter of time, people!

maybe bell_end could use his Bell end as a biometric device

deactivated-5abeb9715d7a2

@Sackmanjones said:

I keep getting e-mails from Blizzard saying I'm trying to sell my Warcraft character.... I've never played WOW in my life.

Yeah, that's a known scam. I haven't played WoW in years, but I get them once or twice a year.

sweep

I changed my password, but if people have my email and the answers to my secret question (I can't even remember what that is) doesn't that render my password redundant? Although, I guess only if they also have my email password.

I'm trying to figure out how much I should be freaking out right now. At the moment I'm still at "Not at all."

JoeyRavn

@CrossTheAtlantic said:

@Ravenlight said:

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

You say that, but it would only be a matter of time.

Clearly, hasn't seen Mission Impossible. It's only a matter of time, people!

Nicholas Cage is way ahead of you guys. Waaay ahead.

gamer_152

Hackers suck, glad my account wasn't caught up in this. This is also why your secret question should be something only you know. It could be worse though, I'm sure there are a lot of important databases full of our details that are far worse protected than Blizzard's.

GunslingerPanda

So EU users are safe? Cool.

stinky

@Wurmbollie said:

Will Blizz make the passwords case sensitive now?

wouldn't help anything against unauthorized access.

Lukeweizer

Access to my mobile authenticator? What do I even do about that? Delete the app and get a new one? I don't even know what my Blizzard secret question is. I don't even know what sites ask for it so I can go change it. What a pain in the ass.

MrKlorox

Fuck you Blizzard. For many many annoyances regarding the password change process on your website. And for requiring to put myself at risk just to play your SINGLEPLAYER game. FUCK YOU!

deactivated-5d056614f191a

I like how they don't inform people on the front page of battle net nor any of their game pages..

just goes to show Blizzard could really give a rat's ass about their customers' security.

jayjonesjunior

@ck1nd said:

People are ignorant. I hate hackers :/

what? hackers are probably the least ignorant of all people luls.

LegendaryChopChop

Not surprised. The company needs a damn Mobile Authenticator in order to keep things safe... I didn't use one, but now I will. It'll add an extra inkling of security after I change the PW.

butano

So, the authenticator attached to my keychain is basically useless now? That kinda sucks if that's the case.

delta_ass

Fuck you Blizzard.

MeatSim

What a pain but gotta change those passwords.

LegalBagel

This goes beyond battle.net - if you use the same password for Blizzard that you do for anything else, time to go on a password changing spree. It'd be extremely easy to extrapolate from your email address to a ton of other accounts and brute force your password/email into them to see if they work.

ChuckDeNomolos

Is there a way to just cancel my Battle.net account? I was done with Diablo 3 after a few days, and all it's gotten me is Chinese IPs trying to access my email.

ILuvMsMarvel

Ok, with the thumbnail used on the front page, I have to say this: Guess Blizzard screwed the pooch once again.

Tesla

You would think Blizzard of all companies would value customer security. I'm glad that none of their products beyond Diablo interest me, it will make it easy to not give them another dime.

tineyoghurt

If I remember correctly, the reason for Australia being in the "North Americas" is that they originally were lumped in with Asia, which didn't work out since Australians like to: a) chat in English b) not be bested by the Koreans.
 
Ironically, this is the first time I'm glad that battle.net is split into regions, as us Europeans seem rather unaffected by all this (directly, at least).