Change Your Battle.net Password

Its an hack job from china, so they left it alone.

@NAQ said:

@Deusx said:

@NAQ said:

@Deusx said:

Fuck you Blizzard, I´m happy to say I´m not buying another one of your FUCKING games. I got fucking hacked and I lost all my progress thanks to the roll back. Fuck you Blizzard, fuck you! Fuck.... FFFFFFF....

yeah you got hacked because of you not cause of blizz hope this helps

W-w-what? W-what?! Fuck you man. Because of me? Sure, keep sucking the blizzdrones dick. There are hackers out there, blizzard knows about this. With that much money they could at least learn from Sony´s mistakes and hire a good security service. I hope you´re kidding because if you are then I´m a fool and fell for it.

W-w-what? W-what?! Fuck you man

Nice 6 posts bro. Get the fuck out.

@Jayzilla: Kind of a weird thing to be stoked about.

I changed my password. Though I haven't played anything in a while and am starting to not care about Blizz games.

ok, so we EU users don't need to change our passwords (probably should though)?

August 4 does seem to correlate pretty well to a huge bump in the amount of spam I've been recieving. Instead of around 10 a day it seems to be around 3-5 per hour now.

@G0rd0nFr33m4n said:

@Rawson said:

All the more reason to get a fucking authenticator.

You think a company failing to keep your info safe deserves more of your hard earned cash ? ... For failing ? No no! I'll change my password and not give them money, thank you very much.

Actually, the $6 authenticator is sold at cost, since it saves them money in the long run by not having to deal with idiots losing their accounts to phishing schemes.

If $6 is too much for you to spend, then there's also the smartphone and SMS authenticator methods.

August 4th this happened, we hear about this on the 9th, and even then it still isn't listed on Blizzards main site page. Fucking disgusting. I know I should blame the hackers but when a company charges for a goddamn authenticator AND doesn't notify it's customers that an intrusion took place until 5 days later I really really have a problem with that company. I don't fucking care if they didn't know what was compromised the simple fact is that an intrusion took place and they should HAVE to notify their customers on the day that it takes place.

I'm getting sick of this shit. Now I have to monitor my finances, website accounts, and my email account all because they're fucking morons more interested in saving face rather than looking after their customer.

I'm going to say it now, there needs to be legislation in the United States, Canada, the EU, the UK, and everywhere else that states when a company experiences any digital intrusion of any kind they must inform their customers at once. Period. If they don't they should face harsh fines upwards of 100,000 dollars. No more of this waiting for 5 days bullshit. It isn't fucking right, and they're only doing it because they want to preserve their value on the NYSE.

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

Don't say that, because next we'll just have people taking our faces with hacksaws to access our Amazon discount codes.

@AiurFlux said:

August 4th this happened, we hear about this on the 9th, and even then it still isn't listed on Blizzards main site page. Fucking disgusting. I know I should blame the hackers but when a company charges for a goddamn authenticator AND doesn't notify it's customers that an intrusion took place until 5 days later I really really have a problem with that company. I don't fucking care if they didn't know what was compromised the simple fact is that an intrusion took place and they should HAVE to notify their customers on the day that it takes place.

I'm getting sick of this shit. Now I have to monitor my finances, website accounts, and my email account all because they're fucking morons more interested in saving face rather than looking after their customer.

I'm going to say it now, there needs to be legislation in the United States, Canada, the EU, the UK, and everywhere else that states when a company experiences any digital intrusion of any kind they must inform their customers at once. Period. If they don't they should face harsh fines upwards of 100,000 dollars. No more of this waiting for 5 days bullshit. It isn't fucking right, and they're only doing it because they want to preserve their value on the NYSE.

I wish someone in this thread would put the facts together instead of going off like a crazy person here. Blizzard responded in an extremely measured way here. They first went into lockdown, which is what you do. It sounds like they saw this in near real-time, which means that they have reasonable protections and effective monitoring in place. They then, after completing what was likely an insanely complicated assessment of the situation, explained this to their customers.

It is counterproductive to require any firm to immediately inform on a breach because that can indicate a current vulnerability. This is why software firms avoid announcing compromises for their software until they patch them.

Here is what happens in a typical security incident protocol:

• The system is locked off from the outside, accounts and sessions are killed, etc...
• An assessment of the means of entry is done and any security holes closed, while
• a copy of the compromised systems is made immediately to preserve the system in its current state. This includes write-blocked drive imaging, any external system log aggregation, etc...
• Forensics begin on a write-blocked copy of any images that were taken of servers and logs are reviewed
• An early assessment is made of the data that was available on the compromised machine(s) and combined with a network traffic assessment to assess what may have leaked
• Appropriate law enforcement is contacted, based on the initial compromise assessment
• If any regulated data is found, the appropriate regulatory agencies are contacted
• After continued assessment of the state of the entire environment, a more in depth assessment of the compromise is done and a communication plan is prepared
• Communication to affected parties happens

What's important here is that it sounds like the way in which the passwords were stored is extremely secure and is probably close to computationally infeasable to crack. Here is what can happen now:

Someone can, knowing your email address and secret question, request a password reset that will be sent to your email. That is all. From the information that Blizzard released, there is no way that people can log into your account with the information they have gained from this compromise without accessing your email account, which is another item that would have delayed the announcement.

Also, this was an impressively fast response from such a huge company.

How many people remember their secret answers? I bet it's zero.

@enthalpy said:

@AiurFlux said:

August 4th this happened, we hear about this on the 9th, and even then it still isn't listed on Blizzards main site page. Fucking disgusting. I know I should blame the hackers but when a company charges for a goddamn authenticator AND doesn't notify it's customers that an intrusion took place until 5 days later I really really have a problem with that company. I don't fucking care if they didn't know what was compromised the simple fact is that an intrusion took place and they should HAVE to notify their customers on the day that it takes place.

I'm getting sick of this shit. Now I have to monitor my finances, website accounts, and my email account all because they're fucking morons more interested in saving face rather than looking after their customer.

I'm going to say it now, there needs to be legislation in the United States, Canada, the EU, the UK, and everywhere else that states when a company experiences any digital intrusion of any kind they must inform their customers at once. Period. If they don't they should face harsh fines upwards of 100,000 dollars. No more of this waiting for 5 days bullshit. It isn't fucking right, and they're only doing it because they want to preserve their value on the NYSE.

I wish someone in this thread would put the facts together instead of going off like a crazy person here. Blizzard responded in an extremely measured way here. They first went into lockdown, which is what you do. It sounds like they saw this in near real-time, which means that they have reasonable protections and effective monitoring in place. They then, after completing what was likely an insanely complicated assessment of the situation, explained this to their customers.

It is counterproductive to require any firm to immediately inform on a breach because that can indicate a current vulnerability. This is why software firms avoid announcing compromises for their software until they patch them.

Here is what happens in a typical security incident protocol:

• The system is locked off from the outside, accounts and sessions are killed, etc...
• An assessment of the means of entry is done and any security holes closed, while
• a copy of the compromised systems is made immediately to preserve the system in its current state. This includes write-blocked drive imaging, any external system log aggregation, etc...
• Forensics begin on a write-blocked copy of any images that were taken of servers and logs are reviewed
• An early assessment is made of the data that was available on the compromised machine(s) and combined with a network traffic assessment to assess what may have leaked
• Appropriate law enforcement is contacted, based on the initial compromise assessment
• If any regulated data is found, the appropriate regulatory agencies are contacted
• After continued assessment of the state of the entire environment, a more in depth assessment of the compromise is done and a communication plan is prepared
• Communication to affected parties happens

What's important here is that it sounds like the way in which the passwords were stored is extremely secure and is probably close to computationally infeasable to crack. Here is what can happen now:

Someone can, knowing your email address and secret question, request a password reset that will be sent to your email. That is all. From the information that Blizzard released, there is no way that people can log into your account with the information they have gained from this compromise without accessing your email account, which is another item that would have delayed the announcement.

Also, this was an impressively fast response from such a huge company.

Bullshit. It occurred 5 days ago. That's 5 days of having information at risk, including financial information given the real money auction house in Diablo 3. That's 5 days that some asshole could have free reign. That's 5 days to many. When my information is at risk, when my finances are at risk, I should be informed of it right then and there. Not a work week after the fact.

You're right in saying that divulging that information could inform other people of a vulnerability, but the simple act of hacking it has exposed that vulnerability. If you don't think that these people communicate with one another you're out of your mind. Typically it's not just one person doing it anymore but rather a group of people that each delegate part of the operation. Furthermore if they're REALLY concerned with security then maybe they should make a public notice and shut down their shit system for those 5 days until they sort it out instead of leaving it online and forcing people to find out about this through a media site like Giant-fucking-Bomb.

It's irresponsible. It's lazy. It's ignorant. And it needs to fucking change. These companies need to be held accountable and MAYBE just maybe the traditional way of doing things isn't enough anymore. How many hacks have occurred within the past year? It's unacceptable, especially in the game industry where everything is going digital and everything has extra costs tacked on.

And the response wasn't fast at all. Sony had a similar response and they got bashed for it, but because it's Blizzard people hold them up like Christ on the Cross and say "THEY'RE TEH BEST EVAR!". You sound like a PR guy when you say shit like that. The investigation might have been started fast but the whole informing the public thing, the people that give them money and put their trust in them, wasn't good.

@AiurFlux said:

@enthalpy said:

@AiurFlux said:

August 4th this happened, we hear about this on the 9th, and even then it still isn't listed on Blizzards main site page. Fucking disgusting. I know I should blame the hackers but when a company charges for a goddamn authenticator AND doesn't notify it's customers that an intrusion took place until 5 days later I really really have a problem with that company. I don't fucking care if they didn't know what was compromised the simple fact is that an intrusion took place and they should HAVE to notify their customers on the day that it takes place.

I'm getting sick of this shit. Now I have to monitor my finances, website accounts, and my email account all because they're fucking morons more interested in saving face rather than looking after their customer.

I'm going to say it now, there needs to be legislation in the United States, Canada, the EU, the UK, and everywhere else that states when a company experiences any digital intrusion of any kind they must inform their customers at once. Period. If they don't they should face harsh fines upwards of 100,000 dollars. No more of this waiting for 5 days bullshit. It isn't fucking right, and they're only doing it because they want to preserve their value on the NYSE.

I wish someone in this thread would put the facts together instead of going off like a crazy person here. Blizzard responded in an extremely measured way here. They first went into lockdown, which is what you do. It sounds like they saw this in near real-time, which means that they have reasonable protections and effective monitoring in place. They then, after completing what was likely an insanely complicated assessment of the situation, explained this to their customers.

It is counterproductive to require any firm to immediately inform on a breach because that can indicate a current vulnerability. This is why software firms avoid announcing compromises for their software until they patch them.

Here is what happens in a typical security incident protocol:

• The system is locked off from the outside, accounts and sessions are killed, etc...
• An assessment of the means of entry is done and any security holes closed, while
• a copy of the compromised systems is made immediately to preserve the system in its current state. This includes write-blocked drive imaging, any external system log aggregation, etc...
• Forensics begin on a write-blocked copy of any images that were taken of servers and logs are reviewed
• An early assessment is made of the data that was available on the compromised machine(s) and combined with a network traffic assessment to assess what may have leaked
• Appropriate law enforcement is contacted, based on the initial compromise assessment
• If any regulated data is found, the appropriate regulatory agencies are contacted
• After continued assessment of the state of the entire environment, a more in depth assessment of the compromise is done and a communication plan is prepared
• Communication to affected parties happens

What's important here is that it sounds like the way in which the passwords were stored is extremely secure and is probably close to computationally infeasable to crack. Here is what can happen now:

Someone can, knowing your email address and secret question, request a password reset that will be sent to your email. That is all. From the information that Blizzard released, there is no way that people can log into your account with the information they have gained from this compromise without accessing your email account, which is another item that would have delayed the announcement.

Also, this was an impressively fast response from such a huge company.

Bullshit. It occurred 5 days ago. That's 5 days of having information at risk, including financial information given the real money auction house in Diablo 3. That's 5 days that some asshole could have free reign. That's 5 days to many. When my information is at risk, when my finances are at risk, I should be informed of it right then and there. Not a work week after the fact.

You're right in saying that divulging that information could inform other people of a vulnerability, but the simple act of hacking it has exposed that vulnerability. If you don't think that these people communicate with one another you're out of your mind. Typically it's not just one person doing it anymore but rather a group of people that each delegate part of the operation. Furthermore if they're REALLY concerned with security then maybe they should make a public notice and shut down their shit system for those 5 days until they sort it out instead of leaving it online and forcing people to find out about this through a media site like Giant-fucking-Bomb.

It's irresponsible. It's lazy. It's ignorant. And it needs to fucking change. These companies need to be held accountable and MAYBE just maybe the traditional way of doing things isn't enough anymore. How many hacks have occurred within the past year? It's unacceptable, especially in the game industry where everything is going digital and everything has extra costs tacked on.

And the response wasn't fast at all. Sony had a similar response and they got bashed for it, but because it's Blizzard people hold them up like Christ on the Cross and say "THEY'RE TEH BEST EVAR!". You sound like a PR guy when you say shit like that. The investigation might have been started fast but the whole informing the public thing, the people that give them money and put their trust in them, wasn't good.

I'm not trying to defend Blizzard per se--I'm trying to assess the breach in terms of its security implications for its users and also wanted to provide some information about how a typical incident response procedure works. I may have been too flippant with my first sentence or so, for which I apologize, and I've certainly changed my battle.net password to be on the safe side. But treating all compromises the same is not helpful to the gaming community who needs good information to assess their risk posture, nor is it particularly fair to the firms involved.

Given the timeline and types of data that they handle, I think that Blizzard informed pretty quickly. I also think that there is not a ton here that causes huge additional risk to users because, unlike many other large compromises, this compromise did not include any directly actionable data (CCNs, passwords, etc...).

Is this bad? Yes. The ability of people phish off of the email addresses is a concern, and the decision to handle secret questions in the way that they are just looks dumb. But unlike a number of the firms who have been recently compromised, the data was stored in a sensible way, i.e. hashed (hopefully salted) phone numbers and with a complex protection mechanism on the passwords.

I also think that it's best for this information to go through public sites. How do you want Blizzard to notify the community, assuming that their communication path (email) is the same as the one that the hackers now have access to? Because if this was an extremely well-planned hack, the attackers could have phished the "your account has been compromised" emails to land at the same time that Blizzard's did. And if they were even close to competent phish writers, a huge number of people would have lost their passwords to this phish.

I'm really not looking for this to be a contentious conversation--I understand your concern and anger regarding compromises, because a lot of companies are not doing what they need to do in order to keep their customers safe, and they do need to be held accountable. Like you, I hope that more facts come out of this breach and that there are clear steps taken to further tighten security around Blizzard.

Hope everyone has a pleasant weekend.

Man that sucks. Changed my password. But how long until this happens again?

@Bell_End: Correct, it is the hackers fault but if Blizzard are providing a service and they lose our private information because of their shitty security, then I have a problem with Blizzard too.

Don't tell me what to do Jeff.

I read the security memo from Blizzard telling me to change my password. But when I tried to log in I get a "Too many attempts. (403)" error, despite the fact that I have not been on BN for days. According to some BN forum posts, this is a problem with the Battlenet website. So... you have been hacked and I should change my pw, but I can't because your login page is glitching out. Thank you ever so much, Blizzard. I am going to send you a complementary fruit basket with a passive-aggressively resentful card. And I'm not even going to send real fruit. It will be one of those baskets full of plastic fruit that is uselessly decorative.

I haven't used my Battle.net account since I bought Warcraft 2, hell I don't even remember anything I might have put on the site.

The fact that people shrug this off as, "oh well, lets move on", is bullshit. Literally both sides are to blame, the people who hacked the site and Blizzard for not treating the consumer with dignity while trying to sweep this under the rug.

Stuff like this is why companies using the new agreement clause against class action suits in almost all major password protected services is taking one of your civil liberties just by clicking accept.

why would anyone want this shit

So glad I live in Europe right now ^^

Could it be that people are shrugging it off because it really isn't that big of deal? Getting hacked is often the first exposure someone gets to Identify Theft but in the grand scheme of things the value of most Battle.net accounts is low and only useful to other Battle.net players.

I actually signed up for Bnet with a new Hotmail email, fake name and a password I don't use anywhere else, because I knew this was going to be an issue with the RM auction house. I also haven't played D3 since about a month after it came out so...

Meh.

Thanks for the update. Just changed my password.

Yep, already got about 3 phishing e-mails. Fuuuuuu~

What if my account seemingly got stolen a while ago and Blizzard just doesn't seem to give a fuck anyway?

Once more, the glorious Chinese people are unaffected by Western civilization's petty "problems"!

Soon they shall have total control of the intertrons! SOON AMERICA SHALL COLLAPSE UNDER CHINESE MIGHTY FOOTSTEP!! FIRST BLIZZARD, AND THEN... THE WOORLD

Fuck, that's probably why I've had trouble logging into my e-mail these last days >=I

we should BACKTRACE them and hack them in...real life... like, use a hatchet or something, see how they like it.

Thank God I don't have a Battle.net account. I did get pegged by the PlayStation hack (didn't get any funds taken or anything, but I was a potential victim so I changed everything up), and that embarrassed me since I work in online security. Bah! Points Cards for everything now!

It's Baby Felix Halloween, in case you're wondering.

Jesus fucking Christ, I'm getting so tired of this shit.

this is why i don't like digital media

I don't mind the email info being hacked, it's the security question answers that really fuck things up, I can't recall what other sites I used what security question with...Ah, Blizzard you go through such lengths to make your users comply with high security standards while you can't get your employees to do the same. Shame for us I suppose for entrusting any vital information to you. Lesson learned. On the plus side, I could care less about my battle.net account have at 'er hackers.

I hear more and more instances of hacking. I wonder if hacking is too easy....

What a fucking joke.

Seems like my account details have probably been hacked more times than I can keep up with this year all through game services.

@Bell_End:

Well, when it happened to SONY, everybody blamed SONY, so why stop now?

@stinky: Yeah I realise that, it's just what I would do, seeing as everyone should change their passwords anyway now

Im not really surprised by this Blizzard and there awful DRM site battle.net . Though i guess blizzard can look on the bright side they will sill a heap of there authenticators.

Bawls.

They can have my Diablo III, WoW, and SC2. I don't play them anyways. Waste of my money.

So blizzard has millions of dollars and still get hacked by kids... lol

I no longer feel any regret for not buying any blizzard games since warcraft 2.

So...authticators are ahit to own then.

Oh just lovely... so much hacking these days, it's rather breathtaking... well, only breathtaking as that'd be me trying not to shout every colorful word in the dictionary at the little script-kiddies. Things have so changed, so so changed... back in the day, hacking was about access and sticking it to the big guys on top... now that's like 180... everytime the morons go at it, it's the little people/users at the bottom getting bent-over and mounted.

I keep an email address specifically for paying bills and ordering things online, and another for video game stuff (no credit cards linked). I'm glad my Battle.net address was the latter.

Blizzard sealed their fate with that awful Superman game on SNES

@RuthLoose said:

I suppose this is a form of "punishment" for releasing Diablo III without PVP or some other hacker bullshit.

What would hacker non-bullshit be?

@A_Talking_Donkey said:

@RuthLoose said:

I suppose this is a form of "punishment" for releasing Diablo III without PVP or some other hacker bullshit.

What would hacker non-bullshit be?

Creative Commons... Sourceforge.net... any legitimate modding community.

Well that's the by product of technology you got to take the good with the bad. Got to be smart with your online content because you never know when stuff like this can hit you.

this stuff seems to be happening every other week nowadays :(