Change Your Battle.net Password

Posted by Jeff (3626 posts) -
Hey, while we're posting passwords in the open around here...

This is the world we live in now. A world where some service you've signed up with seems to get penetrated every couple of weeks, sending everyone into a password-changing frenzy. I bet the guys selling password-securing apps are stoked. This month's victim of unauthorized access is Blizzard, which disclosed yesterday that someone got into its network on or around August 4 of this year.

So what'd they take? According to Blizzard's FAQ on the matter, players in the North American region--which includes Australia for reasons that I'm sure would make sense if someone bothered to describe it--have the following items to worry about:

  • Email addresses
  • Answers to secret security questions
  • Cryptographically scrambled versions of passwords (not actual passwords)
  • Information associated with the Mobile Authenticator
  • Information associated with the Dial-in Authenticator
  • Information associated with Phone Lock, a security system associated with Taiwan accounts only
  • In addition to this list of North American information, all users except those with China-based accounts had their email address taken.

So that means, at the minimum, your email address is out there. If you're part of what Blizzard considers its North American region, the answer to your secret security question is out there, too. Considering the number of sites that don't let you choose what your secret question is (if mine is any indication, Blizzard is among them), this may be an actual concern for you. Anyone that doesn't let you create your own custom secret question is a Bad Person. Blizzard says that an automated process to update secret questions and answers will be available in the near future. In the meantime, if you use the same secret question/answer combo on multiple sites, this might be a good time to tear your hair out and yell at the sky for a bit.

The FAQ goes on to say that the company believes that physical Blizzard Authenticators are secure, but app-based authentication will eventually require an update. For more details on how your password was stored and why it's unlikely that this will lead to your actual password getting out in the open, read the rest of Blizzard's FAQ... after you're finished changing your password, that is.

#2 Posted by kindgineer (2767 posts) -

People are ignorant. I hate hackers :/

#3 Posted by aceofspudz (938 posts) -

Done. Thanks, Gerstmann!

#4 Edited by Undeadpool (4957 posts) -

UUUUUUUUUUUUUU-you know what? I can't even muster up being shocked or angry anymore.

Edit: Ya know what? Maybe a LITTLE angry over the whole "Use an authenticator for EXTRA PROTE-they stole the authenticator...SORRY!"

UUUUUUUUUUGH!!!

#5 Posted by BaneFireLord (2949 posts) -

I am so sick of this shit.

#6 Posted by hussatron (189 posts) -
#7 Posted by RuthLoose (820 posts) -

I suppose this is a form of "punishment" for releasing Diablo III without PVP or some other hacker bullshit.

#8 Posted by Bell_End (1208 posts) -

this is why we need biometrics as security pronto. nobody would be able to hack my face

#9 Posted by Lunar_Aura (2779 posts) -

That article picture shows a rather strong password. I don't think you can brute force Felix The Cat.

#10 Posted by Skooky (477 posts) -

My Battle.net account is locked behind an authenticator that doesn't exist anymore.

#11 Posted by Winternet (8025 posts) -

Man, my e-mail address was going through such a good phase right now. I was getting around 10 spam e-mails a week, tops. Guess that will change now. Thanks Blizzard.

#12 Posted by Bell_End (1208 posts) -

@Winternet said:

Man, my e-mail address was going through such a good phase right now. I was getting around 10 spam e-mails a week, tops. Guess that will change now. Thanks Blizzard.

why is it Blizzard's fault? blame the fucking hackers

#13 Posted by WickedCobra03 (2109 posts) -

I am glad that our information is safe in these companies' hands. Seriously, Microsoft with their FIFA crap, PSN, even Steam... now Blizzard.

Is any of our information even safe anymore? That's why I barely store any credit or phone info online. This stuff is too easy to hack and get ahold of people's personal lives...

#14 Posted by SomeJerk (3296 posts) -

In addition to this list of North American information, all users except those with China-based accounts had their email address taken.

Send the marines.

#15 Posted by Duxa (163 posts) -

@Skooky: Call them and ask for it to be removed... you will need to fax them or email them a copy of your ID and then they will remove it.

#16 Posted by Ravenlight (8040 posts) -

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

You say that, but it would only be a matter of time.

#17 Posted by Goldanas (546 posts) -

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

Just got to take a picture, and if it requires blink authentication, just crumple the photo a bit and you're good to go.

Now if you were talking about needles that dig into you and take a chunk of your DNA every time, now that'd be some future shit right there.

#18 Posted by TheMasterDS (2082 posts) -

I'm going to trust them and leave the password as it is. I really don't care if someone plays my Diablo 3 or Starcraft II account, there's nothing of value there. Well, I suppose if someone got in and deleted my progress or sold off all my stuff that'd be a bummer, but seeing as I haven't played Diablo 3 in months it wouldn't be that much of one.

#19 Posted by Joker369 (881 posts) -

Changed it, thanks for the heads up

#20 Posted by buzz_killington (3532 posts) -

Fuck! Now people know my favorite high school teacher's name!

#21 Posted by Xeirus (1333 posts) -

@TheMasterDS said:

I'm going to trust them and leave the password as it is. I really don't care if someone plays my Diablo 3 or Starcraft II account, there's nothing of value there. Well, I suppose if someone got in and deleted my progress or sold off all my stuff that'd be a bummer, but seeing as I haven't played Diablo 3 in months it wouldn't be that much of one.

I felt the same way, haha. I'm not even mad, because I just don't care.

#22 Posted by Drayco90 (17 posts) -

Passwords changed. Man, I can't wait for the day when everything in the industry goes digital so we can't have hard copies of things and must be connected to the system at all times to play so that this can happen all the time.

#23 Edited by pyromagnestir (4326 posts) -

Well that was easy enough. It will take years for people to hack my new password, 6enisB00Bs!

#24 Edited by Xymox (2104 posts) -

Answers to the secret questions you say? That makes one of us.

ugh. Can't copy paste a new password in their password box. Screw this, enjoy my lvl 60. Not worth the effort.

#25 Edited by Brackynews (4090 posts) -

Using a canned security question is less of a thing than choosing an irrelevant security answer you can always remember. What was the first street I lived on? Waffles. First pet? Waffles. Favourite teacher? Waffles. Mother's maiden name? Waffles. One of those might be true, but you see the point. Cracking secret questions is about social engineering, not dictionary attacks.

Also, if you use your birthdate information for anything (like say, a hastily chosen forum name) don't be shocked when people can track it back to find out more about you. Pick a different birthdate on forms you can always remember, without outright lying about your age. ~6 months different is reasonable if you're over 21.

The point being, when (not if) the info gets stolen, the people who get to see it do not have real data they can use when calling your banks, credit cards, government offices, etc. If you think it's only about gold farmers hacking your inventory you're outta yo' goddamn mind. This shit is sold to the highest bidder. Be careful of who knows your DOB, Mother's maiden name, and address history. You will be amazed how much access to other information those things will get you over the phone. (Hopefully I shouldn't even have to say guard your SSN/SIN like gold these days, but I remember old news stories where schools were posting grade printouts on doors using SSN numbers to identify students.)

#26 Posted by CrossTheAtlantic (1146 posts) -

@Ravenlight said:

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

You say that, but it would only be a matter of time.

Clearly, hasn't seen Mission Impossible. It's only a matter of time, people!

#27 Posted by Sackmanjones (4738 posts) -

I keep getting e-mails from Blizzard saying I'm trying to sell my Warcraft character.... I've never played WOW in my life.

#28 Posted by Wurmbollie (17 posts) -

Will Blizz make the passwords case sensitive now?

#29 Posted by JSwan13 (285 posts) -

Thanks Jeff!

#30 Posted by Brodehouse (10066 posts) -

Fuck, at first I didn't care, but my bnet password is also my email password. Now I have to go on full lockdown.

#31 Posted by doobie (605 posts) -

@CrossTheAtlantic said:

@Ravenlight said:

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

You say that, but it would only be a matter of time.

Clearly, hasn't seen Mission Impossible. It's only a matter of time, people!

maybe bell_end could use his Bell end as a biometric device

#32 Posted by Doppelgamer (321 posts) -

@Sackmanjones said:

I keep getting e-mails from Blizzard saying I'm trying to sell my Warcraft character.... I've never played WOW in my life.

Yeah, that's a known scam. I haven't played WoW in years, but I get them once or twice a year.

#33 Posted by Sweep (8913 posts) -

I changed my password, but if people have my email and the answers to my secret question (I can't even remember what that is) doesn't that render my password redundant? Although, I guess only if they also have my email password.

I'm trying to figure out how much I should be freaking out right now. At the moment I'm still at "Not at all."

Moderator
#34 Posted by JoeyRavn (4992 posts) -

@CrossTheAtlantic said:

@Ravenlight said:

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

You say that, but it would only be a matter of time.

Clearly, hasn't seen Mission Impossible. It's only a matter of time, people!

Nicholas Cage is way ahead of you guys. Waaay ahead.

#35 Posted by Gamer_152 (14091 posts) -

Hackers suck, glad my account wasn't caught up in this. This is also why your secret question should be something only you know. It could be worse though, I'm sure there are a lot of important databases full of our details that are far worse protected than Blizzard's.

Moderator
#36 Posted by GunslingerPanda (4826 posts) -

So EU users are safe? Cool.

#37 Posted by stinky (1549 posts) -

@Wurmbollie said:

Will Blizz make the passwords case sensitive now?

wouldn't help anything against unauthorized access.

#38 Posted by Lukeweizer (2706 posts) -

Access to my mobile authenticator? What do I even do about that? Delete the app and get a new one? I don't even know what my Blizzard secret question is. I don't even know what sites ask for it so I can go change it. What a pain in the ass.

#39 Edited by MrKlorox (11209 posts) -

Fuck you Blizzard. For many many annoyances regarding the password change process on your website. And for requiring to put myself at risk just to play your SINGLEPLAYER game. FUCK YOU!

#40 Posted by HansKaosu (757 posts) -

I like how they don't inform people on the front page of battle net nor any of their game pages..

just goes to show blizzard could really give a rat's ass about their customers' security.

#41 Posted by jayjonesjunior (1090 posts) -

@ck1nd said:

People are ignorant. I hate hackers :/

what? hackers are probably the least ignorant of all people luls.

#42 Edited by LegendaryChopChop (1213 posts) -

Not surprised. The company needs a damn Mobile Authenticator in order to keep things safe... I didn't use one, but now I will. It'll add an extra inkling of security after I change the PW.

#43 Posted by Butano (1746 posts) -

So, the authenticator attached to my keychain is basically useless now? That kinda sucks if that's the case.

#44 Posted by Delta_Ass (3282 posts) -

Fuck you Blizzard.

#45 Posted by MeatSim (10892 posts) -

What a pain but gotta change those passwords.

#46 Posted by Deathpooky (1417 posts) -

This goes beyond battle.net - if you use the same password for Blizzard that you do for anything else, time to go on a password changing spree. It'd be extremely easy to extrapolate from your email address to a ton of other accounts and brute force your password/email into them to see if they work.

#47 Posted by ChuckDeNomolos (72 posts) -

Is there a way to just cancel my Battle.net account? I was done with Diablo 3 after a few days, and all it's gotten me is Chinese IPs trying to access my email.

#48 Posted by ILuvMsMarvel (140 posts) -

Ok, with the thumbnail used on the front page, I have to say this: Guess Blizzard screwed the pooch once again.

#49 Posted by Tesla (1927 posts) -

You would think Blizzard of all companies would value customer security. I'm glad that none of their products beyond Diablo interest me, it will make it easy to not give them another dime.

#50 Posted by tineyoghurt (358 posts) -

If I remember correctly, the reason for Australia being in the "North Americas" is that they originally were lumped in with Asia, which didn't work out since Australians like to: a) chat in English b) not be bested by the Koreans.
 
Ironically, this is the first time I'm glad that battle.net is split into regions, as us Europeans seem rather unaffected by all this (directly, at least).
