Change Your Battle.net Password

#151 Posted by SuperPickle (28 posts) -

It's a hack job from China, so they left it alone.

#152 Posted by Deusx (1903 posts) -

@NAQ said:

@Deusx said:

@NAQ said:

@Deusx said:

Fuck you Blizzard, I'm happy to say I'm not buying another one of your FUCKING games. I got fucking hacked and I lost all my progress thanks to the roll back. Fuck you Blizzard, fuck you! Fuck.... FFFFFFF....

yeah you got hacked because of you not cause of blizz hope this helps

W-w-what? W-what?! Fuck you man. Because of me? Sure, keep sucking the blizzdrones' dick. There are hackers out there, blizzard knows about this. With that much money they could at least learn from Sony's mistakes and hire a good security service. I hope you're kidding because if you are then I'm a fool and fell for it.

W-w-what? W-what?! Fuck you man

Nice 6 posts bro. Get the fuck out.

#153 Posted by GnomeonFire (715 posts) -

@Jayzilla: Kind of a weird thing to be stoked about.

I changed my password. Though I haven't played anything in a while and am starting to not care about Blizz games.

#154 Posted by fisk0 (4032 posts) -

ok, so we EU users don't need to change our passwords (probably should though)?

August 4 does seem to correlate pretty well to a huge bump in the amount of spam I've been receiving. Instead of around 10 a day it seems to be around 3-5 per hour now.

#155 Posted by Rawson (136 posts) -

@G0rd0nFr33m4n said:

@Rawson said:

All the more reason to get a fucking authenticator.

You think a company failing to keep your info safe deserves more of your hard earned cash ? ... For failing ? No no! I'll change my password and not give them money, thank you very much.

Actually, the $6 authenticator is sold at cost, since it saves them money in the long run by not having to deal with idiots losing their accounts to phishing schemes.

If $6 is too much for you to spend, then there's also the smartphone and SMS authenticator methods.

#156 Posted by AiurFlux (902 posts) -

August 4th this happened, we hear about this on the 9th, and even then it still isn't listed on Blizzard's main site page. Fucking disgusting. I know I should blame the hackers but when a company charges for a goddamn authenticator AND doesn't notify its customers that an intrusion took place until 5 days later I really really have a problem with that company. I don't fucking care if they didn't know what was compromised, the simple fact is that an intrusion took place and they should HAVE to notify their customers on the day that it takes place.

I'm getting sick of this shit. Now I have to monitor my finances, website accounts, and my email account all because they're fucking morons more interested in saving face rather than looking after their customer.

I'm going to say it now, there needs to be legislation in the United States, Canada, the EU, the UK, and everywhere else that states when a company experiences any digital intrusion of any kind they must inform their customers at once. Period. If they don't they should face harsh fines upwards of 100,000 dollars. No more of this waiting for 5 days bullshit. It isn't fucking right, and they're only doing it because they want to preserve their value on the NYSE.

#157 Posted by Dark_Lord_Spam (3253 posts) -

@Bell_End said:

this is why we need biometrics as security pronto. nobody would be able to hack my face

Don't say that, because next we'll just have people taking our faces with hacksaws to access our Amazon discount codes.

#158 Posted by enthalpy (37 posts) -

@AiurFlux said:

August 4th this happened, we hear about this on the 9th, and even then it still isn't listed on Blizzard's main site page. Fucking disgusting. I know I should blame the hackers but when a company charges for a goddamn authenticator AND doesn't notify its customers that an intrusion took place until 5 days later I really really have a problem with that company. I don't fucking care if they didn't know what was compromised, the simple fact is that an intrusion took place and they should HAVE to notify their customers on the day that it takes place.

I'm getting sick of this shit. Now I have to monitor my finances, website accounts, and my email account all because they're fucking morons more interested in saving face rather than looking after their customer.

I'm going to say it now, there needs to be legislation in the United States, Canada, the EU, the UK, and everywhere else that states when a company experiences any digital intrusion of any kind they must inform their customers at once. Period. If they don't they should face harsh fines upwards of 100,000 dollars. No more of this waiting for 5 days bullshit. It isn't fucking right, and they're only doing it because they want to preserve their value on the NYSE.

I wish someone in this thread would put the facts together instead of going off like a crazy person here. Blizzard responded in an extremely measured way here. They first went into lockdown, which is what you do. It sounds like they saw this in near real-time, which means that they have reasonable protections and effective monitoring in place. They then, after completing what was likely an insanely complicated assessment of the situation, explained this to their customers.

It is counterproductive to require any firm to immediately inform on a breach because that can indicate a current vulnerability. This is why software firms avoid announcing compromises for their software until they patch them.

Here is what happens in a typical security incident protocol:

  • The system is locked off from the outside, accounts and sessions are killed, etc...
  • An assessment of the means of entry is done and any security holes closed, while
  • a copy of the compromised systems is made immediately to preserve the system in its current state. This includes write-blocked drive imaging, any external system log aggregation, etc...
  • Forensics begin on a write-blocked copy of any images that were taken of servers and logs are reviewed
  • An early assessment is made of the data that was available on the compromised machine(s) and combined with a network traffic assessment to assess what may have leaked
  • Appropriate law enforcement is contacted, based on the initial compromise assessment
  • If any regulated data is found, the appropriate regulatory agencies are contacted
  • After continued assessment of the state of the entire environment, a more in depth assessment of the compromise is done and a communication plan is prepared
  • Communication to affected parties happens

What's important here is that it sounds like the way in which the passwords were stored is extremely secure and is probably close to computationally infeasible to crack. Here is what can happen now:

Someone can, knowing your email address and secret question, request a password reset that will be sent to your email. That is all. From the information that Blizzard released, there is no way that people can log into your account with the information they have gained from this compromise without accessing your email account, which is another item that would have delayed the announcement.

Also, this was an impressively fast response from such a huge company.
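As an added illustration of the two points above (this is example code written for this page, not code from the thread and not Blizzard's own; the storage scheme, the PBKDF2 work factor and the reset flow are assumptions chosen for the example), the Python below stores passwords and secret answers as salted PBKDF2 digests, shows that a leaked digest does not pass a login check, and models a reset in which the secret answer can only trigger the mailing of a single-use, time-limited token, so finishing the reset still requires control of the mailbox:

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. An assumed value for this example; the
# real parameters of any vendor's password store are not public in this thread.
KDF_ITERATIONS = 600_000


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = KDF_ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is
    given, so two users with the same password (or the same secret answer) end
    up with different digests and a precomputed table is useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes,
                  iterations: int = KDF_ITERATIONS) -> bool:
    """Recompute the KDF and compare in constant time. Holding `digest` alone
    does not pass this check; the cleartext secret is still required."""
    _, candidate = hash_secret(secret, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def make_user(email: str, password: str, secret_answer: str,
              iterations: int = KDF_ITERATIONS) -> Dict:
    """Constructed user record: only salts and digests are stored, never cleartext."""
    pw_salt, pw_digest = hash_secret(password, iterations=iterations)
    # Answers are normalised (trimmed, lower-cased) before hashing, as reset
    # forms usually are; this shrinks the input space, which is the known weakness.
    sa_salt, sa_digest = hash_secret(secret_answer.strip().lower(), iterations=iterations)
    return {"email": email, "pw_salt": pw_salt, "pw_digest": pw_digest,
            "sa_salt": sa_salt, "sa_digest": sa_digest, "iterations": iterations}


def login(user: Dict, password: str) -> bool:
    return verify_secret(password, user["pw_salt"], user["pw_digest"], user["iterations"])


class ResetTokens:
    """Single-use, time-limited reset tokens. Only a SHA-256 of each token is
    kept server-side, so a copy of this table is no more useful to an attacker
    than the password digests are."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self.ttl = ttl_seconds
        self._pending: Dict[bytes, Tuple[str, float]] = {}

    def issue(self, email: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).digest()] = (email, now + self.ttl)
        return token  # in a real system this goes out by e-mail and nowhere else

    def redeem(self, token: str, now: float) -> Optional[str]:
        entry = self._pending.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return None  # unknown, or already used
        email, expires = entry
        return email if now <= expires else None


def request_reset(user: Dict, tokens: ResetTokens, secret_answer: str,
                  now: float) -> Optional[str]:
    """Step 1: the secret answer gates only whether a token is mailed."""
    if not verify_secret(secret_answer.strip().lower(), user["sa_salt"],
                         user["sa_digest"], user["iterations"]):
        return None
    return tokens.issue(user["email"], now)


def complete_reset(user: Dict, tokens: ResetTokens, token: str,
                   new_password: str, now: float) -> bool:
    """Step 2: only whoever received the mailed token can change the password."""
    if tokens.redeem(token, now) != user["email"]:
        return False
    user["pw_salt"], user["pw_digest"] = hash_secret(new_password, iterations=user["iterations"])
    return True


if __name__ == "__main__":
    alice = make_user("alice@example.invalid", "correct horse battery", "Rex", iterations=50_000)
    tokens = ResetTokens(ttl_seconds=900)
    print("login with the right password:", login(alice, "correct horse battery"))
    print("login using a leaked digest as the password:", login(alice, alice["pw_digest"].hex()))
    t = request_reset(alice, tokens, "rex", now=1000.0)
    print("reset completed with the mailed token:", complete_reset(alice, tokens, t, "new pass phrase", now=1100.0))
    print("same token a second time:", complete_reset(alice, tokens, t, "again", now=1101.0))
```

Run it directly for a printed walk-through. The design point is the one the post makes: the password and answer digests are only useful to someone who can afford the KDF work per guess, and the answer store is the weakest of the three because its input space is small, so a reset that ends at the mailbox rather than at the answer form is what keeps a leaked answer from becoming a takeover on its own.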

#159 Edited by phrosnite (3518 posts) -

How many people remember their secret answers? I bet it's zero.

#160 Posted by Godlyawesomeguy (6398 posts) -

Password changed. Jesus fuck, you guys.

#161 Posted by AiurFlux (902 posts) -

@enthalpy said:

@AiurFlux said:

August 4th this happened, we hear about this on the 9th, and even then it still isn't listed on Blizzard's main site page. Fucking disgusting. I know I should blame the hackers but when a company charges for a goddamn authenticator AND doesn't notify its customers that an intrusion took place until 5 days later I really really have a problem with that company. I don't fucking care if they didn't know what was compromised, the simple fact is that an intrusion took place and they should HAVE to notify their customers on the day that it takes place.

I'm getting sick of this shit. Now I have to monitor my finances, website accounts, and my email account all because they're fucking morons more interested in saving face rather than looking after their customer.

I'm going to say it now, there needs to be legislation in the United States, Canada, the EU, the UK, and everywhere else that states when a company experiences any digital intrusion of any kind they must inform their customers at once. Period. If they don't they should face harsh fines upwards of 100,000 dollars. No more of this waiting for 5 days bullshit. It isn't fucking right, and they're only doing it because they want to preserve their value on the NYSE.

I wish someone in this thread would put the facts together instead of going off like a crazy person here. Blizzard responded in an extremely measured way here. They first went into lockdown, which is what you do. It sounds like they saw this in near real-time, which means that they have reasonable protections and effective monitoring in place. They then, after completing what was likely an insanely complicated assessment of the situation, explained this to their customers.

It is counterproductive to require any firm to immediately inform on a breach because that can indicate a current vulnerability. This is why software firms avoid announcing compromises for their software until they patch them.

Here is what happens in a typical security incident protocol:

  • The system is locked off from the outside, accounts and sessions are killed, etc...
  • An assessment of the means of entry is done and any security holes closed, while
  • a copy of the compromised systems is made immediately to preserve the system in its current state. This includes write-blocked drive imaging, any external system log aggregation, etc...
  • Forensics begin on a write-blocked copy of any images that were taken of servers and logs are reviewed
  • An early assessment is made of the data that was available on the compromised machine(s) and combined with a network traffic assessment to assess what may have leaked
  • Appropriate law enforcement is contacted, based on the initial compromise assessment
  • If any regulated data is found, the appropriate regulatory agencies are contacted
  • After continued assessment of the state of the entire environment, a more in depth assessment of the compromise is done and a communication plan is prepared
  • Communication to affected parties happens

What's important here is that it sounds like the way in which the passwords were stored is extremely secure and is probably close to computationally infeasible to crack. Here is what can happen now:

Someone can, knowing your email address and secret question, request a password reset that will be sent to your email. That is all. From the information that Blizzard released, there is no way that people can log into your account with the information they have gained from this compromise without accessing your email account, which is another item that would have delayed the announcement.

Also, this was an impressively fast response from such a huge company.

Bullshit. It occurred 5 days ago. That's 5 days of having information at risk, including financial information given the real money auction house in Diablo 3. That's 5 days that some asshole could have free rein. That's 5 days too many. When my information is at risk, when my finances are at risk, I should be informed of it right then and there. Not a work week after the fact.

You're right in saying that divulging that information could inform other people of a vulnerability, but the simple act of hacking it has exposed that vulnerability. If you don't think that these people communicate with one another you're out of your mind. Typically it's not just one person doing it anymore but rather a group of people that each delegate part of the operation. Furthermore if they're REALLY concerned with security then maybe they should make a public notice and shut down their shit system for those 5 days until they sort it out instead of leaving it online and forcing people to find out about this through a media site like Giant-fucking-Bomb.

It's irresponsible. It's lazy. It's ignorant. And it needs to fucking change. These companies need to be held accountable and MAYBE just maybe the traditional way of doing things isn't enough anymore. How many hacks have occurred within the past year? It's unacceptable, especially in the game industry where everything is going digital and everything has extra costs tacked on.

And the response wasn't fast at all. Sony had a similar response and they got bashed for it, but because it's Blizzard people hold them up like Christ on the Cross and say "THEY'RE TEH BEST EVAR!". You sound like a PR guy when you say shit like that. The investigation might have been started fast but the whole informing the public thing, the people that give them money and put their trust in them, wasn't good.

#162 Posted by enthalpy (37 posts) -

@AiurFlux said:

@enthalpy said:

@AiurFlux said:

August 4th this happened, we hear about this on the 9th, and even then it still isn't listed on Blizzard's main site page. Fucking disgusting. I know I should blame the hackers but when a company charges for a goddamn authenticator AND doesn't notify its customers that an intrusion took place until 5 days later I really really have a problem with that company. I don't fucking care if they didn't know what was compromised, the simple fact is that an intrusion took place and they should HAVE to notify their customers on the day that it takes place.

I'm getting sick of this shit. Now I have to monitor my finances, website accounts, and my email account all because they're fucking morons more interested in saving face rather than looking after their customer.

I'm going to say it now, there needs to be legislation in the United States, Canada, the EU, the UK, and everywhere else that states when a company experiences any digital intrusion of any kind they must inform their customers at once. Period. If they don't they should face harsh fines upwards of 100,000 dollars. No more of this waiting for 5 days bullshit. It isn't fucking right, and they're only doing it because they want to preserve their value on the NYSE.

I wish someone in this thread would put the facts together instead of going off like a crazy person here. Blizzard responded in an extremely measured way here. They first went into lockdown, which is what you do. It sounds like they saw this in near real-time, which means that they have reasonable protections and effective monitoring in place. They then, after completing what was likely an insanely complicated assessment of the situation, explained this to their customers.

It is counterproductive to require any firm to immediately inform on a breach because that can indicate a current vulnerability. This is why software firms avoid announcing compromises for their software until they patch them.

Here is what happens in a typical security incident protocol:

  • The system is locked off from the outside, accounts and sessions are killed, etc...
  • An assessment of the means of entry is done and any security holes closed, while
  • a copy of the compromised systems is made immediately to preserve the system in its current state. This includes write-blocked drive imaging, any external system log aggregation, etc...
  • Forensics begin on a write-blocked copy of any images that were taken of servers and logs are reviewed
  • An early assessment is made of the data that was available on the compromised machine(s) and combined with a network traffic assessment to assess what may have leaked
  • Appropriate law enforcement is contacted, based on the initial compromise assessment
  • If any regulated data is found, the appropriate regulatory agencies are contacted
  • After continued assessment of the state of the entire environment, a more in depth assessment of the compromise is done and a communication plan is prepared
  • Communication to affected parties happens

What's important here is that it sounds like the way in which the passwords were stored is extremely secure and is probably close to computationally infeasible to crack. Here is what can happen now:

Someone can, knowing your email address and secret question, request a password reset that will be sent to your email. That is all. From the information that Blizzard released, there is no way that people can log into your account with the information they have gained from this compromise without accessing your email account, which is another item that would have delayed the announcement.

Also, this was an impressively fast response from such a huge company.

Bullshit. It occurred 5 days ago. That's 5 days of having information at risk, including financial information given the real money auction house in Diablo 3. That's 5 days that some asshole could have free rein. That's 5 days too many. When my information is at risk, when my finances are at risk, I should be informed of it right then and there. Not a work week after the fact.

You're right in saying that divulging that information could inform other people of a vulnerability, but the simple act of hacking it has exposed that vulnerability. If you don't think that these people communicate with one another you're out of your mind. Typically it's not just one person doing it anymore but rather a group of people that each delegate part of the operation. Furthermore if they're REALLY concerned with security then maybe they should make a public notice and shut down their shit system for those 5 days until they sort it out instead of leaving it online and forcing people to find out about this through a media site like Giant-fucking-Bomb.

It's irresponsible. It's lazy. It's ignorant. And it needs to fucking change. These companies need to be held accountable and MAYBE just maybe the traditional way of doing things isn't enough anymore. How many hacks have occurred within the past year? It's unacceptable, especially in the game industry where everything is going digital and everything has extra costs tacked on.

And the response wasn't fast at all. Sony had a similar response and they got bashed for it, but because it's Blizzard people hold them up like Christ on the Cross and say "THEY'RE TEH BEST EVAR!". You sound like a PR guy when you say shit like that. The investigation might have been started fast but the whole informing the public thing, the people that give them money and put their trust in them, wasn't good.

I'm not trying to defend Blizzard per se--I'm trying to assess the breach in terms of its security implications for its users and also wanted to provide some information about how a typical incident response procedure works. I may have been too flippant with my first sentence or so, for which I apologize, and I've certainly changed my battle.net password to be on the safe side. But treating all compromises the same is not helpful to the gaming community who needs good information to assess their risk posture, nor is it particularly fair to the firms involved.

Given the timeline and types of data that they handle, I think that Blizzard informed pretty quickly. I also think that there is not a ton here that causes huge additional risk to users because, unlike many other large compromises, this compromise did not include any directly actionable data (CCNs, passwords, etc...).

Is this bad? Yes. The ability of people to phish off of the email addresses is a concern, and the decision to handle secret questions in the way that they are just looks dumb. But unlike a number of the firms who have been recently compromised, the data was stored in a sensible way, i.e. hashed (hopefully salted) phone numbers and with a complex protection mechanism on the passwords.

I also think that it's best for this information to go through public sites. How do you want Blizzard to notify the community, assuming that their communication path (email) is the same as the one that the hackers now have access to? Because if this was an extremely well-planned hack, the attackers could have phished the "your account has been compromised" emails to land at the same time that Blizzard's did. And if they were even close to competent phish writers, a huge number of people would have lost their passwords to this phish.

I'm really not looking for this to be a contentious conversation--I understand your concern and anger regarding compromises, because a lot of companies are not doing what they need to do in order to keep their customers safe, and they do need to be held accountable. Like you, I hope that more facts come out of this breach and that there are clear steps taken to further tighten security around Blizzard.

Hope everyone has a pleasant weekend.

#163 Posted by CAVERN_OF_COBOL (4 posts) -

Man that sucks. Changed my password. But how long until this happens again?

#164 Posted by krazy_kyle (716 posts) -

@Bell_End: Correct, it is the hackers' fault, but if Blizzard are providing a service and they lose our private information because of their shitty security, then I have a problem with Blizzard too.

#165 Posted by CL60 (16906 posts) -

Don't tell me what to do Jeff.

#166 Posted by Walta (57 posts) -

I read the security memo from Blizzard telling me to change my password. But when I tried to log in I get a "Too many attempts. (403)" error, despite the fact that I have not been on BN for days. According to some BN forum posts, this is a problem with the Battlenet website. So... you have been hacked and I should change my pw, but I can't because your login page is glitching out. Thank you ever so much, Blizzard. I am going to send you a complimentary fruit basket with a passive-aggressively resentful card. And I'm not even going to send real fruit. It will be one of those baskets full of plastic fruit that is uselessly decorative.

#167 Posted by Jabbawocky (74 posts) -

I haven't used my Battle.net account since I bought Warcraft 2, hell I don't even remember anything I might have put on the site.

#168 Edited by cannonballBAM (602 posts) -

The fact that people shrug this off as, "oh well, lets move on", is bullshit. Literally both sides are to blame, the people who hacked the site and Blizzard for not treating the consumer with dignity while trying to sweep this under the rug.

Stuff like this is why companies using the new agreement clause against class action suits in almost all major password protected services is taking one of your civil liberties just by clicking accept.

#169 Posted by Wright (637 posts) -

why would anyone want this shit

#170 Posted by amir90 (2154 posts) -

So glad I live in Europe right now ^^

#171 Posted by EXTomar (4685 posts) -

Could it be that people are shrugging it off because it really isn't that big of a deal? Getting hacked is often the first exposure someone gets to identity theft, but in the grand scheme of things the value of most Battle.net accounts is low and only useful to other Battle.net players.

#172 Posted by Grimhild (723 posts) -

I actually signed up for Bnet with a new Hotmail email, fake name and a password I don't use anywhere else, because I knew this was going to be an issue with the RM auction house. I also haven't played D3 since about a month after it came out so...

Meh.

#173 Posted by Tygerbite (36 posts) -

Thanks for the update. Just changed my password.

#174 Posted by NekuCTR (1663 posts) -

Yep, already got about 3 phishing e-mails. Fuuuuuu~

#175 Posted by Mumrik (1077 posts) -

What if my account seemingly got stolen a while ago and Blizzard just doesn't seem to give a fuck anyway?

#176 Posted by Andy_117 (169 posts) -

Once more, the glorious Chinese people are unaffected by Western civilization's petty "problems"!

Soon they shall have total control of the intertrons! SOON AMERICA SHALL COLLAPSE UNDER CHINESE MIGHTY FOOTSTEP!! FIRST BLIZZARD, AND THEN... THE WOORLD

#177 Posted by roughplague (131 posts) -

Fuck, that's probably why I've had trouble logging into my e-mail these last days >=I

#178 Posted by Elwoodan (817 posts) -

we should BACKTRACE them and hack them in...real life... like, use a hatchet or something, see how they like it.

#179 Posted by ReverendHunt (339 posts) -

Thank God I don't have a Battle.net account. I did get pegged by the PlayStation hack (didn't get any funds taken or anything, but I was a potential victim so I changed everything up), and that embarrassed me since I work in online security. Bah! Points Cards for everything now!

#180 Posted by Video_Game_King (36272 posts) -
#181 Posted by rmills87 (463 posts) -

Jesus fucking Christ, I'm getting so tired of this shit.

#182 Posted by rossi_g (5 posts) -

this is why i don't like digital media

#183 Posted by smellylettuce (119 posts) -

I don't mind the email info being hacked, it's the security question answers that really fuck things up, I can't recall what other sites I used what security question with...Ah, Blizzard you go through such lengths to make your users comply with high security standards while you can't get your employees to do the same. Shame for us I suppose for entrusting any vital information to you. Lesson learned. On the plus side, I could care less about my battle.net account have at 'er hackers.

#184 Posted by gamefreak9 (2358 posts) -

I hear more and more instances of hacking. I wonder if hacking is too easy....

#185 Posted by Rowr (5537 posts) -

What a fucking joke.

Seems like my account details have probably been hacked more times than I can keep up with this year all through game services.

#186 Posted by Enigma_2099 (146 posts) -

@Bell_End:

Well, when it happened to SONY, everybody blamed SONY, so why stop now?

#187 Posted by Wurmbollie (17 posts) -

@stinky: Yeah I realise that, it's just what I would do, seeing as everyone should change their passwords anyway now

#188 Posted by Bunny_Fire (297 posts) -

I'm not really surprised by this, Blizzard and their awful DRM site battle.net. Though I guess Blizzard can look on the bright side: they will sell a heap of their authenticators.

#189 Posted by avantegardener (1118 posts) -

Bawls.

#190 Edited by thehuntsmen5434 (427 posts) -

They can have my Diablo III, WoW, and SC2. I don't play them anyways. Waste of my money.

#191 Posted by Guntank81 (7 posts) -

So Blizzard has millions of dollars and still gets hacked by kids... lol

#192 Posted by i8246i (119 posts) -

I no longer feel any regret for not buying any blizzard games since warcraft 2.

#193 Posted by Sammo21 (3261 posts) -

So... authenticators are shit to own then.

#194 Posted by Mediquette (2 posts) -

Oh just lovely... so much hacking these days, it's rather breathtaking... well, only breathtaking as that'd be me trying not to shout every colorful word in the dictionary at the little script-kiddies. Things have so changed, so so changed... back in the day, hacking was about access and sticking it to the big guys on top... now that's like 180... every time the morons go at it, it's the little people/users at the bottom getting bent over and mounted.

#195 Posted by DocDino (5 posts) -

I keep an email address specifically for paying bills and ordering things online, and another for video game stuff (no credit cards linked). I'm glad my Battle.net address was the latter.

#196 Posted by Boopie (191 posts) -

Blizzard sealed their fate with that awful Superman game on SNES

#197 Posted by A_Talking_Donkey (262 posts) -

@RuthLoose said:

I suppose this is a form of "punishment" for releasing Diablo III without PVP or some other hacker bullshit.

What would hacker non-bullshit be?

#198 Posted by RuthLoose (805 posts) -

@A_Talking_Donkey said:

@RuthLoose said:

I suppose this is a form of "punishment" for releasing Diablo III without PVP or some other hacker bullshit.

What would hacker non-bullshit be?

Creative Commons... Sourceforge.net... any legitimate modding community.

#199 Posted by That1BlackGuy (217 posts) -

Well, that's the by-product of technology: you've got to take the good with the bad. Got to be smart with your online content because you never know when stuff like this can hit you.

#200 Posted by SpartanHoplite (384 posts) -

this stuff seems to be happening every other week nowadays :(
