Battle.net Compromised. Here we go again.

#1 Edited by Metal_Mills (3033 posts) -
http://us.blizzard.com/en-us/securityupdate.html
 

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts. 
 

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Sincerely,
Mike Morhaime



 Oh shit! At least they didn't leave passwords just sitting there exposed but god damn.
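
The notice above says the stolen password material was SRP verifiers rather than passwords, and that "each password would have to be deciphered individually". The block below is an added example, not Blizzard's code and not a description of their actual implementation (the notice names SRP and nothing more): it models an SRP-6a verifier table using the RFC 5054 formula x = H(s | H(I ":" P)) with SHA-1 and the RFC 5054 1024-bit group, and runs the offline attack an attacker who holds salts and verifiers is reduced to. The sample records, usernames and passwords are constructed here. The `normalize` parameter is an assumption used to model a server that folds case before hashing, the case-insensitive policy argued about later in the thread; it is not a claim about how Battle.net did it.

```python
# Added example, not Blizzard's code: an SRP-6a style verifier table (RFC 5054 formula,
# SHA-1, 1024-bit group) and the per-record offline guessing an attacker is reduced to.
import hashlib
import os
from typing import Callable, Dict, List, Optional, Tuple

# RFC 5054, Appendix A: 1024-bit group, generator 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2

Normalizer = Callable[[str], str]


def identity(password: str) -> str:
    """Case-sensitive policy: the password is hashed as typed."""
    return password


def sha1(*parts: bytes) -> bytes:
    h = hashlib.sha1()
    for part in parts:
        h.update(part)
    return h.digest()


def srp_x(salt: bytes, username: str, password: str) -> int:
    # x = H(s | H(I ":" P)), RFC 5054 section 2.4. Salt and username are both folded in.
    inner = sha1(f"{username}:{password}".encode("utf-8"))
    return int.from_bytes(sha1(salt, inner), "big")


def make_record(username: str, password: str, salt: Optional[bytes] = None,
                normalize: Normalizer = identity) -> Dict:
    """What the server stores per account: username, random salt, verifier v = g^x mod N.
    `normalize` is an assumption modelling a server that folds case before hashing
    (pass str.lower for a case-insensitive policy, identity for a case-sensitive one)."""
    salt = os.urandom(16) if salt is None else salt
    v = pow(g, srp_x(salt, username, normalize(password)), N)
    return {"user": username, "salt": salt, "v": v}


def verifier_for(record: Dict, candidate: str, normalize: Normalizer = identity) -> int:
    """Recompute the verifier a guessed password would produce for this record."""
    return pow(g, srp_x(record["salt"], record["user"], normalize(candidate)), N)


def guess_record(record: Dict, wordlist: List[str],
                 normalize: Normalizer = identity) -> Optional[str]:
    """Offline attack on one leaked record: one modular exponentiation per guess.
    Nothing computed here carries over to another record, because the salt and
    username are inside x, so there is no single precomputation for the whole table."""
    for candidate in wordlist:
        if verifier_for(record, candidate, normalize) == record["v"]:
            return candidate
    return None


def crack_table(records: List[Dict], wordlist: List[str],
                normalize: Normalizer = identity) -> Tuple[Dict[str, str], int]:
    """Run the per-record attack over a whole leaked table.
    Returns (recovered passwords by user, number of exponentiations spent)."""
    found: Dict[str, str] = {}
    attempts = 0
    for record in records:
        for candidate in wordlist:
            attempts += 1
            if verifier_for(record, candidate, normalize) == record["v"]:
                found[record["user"]] = candidate
                break
    return found, attempts


if __name__ == "__main__":
    # Constructed sample table with fixed salts so the run is reproducible.
    table = [
        make_record("alice", "correct horse", salt=b"\x01" * 16),
        make_record("bob", "Hunter2", salt=b"\x02" * 16, normalize=str.lower),
    ]
    found, work = crack_table(table, ["password", "hunter2", "correct horse"],
                              normalize=str.lower)
    print(found, work)
```

Two things the example makes concrete. First, "individually" means one modular exponentiation per guess per account, which is cheap on modern hardware, so the verifier only protects a password that is not in the attacker's wordlist; changing a weak or reused password is the right response even though no plaintext leaked. Second, if the server folds case before hashing, the attacker's wordlist can be all lowercase and still match every account, which is the keyspace argument made further down the thread.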
#2 Posted by MordeaniisChaos (5730 posts) -

Well, at least my password hint is probably "The Usual."

#3 Posted by SmilingPig (1340 posts) -

Blizzard is a victim of its own success. Too bad for the rest of us who got hacked.

#4 Posted by jjnen (661 posts) -

I'm lazy. Should I change my password?

#5 Posted by Cloudenvy (5891 posts) -

I'm in Europe so thankfully this doesn't affect me. Sucks for people on the North American servers.

#6 Posted by Garfield518 (405 posts) -

Maybe now they'll actually allow passwords to be case sensitive.

#7 Posted by Ben_H (3408 posts) -

@Garfield518 said:

Maybe now they'll actually allow passwords to be case sensitive.

??? All of my Bnet passwords are case sensitive and don't work otherwise. I just tried. They allow case sensitive passwords and allow punctuation to be used as well.

#8 Posted by Shivoa (642 posts) -

@Garfield518 said:

Maybe now they'll actually allow passwords to be case sensitive.

This. Their security system needlessly threw away password complexity and that's a good sign they were using the authenticator to mask a very low priority for actual security development. I'm shocked it took this long.

#9 Posted by Shivoa (642 posts) -

@Ben_H said:

@Garfield518 said:

Maybe now they'll actually allow passwords to be case sensitive.

??? All of my Bnet passwords are case sensitive and don't work otherwise. I just tried. They allow case sensitive passwords and allow punctuation to be used as well.

Word of blue, you are wrong if you are talking about B.Net passwords before this compromise. I have no idea if they just changed it right now but historically all B.Net access has always allowed entry with case insensitivity.

#10 Posted by yinstarrunner (1231 posts) -

Man, my account just got hacked on Battle.net last week.
It's weird because I've been on the internet for 12 years now, and my Battle.net account is the only thing that has EVER been hacked, even though in the old days I used a super common, easily crackable password. Yet my Battle.net account has been hacked THREE times in the past three years.
Something about Blizzard games brings out the worst in people, I guess. lol.

#11 Posted by Jay444111 (2441 posts) -

Wow... thanks Blizzard... well... looks like I have to change a password for something I never use due to Blizzard's horrid security and the fact that their downloader SUCKS and it would have taken me 3 just to download the patches to the demo of WoW... so yeah... thanks a fucking bunch Blizzard!

#12 Edited by NaDannMaGoGo (338 posts) -

@Shivoa said:

@Garfield518 said:

Maybe now they'll actually allow passwords to be case sensitive.

This. Their security system needlessly threw away password complexity and that's a good sign they were using the authenticator to mask a very low priority for actual security development. I'm shocked it took this long.

Eh Brute Forcing that stuff isn't a problem. That wouldn't be worth the cost, case-sensitive or not.

The question is rather if they can get behind the encryption.

And well lots of emails, so more spam, more phishing mails and thus more victims in that regard.

#13 Posted by Will1Lucky (408 posts) -

@Cloudenvy said:

I'm in Europe so thankfully this doesn't affect me. Sucks for people on the North American servers.

Personally mate I'd change it anyway as I just have, better safe than sorry.

#14 Posted by Brunchies (2484 posts) -

Good thing I don't have anything important on my account.

#15 Posted by John1912 (1926 posts) -

@yinstarrunner said:

Something about Blizzard games brings out the worst in people, I guess. lol.

Money....

#16 Posted by Ravenlight (8040 posts) -

@Brunchies said:

Good thing I don't have anything important on my account.

That doesn't mean you shouldn't change your password anyway. If the same email address you use for Bnet is attached to other logins (IE: your bank) whoever stole the Bnet data could theoretically get into your other stuff, too.

#17 Edited by MordeaniisChaos (5730 posts) -

@Jay444111 said:

Wow... thanks blizzard... well... looks like I have to change a password for something I never use due to Blizzards horrid security and the fact that their downloader SUCKS and it would have taken me 3 just to download the patches to the demo of wow... so yeah... thanks a fucking bunch blizzard!

Well, there's no way to know if Blizzard had "horrid security" so before ya bitch about it, maybe you should rein that in a bit. Security is a funny thing. Honestly, chances are you'll be fine. Look at the Sony outage/hacking. As far as we know, there were no real issues that came about from the data that was accessed. No one had their banks accessed or anything like that. In fact, I doubt there is much of anything that was done with the stuff that was accessed. I don't remember hearing about so much as PSN accounts being accessed in any great number.

The real strength of the security in most cases isn't the thing keeping people out of the data but rather stopping them from using it. It's much easier to make the data useless than to build a hack proof system to keep it out of the hands of hackers. So chances are you'll be fine. You should of course ALWAYS be safe, change your password, etc.

And the Downloader isn't really important here. On top of that, it works the way all MMO launchers work. So, keep your whining at least to a relevant thread on that.

@yinstarrunner said:

Man, my account just got hacked on Battle.net last week. It's weird because I've been on the internet for 12 years now, and my Battle.net account is the only thing that has EVER been hacked, even though in the old days I used a super common, easily crackable password. Yet my Battle.net account has been hacked THREE times in the past three years. Something about Blizzard games brings out the worst in people, I guess. lol.

Battle.net accounts, because of Gold Farming and the like, are extremely valuable. And there are about a trillion phishing scams out there trying to get you to log into a fake battle.net, which of course gives them your password. If you ever clicked a link in your email to sign into battle.net, it was probably a scam.

Also, as far as I know, the strength of your password means fuck all when it comes to this sort of breach of security, it's all up to the encryption. If you have an encrypted password, you already have the password. Once you decrypt it, you know the password that will work with the account. It's not significantly more work to decrypt a password with case sensitivity as far as I know. Password complexity is more of a front door protection, that stops people from brute forcing your password from scratch, or discovering it some other way. Encryption protects from when password data is acquired, making it difficult to turn that data into anything useful. Case sensitivity isn't important for a complex password anyway. Yes, it doubles the number of letter characters you can use, but you already have access to plenty of characters as it is. Just use what you have available to create a strong password and you'll still be fine. A hash with no case sensitivity is still possible, and still pretty effective.

#18 Edited by Seppli (10251 posts) -

Ya - not playing Diablo 3 anymore. Wonder if I'll pick up the inevitable expansions. 'Til that didn't happen, this is of no concern to me.

Endgame sucked major dicktits. Yet another game skewed to make indecent amounts of money by fucking with proper reward pacing.

Not with a 60$ game. Not with me.

#19 Posted by NaDannMaGoGo (338 posts) -

@Seppli said:

Ya - not playing Diablo 3 anymore. Wonder if I'll pick up the inevitable expansions. 'Til that didn't happen, this is of no concern to me.

Endgame sucked major dicktits. Yet another game skewed to make indecent amounts of money by fucking with proper reward pacing.

Not with a 60$ game. Not with me.

Well we do certainly understand that you're just a bad joke on this forum by now, but really? That off topic?

#20 Posted by Milkman (17173 posts) -

@Seppli said:

Ya - not playing Diablo 3 anymore. Wonder if I'll pick up the inevitable expansions. 'Til that didn't happen, this is of no concern to me.

Endgame sucked major dicktits. Yet another game skewed to make indecent amounts of money by fucking with proper reward pacing.

Not with a 60$ game. Not with me.

What does this have to do with anything?

#21 Posted by Mcfart (1712 posts) -

Unless they want to renew my WoW sub (in which case I'd tell Bliz my account was hacked) then those Chinese got nothing on me

#22 Posted by fox01313 (5088 posts) -

Glad I've been using the authenticator since WoW so at least I feel slightly better, though it could just be putting out a random series of numbers that don't do anything more than a keychain-sized placebo. Kind of surprised to hear this though as Blizz is still one of the larger MMORPGs out there, so while it's only a matter of time for the hackers to get in, you'd think they'd be more secure considering their customer base. At least it wasn't another PS3pocalypse in how long they are shut down.

#23 Posted by bemusedchunk (708 posts) -

My WoW account has been hacked about once a year now.

This is just par for the course...

#24 Posted by gakon (1952 posts) -

Oh look, I just realized I switched phones and left the authenticator on my old phone, and that old phone has since been the recipient of a hard reset so who knows where that leaves me.

#25 Posted by Seppli (10251 posts) -

@Milkman: @NaDannMaGoGo:

The lack of care is as ontopic as it gets.

#26 Posted by Lotan (219 posts) -

ARGGGGG

This is the worst. Time to go change everything...AGAIN.

Thanks internet.

#27 Posted by Zithe (1045 posts) -

@MordeaniisChaos: That seems like a dumb thing to say and admit. All security question and answer systems do not work the same way. They don't all show you your hint and ask for your password. You might want to pay attention when you set those things up and you also might want to edit or delete that comment.

#28 Posted by Ben_H (3408 posts) -

@gakon said:

Oh look, I just realized I switched phones and left the authenticator on my old phone, and that old phone has since been the recipient of a hard reset so who knows where that leaves me.

Do you have the SMS security? If you do, you're fine and you can just disable the authenticator. If not, well, I don't know how to put this positively... have fun dealing with support I guess (I've heard it is a pain to remove an authenticator without SMS)?

#29 Posted by LikeaSsur (1579 posts) -

Jeez, I didn't know Blizzard was so hated on. What did they do to you, people?

#30 Posted by spiceninja (3064 posts) -

@LikeaSsur said:

Jeez, I didn't know Blizzard was so hated on. What did they do to you, people?

They became a popular multi-million dollar company. Damn them.

#31 Edited by Jay444111 (2441 posts) -

@Mcfart said:

Unless they want to renew my WoW sub (in which case I'd tell Bliz my account was hacked) then those Chinese got nothen on me

Me as well... fuck, I haven't even done anything with it since trying to download the damn demo. So yeah, they can have fun with the fact that I don't have jack shit on me!

#32 Edited by gakon (1952 posts) -

@Ben_H said:

@gakon said:

Oh look, I just realized I switched phones and left the authenticator on my old phone, and that old phone has since been the recipient of a hard reset so who knows where that leaves me.

Do you have the SMS security? If you do, you're fine and you can just disable the authenticator. If not, well, I don't know how to put this positively... have fun dealing with support I guess (I've heard it is a pain to remove an authenticator without SMS)?

It's an app authenticator, for Windows Phone 7 specifically. So, yeah... we'll see. Mists isn't out for another month anyway.

[edit] Also I wonder how any of these authenticators work if you delete them off your phone and then redownload them. On iOS and WP7, when you delete an app all the data goes with it, which I assume would include whatever unique identifier is attached to the authenticator. Unless they know how to bind it to the Apple ID of the person who downloaded the app, I dunno.

#33 Posted by CatsAkimbo (641 posts) -

I've come to terms with the fact that account compromises are going to happen all the time going forward, but damn if it isn't annoying. Things like this are why I haaate creating an account for anything anymore, because it's just another thing that'll be compromised sometime in the future.

#34 Posted by probablytuna (3797 posts) -

Woke up just then, just changed my password now. Hate changing passwords.

#35 Posted by smcn (926 posts) -

So when can I just buy a USB biometric scanner and stop having to worry about password bullshit?

#36 Posted by Stonyman65 (2808 posts) -

@yinstarrunner said:

Man, my account just got hacked on Battle.net last week. It's weird because I've been on the internet for 12 years now, and my Battle.net account is the only thing that has EVER been hacked, even though in the old days I used a super common, easily crackable password. Yet my Battle.net account has been hacked THREE times in the past three years. Something about Blizzard games brings out the worst in people, I guess. lol.

It's a gold mine, that's why. Gotta be careful.

#37 Posted by Example1013 (4834 posts) -

@Ravenlight said:

@Brunchies said:

Good thing I don't have anything important on my account.

That doesn't mean you shouldn't change your password anyway. If the same email address you use for Bnet is attached to other logins (IE: your bank) whoever stole the Bnet data could theoretically get into your other stuff, too.

Assuming my bank doesn't use multiple levels of security, which it does. Short of me unwittingly downloading a keylogger my bank info is pretty safe overall.

#38 Posted by DeadVillager (77 posts) -

@gakon said:

@Ben_H said:

@gakon said:

Oh look, I just realized I switched phones and left the authenticator on my old phone, and that old phone has since been the recipient of a hard reset so who knows where that leaves me.

Do you have the SMS security? If you do, you're fine and you can just disable the authenticator. If not, well, I don't know how to put this positively... have fun dealing with support I guess (I've heard it is a pain to remove an authenticator without SMS)?

It's an app authenticator, for Windows Phone 7 specifically. So, yeah... we'll see. Mists isn't out for another month anyway.

[edit] Also I wonder how any of these authenticators work if you delete them off your phone and then redownload them. On iOS and WP7, when you delete an app all the data goes with it, which I assume would include whatever unique identifier is attached to the authenticator. Unless they know how to bind it to the Apple ID of the person who downloaded the app, I dunno.

I had a similar problem. Just call their tech support and explain to them the situation. It seems common enough that they're used to it. As an added bonus, the Blizzard tech support is incredibly kind and helpful.

#39 Posted by Beforet (2931 posts) -

Huh, well it's been a while since I've cared about any of those games. But still, rather not be compromised, so I'll just change that stuff.

*Doesn't remember password*

Huh, well I'll reset it.

*Doesn't remember secret answer*

Huh. Guess I'll look into work around.

*Needs to call billing*

Huh, well I guess those fuckers can keep the account, because that is far too much work to be able to not play those games.

#40 Posted by TooWalrus (13255 posts) -

Here we go again what? They didn't get anything usable, and Blizzard was doing the right thing by encrypting the information so heavily. They also told us right away and guess what- this news hit today and I'm on Battle.net RIGHT NOW.

#41 Posted by BestUsernameEver (4825 posts) -

I learned my lesson, never make an account for anything, ever.

#42 Posted by KaneRobot (1783 posts) -

@TooWalrus said:

Here we go again what?

Battle.net was compromised.

#43 Posted by TooWalrus (13255 posts) -
@KaneRobot said:

@TooWalrus said:

Here we go again what?

Battle.net was compromised.

What is he referring to? Does Battle.net have a reputation of being compromised? I remember there being a scare around the time Diablo III came out but I think anything vital was lost, and there wasn't any significant downtime as a result, and I know individual accounts are hacked all the time, but that's because there are literally millions of them, and the chance of being hacked can be reduced to basically 0 by using an authenticator. So I'm not sure the sense of sensationalism he's trying to invoke here is really grounded in anything.
#44 Posted by gakon (1952 posts) -

@DonNoFace said:

@gakon said:

@Ben_H said:

@gakon said:

Oh look, I just realized I switched phones and left the authenticator on my old phone, and that old phone has since been the recipient of a hard reset so who knows where that leaves me.

Do you have the SMS security? If you do, you're fine and you can just disable the authenticator. If not, well, I don't know how to put this positively... have fun dealing with support I guess (I've heard it is a pain to remove an authenticator without SMS)?

It's an app authenticator, for Windows Phone 7 specifically. So, yeah... we'll see. Mists isn't out for another month anyway.

[edit] Also I wonder how any of these authenticators work if you delete them off your phone and then redownload them. On iOS and WP7, when you delete an app all the data goes with it, which I assume would include whatever unique identifier is attached to the authenticator. Unless they know how to bind it to the Apple ID of the person who downloaded the app, I dunno.

I had a similar problem. Just call their tech support and explain to them the situation. It seems common enough that they're used to it. As an added bonus, the Blizzard tech support is incredibly kind and helpful.

I've had to appeal a few bans (following account compromises) with the phone tech support and they were always super friendly about it. Obviously that probably doesn't happen to everyone but my experience has been nothing but positive.

#45 Posted by FateOfNever (1855 posts) -

This sucks, but, I also really don't get the people that are, more or less, pointing at Blizzard and going "This is your fault, assholes!" But whatever, it's cool to hate on Blizzard, right?

I'm also debating if I really want to bother changing my password. I know that changing it would be for the better though, so, maybe I'll go do that tomorrow or just before I go to bed. I'm also just really not that concerned considering how strong my passwords usually are, and that all the passwords were encrypted, and that I still have an authenticator. Or maybe I'll wait until they prompt me to change my secret question and answer because until they do that, it doesn't really matter if I change my password, does it? And since you can't change your secret question and answer on your own, not much I can do until they prompt me.

#46 Posted by EXTomar (4916 posts) -

As long as the email you submitted to Battle.net doesn't use the same password or the same info, you are probably fine for the short term. Personally I change the password every time I make a modification, which is uncommon and usually a "a new game got released" event.

Reading the announcement, it sounds like an internal compromise: Someone who worked for Blizzard or contracted got into something they were not supposed to, to do something they were not supposed to. There have been rumblings for a while now that one of the issues about their global service is that it requires them to share important information about how Battle.net works with people who aren't vetted as highly as other places.

#47 Posted by NickL (2247 posts) -

@TooWalrus said:

@KaneRobot said:

@TooWalrus said:

Here we go again what?

Battle.net was compromised.

What is he referring to? Does Battle.net have a reputation of being compromised? I remember there being a scare around the time Diablo III came out but I think anything vital was lost, and there wasn't any significant downtime as a result, and I know individual accounts are hacked all the time, but that's because there are literally millions of them, and the chance of being hacked can be reduced to basically 0 by using an authenticator. So I'm not sure the sense of sensationalism he's trying to invoke here is really grounded in anything.

Yet another compromise scare related to a video game thing. Like PS3 and steam. Don't really think he meant anything more direct by it.

#48 Posted by TyCobb (1976 posts) -

Hopefully now the passwords will be case-sensitive and also not have a cap on the length. Couldn't believe it when I realized my password was 1/3 shorter than what it was supposed to be. Doesn't matter what your password is. All that matters is the length.

This is Blizzard's mindset: "Do we make the user have a password? Yes? Our job is done."

Good thing Diablo 3 has made me never want to purchase another Blizzard game again. Blizzard is nothing but a giant target for hackers and in my eyes one of the greediest companies around.

#49 Posted by mrpandaman (870 posts) -

@BestUsernameEver said:

I learned my lesson, never make an account for anything, ever.

Well if we all really learn our lesson, we should never use the internet again.
