Battle.net Compromised. Here we go again.

#1 Edited by Metal_Mills (3439 posts) -
http://us.blizzard.com/en-us/securityupdate.html
 

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts. 
 

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Sincerely,
Mike Morhaime



 Oh shit! At least they didn't leave passwords just sitting there exposed but god damn.
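The announcement above says the stolen password data were SRP verifiers that "would have to be deciphered individually". The block below is an added example, not Blizzard's code (their group size, hash function and username handling are not public; SHA-256 and the RFC 5054 1024-bit group here are my choices). It derives SRP-6a verifiers with the RFC 5054 formulas and then runs a dictionary attack against a small constructed verifier table. The accounts, passwords and wordlist are constructed, and the function names are mine.

```python
"""SRP-6a verifier derivation (RFC 5054 formulas, SHA-256) and an offline
dictionary attack against a leaked verifier table. Added example; not
Blizzard's code, whose group, hash and username handling are not public.
The accounts, salts, passwords and wordlist below are constructed."""
import hashlib
import os
import random

# RFC 5054 1024-bit group, g = 2. Callers assert is_safe_prime(N) so a
# transcription error in this constant cannot go unnoticed.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin: trial division first, then `rounds` random witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(2012)  # fixed seed: reproducible witnesses
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(n: int) -> bool:
    """SRP needs N = 2q + 1 with q prime; otherwise small subgroups leak bits of x."""
    return is_probable_prime(n) and is_probable_prime((n - 1) // 2)


def private_key(username: str, password: str, salt: bytes) -> int:
    """x = H(s | H(I ':' P)) from RFC 5054. Case is significant in both I and P."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def make_verifier(username: str, password: str) -> tuple[bytes, int]:
    """What the server stores per account: a fresh 16-byte salt and v = g^x mod N.
    The password itself is never written anywhere."""
    salt = os.urandom(16)
    return salt, pow(g, private_key(username, password, salt), N)


def verify_password(username: str, password: str, salt: bytes, v: int) -> bool:
    """Server-side equivalent of a successful SRP login for a known plaintext."""
    return pow(g, private_key(username, password, salt), N) == v


def crack_verifier(username: str, salt: bytes, v: int, wordlist: list[str]):
    """Offline attack on one leaked (salt, v) row. Every guess costs one modular
    exponentiation in the group; returns (password or None, guesses made)."""
    for i, guess in enumerate(wordlist, 1):
        if pow(g, private_key(username, guess, salt), N) == v:
            return guess, i
    return None, len(wordlist)


def crack_database(leaked: dict[str, tuple[bytes, int]], wordlist: list[str]):
    """Attack every row. Because salt and username enter x, no work is shared
    between accounts: total cost is (accounts x wordlist), not (wordlist)."""
    found, total = {}, 0
    for user, (salt, v) in leaked.items():
        pw, n = crack_verifier(user, salt, v, wordlist)
        total += n
        if pw is not None:
            found[user] = pw
    return found, total


if __name__ == "__main__":
    assert is_safe_prime(N)
    leaked = {u: make_verifier(u, p) for u, p in
              [("alice", "hunter2"), ("bob", "letmein"), ("carol", "Tr0ub4dor&3")]}
    print(crack_database(leaked, ["123456", "password", "letmein", "hunter2", "dragon"]))
```

Two caveats worth keeping in mind when reading the announcement. First, "deciphered individually" is exactly the crack_database cost model: the per-account salt rules out a shared lookup table, but a weak password still falls to a per-account wordlist pass, and each guess is one modexp whose cost depends on the group size and hash the operator actually chose. Second, holding (salt, v) does not let an attacker log in as the client, but it does let them impersonate the server to that client, which is another reason to change the password rather than rely on the verifier alone.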
#2 Posted by MordeaniisChaos (5904 posts) -

Well, at least my password hint is probably "The Usual."

#3 Posted by SmilingPig (1370 posts) -

Blizzard is a victim of its own success. Too bad for the rest of us who got hacked.

#4 Posted by jjnen (680 posts) -

I'm lazy. Should I change my password?

#5 Posted by Cloudenvy (5893 posts) -

I'm in Europe so thankfully this doesn't affect me. Sucks for people on the North American servers.

#6 Posted by Garfield518 (424 posts) -

Maybe now they'll actually allow passwords to be case sensitive.

#7 Posted by Ben_H (3930 posts) -

@Garfield518 said:

Maybe now they'll actually allow passwords to be case sensitive.

??? All of my Bnet passwords are case sensitive and don't work otherwise. I just tried. They allow case sensitive passwords and allow punctuation to be used as well.

#8 Posted by Shivoa (1529 posts) -

@Garfield518 said:

Maybe now they'll actually allow passwords to be case sensitive.

This. Their security system needlessly threw away password complexity and that's a good sign they were using the authenticator to mask a very low priority for actual security development. I'm shocked it took this long.

#9 Posted by Shivoa (1529 posts) -

@Ben_H said:

@Garfield518 said:

Maybe now they'll actually allow passwords to be case sensitive.

??? All of my Bnet passwords are case sensitive and don't work otherwise. I just tried. They allow case sensitive passwords and allow punctuation to be used as well.

Word of blue, you are wrong if you are talking about B.Net passwords before this compromise. I have no idea if they just changed it right now but historically all B.Net access has always allowed entry with case insensitivity.

#10 Posted by yinstarrunner (1314 posts) -

Man, my account just got hacked on Battle.net last week.
 It's weird because I've been on the internet for 12 years now, and my Battle.net account is the only thing that has EVER been hacked, even though in the old days I used a super common, easily crackable password.  Yet my Battle.net account has been hacked THREE times in the past three years.
 Something about Blizzard games brings out the worst in people, I guess. lol.

#11 Posted by Jay444111 (2639 posts) -

Wow... thanks Blizzard... well... looks like I have to change a password for something I never use due to Blizzard's horrid security and the fact that their downloader SUCKS and it would have taken me 3 just to download the patches to the demo of WoW... so yeah... thanks a fucking bunch Blizzard!

#12 Edited by NaDannMaGoGo (338 posts) -

@Shivoa said:

@Garfield518 said:

Maybe now they'll actually allow passwords to be case sensitive.

This. Their security system needlessly threw away password complexity and that's a good sign they were using the authenticator to mask a very low priority for actual security development. I'm shocked it took this long.

Eh Brute Forcing that stuff isn't a problem. That wouldn't be worth the cost, case-sensitive or not.

The question is rather if they can get behind the encryption.

And well lots of emails, so more spam, more phishing mails and thus more victims in that regard.

#13 Posted by Will1Lucky (412 posts) -

@Cloudenvy said:

I'm in Europe so thankfully this doesn't affect me. Sucks for people on the North American servers.

Personally mate I'd change it anyway as I just have, better safe than sorry.

#14 Posted by Brunchies (2501 posts) -

Good thing I don't have anything important on my account.

#15 Posted by John1912 (2393 posts) -

@yinstarrunner said:

Something about Blizzard games brings out the worst in people, I guess. lol.

Money....

#16 Posted by Ravenlight (8057 posts) -

@Brunchies said:

Good thing I don't have anything important on my account.

That doesn't mean you shouldn't change your password anyway. If the same email address you use for Bnet is attached to other logins (IE: your bank) whoever stole the Bnet data could theoretically get into your other stuff, too.

#17 Edited by MordeaniisChaos (5904 posts) -

@Jay444111 said:

Wow... thanks Blizzard... well... looks like I have to change a password for something I never use due to Blizzard's horrid security and the fact that their downloader SUCKS and it would have taken me 3 just to download the patches to the demo of WoW... so yeah... thanks a fucking bunch Blizzard!

Well, there's no way to know if Blizzard had "horrid security" so before ya bitch about it, maybe you should rein that in a bit. Security is a funny thing. Honestly, chances are you'll be fine. Look at the Sony outage/hacking. As far as we know, there were no real issues that came about from the data that was accessed. No one had their banks accessed or anything like that. In fact, I doubt there is much of anything that was done with the stuff that was accessed. I don't remember hearing about so much as PSN accounts being accessed in any great number.

The real strength of the security in most cases isn't the thing keeping people out of the data but rather stopping them from using it. It's much easier to make the data useless than to build a hack proof system to keep it out of the hands of hackers. So chances are you'll be fine. You should of course ALWAYS be safe, change your password, etc.

And the Downloader isn't really important here. On top of that, it works the way all MMO launchers work. So, keep your whining at least to a relevant thread on that.

@yinstarrunner said:

Man, my account just got hacked on Battle.net last week. It's weird because I've been on the internet for 12 years now, and my Battle.net account is the only thing that has EVER been hacked, even though in the old days I used a super common, easily crackable password. Yet my Battle.net account has been hacked THREE times in the past three years. Something about Blizzard games brings out the worst in people, I guess. lol.

Battle.net accounts, because of Gold Farming and the like, are extremely valuable. And there are about a trillion phishing scams out there trying to get you to log into a fake battle.net, which of course gives them your password. If you ever clicked a link in your email to sign into battle.net, it was probably a scam.

Also, as far as I know, the strength of your password means fuck all when it comes to this sort of breach of security, it's all up to the encryption. If you have an encrypted password, you already have the password. Once you decrypt it, you know the password that will work with the account. It's not significantly more work to decrypt a password with case sensitivity as far as I know. Password complexity is more of a front door protection, that stops people from brute forcing your password from scratch, or discovering it some other way. Encryption protects from when password data is acquired, making it difficult to turn that data into anything useful. Case sensitivity isn't important for a complex password anyway. Yes, it doubles the number of letter characters you can use, but you already have access to plenty of characters as it is. Just use what you have available to create a strong password and you'll still be fine. A hash with no case sensitivity is still possible, and still pretty effective.

#18 Edited by Seppli (11232 posts) -

Ya - not playing Diablo 3 anymore. Wonder if I'll pick up the inevitable expansions. 'Til that didn't happen, this is of no concern to me.

Endgame sucked major dicktits. Yet another game skewed to make indecent amounts of money by fucking with proper reward pacing.

Not with a 60$ game. Not with me.

#19 Posted by NaDannMaGoGo (338 posts) -

@Seppli said:

Ya - not playing Diablo 3 anymore. Wonder if I'll pick up the inevitable expansions. 'Til that didn't happen, this is of no concern to me.

Endgame sucked major dicktits. Yet another game skewed to make indecent amounts of money by fucking with proper reward pacing.

Not with a 60$ game. Not with me.

Well we do certainly understand that you're just a bad joke on this forum by now, but really? That off topic?

#20 Posted by Milkman (18913 posts) -

@Seppli said:

Ya - not playing Diablo 3 anymore. Wonder if I'll pick up the inevitable expansions. 'Til that didn't happen, this is of no concern to me.

Endgame sucked major dicktits. Yet another game skewed to make indecent amounts of money by fucking with proper reward pacing.

Not with a 60$ game. Not with me.

What does this have to do with anything?

#21 Posted by Mcfart (2021 posts) -

Unless they want to renew my WoW sub (in which case I'd tell Bliz my account was hacked) then those Chinese got nothing on me

#22 Posted by fox01313 (5205 posts) -

Glad I've been using the authenticator since WoW so at least I feel slightly better though it could just be putting out a random series of numbers that don't do anything more than a keychain sized placebo. Kind of surprised to hear this though as Blizz is still one of the larger MMORPGs out there so while it's only a matter of time for the hackers to get in, you'd think they'd be more secure considering their customer base. At least it wasn't another PS3pocalypse in how long they are shut down.

#23 Posted by bemusedchunk (886 posts) -

My WoW account has been hacked about once a year now.

This is just par for the course...

#24 Posted by gakon (2010 posts) -

Oh look, I just realized I switched phones and left the authenticator on my old phone, and that old phone has since been the recipient of a hard reset so who knows where that leaves me.

#25 Posted by Seppli (11232 posts) -

@Milkman: @NaDannMaGoGo:

The lack of care is as ontopic as it gets.

#26 Posted by Lotan (250 posts) -

ARGGGGG

This is the worst. Time to go change everything...AGAIN.

Thanks internet.

#27 Posted by Zithe (1060 posts) -

@MordeaniisChaos: That seems like a dumb thing to say and admit. All security question and answer systems do not work the same way. They don't all show you your hint and ask for your password. You might want to pay attention when you set those things up and you also might want to edit or delete that comment.

#28 Posted by Ben_H (3930 posts) -

@gakon said:

Oh look, I just realized I switched phones and left the authenticator on my old phone, and that old phone has since been the recipient of a hard reset so who knows where that leaves me.

Do you have the SMS security? If you do, you're fine and you can just disable the authenticator. If not, well, I don't know how to put this positively... have fun dealing with support I guess (I've heard it is a pain to remove an authenticator without SMS)?

#29 Posted by LikeaSsur (1752 posts) -

Jeez, I didn't know Blizzard was so hated on. What did they do to you, people?

#30 Posted by spiceninja (3239 posts) -

@LikeaSsur said:

Jeez, I didn't know Blizzard was so hated on. What did they do to you, people?

They became a popular multi-million dollar company. Damn them.

#31 Edited by Jay444111 (2639 posts) -

@Mcfart said:

Unless they want to renew my WoW sub (in which case I'd tell Bliz my account was hacked) then those Chinese got nothing on me

Me as well... fuck, I haven't even done anything with it since trying to download the damn demo. So yeah, they can have fun with the fact that I don't have jack shit on me!

#32 Edited by gakon (2010 posts) -

@Ben_H said:

@gakon said:

Oh look, I just realized I switched phones and left the authenticator on my old phone, and that old phone has since been the recipient of a hard reset so who knows where that leaves me.

Do you have the SMS security? If you do, you're fine and you can just disable the authenticator. If not, well, I don't know how to put this positively... have fun dealing with support I guess (I've heard it is a pain to remove an authenticator without SMS)?

It's an app authenticator, for Windows Phone 7 specifically. So, yeah... we'll see. Mists isn't out for another month anyway.

[edit] Also I wonder how any of these authenticators work if you delete them off your phone and then redownload them. On iOS and WP7, when you delete an app all the data goes with it, which I assume would include whatever unique identifier is attached to the authenticator. Unless they know how to bind it to the Apple ID of the person who downloaded the app, I dunno.

#33 Posted by CatsAkimbo (787 posts) -

I've come to terms with the fact that account compromises are going to happen all the time going forward, but damn if it isn't annoying. Things like this are why I haaate creating an account for anything anymore, because it's just another thing that'll be compromised sometime in the future.

#34 Posted by probablytuna (4922 posts) -

Woke up just then, just changed my password now. Hate changing passwords.

#35 Posted by smcn (949 posts) -

So when can I just buy a USB biometric scanner and stop having to worry about password bullshit?

#36 Posted by Stonyman65 (3615 posts) -

@yinstarrunner said:

Man, my account just got hacked on Battle.net last week. It's weird because I've been on the internet for 12 years now, and my Battle.net account is the only thing that has EVER been hacked, even though in the old days I used a super common, easily crackable password. Yet my Battle.net account has been hacked THREE times in the past three years. Something about Blizzard games brings out the worst in people, I guess. lol.

It's a gold mine, that's why. Gotta be careful.

#37 Posted by Example1013 (4854 posts) -

@Ravenlight said:

@Brunchies said:

Good thing I don't have anything important on my account.

That doesn't mean you shouldn't change your password anyway. If the same email address you use for Bnet is attached to other logins (IE: your bank) whoever stole the Bnet data could theoretically get into your other stuff, too.

Assuming my bank doesn't use multiple levels of security, which it does. Short of me unwittingly downloading a keylogger my bank info is pretty safe overall.

#38 Posted by DeadVillager (80 posts) -

@gakon said:

@Ben_H said:

@gakon said:

Oh look, I just realized I switched phones and left the authenticator on my old phone, and that old phone has since been the recipient of a hard reset so who knows where that leaves me.

Do you have the SMS security? If you do, you're fine and you can just disable the authenticator. If not, well, I don't know how to put this positively... have fun dealing with support I guess (I've heard it is a pain to remove an authenticator without SMS)?

It's an app authenticator, for Windows Phone 7 specifically. So, yeah... we'll see. Mists isn't out for another month anyway.

[edit] Also I wonder how any of these authenticators work if you delete them off your phone and then redownload them. On iOS and WP7, when you delete an app all the data goes with it, which I assume would include whatever unique identifier is attached to the authenticator. Unless they know how to bind it to the Apple ID of the person who downloaded the app, I dunno.

I had a similar problem. Just call their tech support and explain to them the situation. It seems common enough that they're used to it. As an added bonus, the Blizzard tech support is incredibly kind and helpful.

#39 Posted by beforet (3377 posts) -

Huh, well it's been a while since I've cared about any of those games. But still, rather not be compromised, so I'll just change that stuff.

*Doesn't remember password*

Huh, well I'll reset it.

*Doesn't remember secret answer*

Huh. Guess I'll look into work around.

*Needs to call billing*

Huh, well I guess those fuckers can keep the account, because that is far too much work to be able to not play those games.

#40 Posted by TooWalrus (13391 posts) -

Here we go again what? They didn't get anything usable, and Blizzard was doing the right thing by encrypting the information so heavily. They also told us right away and guess what- this news hit today and I'm on Battle.net RIGHT NOW.

#41 Posted by BestUsernameEver (5026 posts) -

I learned my lesson, never make an account for anything, ever.

#42 Posted by KaneRobot (2668 posts) -

@TooWalrus said:

Here we go again what?

Battle.net was compromised.

#43 Posted by TooWalrus (13391 posts) -
@KaneRobot said:

@TooWalrus said:

Here we go again what?

Battle.net was compromised.

What is he referring to? Does Battle.net have a reputation of being compromised? I remember there being a scare around the time Diablo III came out but I think anything vital was lost, and there wasn't any significant downtime as a result, and I know individual accounts are hacked all the time, but that's because there are literally millions of them, and the chance of being hacked can be reduced to basically 0 by using an authenticator. So I'm not sure the sense of sensationalism he's trying to invoke here is really grounded in anything.
#44 Posted by gakon (2010 posts) -

@DonNoFace said:

@gakon said:

@Ben_H said:

@gakon said:

Oh look, I just realized I switched phones and left the authenticator on my old phone, and that old phone has since been the recipient of a hard reset so who knows where that leaves me.

Do you have the SMS security? If you do, you're fine and you can just disable the authenticator. If not, well, I don't know how to put this positively... have fun dealing with support I guess (I've heard it is a pain to remove an authenticator without SMS)?

It's an app authenticator, for Windows Phone 7 specifically. So, yeah... we'll see. Mists isn't out for another month anyway.

[edit] Also I wonder how any of these authenticators work if you delete them off your phone and then redownload them. On iOS and WP7, when you delete an app all the data goes with it, which I assume would include whatever unique identifier is attached to the authenticator. Unless they know how to bind it to the Apple ID of the person who downloaded the app, I dunno.

I had a similar problem. Just call their tech support and explain to them the situation. It seems common enough that they're used to it. As an added bonus, the Blizzard tech support is incredibly kind and helpful.

I've had to appeal a few bans (following account compromises) with the phone tech support and they were always super friendly about it. Obviously that probably doesn't happen to everyone but my experience has been nothing but positive.

#45 Posted by FateOfNever (1874 posts) -

This sucks, but, I also really don't get the people that are, more or less, pointing at Blizzard and going "This is your fault, assholes!" But whatever, it's cool to hate on Blizzard, right?

I'm also debating if I really want to bother changing my password. I know that changing it would be for the better though, so, maybe I'll go do that tomorrow or just before I go to bed. I'm also just really not that concerned considering how strong my passwords usually are, and that all the passwords were encrypted, and that I still have an authenticator. Or maybe I'll wait until they prompt me to change my secret question and answer because until they do that, it doesn't really matter if I change my password, does it? And since you can't change your secret question and answer on your own, not much I can do until they prompt me.

#46 Posted by EXTomar (5047 posts) -

As long as your email submitted into Battle.net isn't the same password or have the same info you are probably fine for the short term. Personally I change the password every time I make a modification which is uncommon and usually a "a new game got released" event.

Reading the announcement, it sounds like an internal compromise: Someone who worked for Blizzard or contracted got into something they were not supposed to, to do something they were not supposed to. There have been rumblings for a while now that one of the issues about their global service is that it requires them to share important information about how Battle.net works with people who aren't vetted as highly as other places.

#47 Posted by NickL (2267 posts) -

@TooWalrus said:

@KaneRobot said:

@TooWalrus said:

Here we go again what?

Battle.net was compromised.

What is he referring to? Does Battle.net have a reputation of being compromised? I remember there being a scare around the time Diablo III came out but I think anything vital was lost, and there wasn't any significant downtime as a result, and I know individual accounts are hacked all the time, but that's because there are literally millions of them, and the chance of being hacked can be reduced to basically 0 by using an authenticator. So I'm not sure the sense of sensationalism he's trying to invoke here is really grounded in anything.

Yet another compromise scare related to a video game thing. Like PS3 and steam. Don't really think he meant anything more direct by it.

#48 Posted by TyCobb (2031 posts) -

Hopefully now the passwords will be case-sensitive and also not have a cap on the length. Couldn't believe it when I realized my password was 1/3 shorter than what it was supposed to be. Doesn't matter what your password is. All that matters is the length.

This is Blizzard's mindset: "Do we make the user have a password? Yes? Our job is done."

Good thing Diablo 3 has made me never want to purchase another Blizzard game again. Blizzard is nothing but a giant target for hackers and in my eyes one of the greediest companies around.

#49 Posted by mrpandaman (956 posts) -

@BestUsernameEver said:

I learned my lesson, never make an account for anything, ever.

Well if we all really learn our lesson, we should never use the internet again.
