Blizzard/Activision security breach - personal account information stolen

Grooveriding

Diamond Member
Dec 25, 2008
9,108
1,260
126
http://us.blizzard.com/en-us/securityupdate.html

...


This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.


Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.


We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.



...
If you still play Blizzard games, watch your accounts, email tied to your battle.net account, spam/phishing calls to your attached mobile phone and charges on any associated credit card/paypal accounts.

This also raises a lot of questions about the huge rash of Diablo 3 accounts being hacked in the first month of that game's release, then silence following. Almost like a security hole had suddenly been patched... Or maybe not. Either way I have personally removed my cell from their mobile alerts, unlinked my Paypal and removed my credit card information from my battle.net account. I don't play Blizzard games any more, but just in case.

Update: Account hacks are starting to take place.

https://twitter.com/BlizzardCS
http://www.facebook.com/BlizzardCS
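The statement above says the stolen password material was SRP data rather than passwords, and that "each password would have to be deciphered individually". The following added example (not Blizzard's code; their actual group, hash and salt sizes are not stated in the thread, so the RFC 5054 1024-bit group, SHA-256 and 16-byte salts used here are assumptions) computes SRP-6a verifiers the way a server would at enrolment and shows why a stolen verifier table cannot be attacked with one precomputed lookup: the same password enrolled twice yields two unrelated verifiers because each one is bound to its own random salt.

```python
import hashlib
import os

# SRP-6a group parameters. N and g are the 1024-bit group from RFC 5054,
# Appendix A, transcribed here. Blizzard's real parameters are not public in
# the thread, so this group is an assumption made for illustration only.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2


def srp_private_key(username: str, password: str, salt: bytes) -> int:
    """x = H(salt || H(username ":" password)), the SRP-6a client secret.

    SHA-256 is an assumed choice; RFC 5054 itself specifies SHA-1 for TLS-SRP.
    """
    inner = hashlib.sha256(f"{username}:{password}".encode("utf-8")).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def srp_verifier(username: str, password: str, salt: bytes) -> int:
    """v = g^x mod N: the value the server stores instead of the password."""
    return pow(g, srp_private_key(username, password, salt), N)


def enrol(username: str, password: str) -> dict:
    """Build the per-account record a server keeps: identity, random salt and
    verifier. The password itself is never stored."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "verifier": srp_verifier(username, password, salt),
    }


def verifiers_collide(username_a: str, username_b: str, password: str) -> bool:
    """Enrol two accounts with the identical password and report whether the
    stored verifiers are equal. They are not, because each record carries its
    own fresh salt, so a table of verifiers precomputed for common passwords
    matches nothing in a stolen database and every record has to be worked on
    separately. That is the property the Blizzard statement refers to."""
    a = enrol(username_a, password)
    b = enrol(username_b, password)
    return a["verifier"] == b["verifier"]


if __name__ == "__main__":
    record = enrol("alice", "hunter2")  # constructed sample account
    print("salt:", record["salt"].hex())
    print("verifier bits:", record["verifier"].bit_length())
    print("same password, two accounts, equal verifiers?",
          verifiers_collide("alice", "bob", "hunter2"))
```

The verifier is still a one-way function of the password, so a weak password can be guessed per record by recomputing `g^x mod N` for each candidate; the salt removes shared precomputation, not per-account guessing. That is why the statement's advice to change the password, and any password reused elsewhere, is the right response to a stolen verifier table.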
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,046
177
116
Thanks for letting us know... craziness, whoever did this was pretty good!
 

thespyder

Golden Member
Aug 31, 2006
1,979
0
0
I kind of have to laugh. This type of thing was inevitable. And really, who didn't see it coming? People are already playing Diablo 3 like a money-making venture. It was only a matter of time before someone, seeing all of the money changing hands, thought it was a good idea to hack into Blizzard servers and attempt a more direct method of making money.

Thanks for the heads up.
 

tHa ShIzNiT

Platinum Member
Feb 15, 2000
2,321
8
81
Jesus, there is a veritable shitload of my information being potentially leaked lately.
 

Dumac

Diamond Member
Dec 31, 2005
9,391
1
0
Based on their statement, nothing too valuable was lost.

They could be lying, though.
 

Nintendesert

Diamond Member
Mar 28, 2010
7,761
5
0
Based on their statement, nothing too valuable was lost.

They could be lying, though.



So getting the answers to your personal security questions isn't too valuable to you? :confused:

They have your email and answers. They can reset your own email passwords now if you don't have different questions, and betting on how many people reuse passwords, they have the same security questions too.

Most people don't even use the one-time password features of their email/banking/video game service, so there could potentially be a lot of hurt people from this.

I'm really curious as to why the security question answers weren't hashed like passwords are. D:
 

shurato

Platinum Member
Sep 24, 2000
2,398
0
76
Thanks for the heads up. I haven't logged into Battle.net in ages. I changed my password. Man, I haven't played a good Blizzard game since Warcraft 3.
 

Dumac

Diamond Member
Dec 31, 2005
9,391
1
0
So getting the answers to your personal security questions isn't too valuable to you? :confused:

They have your email and answers. They can reset your own email passwords now if you don't have different questions, and betting on how many people reuse passwords, they have the same security questions too.

Most people don't even use the one-time password features of their email/banking/video game service, so there could potentially be a lot of hurt people from this.

I'm really curious as to why the security question answers weren't hashed like passwords are. D:

Gmail has custom security questions, plus the answer is sent by text or to a backup email address.

I don't even know what my battle.net answers are. Are the questions leaked or just the answers?
 

Elixer

Lifer
May 7, 2002
10,376
762
126
This could be really bad, if they have backdoor access that bypasses the fob.
 

Nintendesert

Diamond Member
Mar 28, 2010
7,761
5
0
Gmail has custom security questions, plus the answer is sent by text or to a backup email address.

I don't even know what my battle.net answers are. Are the questions leaked or just the answers?



I have no idea yet. Considering all the hacks that happened with Diablo 3 and now this, I'm willing to bet that the full extent of the intrusion and compromise is much greater than they are letting on.

As for Gmail, it has some good protection if you set it up right. The victims though only need to be a small minority of users exploited by this to cause a major problem. We'll see how it turns out in time, but this is the first major attack like this where I remember them getting security question answers.

Though this isn't nearly as bad as Sony's plaintext passwords. D:
 

Kalmah

Diamond Member
Oct 2, 2003
3,692
1
76
In all seriousness, I'm trying to decide how much I care. I'm too lazy to go change my password. I paid the $6 for the authenticator. Tired of dealing with everything Blizzard. I'm not sure if my Battle.net account is worth anything to me anymore. Now that I think about it, D2 and war2.exe were the last games that I remember enjoying.
They can have it.

I think the way that users are authenticated needs to be re-designed. Now I gotta go and change my gmail password again I suppose. *sigh*
 

Imp

Lifer
Feb 8, 2000
18,829
184
106
Thank goodness I had to put in my address and all other info except payment... Hey, that's actually better than a store account being hacked.
 

SS Trooper

Senior member
Jun 18, 2012
228
0
0
Blizzard, you poor, poor bastards. Another step in your apparent collapse. You are nearly dead to me after I spent 20 years buying everything you produced. For shame.
 

diesbudt

Diamond Member
Jun 1, 2012
3,393
0
0
Good thing I use separate passwords for everything and have an authenticator and no CC info on B.net's site.
 

SMOGZINN

Lifer
Jun 17, 2005
14,202
4,401
136
and information relating to Mobile and Dial-In Authenticators were also accessed.
This will likely allow whoever has access to this information to spoof the Authenticators, making them basically worthless.
 

crownjules

Diamond Member
Jul 7, 2005
4,858
0
76
Companies are getting hacked left and right. There are just so many vulnerabilities and points of access. Sadly, most private companies do not stress security enough since it's a money sink. They don't think of the huge PR hit and loss of consumer confidence when the shit hits the fan. So far, it seems Blizzard is one of the better prepared companies.
 

Imp

Lifer
Feb 8, 2000
18,829
184
106
Great.... I changed my password this morning, now I can't log in (I wrote the password down, so wtf?), and I can't reset because I borrowed someone's phone for the SMS Protect and they're in another country.
 

Olikan

Platinum Member
Sep 23, 2011
2,023
275
126
lol, it's actually refreshing to see a greedy company having problems
 

Arkadrel

Diamond Member
Oct 19, 2010
3,681
2
0
lol, it's actually refreshing to see a greedy company having problems


Except that I had to go change some passwords and questions etc. :p

But yeah, I agree, Blizzard are freaking greedy.

They cashed out on Diablo III, and made it so they could "profit" extra from an auction house, then made the entire game based around a "not enjoyable" experience without forking out real money for items. So they could profit even more, at the cost of those that didn't want that.

On top of that it cost like $60 and turned out to be a huge letdown.
If there is a Diablo 4 ever made, I won't buy it, unless I wait a month and see what the playerbase says about it (and it's overwhelmingly positive).
 

thespyder

Golden Member
Aug 31, 2006
1,979
0
0
But yeah, I agree, Blizzard are freaking greedy.

They cashed out on Diablo III, and made it so they could "profit" extra from an auction house, then made the entire game based around a "not enjoyable" experience without forking out real money for items. So they could profit even more, at the cost of those that didn't want that.

On top of that it cost like $60 and turned out to be a huge letdown.
If there is a Diablo 4 ever made, I won't buy it, unless I wait a month and see what the playerbase says about it (and it's overwhelmingly positive).

I read an article around the time that D3 launched about how they were working on D3 in the early 2000s, only 'Corporate' wanted them to go in a different direction. So a bunch of the programmers left the company. Not sure how much of that was hype, but I agree 100% that the game we got was based strongly on the "pay to win" model, and that quite a lot of the 'fun' elements from D2 were altered to fit into that model, making the game significantly less fun to play.