PSA: Battle.net security breach

http://www.blizzard.com/securityupdate

Players and Friends,

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Sincerely,
Mike Morhaime

And as a thing: If you *still* haven't put an authenticator on your Battle.net account, please do it. It's a little thing that'll save you a ton of hassle.
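An added illustration, not part of Blizzard's notice or this post, of why a leaked SRP verifier table has to be worked through one account at a time: each verifier is derived from a per-account random salt, so identical passwords yield unrelated verifiers, and the only way to test a candidate password is a modular exponentiation per account. The group below is the RFC 5054 1024-bit group, assumed here because the notice does not say which parameters Battle.net used.

```python
import hashlib
import secrets

# SRP-6a verifier derivation as in RFC 5054. The 1024-bit group is assumed
# for this example; the notice does not say which group Battle.net used.
N = int("".join([
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C",
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4",
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29",
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A",
    "FD5138FE8376435B9FC61D2FC0EB06E3",
]), 16)
g = 2


def srp_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username ':' password)); the salt makes x per-account."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def srp_verifier(salt: bytes, username: str, password: str) -> int:
    """v = g^x mod N. The server stores (salt, v), never the password or x."""
    return pow(g, srp_x(salt, username, password), N)


def enroll(username: str, password: str, salt=None) -> tuple:
    """Build the record the server keeps for one account (random salt per account)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return username, salt, srp_verifier(salt, username, password)


def check_password(record: tuple, password: str) -> bool:
    """Recompute v for a candidate password and compare. This is one modular
    exponentiation per account per candidate; there is no shared lookup table
    that covers every account at once, which is why each password must be
    attacked individually once the table leaks."""
    username, salt, v = record
    return srp_verifier(salt, username, password) == v
```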

A bit of a bump. Thanks for the heads up.

I'm just going to use a secure one-off password and, between this and the disappointment that Diablo 3 was for me, just not patronise Blizzard much in the future, I think. I'm still on a company BlackBerry (their mobile authenticator doesn't support the newest model) and I'm not paying them money for an authenticator because of their inability to secure their system.

Some people in other forums have been mentioning that there were a not insignificant number of users complaining about their accounts being hacked not long after D3 launched and Blizzard kept going "No no, nothing's wrong, it must be your password, you should buy an authenticator." I wonder if this has been an issue for a while and it took them a long time to confirm it.

The always-on cloud future, whee!

Well that was inevitable. *sigh* I think I'm at the point where the number of services that haven't been compromised is smaller than the ones that have.

Parallax Abstraction wrote:

I wonder if this has been an issue for a while and it took them a long time to confirm it.

You'd think it would've presented itself sooner given WoW has more users and has been running longer.

The always-on cloud future, whee! :)

Not to be pedantic, but this would've happened regardless of Bnet 2.0's required authentication. Blizzard's got a lot of credit card numbers locked up in their system due to WoW and people buying games/merch from them.

Parallax Abstraction wrote:

I wonder if this has been an issue for a while and it took them a long time to confirm it.

My thoughts too. Unless I missed it in the release they didn't put a time frame on the access the hackers had to those databases... so it could have been involved in the D3 issues. Unfortunately, they'll probably not admit any responsibility like most other companies.

shoptroll wrote:

Well that was inevitable. *sigh* I think I'm at the point where the number of services that haven't been compromised is smaller than the ones that have.

Parallax Abstraction wrote:

I wonder if this has been an issue for a while and it took them a long time to confirm it.

You'd think it would've presented itself sooner given WoW has more users and has been running longer.

The always-on cloud future, whee! :)

Not to be pedantic, but this would've happened regardless of Bnet 2.0's required authentication. Blizzard's got a lot of credit card numbers locked up in their system due to WoW and people buying games/merch from them.

I agree. It would have come up a lot sooner if it had been going on for a while, especially with WoW. Who knows how long it's been going on, but I would think they would catch it sooner than later.

Lothar wrote:

I agree. It would have come up a lot sooner if it had been going on for a while, especially with WoW. Who knows how long it's been going on, but I would think they would catch it sooner than later.

I don't know. People get hacked all the time in WoW... what would make them catch this sooner or suspect this over traditional social engineering and phishing?

Duoae wrote:
Lothar wrote:

I agree. It would have come up a lot sooner if it had been going on for a while, especially with WoW. Who knows how long it's been going on, but I would think they would catch it sooner than later.

I don't know. People get hacked all the time in WoW... what would make them catch this sooner or suspect this over traditional social engineering and phishing?

Something must have alerted them to there being someone in their network; I would assume that it would have been a change to the system or something that alerted them to the hack. What it was and how long they had access? I have no clue, but until I can see more information, I will take it that it has happened recently.

Going to have to remember to change my password when I get home (where my authenticator lives).

shoptroll wrote:

Not to be pedantic, but this would've happened regardless of Bnet 2.0's required authentication. Blizzard's got a lot of credit card numbers locked up in their system due to WoW and people buying games/merch from them.

Well, you're right in that the always-on component of the game didn't contribute to this but I do think forcing people to sign in to an account, even when they want to play single player could have resulted in many more accounts getting exposed than otherwise would have. But in the end, it's not the number of accounts but that a breach happened at all that's the main worry.

Parallax Abstraction wrote:

Well, you're right in that the always-on component of the game didn't contribute to this but I do think forcing people to sign in to an account, even when they want to play single player could have resulted in many more accounts getting exposed than otherwise would have.

True, but that would still be a large number of accounts even if you take away Starcraft II and Diablo III :\

But in the end, it's not the number of accounts but that a breach happened at all that's the main worry.

Agreed. At this point I'm just waiting for Google to get compromised.

Quick question: I haven't been to battle.net for maybe a year or two and my mobile authenticator was on an old phone. Is it worth me going through all the hassle to try to get a new authenticator, etc. etc. just to change my password? Since I did have an authenticator on my account it should be safe, right?

Looks like I missed this PSA - even with my authenticator, I can't log on, and my security question doesn't work. Granted, I haven't played for a few months, so I've been out of the Diablo 3 loop. I would really like to play my single player game without having to send in picture ID to Blizzard to reset my account. I'm a bit livid right now.

Looks like my wife and son's accounts were both hacked too. Gah!

Authenticators will lose sync after awhile, if they haven't been used -- their clocks drift. WoW can correct for drift when you type in correct sequences that are a little too soon or too late, but if you don't log in for long enough, the divergence becomes too great, and you have to talk to a CS rep.
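An added example (mine, not Malor's or Blizzard's; the page does not describe the Battle.net authenticator's internals) of the drift handling this post describes, modelled as RFC 6238 TOTP: the server accepts a correct code a couple of 30-second steps early or late, records the offset so the device stays in sync, refuses reuse of an accepted code, and once the device has drifted beyond the window the code is rejected and a manual resync is the only way back.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, as in RFC 6238


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Code for one time step (HOTP over the step counter, SHA-1, 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class DriftTolerantVerifier:
    """Server-side check that tolerates a slow or fast device clock.

    `window` is how many steps early or late a code may be; `offset` is the
    device-clock offset (in steps) learned from the last accepted code, so a
    device that keeps drifting stays usable as long as it logs in now and then.
    A device that drifts further than `window` between logins is rejected
    and needs a manual resync (the "talk to a CS rep" case).
    """

    def __init__(self, secret: bytes, window: int = 2):
        self.secret = secret
        self.window = window
        self.offset = 0          # learned offset in steps (constructed demo starts at 0)
        self.last_counter = -1   # highest accepted step; blocks replay of a used code

    def verify(self, code: str, server_time: int) -> bool:
        base = server_time // STEP + self.offset
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already used (or older than one we accepted): replay
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.offset += delta        # resync to the device's clock
                self.last_counter = counter
                return True
        return False
```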

Malor wrote:

Authenticators will lose sync after awhile, if they haven't been used -- their clocks drift. WoW can correct for drift when you type in correct sequences that are a little too soon or too late, but if you don't log in for long enough, the divergence becomes too great, and you have to talk to a CS rep.

How long is "awhile?"

LobsterMobster wrote:
Malor wrote:

Authenticators will lose sync after awhile, if they haven't been used -- their clocks drift. WoW can correct for drift when you type in correct sequences that are a little too soon or too late, but if you don't log in for long enough, the divergence becomes too great, and you have to talk to a CS rep.

How long is "awhile?"

That would explain the sync feature on the mobile authenticators.

I can't even get as far as the authenticator in most cases though, it was hacked - hook, line and sinker. I sucked it up and sent in a copy of my photo ID (seriously.. ffs.. to play a single player game..) albeit heavily edited, as I don't want my face and other personal information stolen from their servers. They responded that they didn't think my account was compromised.. and did not reset my information.

So I submitted another ticket today. I'll give them another couple chances before I open a case with the Better Business Bureau.

How long is "awhile?"

I'm not sure. It probably depends on the specific physical Authenticator in question, and how accurate it is.

Guess I'll find out when I get home.

Swat wrote:

They responded that they didn't think my account was compromised.. and did not reset my information.

Why do they think you aren't compromised?

They closed the ticket with:

"We have reviewed our logs for the Diablo III account attached to this Battle.net account, and we were unable to verify a compromise took place."

Swat wrote:

They closed the ticket with:

"We have reviewed our logs for the Diablo III account attached to this Battle.net account, and we were unable to verify a compromise took place."

So you can't log into your account, and they just won't assist you with that? That's... interesting. Torchlight II for me from now on. Just gotta install it on the back room computer.