Blizzard Says Battle.Net Has Been Hacked
An anonymous reader writes "Blizzard announced today that its Battle.net service was compromised. The company is urging users to change their login information immediately. Blizzard is stressing that payment information was not compromised. 'The unauthorized access included email addresses associated with Battle.net accounts in all regions, outside of China. Additional information from accounts associated with the North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) was also accessed, including cryptographically scrambled versions of passwords (not actual passwords), the answer to a personal security question, and information relating to Mobile and Dial-In Authenticators. It's important to note that at this time, Blizzard does not believe this information alone is enough to gain access to Battle.net accounts.'"
Thanks for your always-online requirement for Diablo 3! So very useful if I want to play alone.
Can I please have my single player offline games back?
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
I'm going to go out on a glass-half-empty limb here and say that means encrypted, not salted and hashed. "Cryptographically Scrambled" is too obviously ambiguous. I hope I'm wrong!
Since I'm over 25 and work for a living, this does not affect me.
If you want news from today, you have to come back tomorrow.
and removing my CC (oh, wait, I already did that).
This is going to be bigger than the Sony breach
How much is your data worth? Back it up now.
If they got my passwords now, I don't care. After the hassles I have had with D3 from day 1 I don't even care anymore.
have you seen my sig? there are many others like it but none that are the same
Nothing on battle.net, blizzard.com or any other location but MarketWatch. The link in the article goes to a non-existent page on blizzard.com. Not saying shenanigans just yet, but some real information would be nice.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
meet me.
I have a maxed out Mage on Rexar that hasn't yet been hacked, BUT I do agree w/ you. Everyone 'else' I know has had their accounts just trashed.
Naked Gnomes everywhere...
When my account got hacked, it was the final straw that led me to quit WoW. All signs pointed to it being an inside job. I had a dedicated (hard) password for the site, I had not visited any questionable websites, and I hadn't installed any addons in months.
Whoever hacked it had a seriously weird sense of priorities too. They had sold the starting gear off my level 1 bank alt types and mailed off the money (at a loss!) but hadn't bothered to strip my midrange characters. They used my level 85 main character with bot-aided speedruns through Karazhan. Ironically, when I regained control of my character, I had a ton of gold from their most recent run. I donated it all to my guild and quit the next day. Since I was an officer, they'd looted that too - but since it was a casual guild the gold they got me easily replaced any items in there we'd cared about.
My account keeps being hacked*, despite the fact I don't log in, have no real interest in playing the games, change it to random passwords even I don't remember, run Linux day to day, and have it associated with a Gmail account which hasn't had any suspicious activity. I've tried to reason with them, but they refuse to listen. I've come to the conclusion that Blizzard are incompetent in this area.
* I've never seen any proof of my account being hacked besides their e-mails telling me and locking my account. I managed to get them unlocked the first few times; my characters still have all the items and gold I remember. Now they want me to fax a passport or some 'real identification'. I honestly don't want the games that badly, I'm just annoyed they're taking them off me.
Technically I'm working from home today, but I guess good security dictates I log into WoW to change my password and check for any foul play.
They didn't get billing information and can easily revert any accounts that get messed up.
Once a Battle.net account is created, the first name, last name and security question cannot be changed. Since these questions are now compromised, everyone is SOL.
Same WoW password since 2004, never been hacked once. I might not even change it after this because, frankly, I don't care.
Good-bye
Of the 56 unique players in my guild when we quit, only 2 had ever been hacked. We've certainly had people who were hacked off and on over time, (and most of them left the guild) but once they brought in authenticators it was pretty rare for people to get hacked. Even before that, you usually had to do something stupid to get your account hacked.
The most common culprits for it were re-using passwords (especially on WoW fansites, because duh...) and people buying gold. Then there were the usual keyloggers and so on.
I got hacked back in Vanilla when I was running on a Windows machine. It was a result of a key logger I picked up from the Curse addons site after they were compromised. Since moving back to a Mac for my primary WoW machine I haven't been compromised since. I also avoid using Curse as my primary source of Mods, preferring WoW Interface.
Sara
Designer, Gamer, Macgrrl in an XP World
I seem to recall reading in the Security Question comments how Battle.net's system was excellent. That portion of it may have been, and they seem to be responding well to this, but the timing is interesting.
You are not the customer.
That's actually pretty common when people do get hacked. If you have gold they immediately mail it off and sell it, and then try and bot farm whatever the best gold/hour is. That might be tradeskilling, that might be cash runs through bosses, sort of depended.
My lingering suspicion is that WoW was vulnerable to a session spoof attack at some point, or the usual exploit of a Flash vulnerability to get your password, but their systems became overall pretty robust with authenticators added in.
In your case I'd guess a Flash vulnerability, possibly a 0-day one; those are much less of a problem today than they were 2 or 3 years ago when browsers weren't well sandboxed etc. etc. But those sorts of things always got a few people.
As I mentioned below, because I'd forgotten about them when I typed this: Flash exploits as well (which of course had keyloggers of various sorts). Strategy videos and all that.
So were the passwords salted or only encrypted? Do we have yet more passwords in the wild?
The use of secret questions is a weak form of password retrieval. Finding someone's home town or mother's maiden name is not exactly difficult.
Oh, the passwords are cryptographically scrambled? Do they mean hashed or encrypted? I imagine anyone with enough skill to steal all of those accounts knows how to operate a rainbow table. Why not just come clean and tell everyone their passwords are compromised too? Why leave everyone with a nebulous message like "cryptographically scrambled"? Are they encrypted? Or did you just hash+salt them? I for one would really like to know!
Diablo 3 was DOA. It is a hamster-wheel farming game revolving around the auction house with no depth nor creativity.
Summary: It's fun but too easy going through normal, nightmare and hell if you gather a party. Then you hit the inferno act 2 brick wall, and your only hope for punching through that is either the RMAH or something like 100+ hrs into cheese-farming spots like dank cellar (gold) or the ancient path goblin (rares).
I found myself wishing someone else would "play" for a while because the game part peeled away and it was revealed to be a stupid repetitive virtual item farming-trading game. I bought the game mid-May, and haven't touched it past June and don't plan to either. Gonna keep it around for a couple more weeks and then give my login info to the first friend who shows interest when I go back to school for TA'ing in September.
https://dalgamotor.wordpress.com/ - Freedom vaccine for electronic brains (Turkish)
Using scrambling rather than cryptography gets around cryptographic export and import restrictions. This is why it was possible to decrypt a lot of Windows and Microsoft Word scrambled content, and why Windows NT password recovery tools existed.
Unless you want to lock yourself out of most Asian countries where videogaming comes close to a religion, and is therefore worth gobs of money, you will not build something which violates their import restrictions. See also:
http://en.wikipedia.org/wiki/Restrictions_on_the_import_of_cryptography#Status_by_country
Last week my friend had his D3 account hacked, and they treated him as if it was his fault! What a bunch of assholes. Get your shit together Blizzard!
Their shit IS your shit, and being all together is actually the problem; Both in terms of security and bandwidth bottlenecks...
Oh man, I think I created an account for Starcraft I. Do you suppose it's still active? I doubt I can remember what password I used all those years ago, or what email address I might have had at the time.
Store password hashes in the database, but the answer to a security question, which enables resetting the password, in plain text. Cool story Blizzard
CLI paste? paste.pr0.tips!
If I had mod points I'd vote this up.
My battle.net / wow account was fine for years. Never had a problem. Then I installed StarCraft2 and its updates. A day later I get a legitimate e-mail from Blizzard telling me my account had been used to spam the chat channels on wow. Changed my password, and started using their iPhone authenticator app. Nothing from any of my characters was missing. Not a single thing.
When it comes to security I don't think Blizzard knows what it is doing.
Authenticator! Oh yeah, it is free, if you have a smart phone.
When Sony got hacked everyone, and I mean everyone, could not stop spewing unadulterated bile and hatred at Sony for getting hacked, and it went on for a year where no one could post something without acting like an immature, bratty, uninformed child. Dozens of companies were hacked and now Blizzard is, but no one is pissed off.
Real links here: http://us.blizzard.com/en-us/securityupdate.html
http://sea.battle.net/support/en/article/important-security-update-faq
The important thing to note is that the passwords were encrypted with the Secure Remote Password protocol, meaning that rainbow tables are ineffective since each password is individually encrypted instead of using a common hash. Also, the process is CPU expensive so brute forcing is highly unfeasible for passwords of reasonable length.
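The posts above argue about whether "cryptographically scrambled" means a plain hash, a salted hash, or an SRP verifier, and why that matters for precomputed tables. The following is an added example (not Blizzard's code, and not the poster's) showing what a server stores under SRP-6a as specified in RFC 5054: a per-user random salt `s` and a verifier `v = g^x mod N` with `x = H(s | H(I ":" P))`. The group parameters are the 1024-bit group from RFC 5054 Appendix A; the example uses SHA-256 where TLS-SRP uses SHA-1, and the usernames and passwords are constructed. It contrasts the SRP store with an unsalted SHA-256 store to make the table-lookup point concrete: identical passwords collide in the unsalted store, so one table entry cracks every account with that password, while SRP verifiers are bound to each user's salt and identity and can only be tested by recomputing them per record.

```python
import hashlib
import os

# Group parameters: the 1024-bit group from RFC 5054, Appendix A (safe prime N, generator g = 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2


def srp_private_key(salt: bytes, username: str, password: str) -> int:
    """x = H(s | H(I ':' P)) as in RFC 5054 (SHA-256 here; TLS-SRP specifies SHA-1)."""
    inner = hashlib.sha256(f"{username}:{password}".encode("utf-8")).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def srp_verifier(salt: bytes, username: str, password: str) -> int:
    """v = g^x mod N. This, not the password and not x, is what the server keeps."""
    return pow(g, srp_private_key(salt, username, password), N)


def enroll(username: str, password: str, salt: bytes = None) -> dict:
    """Server-side record for one user: identity I, random per-user salt s, verifier v."""
    if salt is None:
        salt = os.urandom(16)
    return {"I": username, "s": salt, "v": srp_verifier(salt, username, password)}


def unsalted_record(username: str, password: str) -> dict:
    """The weak alternative: one common hash of the password with no salt."""
    return {"I": username, "h": hashlib.sha256(password.encode("utf-8")).hexdigest()}


def guess_matches(record: dict, candidate: str) -> bool:
    """Offline test of ONE candidate against ONE SRP record.
    Every test is a fresh modular exponentiation tied to this record's salt and identity,
    so nothing computed here can be reused for another user."""
    return srp_verifier(record["s"], record["I"], candidate) == record["v"]


def table_lookup_hits(records: list, table: dict) -> dict:
    """Apply a precomputed (unsalted hash -> password) table to unsalted records.
    One lookup per record, and every record sharing a password falls together."""
    return {r["I"]: table[r["h"]] for r in records if r["h"] in table}


def demo() -> tuple:
    # Constructed sample data: a tiny "rainbow table" of common passwords and two stores.
    common = ["password", "diablo3", "letmein"]
    table = {hashlib.sha256(p.encode()).hexdigest(): p for p in common}
    unsalted = [
        unsalted_record("alice", "diablo3"),
        unsalted_record("bob", "diablo3"),
        unsalted_record("carol", "Tr0ub4dor&3"),
    ]
    hits = table_lookup_hits(unsalted, table)  # alice and bob recovered by lookup alone
    srp = [enroll("alice", "diablo3"), enroll("bob", "diablo3")]
    same_verifier = srp[0]["v"] == srp[1]["v"]  # False: same password, different s and I
    return hits, same_verifier


if __name__ == "__main__":
    hits, same = demo()
    print("unsalted store, table hits:", hits)
    print("SRP store, identical passwords share a verifier:", same)
```

Note what the example does not show: the cost of each `guess_matches` call is one 1024-bit modular exponentiation, which is far cheaper than a deliberately slow password hash, so a leaked verifier table still permits per-user dictionary guessing; the salt only removes the shared-table shortcut.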
Before I got an auth'er, I once logged into the armory app on my iPhone over an insecure wireless. Yeah, stupid, I know. My account was compromised shortly after. A couple weeks later, I got it back, intact to the way it was before the hack.
Now, I have a password I don't use anywhere else, a mobile auth'er (that I changed the serial number on after I read about this breach), and I have it set to *always* require the auth'er to log in. Now that whatever mobile auth'er info they got regarding my account is useless, I should be relatively okay.
Your "friend" is likely an idiot who has a key-logged, malware-ridden machine. 99.99% of the time, what someone calls "hacking" is nothing more than poor personal security on their own machine.
There is a ton of stupid SHIT being posted here in the Slashdot comments. I don't blame the commenters one bit, though. Why? Because the article was a regurgitated, rehashed pile of shit in comparison to the actual Blizzard press release... which was really hard to find, y'know, being the top post on Blizzard.com after all... A very key detail, the usage of SRP, is completely missed by the article, which is leading to the majority of the confusion here and elsewhere.
http://us.blizzard.com/en-us/securityupdate.html
Well, it probably wasn't their fault. A few account hackers have admitted to hacking fan sites and getting usernames and passwords from there, and trying them against battle.net; quite a few people use the same logon details... and account hacked. Not defending them for what has happened (according to this article), but a lot of people are blaming Blizzard for hacked accounts that had nothing to do with Blizzard. They have really F'd up big time with D3, but account hacking issues up to now haven't been because of them.
I know I am replying to a troll, though I am not actually expecting any kind of sane reply from him, I'm rather replying to his post so that other users would notice the obvious flaw here.
The thing is, if the hack does not actually use any of the OS-specific features to gain access to privileged data then the OS is wholly irrelevant. All the hacks and attacks mentioned by the troll have been because of faults in the Internet-facing software that runs on top of the OS and would've happened just the same if the software were running on *BSD, OS X or Windows. Operating systems simply cannot protect against stupid people or faulty software; that is merely a pipedream. As an example, if there is a bug in your latest Windows-based MMORPG that lets attackers gain access to your data, do you blame Windows or do you blame the MMORPG for the failure? I sure would opt for the latter. With that in mind, the troll in question here is simply trying to associate bugs in third-party software with the OS, shifting blame from one party to another.
Trading 40 SoJs!
My account had a max level character in every slot of my main server. Never got hacked.
Next theory.
I don't think you've realized the magnitude of his insanity or trolling... the smoking crater from his last post here.
As I said, I don't expect any sane reply from him. In fact, I'm not expecting a reply at all. I merely wanted the...um, "less attentive" commenters not to fall prey to his obvious attempts, other than that I don't care who he is or what he has posted before.
I played from release day until last year. My account was never hacked.
I use noscript and, when I could get one, an authenticator. I also don't use the same email address for my battle.net authentication as I did for other WoW forums, so phishing was even easier to identify.
It doesn't hurt to be nice.
Actually depending on what the hackers do, changing your password might actually make things worse[1]... Plus Blizzard don't seem to have figured out the details of the hack, so why waste time creating an uberstrong password if they could get hacked again?
BUT if you happen to use the same password in other sites/services, change it at those places.
[1] They might then get the plaintext of your password instead of the "scrambled" version.
The Flash exploit, I believe. My ex had terrible security on her gaming Vista laptop. I was more ignorant back then too with security issues, as I had not worked in a PC shop yet and seen the machines coming in and the steps people took. I thought AV software was a waste too, as I do not visit bad sites on these machines etc. I was quite stupid.
Nowadays I am so paranoid I tend to avoid Firefox because it has no sandboxing, use Flash that updates automatically, use Chrome which does it for me and has double sandboxing, am very serious with a good AV package and also run Malwarebytes.
My kids run ancient java still probably on the old desktop out of my control to run minecraft and I shudder. I thought it was safe back then too in 2009/10. GOD. Windows 7 thankfully is much more secure as well as the steps I now take.
But still mac users back then were getting hacked and the ones who had access to the guild vault were always hacked. hmmm .... sorry something is up with that.
http://saveie6.com/
How many paying customers see other people getting it for free and decide they also no longer want to pay?
Proof of this behavior? Walking through a red light, once one person does it, others follow.
Guarding against theft is not just to stop active thieves, it is also a way to keep non-thieves from turning to thieving.
Proof with regards to copyright infringement?
Whenever a story runs in the main stream media on thepiratebay or napster or whatever, every geek gets asked by non-geeks how they can get in on the action.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
It is a console game first of all. Console games do not have depth or replay value, rather they have difficulty levels that are locked forcing replay.
And Diablo has ALWAYS been a repetitive dungeon crawler/hack&slash game. That is what it is. And the only way to increase difficulty without improving AI is to add more monsters with more hit points and more resists, and this creates the brick wall when your "skill" level is reached.
My advice for Diablo? Play it once, just like other games. Then STOP.
There are people who play Final Fantasy games to max everything or speed run RPG's and for THOSE people there is Inferno. They don't "play" a game for story or novelty, they play to get REALLY good at doing the exact same thing over and over again. If by some miracle of scripting a game company made every boss unique on every play through, these people would be REALLY upset. It stops them from using skillX at 3904872 HP followed by Y and Z in 2.322334 seconds.
Basically, the above poster is complaining that a porn movie gets a bit repetitive after the 100th play through. DUH!
With most hacks, the application gets hacked and the attacker gets access to whatever user's privileges the application is running as. That user usually is an administrator when you're on Windows, or it has access to local exploits that target administrator or system accounts. On Linux, the chances that someone gets root after compromising an application are smaller, or require more manual work at least. That makes the OS safer, but as you said, the chance to get hacked is just as big. Mind you, the OS is safer against automated attacks and script kiddies. Someone that really wants to get in and knows what they are doing can often still find a privilege escalation.
I was promised a flying car. Where is my flying car?
I went to Battle.net to change my account password. I use KeePassX to generate reasonably safe passwords. I can remember each generated password but that is fine, I usually copy/paste them. Oddly enough, Battle.net doesn't allow you to copy/paste passwords when you change them (not in the old password input, nor the new one).
Especially those of us who have taken a break from Blizzard games?
No one I know of, nor I, have received any notification about this breach. It is not like they don't have my email address.
As for the part about credit card information, I can believe them for one reason. A while back we had an account deleted per our request because we wanted no CC information stored with any game company. Well we had to have the account deleted and you do that through an email to the Blizzard privacy group.
Guess what, they delete the account and all related information EXCEPT for the credit card. How did we know? Because we got billed on it six months later by Blizzard.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Well, it might be an "inside job", but not in the way you're thinking.
There was an issue with MS Xbox Live accounts being compromised recently. I was one of the ones affected by this and, until I learned more about it, I was utterly puzzled as to how it had happened.
See, prior to the Sony breach, I had been guilty of a bit of password sharing between accounts. After the Sony breach, I get more sensibly paranoid and, other than random don't-really-care forum accounts, everything gets its own password. As part of this, I change my Xbox Live password. I go for something reasonably strong - 10 characters, mix of lower case, upper case and numerals (spending your teenaged years learning Latin and ancient Greek is great for your memory). This password is only ever entered into my (stock, unmodified) 360. I'm pretty sure my PC is free of keyloggers - but even if it isn't, this particular sequence of characters has never been typed into a PC.
A few months later, I find I'm locked out of my Xbox Live account. The password and e-mail address have been changed (the e-mail address is now some German one) and around 50GBP has been spent on MS points, of which around a quarter have been spent on FIFA DLC. Fortunately, I notice within a few hours of this happening. Half an hour later, I've spoken to MS, who have locked the account and to my bank, who have refunded the credit card transaction.
The account then spends about 3 weeks locked while MS perform an investigation. At the end of this period, I get profuse apologies from them, a free 2 month extension to my gold subscription and my account back. This takes me by surprise - I'd previously thought that, except in cases of Sony-style security breaches, almost all compromised accounts were down to the behaviour of the user. Despite the circumstances of my case, I'd been torturing myself trying to think of all the ways I might have slipped up (god knows how many rootkit scanners I ran on my PC). I'd certainly not expected MS to be bending over backwards to make amends.
Anyway, Eurogamer picks up on stories from people who've had similar cases and investigates. A few months later, we quietly get our explanation. The security breach is at MS's end, but isn't in their software - it's in the protocols that their phone support guys use. Basically, it was possible to use social engineering techniques against MS's own support staff to get them to do password resets and e-mail address changes on an account, without actually knowing anything more than the name of the account. I gather the issue has since been "rectified", but it's still alarming.
Apparently my account had raised many of the flags that make it desirable to the scumbags who do this. It's an old account (created on the day that the Xbox Live service for the original Xbox was launched in the UK), so it's a bit like having a low UID account on Slashdot. It has a reasonably high gamerscore (though not exceptional). Perhaps more importantly, a few days before my account was taken, I'd got my first 1000/1000 gamerscore on a game (and not on one of the titles that are known to be quick and easy to do it for). This apparently meant that my account was desirable not only for the ability to spend on my credit card (FIFA DLC can apparently be traded for real-life cash, and hence is a way to re-monetise XBL currency), but would also have had a high resale value.
This used to be true, but an increasingly popular means of compromising accounts involves using social engineering techniques not on the end user, but on the host company's support staff. Look around a bit and you'll find some shocking examples of how easily certain companies *cough* MS Xbox Live *cough* have been giving their support staff protocols which make it trivial for scumbags to compromise individual accounts via phone-call while knowing nothing more than a username.
But I agree that "hacking" is the wrong word in 99% of cases. If an account's compromised through a Sony style breach, that's "hacking". In other cases, it's best to use a different term.
Frankly it's about time the credit card companies / banks sorted themselves out. What we need is a number that can be given out but links to one merchant only. So if these numbers are retrieved by a third party, damage is limited as they can only be used on the original site, and it would be trivial to revoke them when the intrusion was discovered. Unlike right now, when you discover someone might have your CC information, you have to cancel the card, wait for the new one to be issued and re-enter the new information into all the other sites.
The same goes for bank details. When we need to transfer cash electronically from one person to another, why not give us 'deposit only' details to give out?
I know the banking sector moves at a snail's pace on things like this, but seriously, how hard can it be?
Blatant Advert: Android Apps!
As a long-term Blizzard customer, I am outraged to have this news delivered through a third party.
No notification came from Blizzard through e-mail. Cool way to support your customers..
--- I am known to the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
How do you know your account is getting "hacked"? E-mail notification?
Checking my spam folder I've found that my account gets hacked every couple of days and there's an easy link to verify my identity and login credentials... It seems you don't even need an account to get hacked!
"...the answer to a personal security question, and information relating to Mobile and Dial-In Authenticators..."
Bluntly, now they have an email and a sample of your secret question. Given a question of "What is your Mother's Maiden Name", script kiddies now have your email address and one of your potential secret question responses. WTF wouldn't you hash the answers....
They now have an email address, your phone number, a secret answer response. Christ almighty, Activision.... way to fuck up. Now every script kiddie with that data dump is going to spam every major site with those email addresses and now with at least one potential secret question response... just wow...
-=[ Who Is John Galt? ]=-
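Two posts above ask why the security-question answers were not hashed like the passwords. As an added example (not Blizzard's code), here is the storage scheme a defender would use for such answers: canonicalise the answer so trivial variations still verify, then store a random per-record salt and a PBKDF2-HMAC-SHA256 digest, and compare in constant time. The iteration count and the sample answers are constructed for the example. The `plaintext_exposed` helper shows what a dump of such a table gives an attacker compared with the plaintext storage the posts complain about.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000  # PBKDF2 work factor; assumed value for this example, tune for your hardware


def normalize_answer(answer: str) -> str:
    """Canonicalise so 'Smith', ' smith ' and 'SMITH' verify as the same answer.
    NFKC handles Unicode variants; casefold() is stronger than lower() for non-ASCII."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def store_answer(answer: str, salt: bytes = None, iterations: int = ITERATIONS) -> dict:
    """Record to persist: random salt, work factor and digest. The answer itself is not kept."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, iterations
    )
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_answer(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and work factor; compare without early exit."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(candidate).encode("utf-8"),
        record["salt"],
        record["iterations"],
    )
    return hmac.compare_digest(digest, record["digest"])


def plaintext_exposed(record: dict, answer: str) -> bool:
    """Would a dump of this record hand over the answer string directly?
    For the hashed record the answer bytes never appear in the stored blob."""
    blob = record["salt"] + record["digest"]
    return normalize_answer(answer).encode("utf-8") in blob


if __name__ == "__main__":
    # Constructed sample: the classic low-entropy question.
    rec = store_answer("Smith")
    print("verify ' smith ':", check_answer(rec, " smith "))
    print("verify 'Smyth':", check_answer(rec, "Smyth"))
    print("plaintext recoverable from dump:", plaintext_exposed(rec, "Smith"))
```

The caveat that goes with it: a maiden name or home town has little entropy, so the work factor only slows an offline guess rather than preventing it. Hashing keeps a dump from being a ready-made list of answers, which is the point the posts make, but the answer should never be the sole factor that resets a password.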
And then you have buddy@ and significan_other@, and then it's your birthday and both buddy@ and significan_other@ send you a FREE postcard, and suddenly all your accounts are flooded with spam.... I guess you have all your emails redirected to /dev/null by now.
If you have an android phone get the Google Authenticator also. It's that added wall that makes you feel a little more at ease.
No, not Trojan or key logged or phished or anything stupid like that.
Sorry but every time I see someone say that I laugh. It's like they think their computers are impervious or perfect and there is no way in hell they can be at fault. It's ALWAYS the other guy!
Back in the WoW BC days I was hacked. I thought I was pretty good with security. Come to find out I visited some website blog that was exploited with an iframe/XSS logger. That's how my password was logged. You don't have to have something installed on your computer to get keylogged.
The chance it was in fact your friend's fault is still very high. Blizzard hasn't given a date span as to how long ago this occurred, so you can't say your friend is a perfect little saint just yet.
What we need is a number that can be given out but links to one merchant only. So if these numbers are retrieved by a third party damage is limited as they can only be used on the original site, and it would be trivial to revoke them when the intrusion was discovered.
I know everyone hates on Bank of America, but they have exactly that. It's the main reason I didn't cancel my account there (during all of the other recent issues they've had) - the ShopSafe system they have for their CCs is pretty amazing. You generate a new CC# for online purchases. Once it has been used once, it's linked to that merchant, and will fail if any other merchant attempts to use it (which can be a bit of a hassle on occasion -- Amazon is not the same as Amazon Kindle is not the same as Amazon Marketplace, even if all of those are in a single account system from my perspective -- also fails if the merchant ever randomly changes their listed name or accounts on their end).
I won't defend anything else they may or may not do, since I barely touch most of their services, but as a basic direct-deposit-account-and-credit-card service they've been pretty good for me and the ShopSafe option is pretty cool (and likely patented or something which would explain no other institution managing to do it).
~Anguirel (lit. Living Star-Iron)
QA: The art of telling someone that their baby is ugly without getting punched.
Sounds about right! So it can be used for subscriptions, etc? Are you listening, First Direct?!
So, it's not 10 to 15 minutes, but rather I should devote hours to setting it up?
Gee, that sorta makes the first anon coward post in the thread look - totally idiotic then.
Uberstrong password? You CAN'T set an uberstrong password! Case insensitive, alphanumeric only, 16 characters max. It's like requiring that a bank vault be secured with a sturdy rope.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Yes, it can be used for subscriptions (up to a year at a time - you choose how long a given number is valid, between 2 and 12 months). It also has a capped amount of cash associated with it (that you set when creating a new number), so even if the site you're buying from isn't on the level, you'd still only be at risk of losing whatever amount you expected to be paying (until fraud protections kick in), rather than suddenly having your card unusable until you can get the charges reversed.
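The proposal for one-merchant card numbers, the ShopSafe description and the follow-up on caps and validity windows all describe the same control. As an added example (not any bank's code, and not ShopSafe's implementation), here is a small model of that token's authorisation rules: the number binds to whichever merchant charges it first, refuses any other merchant thereafter, carries a spending cap and a validity of 2 to 12 months, and can be revoked on its own without touching the real card. Merchant names, amounts and dates are constructed.

```python
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass
class VirtualCardNumber:
    """A merchant-locked card token as described in the posts above."""
    token: str
    cap: float                 # total spend allowed over the token's life
    valid_from: date
    valid_months: int          # 2..12 as in the ShopSafe description
    bound_merchant: Optional[str] = None   # set by the first approved charge
    spent: float = 0.0
    revoked: bool = False

    def expires(self) -> date:
        """First day on which the token is no longer valid (month arithmetic, no day precision)."""
        m = self.valid_from.month - 1 + self.valid_months
        return date(self.valid_from.year + m // 12, m % 12 + 1, 1)

    def authorize(self, merchant: str, amount: float, today: date) -> Tuple[bool, str]:
        """Decide one charge. Declines never bind the token, so a failed probe by a
        third party who holds a leaked number does not lock out the real merchant."""
        if self.revoked:
            return False, "revoked"
        if today >= self.expires():
            return False, "expired"
        if self.bound_merchant is not None and merchant != self.bound_merchant:
            return False, f"bound to {self.bound_merchant}"
        if self.spent + amount > self.cap:
            return False, "over cap"
        self.bound_merchant = merchant
        self.spent += amount
        return True, "approved"

    def revoke(self) -> None:
        """Kill this token only; the underlying card and other tokens are unaffected."""
        self.revoked = True


def issue(cap: float, valid_from: date, valid_months: int, token: str = None) -> VirtualCardNumber:
    """Mint a token; the hypothetical 'vcn-' prefix and random hex stand in for a real PAN."""
    if not 2 <= valid_months <= 12:
        raise ValueError("validity must be between 2 and 12 months")
    return VirtualCardNumber(token or "vcn-" + secrets.token_hex(8), cap, valid_from, valid_months)


if __name__ == "__main__":
    # Constructed walk-through: a token minted for a game subscription, then leaked.
    card = issue(cap=60.0, valid_from=date(2012, 8, 9), valid_months=2)
    print(card.authorize("GameStore", 15.0, date(2012, 8, 10)))   # binds to GameStore
    print(card.authorize("OtherShop", 5.0, date(2012, 8, 11)))    # leaked number, wrong merchant
    print(card.authorize("GameStore", 50.0, date(2012, 9, 9)))    # would exceed the cap
    card.revoke()
    print(card.authorize("GameStore", 1.0, date(2012, 9, 10)))    # revoked after the breach
```

Binding on the first approved charge rather than on the first attempt is the design choice worth noting: it keeps a leaked-but-unused token from being hijacked by whoever tries it first, while still locking it to the intended merchant once the legitimate purchase goes through.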