Blizzard Says Battle.Net Has Been Hacked
An anonymous reader writes "Blizzard announced today that its Battle.net service was compromised. The company is urging users to change their login information immediately. Blizzard is stressing that payment information was not compromised. 'The unauthorized access included email addresses associated with Battle.net accounts in all regions, outside of China. Additional information from accounts associated with the North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) was also accessed, including cryptographically scrambled versions of passwords (not actual passwords), the answer to a personal security question, and information relating to Mobile and Dial-In Authenticators. It's important to note that at this time, Blizzard does not believe this information alone is enough to gain access to Battle.net accounts.'"
Thanks for your always-online requirement for Diablo 3! So very useful if I want to play alone.
Can I please have my single player offline games back?
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
I'm going to go out on a glass-half-empty limb here and say that means encrypted, not salted and hashed. "Cryptographically Scrambled" is too obviously ambiguous. I hope I'm wrong!
Since I'm over 25 and work for a living, this does not affect me.
If you want news from today, you have to come back tomorrow.
Nothing on battle.net, blizzard.com or any other location but marketwatch. Link in the article goes to a non-existent page on blizzard.com. Not saying shenanigans just yet, but some real information would be nice.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
meet me.
I have a maxed out Mage on Rexar that hasn't yet been hacked, BUT I do agree w/ you. Everyone 'else' I know has had their accounts just trashed.
Naked Gnomes everywhere...
How much is your data worth? Back it up now.
My account keeps being hacked*, despite the fact I don't login, have no real interest in playing the games, change it to random passwords even I don't remember, run linux day to day, and have it associated to a gmail account which hasn't had any suspicious activity. I've tried to reason with them, but they refuse to listen. I've come to the conclusion that Blizzard are incompetent in this area.
* I've never seen any proof of my account being hacked besides their e-mails telling me and locking my account. I managed to get them unlocked the first few times, my characters still have all items and gold I remember. Now they want me to fax a passport or some 'real identification'. I honestly don't want the games that bad, I'm just annoyed they're taking them off me.
Technically I'm working from home today, but I guess good security dictates I log into WoW to change my password and check for any foul play.
Once a Battle.net account is created, the first name, last name and security question cannot be changed. Since these questions are now compromised, everyone is SOL.
Of the 56 unique players in my guild when we quit, only 2 had ever been hacked. We've certainly had people who were hacked off and on over time, (and most of them left the guild) but once they brought in authenticators it was pretty rare for people to get hacked. Even before that, you usually had to do something stupid to get your account hacked.
The most common culprits for it were from re-using passwords (especially on WoW fansites, because duh...) and people buying gold. Then there was the usual keyloggers and so on.
I seem to recall reading in the Security Question comments how Battle.net's system was excellent. That portion of it may have been, and they seem to be responding well to this, but the timing is interesting.
You are not the customer.
That's actually pretty common when people do get hacked. If you have gold they immediately mail it off and sell it, and then try and bot farm whatever the best gold/hour is. That might be tradeskilling, that might be cash runs through bosses, sort of depended.
My lingering suspicion is that WoW was vulnerable to a session spoof attack at some point, or the usual exploit of a flash vulnerability to get your password, but their systems became overall pretty robust with authenticators added in.
In your case I'd guess a flash vulnerability, possibly a 0-day one, those are much less of a problem today than they were 2 or 3 years ago when browsers weren't well sandboxed etc. etc. But those sorts of things always got a few people.
If they got my passwords now, I don't care. After the hassles I have had with D3 from day 1 I don't even care anymore.
Yeah I gave up on it too, the having to wait to play because the servers were full, the lag, the crashes...there's no reason it couldn't have just been an offline game like its predecessors. Very disappointed with it.
Oh the passwords are cryptographically scrambled? Do they mean hashed or encrypted? I imagine anyone with enough skill to steal all of those accounts knows how to operate a rainbow table. Why not just come clean and tell everyone their passwords are compromised too. Why leave everyone with a nebulous message like "cryptographically scrambled". Are they encrypted? Or did you just hash+salt them? I for one would really like to know!
Diablo 3 was DOA. It is a hamster-wheel farming game revolving around the auction house with no depth nor creativity.
Summary: It's fun but too easy going through normal, nightmare and hell if you gather a party. Then you hit the inferno act 2 brick wall, and your only hope for punching through that is either the RMAH or something like 100+ hrs into cheese-farming spots like dank cellar (gold) or the ancient path goblin (rares).
I found myself wishing someone else would "play" for a while because the game part peeled away and it was revealed to be a stupid repetitive virtual item farming-trading game. I bought the game mid-May, and haven't touched it past June and don't plan to either. Gonna keep it around for a couple more weeks and then give my login info to the first friend who shows interest when I go back to school for TA'ing in september.
https://dalgamotor.wordpress.com/ - A freedom vaccine for electronic brains (Turkish)
Using scrambling rather than cryptography gets around cryptographic export and import restrictions. This is why it was possible to decrypt a lot of Windows and Microsoft Word scrambled content, and why Windows NT password recovery tools existed.
Unless you want to lock yourself out of most Asian countries where videogaming comes close to a religion, and is therefore worth gobs of money, you will not build something which violates their import restrictions. See also:
http://en.wikipedia.org/wiki/Restrictions_on_the_import_of_cryptography#Status_by_country
Many people use the same password for all accounts including their e-mail. You can also assume that the same login and/or e-mail username is used in other places by many people and attempt to access other outside accounts. This creates a huge security threat for those affected.
I am becoming gerund, destroyer of verbs.
Store password hashes in the database, but the answer to a security question, which enables resetting the password, in plain text. Cool story Blizzard
CLI paste? paste.pr0.tips!
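The two posts above asking whether "cryptographically scrambled" means encrypted or hashed-and-salted, and the one noting that security answers were kept in plain text, both come down to what a copy of the stored records lets its holder do. The following is an added example, not Blizzard's code and not a description of their system; the key, the word list and the user names are constructed. It contrasts a reversible scheme (a toy stream cipher standing in for any symmetric encryption), an unsalted hash that a one-time precomputed table defeats for every user at once, and a salted, iterated hash where precomputation does not transfer between users, and applies the same salted treatment to a security answer.

```python
"""What a leaked credential store reveals under three storage designs.

Added example, not Blizzard's code. Key, word list and users are constructed.
"""
import hashlib
import hmac
import os


# --- 1. Reversible "scrambling": a toy stream cipher standing in for any
# symmetric encryption. Whoever holds the key (or the breached server) undoes it.
def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


toy_decrypt = toy_encrypt  # XOR with the same keystream reverses it


# --- 2. Unsalted hash: identical passwords give identical digests, so a table
# computed once from a word list answers the question for every user.
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    return {unsalted_hash(w): w for w in wordlist}


def recover_from_unsalted(stored_digests: dict, wordlist) -> dict:
    """Defender's view: which accounts fall to a one-time precomputed table."""
    table = build_lookup_table(wordlist)
    return {user: table[d] for user, d in stored_digests.items() if d in table}


# --- 3. Salted, iterated hash: each record gets its own random salt and a
# deliberately slow derivation, so a table built for one user is useless for another.
ITERATIONS = 100_000  # constructed cost parameter for the demo


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(secret: str):
    """Store (salt, digest); the secret itself is never written."""
    salt = os.urandom(16)
    return salt, salted_hash(secret, salt)


def verify(secret: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(salted_hash(secret, salt), stored)


# A security answer is just a low-entropy password: normalise, then treat it the same.
def normalise_answer(answer: str) -> str:
    return " ".join(answer.lower().split())


def new_answer_record(answer: str):
    return new_record(normalise_answer(answer))


if __name__ == "__main__":
    words = ["password", "hunter2", "letmein"]  # constructed word list
    leaked = {"alice": unsalted_hash("hunter2"), "bob": unsalted_hash("Tq9#vL2mX!")}
    print("unsalted store, recovered:", recover_from_unsalted(leaked, words))
    s1, h1 = new_record("hunter2")
    s2, h2 = new_record("hunter2")
    print("same password, different salts, digests differ:", h1 != h2)
    print("answer check:", verify(normalise_answer("  Fluffy "), *new_answer_record("fluffy")))
```

Two users with the same password end up with different salted digests, so the word-list attack has to be repeated per user at full PBKDF2 cost, whereas the unsalted store gives up every matching account from one table lookup; the reversible scheme gives up everything to anyone who also obtains the key.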
If I had mod points I'd vote this up.
My battle.net / wow account was fine for years. Never had a problem. Then I installed StarCraft2 and its updates. A day later I get a legitimate e-mail from Blizzard telling me my account had been used to spam the chat channels on wow. Changed my password, and started using their iPhone authenticator app. Nothing from any of my characters was missing. Not a single thing.
When it comes to security I don't think Blizzard knows what it is doing.
Real links here: http://us.blizzard.com/en-us/securityupdate.html
http://sea.battle.net/support/en/article/important-security-update-faq
The important thing to note is that the passwords were encrypted with Secure Remote Password protocol, meaning that Rainbow Tables are ineffective since each password is individually encrypted instead of using a common hash. Also, the process is CPU expensive so brute forcing is highly unfeasible for reasonable length passwords.
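For readers unfamiliar with SRP: in SRP-6a (RFC 5054) the server stores, per user, a random salt and a verifier v = g^x mod N where x is derived from the salt and the password; the password never leaves the client, and the login exchange lets both sides derive the same session key only if the client knows the password behind the stored verifier. The following is an added walk-through, not Blizzard's code; the group is a 256-bit safe prime generated deterministically at start-up for demonstration only (real deployments use a published 2048-bit or larger group), SHA-256 is used where RFC 5054 specifies SHA-1, and the user names are constructed.

```python
"""SRP-6a registration and login walk-through (added example, not Blizzard's code).

The server keeps (salt, verifier) per user and never sees the password; the
login exchange yields matching session keys only when the client knows it.
"""
import hashlib
import random
import secrets

SMALL_PRIMES = [p for p in range(3, 200) if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with deterministic witnesses; adequate for a demo group."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n == p:
            return True
        if n % p == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def demo_safe_prime(bits: int = 256, seed: int = 2012) -> int:
    """DEMO group only: a deterministic 256-bit safe prime N = 2q + 1.
    Real deployments use a published 2048-bit-or-larger group (e.g. RFC 5054)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


N = demo_safe_prime()
g = 2  # in a safe-prime group every element other than 1 and N-1 has order q or 2q
NLEN = (N.bit_length() + 7) // 8


def to_bytes(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(to_bytes(N), to_bytes(g))  # SRP-6a multiplier


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username ":" password)); computed only on the client."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def register(username: str, password: str) -> tuple:
    """What the server stores: a random salt and the verifier v = g^x mod N."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


def login(username: str, password: str, salt: bytes, verifier: int) -> tuple:
    """One exchange. Returns the session keys each side derived; they match
    only when the client's password is the one behind the stored verifier."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral secret
    A = pow(g, a, N)                          # client -> server: username, A
    b = secrets.randbelow(N - 2) + 1          # server ephemeral secret
    B = (k * verifier + pow(g, b, N)) % N     # server -> client: salt, B
    u = H(to_bytes(A), to_bytes(B))
    if A % N == 0 or B % N == 0 or u == 0:
        raise ValueError("degenerate exchange values; abort")
    x = private_x(salt, username, password)   # client side only
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(verifier, u, N) % N, b, N)   # server uses verifier only
    return (hashlib.sha256(to_bytes(s_client)).hexdigest(),
            hashlib.sha256(to_bytes(s_server)).hexdigest())


if __name__ == "__main__":
    salt, v = register("alice", "correct horse")  # constructed user
    print("stored record: salt", salt.hex(), "verifier", hex(v)[:18] + "...")
    kc, ks = login("alice", "correct horse", salt, v)
    print("right password, session keys match:", kc == ks)
    kc, ks = login("alice", "wrong horse", salt, v)
    print("wrong password, session keys match:", kc == ks)
```

Registering the same password twice yields two different verifiers because each record has its own salt, which is the property the post above attributes to SRP. The stored record alone does not let its holder complete a login as the client, but it does permit offline guessing: each candidate costs one modular exponentiation per user, and the salt means that work cannot be shared across accounts.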
Your "friend" is likely an idiot who has a key-logged, malware-ridden machine. 99.99% of the time, what someone calls "hacking" is nothing more than poor personal security on their own machine.
There is a ton of stupid SHIT being posted here on the slashdot comments. I don't blame the commenters one bit, though. Why? Because the article was a regurgitated rehashed pile of shit in comparison to the actual Blizzard press release... which was really hard to find, ya'know, being the top post on Blizzard.com after all... A very key detail, the usage of SRP, is completely missed by the article, which is leading to the majority of the confusion here and elsewhere.
http://us.blizzard.com/en-us/securityupdate.html
Well it probably wasn't their fault. A few account hackers have admitted to hacking fan sites and getting usernames and passwords from there, and trying them against battle.net; quite a few people use the same logon details.. and account hacked. Not defending them for what has happened (according to this article), but a lot of people are blaming Blizzard for hacked accounts that had nothing to do with Blizzard. They have really F'd up big time with D3, but account hacking issues up to now haven't been because of them.
I know I am replying to a troll, though I am not actually expecting any kind of sane reply from him, I'm rather replying to his post so that other users would notice the obvious flaw here.
The thing is, if the hack does not actually use any of the OS-specific features to gain access to privileged data then the OS is wholly irrelevant. All the hacks and attacks mentioned by the troll have been because of faults in the Internet-facing software that runs on top of the OS and would've happened just the same if the software was running on *BSD, OSX or Windows. Operating systems simply cannot protect against stupid people or faulty software, that is merely a pipe dream. As an example, if there is a bug in your latest Windows-based MMORPG that lets attackers gain access to your data, do you blame Windows or do you blame the MMORPG for the failure? I sure would opt for the latter. With that in mind the troll in question here is simply trying to associate bugs in 3rd-party software with the OS, shifting blame from one party to another.
How many paying customers see other people getting it for free and decide they also no longer want to pay?
Proof of this behavior? Walking through a red light, once one person does it, others follow.
Guarding against theft is not just to stop active thieves, it is also a way to keep non-thieves from turning to thieving.
Proof with regards to copyright infringement?
Whenever a story runs in the main stream media on thepiratebay or napster or whatever, every geek gets asked by non-geeks how they can get in on the action.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
With most hacks, the application gets hacked and the attacker gets access to whatever user's privileges the application is running as. That user usually is an administrator when you're on Windows, or it has access to local exploits that target administrator or system accounts. On Linux, chances that someone gets root after compromising an application are smaller, or require more manual work at least. That makes the OS safer, but as you said, the chance to get hacked is just as big. Mind you, the OS is safer against automated attacks and script kiddies. Someone that really wants to get in and knows what they are doing often can still find a privilege escalation.
I was promised a flying car. Where is my flying car?
Well, it might be an "inside job", but not in the way you're thinking.
There was an issue with MS Xbox Live accounts being compromised recently. I was one of the ones affected by this and, until I learned more about it, I was utterly puzzled as to how it had happened.
See, prior to the Sony breach, I had been guilty of a bit of password sharing between accounts. After the Sony breach, I get more sensibly paranoid and, other than random don't-really-care forum accounts, everything gets its own password. As part of this, I change my Xbox Live password. I go for something reasonably strong - 10 characters, mix of lower case, upper case and numerals (spending your teenaged years learning Latin and ancient Greek is great for your memory). This password is only ever entered into my (stock, unmodified) 360. I'm pretty sure my PC is free of keyloggers - but even if it isn't, this particular sequence of characters has never been typed into a PC.
A few months later, I find I'm locked out of my Xbox Live account. The password and e-mail address have been changed (the e-mail address is now some German one) and around 50GBP has been spent on MS points, of which around a quarter have been spent on FIFA DLC. Fortunately, I notice within a few hours of this happening. Half an hour later, I've spoken to MS, who have locked the account and to my bank, who have refunded the credit card transaction.
The account then spends about 3 weeks locked while MS perform an investigation. At the end of this period, I get profuse apologies from them, a free 2 month extension to my gold subscription and my account back. This takes me by surprise - I'd previously thought that, except in cases of Sony-style security breaches, almost all compromised accounts were down to the behaviour of the user. Despite the circumstances of my case, I'd been torturing myself trying to think of all the ways I might have slipped up (god knows how many rootkit scanners I ran on my PC). I'd certainly not expected MS to be bending over backwards to make amends.
Anyway, Eurogamer picks up on stories from people who've had similar cases and investigates. A few months later, we quietly get our explanation. The security breach is at MS's end, but isn't in their software - it's in the protocols that their phone support guys use. Basically, it was possible to use social engineering techniques against MS's own support staff to get them to do password resets and e-mail address changes on an account, without actually knowing anything more than the name of the account. I gather the issue has since been "rectified", but it's still alarming.
Apparently my account had raised many of the flags that makes it desirable to the scumbags who do this. It's an old account (created on the day that the Xbox Live service for the original Xbox was launched in the UK), so it's a bit like having a low UID account on slashdot. It has a reasonably high gamerscore (though not exceptional). Perhaps more importantly, a few days before my account was taken, I'd got my first 1000/1000 gamerscore on a game (and not on one of the titles that are known to be quick and easy to do it for). This apparently meant that my account was desirable not only for the ability to spend on my credit card (FIFA DLC can apparently be traded for real-life cash, and hence is a way to re-monetise XBL currency), but would also have had a high resale value.
You know it's not a console game, right?
Right?
Blizzard have mulled over the possibility of a console release from time to time, but there's nothing announced. The game's not that different from its predecessors - as you yourself note.
In fact, the Diablo series is historically a PC/Mac series. There was a Playstation 1 version of the original, but it never got much traction. This series is as computery as a very computery thing that was just made even more computery by the injection of a big pile of computer.
I think you're using "console" as a shorthand for "shallow and repetitive". Well, I can certainly agree that Diablo games are shallow and repetitive. Absolutely. Definitely. With cherries on.
But then, I look at some of the console games I own and I don't necessarily see much in the way of shallowness or repetition in some of those. Valkyria Chronicles (PS3 exclusive) is absolutely brimming with depth and complexity, packaged beneath a highly accessible exterior. Dark Souls (360 and PS3, belated PC version due later this month) is more action oriented, but has one of the deepest and most precise combat systems I've come across. The Forza Motorsport (360 exclusive) games have depth coming out of their ears.
By all means criticise the Diablo series for its core gameplay - god knows it deserves a bit of a grilling as a counter-point to the fawning it got from some review sites. But if you're claiming it's a console game, you look ridiculous and if you're claiming that all console games are shallow, you look ignorant to boot.
As a long-term Blizzard customer, I am outraged; to have this news delivered through third party.
No notification came from Blizzard through e-mail. Cool way to support your customers..
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
No, not Trojan or key logged or phished or anything stupid like that.
Sorry but every time I see someone say that I laugh. It's like they think their computers are impervious or perfect and there is no way in hell they can be at fault. It's ALWAYS the other guy!
Back in the WoW BC days I was hacked. I thought I was pretty good with security. Come to find out I visited some website blog that was exploited with an iframe/XSS logger. That's how my password was logged. You don't have to have something installed on your computer to get keylogged.