Slashdot Mirror


Blizzard Says Battle.Net Has Been Hacked

An anonymous reader writes "Blizzard announced today that its Battle.net service was compromised. The company is urging users to change their login information immediately. Blizzard is stressing that payment information was not compromised. 'The unauthorized access included email addresses associated with Battle.net accounts in all regions, outside of China. Additional information from accounts associated with the North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) was also accessed, including cryptographically scrambled versions of passwords (not actual passwords), the answer to a personal security question, and information relating to Mobile and Dial-In Authenticators. It's important to note that at this time, Blizzard does not believe this information alone is enough to gain access to Battle.net accounts.'"

33 of 340 comments

  1. Thanks! by Anonymous Coward · · Score: 5, Funny

    Thanks for your always-online requirement for Diablo 3! So very useful if I want to play alone.

    1. Re:Thanks! by ganjadude · · Score: 5, Insightful

      Really??? That's your argument? From my point of view as a D player since D1 (I STILL play D2, and gave up on D3), I am sick of the people who claim that "D3 is a multiplayer game": maybe by marketing, but not by gameplay. It is NO DIFFERENT than D2 in gameplay that it should require me to check in with them if I want to play by myself. And on top of that, they wouldn't even work with me on a refund when I had issues 3 weeks after launch, because I pre-ordered it and therefore it was more than 30 days out of date, even though I had only had the game for a week less than 30 days.

      --
      have you seen my sig? there are many others like it but none that are the same
    2. Re:Thanks! by Sir_Sri · · Score: 5, Informative

      It's not an argument. It is. The game is a multiplayer game. Just because that's a stupid idea doesn't mean it isn't the one they went with.

      I'm sorry that your point of view is just wrong. But it is. The whole game was balanced around you being able to buy and sell from the auction house. That was a deliberate choice on Blizzard's part, and without the AH the game becomes prohibitively hard because you just can't get the right itemized gear and you need an astronomical amount of farming to get through the content. Again, I'm not saying that's a *good* design, but that is the design. If anything the game suffers because you almost never loot anything you actually want; I think I looted one inferno difficulty item I actually used, all of the rest I had to buy.

      They certainly could have designed the itemization differently or had a full on single player mode with different itemization. But they didn't.

      The 'core activity' of Diablo is 'click'. I'll grant you that activity is mostly unchanged from previous versions. But most games are more than just one core activity.

      they wouldn't even work with me on a refund, when I had issues 3 weeks after launch because I pre-ordered it, and therefore it was more than 30 days out of date, even though I only had the game for a week less than 30 days.

      yes well, that's a whole other topic. But once they have your money they don't want to give it back.

    3. Re:Thanks! by ganjadude · · Score: 5, Interesting

      I understand your argument, I really do. However, I don't understand any good reason to disable the single-player mode from D2 (in which the character was not able to play on Battle.net, and therefore not able to access the "real money" market Activision set up; I'm convinced this is an Activision move, and not something Blizzard would have done prior to being bought up). I simply disagree with the way the game was handled. Hell, I pre-ordered, pre-downloaded, and still couldn't play for 2 days after it was "released", all because of server issues. If that's the route all games are going to go... I guess I am not a gamer any longer. That's just me, but I will not deal with that; I'll keep playing Super Mario World and D2 and be happy.

      --
      have you seen my sig? there are many others like it but none that are the same
    4. Re:Thanks! by PopeRatzo · · Score: 5, Insightful

      I am not the other guy, but maybe I can clarify: It is an online game. That is a fact.

      Let me clarify further: Diablo 3 is an extremely shitty game that not only is overpriced by about 3x, but then seeks to monetize even further with its online crapola.

      As a free2play online game, Diablo 3 would be excusable. As the anchor in a very popular trilogy of AAA titles, it's inexcusable.

      Further, to heap FAIL on top of FAIL, the information that you had to give them to create an online account with Blizzard in order to play this mediocre free2play crap is now in the hands of some Bulgarian sleazebags who will do their best to monetize Diablo 3.

      Blizzard couldn't have mistreated Diablo fans much worse without infecting every one of them with Ebola virus and then smacking them in the face with a meat tenderizer.

      Naturally, Blizzard bears zero liability for any damage that might be caused by their inability to keep customer records secure because everyone who played the game had to sign away all of their rights in the endless EULAs that they had to agree to on installation and with every single update.

      Let me end this rant with a brief prayer: Jesus, Lord Baby Jesus, I beseech you. Please make the prostates of every one of the Blizzard upper management, board of directors and major shareholders swell up to the size of honeydew melons so that it takes them 15 minutes just to squeeze out a painful, burning drop of urine. And let them know, Father, that this pain is directly caused by their behavior with Diablo 3 (which, if it makes any difference to you, Baby Jesus, has satanic overtones). And I further pray, Lord, that you make an example of them so horrible as to cause sweaty, trembling nightmares for the upper management of every game developer and publisher, so that their nights may be beset with horrors so that they might look into their souls in order to change their ways and stop fucking over their customers. I pray this in the name of God (may Allah protect him), Amen. PS: please let the Bears win their home opener by 14 points or more.

      --
      You are welcome on my lawn.
    5. Re:Thanks! by Anonymous Coward · · Score: 5, Insightful

      Jesus, Lord Baby Jesus, I beseech you. Please make the prostates of every one of the Blizzard upper management, board of directors and major shareholders swell up to the size of honeydew melons so that it takes them 15 minutes just to squeeze out a painful, burning drop of urine.

      I'm afraid you're praying to the wrong God here. Jesus would tell you to forgive, and seek in you the strength to go to Blizzard and convince them to lose their bad ways, by being a loving example to them, as you'd like them to be to you.

      Muhammad would tell you to behave, be a good Muslim, and insist Blizzard upper management is bound for fiery inferno anyway, so why care.

      Buddha would tell you to care less for videogames, and maybe instead enjoy your next meal more (hmmm pork).

      Nanak would just smack you over the head, and then pee in your general direction.

      Eris would grant you your wish, turning Blizzard's management even more sour, then She would make you buy their next yet-shittier game nonetheless so you'd share some of the pain you sought to inflict, for the lulz.

      Most other deities would require costly sacrifices and long imprecations upfront just to listen, mostly understanding your plea half wrong anyway. And their antagonist deities would curse you afterwards.

  2. Yah by the_Bionic_lemming · · Score: 5, Insightful

    Can I please have my single player offline games back?

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    1. Re:Yah by DoofusOfDeath · · Score: 4, Funny

      "No." -Activision

    2. Re:Yah by Teckla · · Score: 5, Insightful

      Can I please have my single player offline games back?

      Speaking just for myself, I'm skipping both StarCraft 2 and Diablo 3, because of the onerous DRM and always-online requirements Blizzard now uses.

      I wonder if the DRM and always-online requirements are preventing enough piracy that results in sales, to overcome the loss of buyers like me.

    3. Re:Yah by DoofusOfDeath · · Score: 4, Insightful

      My guess is that what they're losing in sales to people like you (and me), they're more than recouping in the buy-things-for-real-world-money shenanigans they've instituted.

      Sucks, but I guess that's how the cookie crumbles.

  3. Cryptographically Scrambled Passwords by PhrostyMcByte · · Score: 4, Interesting

    I'm going to go out on a glass-half-empty limb here and say that means encrypted, not salted and hashed. "Cryptographically Scrambled" is too obviously ambiguous. I hope I'm wrong!

    1. Re:Cryptographically Scrambled Passwords by GerardAtJob · · Score: 4, Funny

      It smell like XOR... ;)

      --
      I can't call that English ;-)
    2. Re:Cryptographically Scrambled Passwords by safetyinnumbers · · Score: 4, Informative

      The 'additional info' link in the announcement says they use SRP, which I'd not heard of but seems to be a hash-based system. http://srp.stanford.edu/

      the server carries a verifier for each user, which allows it to authenticate the client but which, if compromised, would not allow the attacker to impersonate the client

    3. Re:Cryptographically Scrambled Passwords by VortexCortex · · Score: 3, Informative

      Which is still very secure if they used a one time pad with the XOR.

      The only thing stronger than XORing with a one time pad, is XORing the input with itself.

    4. Re:Cryptographically Scrambled Passwords by Stormy+Dragon · · Score: 5, Informative

      The letter from Blizzard itself says they use the Secure Remote Password protocol, so this is what they mean by "Cryptographically Scrambled":

      http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

  4. Well now. by Frosty+Piss · · Score: 5, Funny

    Since I'm over 25 and work for a living, this does not effect me.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Well now. by Svippy · · Score: 4, Funny

      Since I am 25 and do nothing for a living, your incorrect spelling of 'affect' affects me.

      --
      Clicked pie.
    2. Re:Well now. by Sir_Sri · · Score: 3, Informative

      Since I'm over 25 and work for a living

      making you the target market for games, and modern MMOs. Especially so if you're male. Because, you know, the people who actually work at Blizzard want to play their own game, and they're mostly over 25 and have jobs. So if you're one of the 40 million or so people who ever created a Battle.net account for StarCraft or Diablo or WoW then yes, this effects you. Because what was your security question, have you ever reused it, and was it publicly available information?

  5. Re:Anyone have real information? by Kenja · · Score: 5, Informative

    Found it. http://us.blizzard.com/en-us/securityupdate.html URL in the article is wrong.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  6. Re:This is not news by Anonymous Coward · · Score: 5, Interesting

    My account keeps being hacked*, despite the fact I don't log in, have no real interest in playing the games, change it to random passwords even I don't remember, run Linux day to day, and have it associated with a Gmail account which hasn't had any suspicious activity. I've tried to reason with them, but they refuse to listen. I've come to the conclusion that Blizzard are incompetent in this area.

    * I've never seen any proof of my account being hacked besides their e-mails telling me and locking my account. I managed to get it unlocked the first few times; my characters still have all the items and gold I remember. Now they want me to fax a passport or some 'real identification'. I honestly don't want the games that badly, I'm just annoyed they're taking them off me.

  7. The Responsible Thing To Do by TranquilVoid · · Score: 5, Funny

    Technically I'm working from home today, but I guess good security dictates I log into WoW to change my password and check for any foul play.

  8. FYI, "secret" questions can not be changed. by Kenja · · Score: 5, Interesting

    Once a Battle.net account is created, the first name, last name and security question can not be changed. Since these questions are now compromised, everyone is SOL.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:FYI, "secret" questions can not be changed. by dgatwood · · Score: 3, Informative

      That hasn't been true for over a year.

      Also, they're going to en masse make everyone change their security question/answer real soon now.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:FYI, "secret" questions can not be changed. by Kenja · · Score: 4, Informative

      The link you provided says that only Blizzard can change them, so it sounds like it's still true for now, unless you want to argue with them on the phone and provide a photo ID.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  9. Ironic. . . by Limburgher · · Score: 3, Insightful

    I seem to recall reading in the Security Question comments how Battle.net's system was excellent. That portion of it may have been, and they seem to be responding well to this, but the timing is interesting.

    --

    You are not the customer.

  10. Re:This is not news by Sir_Sri · · Score: 3, Interesting

    That's actually pretty common when people do get hacked. If you have gold they immediately mail it off and sell it, and then try and bot farm whatever the best gold/hour is. That might be tradeskilling, that might be cash runs through bosses, sort of depended.

    My lingering suspicion is that WoW was vulnerable to a session spoof attack at some point, or the usual exploit of a Flash vulnerability to get your password, but their systems became overall pretty robust with authenticators added in.

    In your case I'd guess a Flash vulnerability, possibly a 0-day one; those are much less of a problem today than they were 2 or 3 years ago when browsers weren't well sandboxed etc. etc. But those sorts of things always got a few people.

  11. Using scrambling rather than cryptography by tlambert · · Score: 3, Informative

    Using scrambling rather than cryptography gets around cryptographic export and import restrictions. This is why it was possible to decrypt a lot of Windows and Microsoft Word scrambled content, and why Windows NT password recovery tools existed.

    Unless you want to lock yourself out of most Asian countries where videogaming comes close to a religion, and is therefore worth gobs of money, you will not build something which violates their import restrictions. See also:

    http://en.wikipedia.org/wiki/Restrictions_on_the_import_of_cryptography#Status_by_country

  12. Defeating your own security 101 by fisted · · Score: 4, Interesting

    Store password hashes in the database, but the answer to a security question, which enables resetting the password, in plain text. Cool story Blizzard

  13. Re:This is not news by SilverJets · · Score: 5, Interesting

    My account keeps being hacked*, despite the fact I don't log in, have no real interest in playing the games, change it to random passwords even I don't remember, run Linux day to day, and have it associated with a Gmail account which hasn't had any suspicious activity. I've tried to reason with them, but they refuse to listen. I've come to the conclusion that Blizzard are incompetent in this area.

    * I've never seen any proof of my account being hacked besides their e-mails telling me and locking my account. I managed to get it unlocked the first few times; my characters still have all the items and gold I remember. Now they want me to fax a passport or some 'real identification'. I honestly don't want the games that badly, I'm just annoyed they're taking them off me.

    If I had mod points I'd vote this up.

    My battle.net / wow account was fine for years. Never had a problem. Then I installed StarCraft2 and its updates. A day later I get a legitimate e-mail from Blizzard telling me my account had been used to spam the chat channels on wow. Changed my password, and started using their iPhone authenticator app. Nothing from any of my characters was missing. Not a single thing.

    When it comes to security I don't think Blizzard knows what it is doing.

  14. This is for real by tangent3 · · Score: 5, Informative

    Real links here: http://us.blizzard.com/en-us/securityupdate.html
    http://sea.battle.net/support/en/article/important-security-update-faq

    The important thing to note is that the passwords were encrypted with the Secure Remote Password protocol, meaning that rainbow tables are ineffective since each password is individually encrypted instead of using a common hash. Also, the process is CPU expensive, so brute forcing is highly infeasible for reasonable-length passwords.
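    The SRP verifier that comments 3 and 14 are talking about, worked end to end as an added example that is not Blizzard's code or Blizzard's parameters: enrolment produces the per-user (salt, v) pair the server stores (the "cryptographically scrambled" value), a login shows both sides deriving the same key only when the client knows the password, and the last function shows exactly what a stolen (salt, v) is good for. The group is the 1024-bit one from RFC 5054 Appendix A; the use of SHA-256, the identity strings and the passwords are assumptions made for the example.

```python
"""SRP-6a end to end: enrolment, one login, and what a stolen verifier gives an
attacker. Added example; hash choice, users and passwords are assumptions."""
import hashlib
import os
import secrets

# 1024-bit group from RFC 5054 Appendix A: N is a safe prime, g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8  # 128: every integer is padded to this before hashing

def H(*parts):
    """Hash integers (left-padded to NLEN bytes) and byte strings into an integer.
    SHA-256 is this example's choice; RFC 5054 specifies SHA-1 for TLS-SRP."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NLEN, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier parameter

def is_probable_prime(n, rounds=16):
    """Miller-Rabin. A client should refuse a group it cannot validate."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def group_is_safe():
    """True when N and (N-1)/2 are both (probably) prime, i.e. N is a safe prime."""
    return is_probable_prime(N) and is_probable_prime((N - 1) // 2)

def private_x(salt, identity, password):
    """x = H(salt, H(identity ':' password)); exists only on the client."""
    return H(salt, hashlib.sha256(identity + b":" + password).digest())

def register(identity, password):
    """Enrolment on the client. The server persists only (salt, v) per user."""
    salt = os.urandom(16)
    return salt, pow(g, private_x(salt, identity, password), N)

def login(identity, password, salt, v):
    """One exchange. Returns (client_key, server_key); they agree only when the
    password the client typed is the one v was derived from."""
    a, b = secrets.randbits(256), secrets.randbits(256)
    A = pow(g, a, N)                         # client -> server
    B = (k * v + pow(g, b, N)) % N           # server -> client
    if A % N == 0 or B % N == 0:             # RFC 5054 abort conditions
        raise ValueError("degenerate ephemeral value")
    u = H(A, B)
    x = private_x(salt, identity, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    return H(S_client), H(S_server)

def offline_guess(identity, salt, v, wordlist):
    """What a breached (salt, v) DOES give an attacker: an offline dictionary
    attack. The salt defeats precomputed tables and each guess costs a 1024-bit
    modexp, but a weak password still falls. What it does NOT give: v alone
    cannot run the client side of login(), because that needs x."""
    for guess in wordlist:
        if pow(g, private_x(salt, identity, guess), N) == v:
            return guess
    return None
```

    The two halves of the thread's argument are both visible here. Because the salt goes into x, a table built for one user is useless for the next, which is what "rainbow tables are ineffective" actually means; but the per-guess cost is a single modular exponentiation, so a leaked verifier for a dictionary password is recovered in seconds. That is why a verifier leak still calls for a password change even though the verifier itself cannot be replayed as a login.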

  15. Re:Proof Linux is more insecure than Windows by Gaygirlie · · Score: 3, Insightful

    I know I am replying to a troll; I am not actually expecting any kind of sane reply from him, I'm rather replying to his post so that other users will notice the obvious flaw here.

    The thing is, if the hack does not actually use any of the OS-specific features to gain access to privileged data then the OS is wholly irrelevant. All the hacks and attacks mentioned by the troll have been because of faults in the Internet-facing software that runs on top of the OS and would've happened just the same if the software was running on *BSD, OSX or Windows. Operating systems simply cannot protect against stupid people or faulty software; that is merely a pipe dream. As an example, if there is a bug in your latest Windows-based MMORPG that lets attackers gain access to your data, do you blame Windows or do you blame the MMORPG for the failure? I sure would opt for the latter. With that in mind, the troll in question here is simply trying to associate bugs in 3rd-party software with the OS, shifting blame from one party to another.

  16. And the counter argument by SmallFurryCreature · · Score: 3, Insightful

    How many paying customers see other people getting it for free and decide they also no longer want to pay?

    Proof of this behavior? Walking through a red light, once one person does it, others follow.

    Guarding against theft is not just to stop active thieves, it is also a way to keep non-thieves from turning to thieving.

    Proof with regards to copyright infringement?

    Whenever a story runs in the mainstream media on thepiratebay or napster or whatever, every geek gets asked by non-geeks how they can get in on the action.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  17. Re:What do you expect? by RogueyWon · · Score: 3, Interesting

    You know it's not a console game, right?

    Right?

    Blizzard have mulled over the possibility of a console release from time to time, but there's nothing announced. The game's not that different from its predecessors - as you yourself note.

    In fact, the Diablo series is historically a PC/Mac series. There was a Playstation 1 version of the original, but it never got much traction. This series is as computery as a very computery thing that was just made even more computery by the injection of a big pile of computer.

    I think you're using "console" as a shorthand for "shallow and repetitive". Well, I can certainly agree that Diablo games are shallow and repetitive. Absolutely. Definitely. With cherries on.

    But then, I look at some of the console games I own and I don't necessarily see much in the way of shallowness or repetition in some of those. Valkyria Chronicles (PS3 exclusive) is absolutely brimming with depth and complexity, packaged beneath a highly accessible exterior. Dark Souls (360 and PS3, belated PC version due later this month) is more action oriented, but has one of the deepest and most precise combat systems I've come across. The Forza Motorsport (360 exclusive) games have depth coming out of their ears.

    By all means criticise the Diablo series for its core gameplay - god knows it deserves a bit of a grilling as a counter-point to the fawning it got from some review sites. But if you're claiming it's a console game, you look ridiculous and if you're claiming that all console games are shallow, you look ignorant to boot.