Slashdot Mirror

← Back to Stories (view on slashdot.org)

Blizzard Says Battle.Net Has Been Hacked

Posted by samzenpus on from the all-your-password-are-belong-to-us dept.

An anonymous reader writes "Blizzard announced today that its Battle.net service was compromised. The company is urging users to change their login information immediately. Blizzard is stressing that payment information was not compromised. 'The unauthorized access included email addresses associated with Battle.net accounts in all regions, outside of China. Additional information from accounts associated with the North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) was also accessed, including cryptographically scrambled versions of passwords (not actual passwords), the answer to a personal security question, and information relating to Mobile and Dial-In Authenticators. It's important to note that at this time, Blizzard does not believe this information alone is enough to gain access to Battle.net accounts.'"

24 of 340 comments (clear)

  1. Thanks! by Anonymous Coward · · Score: 5, Funny

    Thanks for your always-online requirement for Diablo 3! So very useful if I want to play alone.

    1. Re:Thanks! by ganjadude · · Score: 5, Insightful

      really??? thats your argument? From my point of view as a D player since D1, STILL play d2, and gave up on d3, i am sick of the people who claim that "d3 is a multiplayer game" maybe by marketing, but not by gameplay. it is NO DIFFERENT than d2, in gameplay that it should require me to check in with them if i want to play by myself. and on top of that, they wouldnt even work with me on a refund, when I had issues 3 weeks after launch because I pre ordered it, and therefore it was more than 30 days out of date, eventhough i only had the game for aweek less than 30 days.

      --
      have you seen my sig? there are many others like it but none that are the same
    2. Re:Thanks! by Sir_Sri · · Score: 5, Informative

      It's not an argument. It is. The game is a multiplayer game. Just because that's a stupid idea doesn't mean it isn't the one they went with.

      I'm sorry that your point of view is just wrong. But it is. The whole game was balanced around you being able to buy and sell from the auction house. That was a deliberate choice on blizzards part, and without the AH the game becomes prohibitively hard because you just can't get the right itemized gear and you need an astronomical amount of farming to get through the content. Again, I'm not saying that's a *good* design, but that is the design. If anything the game suffers because you almost never loot anything you actually want, I think I looted one inferno difficulty item I actually used, all of the rest I had to buy.

      They certainly could have designed the itemization differently or had a full on single player mode with different itemization. But they didn't.

      The 'core activity' of diablo is 'click'. I'll grant you that activity is mostly unchanged form previous versions. But most games are more than just one core activity.

      they wouldnt even work with me on a refund, when I had issues 3 weeks after launch because I pre ordered it, and therefore it was more than 30 days out of date, eventhough i only had the game for aweek less than 30 days.

      yes well, that's a whole other topic. But once they have your money they don't want to give it back.

    3. Re:Thanks! by ganjadude · · Score: 5, Interesting

      I understand your argument, I really do. however I dont understand any good reason to disable to single player mode from d2 (which the char was not able to play on battlenet, and therefore not able to access the "real money" market activision set up (in convinced this is an activision move, and not something blizzard would have done prior to being bought up) I simply disagree with the way the game was handled. Hell I pre ordered, pre downloaded, and still couldnt play for 2 days after it was "released" all because of server issues. If that the the route all games are going to go.. i guess I am not a gamer any longer. Thats just me, but I will not deal with that, Ill keep playing super mario world and D2 and be happy.

      --
      have you seen my sig? there are many others like it but none that are the same
    4. Re:Thanks! by PopeRatzo · · Score: 5, Insightful

      I am not the other guy, but maybe I can clarify: It is an online game. That is a fact.

      Let me clarify further: Diablo 3 is an extremely shitty game that not only is overpriced by about 3x, but then seeks to monetize even further with it's online crapola.

      As a free2play online game, Diablo 3 would be excusable. As the anchor in a very popular trilogy of AAA titles, it's inexcusable.

      Further, to heal FAIL on top of FAIL, the information that you had to give them to create an online account with Blizzard in order to play this mediocre free2play crap is now in the hands of some Bulgarian sleazebags who will do their best to monetize Diablo 3.

      Blizzard couldn't have mistreated Diablo fans much worse without infecting every one of them with Ebola virus and then smacked them in the face with a meat tenderizer.

      Naturally, Blizzard bears zero liability for any damage that might be caused by their inability to keep customer records secure because everyone who played the game had to sign away all of their rights in the endless EULAs that they had to agree to on installation and with every single update.

      Let me end this rant with a brief prayer: Jesus, Lord Baby Jesus, I beseech you. Please make the prostates of every one of the Blizzard upper management, board of directors and major shareholders swell up to the size of honeydew melons so that it takes them 15 minutes just to squeeze out a painful, burning drop of urine. And let them know, Father, that this pain is directly caused by their behavior with Diablo 3 (which, if it makes any difference to you, Baby Jesus, has satanic overtones). And I further pray, Lord, that you make an example of them so horrible as to cause sweaty, trembling nightmares for the upper management of every game developer and publisher, so that their nights may be beset with horrors so that they might look into their souls in order to change their ways and stop fucking over their customers. I pray this in the name of God (may Allah protect him), Amen. PS: please let the Bears win their home opener by 14 points or more..

      --
      You are welcome on my lawn.
    5. Re:Thanks! by Anonymous Coward · · Score: 5, Insightful

      Jesus, Lord Baby Jesus, I beseech you. Please make the prostates of every one of the Blizzard upper management, board of directors and major shareholders swell up to the size of honeydew melons so that it takes them 15 minutes just to squeeze out a painful, burning drop of urine.

      I'm afraid you're praying to the wrong God here. Jesus would tell you to forgive, and seek in you the strength to go to Blizzard and convince them to lose their bad ways, by being a loving example to them, as you'd like them to be to you.

      Muhammad would tell you to behave, be a good moslem, and insist Blizzard upper management is bound for fiery inferno anyway so why care.

      Buddha would tell you to care less for videogames, and maybe instead enjoy your next meal more (hmmm pork).

      Nanak would just smack you over the head, and then pee in your general direction.

      Eris would grant you your wish, turning Blizzard's management even more sour, then She would make you buy their next yet-shittier game nonetheless so you'd share some of the pain you sought to inflict, for the lulz.

      Most other deities would require costly sacrifices and long imprecations upfront just to listen, mostly understanding your plea half wrong anyway. And their antagonist deities would curse you afterwards.

  2. Yah by the_Bionic_lemming · · Score: 5, Insightful

    Can I please have my single player offline games back?

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
    1. Re:Yah by DoofusOfDeath · · Score: 4, Funny

      "No." -Activision

    2. Re:Yah by Teckla · · Score: 5, Insightful

      Can I please have my single player offline games back?

      Speaking just for myself, I'm skipping both StarCraft 2 and Diablo 3, because of the onerous DRM and always-online requirements Blizzard now uses.

      I wonder if the DRM and always-online requirements are preventing enough piracy that results in sales, to overcome the loss of buyers like me.

    3. Re:Yah by DoofusOfDeath · · Score: 4, Insightful

      My guess is that what they're losing in sales to people like you (and me), they're more than recouping in the buy-things-for-real-world-money shenanigans they've instituted.

      Sucks, but I guess that's how the cookie crumbles.

  3. Cryptographically Scrambled Passwords by PhrostyMcByte · · Score: 4, Interesting

    I'm going to go out on a glass-half-empty limb here and say that means encrypted, not salted and hashed. "Cryptographically Scrambled" is too obviously ambiguous. I hope I'm wrong!

    1. Re:Cryptographically Scrambled Passwords by GerardAtJob · · Score: 4, Funny

      It smell like XOR... ;)

      --
      I can't call that English ;-)
    2. Re:Cryptographically Scrambled Passwords by safetyinnumbers · · Score: 4, Informative
      The 'additional info' link in the announcement says they use SRP, which I'd not heard of but seems to be a hash-based system. http://srp.stanford.edu/

      the server carries a verifier for each user, which allows it to authenticate the client but which, if compromised, would not allow the attacker to impersonate the client

    3. Re:Cryptographically Scrambled Passwords by Stormy+Dragon · · Score: 5, Informative

      The letter from Blizzard itself says they use the Secure Remote Password protocol, so this is what they mean by "Cryptographically Scrambled":

      http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

  4. Well now. by Frosty+Piss · · Score: 5, Funny

    Since I''m over 25 and work for a living, this does not effect me.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Well now. by Svippy · · Score: 4, Funny

      Since I am 25 and do nothing for a living, your incorrect spelling of 'affect' affects me.

      --
      Clicked pie.
  5. Re:Anyone have real information? by Kenja · · Score: 5, Informative

    Found it. http://us.blizzard.com/en-us/securityupdate.html URL in the article is wrong.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  6. Re:This is not news by Anonymous Coward · · Score: 5, Interesting

    My account keeps being hacked*, despite the fact I don't login, have no real interest in playing the games, change it to random passwords even I don't remember, run linux day to day, and have it associated to a gmail account which hasn't had any suspicious activity. I've tried to reason with them, but they refuse to listen. I've come to the conlusion that Blizzard are incompetant in this area.

    * I've never seen any proof of my account being hacked besides their e-mails telling me and locking my account. I managed to get them unlocked the first few times, my characters still has all items and gold I remember. Now they want me to fax a passport or some 'real identification'. I honestly don't want the games that bad, I'm just annoyed they're taking them off me.

  7. The Responsible Thing To Do by TranquilVoid · · Score: 5, Funny

    Technically I'm working from home today, but I guess good security dictates I log into WoW to change my password and check for any foul play.

  8. FYI, "secret" questions can not be changed. by Kenja · · Score: 5, Interesting

    Once a Battle.net account is created, the first name, last name and security question can not be changed. Since these questions are now compromised, everyone is SOL.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:FYI, "secret" questions can not be changed. by Kenja · · Score: 4, Informative

      The link you provided says that only Blizzard can change them, so it sounds like its still true for now unless you want to argue with them on the phone and provided a photo id.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  9. Defeating your own security 101 by fisted · · Score: 4, Interesting

    Store password hashes in the database, but the answer to a security question, which enables resetting the password, in plain text. Cool story Blizzard

    --
    CLI paste? paste.pr0.tips!
  10. Re:This is not news by SilverJets · · Score: 5, Interesting

    My account keeps being hacked*, despite the fact I don't login, have no real interest in playing the games, change it to random passwords even I don't remember, run linux day to day, and have it associated to a gmail account which hasn't had any suspicious activity. I've tried to reason with them, but they refuse to listen. I've come to the conlusion that Blizzard are incompetant in this area.

    * I've never seen any proof of my account being hacked besides their e-mails telling me and locking my account. I managed to get them unlocked the first few times, my characters still has all items and gold I remember. Now they want me to fax a passport or some 'real identification'. I honestly don't want the games that bad, I'm just annoyed they're taking them off me.

    If I had mod points I'd vote this up.

    My battle.net / wow account was fine for years. Never had a problem. Then I installed StarCraft2 and its updates. A day later I get a legitimate e-mail from Blizzard telling me my account had been used to spam the chat channels on wow. Changed my password, and started using their iPhone authenticator app. Nothing from any of my characters was missing. Not a single thing.

    When it comes to security I don't think Blizzard knows what it is doing.

  11. This is for real by tangent3 · · Score: 5, Informative

    Real links here: http://us.blizzard.com/en-us/securityupdate.html
    http://sea.battle.net/support/en/article/important-security-update-faq

    The important thing to note is that the passwords were encrypted with Secure Remote Password protocol, meaning that Rainbow Tables are ineffective since each password is individually encrypted instead of using a common hash. Also, the process is CPU expensive so brute forcing is highly unfeasiable for reasonably length passwords.