Change Your Passwords (Again): Battle.net Breached

By Nathan Grayson on August 10th, 2012 at 1:51 am.

I, like many of the highly evolved, vaguely human terminal cyborgs that we otherwise refer to as “Internet users,” perhaps somewhat unwisely use the same few passwords for, well, a lot of things. But damn it, I crafted those passwords. I didn’t use wars or stars, but they’re mine – forged through years of slight tweaks and realizations that my birthday and number sequences I’d learned in pre-school, in fact, presented sort of crackable codes. So I really wish videogame companies would stop losing track of them. But alas, it keeps happening. The most recent victim? Blizzard. Fortunately, it sounds like our most important info (credit card, address, real name, etc) is still safe and sound, but you’ll probably want to toss your password masterworks and start anew all the same. Same with mobile Authenticators – which Blizzard notes “could potentially” be compromised. Ruh-roh.

Blizzard put up a statement on its website admitting to a breach of Battle.net this week. Here are the key bits:

“This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened. At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.”

“Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.”

Scrambled passwords, meanwhile, were also snatched from North American servers, but Blizzard notes that “We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.”
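To make the SRP claim concrete, here is a toy walk-through of the Secure Remote Password protocol (the SRP-6a shape standardised in RFC 5054). This is an added example, not Blizzard's code, and it makes two assumptions: the group modulus is a 64-bit safe prime generated deterministically below so that the numbers stay readable (real deployments use the 1024- to 8192-bit groups published in RFC 5054 and pad values to the group size before hashing), and the hash framing joins fields with "|" rather than the RFC's fixed-width concatenation. What it shows is why a stolen database of SRP records is not a stolen list of passwords: the server keeps only a per-user salt and a verifier v = g^x mod N, the password never leaves the client during login, and because x depends on the salt and username, two users with the same password get unrelated verifiers, so each record has to be attacked on its own.

```python
"""Toy SRP-6a walk-through (added example, not Blizzard's implementation).
Assumption: a 64-bit safe prime is generated here so the values stay small;
production SRP uses the RFC 5054 groups and fixed-width field padding."""
import hashlib
import random
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with bases drawn from a seed derived from n (toy use only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(n)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits=64, seed=2012):
    """Deterministically find N = 2q + 1 with both q and N prime (toy group)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


N = safe_prime()   # toy modulus; (N - 1) // 2 is also prime
g = 2              # in a safe-prime group, 2 generates a subgroup of order q or 2q


def H(*parts):
    """SHA-256 over the '|'-joined parts, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else str(part).encode())
        h.update(b"|")
    return int.from_bytes(h.digest(), "big")


k = H(N, g)        # SRP-6a multiplier parameter


def private_x(username, salt, password):
    """x = H(salt | H(username ':' password)); only the client ever computes this."""
    return H(salt, H(username + ":" + password))


def register(username, password, salt=None):
    """Enrolment: the server stores (salt, v) and never the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    v = pow(g, private_x(username, salt, password), N)
    return salt, v


def client_login(username, password, server_db):
    """One SRP exchange against server_db ({user: (salt, v)}).
    Returns (client_key, server_key): equal only if the password matches the
    stored verifier, while the password itself never crosses the wire."""
    # client -> server: username and A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # server: reject A == 0 mod N, then answer with the salt and B = k*v + g^b
    if A % N == 0:
        raise ValueError("reject A == 0 mod N")
    salt, v = server_db[username]
    while True:
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        if B != 0:
            break
    u = H(A, B)    # scrambling parameter, computed by both sides
    # client: reject B == 0 mod N, then S = (B - k*g^x)^(a + u*x)
    if B % N == 0:
        raise ValueError("reject B == 0 mod N")
    x = private_x(username, salt, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # server: S = (A * v^u)^b, using only A and the stored verifier
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    return H(S_client), H(S_server)
```

Run `register` for two users with the same password and compare the verifiers, then `client_login` with the right and a wrong password: the session keys agree only in the first case. The per-user salt inside x is what makes the "deciphered individually" remark true; a leaked verifier table gives an attacker nothing that transfers from one user to the next, although a weak password still falls to a per-user guessing effort, which is why changing it remains the right advice.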

Regardless, CHANGE YOUR PASSWORD AND SECRET QUESTION ASAP. Blizzard, at least, will be taking care of the latter via an “automated process” in the coming days. There will also be an update for mobile Authenticator software very soon. If you’re not clear about anything, there’s also a detailed FAQ.

So then, it’s a pain, but odds are, most of you will remain unaffected. I’d be remiss, however, if I didn’t point out that this is yet another crack in the paper-and-ash armor of Blizzard’s online requirement – at least, when it comes to series that used to be playable entirely offline like Diablo. Yes, I’m beating a dead horse and then spending hundreds of hours farming it for more loot while complaining about a lack of endgame, but it needs to be said all the same. Believe me: no one (except maybe the hackers) is happy about this, but I imagine people who just wanted a single-player experience with no muss or fuss are the angriest of all.

That said, kudos to Blizzard for leaping on this one quickly and putting together a plan of action to help affected customers. For now, this is just a minor inconvenience, and here’s hoping it stays that way.


123 Comments

  1. D3xter says:

    Well, they should’ve bought an Authenticator for their servers! That grants like +100% Immunity to Hacks I heard.

    • cmelda13 says:

      That’s not true because they nerfed it in 1.0.3 patch (down to 25% Immunity to Hacks and to 15% if you are playing with friends).

      • Ninja Foodstuff says:

        Actually there’s now an Epic Authenticator someone’s selling on the RMAH which works just fine I’ve heard.

        • tetracycloide says:

          Does it say ‘Authenticates your account’ or ‘Account authenticater’ because I’ve heard one of the phrasings is bugged and doesn’t actually do anything even though it looks like it does.

    • iteyoidar says:

      The hackers can have my account. I don’t want it anymore. Having to play Diablo 3 again is a worthy punishment for anyone forcing me to change all my passwords.

    • chucklepie says:

      Ok, they can secure it as much as they like with hardware generated passwords/ids and I can change my questions but I can’t change my mother’s maiden name or my date of birth.

      Apart from the obviousness and ease of finding this information out, why can’t they encrypt the security answers too?

  2. woodsey says:

    On the one hand, I hope everyone’s details genuinely are okay. On the other, I am laughing at everyone who only has a Battle.net account because they bought Diablo 3 (which is probably not that many people, but I’m sure there’s some of them out there). Dare I say it: I almost wish they’d been more severely breached. Just a smidge, mind you.

    • ninecome says:

      Everyone? I didn’t buy Diablo. I bought StarCraft… which does use Battle.net but at least can be played in offline mode.

      • woodsey says:

        Yes, I mean people who only have it because the only Battle.net game they own is Diablo 3.

        • JoeGuy says:

          Yeah I’d say people who were first welcomed to Battle.net because of Diablo III are really thinking they got screwed with the always-online DRM after all the crap they’ve put up with.

          • pqmnwsd6 says:

            Yet another argument against the always-connected DRM issue.
            http://www.gamestop.ie/PC/Games/12136/dishonored

          • Ecto says:

            That link is spam. Don’t click :)

          • TidiusFF says:

            Now spam bots are starting to become intelligent and adapt to the subject? =O

          • c-Row says:

            More like posting an answer that fits every thread.

            UbiDRM servers not available? “Yet another argument against the always-connected DRM issue.” – New ME3 DLC? “Yet another argument against the always-connected DRM issue.” – Jim trading his first-born for Psychonauts 2? “Yet another argument against the always-connected DRM issue.”

            Well, 90% maybe.

            (actually it seems to simply copy another user’s comment and re-post it as its own – the same answer can be found some clicks below, but without the spam link)

          • jezcentral says:

            Then why haven’t we seen one that says “Edit: reply fail”, eh?

          • Jarenth says:

            Not yet. They’ll learn.

      • Squishpoke says:

        It can’t be played in offline mode if you’ve been offline for two months or so, because they downgrade your full SC2 copy to the “Starter Edition.” You have to connect to their shitty battle net thing in order for Blizzard to give you your game back.

    • vandinz says:

      No not that many bought Diablo 3. Only around 10 million people … Y U SO DUMB?

      • woodsey says:

        Y U NO READ?

        People who ONLY have Battle.net because they ONLY own Diablo 3. I’m sympathetic to those who have it because they bought something prior (and didn’t pick up D3 as well, I guess), but if you’re one of those who fed the always-online machine by buying D3 then I’m a little less bothered. Like I said, just a little.

    • tetracycloide says:

      That’s because you’re kind of a jerk.

  3. eclipse mattaru says:

    Minor inconvenience, right. Well, maybe it’s just me, but if I had spent money on an authenticator (which already was about the most ludicrous idea I’ve heard in my life) and now I were to find out that this crap “could potentially be compromised”, I imagine I would be kind of pissed off nevertheless.

    • Baines says:

      “Mobile and Dial-In Authenticators”? Aren’t these the free alternatives to buying an authenticator?

      Conspiracy theories ahoy! Who will be the first to ask whether Blizzard intentionally let this happen so as to drive people to buy authenticators instead of using the free alternatives, just as a few people asked whether the previous breach was a set-up (implement poor “normal” security and wait to get hit) to push people towards authenticators in general?

  4. MythArcana says:

    But…why’s the fun gone?!?

    • Hoaxfish says:

      If you’re not having fun, you simply aren’t trying to have the right kind of fun as dictated by Blizzard.

      Human concepts of fun are outdated.

      • MythArcana says:

        I haven’t bought anything by Blizzard since D2: LoD, but they do generate a lot of laughter over here watching their Cash Follies fail weekly. :)

  5. pipman3000 says:

    Good thing I only play off-line so I should have nothing to worry about.

  6. derbefrier says:

    Aren’t you thankful?

  7. pakoito says:

    Well deserved slow clap for them.

  8. max_1111 says:

    I saw what you did there.
    Was the picture for the article changed to help us visualize the dead horse?
    Because it totally helped. I’m like… there… man…

  9. Solidstate89 says:

    Well Nathan, time for you to start using a password manager! I use LastPass myself but KeePass is another popular manager people use as well. There are dozens available but those are the two I’m aware of. It’s actually quite the peace of mind when you have a unique password for every single account.

    I think it was last year or so when the old Bioware forums were hacked. I didn’t bat an eye as it was using a completely unique password for that site alone. No frantically going through the rest of your accounts trying to figure out which account uses that password and which one doesn’t.

    Here’s a good guide on some of the more popular ones to pick from.

    http://lifehacker.com/5529133/five-best-password-managers

    No time like the present to learn and correct your mistakes ;)

    • Dances to Podcasts says:

      Tonight on “It’s the Mind”, we examine the phenomenon of déjà vu, that strange feeling we sometimes get that we’ve lived through something before, that what is happening now has already happened.

      • Solidstate89 says:

        Yes, I do believe I made the same kind of comment in the last Battle.net breach article. I hate to sound like a broken record but using some form of password manager really is one of the best things one can do on the web.

        Especially those managers that allow for Two-factor authentication. I think that feature is starting to get even more press now after what happened to that Wired journalist. Even I’m finally enabling two-factor authentication on my LastPass account with a Yubi-Key but they have quite a few options from Google Authenticator to even an old fashioned grid multi-factor authentication. Kind of like those key wheels you’d have to use for some software long before my time.

      • Kal says:

        Tonight on “It’s the Mind”, we examine the phenomenon of déjà vu, that strange feeling we sometimes get that we’ve lived through something before, that what is happening now has already happened.

        (PS – high5 for a relatively obscure Python reference. )

      • Milky1985 says:

        Tonight on “It’s the Mind”, we examine the phenomenon of déjà vu, that strange feeling we sometimes get that we’ve lived through something before, that what is happening now has already happened.

    • Revisor says:

      Keep spreading the word. Use a password manager, people! Long, unique passwords typed automatically for you, accessible from multiple devices.

      What’s not to like? Only the initial time investment of maybe 10 minutes.

      • LionsPhil says:

        Single point of failure.

        Not that I’m saying this outbalances the benefits; just that there is some downside.

      • ScubaMonster says:

        Well for starters, not every login lets you copy and paste. I sure as shit don’t want to type in sldj3@#$@sfSDFDF#337772 myself. You can use short switched around phrases/words with a couple numbers and maybe a special character that is easy to remember and still probably just as hard to crack (mostly). Something like snakduk48$ (snack duck 48 dollars lol). That’s easy enough to remember and still not easy to crack. And no, I don’t use that for any password lol.

        Not saying password managers are bad, I’ve used KeePass myself and Passter is a good Chrome extension as well. If for no other reason than you have an easy way to keep a log of every password you use, since I use unique passwords. I do however use insanely long random character passwords for financial accounts though.

    • Dog Pants says:

      This isn’t the user’s mistake. Using a password manager may well be a good idea, but not doing so doesn’t make Blizzard any less responsible.

      • Solidstate89 says:

        I never said, inferred, implied or even remotely hinted that it wasn’t Blizzard’s fault. But if you don’t use that password on any other website you have an account with, then you have nothing to fear from that password being leaked.

  10. Shortwave says:

    That’s quite terribly annoying.
    Indeed.

  11. Vorphalack says:

    I’ve not logged into Battle.net for a couple of years now, so when I did my password swap the first thing that sprang to mind was the Battle.net balance. If someone gets into your account, and you have credit, they could start spending your own money without even getting your card details. At least they can’t just cash convert the balance, but neither can you, and spending on Diablo items or WoW gold are about as good as cash these days. Hell, anyone getting in could just burn your money on crap to be a massive dick. I will never buy into this sort of system, and I extend my sympathies to anyone who gets burned by this. Motivating companies to care when you lose a relatively small amount of money is hard enough already.

  12. SkittleDiddler says:

    So Blizzard are quick enough to pester me with promotional emails and “are you still alive” letters for an account that’s been inactive for eight years, but they can’t be bothered to let me know it might have been hacked?

    Stay classy, Blizz.

  13. TheIronSky says:

    Yet another argument against the always-connected DRM issue.

    • Nevard says:

      Considering an online option exists I imagine that most people would have passwords regardless of whether it had always on DRM or not

      • MajorManiac says:

        You’re mistaken. It’s perfectly possible to have an online multiplayer game without user accounts. It’s just become the norm nowadays, because companies want to track our every mouse click.

        • reggiep says:

          Yes, that is possible for a very specific type of game. For a game that tracks stats, inventory, achievements, friends, etc, that’s not possible. Sorry to burst your bubble.

    • vandinz says:

      Is it? I have Company of Heroes, that doesn’t have always on but guess what!? I also have an online account to play with friends. Nice attempt at making this about DRM but the fact is, it’s not.

      • spedcor666 says:

        I agree. Having online accounts because of always online DRM has nothing to do with DRM because of Company of Heroes. Obviously.

  14. shagen454 says:

    Good, I hope whoever hacked into my Bnet D3 account is ripping shit apart right now. RIP that account to pieces, hacker boy

    • Askeladd says:

      You know… in a time that is the past, there was an evil sorcerer who practiced the arts of dark magic.
      He was a foul creature and at the pinnacle of his evil might he created something dreadful….
      Redundant backups

    • Rao Dao Zao says:

      Rip and tear and rip and tear… You are a huge game, so you must have huge guts!

  15. Vinraith says:

    Why do I have to hear about this from RPS? I mean, I appreciate RPS posting about it of course, but why on Earth hasn’t Blizzard sent out a notice? What do they have my email for, if not to notify me of this sort of thing?

    And yeah, same question for Valve back when this happened to Steam.

    • subedii says:

      I’m pretty certain I remember Steam putting up a big freaking pop up window with a message from Gabe Newell, notifying me of what happened when they confirmed that someone had hacked information, what information they believe it was, whether it was dangerous, and that it would be advisable to change my password regardless.

      • Kaira- says:

        The pop-up didn’t happen if you had disabled the “show ads for games”-thingy.

      • Moraven says:

        Only if you launched a game from Steam and exited it. The only notification they have from Blizzard is from the launcher and people spreading the word.

        I do not understand why these companies will not simply e-mail their customers?

        Sony, late, at least sent an email.

        • Llewyn says:

          Sony only mailed some accounts – my primary PS3 account has never been officially informed of that breach, but most of the throwaway ones I created for friends to use for some game that was fussy about profiles were told.

    • Mungrul says:

      I don’t know about you Vinraith, but I get so many phishing mails claiming to be from Blizzard I tend to treat them all as spam. I’m sure Blizzard are aware that their userbase have learned not to trust any “Blizzard” email, particularly ones relating to account security, and so are trying to figure out the best way to let their players know.

    • MidoriChaos says:

      Because of the amount of people that would just scoff, say “phishing mail” and delete it without even reading the whole thing. Edit: pretty much what Mungrul said, he beat me to it.

    • trjp says:

      Phishing doesn’t stop anyone sending emails – despite getting a tonne of SPAM for the following, they also send real emails

      PayPal – this week they sent out a policy change email which included a link to click – which is massively, massively retarded.

      My Bank – pretty much as per PayPal, regular emails inviting me to click to view their services.

      Quidco etc.

      and so on. Just because scumbags send out spam doesn’t make email useless – it’s not a bad idea to avoid providing direct links in emails tho – just to get it through the heads of stupid people that links in emails are highly insecure/pointless.

  16. The13thRonin says:

    “Change your password again”.

    Or better yet change to a better game… For that matter… Any game…

  17. mr.ioes says:

    So they got our security questions but Blizzard doesn’t let us change them. This company went apeshit at some point.

    • frightlever says:

      I couldn’t see an option either but I thought it was because I already have the authenticator and SMS options enabled.

      Who’da thunk it back when we was playing Outlaw on the Atari that it would come to this? I need to be an electronic road warrior just to get my game on now.

    • derbefrier says:

      They said in their security post that they will be making people change them soon. I would guess when it’s ready the next time you log in it will take you through the process automatically. But it appears they don’t have a way to do it manually for some reason.

  18. frightlever says:

    Am I supposed to have gotten an email about this? It would be ironic to actually receive a Battlenet “your account has been compromised” email that WASN’T spam. I did check but I didn’t receive one, and the message on the DIII site is subtle to say the least. Meh.

    If Blizzard can get hacked what chance do we have?

  19. Lobotomist says:

    Regardless of hate towards Blizzard.

    These password database breaches are getting to be a common thing. There is no MMO or online gaming company that hasn’t been breached in the last year. Including Valve …

    When it was Sony (SOE) everyone blamed them for their shoddy protection policies. But then every company started getting hacked one after another.

    I am sure they would put better protections in place after the first few warnings.

    Especially Blizzard – because of REAL MONEY TRADING – yes many people have easily transferable money and virtual goods there

    —-

    I am not a big networking expert.
    But I think there is some networking vulnerability, currently known to the hacker scene. Something they can use to gain access to anything connected to the internet. And nobody can do jack about it…

    • Askeladd says:

      It just shows the shortsightedness of today’s companies. Their priorities are to make a profit, while the security of data comes second to that.
      Hackers on the other hand have other priorities. First cracking their security and then make a profit.

      • tetracycloide says:

        You’re mistakenly assuming that impenetrable security is even possible, much less a goal. When things are compromised but all the important information, like credit card numbers and passwords, is still secure, that is thinking about security first.

        • psyk says:

          Shall we take a stab and say at least 45% of the readers here are American? Guys, your financial systems are hacked every other day; go read up on some of them.

    • UncleLou says:

      I guess the old saying applies: There are two types of companies – those whose security has been breached, and those who don’t know it yet.

    • Bhazor says:

      The reason Sony got blamed for their hack? They didn’t use encryption for stored passwords.

      • UncleLou says:

        Yeah. Usually it suffices to change your password. In the case of Sony, I had to get a new credit card. In the last few months, I’ve had to change passwords for last.fm, Steam, and a couple of others I’ve already forgotten, so I can’t say I am overly excited by this news today.

    • trjp says:

      The “solution” to this is for the company to simply deny there are any hacks or breaches.

      The model situation for this is Microsoft, whose online services have been hacked to hell and back but they consistently deny this.

      XBOX Live is a leaky sieve – anyone with points or a credit card on their account is effectively hanging their tackle out of the window with a sign on it saying “kick me”.

      HotMail (now Outlook Desperation Edition) is the webmail-of-choice if you want to do the same thing but with all your friends too!!

      and so on.

  20. mpiwo says:

    But isn’t changing your password in Diablo III a pain in the less respectable part of my back? Last time I tried to do it, I got a message from Blizzard, my account was blocked and I had to go through their loops for 20 minutes before they unlocked the account.

    At which point my 20 minutes of gaming allowance was over and I had to go watch the Gilmore Girls with my wife, content with the thought that tonight I conquered the almighty password change quest at normal level.

  21. Bob says:

    Once again I heard it here first. Thanks for the heads up.

  22. Cameron says:

    The fact that Battle.Net passwords aren’t case sensitive should make cracking any passwords, if it turns out any were obtained, a little bit easier than otherwise too.

    • reggiep says:

      The encrypted salt significantly increases the difficulty of discovering the password through brute force — case-insensitive or not. Still, you should change your password and make sure it’s not shared on any other services linked to the same email or your name.

    • banelos says:

      Also the size of passwords seems to be limited to 16 characters. Why? Isn’t it hashed to the same size afterwards anyway?
      Blizzard is strange when it comes to account security. I wanted to change my secret question once and I went through all the hoops and just got told that it was not possible.

      • psyk says:

        MS also has a strange way of handling your Live account across multiple platforms. Let’s just say for certain things they make you gimp your pass really bad, but they won’t really tell you this will be the case until after you have made your account and are attempting to sign in.
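Several comments above ask the same storage question from different angles: why security answers were recoverable when passwords were not (chucklepie, comment 1), whether a salted hash still helps when the password is case-insensitive (Cameron and reggiep, comment 22), and why a 16-character limit exists at all (banelos, comment 22). The following is an added example, not Blizzard's code, showing how a service can store both kinds of secret as a salted, iterated hash so that a stolen row is not the plaintext. It assumes PBKDF2-HMAC-SHA256 as the slow hash (hashlib.scrypt or argon2 would be equally suitable), a random 16-byte salt per record, and the iteration count below as a tunable work factor. Answers are normalised before hashing so that "Rex " and "rex" both verify; passwords deliberately are not, because folding their case shrinks the keyspace an attacker has to search, which is exactly the objection to case-insensitive passwords.

```python
"""Salted, iterated storage for security answers and passwords.
Added example, not Blizzard's code.  Assumptions: PBKDF2-HMAC-SHA256,
a 16-byte random salt per record, ITERATIONS as the work factor."""
import hashlib
import hmac
import os
import re
import unicodedata

ITERATIONS = 600_000   # work factor; raise it as hardware gets faster


def normalize_answer(answer):
    """Free-text answers: Unicode-normalise, fold case, collapse whitespace.
    Not applied to passwords, where case folding would reduce entropy."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"\s+", " ", folded).strip()


def slow_hash(secret, salt, iterations=ITERATIONS):
    """Salted, iterated hash.  Input length is unbounded, so no 16-character
    cap is needed on what the user may type."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)


def store(secret, *, is_answer, iterations=ITERATIONS):
    """The record to persist instead of the plaintext: salt, digest, parameters."""
    salt = os.urandom(16)
    text = normalize_answer(secret) if is_answer else secret
    return {
        "salt": salt,
        "digest": slow_hash(text, salt, iterations),
        "iterations": iterations,
        "is_answer": is_answer,
    }


def verify(candidate, record):
    """Re-derive the digest with the stored salt and compare in constant time."""
    text = normalize_answer(candidate) if record["is_answer"] else candidate
    digest = slow_hash(text, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    rec = store("  Rex the  DOG ", is_answer=True)
    print(verify("rex the dog", rec), verify("spot", rec))   # True False
    pw = store("Hunter2", is_answer=False)
    print(verify("Hunter2", pw), verify("hunter2", pw))      # True False
```

Two things the code makes visible that the comments only assert: hashing the same answer for two users yields two unrelated records because each gets its own salt, so a leaked table has to be attacked one row at a time, and the hash accepts input of any length, so a character limit on the password field is a product decision rather than a storage constraint. Llewyn's practice (comment 26) of using a manager-generated random string as the answer fits this scheme unchanged; it simply raises the cost of the per-row guessing the salt already isolates.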

  23. scatterbrainless says:

    Bahahahahahahahahahhaha… ughm. How tragic.

  24. Commander Gun says:

    On a sidenote I want to say, just because I can, that Diablo 3 was the worst, most painful, pitiful excuse for a Diablo sequel I could ever imagine. It’s sitting on the worst game of the year throne for me and I cannot possibly imagine it will get off that throne this year.

    • UncleLou says:

      Sounds like hyperbole or you’re a victim of hype. It is – at the very least – a very competent ARPG, with hands down the most fun core mechanics/skills in the genre (and I include PoE and TL2, both of which I have played). Itemisation is a problem, but then absolutely no one needs to ever visit the AH before they hit Inferno. Honestly can’t take “worst game ever” type of posts seriously.

      • spedcor666 says:

        It doesn’t matter if you take them seriously or not. For some people, massive disappointment can easily turn it into one of their worst games regardless of how competent you believe it is.

        • tetracycloide says:

          Competence is not subjective. It’s not a question of thinking it is, it either is or it isn’t and that can be objectively measured. What you’re essentially arguing is that your subjective disappointment somehow trumps objective competence. I can see why you would see it that way but that’s going to ring hollow with everyone that wasn’t also subjectively disappointed.

          • spedcor666 says:

            You might want to read my post again. Maybe a bit more slowly this time.

            I’m well aware as to whether competence is subjective or not and no, I’m not arguing about subjective disappointment trumping objective competence. I’m arguing that if the OP thinks it’s their worst game of the year, then there are valid reasons why that might be. Such as disappointment for example.

  25. Safewood says:

    Why doesn’t Blizzard have a physical authenticator for their servers?

  26. Tei says:

    “Security answers” are stupid, and are implemented by stupid people.
    What now? Can I change my first dog’s name, and the first name of my mother?

    Please stop with these ridiculous questions; they add nothing and have localization issues.

    • Llewyn says:

      Localization is the least of the problems with security questions. Far worse is the social engineering aspect which creates an easy bypass for any other security measure Blizzard might implement. No-one* knows my battle.net password, not even me, but hundreds of people know my first dog’s name and thousands know my mother’s first name.

      *Assuming Blizzard’s auth servers aren’t broadcasting passwords every time they’re submitted.

      • Sayori says:

        By the way, you know you don’t have to really use your dog’s name, right? You can use “mashed_potatoes” . Much better.

        • Llewyn says:

          Indeed. But most people do use ‘genuine’ answers because otherwise it’s just something else to remember. Personally I just get KeePass to generate some more random strings for me and store them as attributes on the relevant password entry – especially after the stupidity of SWTOR wanting four or five different questions – but this is an issue about the security of Blizzard’s customer base as a whole, rather than something that revolves around me.

  27. Sayori says:

    This made my day.
    Somehow they got punished for their bullshit. I’m glad. Pity users suffer as well. They only got hacked because of the RMAH – nothing else.
    Anyway, still no official email from Activision-Blizzard, just a few websites are spreading the word, and Twitter… and the launcher from what I heard. They say it’s only email, no passwords, but what if they lie? Typical for them!

    • Llewyn says:

      Blizzard accounts have been a big target for years before there was any RMAH.

      • Sayori says:

        And now more than ever. It’s only their fault. If they cannot offer solid security, they had better not attract the hackers more. Everything must be encrypted, everything. Not just passwords.

  28. Snorez says:

    Meh.. best of luck to ya.

    Though if whoever hacks my battle.net acc would kindly lvl my Dwarf Shaman to 85 while they’re at it… that would be awesome.

    Thanks

    Snores ;)

  29. mrmalodor says:

    AHAHAHAHAHAHA!

  30. Leonard Hatred says:

    You were quoted on the beeb news site, surely server collapse is mere moments away?

  31. tetracycloide says:

    More like beating a horse that was never alive to begin with.

  32. Shooop says:

    And nothing was learned.

  33. psyk says:

    ” Believe me: no one (except maybe the hackers) is happy about this, but I imagine people who just wanted a single-player experience with no muss or fuss are the angriest of all.”

    That made my day…..how out of touch are you with your reader base? lmao

  34. psyk says:

    http://leresearcher.wordpress.com/2012/08/01/cracking-complex-passwords-by-abusing-bigdata/

    “And as a bonus I added a passwords wordlist with 8.7 million words as a one time offer.”

    LOL Ruh-roh
