Blizzard Sued Over Security Concerns, Authenticators

But what they're failing to understand is that the super rad Diablo decal is totally worth the extra money.

I suppose it had to happen eventually. Blizzard‘s done a rather miraculous job of keeping hackers at bay for quite some time, but this year saw a few too many blemishes muddy its track record. So naturally, it’s lawsuit time. Specifically, the two plaintiffs target a May admission of an increase in account compromises on Blizzard’s part and August’s rather messy breach. Then they take aim at what they believe to be the all-too-achey-breaky heart of the matter: authenticators.

In short, the suit alleges that Blizzard’s recent authenticator requirements – for instance, in order to use the real money auction house in Diablo – constitute deception. In essence, they claim, it’s another product you must purchase that’s not disclosed until money’s already traded hands. So said lawyer Hank Bates:

“Blizzard requires all of its customers to establish accounts with its online gaming service, But it fails to disclose to consumers, prior to purchase, that they’ll need additional products called authenticators to keep information stored in these accounts safe. Even though the company frequently receives complaints about accounts being hacked, it simply tells the customer to attach an authenticator to their account. Blizzard doesn’t inform people about this requirement when they purchase the game, and that amounts to a deceptive trade practice.”

Further, he notes that products should include all necessary tools to keep them locked down out of the box (or infinite virtual expanse that’s basically the polar opposite of a box, as it were).

As is, the suing duo believes Blizzard has made $26 million off authenticator sales – one of which goes for $6.50 on Blizzard’s website. Alternatively, there’s a free mobile option, but Blizzard admitted that those “could potentially” have been compromised earlier this year. To make up for it, the suit demands damages and that Blizzard be barred from “tacking on additional, undisclosed costs to ensure security in the form of a post-point-of-sale Authenticator.” Lastly, they also want to permanently prevent Blizzard from requiring accounts for any game that’s not an MMO.

As of now, Blizzard still hasn’t responded to requests for comment concerning the lawsuit’s rather bold claims and infinitely bolder demands. And while I can’t help but agree that reliable security of personal info in online games should be a right – not a purchasable privilege – I don’t really see Blizzard eventually firing back with, “Oh shit, guys, you got us. Well damn. We kinda had this coming, though. Thanks for being good sports about it, anyway.”


  1. Heliocentric says:

    The mmo only thingy is stupid, how do you even define mmo when online services blur.

    Really, the suers clearly don’t understand the digital market place.

    Replace mmo with ‘multiplayer only game’ and you are fine.

    • DeVadder says:

      So, if they replace ‘Massive Multiplayer Online’ with ‘Multiplayer Online’?
      I can not see a huge difference there. In my opinion, ‘massive’ implies that everybody plays online while just online could also mean that two friends connect just with each other, in that case it makes sense to ask for battle net in MMO only.
      But you are right, with blurry services like the auction house, it is easy to argue for Blizzard that Diablo 3 for example IS a MMO.

      • Xepter says:

        Nono, he means you should replace it with “Multiplayer ONLY game” aka, you can ONLY play the game online, instead of just having the option of playing it online, I guess.

    • Bhazor says:

      The difference is that if my Battlefield 2 or Unreal Tournament account got hacked the hackers wouldn’t have my home address and bank details.

      To me, thats a pretty big difference.

      Holding personal details and payment details could and should put the company under much more scrutiny.

      • LionsPhil says:

        Why do you hate job creators?

        • dE says:

          Yeah. Why do you hate Job Creators?
          For example, Malware, Virus and Adware Programmers, Hacker – they all create jobs. You need to hire people that try to change (since improving is impossible) security, you need to hire people that clean up the mess and you even need to hire people to persecute those miscreants – and of course you need to hire people to train them. And those people training them, well they need to be trained in how to train people too.
          Job Creation is the best answer ever, to any situation and excuses everything. It’s about damn time we give more value to job creators. Let’s reach out our hands to brutal Gangs, the Mafia and Triads, lazy people that endanger other people, drunken drivers, Bankers, Pirates off the coast of Africa. They all create jobs!

          • Burlypenguin says:

            Never thought I would see the Broken Window Fallacy in RPS. Live and learn.

          • dE says:

            Gosh, I was going for hyperbole, based on the Mitt Romney Fanclub Comment earlier – but that’s actually a thing? As in, people really believe in that? I’m scared now.

          • scatterbrainless says:

            I’m pretty sure Lions was going for Irony, but when it met your Hyperbole they got into a misunderstanding, fought in the street like girls, then both went home and felt a little ashamed. Now they both have drinking problems and neglect their kids.

        • Premium User Badge

          Aerothorn says:

          Uh, guys, I’m pretty sure Lionsphil was being satirical.

          • stupid_mcgee says:

            I believe it’s more of sarcasm than satire, but, yeah, I don’t think LionsPhil was at all being serious.

            Also, why trot out this crap about Romney? Most commentators here are from the UK, and even if a few of us are not, this site is certainly UK leaning. Also, the USA elections are over. STFU with the political party rah-rah crap, please. I’ve heard enough adverts over the pass 6 months to last me a lifetime.

            And, remember: Republican, Democrat, Libertarian, Green Party, independent… No matter which candidate you cast your ballot for on last Tuesday, you voted for Hitler.

          • dE says:

            I’m pretty sure I was too, as I was under the impression no one could come up with that and believe in it. My fault was, that I didn’t know people really thought like that. And about Romney, I’m not even close to USA – it’s just the comment people wouldn’t be surprised to hear from him.

          • LionsPhil says:

            (I was, yeah.)

  2. MrPo0py says:

    Ha! I remember my comments on here and on Reddit being ripped to shreds for suggesting that Blizzard was being a bit deceptive with this authenticator business. Not surprised at this news at all.

    • Thomas says:

      It still will be, and so will this case.

      • Captain Joyless says:

        No, it won’t be. It’ll be settled and the attorneys will get something in the 7 figures for their trouble.

        Please, let’s have more completely ignorant layman predictions. My blood pressure has been dangerously low of late, so it’s therapeutic.

        • katinkabot says:

          Agreed. Unless they have attorneys willing to push as a matter of principle – and I don’t see any reason why here. This suit isn’t without merit though so I don’t think it will get thrown out entirely. I think they’ll be a mediation and that will be the end of that. Unless we agreed to binding arbitration in EULA – anyone know?

    • emorium says:

      how is it deceptive? it provides an ADDED layer of security, not the ONLY layer of security. also, everyone who has a smartphone can get an authenticator for free. the physical one costs money because of shipping and materials cost. hacked accounts cost them way more in customer support and public confidence than they supposedly gain with authenticators.

      • Vorphalack says:

        ”the physical one costs money because of shipping and materials cost”

        Those things cost pennies to make and are sent out snail mail. At $6.50 a unit they will be bringing in extra revenue while continuing to peddle the company line that the physical authenticators are non-profit. I’d consider that pretty deceptive.

        • Timthos says:

          You have no data to back this up whatsoever. Blizzard does not manufacture the authenticators. They purchase them from another company, which has their own overhead and profit margin concerns. You’re making assumptions and drawing unfounded conclusions.

      • D3xter says:

        I’ve said this (and posted this link) before when Diablo III came out, but I love this ridiculous belief that Blizzard must surely sell them at a loss too in a noble gesture of self-sacrifice, they’re practically giving them away and doing everyone a favor!
        link to (those numbers even are old now, they practically cost cents to make)

        • Thomas says:

          Noone is dumb enough to suggest that, Authenticators represent significant savings in their budget for assisting people with hacked accounts.

          But regardless of the physical costs of manufacturing the device, there’s still a lot of licensing to account for, and that is not free.

          • RvLeshrac says:

            $0 in licensing. You buy physical authenticators per device, then purchase the server software per server, There’s nothing to “license.”

            For the record, when purchased in ~a dozen units, similar devices are ~$5/ea, shipped. Do you really think Blizzard isn’t getting them by the millions for 70-90% less?

        • Shuck says:

          That blog appears to be invitation only, but is it the one that ridiculously suggested that the final retail cost of the device should be the same as the cost of the raw materials?

      • Randomer says:

        And if you don’t have a smart phone, your $60 game is effectively $66.50 if you want full functionality. The full functionality they are so confident that everyone will want that Blizzard made the game online only to support it.

      • Captain Joyless says:

        It’s deceptive because they don’t tell you you should buy it at the point of sale, only after you’ve bought the game.

        • reggiep says:

          Except you don’t need it to play the game. You only need it to use the Real Money Auction House. You can use the regular auction house without an authenticator. It’s really not deceptive at all, and the fact that the iOS and Android authenticator apps are free backs that up.

          • elmo.dudd says:

            You need them to access an advertised feature of the game. What if someone bought the game partially because of the RMAH? Some gamers find such things convenient as they can only play in very limited spans and thus can’t afford timewise, the item grind.

      • whorhay says:

        I think a big part of the problem is that their security practices are complete crap and that all of your blizzard gaming products end up tied to that account. So if your account gets hacked and subsequently banned it’s quite the uphill fight to get it reinstated and restore full functionality to your games.

        The virtual authenticator is crap, it’s been cracked and it resides on your phone which also has crap security. Are you aware that blizzards password policy prevents you from using capital letters, that simplifies cracking accounts tremendously. I wouldn’t mind the whole authenticator issue if their security otherwise wasn’t so horrible, as it is though it seems like a deliberate attempt to drive sales of authenticators.

      • Baines says:

        At the time of the breaches, it certainly was not an uncommon argument that Blizzard’s non-authenticator security measures were poor. Blizzard didn’t appear to be concerned when people questioned their non-authenticator security in general, and some people questioned how Blizzard responded to reports of potential hacks.

        Combine all that, and you have people questioning whether Blizzard implemented sub-standard security with the mindset that authenticators (sold separately) would supply the real security. (Conspiracy theorists went further, questioning whether Blizzard *intentionally* implemented sub-standard security in order to push the sale and/or adoption of authenticators.)

        • Grygus says:

          True. I think that it is because a lot of people fail to understand that there is no such thing as security, if you define security as “cannot be hacked.” It simply cannot be done. All computer security is some degree of “make it really hard.” The only way to make a computer system completely unhackable is to remove all possible access.

  3. Valvarexart says:

    I can fully understand a lawsuit because of lacking security measures… But suing over the option to purchase additional security measures? The authenticators are not items that were stripped away from the security to then be sold at an additional cost.
    I think we should sue RPS because they didn’t state that you need an internet connection to make secure comments here.

    • Eviscerator says:

      I think you don’t quite get what the suit is about. It’s mainly centred around the fact Blizzard are extremely dismissive of hacking cases in which a person didn’t have an authenticator. This heavily implies that their security isn’t up to snuff without an authenticator- as such it’s deceptive trading because in order to ensure the product you purchased operates safely and securely, you need to fork out extra for an authenticator.

      The case will likely decide whether the authenticator is a vital part of Blizzard’s security (in which case Blizzard looses as it will be required to provide them with games or invest more heavily in non authenticator security), or just an add on (Blizzard also loose as it makes it seem like the authenticator isn’t needed and likely doesn’t help that much).

      Long story short, if security isn’t up to snuff without the Authenticators but is fine with them, then it is deceptive trading. It’s a classic example of creating a problem that doesn’t need to exist and then selling the solution.

      • Thomas says:

        How so?

        Other than recommending the Authenticator they have always assisted people, Authenticator or not.

        • Captain Joyless says:

          Step 1: provide bleh security with the game you sold
          Step 2: create authenticators to fix the flaw in your product
          Step 3: profit!

          if they gave out the authenticators for free, then there wouldn’t be a lawsuit.

          • Timthos says:

            They do give out authenticators for free. The Android/iOS app is free of charge entirely, and Blizzard even offers the dial-up authentication option as well. The physical authenticator is an option for people who want better security than the dial-up offers but don’t own a smartphone. The very idea they’re trying to run a scam while offering free alternatives is ridiculous and illogical. It’d be an absolutely terrible scam. Furthermore, an account is only as secure as the person who uses it. If you have a terrible password or download any link you see on the internet, you’re going to get screwed eventually. There is an industry based around targeting people with lax account security.

          • Baines says:

            Timthos, whether or not the free mobile app is effective, Blizzard admitting that it could potentially have been compromised does them little favor when lawyers get involved.

        • malkav11 says:

          They most certainly have not always assisted people. My original WoW account remains banned after hackers compromised it a year or so after I’d last subscribed. Blizzard did absolutely nothing to correct this and made no attempt to work with me to confirm that I had not been in control of the account at the time the banning offense occurred.

      • Soon says:

        Alternatively, everybody storing online information would end up having to provide authenticators.

      • Eamo says:

        I would say it heavily implies that a lot of people are really bad at protecting their passwords. The only thing the authenticator does is make it very very hard to steal an account with a keylogger since you only get a brief window while the owner is logging in anyway. The fact that compromises pretty much drop to zero once a keylogger is attached suggests that pretty much all account compromises are due to either sharing (either advertently or inadvertently) of passwords and client side comprimises.

        • D3xter says:

          “I would say it heavily implies that a lot of people are really bad at protecting their passwords”

          You mean, like Blizzard themselves who can not only not protect their servers and passwords, but their customers’s either?
          link to

          • neurosisxeno says:

            All sorts of companies have been hacked in recent years, people don’t seem to understand that cybersecurity is becoming increasingly difficult as the complexity of online environments increases. People target the biggest names, or the ones that threaten the internet atmosphere. As such, you see companies like Sony, Epic, Gearbox, and Blizzard get hacked, but you aren’t seeing people knocking on Team Meat, Trion, or iD Software’s doors. It’s about how big the companies are, and how much information they have that people desire. Blizzard runs the largest, most popular MMO on the market, they face probably tens of thousands of hacking attempts a year, for one to get through and get a bunch of heavily encrypted information, really is not that bad. With Sony they were storing passwords, names, and addresses in plain text, which seems worse?

            Authenticators are hardly a necessity, it’s a piece of mind thing. After getting “hacked” once (I think I may have had a keylogger, reformatted for good measure) I spent the $6.50 on one because I had spent hundreds or even thousands of hours in WoW, and sitting there for 6-8 hours with nothing to show for it made me realize it was easily worth it. That thing lasted for 3+ years, and my account was never comprimised. Easily worth the investment. My roommate has played WoW since it launched, and has never used an authenticator, and has never once been “hacked”. He uses an insanely long and complicated password which throws any would-be hackers off pretty badly, and makes brute forcing damn near impossible.

        • iniudan says:

          Security would be upgraded if they permited longer password (at least for those with half a brain in a high number of attack environment like battlenet), because a sentence is actually a better password then any short random crap password, while also been much easier to remember, add a special character instead of space and/or easy to remember rule for capital (like every word of 4+ letters start with one or two letters word all in cap), if you really want the best while still possible to remember without memory training.

      • Moraven says:

        They point out the fact that the majority of “hacking” cases are people getting account info and passwords from other sources, such as forums and what not. This has happened to multiple online games. Everytime a game related system is hacked, the other major companies worn their players to change your password since you might have used it in both places. They have pointed out time to time other than this incident their system was never compromised. How is it any different from any other game or company?

        “Oh my Steam got hacked. Valve’s fault. Going to sue because they do not give me the option of having an authenticator.” Non MMO games are not targeted as much since they provide less value to the hackers. MMOs has tangible digital items that you can trade. I get spam email to accounts that do not have a SOE, Bioware or Blizzard account associated with it. But they have some email list and will poke around until they get the easy prey.

    • Soon says:

      What if you paid to access RPS, then afterwards you’re informed that you’ll need to buy an authenticator to be able to post?

      • Thomas says:

        But that is not how it is, the only place you “need” an Authenticator is for the balance, with the balance being the equivalent of a bank account i certainly see the reason for that requirement.

        No game requires the authenticator, if you get hacked without an Authenticator then they will help you, they may suggest that you get an authenticator, but they’re not telling you to get one or they won’t help you again.

        • Soon says:

          It mentioned the auction house. I guess it depends whether you want to consider the real-money auction house part of the game. It’s arguably reduced functionality without a purchase (which, apparently, they don’t tell you about).

          • Thomas says:

            If that argument was valid then you could make the same argument regarding buying a game but not having the credit card to use the Real Money Auction house either.

          • RakeShark says:

            That argument doesn’t hold much water, Blizzard is not a financial institution, and do not provide credit or methods of monetary transactions. Those are provided by third parties. Therefore whether a customer has the means to pay for a product is not within responsibility of this commercial business, but within the customer.

            However, a civil case can be made that Blizzard is responsible for creating a secure method of protection of their customers’ personal and financial details should they wish to continue charging money for their products. Personal security in the form of Anti-Virus software and what not is readily available and diverse in selection, so consumers do not have to rely on the competence of one group for their own well being. In the case of authenticators, Blizzard is the only authorized distributor of authenticators for their games. As someone stated either here or in the RPS forums, there is concern that Blizzard’s negligence in basic security measures is creating this market for authenticators, in a sense charging for the cure to an ailment they invented.

            It would be a different matter if other third-party companies could create authenticators for Blizzard’s games for consumers to use. However, the only one benefiting from this situation is Blizzard alone. And that is where the stink comes from.

          • Thomas says:

            The point wasn’t if they were really a financial instution or not, merely that they deal with a good amount of real money, and as such need protection for it.

            If they didn’t have this requirement, when an account gets hacked then the hacker in question could use his current balance to buy some random weapon on the RMAH, making the owner not just lose all his gold and items, but also his real money associated with the account.

            The requirement of an Authenticator reduces the risk, though admittedly it is of course not a fool-proof way of avoiding being hacked, and as it gains more popularity so do the hackers develop better ways of bypassing that security.

            Keep in mind that the security of personal and finacial details has nothing to do with the authenticators, AT ALL, and the previous hack attempt does signify just how serious they do take the security, as not only is the data very secure (Unlike Sony, where the case was also thrown out(I don’t agree with it in THAT case though)) they even make sure it’s not prone to single point of failure, as the hackers in question were only able to access sensitive information from “one region”.

            As for not allowing others to distribute it, well that is kind of obvious given the technology, if they had to share the seeds with others so they could compete against it, then that would eventually just lead to the seeds being leaked, and when that happens, all it takes is for some scammer to attach a “Enter your Authenticator serial number” and then they can create their own authenticator that will always match the authenticator of the person they hacked.

            The authenticator is not free, even the Mobile Authenticator which is “free” is not free, there are licensing costs that need to be considered, now i’m not going to pretend to know for sure whether they lose or gain money on it, but my speculation tells me that they may lose money on the hardware, but they save money on dealing with hacked accounts.

            Nevertheless they do distribute it to retail, and it should be noted that the company behind making them do not offer them themselves for less than 12.99€, so i do seriously doubt that they directly earn money from it, at best they just don’t sell them at a loss.

          • Bhazor says:

            “one region”
            Or as they’re sometimes known the continent of North America.

          • Thomas says:

            I’m sorry, are you saying that North America is bigger than the world?

          • D3xter says:

            “If they didn’t have this requirement, when an account gets hacked then the hacker in question could use his current balance to buy some random weapon on the RMAH, making the owner not just lose all his gold and items, but also his real money associated with the account.”

            Maybe they should have thought about that before trying to become a bank or do bank-like transactions and handle peoples money in the first place?

            We’re talking about a video game here, not your bank account and I can’t remember Torchlight 2 asking me to use an “Authenticator” or the need to buy things in the game with real money.

            It’s pretty funny that you try to defend Blizzard over a problem that they themselves created/engineered in the first place and wouldn’t exist if they’d have handled their game like any of the other dozens of other ARPGs out there.

            Not to say that everyone who would’ve just wanted to play Diablo III in SinglePlayer wouldn’t have been affected by any of this if they could’ve done just that to begin with.

            There’s also several known cases of where they mishandled peoples money directly too:
            link to
            link to

          • Thomas says:

            The Authenticator is not a product developed for use with the RMAH, so whatever criticisms against the RMAH system is irrelevant to the discussion.

            The case is about the claimant claiming that Blizzard have purposely laxed security in order to sell the Authenticator.

            RMAH was entered into the discussion as a means for Blizzard to force players to use the Authenticator or have a reduced gameplay experience, where i merely explained that the Balance is like payment method of its own, and considering it’s security is based on the account itself, it makes sense that they would use extra security for it.

            So no, i’m not defending them based on a propblem they themselves created, hacked accounts existed before then, and so did the authenticators, and the case is about the Authenticator being forced upon customers to properly defend their personal information.

            Now i’m not sure about if that’s just legalese for “game accounts”, but if it isn’t, then that part it blatantly false as the authenticator is not a device for that purpose itself.

          • D3xter says:

            I guess I’ll have to clarify some facts for the discussion:
            1) There is NO NEED for an Account-based Login for a SinglePlayer game (see, almost every SinglePlayer game in existence or even Blizzard previous titles like Diablo 2 or WarCraft III)
            2) There is NO NEED to have any sorts of financial transactions happen within a game (see, almost every single game out there yet again)
            3) There is NO NEED for credit card or other sensible information being stored on said Accounts for ANY reason.

            I haven’t heard anyone DEMAND from Blizzard that they include Always-Online DRM or a Real Money Auction House in the game because they all wanted to spend their money on virtual items creating a toxic environment where in game gold is worth actual money, helping to make that practice even more “mainstream” and creating an environment where Hackers systematically try to attempt to steal accounts. THAT’S ALL ON THEM.
            For that matter, I haven’t heard much about Torchlight 2 Account Logins or Data being stolen…

            Blizzard chose to do all of those things out of purely for-profit reasons and it’s on THEM to ensure that kind of information doesn’t get into anyone elses hands.

            There’s also several dozen things they could have done to prevent people from getting hacked in the first place I can think of:

            1) SinglePlayer Mode and Open Battle.Net, so everyone can choose if they’d rather play the game or get hacked
            2) Put in place a number of several “authentication” questions á la “What is your favorite movie/car/whatever?” at every Login, like Star Wars: The Old Republic did
            3) Give players the ability to Lock down items they don’t want to sell anymore to their accounts and don’t save credit information
            4) Introduce a hardware-based Login system similar to how Steam Guard works, if something changes within the machine used to Login pop over a Code via E-Mail one has to Input to Login
            5) To prevent Keyloggers they could use a KeyPad where you use the Mouse to Input the Password at random positions on the Screen.
            6) If they wanted to go the “Authenticator” way, include one in every box, they literally cost cents to produce and it would save them the trouble of Support cases (although take away their excuse if people would still be getting hacked)


          • Thomas says:

            And yet neither of those 3 facts are relevant to the case.

          • D3xter says:

            They are very relevant to the case, without Blizzard ignoring them in a misguided way, there would have been no case and considerably less hackers or Hacking attempts (if none at all e.g. Torchlight II).
            They have to take responsibility for the breaches and not try to shove them off on their customers like they’ve done in the past.

          • Thomas says:

            It could address the symptom, i.e. making the person suing them less likely to sue them, but the problem would remain, a claim that Blizzard is making money from Authenticators by not appropriately protecting personal information.

            Of course the problem is in reality non-existant, and he will lose the case, but nevertheless the same claim could’ve been made regardless of what choices Blizzard made in regards to Diablo 3 and the RMAH.

          • D3xter says:

            “Of course the problem is in reality non-existant, and he will lose the case”

            Of course… and that is apparently on you to decide or brush off casually? I don’t know about the US, it might well be, but in parts of the EU he’d have good chances to win his claim.

            For that matter, care to explain why you seem to be defending Blizzard in every comment you made throughout, as well as playing down the given complaints as much as you can?

          • Thomas says:

            Since you are so certain he would have good chances winning in Europe(He really doesn’t), do you perhaps know of a piece of evidence we do not?

            As for defending them, I’m not really defending them, as I said I’d definitely like to see an investigation into the hack earlier this year, however this case is blatant FUD, and the supporters of this case seem more interested in giving it support based upon their own grievances towards Blizzard, rather than the factual details of the case itself.

            I could ask you why you choose to attack Blizzard, but we both know the reason for that, and it’s not because they have misappropiated people’s personal details for financial gain.

          • D3xter says:

            “I could ask you why you choose to attack Blizzard, but we both know the reason for that, and it’s not because they have misappropiated people’s personal details for financial gain.”

            I’m not sure being for (more) consumer rights and control over a product you paid good money for is just as bizarre as defending a company for and despite their continued bad business practices (Activision Blizzard) as a consumer.

            I expect and understand PR people, board members, stockholders and maybe employees doing it, but not many others.

          • thecat17 says:

            Rakeshark said:

            As someone stated either here or in the RPS forums, there is concern that Blizzard’s negligence in basic security measures is creating this market for authenticators, in a sense charging for the cure to an ailment they invented.

            “This plague — the hacking is intensifying to the point where we may not be able to contain it.”
            “Why contain it? Let it spill over into the blogs and chans, let the accounts pile up in the public networks. In the end, they’ll beg us to save them.”

        • Captain Joyless says:

          Thomas, he’s not going to lose. They’ll settle, give out authenticators for free, and the attorneys/plaintiffs will get a few million dollars.

          • Moraven says:

            They through out the Sony lawsuit related to their hack (which gave out a lot more Info and CC). It got dismissed. Expect this one to also get dismissed.

          • Nate says:

            The cost of giving out free authenticators is huge (>70 million dollars, much more than the cost of trying to win the case). And this is not a class action lawsuit– settling just leaves them vulnerable to further lawsuits by different plaintiffs. Meanwhile, the actual damages to the two plaintiffs are already a tiny fraction of their legal costs. I expect Blizzard to try to win the case, in order to discourage further lawsuits, and then make some changes to their promotions to make the requirement for an authenticator more explicit.

            The legal question will be about how Blizzard has framed services that require an authenticator. If RMT AH is featured on the box text, without any statement that it requires purchasing another product, the plaintiffs have a case.

            If the authenticator requirement is part of a service agreement (scroll down and click “I agree”), it could be an interesting test of those agreements.

  4. Tei says:

    No authentificator will help you when some server in Blizzard offices have a unpatched hole and the design of the farm (or whatever you call it the bunch of computers that made the service) is not compartamentalized enough so a compromised server serve as beach head.

    Also, the service with 100% inmunity for cracking is the service that don’t exist. Don’t store passwords and can’t be stolen. Don’t ask for registration in singleplayer games, and nobody can hack it. And so on.

    If is expensive to have a service of always on, and you don’t want to put the money in it, don’t create one and have people unpaid and the service in poor state. And out there, very good people will try to hack you, so you must really pay for experts to have a first world safety and quality on all components, ALL of it, or the string will break on the weakest point. Is not easy or cheap. So don’t do it for stupid reasons.

    How hard is to have anonymous accounts for forums and services? I am tired of entering and creating accounts here and theres. I must have more than 200 or 300 accounts in hundreds of servers, most of them easy to hack. ARRGH.

    • reggiep says:

      And out there, very good people will try to hack you

      Um, since when are malicious hackers “very good people”? It’s just the opposite.

  5. Hirmetrium says:

    Blizzard still don’t allow capitalization in their passwords, and their password length is very restrictive. I hope this lawsuit at least reflects that.

    • Thomas says:

      Neither of which is very useful as their service does not allow brute-force attacks anyway.

      • Bhazor says:

        Yes it does.
        It doesn’t block you out even after repeated failed tries.

        • Thomas says:

          No of course not, because you trying to get into your account != brute force attack.

          Their security is intelligent and does try to distinguish whether login attempts are geunine or not, and even if they didn’t, Brute force wouldn’t be viable anyway. (Not unless you plan on hacking his account after he(and you) is dead anyway)

          • RakeShark says:

            There is cause for concern that the login does not block you out after repeated failure attempts. For a company as heavily targeted by ner-do-wells as Blizzard, that’s a hell of a security omission to make.

          • Bhazor says:

            Hell the print credit machine in my local library has better security.

          • Thomas says:

            It does, it simply doesn’t do it the very obvious way you think it does.

            I merely stated that even if it didn’t, bruteforcing would still not be viable.

          • Faxmachinen says:

            Let’s use some actual numbers instead of vague guessing. With the current password requirements (minus the similarity to email), the math is as such:
            log2(10 * 52 * (95 ** 14)) ~= 101 bits

  6. wulfsiege says:

    I had never really thought of Blizzard’s authenticator system in this way, I did buy one but the battery has just recently died after a few years of use. Even before that though my account had never been hacked. That was thanks to strong/ unique passwords and never having any trojan’s get past my defences. i.e. don’t run any mods that have executables in them.

    With the improvements in Blizzards account management with their SMS verification service it is possible to increase the security of your account at no additional cost. It won’t stop your gold being stolen but it will prevent account theft by preventing unauthorised password changes and will notify you if something is amiss. Plus it made it super easy to decommission my authenticator. All at no extra cost if you have a mobile phone.

    Certainly I don’t think that this lawsuit will be particularly successful. Account security for the most part is in the hands of the user. If they don’t know what good account security is, then they need to get educated whether by their peers or by the hackers. All to often however I’ve seen people just abandon what is stolen instead of taking it back and then going on to do the same old thing somewhere else without learning from the experience.

    Nowadays there is a lot that people can do to keep their accounts secure, within the limitations of service breaches that are out of the control of the users. That’s why you limit the potential damage people! Just because a question is asked in those user details forms doesn’t mean you have to put in a truthful answer that can be socially engineered from other data.

    I stopped playing WOW, but I still wan’t to keep my account safe since I took up SC 2!

  7. Ich Will says:

    If Blizzard lose or settle out of court, who gets the money and how much are they asking for?

    • zeroskill says:

      Lawyer Hank Bates, of course…why do you think this guy is doing it? Because he has the best interests of Blizzard’s consumers in mind? Hohoho…

  8. kalniel says:

    I thought it was the free SMS one that was hacked, not the free mobile authenticator? Maybe there’s a case for them needing to say at point of purchase that to enhance security you need a free app for either a smart phone/PDA/mp3 player or to buy an authenticator.

  9. mr.ioes says:

    I don’t see why a company that doesn’t use case sensitive passwords shouldn’t be sued. It’s funny reading the comments on IGN, reddit & co to this story. Everyone seems to defend Blizzard. Yet their business with authenticators’ cost, weak passwords and mass hacked accounts @ Diablo 3 launch is so obviously shady.

    I was looking for the article that explained how much money Blizzard made with the Authenticators, but can’t find it anymore. But basically the author claimed it’s about a 5$ win margin for each unit sold in europe.

    • reggiep says:

      Yeah, and I’m sure that article that you can’t find was filled with factual information and statistics rather than speculation and opinion. Just look at how much a SecureID dongle costs and then come back and tell me it’s only $1.50. (CDW sells them in packs of 5 for $300).

      There are 2 points that strike this case down as frivolous. 1.) Blizzard gives the mobile auth app away for free on the Apple App Store or Google Play. 2.) You don’t need an authenticator to play Diablo 3 or use the auction house. It’s only necessary for the RMAH.

      The fact that this lawsuit tries to make Diablo 3 into an offline game certainly doesn’t add any credibility to the suit.

  10. affront says:

    Well above a decade of online gaming with accounts for any and every old shit and never getting “hacked” seems to indicate that losing your account is generally no one’s fault but your own.

    This lawsuit seems akin to “warning: coffee is hot” or “don’t poke yourself in the eye with this knife” warning label lawsuits.

    People should be happy to be given the opportunity to improve their lacking security instead of suing.

    • derbefrier says:

      I tend to agree with you barring any circumstances out of the customers control. But the avergae guy who gets hacked because he bought some gold.from some shady website is responsible for himslef not blizzard.

    • RakeShark says:

      I would normally agree, but personal experience with Blizzard’s security measures (D3 account being cleaned out when I only played with friends) has me singing otherwise. I like to think I’m an acutely aware person of protecting my personal information, and when something happens that gets past Norton, Malwarebytes, NoScript, and Windows Defender when I’m not doing something high risk (playing D3?), I can’t really find a fault on my end.

    • Bhazor says:

      Except that it was Blizzard who was hacked.
      link to

      • Thomas says:

        Except it has nothing to do with accounts being hacked.

        • Bhazor says:

          “These accounts being hacked have nothing to do with these accounts being hacked.”

          • Thomas says:

            “A list of e-mails with no password data, some mobile/dial-in authenticator data, some secret answer data have nothing to do with someone accessing your account illegitimately”

            There, fixed it for you.

          • Captain Joyless says:

            It doesn’t need to. You are so totally ignorant of the law you have no idea what you’re talking about.

          • Thomas says:

            I’d recommend reading the entire thread before commenting, i didn’t write what you think i did.

            I merely dismissed the correlation between players accounts being hacked and Blizzard being hacked as erroneous.

    • The_Terminator says:

      I think the question is “What lengths do blizzard need to go to to protect the personal information of customers?”. There’s definitely a legal requirement that they do have to keep it secure, but if they have the means to improve security at their disposal, do they have a responsibility to do that? And if, rather than make use of it, they inform customers (who were not informed prior to purchase, and who cannot use the product without Blizzard storing their personal information) that in order to achieve full security, there is an additional extra cost, is that acceptable?

      It’s not an issue of whether or not the customer is at fault for having their account hacked; it’s an issue of whether Blizzard took “appropriate technical and organisational measures” (to quote the UK’s data protection act) to protect customer information.

      • Thomas says:

        But that simply has nothing to do with the Authenticator, customer information is stored on their servers, and while i would have no issue with some kind of oversigt over the compromise at Blizzard earlier in the interest of full disclosure, the Authenticator is simply not relevant to that issue.

        This is simply just a tinfoil hat lawsuit, and it will quickly be dismissed as such.

        I’m more worried over the fact that Sony “got away” with their lack of security, than Blizzard’s perceived lack of security as a result of making money on a product the claimant have no idea as to what they actually make on the product.

        • The_Terminator says:

          Well, the authenticator is a security mechanism used to secure the user’s account, and associated data, against unauthorised/fraudulent access, yes? It doesn’t matter where they store it, the point is that personal information has to be protected, and you can’t really deny that that’s the whole point of the authenticators: Preventing people from gaining unauthorised access to your account.

          • Thomas says:

            But your account does not contain personal identifiable information, it contains your game accounts. The authenticator does nothing to augment the security of personal information.

          • The_Terminator says:

            Having never played D3 specifically, I assumed that your account would contain data such as your name, email address etc. And then, if you participate in the auction house, it would also contain billing information. Obviously Blizzard would have to be monumentally stupid to grant access to credit card details (beyond the last 4 digits of the number etc), but any billing information (address etc) should presumably be accessible, no?

            But even if billing/credit card information is not stored with the account, and is never accessible from within the account, even the account-specific data (such as the username) will count as personal data in this case. If it can be used to identify an individual in conjunction with any other data held by the data controller (Blizzard), eg. billing information from the auction house, then it is personal data. They need to store that for it to function, and they need to link it to the account somehow; hence, even if it is stored separately from account details, the account details are personal data.

            (I’m using UK definitions here btw. The US definitions are probably slightly different, but this should work as a rough guideline)

          • Thomas says:

            Basically all information is masked(Both name, addresses, CC info, etc.), e-mail is not, but you require the e-mail to access the account anyway.

            The masking of the information has nothing to do with the authenticator, which is exactly what i’m trying to say, if their masking is not sufficient then that has nothing to do with “forcing” people into buying an authenticator.

          • The_Terminator says:

            But, for example, say I’m an evil scammer/hacker/criminal/other shady individual trying to trace somebody. I know they play Starcraft 2, and I know the username of their Battle.NET account, but want to find out their credit card details. I am able to fraudulently gain access to their account (there are many different ways that could be done; some of them are protected against by the authenticator, some aren’t). In their account details, I see that they also play Diablo 3, and that they have used the auction house to buy something. So I now know that their credit card and billing information are stored on Blizzard’s servers, and I have the information to identify their records within that database.

            If, then, the server containing those details is compromised in a totally separate incident, completely unrelated to the security of the account’s details, authenticators, etc, I may be able to use my nefarious contacts to obtain a copy of the stolen details, and (since I know his account name and the last 4 digits of his card number), I am able to identify and obtain his credit card details and billing information.

            The issue here is not that the authenticators directly improve the security of data that personally identifies the user, the issue is that they improve the security of information that can then be used to locate or gain access to other data held by Blizzard, which personally identifies the user.

            In the above example, the hacker did not know how to obtain the user’s card details. But hacking into their account provided him with information (that the user had purchased goods from the auction house, and that Blizzard still held card/billing information) which enabled him to locate those details. The information made available by accessing the user’s account is therefore personal information.

            That is why the authenticators increase the security of customers’ personal information – because they increase the security of customers’ accounts.

          • Thomas says:

            No other information would be necessary.

            Also considering standards in storing credit card information, not only should that information be seperated from the main database, with the 4 digits being the only thing stored there, but they’re also, as far as i recall, legally required to discard the CvV verification code to even operate payments.

            So in the case Blizzard were hacked to the level you describe, not only is it completely irrelevant what you know about the user beforehand, but if the information is to pose any credible threat to your payment card, then Blizzard is housing the information illegally, and should of course be sanctioned for that.

            I doubt that is the case though, especially given the details of the earlier compromise,

          • The_Terminator says:

            The security of the credit card information itself is irrelevant – and even if they don’t hold enough for it to be useful for making payments, they don’t only hold that, do they? A billing address (and they might even have a contact telephone number too, I don’t know) is most definitely personally identifying.

            My point is, that if the information stored in the account can be used to personally identify a user, in conjunction with other data held by the data controller (ie. Blizzard), regardless of the security of that other information (and I agree the chances of it being compromised are incredibly slim, because it is extremely secure), then it is personal information. And, that being the case, the authenticators are used to increase the security of customers’ personal information.

            To re-iterate: the fact that customer billing addresses etc are extremely secure and very unlikely to be compromised is irrelevant, but the fact that in the event they were compromised, people with access to account information could use those details to personally identify the holder of that account information, means that the account information is personal data.

            And since data controllers have a legal obligation to keep personal data secure, is the sale of authenticators in breach of that obligation? That is what this court case is asking.

            But yeah, my apologies; even with all these walls of texts I’ve written I haven’t really managed to get my point across very well. Hopefully this post makes it a bit clearer what I mean.

          • Thomas says:

            But once more, the billing address, that is stored in that database is only accessible by hacking Blizzard(or if they’re using a third party payment provider, then that third party)

            Security of those details to not change depending on whether or not i use an authenticator or not.

          • The_Terminator says:

            Yes, I know. But that’s irrelevant. The likelihood of billing information being compromised is infinitesimally small, and is completely unrelated to the authenticators, because that data is not protected by them. But the fact that Blizzard holds that data – the mere fact they have it – makes the account details that are protected by the authenticators personal information, because you could personally identify the holder of an account by using their billing information, if you had it. Even though, realistically, nobody other than Blizzard is ever likely to obtain both. Even though they’re stored separately, with separate security systems, and even though if one is compromised, the other will still be safe. The mere fact that it is theoretically possible is enough.

            In other words, the authenticators are used to increase the security of personal information. And that is the heart of this legal challenge. Are Blizzard charging people for extra security measures which they should be implementing by default anyway, and in not informing customers before they purchase the game, are Blizzard dishonestly tricking people out of their money?

            EDIT: Also, for all intents and purposes, even if a third-party company stores billing information on Blizzard’s behalf, it is still considered to be in Blizzard’s possession, so that doesn’t make any difference.

          • Thomas says:

            But that is what i’ve kept telling you, the authenticator protects no information.

            Lets try a real world analogy instead, lets say you work at a place that have 2 types of authentication:

            1. Keypad code.
            2. Keypad code + Keycard.

            Lets say i see a person with a keypad + keycard (i.e. Authenticator), i see the code he enters and i then later steal his keycard. With the keypad code and Keycard i am able to access the building (The account).

            But from accessing the building(the account) to getting the persons personal information i would need to access the database that the company have in their HR department(servers), so gaining access to the building (account) was completely and utterly useless.

            The security of the information that Blizzard has stored on their servers as well as the fragments of information that users can access is not changed by the fact that you have an authenticator.

      • The_Terminator says:

        It doesn’t matter that the billing information is not accessible. It doesn’t change the fact that information contained in the account, which on it’s own is not all that useful, could, if combined with the billing information, be used to identify the user whose account it is. The account contains information such as username, email address, what games the user owns, maybe what character they use in the case of WoW? (Not sure on that last one), etc. So if you gain access to an account (which can be protected by an authenticator) you get access to that information. If you also gained access to that users billing information, you would be able to use it to identify the individual who owns the account, and thus identify that that person plays D3, or what email address that person uses, or whatever. Therefore, some of the information stored in the account can be said to be personal data.

        Now, the fact that the billing information and account information are completely separate, and getting access to one does not grant access to the other, is totally irrelevant. All that matters is, and I quote the UK definition here, that data held within the account is “data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller”. The data controller is the organisation holding the data – in this case, Blizzard.

        There is no consideration of whether it is possible for someone to get hold of that other information. All that matters is that the data controller – Blizzard – possesses it, or is likely to possess it. This fact alone makes the data stored in the account personal data, and therefore, because the authenticator protects access to the account (just what’s in the account), it is protecting access to personal data. Even though it does not protect access to the other information.

        • Silarn says:

          I think what he’s trying to say is that what you’re getting at is NOT the same issue as what this lawsuit claims to be getting at.

          The lawsuit (as described in this article, I haven’t gone and read any source documents) appears to be entirely about users not being aware of the requirement of having an authenticator in order to access certain parts of Diablo III (the RMAH). And the fact that one of these authenticators has a cost to obtain. And the claim of massive profits from these authenticators without any concrete facts to back up their numbers – as well as conspiracy to reap those profits. It’s just a number pulled out of a hat, to be perfectly honest. I’ve read the websites out there which try to make these claims and not one of them has real information about Blizzard’s costs, just rampant speculation. And speculation does not make a case. Let’s not be convinced by truthiness.

          Blizzard being held to account over actual breaches in their own servers and the information gained therein would make a more pertinent case, as it is entirely within their purview to protect their internal database. But in that one case, they quickly reported it and took actions to immediately close the hole. Still, a lawsuit over the security of Blizzard’s storefront, where money changes hands and credit card info is stored, is far more pertinent than this — which is not about that topic at all.

    • D3xter says:

      It’s funny you bring up the “Hot Coffee” and similar cases, since most of those sunk in to peoples heads because there were large-scale orchestrated campaigns to make them seem “frivolous” so companies can ignore consumer interests and consumers give up more of their rights.
      There is a good HBO documentary called “Hot Coffee” that deals with these “frivolous” lawsuits you might want to watch before you bring that up again, here’s a Trailer: link to

      • Randomer says:

        My first thought was that you were talking about the Grand Theft Auto easter egg.

        But you do bring up a good point. The McDonald’s coffee lawsuit was not frivolous. The problem was that McDonald’s was serving their coffee at a negligently hot temperature. It was not about having stupid little warning labels like “This beverage you are about to enjoy is a bit on the toasty side. Take care as you drink, lest you suffer dire consequences!”

    • The_Candyman says:

      I would normally agree with you, but in the case of accounts it’s a different story.

      I have MANY accounts spanning heaps of games and online store websites etc. and the only account ever to be hacked has been my account. And not just once mind you, but THREE times. I do not buy gold, I keep my computer virus free, I am very careful about phishing emails and shady links, yet my account continues to get hacked.

      There is simply no way this a problem on my end, I should not have to buy an authenticator just to keep my account from getting hacked. At this stage my password may as well be “abc12345”, I am not going to purchase another Blizzard game until they bring their account security up to 2012 standards.

  11. Sayori says:

    Just btw, did any of you receive an email notification and apology for the security breach?
    I bet the answer is No.

    • onetrueping says:

      Yes, I did. And not only on the potentially breached authentication service, but also warnings to change passwords after other systems (including Steam) were breached. Blizzard is very security conscious.

  12. vexytube says:

    Source on this? Who is suing them? Whats the source on that quote?

    Unless you left that out since you don’t want to give these people their 5mins of fame (which they want)

    based on the quote this will be thrown out. I wish people would stop using the word “hacked” or “hacking”

  13. ScubaMonster says:

    Deceptive or not, this is Blizzard’s product and you signed the EULA to play the game. You don’t own it, you agreed to a license under their terms and conditions. Odds are this guy never even read the EULA before clicking Accept. I don’t read EULA’s either, but then I’m not a sue-happy nut.

    • Vorphalack says:

      Regardless of weather or not you think this case has merit, the EULA is worthless as a defense if a court decides that consumer rights or trading standards legislation has been breached. Local law overrides EULAs for a very good reason.

      • Nate says:

        The EULA can’t be discounted so easily. If, prior to payment, the user agrees to a EULA that says something like, “Blizzard cannot guarantee the protection of any information you provide, and you agree not to bring suit in case of the compromise of this information,” and “The auction hall service is unavailable without also purchasing an authenticator,” then the suit will probably be thrown out. Mr. Bates is claiming that the second sentence is not present, or that agreement to the EULA happens after the agreement to purchase.

        EULAs have been tested. Giving up the right to sue has been tested (and is essentially what a settlement is– you give up the right to sue in exchange for certain things). Probably one of the most worrisome recent cases found that AT&T was capable of including an agreement to refrain from class action in its user agreement.

        This is all based on US law. Different countries have different laws, and as an international organization, suit could be brought against Blizzard from a different country. I’m not certain that the case is being brought in the US, just assuming it in the absence of any sources in this article.

  14. AngusPrune says:

    While I suspect this lawsuit will come to nothing in regards to changing Blizzard’s business practices, I am interested in what turns up in discovery for this case.

    I do wonder if they’ve been hiding security vulnerabilities from their customers and pretending its business a usual. The big spate of complaints about hacks in Diablo 3’s early life may well have been a bunch of idiots getting attempting to download cheats, cracks and suchlike, but I do wonder if maybe there was some sort of client vulnerability that let hackers waltz off with people’s digital goods.

  15. Dreissigacker says:

    “Alternatively, there’s a free mobile option, but Blizzard admitted that those “could potentially” have been compromised earlier this year.”

    Could you provide a source for this? I’ve read about the hacks occurring in August, but haven’t read anything about the mobile authenticators being compromised.

  16. trjp says:

    I wonder if, after this case, Mr Ambulance-Chaser will go after car manufacturers who don’t include a high-security garage or electronics companies who don’t remind customers they need a house – with a burglar alarm or other security options – to use it…

    There’s been a lof of research done on the issue of how much money a jury will award a plaintiff tho – and I can boil it down for you quite simply.

    The more you ask for – the more you get.

    Ask for £10000 and you might get £9000

    Ask for £10000000 and you might get £6000000 – much less as a percentage but MUCH more as a number

    So why aim low? :)

  17. Joshua Northey says:

    Wow does that not sound like grounds for a lawsuit.

    When I buy a car, they later try to sell me all sorts of things to “make it better or safer”. None of that is illegal. Lawsuits are not the solution to everything that annoys you in life people!

    Sometimes you just have to be an adult and if you don’t like something refuse to purchase it. Instead of stealing it or suing them if they don’t offer it on terms you find acceptable.

  18. usonfj says:


    +++ link to ++++++++++

    Best online store

    Best quality, Best reputation , Best services

    —**** NHL Jersey Woman $ 40 —**** NFL Jersey $ 35

    —**** NBA Jersey $ 34 —**** MLB Jersey $ 35

    —**** Jordan Six Ring_m $ 36 —**** Air Yeezy_m $ 45

    —**** T-Shirt_m $ 25 —**** Jacket_m $ 36

    —**** Hoody_m $ 50 —**** Manicure Set $ 20

    —**** handbag $ 37 —**** ugg boot $ 43 —****

    —**** sunglass $ 16 —**** bult $ 17 —****

    +++ link to ++++++++++

  19. Kiytan says:

    It still amazes me that blizzard passwords aren’t case sensitive (at least, they certainly aren’t for Diablo III, don’t have an active WoW account to test it with)

  20. vexytube says:

    “Bell claims that game players have to pay $6.40 for a product called the Authenticator to protect their private information from hackers.”

    Wut? The Authenticator only stops middle man attacks, Clearly if people download silly stuff the deserve to be “hacked”

    The problem is your data is safe as can be. Nothing is truely safe. However surely a “hacker” would rather hack something real then blizzards servers…

    Instead of Authenticators, Just do what Taiwan do… Force password change every month (cannot be a previously used password)

    This “bell” should sue the users for being stupid and exposing their infomations.. I’ve not seen blizzard leak tons of Credit card details/addresss/or anything like that

  21. seattlepete says:

    I’m just going to fire this comment off into the void and see if anyone is in a similar boat:

    I never trusted Blizzard with my real identity. When I bought SC2 I signed up for BNET with a fake name and address. I may have bought SC2 in a box from a store, which is how I prefer to buy things. Later, when I bought D3 on-line, it was tied to my fake account.

    Later, my account was compromised and my BNET password was changed. I was unable to retrieve this password because I was unable to verify my fake name and address with Blizzard.

    All in all I think that I made out OK. I was able to play my games for a while. I miss SC2 but D3 I ran through once and didn’t enjoy. Also, whoever controls my account doesn’t have anything of value beyond those 2 games. They don’t know who I am, which is what I was afraid of in the first place.

    Anyone else in the same boat? I lost access to what I paid for, but it’s worth it to me knowing that I did everything I could to protect myself. Unfortunately I think Blizz has changed the way they verify identity, and I won’t be able to fool them again.

  22. yruudios says:


    +++ link to ++++++++++

    Best online store

    Best quality, Best reputation , Best services

    —**** NHL Jersey Woman $ 40 —**** NFL Jersey $ 35

    —**** NBA Jersey $ 34 —**** MLB Jersey $ 35

    —**** Jordan Six Ring_m $ 36 —**** Air Yeezy_m $ 45

    —**** T-Shirt_m $ 25 —**** Jacket_m $ 36

    —**** Hoody_m $ 50 —**** Manicure Set $ 20

    —**** handbag $ 37 —**** ugg boot $ 43 —****

    —**** sunglass $ 16 —**** bult $ 17 —****

    +++ link to ++++++++++