MMO-Champion - Important Security Update
Important Security Update
Originally Posted by Blizzard (Blue Tracker / Official Forums)
Players and Friends,

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Sincerely,
Mike Morhaime

Important Security Update FAQ
Originally Posted by Blizzard (Blue Tracker)
Is there anything that players need to do right now to protect themselves?
While there is currently no evidence that any of the password or player data has been misused, we encourage our North American players to change their passwords. Click here to login and change your password.

In the coming days we will implement an automated process for all users to change their secret questions and answers, as a precautionary measure. We'll also prompt mobile authenticator users to update their authenticator software.

Additionally, while Blizzard has no indication that any of your information was shared with any other unauthorized parties or that there has been any unauthorized use of your data, we urge all members of our community to closely monitor all of their online accounts.

Players should also be wary of fraudulent emails (phishing). Unfortunately, because email addresses were exposed, it is entirely possible that this could result in an increased, targeted phishing campaign being sent to our users. Check this page for tips on how to spot and avoid these types of fraudulent emails.

What data was affected?
Here's a summary of the data that we know was illegally accessed:

North American-based accounts, including players from Latin America, Australia, New Zealand, and Southeast Asia:
  • Email addresses
  • Answers to secret security questions
  • Cryptographically scrambled versions of passwords (not actual passwords)
  • Information associated with the Mobile Authenticator
  • Information associated with the Dial-in Authenticator
  • Information associated with Phone Lock, a security system associated with Taiwan accounts only

Accounts from all global regions outside of China (including Europe and Russia):
  • Email addresses

China-based accounts:
  • Unaffected

At this time, there’s no evidence that financial information of any kind has been accessed. This includes credit cards, billing addresses, names, or other payment information.

What information related to Mobile and Dial-In Authenticators was exposed? What about Phone Lock?
With regard to Dial-In Authenticators, hashed (not actual) phone numbers were accessed. This is phone data from the relatively small number of people who opted into the program.

With regard to Mobile Authenticators, information was taken that could potentially compromise the integrity of North American Mobile Authenticators. We have no evidence that other regions were affected. We are working quickly to provide software updates to users.
Additionally, we believe the integrity of the physical authenticators remains intact.

The information relating to Phone Lock represents a small number of hashed (not actual) phone numbers from Taiwanese players who opted into this service and had a North American Battle.net account.

Was the physical authenticator compromised?
We believe the integrity of the physical authenticators remains intact.

How did this happen?
Like all companies doing business online, it is not an uncommon occurrence to experience outside parties trying to illegitimately gain access to the operation’s structure at some level. We are continually upgrading our security technologies, policies, protocols and procedures to protect our customers and our games against the threats that increasingly arise in today’s online world.

When did Blizzard learn of the unauthorized access?
The trespass into our internal network was detected by us on August 4, 2012.

Why did Blizzard announce this on August 9?
We worked around the clock since we discovered the unauthorized user to determine the nature of the trespass and understand what data was accessed. Our first priority was to re-secure our network, and from there we worked simultaneously on the investigation and on informing our global player base. We wanted to strike a balance between speed and accuracy in our reporting and worked diligently to serve both equally important needs.

What action has Blizzard taken?
Upon learning of the unauthorized access, we worked quickly to re-secure our network. Afterward, we immediately notified law enforcement as well as security experts and launched an ongoing investigation to determine what had occurred. We also took steps to notify players, which happened in a matter of days from the time we discovered the illegal access.

Was any personal or financial information accessed?
At this time, there is no evidence that financial information was affected or accessed. There's also no evidence that personal information such as real names or billing addresses were accessed.

What can you tell us about the scrambled passwords that were accessed?
Cryptographically scrambled versions of passwords for North American players were accessed, protected by Secure Remote Password (SRP) protocol. This information alone doesn't give unauthorized users the actual passwords -- each password would need to be deciphered individually. The added layer of protection from SRP makes that process computationally very difficult and expensive.

Why not immediately invalidate the secret questions and answers that were compromised?
This was a difficult decision to make but in the end we believe that keeping the secret questions and answers in place still provides a layer of security against unauthorized users who don't have access to the compromised data. In the meantime, we are working quickly to create a mechanism for players to change the secret question and answer on their account. Our customer service staff will also know to use additional measures to verify player identities and not rely solely on secret question and answer.

Why not immediately revoke the mobile authenticators?
Similar to the decision surrounding secret question and answer, we still believe that keeping mobile authenticators active provides a layer of security against unauthorized users who don't have access to the compromised data. In fact, the mobile authenticator information by itself won't grant access to a Battle.net account -- that still requires the actual password as well. We are working quickly to deploy new mobile authenticator software and will notify players to update as soon as it's available.

Are you taking additional security measures as a result of this occurrence?
We are continually upgrading our security technologies, policies, protocols and procedures to help protect our customers and our games, and will continue to monitor the situation closely.

Teams have also been working around the clock in an ongoing investigation with law enforcement and security experts, to gain a more detailed understanding of what happened. As we conclude the investigation there will be lessons learned that can help strengthen our security going forward.
This article was originally published in forum thread: Important Security Update started by chaud
Comments (217)
  1. SinR
    *points to his keychain authenticator*

    Well I'm still 98% secure. Can't remove a physical authenticator without a scan of my photo ID
  2. cyan421
    scary times, apple and blizzard in the same week.
  3. nekobaka
    Its been so many years that I forgot there was a security question.
  4. Nerraw
    Quote Originally Posted by kabookiejoez:
    China Unaffected... can't imagine why...
    Blizzard doesn't run the Chinese servers directly, that's why.
  5. Winter Blossom
    Really......Way to drop the ball, Blizzard...
  6. Malkazam
    I haven't played in 5 months, but I still changed my password on battle.net (US and EU) a few minutes ago.

    I want to thank MMO Champ for this news. I think a lot of people don't know about this situation.
  7. nogard64
    Quote Originally Posted by Phantoms:
    Authenticators ftw.
    haha last summer I was hacked, I was playing on a brand new computer, win 7 64bit. Haven't even had time to surf porn and get trojans and malware.

    I suspected there was a compromise at Blizzards end, because no matter how much the blizzard Fan-BEEPS (can't even use that word) defend blizzard, they are not invincible.

    About the same time last summer I watched as other people also got hacked at the same time as me.... ever noticed the hacks come in waves? Like all of a sudden you see a few thousand people get hacked in a week, then it's quiet for a month, then it happens again, hmmmmm....... almost like someone is getting a HUGE LONG list of screen names and passwords from a special source of screen names and passwords??????

    yeah sure put my tin foil hat back on right, you DELUSIONAL blizzard FAN-BEEPS!
  8. Arbs
    Quote Originally Posted by Zoneseek:
    lol

    sorry gotta laugh, when this happened to Trion at the end of last year I read dozens of posts by people mocking them for being a crap company with bad security policies

    happens to blizzard - "eventually everything gets hacked, welcome to the interwebz"

    LOL jokes
    Ya, but Trion didn't catch it fast enough; they lost tons of personal info. Blizzard did, and they caught it after 5 days, that's fast, and only NA emails & encrypted passwords, SQ & SA got taken, that's all. And it's very expensive to decrypt all of those, and the majority of those will be useless in a couple of days.
  9. Karizee
    If Blizz didn't notice til 5 days ago, this information has long been sold off to everyone and their mother.
  10. Temma
    It kinda makes me hope Lulzboat is back.
  11. Purple
    I made it clear when Blizzard decided to go with current Battle.net structure that using the user's e-mail, and connecting all accounts to a single e-mail or username, rather than separate usernames for each game, was a terrible idea. And people picking up your e-mail, even without your password, is why. Yeah. I have my keychain authenticator, but I always thought it was a bad idea.

    This issue here would have happened no matter what, I imagine, but I'm still appalled. I expected more of Blizzard, since, like many of you, I trusted them with my information. I don't want assurances, and I'll accept that I have to change up my information, but all I really want is to see them go after the people responsible, legally, like the wrath of God coming down on the heretics. That is the only apology that will satisfy me. I want the punishment of those responsible to be so severe and resonating that others will think twice, though, obviously, nothing will sway the truly ambitious.
  12. tripleh
    Guessing it was Anon. http://www.youtube.com/watch?v=5faKC38L9Lg Activision's CEO pissed them off months ago with Call of Duty. Anon leaks the CEO's private information. lol
  13. Kathranis
    Quote Originally Posted by Temma:
    It kinda makes me hope Lulzboat is back.
    Why would you ever support a group of people who intentionally hack and steal personal data from companies and then release it on the internet or sell it to third parties? Just because they have lulz in their name? Because they claim they're "fighting the man" or whatever? Give me a break. The only people they hurt are consumers.

    Anyway, surprised this hasn't happened sooner, frankly. Glad to know they at least encrypt their passwords, unlike some other companies that have gotten hacked in the last year or two.

    Might just go ahead and create a new email for my battle.net account.
  14. LazyJones
    Quote Originally Posted by nogard64:
    haha last summer I was hacked, I was playing on a brand new computer, win 7 64bit. Haven't even had time to surf porn and get trojans and malware.
    You played on a different computer before that though. They could've gotten your password from that.
    Also:

    About the same time last summer I watched as other people also got hacked at the same time as me.... ever noticed the hacks come in waves? Like all of a sudden you see a few thousand people get hacked in a week, then it's quiet for a month, then it happens again, hmmmmm....... almost like someone is getting a HUGE LONG list of screen names and passwords from a special source of screen names and passwords??????
    Lots and lots of people use the same email/username, and the same password as well, in many different games or websites.
    When one game/website gets hacked, the hackers then have a long list of those usernames/passwords, and they ARE going to try them out on other games/websites as well.
    If people used the same login information in a game that got hacked, as they do in WoW, it isn't Blizzard's security at fault if their WoW account then gets hacked later.
  15. Xingu
    Wth Blizzard, unable to paste a chosen password into the field on battlenet? I use KeePass and internal password generator and I am supposed to type in the current impossibly long and tricky password and then twice more a new impossibly long and tricky password??? FU Blizzard, it didn't use to be this way, I want my pasting comfort not broken fingers. Before this I changed password regularly, now not anymore. Unless you want me to type in a simple password or my username ... Hm, come to think of it, that is exactly what I did on Steam where pasting is disabled for the client, I made up a simple password.

    Of all the services, Blizzard and Steam are the only ones who don't allow pasting. And now Blizzard gets hacked. Well done -.-

    ps: I am so happy I never trusted them with my credit card, prepaid cards ftw!
  16. Syio
    I definitely appreciate the openness and brutal honesty of this notice. Thank you, Blizzard. It's not fun at all, but I approve of the transparency in this situation and will take steps to minimise the damage.
  17. Redblade
    Quote Originally Posted by Xingu:
    Wth Blizzard, unable to paste a chosen password into the field on battlenet? I use KeePass and internal password generator and I am supposed to type in the current impossibly long and tricky password and then twice more a new impossibly long and tricky password??? FU Blizzard
    Had the same issue and thought about the same about Blizz when I realized, most retarded fucking design, had to use a g15 macro to auto type the passwords for me.
  18. skitzin
    Quote Originally Posted by Purple:
    I expected more of Blizzard, since, like many of you, I trusted them with my information. I don't want assurances, and I'll accept that I have to change up my information.. but all I really want is to see them go after the people responsible, legally, like the wrath of God coming down on the heretics. That is the only apology that will satisfy me. I want the punishment of those responsible to be so severe and resonating that others will think twice, though, obviously, nothing will sway the truly ambitious.
    The sad part is many of these hackers live in regions of the Earth where there are either no laws or the local authorities do not care as long as they aren't targeted, making it impossible in many cases to fully punish these people by legal means.
  19. reve
    Not like anything that bad happened, they didn't get passwords and most importantly they didn't get CC info.
  20. Rigimi44
    Sounds similar to the Great PS3 Hack of 2011. Brb, changing passwords.
