MMO-Champion - Important Security Update
Important Security Update
Originally Posted by Blizzard (Blue Tracker / Official Forums)
Players and Friends,

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Sincerely,
Mike Morhaime

Important Security Update FAQ
Originally Posted by Blizzard (Blue Tracker)
Is there anything that players need to do right now to protect themselves?
While there is currently no evidence that any of the password or player data has been misused, we encourage our North American players to change their passwords. Click here to login and change your password.

In the coming days we will implement an automated process for all users to change their secret questions and answers, as a precautionary measure. We'll also prompt mobile authenticator users to update their authenticator software.

Additionally, while Blizzard has no indication that any of your information was shared with any other unauthorized parties or that there has been any unauthorized use of your data, we urge all members of our community to closely monitor all of their online accounts.

Players should also be wary of fraudulent emails (phishing). Unfortunately, because email addresses were exposed, it is entirely possible that this could result in an increased, targeted phishing campaign being sent to our users. Check this page for tips on how to spot and avoid these types of fraudulent emails.

What data was affected?
Here's a summary of the data that we know was illegally accessed:

North American-based accounts, including players from Latin America, Australia, New Zealand, and Southeast Asia:
  • Email addresses
  • Answers to secret security questions
  • Cryptographically scrambled versions of passwords (not actual passwords)
  • Information associated with the Mobile Authenticator
  • Information associated with the Dial-in Authenticator
  • Information associated with Phone Lock, a security system associated with Taiwan accounts only

Accounts from all global regions outside of China (including Europe and Russia):
  • Email addresses

China-based accounts:
  • Unaffected

At this time, there’s no evidence that financial information of any kind has been accessed. This includes credit cards, billing addresses, names, or other payment information.

What information related to Mobile and Dial-In Authenticators was exposed? What about Phone Lock?
With regard to Dial-In Authenticators, hashed (not actual) phone numbers were accessed. This is phone data from the relatively small number of people who opted into the program.

With regard to Mobile Authenticators, information was taken that could potentially compromise the integrity of North American Mobile Authenticators. We have no evidence that other regions were affected. We are working quickly to provide software updates to users.
Additionally we believe the integrity of the physical authenticators remains intact.

The information relating to Phone Lock represents a small number of hashed (not actual) phone numbers from Taiwanese players who opted into this service and had a North American Battle.net account.

Was the physical authenticator compromised?
We believe the integrity of the physical authenticators remains intact.

How did this happen?
Like all companies doing business online, it is not an uncommon occurrence to experience outside parties trying to illegitimately gain access to the operation’s structure at some level. We are continually upgrading our security technologies, policies, protocols and procedures to protect our customers and our games against the threats that increasingly arise in today’s online world.

When did Blizzard learn of the unauthorized access?
The trespass into our internal network was detected by us on August 4, 2012.

Why did Blizzard announce this on August 9?
We worked around the clock since we discovered the unauthorized user to determine the nature of the trespass and understand what data was accessed. Our first priority was to re-secure our network, and from there we worked simultaneously on the investigation and on informing our global player base. We wanted to strike a balance between speed and accuracy in our reporting and worked diligently to serve both equally important needs.

What action has Blizzard taken?
Upon learning of the unauthorized access, we worked quickly to re-secure our network. Afterward, we immediately notified law enforcement as well as security experts and launched an ongoing investigation to determine what had occurred. We also took steps to notify players, which happened in a matter of days from the time we discovered the illegal access.

Was any personal or financial information accessed?
At this time, there is no evidence that financial information was affected or accessed. There's also no evidence that personal information such as real names or billing addresses were accessed.

What can you tell us about the scrambled passwords that were accessed?
Cryptographically scrambled versions of passwords for North American players were accessed, protected by Secure Remote Password (SRP) protocol. This information alone doesn't give unauthorized users the actual passwords -- each password would need to be deciphered individually. The added layer of protection from SRP makes that process computationally very difficult and expensive.

Why not immediately invalidate the secret questions and answers that were compromised?
This was a difficult decision to make but in the end we believe that keeping the secret questions and answers in place still provides a layer of security against unauthorized users who don't have access to the compromised data. In the meantime, we are working quickly to create a mechanism for players to change the secret question and answer on their account. Our customer service staff will also know to use additional measures to verify player identities and not rely solely on secret question and answer.

Why not immediately revoke the mobile authenticators?
Similar to the decision surrounding secret question and answer, we still believe that keeping mobile authenticators active provides a layer of security against unauthorized users who don't have access to the compromised data. In fact, the mobile authenticator information by itself won't grant access to a Battle.net account -- that still requires the actual password as well. We are working quickly to deploy new mobile authenticator software and will notify players to update as soon as it's available.

Are you taking additional security measures as a result of this occurrence?
We are continually upgrading our security technologies, policies, protocols and procedures to help protect our customers and our games, and will continue to monitor the situation closely.

Teams have also been working around the clock in an ongoing investigation with law enforcement and security experts, to gain a more detailed understanding of what happened. As we conclude the investigation there will be lessons learned that can help strengthen our security going forward.
This article was originally published in forum thread: Important Security Update started by chaud View original post
Comments 217 Comments
  1. Bahska's Avatar
    Quote Originally Posted by Pyridoxine View Post
    How long has this compromise been in place? How many accounts have been compromised because of this neglect of Blizzard Entertainment?

    Back in August of last year my account was hacked while being inactive for 6 months. I immediately got my account unbanned and noticed there was no time on my account which would make it impossible for someone to log in. Blizzard INSISTED that my end was compromised and not theirs. Regardless of the fact that my Mac, that I play on, is clean of any viruses and I use WPA2 Enterprise wireless security at home. After sending them pictures of my account being logged in after it was banned and calling them multiple times the only thing I would get is the generic "It's your fault" response. Any who this entire ordeal took a month to fix, due to some problem with our Guild Bank being inaccessible to everyone in the guild.
    Did you have a authenticator, key loggers can show up as a spybot and not a virus so virus scanners wont see it, wireless security is easily hackable by anyone with linux knowledge, do you use your computers internal firewall, what are the ports.........i can keep going if you want? :P there are many different ways to get into your account an yes sometimes they will add time to your account that has been offline for any amount of time, whats 13 dollars to someone that could potentially use your account to make hundreds if not thousands of dollars.
    They dont care what your level is or how long you have been playing (or haven't) its all about the account.

    Macs ar good against potential threats but there not invulnerable http://arstechnica.com/apple/2012/04...ssword-needed/ Took apple 2? weeks to fix that PC's were patched over night.

    Also some virus scanners just plain suck an dont catch everything so it could come down to what software you use.
  1. ro9ue's Avatar
    I had someone use my paypal account within days of the Sony breach. Best thing you can do is just monitor your bank accounts and credit card charges. When that happened I set up mobile alerts, they text you when there's activity on your account. (You can choose which activity is important enough to send an alert for.)

    If your credit card information was stolen, you might want to request a new card from your bank. You are usually given one free new card per year, and this doesn't happen that often anyway.
  1. Axxy's Avatar
    I'm a little shocked because I just saw this on the BBC website and it's well down the MMO-C front page. Blizzard are just advertising this as a "Security Update"???? (I would think that they would be a bit more robust than that....)

    Just checked my 2 email accounts and NO warning email from Blizzard at all, but I do have 19 phishing emails already from Blizzard-Entertainment and D3 Online \lol.
  1. Alayea's Avatar
    Quote Originally Posted by Axxy View Post
    I'm a little shocked because I just saw this on the BBC website and it's well down the MMO-C front page. Blizzard are just advertising this as a "Security Update"???? (I would think that they would be a bit more robust than that....)

    Just checked my 2 email accounts and NO warning email from Blizzard at all, but I do have 19 phishing emails already from Blizzard-Entertainment and D3 Online \lol.
    If you had been here the same day this news post was put up then you would have seen it at the top. Stop drinking the conspiracy kool-aid.
  1. Tharkkun's Avatar
    Quote Originally Posted by Axxy View Post
    I'm a little shocked because I just saw this on the BBC website and it's well down the MMO-C front page. Blizzard are just advertising this as a "Security Update"???? (I would think that they would be a bit more robust than that....)

    Just checked my 2 email accounts and NO warning email from Blizzard at all, but I do have 19 phishing emails already from Blizzard-Entertainment and D3 Online \lol.

    You should change your email address because it's been farmed and sold. It takes a while to make it around so it wouldn't be from the recent compromise which means another website which allows email addresses to be displayed has been hacked.

    ---------- Post added 2012-08-10 at 04:29 PM ----------

    Quote Originally Posted by Klog View Post
    I had someone use my paypal account within days of the Sony breach. Best thing you can do is just monitor your bank accounts and credit card charges. When that happened I set up mobile alerts, they text you when there's activity on your account. (You can choose which activity is important enough to send an alert for.)

    If your credit card information was stolen, you might want to request a new card from your bank. You are usually given one free new card per year, and this doesn't happen that often anyway.
    Sony didn't disclose it for 18 days, not to mention there were public forums talking about how Sony was running an old version of Apache a few months before the break in was made public. What's worse is Sony had a public facing website that was allowed to access the internal network which is very bad and it most likely was going on for months.

    Blizzard stated it was an internal break in which leans towards an employees laptop becoming infected with malware/rootkit. Most malware makes a lot of noise so any decent IDS system would've let them know quickly that someone's laptop has been compromised.

    I work for Oracle and we are notified within a few hours of a compromise. If I start up a P2P client, I'll get called at my desk in 30 minutes or less.
  1. Remilia's Avatar
    Quote Originally Posted by Tharkkun View Post
    Sony didn't disclose it for 18 days
    7 days tyvm.
    Quote Originally Posted by Tharkkun View Post
    Blizzard stated it was an internal break in which leans towards an employees laptop becoming infected with malware/rootkit. Most malware makes a lot of noise so any decent IDS system would've let them know quickly that someone's laptop has been compromised.
    Where was this stated anyways.
  1. MouseD's Avatar
    Quote Originally Posted by Gourmandises View Post
    Not that authenticators would have helped... they're easy hackable aswell
    The key fob auth is quite damn hard to hack...seeing its not connected to the internet at all.....and there is a very very small window for them to even try a man in the middle attack...now the auth on mobile phones are more and faster to be hack due to simple fact..most of the new phones that use those apps is connected to the internet.....personally I use the key fob one and think its better then phone app one...seeing cell phones can be broke..stolen...dropped and damaged....so then you can't use it...were as a key fob one you can attack it too your computer and its right there.
  1. sirgenesis's Avatar
    China unaffected............. just sayin
  1. Detonati0n's Avatar
    Blizzard was asking for this by releasing ability to cash out of Diablo 3. Money that is earned in Diablo 3 should not be able to be cashed out for real currency unless blizzard is willing to deal with the same type of cyber criminals that target international banks. Sad thing is that Blizzard's RMAH cuts are Diablo 3's revenue source.
  1. Coldhearth's Avatar
    Quote Originally Posted by Seegtease View Post
    Yeah, Blizzard, and any other major companies who have been hacked are obviously full of incompetent fools, since they got hacked. They certainly don't have any training in network security. Blizzard should have had a drool cup.

    But since you seem to be the pro when it comes to this, why don't you get a job there and fix their systems so they will never get hacked again? I'm sure they'd pay you well. Oh, you couldn't? That's a shame.
    This is where reading comprehension comes in handy. I never said anything about Blizzard's own systems. I said if you can't secure YOUR OWN computer, you're an idiot. Which is why they offer authenticators. Most of the wow population is a drooling mass of stupid, much like you for failing to recognize a simple observation.
  1. Pyridoxine's Avatar
    Quote Originally Posted by Bahska View Post
    Did you have a authenticator, key loggers can show up as a spybot and not a virus so virus scanners wont see it, wireless security is easily hackable by anyone with linux knowledge, do you use your computers internal firewall, what are the ports.........i can keep going if you want? :P there are many different ways to get into your account an yes sometimes they will add time to your account that has been offline for any amount of time, whats 13 dollars to someone that could potentially use your account to make hundreds if not thousands of dollars.
    They dont care what your level is or how long you have been playing (or haven't) its all about the account.

    Macs ar good against potential threats but there not invulnerable Took apple 2? weeks to fix that PC's were patched over night.

    Also some virus scanners just plain suck an dont catch everything so it could come down to what software you use.
    No. I did not have an authenticator. At the time when I was playing I had the mobile authenticator on my iPhone. However seeing as I do iOS development and I'm constantly installing beta firmwares from Apple I de-authorized my mobile authenticator from my phone when I stopped playing. Spybot is a piece of software for Windows I think you mean Spywear. As for Spywear I only used my Mac to play WoW and to program using XCode. I also used Google Chrome to browse the web, to which at the time no one was able to get out of chrome's sandbox and install something on the local computer. (That didn't happen till March of this year.) All of my ports were and still blocked on my router and also on my computer's firewall. My Battle.net password consisted of a 16 character randomly generated password consisting on different case letters, numbers, and symbols. (This has been bumped to 27 characters.) This password was also only used for Battle.net. The anti-virus I use is ClamXAV, the Mac OS X port of the ever so popular ClamAV which is used on many Unix/Linux based server around the world. It's also worth noting that I've had my WoW account since vanilla (November of 2005) and my account was never once hacked since this incident.

    Also you don't find it strange that my account was 'hacked' without any time being added to the account? (My WoW Characters were cleaned of all their items and the guild bank emptied so they must have been able to login to WoW with no gametime added. [Wish I knew how to do that.]) You don't find it strange that my character was logged into after hours of being banned? (I have a screenshot of this from a friend that noticed and brought it to my attention.) How about my account being so screwed up that no one in my guild could access the guild bank and it took Blizzard a month to fix this issue, even after having 3 different GMs took control of my character and tried it out for themselves? (Literally no one could access the guild bank when you right clicked on it nothing showed up.)
  1. Nerraw's Avatar
    Quote Originally Posted by sirgenesis View Post
    China unaffected............. just sayin
    As stated several times, the Chinese servers are run by a 3rd party.
  1. Seegtease's Avatar
    Quote Originally Posted by Coldhearth View Post
    This is where reading comprehension comes in handy. I never said anything about Blizzard's own systems. I said if you can't secure YOUR OWN computer, you're an idiot. Which is why they offer authenticators. Most of the wow population is a drooling mass of stupid, much like you for failing to recognize a simple observation.
    If Blizzard can be hacked, you can be hacked. I'd imagine their systems are more secure than yours.
  1. Kaeleena's Avatar
    Gotta hand it to Blizzard. They really have the sheep snowed on this one.

    Response to SOE being hacked: It's SOEs fault. People leaving SOE in droves.
    Reponse to other Battle.net users getting hacked: It's your fault. Not Blizzards. Get an authenticator. Use a unique password. Use a unique email. Don't download addons from untrusted websites. Don't click on links in phishing emails. Always verify the web address before entering your information.
    Response to Blizzard being hacked: It's not Blizzards fault. This type of thing is inevitable.

    lol

    ‘SRP’ Won’t Protect Blizzard’s Stolen Passwords
  1. wunksta's Avatar
    Quote Originally Posted by Pyridoxine View Post
    No. I did not have an authenticator. At the time when I was playing I had the mobile authenticator on my iPhone. However seeing as I do iOS development and I'm constantly installing beta firmwares from Apple I de-authorized my mobile authenticator from my phone when I stopped playing. Spybot is a piece of software for Windows I think you mean Spywear. As for Spywear I only used my Mac to play WoW and to program using XCode. I also used Google Chrome to browse the web, to which at the time no one was able to get out of chrome's sandbox and install something on the local computer. (That didn't happen till March of this year.) All of my ports were and still blocked on my router and also on my computer's firewall. My Battle.net password consisted of a 16 character randomly generated password consisting on different case letters, numbers, and symbols. (This has been bumped to 27 characters.) This password was also only used for Battle.net. The anti-virus I use is ClamXAV, the Mac OS X port of the ever so popular ClamAV which is used on many Unix/Linux based server around the world. It's also worth noting that I've had my WoW account since vanilla (November of 2005) and my account was never once hacked since this incident.
    It's a common misconception that you can only be hacked by something that was on your computer. Some people become compromised because they use the same user name and password on different sites, and then those sites become compromised and your account information is gained without anything ever getting on your computer. They then have access to your email, and then reset the Battle.net password.

    Also, using random letters, numbers and symbols doesn't prevent programs from brute forcing the password. In fact, random letter/number strings are easier for it to break. Using a string of common words is actually much more effective to prevent brute force attempts. See readwriteweb<dot>com/enterprise/2011/01/why-using-2-or-3-simple-words.php

    Most account information isn't obtained through brute force methods though, afaik. They are gained because people use the same information for every other account, and/or infected computers.

    Also you don't find it strange that my account was 'hacked' without any time being added to the account? (My WoW Characters were cleaned of all their items and the guild bank emptied so they must have been able to login to WoW with no gametime added. [Wish I knew how to do that.]) You don't find it strange that my character was logged into after hours of being banned? (I have a screenshot of this from a friend that noticed and brought it to my attention.)
    Not sure how you would know if game time was added or not. Most of the time, game time is added exploitively with fraudulent game time cards, which then are removed once they are determined to be fraudulent. However, in between that time, a player's account is compromised.

    How about my account being so screwed up that no one in my guild could access the guild bank and it took Blizzard a month to fix this issue, even after having 3 different GMs took control of my character and tried it out for themselves? (Literally no one could access the guild bank when you right clicked on it nothing showed up.)
    That doesn't sound related to the compromise at all actually. Many guilds have had similar issues unrelated to a compromise. It seems to be more of a guild UI issue.

    All a hacker would do is take the contents of the guild and leave as quickly as possible.
  1. Tharkkun's Avatar
    Quote Originally Posted by Remilia View Post
    7 days tyvm.
    Where was this stated anyways.
    Blizzard said it was an internal compromise. That would indicate an external, customer facing website wasn't compromised. Internal hacks are usually caused by malware/rootkits unless some yahoo walked into the building with a laptop. Which could have happened but I highly doubt it.
  1. Remilia's Avatar
    Quote Originally Posted by Tharkkun View Post
    Blizzard said it was an internal compromise. That would indicate an external, customer facing website wasn't compromised. Internal hacks are usually caused by malware/rootkits unless some yahoo walked into the building with a laptop. Which could have happened but I highly doubt it.
    Where was this piece of information stated.
    As in, where did you hear this, or where did blizzard state this.

Site Navigation