It seems that the authenticators will infact be useless if you had a mobile one.
Blizzard states it here
This means if they unencrypt the passwords, and then use a legitimate 3rd party authenticator like Winauth, they could plug in the serial number of your Auth and gain access. Simple as that after they break the encryption to the passwords.Why not immediately revoke the mobile authenticators?
Similar to the decision surrounding secret question and answer, we still believe that keeping mobile authenticators active provides a layer of security against unauthorized users who don't have access to the compromised data. In fact, the mobile authenticator information by itself won't grant access to a Battle.net account -- that still requires the actual password as well. We are working quickly to deploy new mobile authenticator software and will notify players to update as soon as it's available.
Think I'll just report my mastercard as stolen, and I'll get a new one!
They can't do more than they are doing. All data has to be read at some point so it needs to be readable some way or another. It's encrypted as well as it can be to still be usable. However, someone has to write the encryption in the first place; And if one person can write it, someone else can crack it.
That's just how it is.
Grats Us , world first !
well yes the only got EU e-mails ..
sorry i had to
on the other hand , well it can happen , sony was /is not a small company and it happend to them too.
Blizz makes a ton of cash normal that they are being attacked too.
First time they had a probleme of this kind in 7 years? i dont see a big probleme they got my mail so what?
i can change my pw , my secret questions and evrything no big deal ^^
Well, considering how many people bashing when it happened to rift... usually with "would never happen to wow", well... I knew it then but perhaps you all now that it could happen to anyone :P
Should EU battlenet accounts change their emails? Even though Im not playing anymore why hand out characters for free :P
You hoped it was over but Murky is backSign + avatar by Visenna
Blizzard is a massive company, so things like this can happen. There's no point in whining about it. Every large company has problems like this once in a blue moon. But at least Blizzard is informing us asap and telling everyone exactly what to do and what they're going to be doing. That's always a good sign.
There is a reason banks use the same system. It takes ages to crack and by the time it is the breach has been detected and a fix applied. Breaches will obviously happen, they'll just very very rarely involve anything useful being obtained before it's been made useless by updates.
This was bound to happen at some point.
I'm actually very impressed at how the community is handling this. WoW Players seem to be generally alright with it, and accept that things like this happen. However, if you go to the Diablo III forums it's just one big pile of 'derp' over there.
Good job, everyone. At handling this situation like adults. I'm so proud. <3
But if they've been smart about it and based the conversion on something non-static, maybe an internal number (every X chars should be upper case) that varies for different accounts they can still maintain almost the same level of security from a hacking point of view as case sensitive passwords.
By the time they are able to start compromising accounts, forced password changes will happen. That's assuming they don't have an authenticator which means they are sol.
Surprised it took this long for someone to get in. At least unlike Sony they told us right away.
It's OK Bliz,
just use the web form "i'm hacked".
Jokes aside, the value of the email database for advertising cannot be measured, millions and maybe more, for gaming companies....
let teh *yes, teh, spam begin.
You need more than the serial number. You need the 40 character token secret, which is generated when you request a mobile authenticator and saved on the servers and your phone. The serial number alone is useless.
Now if both of those items were indeed breached, then yes. Unlink your authenticator and generate a new one!
In fact, I'd do it anyway. All you need to remove an authenticator from someone's account is their secret word, and the serial to the authenticator. Now, you just crack that password, and now you have their account.
It can happen to the best companies in the world. In fact no one is protected or can even say they are "immune" to this.
On the safe spot, everyone should realy do what blizzard recomends now, even if you think you are not on the affected group of people.