Important Security Update

[ro9ue]

I had someone use my paypal account within days of the Sony breach. Best thing you can do is just monitor your bank accounts and credit card charges. When that happened I set up mobile alerts, they text you when there's activity on your account. (You can choose which activity is important enough to send an alert for.)

If your credit card information was stolen, you might want to request a new card from your bank. You are usually given one free new card per year, and this doesn't happen that often anyway.

[Axxy]

I'm a little shocked because I just saw this on the BBC website and it's well down the MMO-C front page. Blizzard are just advertising this as a "Security Update"???? (I would think that they would be a bit more robust than that....)

Just checked my 2 email accounts and NO warning email from Blizzard at all, but I do have 19 phishing emails already from Blizzard-Entertainment and D3 Online \lol.

[Alayea]

I'm a little shocked because I just saw this on the BBC website and it's well down the MMO-C front page. Blizzard are just advertising this as a "Security Update"???? (I would think that they would be a bit more robust than that....)

Just checked my 2 email accounts and NO warning email from Blizzard at all, but I do have 19 phishing emails already from Blizzard-Entertainment and D3 Online \lol.

If you had been here the same day this news post was put up then you would have seen it at the top. Stop drinking the conspiracy kool-aid.

[Tharkkun]

I'm a little shocked because I just saw this on the BBC website and it's well down the MMO-C front page. Blizzard are just advertising this as a "Security Update"???? (I would think that they would be a bit more robust than that....)

Just checked my 2 email accounts and NO warning email from Blizzard at all, but I do have 19 phishing emails already from Blizzard-Entertainment and D3 Online \lol.

You should change your email address because it's been farmed and sold. It takes a while to make it around so it wouldn't be from the recent compromise which means another website which allows email addresses to be displayed has been hacked.

---------- Post added 2012-08-10 at 04:29 PM ----------

I had someone use my paypal account within days of the Sony breach. Best thing you can do is just monitor your bank accounts and credit card charges. When that happened I set up mobile alerts, they text you when there's activity on your account. (You can choose which activity is important enough to send an alert for.)

If your credit card information was stolen, you might want to request a new card from your bank. You are usually given one free new card per year, and this doesn't happen that often anyway.

Sony didn't disclose it for 18 days, not to mention there were public forums talking about how Sony was running an old version of Apache a few months before the break in was made public. What's worse is Sony had a public facing website that was allowed to access the internal network which is very bad and it most likely was going on for months.

Blizzard stated it was an internal break in which leans towards an employees laptop becoming infected with malware/rootkit. Most malware makes a lot of noise so any decent IDS system would've let them know quickly that someone's laptop has been compromised.

I work for Oracle and we are notified within a few hours of a compromise. If I start up a P2P client, I'll get called at my desk in 30 minutes or less.

[Remilia]

Sony didn't disclose it for 18 days

7 days tyvm.

Blizzard stated it was an internal break in which leans towards an employees laptop becoming infected with malware/rootkit. Most malware makes a lot of noise so any decent IDS system would've let them know quickly that someone's laptop has been compromised.

Where was this stated anyways.

[MouseD]

Not that authenticators would have helped... they're easy hackable aswell

The key fob auth is quite damn hard to hack...seeing its not connected to the internet at all.....and there is a very very small window for them to even try a man in the middle attack...now the auth on mobile phones are more and faster to be hack due to simple fact..most of the new phones that use those apps is connected to the internet.....personally I use the key fob one and think its better then phone app one...seeing cell phones can be broke..stolen...dropped and damaged....so then you can't use it...were as a key fob one you can attack it too your computer and its right there.

[sirgenesis]

China unaffected............. just sayin

[Detonati0n]

Blizzard was asking for this by releasing ability to cash out of Diablo 3. Money that is earned in Diablo 3 should not be able to be cashed out for real currency unless blizzard is willing to deal with the same type of cyber criminals that target international banks. Sad thing is that Blizzard's RMAH cuts are Diablo 3's revenue source.

[Coldhearth]

Yeah, Blizzard, and any other major companies who have been hacked are obviously full of incompetent fools, since they got hacked. They certainly don't have any training in network security. Blizzard should have had a drool cup.

But since you seem to be the pro when it comes to this, why don't you get a job there and fix their systems so they will never get hacked again? I'm sure they'd pay you well. Oh, you couldn't? That's a shame.

This is where reading comprehension comes in handy. I never said anything about Blizzard's own systems. I said if you can't secure YOUR OWN computer, you're an idiot. Which is why they offer authenticators. Most of the wow population is a drooling mass of stupid, much like you for failing to recognize a simple observation.

[Pyridoxine]

Did you have a authenticator, key loggers can show up as a spybot and not a virus so virus scanners wont see it, wireless security is easily hackable by anyone with linux knowledge, do you use your computers internal firewall, what are the ports.........i can keep going if you want? :P there are many different ways to get into your account an yes sometimes they will add time to your account that has been offline for any amount of time, whats 13 dollars to someone that could potentially use your account to make hundreds if not thousands of dollars.
They dont care what your level is or how long you have been playing (or haven't) its all about the account.

Macs ar good against potential threats but there not invulnerable Took apple 2? weeks to fix that PC's were patched over night.

Also some virus scanners just plain suck an dont catch everything so it could come down to what software you use.

No. I did not have an authenticator. At the time when I was playing I had the mobile authenticator on my iPhone. However seeing as I do iOS development and I'm constantly installing beta firmwares from Apple I de-authorized my mobile authenticator from my phone when I stopped playing. Spybot is a piece of software for Windows I think you mean Spywear. As for Spywear I only used my Mac to play WoW and to program using XCode. I also used Google Chrome to browse the web, to which at the time no one was able to get out of chrome's sandbox and install something on the local computer. (That didn't happen till March of this year.) All of my ports were and still blocked on my router and also on my computer's firewall. My Battle.net password consisted of a 16 character randomly generated password consisting on different case letters, numbers, and symbols. (This has been bumped to 27 characters.) This password was also only used for Battle.net. The anti-virus I use is ClamXAV, the Mac OS X port of the ever so popular ClamAV which is used on many Unix/Linux based server around the world. It's also worth noting that I've had my WoW account since vanilla (November of 2005) and my account was never once hacked since this incident.

Also you don't find it strange that my account was 'hacked' without any time being added to the account? (My WoW Characters were cleaned of all their items and the guild bank emptied so they must have been able to login to WoW with no gametime added. [Wish I knew how to do that.]) You don't find it strange that my character was logged into after hours of being banned? (I have a screenshot of this from a friend that noticed and brought it to my attention.) How about my account being so screwed up that no one in my guild could access the guild bank and it took Blizzard a month to fix this issue, even after having 3 different GMs took control of my character and tried it out for themselves? (Literally no one could access the guild bank when you right clicked on it nothing showed up.)

[Nerraw]

China unaffected............. just sayin

As stated several times, the Chinese servers are run by a 3rd party.

[Seegtease]

This is where reading comprehension comes in handy. I never said anything about Blizzard's own systems. I said if you can't secure YOUR OWN computer, you're an idiot. Which is why they offer authenticators. Most of the wow population is a drooling mass of stupid, much like you for failing to recognize a simple observation.

If Blizzard can be hacked, you can be hacked. I'd imagine their systems are more secure than yours.

[Kaeleena]

Gotta hand it to Blizzard. They really have the sheep snowed on this one.

Response to SOE being hacked: It's SOEs fault. People leaving SOE in droves.
Reponse to other Battle.net users getting hacked: It's your fault. Not Blizzards. Get an authenticator. Use a unique password. Use a unique email. Don't download addons from untrusted websites. Don't click on links in phishing emails. Always verify the web address before entering your information.
Response to Blizzard being hacked: It's not Blizzards fault. This type of thing is inevitable.

lol

‘SRP’ Won’t Protect Blizzard’s Stolen Passwords

[wunksta]

No. I did not have an authenticator. At the time when I was playing I had the mobile authenticator on my iPhone. However seeing as I do iOS development and I'm constantly installing beta firmwares from Apple I de-authorized my mobile authenticator from my phone when I stopped playing. Spybot is a piece of software for Windows I think you mean Spywear. As for Spywear I only used my Mac to play WoW and to program using XCode. I also used Google Chrome to browse the web, to which at the time no one was able to get out of chrome's sandbox and install something on the local computer. (That didn't happen till March of this year.) All of my ports were and still blocked on my router and also on my computer's firewall. My Battle.net password consisted of a 16 character randomly generated password consisting on different case letters, numbers, and symbols. (This has been bumped to 27 characters.) This password was also only used for Battle.net. The anti-virus I use is ClamXAV, the Mac OS X port of the ever so popular ClamAV which is used on many Unix/Linux based server around the world. It's also worth noting that I've had my WoW account since vanilla (November of 2005) and my account was never once hacked since this incident.

It's a common misconception that you can only be hacked by something that was on your computer. Some people become compromised because they use the same user name and password on different sites, and then those sites become compromised and your account information is gained without anything ever getting on your computer. They then have access to your email, and then reset the Battle.net password.

Also, using random letters, numbers and symbols doesn't prevent programs from brute forcing the password. In fact, random letter/number strings are easier for it to break. Using a string of common words is actually much more effective to prevent brute force attempts. See readwriteweb<dot>com/enterprise/2011/01/why-using-2-or-3-simple-words.php

Most account information isn't obtained through brute force methods though, afaik. They are gained because people use the same information for every other account, and/or infected computers.

Also you don't find it strange that my account was 'hacked' without any time being added to the account? (My WoW Characters were cleaned of all their items and the guild bank emptied so they must have been able to login to WoW with no gametime added. [Wish I knew how to do that.]) You don't find it strange that my character was logged into after hours of being banned? (I have a screenshot of this from a friend that noticed and brought it to my attention.)

Not sure how you would know if game time was added or not. Most of the time, game time is added exploitively with fraudulent game time cards, which then are removed once they are determined to be fraudulent. However, in between that time, a player's account is compromised.

How about my account being so screwed up that no one in my guild could access the guild bank and it took Blizzard a month to fix this issue, even after having 3 different GMs took control of my character and tried it out for themselves? (Literally no one could access the guild bank when you right clicked on it nothing showed up.)

That doesn't sound related to the compromise at all actually. Many guilds have had similar issues unrelated to a compromise. It seems to be more of a guild UI issue.

All a hacker would do is take the contents of the guild and leave as quickly as possible.

[Tharkkun]

7 days tyvm.
Where was this stated anyways.

Blizzard said it was an internal compromise. That would indicate an external, customer facing website wasn't compromised. Internal hacks are usually caused by malware/rootkits unless some yahoo walked into the building with a laptop. Which could have happened but I highly doubt it.

[Remilia]

Blizzard said it was an internal compromise. That would indicate an external, customer facing website wasn't compromised. Internal hacks are usually caused by malware/rootkits unless some yahoo walked into the building with a laptop. Which could have happened but I highly doubt it.

Where was this piece of information stated.
As in, where did you hear this, or where did blizzard state this.