Blizzard Confirms Battle.Net Hacked: Here's What We Know So Far

Blizzard announced yesterday that its Battle.net service has been compromised. The company's investigation is ongoing, but Blizzard has released some early details on what was taken and what the theft means for its users.

First off, the company doesn't believe any credit card information, PayPal addresses, or similar data was seized. No billing addresses or real names have been accessed, either. What was taken includes:
  • Email addresses for non-Chinese users
  • Personal security questions and answers
  • Information related to Mobile and dial-in Authenticators
  • Cryptographically hashed passwords
Those last two items are worrisome, and Blizzard's Mike Morhaime addresses them directly, stating that "Based on what we currently know, this information alone is NOT enough for anyone to gain access to accounts... We also know that cryptographically scrambled versions of passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually." In SRP the server never stores the password or a plain hash of it; it stores a verifier derived from a per-user salt and the password, so a leaked verifier cannot be matched against precomputed tables and each account has to be attacked on its own. That is a cost for the attacker, not a barrier: a short or common password is still guessable one account at a time, which is why the reset advice below applies to SRP-protected accounts too.
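
To make the "deciphered individually" claim concrete, here is an added example (written for this page, not Blizzard's code) of what an SRP server stores and what an attacker holding a leaked salt and verifier has to do with it. It assumes the RFC 5054 construction (SHA-1, x = H(salt | H(username ":" password)), v = g^x mod N) with that RFC's 1024-bit group; Blizzard's actual group, hash function, salt length and any further hardening are not public and are not claimed here. The usernames, passwords and wordlist are constructed for the example.

```python
import hashlib
import os
from typing import Optional

# Added example, not Blizzard's code. Follows SRP-6a verifier storage per
# RFC 5054 with SHA-1 and the 1024-bit group from its Appendix A (check the
# hex against the RFC before reusing it). Blizzard never published its group,
# hash or salt length, so all three are assumptions made here.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2


def srp_x(salt: bytes, username: str, password: str) -> int:
    """Private exponent x = H(salt | H(username ":" password)), RFC 5054 section 2.4."""
    inner = hashlib.sha1(f"{username}:{password}".encode("utf-8")).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def srp_verifier(salt: bytes, username: str, password: str) -> int:
    """v = g^x mod N. This plus the salt is all the server keeps; the password
    itself is never stored, and v cannot be inverted without a discrete log."""
    return pow(g, srp_x(salt, username, password), N)


def register(username: str, password: str, salt: Optional[bytes] = None) -> dict:
    """Build the per-account record a server stores. A database breach leaks
    exactly this: username, salt and verifier."""
    if salt is None:
        salt = os.urandom(16)  # 16-byte salt is an assumption for the example
    return {"username": username, "salt": salt,
            "verifier": srp_verifier(salt, username, password)}


def offline_guess(record: dict, wordlist: list) -> tuple:
    """All an attacker can do with one leaked record: recompute the verifier for
    each candidate password and compare. Returns (password_or_None, modexps spent)."""
    work = 0
    for candidate in wordlist:
        work += 1
        if srp_verifier(record["salt"], record["username"], candidate) == record["verifier"]:
            return candidate, work
    return None, work


def sweep(records: list, wordlist: list) -> tuple:
    """Run the wordlist against every leaked record. Each record has its own
    salt, so no modexp result is reusable between accounts: the cost is about
    accounts x candidates, which is the "deciphered individually" point."""
    cracked = {}
    total = 0
    for record in records:
        found, work = offline_guess(record, wordlist)
        total += work
        if found is not None:
            cracked[record["username"]] = found
    return cracked, total


if __name__ == "__main__":
    alice = register("alice", "hunter2")
    bob = register("bob", "hunter2")
    # Same password, different salts: different verifiers, no shared precomputation.
    print("verifiers differ:", alice["verifier"] != bob["verifier"])
    print(sweep([alice, bob], ["password", "123456", "hunter2"]))
```

Each guess costs one 1024-bit modular exponentiation against one account's salt, which is slower than a bare SHA-1 and rules out shared rainbow tables, but a common password still falls to a short wordlist. The protocol buys time for a reset; it does not make a weak password safe.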

No "I told you so"

As tempting as it is to claim we saw this coming back in May, we're going to refrain. Here's why: hacking has become an even hotter topic in the Blizzard community since the launch of Diablo III. There are people who will read this news and immediately assume that the company launched some enormous cover-up, that the hacks go all the way back to launch, and that Blizzard was blowing smoke up our posteriors about the whole thing.

Sure. That could be true. But there's no proof of it. The timing of a break-in doesn't necessarily line up with the problems users see from the outside. It's possible that Blizzard caught this almost as soon as it occurred. It could turn out that the intrusion happened months ago, but the data was only pulled out recently. It's absolutely possible that the intrusion happened months ago and that Blizzard was still being 100% honest when it said that no one with a Diablo III authenticator had ever been hacked.

If this blows up as big as the Sony hack did, or involves the same sort of blatant stupidity, we'll be there. For now, we recommend resetting your password and changing your security question answers (since those were taken too), keeping an eye out for the company's updated Authenticator software (if you use one), and checking the FAQ if you have additional questions.
insidesin 2 years ago

Even if you have the Authenticator, unless you change the preference on your account so that you are prompted for it every time you log in, the chances of compromise are still pretty high. I just changed all my passwords.

CDeeter 2 years ago

Yup time to change passwords, thanks for the heads up.

Jimmyrussellxd 2 years ago

Hey, are the beta keys affected by this hack? If I were to get a key today, would those still be working?

Joel H 2 years ago

As far as I know, yes -- provided the email itself is legitimately from Blizzard. If this hack seized legitimate email addresses, social engineering is *easily* the most effective way to steal further information. 

Eye any email for spelling errors and proper URLs. Eye the actual URL text that appears at the bottom-right of the browser, not whatever text is linked in blue. 
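
Joel H's advice above, turned into an added Python example that is not from the thread: pull every link out of an HTML email body and flag the ones whose visible text is a battle.net URL while the real href points somewhere else. The message body, the lure hostname and the trusted domain passed in are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style HTML body (not a real message). The first anchor's
# visible text shows a battle.net URL; its href goes to an unrelated example host.
SAMPLE_BODY = """<p>Your account was affected. Reset your password here:</p>
<a href="http://battle.net.account-verify.example.net/login">https://us.battle.net/account/</a>
<p>Questions? Visit <a href="https://us.battle.net/support/">our support page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str):
    """Hostname of a URL; bare 'example.com/path' text is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname.lower() if parsed.hostname else None


def in_domain(host, domain: str) -> bool:
    return host is not None and (host == domain or host.endswith("." + domain))


def suspicious_links(body: str, trusted_domain: str) -> list:
    """Flag anchors whose displayed text is a URL on the trusted domain while
    the href really goes elsewhere: the classic lure Joel H warns about."""
    parser = LinkCollector()
    parser.feed(body)
    flagged = []
    for text, href in parser.links:
        looks_like_url = "." in text and " " not in text
        shown_host = host_of(text) if looks_like_url else None
        real_host = host_of(href)
        if (shown_host and in_domain(shown_host, trusted_domain)
                and not in_domain(real_host, trusted_domain)):
            flagged.append({"shown": text, "actual": href, "actual_host": real_host})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_BODY, "battle.net"):
        print("displayed", hit["shown"], "but links to", hit["actual"])
```

The check is deliberately strict about suffixes: `battle.net.account-verify.example.net` starts with the trusted name but does not end with `.battle.net`, so it is flagged. Links whose text is ordinary words are not judged here; for those, the hover URL in the browser's status bar is still the thing to read.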

insidesin 2 years ago

The proper way to find out if the email is real is to (if you have Hotmail) right click on the email and "view message source".

Then look at the "Received: from" section and check if it is from Blizzard's domain and not or something. The sender part of the email can easily be spoofed to say but looking at message source will determine if it is real.
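
What insidesin describes, as an added Python example that is not from the thread: parse the Received: chain of a raw message, find the hop where it entered your own provider, and compare that host with the domain the From: line claims. The two messages are constructed for the example, the hostnames are placeholders in reserved example domains, and nothing about Blizzard's or Hotmail's real mail servers is asserted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples, not real messages. Received: headers read newest (top)
# to oldest (bottom). Only the ones added by your own provider are trustworthy;
# anything below them was written by the sender and can say whatever it likes,
# which is why SPOOFED carries a bottom header "from mx1.blizzard.com".
SPOOFED = """Received: from mail-relay.hotmail.example (mail-relay.hotmail.example [203.0.113.5])
    by inbox.hotmail.example with ESMTP id abc123
    for <victim@hotmail.example>; Fri, 10 Aug 2012 12:00:00 +0000
Received: from bulk-sender.example.net (bulk-sender.example.net [198.51.100.7])
    by mail-relay.hotmail.example with ESMTP id xyz789
    for <victim@hotmail.example>; Fri, 10 Aug 2012 11:59:58 +0000
Received: from mx1.blizzard.com (mx1.blizzard.com [192.0.2.9])
    by bulk-sender.example.net with ESMTP id forged1
    for <victim@hotmail.example>; Fri, 10 Aug 2012 11:59:50 +0000
From: "Blizzard Entertainment" <noreply@blizzard.com>
To: victim@hotmail.example
Subject: Account security alert

Your account was affected by the incident. Click here to reset your password.
"""

LEGIT = """Received: from mail-relay.hotmail.example (mail-relay.hotmail.example [203.0.113.5])
    by inbox.hotmail.example with ESMTP id def456
    for <victim@hotmail.example>; Fri, 10 Aug 2012 12:05:00 +0000
Received: from mx1.blizzard.com (mx1.blizzard.com [192.0.2.9])
    by mail-relay.hotmail.example with ESMTP id uvw000
    for <victim@hotmail.example>; Fri, 10 Aug 2012 12:04:58 +0000
From: "Blizzard Entertainment" <noreply@blizzard.com>
To: victim@hotmail.example
Subject: Account security alert

Your account was affected by the incident. Please log in at the official site.
"""


def parse_received(value: str) -> dict:
    """Extract the 'from' host (as the receiver recorded it) and the 'by' host
    from one Received: header, tolerating folded continuation lines."""
    flat = re.sub(r"\s+", " ", value)
    m_from = re.search(r"\bfrom (\S+)(?: \(([^)]*)\))?", flat)
    m_by = re.search(r"\bby (\S+)", flat)
    return {
        "from": m_from.group(1).lower() if m_from else None,
        "from_info": m_from.group(2) if m_from else None,
        "by": m_by.group(1).lower() if m_by else None,
    }


def in_domain(host, domain: str) -> bool:
    return host is not None and (host == domain or host.endswith("." + domain))


def received_hops(raw: str) -> list:
    """All Received: hops, newest first, in the order the message source shows them."""
    return [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]


def entry_hop(raw: str, my_provider: str):
    """Walk newest-first and stop at the first hop our own provider recorded as
    arriving from outside: that 'from' host is the real submitter."""
    for hop in received_hops(raw):
        if in_domain(hop["by"], my_provider) and not in_domain(hop["from"], my_provider):
            return hop
    return None


def check_sender(raw: str, my_provider: str, expected_domain: str) -> dict:
    """Compare the (trivially spoofable) From: domain with the host our provider
    actually accepted the message from."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    claimed = addr.rpartition("@")[2].lower()
    hop = entry_hop(raw, my_provider)
    entry = hop["from"] if hop else None
    return {"claimed_domain": claimed, "entry_host": entry,
            "consistent": in_domain(entry, expected_domain)}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_sender(raw, "hotmail.example", "blizzard.com"))
```

Reading only the bottom Received: line would be fooled by SPOOFED, because the sender wrote that line. Treat a mismatch as a reason not to click rather than as proof of fraud: a legitimate sender may hand mail to a third-party relay, so the entry host can differ from the brand's own domain even for real mail.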

omegadraco 2 years ago

Well that sucks. Hopefully they will release more about the scope of the hack soon.

JOMA 2 years ago

Changed my password this morning. No company is immune to this type of thing so I never use the same password on any accounts. It's a pain to have a different one for each site but it helps to avoid any issues if my PW/account gets compromised.

NLance 2 years ago

My girlfriend's account was hacked, I don't know if it was the 9/10 hack, but they got her email, hacked that, and now she can't reset the email because it was used strictly for (something they recommend) and as part of the recovery process the email provider requires information on emails sent and contacts, both of which don't exist as she only used it for

Attempts to contact blizzard directly are going nowhere fast, put in a ticket, was told I would have to call. Called in and got an automated message saying their call queue is full, and they are not taking incoming calls. I did make all the purchases on her account, so everything is linked to my credit card or my account as a gift, so hopefully when I do get someone I can get this resolved.
