Blizzard Confirms Battle.Net Hacked: Here's What We Know So Far

News Posted: Thu, Aug 9 2012 9:37 PM
Blizzard announced yesterday that its popular Battle.net service has been compromised. The company's investigation is ongoing, but Blizzard has released some early details on what's been taken and what the theft means for its users.

First off, the company doesn't believe any credit card information, PayPal addresses, or similar data was seized. No billing addresses or real names have been accessed, either. What was taken includes:
  • Email addresses for non-Chinese Battle.net users
  • Personal security questions and answers
  • Information related to Mobile and dial-in Authenticators
  • Cryptographically hashed passwords
Those last two items are worrisome, and Blizzard's Mike Morhaime addresses it directly, stating that "Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts... We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually."

No "I told you so"

As tempting as it is to claim we saw this coming back in May, we're going to refrain. Here's why: Battle.net hacking has become an even hotter topic in the Blizzard community since the launch of Diablo III. There are people who will read this news and immediately assume that the company launched some enormous cover-up, that the hacks go all the way back to launch, and that Blizzard was blowing smoke up our posteriors about the whole thing.



Sure. That could be true. But there's no proof of it. Security break-ins don't necessarily map to external issues. It's possible that Blizzard caught this almost as soon as it occurred. It could turn out that the hack occurred months ago, but data was only transferred recently. It's absolutely possible that the hack occurred months ago, but that Blizzard was being 100% honest when it said that no one with a Diablo III authenticator had ever been hacked.

If this blows up as big as the Sony hack did, or involves the same sort of blatant stupidity, we'll be there. For now, we recommend resetting your Battle.net passwords, keeping an eye out for the company's updated Authenticator software (if you use one) and checking the FAQ if you have additional questions.
InsideSin replied on Thu, Aug 9 2012 11:39 PM

Even if you have the Authenticator, unless you change the preference on your account so that you are prompted for it every time you log in, the chances of compromise are still pretty high. I just changed all my passwords.

"You can't just ask customers what they want and then try to give that to them. By the time you get it built, they'll want something new."

CDeeter replied on Fri, Aug 10 2012 8:20 AM

Yup, time to change passwords, thanks for the heads up.

Not Ranked
Posts 1
Points 5
Joined: Aug 2012

Hey, are the beta keys affected by this hack? If I were to get a key today, would those still be working?

Joel H replied on Fri, Aug 10 2012 9:42 AM

As far as I know, yes -- provided the email itself is legitimately from Blizzard. If this hack seized legitimate email addresses, social engineering is *easily* the most effective way to steal further information. 

Eye any email for spelling errors and proper URLs. Eye the actual URL text that appears at the bottom-right of the browser, not whatever text is linked in blue. 

InsideSin replied on Fri, Aug 10 2012 12:16 PM

The proper way to find out if the email is real is to (if you have Hotmail) right click on the email and "view message source".

Then look at the "Received: from" section and check if it is from Blizzard's domain and not ajsdgasudg.com or something. The sender part of the email can easily be spoofed to say @blizzard.com but looking at message source will determine if it is real.

"You can't just ask customers what they want and then try to give that to them. By the time you get it built, they'll want something new."
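
The header check described in the post above, as an added example that is not part of the original thread: it compares the From domain with the top-most `Received` line only, because that one is stamped by the recipient's own mail server while lower ones are written by the sending side. The sample message, the `.example` hostnames and the `from <name> (<reverse-DNS> [<ip>])` header layout are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real email. The visible From claims blizzard.com and
# the sender even planted a fake lower Received line that mentions it.
RAW = """\
Received: from mail.ajsdgasudg.example (mail.ajsdgasudg.example [203.0.113.7])
\tby mx.recipient.example with ESMTP; Fri, 10 Aug 2012 12:00:05 -0400
Received: from blizzard.com (localhost [127.0.0.1])
\tby mail.ajsdgasudg.example with SMTP; Fri, 10 Aug 2012 12:00:01 -0400
From: "Blizzard Entertainment" <noreply@blizzard.com>
To: player@recipient.example
Subject: Battle.net account notice

Please verify your account.
"""

# Assumed layout: "from <HELO name> (<reverse-DNS name> [<ip>]) by ..."
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)

def received_hops(raw):
    """Return (helo_name, connection_info) per Received header, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1).lower(), (m.group(2) or "").lower()))
    return hops

def under_domain(host, domain):
    """True for the domain itself or a subdomain, not for look-alike suffixes."""
    return bool(domain) and (host == domain or host.endswith("." + domain))

def check_sender(raw):
    """Compare the From domain with the hop recorded by the receiving server."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = received_hops(raw)
    helo, info = hops[0] if hops else ("", "")
    # Prefer the name the receiver looked up over the name the sender announced.
    boundary_host = (info.split() or [helo])[0]
    return {
        "from_domain": from_domain,
        "boundary_host": boundary_host,
        "boundary_match": under_domain(boundary_host, from_domain),
        # What a reader gets by scanning every Received line for the domain.
        "naive_match": any(under_domain(h, from_domain) for h, _ in hops),
    }
```

On the sample, `naive_match` is true while `boundary_match` is false: the planted lower hop satisfies a scan of every `Received` line, but the hop recorded by the recipient's server does not belong to the From domain.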

Top 50 Contributor
Posts 2,865
Points 29,645
Joined: Mar 2011
Location: United States, Connecticut

Well that sucks. Hopefully they will release more about the scope of the hack soon.

JOMA replied on Sat, Aug 11 2012 11:01 AM

Changed my password this morning. No company is immune to this type of thing so I never use the same password on any accounts. It's a pain to have a different one for each site but it helps to avoid any issues if my PW/account gets compromised.

NLance replied on Sat, Sep 15 2012 6:13 PM

My girlfriend's account was hacked, idk if it was the 9/10 hack, but they got her email, hacked that, and now she can't reset the email because it was used strictly for battle.net (something they recommend) and as part of the recovery process the email provider requires information on emails sent and contacts, both of which don't exist as she only used it for battle.net.

Attempts to contact Blizzard directly are going nowhere fast, put in a ticket, was told I would have to call. Called in and got an automated message saying their call queue is full, and they are not taking incoming calls. I did make all the purchases on her account, so everything is linked to my credit card or my account as a gift, so hopefully when I do get someone I can get this resolved.
