bit-gamer.net

Blizzard warns of Battle.net security breach, data theft

If you use Battle.net, change your password: a security breach has led to the leaking of personal data to unknown individuals.

Blizzard is advising its Battle.net users to change their passwords following a security breach which saw numerous pieces of personal data leaked to attackers unknown.

According to a statement from the company, responsible for the recently-launched Diablo III action-RPG as well as MMORPG giant World of Warcraft and popular RTS StarCraft II, attackers unknown perpetrated an 'unauthorised and illegal access into our internal network here at Blizzard.' The goal? Players' personal data.

'Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China,' company founder and president Michael Morhaime goes on to admit in his statement to press and customers. 'For players on North American servers - which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia - the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken.

'At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.'

The loss of the password data is serious, but it is mitigated by Blizzard's stated use of the Secure Remote Password (SRP) protocol. SRP is an augmented password-authenticated key exchange: the server never stores the password, or even a plain hash of it, but a random per-user salt and a 'verifier' derived from the password, and the login exchange itself sends nothing from which an eavesdropper can recover the password or test guesses against it offline.

While that provides protection, some in the industry are suggesting it won't be enough. 'Sniffing SRP traffic tells you nothing about the user's password, and stealing the server's authentication database doesn't directly reveal any password secrets either,' explains Sophos's Paul Ducklin on the matter. 'Nevertheless, since Blizzard's servers hold enough data to verify that you know your password and can type it in correctly at your end, anyone who has a clone of Blizzard's authentication system has what he needs to run a password-guessing attack.'
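To make the two previous paragraphs concrete, here is an added example, written for this page and not code from the article, from Blizzard or from Sophos: a minimal SRP-6a enrolment and login in Python, followed by the offline guessing attack Ducklin describes against a stolen (identity, salt, verifier) record. The group parameters are the 1024-bit group from RFC 5054, Appendix A (transcribed here; check them against the RFC before reusing them). The account name, password and wordlist are constructed for the example, and the function names are this example's own.

```python
import hashlib
import secrets

# 1024-bit SRP group (N, g) from RFC 5054, Appendix A, transcribed here;
# verify against the RFC before using it anywhere real.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes; values are left-padded to this before hashing


def H(*parts):
    """Hash byte strings to an integer (SHA-1, as in RFC 5054)."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def pad(n):
    return n.to_bytes(N_LEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(salt, identity, password):
    """x = H(salt | H(identity ':' password)); the only place the password is used."""
    inner = hashlib.sha1(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(identity, password):
    """What the server stores: a random per-user salt and the verifier v = g^x mod N.
    Neither the password nor a plain hash of it is kept."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, identity, password), N)


def srp_login(identity, password, salt, v):
    """One SRP-6a exchange, both sides in one function for clarity.
    Returns the client's session key, the server's session key, and what an
    eavesdropper on the wire would see."""
    a = secrets.randbelow(N - 2) + 1           # client ephemeral secret
    A = pow(g, a, N)                            # client -> server
    b = secrets.randbelow(N - 2) + 1           # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N              # server -> client (blinded with k*v)
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate ephemeral value")
    u = H(pad(A), pad(B))                       # scrambling parameter
    if u == 0:
        raise ValueError("u must be nonzero")
    # Client side: needs the password (through x) and the server's B.
    x = private_x(salt, identity, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: needs only the stored verifier v and the client's A.
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    K_client = hashlib.sha1(pad(S_client)).digest()
    K_server = hashlib.sha1(pad(S_server)).digest()
    wire = {"I": identity, "s": salt, "A": A, "B": B}  # no password material on the wire
    return K_client, K_server, wire


def offline_guess(identity, salt, v, wordlist):
    """Ducklin's point: whoever holds (identity, salt, v) can test guesses offline.
    Each guess costs one modular exponentiation; the per-user salt means no
    precomputed table helps, but a weak password still falls quickly."""
    for guess in wordlist:
        if pow(g, private_x(salt, identity, guess), N) == v:
            return guess
    return None


def demo():
    # Constructed account: identity, password and wordlist are invented for this example.
    identity, password = "player@example.com", "diablo3"
    salt, v = enroll(identity, password)
    K_c, K_s, _wire = srp_login(identity, password, salt, v)
    K_c_bad, K_s_bad, _ = srp_login(identity, "wrongpass", salt, v)
    wordlist = ["password", "123456", "warcraft", "diablo3", "letmein"]
    return {
        "keys_match": K_c == K_s,                          # right password: both sides agree
        "wrong_password_keys_match": K_c_bad == K_s_bad,   # wrong password: they do not
        "recovered": offline_guess(identity, salt, v, wordlist),
    }


if __name__ == "__main__":
    print(demo())
```

Two things follow from running this. The transcript an eavesdropper sees (I, s, A, B) contains nothing that can be checked against a guess, which is the property SRP is designed for. The stored record (I, s, v) can be checked against a guess at the cost of one modular exponentiation, so a wordlist password is recovered in a handful of attempts while a long random one is not; and because a password change replaces v, the stolen verifier stops being useful the moment the user follows Blizzard's advice.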

Others are warning that the loss of personal security question answers is more significant. 'The secret question isn't much of a barrier in an attack, and when they have the actual answer, password resets aren't much of a challenge,' warns security researcher Kevin Liston - suggesting that attackers can simply reset users' passwords in order to gain access to the compromised accounts. Sadly, changing the personal security question is not actually possible at present - an oversight on Blizzard's part - with the company stating that a solution will be developed as quickly as possible.

Blizzard's recommendation is for all users to change their passwords immediately, with Liston further suggesting that the personal security question be changed as well once that facility becomes available. Those who aren't using Blizzard's two-factor authentication system for Battle.net are advised to consider changing their minds on the matter, too.

With Blizzard presiding over a real-world-cash economy in its latest Diablo series entry, this latest security breach raises some serious questions.

24 Comments
Digi 10th August 2012, 11:57 Quote
No one is immune apparently. Would be nice to know when this occurred or is this information available on their website?

Seems like they acted quickly with information though, guess they learnt from the Sony et al. debacle.
Gareth Halfacree 10th August 2012, 12:14 Quote
Quote:
Originally Posted by Digi
No one is immune apparently. Would be nice to know when this occurred or is this information available on their website?
Breach was detected on the 4th, public announcement was made late last night (9th.)
fdbh96 10th August 2012, 13:55 Quote
If I play on uk servers, not the north american ones, I presume this doesn't affect me.
Harlequin 10th August 2012, 13:58 Quote
emails from EU servers apparently
fdbh96 10th August 2012, 14:11 Quote
Quote:
Originally Posted by Harlequin
emails from EU servers apparently

So I should change my password :/
mingingbollock 10th August 2012, 15:14 Quote
Would have been nice reading this from Blizzard, but no, as usual the whole world knows before Blizzard will get round to letting its users know. Utter CRAP, Blizzard.

Many thanks Bit Tech :)
Harlequin 10th August 2012, 15:25 Quote
It was news on Blizzard yesterday???

http://us.blizzard.com/en-us/securityupdate.html

dated 9th August...
mingingbollock 10th August 2012, 15:34 Quote
Quote:
Originally Posted by Harlequin
It was news on Blizzard yesterday???

http://us.blizzard.com/en-us/securityupdate.html

dated 9th August...

Yeah, so I see, but something as important as this, an email letting us know should have been sent...
Harlequin 10th August 2012, 15:35 Quote
Quote:
Originally Posted by mingingbollock
Yeah, so I see, but something as important as this, an email letting us know should have been sent...

do you play on US servers then?
Sloth 10th August 2012, 19:42 Quote
Quote:
Originally Posted by Article
Those who aren't using Blizzard's two-factor authentication system for Battle.net are advised to consider changing their minds on the matter, too.
Classy. They suggest that customers hand them more money to secure their accounts because they aren't doing it well enough themselves.
Krazeh 10th August 2012, 20:22 Quote
Quote:
Originally Posted by Sloth
Classy. They suggest that customers hand them more money to secure their accounts because they aren't doing it well enough themselves.

Yep, much better that they don't mention anything that might increase the security of people's accounts. Especially when their suggestion is an authenticator which I'm sure is a massive cash-cow for them...
Sloth 10th August 2012, 20:37 Quote
Quote:
Originally Posted by Krazeh
Yep, much better that they don't mention anything that might increase the security of people's accounts. Especially when their suggestion is an authenticator which I'm sure is a massive cash-cow for them...
$6.50 I believe for one authenticator, probably $0.50 a pop from China to make. Absolute scam if you ask me, ought to be included with each copy of games that use Battle.net or provided for free for each account holder who purchased a copy before they were included.

For how often they're suggested by Blizzard as the best way to secure one's account it's a joke to have to buy one separately.
Krazeh 10th August 2012, 21:01 Quote
Quote:
Originally Posted by Sloth
$6.50 I believe for one authenticator, probably $0.50 a pop from China to make. Absolute scam if you ask me, ought to be included with each copy of games that use Battle.net or provided for free for each account holder who purchased a copy before they were included.

For how often they're suggested by Blizzard as the best way to secure one's account it's a joke to have to buy one separately.

And I suppose it costs Blizzard nothing to ship them either to themselves or to customers? And if authenticators are a scam to make money why would they provide a mobile authenticator for free?
Harlequin 10th August 2012, 21:12 Quote
hand over more money?

HUH?

the authenticator is FREE
Sloth 10th August 2012, 21:14 Quote
Quote:
Originally Posted by Krazeh
And I suppose it costs Blizzard nothing to ship them either to themselves or to customers? And if authenticators are a scam to make money why would they provide a mobile authenticator for free?
Shipping in bulk makes the shipping cost per authenticator extremely low, you can fit thousands in a single conex box. Also, shipping to customers is a non-issue if you include one with the game. Handing them out free to existing customers is just a courtesy to their loyal paying customers, somehow I think Blizzard can handle the related costs.

The free mobile authenticator is a nice feature, there's some customer courtesy, but not everyone will have that option. The basic authenticator feature, the physical device, is still a hauntingly Activision-y separate cost to their games which are already top-dollar priced.

EDIT: Harlequin, check Blizzard's store. It's $6.50.
Harlequin 10th August 2012, 21:39 Quote
Sloth, you can get 2 FREE versions of the authenticator already
Bogomip 11th August 2012, 01:54 Quote
Quote:
Originally Posted by Sloth
$6.50 I believe for one authenticator, probably $0.50 a pop from China to make. Absolute scam if you ask me, ought to be included with each copy of games that use Battle.net or provided for free for each account holder who purchased a copy before they were included.

If you have a smartphone there is a FREE authenticator app for that.

At the end of the day, it turns out very little is unhackable and there are always going to be ways to circumvent security precautions if you are clever enough, which a lot of people are! Blizzard could not have the authenticator system if you prefer...
Quote:
Originally Posted by Sloth
For how often they're suggested by Blizzard as the best way to secure one's account it's a joke to have to buy one separately.

The best way to secure your bike is with a lock but very few come with one. The best way to secure your laptop is with one of those things that attaches it to stuff, but very few come with one. etcetera.

edit: and also, why shouldn't they make money on something? The initial reason that they started with authenticators is because people were too lax with their own system security and were getting passwords stolen, and then accounts hacked. Blizzard then had to spend ridiculous amounts of money on staffing getting it sorted, which is when authenticators were introduced. Why should Blizzard give something out for free when the person mostly responsible for an unsecured account is the user themselves?
dyzophoria 11th August 2012, 09:34 Quote
FFS, it's only $6.50
longweight 11th August 2012, 09:45 Quote
Quote:
Originally Posted by dyzophoria
FFS, it's only $6.50

But it isn't in a Steam sale!
Fujukami 11th August 2012, 12:31 Quote
Quote:
Originally Posted by Bogomip
The best way to secure your bike is with a lock but very few come with one. The best way to secure your laptop is with one of those things that attaches it to stuff, but very few come with one. etcetera.

However, you do not pay a monthly fee for your BIKE, or your laptop for that matter.
Krazeh 11th August 2012, 12:57 Quote
Quote:
Originally Posted by Fujukami
However, you do not pay a monthly fee for your BIKE, or your laptop for that matter.

What's that got to do with anything?
Harlequin 11th August 2012, 13:06 Quote
Quote:
Originally Posted by Fujukami
However, you do not pay a monthly fee for your BIKE, or your laptop for that matter.

You don't pay a monthly fee for Diablo 3 or StarCraft 2 either... given it was bnet, not just WoW accounts...
Bogomip 11th August 2012, 13:14 Quote
Quote:
Originally Posted by Fujukami
However, you do not pay a monthly fee for your BIKE, or your laptop for that matter.

But if you did, say, rent your bike so you paid a monthly fee for it - would you expect that if you left it unsecured in your garage, and your house got broken into and it got stolen, that the guy at the bike shop would forgive you because you thought it was secure in your garage? Or you left it locked at the train station with the key in the lock?

If users get their own passwords stolen and their accounts hacked I cannot see how you would ever think it's Blizzard's fault. More so, I can't understand why you think they should shell out their own money to make up for your own mistakes. Sure, authenticators are cheap to them, but they are a business and are thus out to make money.
bagman 11th August 2012, 14:10 Quote
All that DRM for nothing.