Blizzard internal network compromised, encrypted passwords stolen

Shawn Knight


Blizzard has confirmed that their security team recently discovered their internal network had been compromised. The team says they quickly took steps to seal off access and opened an investigation with security experts and law enforcement to uncover exactly what happened.

As of writing, Blizzard is saying that there’s no evidence that financial data like credit cards, billing addresses or real names were compromised. Other data, however, including a list of email addresses for global Battle.net users, answers to the personal security question and information related to mobile and dial-in Authenticators was accessed. The developer and publisher points out that this information alone isn’t enough for anyone to gain access to a Battle.net account.

Furthermore, cryptographically scrambled versions of Battle.net passwords (but not the actual passwords) for players on North American servers were taken. Since Blizzard uses the Secure Remote Password (SRP) protocol to protect these passwords, it would be incredibly difficult for someone to extract a password from a scrambled version, and each one would have to be attacked individually.


Blizzard is urging all players on North American servers to change their passwords immediately. They will also be prompting these same gamers to change their secret questions and answers through an automated process in the near future. Software updates are also in the works for mobile Authenticators.

Following up on Blizzard’s suggestion, it’s probably a good idea for anyone who has a Blizzard account to go ahead and change their password, regardless of which regional server they play on.


 
My account was hacked a couple of weeks ago. My email was changed and the account was compromised. My email was changed to that of someone from China. Most of my gear was replaced with gold mining gear.
 
Since release, people have been reporting being hacked on the forums in insanely high numbers; I was hacked too. They don't have a list of people hacked? With people's email and pass (if they have it) they can raid bank accounts and PayPal accounts across the web. Time to change my password AGAIN.

I suspect they do have passwords due to the large volume of people's accounts being hacked. Personally, D3 is the only game I have ever been hacked on.
 
It is no wonder to be honest.
I posted some security vulnerabilities on their forums and all they did is delete my posts or lock them. One of the most basic security bad practices: passwords are not case-sensitive.

This reduces the number of passwords a brute force tool has to try by a considerable amount. An answer was given in this way: "Even Facebook does this" and I replied with: "Funny how bad examples are always given; I can say that Google, Linux even Microsoft does not do this" and no action taken.
 
My D3 account got hacked too; I'm about to change my pass on D3 and SC2... AGAIN.
 
B.net passwords are not case sensitive? Really? Are you serious?
 
Yeah I almost get weekly emails saying my account has been hacked.. their security is shocking! Have added an authenticator phone app now and the problem seems to have stopped but still.. sort it out!
 
> Yeah I almost get weekly emails saying my account has been hacked.. their security is shocking! Have added an authenticator phone app now and the problem seems to have stopped but still.. sort it out!

LOL, these weekly emails are probably scam emails, which is how most people get "hacked" (I used quotes there because they are not hacked; they actually give away their passwords themselves).
 
> LOL, these weekly emails are probably scam emails, which is how most people get "hacked" (I used quotes there because they are not hacked; they actually give away their passwords themselves).

Yes, while some of them are, others are legit. I never follow the links in the emails; I just go straight to the battle.net website, and have found quite a few times now my Diablo 3 account hijacked/suspended for spamming gold.
 
Case insensitive passwords are not really a big deal, you know. The largest effect is probably saving players the hassle of caps lock. Blizzard asks for a minimum of 8 characters and at least one digit and one letter. So let us say that at the very least, a hacker needs a 36^8 search. If we add 26 more letters, it is (26+36)^8. Both numbers are high enough to be above what would be an easy password search.

Length is more important. Once we use 16-character passwords that are not obvious, the number 36^16 becomes a completely impossible number. Adding 26 more letters really would not change it. Upper case letters also make pass phrases harder to type, whilst encouraging pass phrases is better.

If interested in security, do not bother with case sensitive passwords; instead increase their length or, in the case of Blizzard, use an authenticator. The company allows 2-factor verification...

Regarding the breach: it turns out that in comparison to other breaches, this one is pretty mild http://nakedsecurity.sophos.com/201...haemorrhage-painful-but-probably-not-too-bad/. Seems Blizzard actually has good security. And yeah, MOST (not some) emails saying you've been hacked are actually spam, and all of the ones that ask you for a password are.
 
Thanks for pointing that out, Guest... Blizzard strongly encourages the use of an authenticator (or maybe it's even required by now). Passwords aren't very important when you need to be holding a physical device (even your own phone with the app) to log in.
 
I think that part of the major fault of these web sites is that they allow weak passwords.

All most of them do is tell you how weak/strong your password is.

If they adhered to a very strict level of what is allowed, people wouldn't be allowed to enter with weak passwords. And no, it wouldn't deter customers, because people want to play Diablo 3 more than they dislike having long passwords.
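Two posts above make claims that are easy to check with a few lines of code: the keyspace comparison (36^8 versus 62^8 versus 36^16, using the commenter's alphabet of 26 letters plus 10 digits) and the suggestion that a site should reject weak passwords outright rather than only rate them. The following is an added example, not code from the article or from Blizzard; the policy it enforces is the one the commenter describes (at least 8 characters, at least one letter and one digit), and the sample passwords are constructed for the demo. Beyond the numbers in the thread, it also shows what a given password is actually worth once a case-folding server lowercases it.

```python
import math

# Policy as the commenter states it: 8+ characters, at least one letter
# and one digit. Alphabet sizes are the ones used in the thread.
MIN_LENGTH = 8
DIGITS = 10
LETTERS = 26


def meets_policy(password: str) -> bool:
    """Hard reject instead of a strength meter: True only if the rule holds."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isdigit() for c in password)
        and any(c.isalpha() for c in password)
    )


def alphabet_size(case_sensitive: bool) -> int:
    """36 symbols when the server folds case, 62 when upper and lower differ."""
    return DIGITS + LETTERS * (2 if case_sensitive else 1)


def search_space(length: int, case_sensitive: bool) -> int:
    """Upper bound on the candidates for a password of this length:
    36^n with case folding, 62^n without. This is the commenter's arithmetic."""
    return alphabet_size(case_sensitive) ** length


def bits(length: int, case_sensitive: bool) -> float:
    """The same bound expressed in bits (log2), which is easier to compare."""
    return length * math.log2(alphabet_size(case_sensitive))


def effective_bits(password: str, case_sensitive: bool) -> float:
    """Strength of one concrete password, counting only the character classes
    it actually uses. With case folding, mixed case buys nothing."""
    pw = password if case_sensitive else password.lower()
    alphabet = 0
    if any(c.isdigit() for c in pw):
        alphabet += DIGITS
    if any(c.islower() for c in pw):
        alphabet += LETTERS
    if any(c.isupper() for c in pw):
        alphabet += LETTERS
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def compare_policies() -> dict:
    """The three cases from the thread, in bits, for side-by-side reading."""
    return {
        "8 chars, case folded (36^8)": bits(8, False),
        "8 chars, case sensitive (62^8)": bits(8, True),
        "16 chars, case folded (36^16)": bits(16, False),
    }


if __name__ == "__main__":
    for label, b in compare_policies().items():
        print(f"{label:32s} {b:6.1f} bits")
    # Constructed samples: the second would pass a case-sensitive check with
    # more bits, but a case-folding server sees it as the first.
    for pw in ("password1", "PassWord1", "abc1"):
        print(pw, meets_policy(pw),
              round(effective_bits(pw, False), 1),
              round(effective_bits(pw, True), 1))
```

The numbers bear the commenter out: going from 36 to 62 symbols at length 8 adds about 6 bits, while doubling the length to 16 adds about 41. The `effective_bits` function is the part a site operator should care about: if the server lowercases passwords, a user who carefully mixes case is getting no benefit, so the policy should push length instead.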
 
Your account has been hacked! Click on this link to log in and change your password for your safety. "Link> My server that looks just like theirs.com" Here you enter your password and they've got it. Dumb users. Remember the question to ask: if my account has been hacked, how would you even know it?
 
All of you using the same passwords for crap like online games and your bank accounts should not speak at all.... *sigh* Ridiculous!!
 
Not played on my WoW account for some time now; I have an authenticator so I'm hoping it's safe.
 
> Not played on my WoW account for some time now; I have an authenticator so I'm hoping it's safe.

Well... you never know. If they get your password they can choose to unlink your authenticator. But to do that, they'd need to log in with your authenticator and fax them a photocopy of an official ID.

Ironically... your Blizz account is probably totally safe, even if they can figure out how to decrypt a password. But if you use the same password for something else (like your email) they might get access to it.

This really is a big hyped up story for the sake of trying to make news.
 
> Your account has been hacked! Click on this link to log in and change your password for your safety. "Link> My server that looks just like theirs.com" Here you enter your password and they've got it. Dumb users. Remember the question to ask: if my account has been hacked, how would you even know it?

When you get a legit email from Blizzard saying your D3 account has been suspended for spamming gold.
 