Blizzard servers hacked, some personal info compromised

Perhaps it's been too long since you've reset your password in a mad attempt to secure your privacy? Blizzard has announced that they have discovered "unauthorized and illegal access into our internal network."

In a statement, the company says that there's "no evidence" that any financial information, including credit cards, billing addresses, and real names, has been compromised. Blizzard notes that their investigation is ongoing, "but so far nothing suggests that these pieces of information have been accessed."

E-mail addresses for Battle.net users were accessed, in addition to the answers to personal security questions and information relating to mobile and dial-in authenticators. In a post on Blizzard's official website, Mike Morhaime writes that "this information alone is NOT enough for anyone to gain access to Battle.net accounts."

In addition, the cryptographically scrambled versions of Battle.net passwords were also taken. Because the Secure Remote Password protocol (SRP) is used to protect the passwords, it would be "extremely difficult" to extract that information. However, Blizzard is encouraging all players to change their passwords. And as always, if you use similar log-in information elsewhere, it would be wise to change that info as well.

Players will be prompted to change their secret questions and answers in an automated process in the coming days. In addition, mobile authenticator users will be asked to update their software. "As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password," Morhaime adds.

Andrew Yoon was previously a games journalist creating content at Shacknews.

From The Chatty
  • reply
    August 9, 2012 4:15 PM

    Andrew Yoon posted a new article, Blizzard servers hacked, some personal info compromised.


    • reply
      August 9, 2012 4:20 PM

      They sure do know how to take people's money. What else do they do, exactly?

      • reply
        August 9, 2012 4:25 PM

        They develop video games

        • reply
          August 9, 2012 6:47 PM

          video games that people can't play because their damned account has been hacked, or the server is down, or they've been identified as hackers for trying to play from linux. And said video games aren't even fun, unless having obsessive compulsive disorder is more fun than I'd previously suspected.

          Am I trolling yet?

      • reply
        August 9, 2012 6:18 PM

        What are you trying to say exactly? You think they employ a ton of people who just do nothing all day and night? I don't think you really believe that.....

        • reply
          August 9, 2012 6:44 PM

          I didn't say do nothing, they extract tons of money and then use very little of it on having secure and/or reliable servers.

          • reply
            August 9, 2012 6:48 PM

            lol

          • reply
            August 10, 2012 3:22 AM

            This is the first report of a compromise since 2004. I'd say 8 years is a pretty good run.

            • reply
              August 10, 2012 2:43 PM

              You really think they will tell you everything... Myself and whole shitloads of people had WoW accounts boosted but then again it's because we are all mouth breathing retards that have passwords 1234abcd and have 2 billion keyloggers on our PCs right? AMIRIGHT?

    • reply
      August 9, 2012 4:25 PM

      Uh oh.

    • reply
      August 9, 2012 4:30 PM

      Glorious!

    • reply
      August 9, 2012 4:35 PM

      So happy I have a Blizzard-specific password...

      • reply
        August 10, 2012 3:00 AM

        lol me too, a rarity

        my account was already accessed once, but nothing happened as I don't condone online credit card purchasing

    • reply
      August 9, 2012 4:35 PM

      Sounds like they had their shit much more together compared to other companies. Sure they suffered an intrusion, but sounds like their actual password security is up to scratch.

      • reply
        August 9, 2012 4:41 PM

        they must be one of the highest exposure targets out there

      • reply
        August 9, 2012 5:00 PM

        Yeah, all they got were our security question answers, user names, passwords (encrypted), and authenticator info. No reason to be alarmed.

        • reply
          August 9, 2012 6:01 PM

          Please tell me this is a troll.

          • reply
            August 9, 2012 6:20 PM

            I assume so. With email address and security question you can break into tons of stuff via password reset. Most people use the same secret question I assume so this is pretty much a disaster if that is the case.

            • reply
              August 9, 2012 7:10 PM

              They didn't get full passwords, or credit card data. It still sucks, but compared to a lot of other hacks in video gaming (Xbox Fifa nonsense, PSN, etc) I wouldn't call it a disaster.

              • reply
                August 9, 2012 7:14 PM

                People point at Valve, but Steam's compromise late last year included credit card info as well as this stuff.

              • reply
                August 9, 2012 7:18 PM

                Give me your email address and your secret question answer and we will see who has passwords.

                • reply
                  August 9, 2012 7:25 PM

                  Honestly? Secret questions are completely fucking terrible security and need to go away.

                  Over half of that shit you can publicly find on someone's facebook or twitter page. The rest is other generally publicly available information being indexed by the internet as well.

            • Zek
              reply
              August 10, 2012 2:10 AM

              You do understand that there's a big difference between knowing an email address and having access to that email, right? Unless of course your email account uses the same password as another account that uses your email as a login and has been compromised.

              • reply
                August 10, 2012 9:12 AM

                The secret question answer can be used to recover the password for a lot of people.

                • Zek
                  reply
                  August 10, 2012 9:39 AM

                  How?

                  • reply
                    August 10, 2012 9:43 AM

                    Probably because the name of your favourite pet or mother's maiden name or high school or whatever is the same on a lot of sites.

                    • Zek
                      reply
                      August 10, 2012 10:06 AM

                      We've established that the answers were leaked, but it will still most likely require email access to reset your password. Unless you're suggesting that answering the question will just throw a password up on the screen, in which case the person who wrote the site is a buffoon.

                      • reply
                        August 10, 2012 11:13 AM

                        Currently if I sign out of my google gmail account and say that I can't access the account it gives me the option to enter my user name which is my email address and the hacker would have that info and then it says I can get a text message to reset password or answer my secret question. If one knew the secret question I assume they could then gain access to my account.

                        The gmail secret question can be a custom question, and mine is. However lots of places don't have custom questions and even if they do lots of people probably write one of the regular ones other sites have like first school, first pet, first car, mother's maiden name etc.

          • reply
            August 9, 2012 6:25 PM

            I was shooting for sarcasm, but I guess you could be trolled by it if you want.

        • reply
          August 11, 2012 3:31 AM

          This is why your security question should be either the same as your password, or some long random copy-pasted gibberish.

          Secret questions are shit and a massive authentication flaw that I have no fucking idea why it still is a standard procedure. It's almost as bad as using pen signatures as a form of authentication.

    • reply
      August 9, 2012 4:47 PM

      [deleted]

    • reply
      August 9, 2012 4:47 PM

      [deleted]

      • reply
        August 9, 2012 5:06 PM

        I do the same, though instead of "hotdog" I use "hamburger"

      • reply
        August 9, 2012 5:14 PM

        [deleted]

      • reply
        August 9, 2012 7:05 PM

        L A S T P A S S

      • reply
        August 10, 2012 9:10 AM

        So when someone gets one of your site passwords they know parts of all of your passwords still. Cool.

        • reply
          August 10, 2012 9:21 AM

          I'm totally pulling this out of my ass but I get the feeling that in cases like this, most "hackers" aren't going to study individual passwords too closely and will just try stuff in bulk until something hits and then move on.

      • reply
        August 10, 2012 10:19 AM

        My pw is bigdildo. God forbid if I ever accidentally type it in the wrong box that doesn't hide the entry with asterisks.

    • reply
      August 9, 2012 5:20 PM

      This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard.

      This makes me think it wasn't an internet based hack, but someone that was physically at some internal location that had access to the network. Like maybe a former employee whose access wasn't fully removed when he was fired.

      • reply
        August 10, 2012 12:14 AM

        someone plugged a dreamcast in somewhere inside the building

      • reply
        August 10, 2012 12:49 AM

        Woohoo, drama queen!

    • reply
      August 9, 2012 5:35 PM

      Damn, bet this slows down my legit request to remove my authenticator since I just got a new phone

    • reply
      August 9, 2012 6:21 PM

      My question is how long have they had access? A week? a year? two years?

      • reply
        August 9, 2012 6:23 PM

        I'm guessing some time in between when Diablo III was released and when people should have had authenticators.

        • reply
          August 9, 2012 6:43 PM

          Someone I work with just sent an email to the rest of the building that they had been hacked with an authenticator, several times now. I know people are going to say they are a liar but I don't know why someone would send out an email saying that if they were lying about it.

      • reply
        August 9, 2012 6:32 PM

        [deleted]

    • reply
      August 9, 2012 6:34 PM

      [deleted]

      • reply
        August 9, 2012 7:37 PM

        That seems unfair. I mean, I rarely ever buy Blizzard products myself but it seems to me that they've been doing everything in their power to prevent intrusions like this with authenticators and they've been pretty fast to warn people when their info is compromised.

        • reply
          August 10, 2012 9:14 AM

          They have without a doubt poured more resources in to account security than pretty much any other account I use

    • reply
      August 10, 2012 4:42 AM

      I wouldn't be concerned since I only play single player, but thanks for making me sign in online to do so.

      • Zek
        reply
        August 10, 2012 7:42 AM

        Have you never played WoW?

    • reply
      August 10, 2012 4:59 AM

      Blizzard, you fucking morons:

      "We understand that account security is critically important, and we are committed to helping maintain account security for our players. To that end, a feature that will allow players to securely change their secret question answer through Battle.net is in development now."

      How is this not a 'feature' already?

      • reply
        August 10, 2012 5:08 AM

        If the SQA could be easily changed/viewable, how is that much of a security feature? It's only being done now to allow people to change it due to the compromise.

        • reply
          August 10, 2012 5:10 AM

          They should have a ticket system live, right now, with people dedicated to it allowing all users to change their secret questions.

          The whole secret question thing is garbage anyways, it shouldn't even exist - but if you're going to use it, have a plan in place in case something like this happens that lets people change it ASAP.

    • reply
      August 10, 2012 6:26 AM

      Nowhere is safe!!!

    • reply
      August 10, 2012 7:16 AM

      HA HA

    • reply
      August 10, 2012 9:07 AM

      I can't figure out how to change my security question.

    • reply
      August 10, 2012 5:48 PM

      I wonder how long ago the hack really occurred. There were quite a number of people complaining about their accounts being compromised just after the launch of Diablo 3.

      I am really kind of tired of sites/companies not bothering to inform the users about the hack directly instead we have to find out about it on a news site.

    • reply
      August 10, 2012 6:17 PM

      I guess it was just a matter of time.