
Blizzard Hacked

LordCalin

So... who knows how long ago it happened, but it's starting to make all those claiming D3 was hacked seem much more likely....

Original post @ http://us.blizzard.com/en-us/securityupdate.html

---------------------------
Players and Friends,

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Sincerely,

Mike Morhaime
 
All I can say is "DUH". I was hacked years ago multiple times in WoW even with an authenticator which was supposed to make hacking impossible. Every time I've talked about it in some topic related to this, some mouth breathing fool would interject "then you must have had a trojan or keylogger" despite having a clean install and fresh vanilla copy of WoW running.

Can't believe it's taken Blizzard this long to fess up.
 
While I'm glad no credit card info was compromised, authenticators were / are... so between that and password lists from other sites they've compromised over time.... this is a huge blow.
 
Was Blizzard using an authenticator on their servers? If they were this would have never happened!!
 
This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard.

It was discovered this week. I discovered it 2 weeks into the release of Diablo 3 when my account along with so many others was compromised and I decided to cancel it and get a refund. Can't wait for the spin on this. :rolleyes:

/In before all the stupid Blizztard idiot fanboys who have their heads buried in the sand come in here with the damage control claiming it never happened and calling us all stupid for having our accounts compromised.
 
I just thought about the fact passwords are case-insensitive too... talk about making the salted passwords easier to decrypt.
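
Added example, not part of any post in this thread and not Blizzard's code: a sketch of how an SRP-style verifier is derived from a salt and password, showing why each stolen verifier has to be worked on individually and what case-folding (as posters here say Battle.net does) costs in search space. The hash (SHA-256), the stand-in group, the uppercase folding model and all sample names, salts and passwords are assumptions; the page does not give Blizzard's actual parameters.

```python
import hashlib
import math

# Assumption: stand-in group so the example is self-contained. Real SRP
# deployments use a large safe prime; 2**521 - 1 is a known Mersenne prime.
N = 2**521 - 1
G = 3


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenated parts (hash choice is an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()


def srp_verifier(user: str, password: str, salt: bytes,
                 fold_case: bool = False) -> int:
    """SRP-style verifier: x = H(salt | H(user ":" password)), v = G^x mod N."""
    if fold_case:
        # Assumed model of a case-insensitive password policy.
        password = password.upper()
    inner = h(f"{user}:{password}".encode("utf-8"))
    x = int.from_bytes(h(salt, inner), "big")
    return pow(G, x, N)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for uniformly random passwords of this length."""
    return length * math.log2(alphabet_size)


def demo() -> dict:
    # Constructed sample data, not real accounts.
    salt_a = bytes.fromhex("a1" * 16)
    salt_b = bytes.fromhex("b2" * 16)
    pw = "Tr0ubadorHorse"
    return {
        # Same password, different per-user salt: unrelated verifiers, so one
        # precomputed table cannot cover the whole stolen database.
        "salt_separates": srp_verifier("alice", pw, salt_a)
                          != srp_verifier("alice", pw, salt_b),
        # Same inputs always give the same verifier, so whoever holds the
        # database can test guesses offline; password strength is the limit.
        "deterministic": srp_verifier("alice", pw, salt_a)
                         == srp_verifier("alice", pw, salt_a),
        # Case-sensitive: upper/lower variants are distinct secrets.
        "case_distinct": srp_verifier("alice", pw, salt_a)
                         != srp_verifier("alice", pw.lower(), salt_a),
        # Case-folded: every case variant collapses to one verifier.
        "folded_collide": srp_verifier("alice", pw, salt_a, fold_case=True)
                          == srp_verifier("alice", pw.lower(), salt_a, fold_case=True),
        # Search space lost for 8-character alphanumeric passwords.
        "bits_lost_len8": keyspace_bits(62, 8) - keyspace_bits(36, 8),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For 8-character alphanumeric passwords the folding costs about 6.3 bits, roughly 77 times fewer candidates per account; the per-user salt still means each account has to be worked on separately.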
 
QQ moar. If you want to feel safe, disconnect from the internet and buy 5 stacks of authenticators. Or, just keep buying new copies of the game before you feel like you're going to be hacked, staying 1 step ahead of the hackers.
 
Calling them Blizzard isn't really accurate anymore. It's all Activision now, the greediest fucks on the planet. Bobby Kotick would murder your grandmother for a penny.
 
Was Blizzard using an authenticator on their servers? If they were this would have never happened!!

My egotistical side wants all those people who stated that it was the customer's fault to come back here so they can get a big "I told you so", but unfortunately, most of them probably wised up and left the game.

Honestly, they just found it this week? I find that really hard to believe. Well, maybe they found the cause of the loophole this week, but they've probably been aware of it for at least a month, although telling their customers "It's your fault for getting your account hacked."

Face it, the internet isn't safe, and it frustrates me to no end that we as a society tend to always blame the victim rather than possibly admit that there is a problem. We like to take easy wrongs over hard rights.
 
Is there any reason to change my password if I have an authenticator?

They got authenticator serial numbers and hash tags so they can replicate your authenticator if you're using the mobile one.

They "claim" the keychain ones are unaffected for now.
 
How do hackers manage to get around authenticators?

BTW, I don't think it's fair to completely blame Blizzard. You guys do realize even WITH using top of the line security NOTHING is un-hackable. The fact is we don't know EVERY security measure Blizzard takes.

I'm not a Blizzard fanboy but I don't get these "lol stupid blizzard, should've used better security lol" people.
 
Blizzard makes a video game, that has more security than some bank websites.

Nothing is 100%. If you think it is, walk on water ;)

You only have to be in the business about 1 day to learn that as someone at
Arstechnica said "The hackers, only gotta be right 1 time, the people doing the
defense, right all the time, or shit hits the fan".

The more connected we become as a society, the more chances for flaws, the
less secure and the more damage that will be done.

I'm not blaming Blizzard, any more than I blame the 10's of thousands of
other sites that got hacked in the last 18-24 months. Should they do more
to secure the data, well that depends, if they had unsalted and unencrypted
password db's there, then yes. Otherwise, what else can they do honestly?

If you can make it more secure, perhaps you should send your resume to them.
Unless you wanna cast a stone into your own glass house first.
 
http://us.battle.net/d3/en/forum/topic/5149542352#6
I've personally examined the MSInfo files of nearly all of the handful of people who have truly been compromised through an authenticator, and the sheer number of backdoor programs and other malware on their systems has been mind boggling.

They knew ppl with authenticators were getting hacked since May.
They were only hiding it for 3 months so their sales # wouldn't get hit. I haven't seen any reputable company hitting this low.

Well that's end of Bliz games for me.
 
Fuck sakes, not again! Anyone who is still complacent about trusting the cloud or any company for that matter to store personal/sensitive information seriously has rocks in their head....there is just no way to guarantee the safety of your information.
 
Is there any reason to change my password if I have an authenticator?

As far as I know, they can disable your authenticator by talking to Bliz and answering your security questions, which also has been stolen btw.

Basically it's an extra tedious step for hackers which many wouldn't bother with, but it's useless security wise.
 
I wish we could go back to the days when we just played the games instead of having to create accounts for everything...
 
Just remember, this is not about authenticators getting hacked. This is about a network being hacked.

It's different when accounts are being hacked because it's typically something on the players computer that is enabling it. This time hackers have bypassed the player altogether and gained access to the Blizzard network and databases. They didn't have to rely on a customer downloading a virus or their authenticator not working.
 
I wish we could go back to the days when we just played the games instead of having to create accounts for everything...

Everything would have to be saved locally. 99% of the games wouldn't work. WoW locally lol k. Let me edit my save to get me ilvl 5356 gear. :p
 
Blizzard makes a video game, that has more security than some bank websites.

Nothing is 100%. If you think it is, walk on water ;)

You only have to be in the business about 1 day to learn that as someone at
Arstechnica said "The hackers, only gotta be right 1 time, the people doing the
defense, right all the time, or shit hits the fan".

The more connected we become as a society, the more chances for flaws, the
less secure and the more damage that will be done.

I'm not blaming Blizzard, any more than I blame the 10's of thousands of
other sites that got hacked in the last 18-24 months. Should they do more
to secure the data, well that depends, if they had unsalted and unencrypted
password db's there, then yes. Otherwise, what else can they do honestly?

If you can make it more secure, perhaps you should send your resume to them.
Unless you wanna cast a stone into your own glass house first.

Not my job or career to make video games.

This goes way beyond anything I can think of in the past. People lost REAL money, REAL time, and possibly even got perma-banned over this.

Considering how some people were treated who were legitimately hacked due to this... saying it was their fault because they had filesharing software or fell victim to phishing or w/e else.... this is bad news for Blizzard.

I know someone who got hacked because of this - it was partly his fault because he used a password he used in a previous game - but he figured he was fine considering he had a security question AND an authenticator. And I helped him move into his house so I KNOW his shit was secure and he had no filesharing software or anything else. This leak allowed the hackers to access e-mails, security questions, authenticators (maybe not the key-chain ones), and I wouldn't be surprised if the encryption was broken on the leaked passwords considering the scope of the hacking. This shit is BAD.

Security questions + answers = personal information BY THE WAY
 
Surprising a company like Blizzard with so much revenue can't pay for better security
 
http://us.battle.net/d3/en/forum/topic/5149542352#6


They knew ppl with authenticators were getting hacked since May.
They were only hiding it for 3 months so their sales # wouldn't get hit. I haven't seen any reputable company hitting this low.

Well that's end of Bliz games for me.

I don't think that meant what you think it meant. They said the people with authenticators were getting hacked because they had malware on their system. If the malware sends the auth code to the hackers, they can access the account...
 
I don't think that meant what you think it meant. They said the people with authenticators were getting hacked because they had malware on their system. If the malware sends the auth code to the hackers, they can access the account...

Please don't correct someone with more wrongness. Blizzard was the one sending authenticator information with the malware on THEIR system.
 
I don't think that meant what you think it meant. They said the people with authenticators were getting hacked because they had malware on their system. If the malware sends the auth code to the hackers, they can access the account...

They also said the massive hacking fiasco in May and June was not their fault because NO ONE who had an authenticator got hacked, thus it was careless users doing wrong things.

Except for that single post in the support/tech forum, they've been saying how failproof authenticators are for 3 months, and putting the blame on users. Any post saying otherwise or linking that post got deleted/locked/banned.
 
My egotistical side wants all those people who stated that it was the customer's fault to come back here so they can get a big "I told you so", but unfortunately, most of them probably wised up and left the game.

Honestly, they just found it this week? I find that really hard to believe. Well, maybe they found the cause of the loophole this week, but they've probably been aware of it for at least a month, although telling their customers "It's your fault for getting your account hacked."

Face it, the internet isn't safe, and it frustrates me to no end that we as a society tend to always blame the victim rather than possibly admit that there is a problem. We like to take easy wrongs over hard rights.

No, I bet they KNEW this shit 2 weeks into the release of Diablo 3 with the disproportionately high number of accounts during that period being compromised. This was the right time to "discover" and publicly disclose it since by this time they probably met some sales goals and secured the auction house.

And yes I'd also like to see all the Blizztard idiots back here herpin and derpin that it was user error.
 
http://us.battle.net/d3/en/forum/topic/5149542352#6


They knew ppl with authenticators were getting hacked since May.
They were only hiding it for 3 months so their sales # wouldn't get hit. I haven't seen any reputable company hitting this low.

Well that's end of Bliz games for me.

It's just sickening all the crap that was being thrown around and spun by Blizzard on their official forums, their stupid fan base of idiots on their official forums, and on other forums like here. Their hubris, for each person's account that got compromised there were 50 fan boys rushing in to disprove anything that was said.
 
No, I bet they KNEW this shit 2 weeks into the release of Diablo 3 with the disproportionately high number of accounts during that period being compromised. This was the right time to "discover" and publicly disclose it since by this time they probably met some sales goals and secured the auction house.

Financially, such an announcement would be a disaster. Typically a public admission of security compromise is about the last thing you want to issue. You honestly would be surprised at how often businesses are compromised vs how often they admit it publicly. And the RMAH didn't come out until a month later. Any security compromise announcement would have killed the RMAH, which is definitely not in Blizzard's financial interest.

And yes, their financial interest comes before your security in their eyes. That's how businesses operate. Profit over quality.
 
Seems a lot of Blizzard fanbois are slamming that /thread

Hehe, glad I quit D3 after the RMAH was established.

Really it's Activision's RMAH APP with D3 demo inside it.

Glad they got hacked.
 
How does one update the mobile authenticator?

Will it be automatically done?
 
How does one update the mobile authenticator?

Will it be automatically done?

For a mere $9.99 you can have the latest hack-free* authenticator! Call now!



* we in no way guarantee it but we'll take your money nonetheless
 
Lots of tinfoil hats up in here. Not exactly a big fan of Bobby Kotick and ActiBlizzard, but I'm even less of a fan of coddling idiots and telling them they carry no responsibility for their own security. Blizzard is responsible for internal breaches like this one, and users are responsible for the various other account jackings that have occurred over the years.

First this is a new breach, from information that is available. You're free to speculate otherwise, but there's no proof so you might as well be claiming Blizzard stole your car and slept with your wife too. As far as I can tell, Blizzard fucked up and someone got unauthorized access to internal data.

Second, if your account was compromised months ago, it was probably your fault, not the fault of some flaw in the authenticator system. Seeing news of a new compromise and saying "See!! I got compromised six months ago, it really wasn't my fault, I am vindicated!" is just further evidence that your computer needs to be confiscated and you sentenced to hard labor in Siberia for your crimes against common sense.

Almost everyone who gets their account compromised reluctantly admits they didn't have an attached authenticator. Some lie and say they had an authenticator, and a few actually had one. If there were a previous internal compromise of the authenticator system, then you'd see people with authenticators get compromised more often.

If I remember correctly the only known attack on the Blizzard authenticator system that has been seen in the wild is a man in the middle attack where malware purveyors intercept the authentication attempt and use it for themselves. I don't think this was ever really widespread. It's easier to go after the low-hanging fruit, i.e. people who don't use authenticators because they think they are gods among men and are immune to their email address and password getting stolen.

It's not a stretch to say that almost all compromises are users without authenticators either being keylogged, sharing their account with someone who gets keylogged, or simply using the same email address and password on some random third party site that got compromised. I know from experience almost every tard on the Internet uses the same email and password for dozens if not hundreds of sites. A few months back when one of those email/password lists got leaked on Pastebin, I screwed around with some of the combinations and managed to find a bunch of sites where the login info worked.

Tell me what's easier to believe: Blizzard has had internal security breaches constantly for the past 7 years and just hasn't mentioned it until now. OR The majority of Blizzard's fanbase are tech-stupid gamer kids and overly-confident posers who got lazy with their security.

EDIT: Oh, and for the record, I'm speaking as someone who DID get their account compromised once upon a time before purchasing an authenticator. But I'm man enough to admit I fucked up instead of making excuses. I used my WoW account email address and a similar password for several seemingly legitimate WoW-related websites, and a few guild forums. I just wanted to keep all my WoW BS segregated to one account. Big mistake. I hadn't realized Blizzard's passwords were not case sensitive so I simply changed up the case on my existing WoW PW to use on these sites.

I don't know for certain that's how I was compromised of course, I may have logged in from someone's compromised computer. My own systems were clean of any keylogging but my account had been inactive for 3 months before it was reactivated with a stolen CC and compromised, so in all likelihood my info had been taken ages before they actually got into my account.
 