Diablo® III

Important Security Update

This is shameful. How can we trust Bliz now, knowing that someone has our info?
Reply Quote
Ah yeah, now I'm getting spam on my Google email account, thanks!
Reply Quote
Hey Community Manager... I would like to let you know that there is a problem with the AH bidding. I believe there are hackers using bot programs to boost the bid prices, and/or there are issues with the AH itself.
Reply Quote
Who needs a password when Blizzard already stated they have your secret question and answer? People who defend Blizzard are blind and stupid.


Except hackers would need access to your email address as well for them to use the forgot-password feature, or to delete any password-change notice sent. While the hacker may know your email address, they would still need your email's password. That is, unless you were foolish enough to use the same SQ&A for your email as for your B-Net account.

Again, even if Blizzard's compromise went back that far, which is doubtful, there is no way each and every cryptographically scrambled password of all of those accounts was deciphered. The individual deciphering of a cryptographically scrambled password is something that takes days of dedicated computer time.

So again, your compromise was on your end, not Blizzard's.


No. Go look at any security forum discussing this; the brute-forcing of Blizzard's passwords is actually easy enough.
http://www.opine.me/blizzards-battle-net-hack/
Just about every security forum talking about this says that.
Why do you think people sell lists of active Battle.net accounts/emails, for that purpose?


You can't brute-force B-Net passwords. After so many tries they throttle how often you can try to enter your password. Then after a few more tries you will trigger an account lock.
Edited by Ewing#1365 on 8/11/2012 11:20 AM PDT
Reply Quote
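The throttle-then-lock behaviour Ewing describes, written out as an added example (this is editor-supplied code, not anything from the thread or from Blizzard's actual login service). The thresholds, the doubling delay and the user/password pair are all assumed values. The simulation drives a guesser against the control as fast as it allows, which is the only kind of brute force such a control can limit: an attacker who already holds the hash dump never touches the login screen at all.

```python
"""Added example (not from the thread): a per-account throttle and lockout
of the kind described above, plus a simulation of an online guesser running
against it. Thresholds and delays are assumed values, not Blizzard's."""
from dataclasses import dataclass

THROTTLE_AFTER = 3     # failures before delays begin (assumed policy)
LOCK_AFTER = 10        # failures before the account locks (assumed policy)
BASE_DELAY = 2.0       # seconds; doubles with each further failure (assumed)


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False
    next_allowed: float = 0.0   # earliest time another attempt is evaluated


class Authenticator:
    def __init__(self, credentials):
        # Constructed plaintext map for the demo; a real system stores hashes.
        self._creds = credentials
        self._state = {}

    def next_allowed(self, user):
        return self._state.setdefault(user, AccountState()).next_allowed

    def is_locked(self, user):
        return self._state.setdefault(user, AccountState()).locked

    def attempt(self, user, password, now):
        """Return "ok", "denied", "throttled" or "locked".
        Only "ok" and "denied" actually evaluate the password."""
        st = self._state.setdefault(user, AccountState())
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            return "throttled"
        if self._creds.get(user) == password:
            st.failures = 0
            st.next_allowed = 0.0
            return "ok"
        st.failures += 1
        if st.failures >= LOCK_AFTER:
            st.locked = True
        elif st.failures >= THROTTLE_AFTER:
            st.next_allowed = now + BASE_DELAY * 2 ** (st.failures - THROTTLE_AFTER)
        return "denied"


def simulate_online_guessing(auth, user, wordlist, horizon_seconds):
    """Attacker retries as fast as the throttle allows, starting at t=0.
    Returns (guesses actually evaluated, outcome)."""
    now = 0.0
    evaluated = 0
    for guess in wordlist:
        if auth.is_locked(user):
            return evaluated, "locked"
        result = auth.attempt(user, guess, now)
        while result == "throttled":
            wait_until = auth.next_allowed(user)
            if wait_until > horizon_seconds:
                return evaluated, "out_of_time"
            now = wait_until          # wait out the delay, then retry
            result = auth.attempt(user, guess, now)
        evaluated += 1
        if result == "ok":
            return evaluated, "ok"
    return evaluated, "exhausted"


# Constructed guess list: eleven misses, then the real password.
GUESSES = [f"guess{i}" for i in range(1, 12)] + ["correct-horse"]


def demo(horizon_seconds=3600.0):
    """Run the guesser for the given budget of seconds.
    Returns (guesses evaluated, outcome, result of trying the correct
    password once the budget is spent)."""
    auth = Authenticator({"alice": "correct-horse"})
    evaluated, outcome = simulate_online_guessing(auth, "alice", GUESSES, horizon_seconds)
    # Once locked, even the right password is refused.
    post = auth.attempt("alice", "correct-horse", horizon_seconds)
    return evaluated, outcome, post


if __name__ == "__main__":
    print(demo())
    print(demo(horizon_seconds=100.0))
```

With these assumed numbers the guesser gets ten evaluated guesses in the first few minutes and is then locked out for good, correct password included; with a 100-second budget it manages eight. The design point is the one the thread argues about: the counter lives on the server, so it bounds online guessing, and it says nothing about how fast the same passwords can be tested against a copy of the hashes.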
Anyone know of a good way to check what their security questions are? I don't think I reused mine from anywhere else but it is always good to check...
Reply Quote
This is just plain sad; good-bye, Blizzard. Still think making a game strictly for grabbing money from players was a good idea? Your fall as a premier gaming company is pretty much complete. Try making console games for a while; you might find yourself more suited to something a little less complicated.

I used to think your customer service sucked; now I guess I wasn't imagining it.
Reply Quote
This is an update? Sounds a lot like a compromise to me.
Reply Quote
08/10/2012 10:08 AM Posted by PipChaos
Blizzard salted and hashed them. LinkedIn for example only hashed, no salt. That means anyone could take a precomputed rainbow table with the most commonly used passwords and their hashes, and instantly gain access to anyone's account that used one of those simple passwords. Because Blizzard salted, hopefully using a random salt, even accounts using the most common passwords are somewhat safer.


Salting doesn't prevent rainbow tables. It just increases the size/number of the rainbow tables you need by a factor of the number of different salts that are used.
If you use the same salt for every hash (which is far too common, alas), you gain nothing. If you use a 12-bit salt (common enough, as it can be represented in two ASCII characters), the hacker has to work 4096 times as hard, or use rainbow tables 4096 times as large.
If you allow case sensitivity, and the average password uses 12 letters, you get the same protection (4096 times "stronger"), unsalted. Combined with salting, it makes cracking much harder. Not fiendishly difficult, but requiring more work.

Anyhow, of course the passwords are crackable. That goes without saying. The question is how quickly you can brute-force them. If you rent a relatively large botnet, or can invest in specialized hardware because the gains outweigh the price, fairly quickly. With a handful of regular i7 PCs, somewhat slower. You won't get all passwords quickly, but with this size of user base, getting a million or so passwords within a few days is likely achievable by a hacker who has already shown competence by getting through two layers of defense to get the data.

Disclaimer: I do computer security for a living. My opinions may be biased by this.
Reply Quote
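The exchange above (PipChaos on salting versus LinkedIn's unsalted dump, and the reply about work scaling with the number of distinct salts) reduced to code, as an added example that is not part of the thread. The "dump", the wordlist and the salting policies are all constructed here; the attacker is a plain lookup-table builder. The block also goes one step past the thread: it counts the cost of a deliberately slow KDF (PBKDF2 iterations), which neither poster mentions but which is the other multiplier a practitioner would check for in a leaked hash dump.

```python
"""Added example (not from the thread): how the salting policy changes the
cost of a wordlist attack on a leaked hash dump, and what a slow KDF adds.
Users, passwords and wordlist are constructed sample data."""
import hashlib
import os

# Constructed sample "dump". Real dumps run to millions of rows.
USERS = {
    "alice": "password",
    "bob": "123456",
    "carol": "Tr0ub4dor&3",   # not in the attacker's wordlist
    "dave": "qwerty",
    "erin": "letmein",
}
WORDLIST = ["password", "123456", "qwerty", "letmein", "diablo3"]


def hash_password(password: str, salt: bytes, iterations: int) -> str:
    """PBKDF2-HMAC-SHA256. iterations=1 stands in for a plain fast hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_store(users, salt_mode, iterations=1, rng=os.urandom):
    """Return {user: (salt, iterations, digest)} under one salting policy:
    "none"     - no salt at all (the LinkedIn case named above)
    "global"   - one salt shared by every row
    "per_user" - a fresh random salt per row"""
    shared = rng(8)
    store = {}
    for user, pw in users.items():
        if salt_mode == "none":
            salt = b""
        elif salt_mode == "global":
            salt = shared
        elif salt_mode == "per_user":
            salt = rng(8)
        else:
            raise ValueError(salt_mode)
        store[user] = (salt, iterations, hash_password(pw, salt, iterations))
    return store


def crack(store, wordlist):
    """Attacker holding the dump (salts included, as they always are).
    Builds one lookup table per distinct (salt, iterations) pair and
    matches every row against it. Returns (cracked, work) where work is
    the number of KDF iterations spent: candidates * iterations per table."""
    tables = {}
    cracked = {}
    work = 0
    for user, (salt, iterations, digest) in store.items():
        key = (salt, iterations)
        if key not in tables:
            tables[key] = {hash_password(w, salt, iterations): w for w in wordlist}
            work += len(wordlist) * iterations
        if digest in tables[key]:
            cracked[user] = tables[key][digest]
    return cracked, work


def compare(users=USERS, wordlist=WORDLIST, slow_iterations=10_000):
    """Accounts cracked and work spent under each policy, same wordlist."""
    results = {}
    for mode in ("none", "global", "per_user"):
        cracked, work = crack(build_store(users, mode), wordlist)
        results[mode] = (len(cracked), work)
    cracked, work = crack(build_store(users, "per_user", slow_iterations), wordlist)
    results["per_user_slow"] = (len(cracked), work)
    return results


if __name__ == "__main__":
    for mode, (n, work) in compare().items():
        print(f"{mode:14s} cracked {n}/{len(USERS)} with {work} KDF iterations")
```

Every policy gives up the same four weak passwords; salting changes the price, not the outcome. With no salt or one shared salt the attacker builds a single table and pays for the wordlist once. Per-user salts force one table per row, so the work grows with the number of rows (the "4096 times as hard" point for a 12-bit salt), and a slow KDF multiplies the per-candidate cost again by its iteration count. Only the last two multipliers stand between a fast GPU and a dump of this shape.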
Are you serious.

No, really. Is this a serious statement.

I want to know if you are serious when you say this.


When a robber breaks in through your window and steals your stuff, is that your fault?
Even if the window is open, he takes something from you; that's a crime. So even saying they had insufficient security isn't enough of a reason to blame them for someone stealing from them.

There really are VICTIMS in the world, whether you can believe that or not.


You're making this statement as if life were fair! LOL. If a homeowner or renter was robbed, and something that belonged to someone else was inside that home and stolen (regardless of how good their home security was), guess who is legally responsible for replacing the stolen items, regardless of who committed the actual crime of theft?

Not to say the hacker(s) are not to blame for the crime itself, but legally, Blizzard is "at fault" as far as their breach of customer data goes. Most U.S. states even have their own laws protecting consumers from things like this (some even include breach of security questions and answers). Now, my state law allows 45 for a business in this state to notify customers of a security breach - even if all that was taken was a security Q & A. I haven't looked into federal laws yet.

So, aside from people saying "Blizzard sucks!" just to say it, most people putting the "blame" on Blizzard are legally correct; even if Blizzard did everything right to protect this data, they are still responsible for any security breach.
Reply Quote
08/09/2012 03:57 PM Posted by Roksteady
I thought that being forced to play online was to increase security?


That is more an effort to curb piracy than anything.
Reply Quote
08/11/2012 10:40 AM Posted by LymanAlpha
Ah yeah, now I'm getting spam on my Google email account, thanks!


Funny, the email account that I have used only for my B-Net account for the last 4 years has never gotten any spam, not even now. I feel so left out.
Reply Quote
08/11/2012 11:18 AM Posted by Ewing
You can't brute-force B-Net passwords. After so many tries they throttle how often you can try to enter your password. Then after a few more tries you will trigger an account lock.

The cracking of the passwords does not happen by constantly spamming the login; it happens by working out the password before they put it in.
Reply Quote
08/11/2012 12:46 PM Posted by Ewing
Funny, the email account that I have used only for my B-Net account for the last 4 years has never gotten any spam, not even now. I feel so left out.


Given that they have about 10 million emails to sell or use, I would think it would take more than a few days to pass those around.
Reply Quote
Being rather direct about it, yes, hacks could happen to any company.
But that does not mean that:
1. Blizzard is not liable for losing our details.
2. They have yet to tell us when this attack started or when it happened, which to all those who had accounts hacked might be important, since they were blamed.
3. They have not explained what has been taken. They have been very vague about details, especially about information taken which could trigger lawsuits/government intervention/data protection act fines.
4. They have seriously underplayed how at risk your account is.
5. They failed to inform all those involved. The forum is used by a tiny number of players, not to mention all those who are not currently playing but have B-Net accounts, and they have hidden the information in the general forum under a vague heading instead of having it plastered all over their website. People should not be finding out from the press or gaming sites that their details are now in the hands of criminals.
6. There have been no further updates.

I would also point out their SMS system is also not working right now.
Edited by Pictish#2163 on 8/11/2012 1:06 PM PDT
Reply Quote
Hey guys, this is no bull. I just recently logged into my Gmail account and there have been two stopped sign-in attempts by Gmail, one from Saudi Arabia and another from a different Middle Eastern country, so go and change your passwords. The 1st attempt was on the 6th, the 2nd was on the 10th of Aug.
Reply Quote
Blizz, you suck.
Reply Quote
08/11/2012 12:46 PM Posted by Pictish
You can't brute-force B-Net passwords. After so many tries they throttle how often you can try to enter your password. Then after a few more tries you will trigger an account lock.

The cracking of the passwords does not happen by constantly spamming the login; it happens by working out the password before they put it in.


That is not brute force.
Reply Quote
Blizz states they were breached Aug 5th. That's BS! I had numerous email login attempts from Chinese IPs dating back 3 weeks ago. This security breach happened before Aug 5th; Blizz is mitigating the fallout with lies/damage control.
Reply Quote
Brute-forcing password hashes that are case-insensitive using GPGPU clusters, or even renting processor time on Amazon EC2, is basically child's play, salted or not.

They will simply take the easiest crackable hashes and use those, and ignore the hashes that take too long without any results.

They will get many accounts this way; even if there isn't any loot in them, they can use them for bots.
Reply Quote
08/11/2012 12:46 PM Posted by Pictish

You can't brute-force B-Net passwords. After so many tries they throttle how often you can try to enter your password. Then after a few more tries you will trigger an account lock.

The cracking of the passwords does not happen by constantly spamming the login; it happens by working out the password before they put it in.

That is not brute force.


It is a part of the process; brute-force password cracking does not always involve trying the password against the login. It involves creating tables from known data, such as that which was taken, and coming up with likely passwords, or in other words breaking the encryption using computing power, not sitting spamming potential passwords at login screens.
Edited by Pictish#2163 on 8/11/2012 2:18 PM PDT
Reply Quote