Diablo® III

Important Security Update

Being rather direct about it, yes, hacks could happen to any company. But that does not mean that
1/ Blizzard is not liable for losing our details
2/ they have yet to tell us when this attack started or when it happened, which to all those who had accounts hacked might be important since they were blamed.
3/ they have not explained what has been taken; they have been very vague about details, especially about information taken which could trigger lawsuits/government intervention/data protection act fines.
4/ they have seriously underplayed how at risk your account is
5/ they failed to inform all those involved; the forum is used by a tiny amount of players, not to mention all those who are not currently playing but have Bnet accounts, and they have hidden the information in the general forum under a vague heading instead of having it plastered all over their website. People should not be finding out from the press or gaming sites that their details are now in the hands of criminals.
6/ there have been no further updates

I would also point out their sms system is also not working right now.


They have been fairly clear on what information they know that was or was not taken.

What data was affected?

Here's a summary of the data that we know was illegally accessed:

North American-based accounts, including players from Latin America, Australia, New Zealand, and Southeast Asia

Email addresses
Answers to secret security questions
Cryptographically scrambled versions of passwords (not actual passwords)
Information associated with the Mobile Authenticator
Information associated with the Dial-in Authenticator
Information associated with Phone Lock, a security system associated with Taiwan accounts only

Accounts from all global regions outside of China (including Europe and Russia)

Email addresses

China-based accounts

Unaffected

At this time, there’s no evidence that financial information of any kind has been accessed. This includes credit cards, billing addresses, names, or other payment information.

Was any personal or financial information accessed?

At this time, there is no evidence that financial information was affected or accessed. There's also no evidence that personal information such as real names or billing addresses were accessed.


They have told everything that they know, but there is always a little of the unknown; there is always the question of whether they took a bit more. Since they cannot be 100% sure, they have to hedge a bit on it and use terms such as "There is no evidence."

You might find the following a bit enlightening: http://www.youtube.com/watch?v=xUI9E15vcEE&feature=channel&list=UL
Edited by Ewing#1365 on 8/11/2012 2:25 PM PDT
Reply Quote
08/11/2012 02:25 PMPosted by Ewing
They have told everything that they know, but there is always a little of the unknown; there is always the question of whether they took a bit more. Since they cannot be 100% sure, they have to hedge a bit on it and use terms such as "There is no evidence."

Except when it happened. You have also failed to say why they chose to keep the announcement hidden under a security update on their forum but not tell every person that had their details taken. How many millions of people have bnet accounts but do not currently play, and how many people have accounts and do not visit the forums?

And no that guy is even more clueless than me on security, he has no concept of data protection and everything he has said is utter garbage.
Edited by Pictish#2163 on 8/11/2012 2:45 PM PDT
Reply Quote
08/09/2012 03:46 PMPosted by Caillean
This. Nobody remembers when Anonymous hacked the FBI website during the SOPA protests?


LOL Hacked my !@#$. They DDoS'd one of their useless websites. That's not hacking, it's amateur mischief.

The FBI didn't lose any info. Blizzard did. And from the looks of it, Blizzard lost TONS of important data. Those passwords will be cracked, but more importantly, their authenticator algorithms are now compromised, along with (potentially) banking information, and what is equally scary: Personal security questions.

To try and downplay the severity of this breach of an online bank is absolutely irresponsible.
Reply Quote
Same thing happened to me!
Reply Quote
08/11/2012 12:46 PMPosted by Pictish

You can't brute force B-Net passwords. After so many tries they throttle down how often you can try to enter your password. Then after a few more tries you will trigger an account lock.

The cracking of the passwords does not happen by constantly spamming login; it happens by working it out before they put in the password.

That is not brute force.


It is a part of the process; brute force password cracking does not always involve trying the password against the login. It involves creating tables from known data, such as that which was taken, and coming up with likely passwords, or in other words breaking the encryption using computing power, not sitting spamming potential passwords at login screens.


Maybe for simple common passwords, or if the hacker is able to glean some real personal information. My password is a complex 16-letter phrase with alt spelling and numbers that even someone who knows me very well would never guess. The same with the email account name that I only use for B-Net, and its password.

I am not worried about them knowing my SQ&A and email account name, because I never give the correct answer to any SQ&A, and I don't use the same ones everywhere. So I am confident that my email address is secure, and the hackers cannot change nor access my password that way.

I am totally anonymous on the internet: because it would be too easy for someone to find me in RL; as there are only 2 people in the entire US with my exact name(myself and my son). So I do not have a facebook or any social network account.

Lastly I have had a physical Authenticator on my B-Net account for over 4 years now. So there : P

That said, as a precaution, I have already changed my password and have made a new email account to attach to my account when we are prompted to change our SQ&A.
Reply Quote
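Pictish's point above about building tables from leaked data is the offline attack that password storage is designed to resist, and whether "cryptographically scrambled" passwords survive it depends entirely on how they were scrambled. The following Python comparison is an added example, not code from this thread or from Blizzard: it contrasts an unsalted fast hash, which a precomputed table matches with one lookup, against a per-user salt plus PBKDF2, which forces fresh work for every record. The candidate list, the user passwords and the record layout are constructed for illustration.

```python
# Added example, not Blizzard's code. Two ways a site can "cryptographically scramble"
# passwords, and why only one of them survives an offline attack on leaked records:
# a plain fast hash with no salt can be matched against a table precomputed once,
# while a random per-user salt plus a slow KDF forces fresh work for every single record.
import hashlib
import hmac
import os
import time

# Constructed candidate list standing in for a real wordlist.
CANDIDATES = ["password", "diablo3", "letmein", "sanctuary2012"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one deterministic hash per password, identical across users and sites."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precomputed once; every leaked unsalted record is then a single dictionary lookup."""
    return {unsalted_sha1(p): p for p in candidates}


def table_lookup(stored_hash: str, table: dict):
    """Returns the recovered password, or None if the record is not in the table."""
    return table.get(stored_hash)


def store_password(password: str, iterations: int = 100_000) -> dict:
    """The strong scheme: random per-user salt and PBKDF2-HMAC-SHA256 with a work factor."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Legitimate login path: recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def breach_comparison(user_passwords=("diablo3", "sanctuary2012")) -> dict:
    """Simulate a leak of both record types and check what a precomputed table gets back."""
    table = build_lookup_table(CANDIDATES)
    unsalted_leak = [unsalted_sha1(p) for p in user_passwords]      # constructed leaked records
    salted_leak = [store_password(p) for p in user_passwords]       # constructed leaked records
    return {
        "recovered_from_unsalted": [table_lookup(h, table) for h in unsalted_leak],
        # The salt makes every stored hash unique, so no table built in advance can contain it.
        "recovered_from_salted": [table_lookup(r["hash"], table) for r in salted_leak],
        "salted_records_still_verify": all(
            verify_password(r, p) for r, p in zip(salted_leak, user_passwords)
        ),
    }


def cost_per_guess_seconds(iterations: int = 100_000) -> tuple:
    """Wall-clock cost of one guess under each scheme; the ratio is the defender's margin."""
    start = time.perf_counter()
    unsalted_sha1("guess")
    fast = time.perf_counter() - start
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"guess", os.urandom(16), iterations)
    slow = time.perf_counter() - start
    return fast, slow


if __name__ == "__main__":
    print(breach_comparison())
    fast, slow = cost_per_guess_seconds()
    print(f"one guess: sha1 {fast:.2e}s, pbkdf2 {slow:.2e}s, ratio ~{slow / max(fast, 1e-9):.0f}x")
```

The table lookup recovers every unsalted record that appears in the candidate list at no per-record cost, while the salted records return nothing and can only be attacked by re-running the full PBKDF2 work for each candidate against each user. The `cost_per_guess_seconds` ratio is what a site actually buys with the iteration count; it is the number to raise as hardware gets faster.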
They have told everything that they know, but there is always a little of the unknown; there is always the question of whether they took a bit more. Since they cannot be 100% sure, they have to hedge a bit on it and use terms such as "There is no evidence."

Except when it happened. You have also failed to say why they chose to keep the announcement hidden under a security update on their forum but not tell every person that had their details taken. How many millions of people have bnet accounts but do not currently play, and how many people have accounts and do not visit the forums?

And no that guy is even more clueless than me on security, he has no concept of data protection and everything he has said is utter garbage.


They told us when they discovered it, and I don't think anyone can say for sure when it actually happened, and if they do know, announcing it may interfere with the police investigation. In any case it most likely turned up during one of their frequent security sweeps, so it could not have gone too far back.
Edited by Ewing#1365 on 8/12/2012 10:18 AM PDT
Reply Quote
08/11/2012 02:46 PMPosted by Bootes
but more importantly, their authenticator algorithms are now compromised, along with (potentially) banking information, and what is equally scary: Personal security questions.


The Mobile Authenticator algorithms have been public knowledge for years. It was the seeds, and the serial numbers they were tied to, that were taken.

Again no banking, financial information was affected or accessed, nor was personal information such as real names or billing addresses accessed.

http://us.battle.net/support/en/article/important-security-update-faq
Edited by Ewing#1365 on 8/11/2012 3:25 PM PDT
Reply Quote
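Ewing's point above, that the authenticator algorithm is public and only the seeds tied to serial numbers are secret, is worth seeing in code. The following is an added example, not code from this thread or from Blizzard: it implements HOTP/TOTP exactly as published in RFC 4226 and RFC 6238, checks itself against the RFC's own published test seed, and shows with a hypothetical server-side registry that anyone holding a seed can produce a valid code until the seed is replaced. The serial number, the `AuthenticatorRegistry` class and the `reseed` procedure are assumptions made for the illustration.

```python
# Added example, not Blizzard's code: HOTP/TOTP as published in RFC 4226 and RFC 6238.
# The algorithm is public; the only secret is the per-device seed. This is why leaked
# seeds (tied to serial numbers) matter, and why re-issuing seeds is the remediation.
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30  # seconds per TOTP window, as in RFC 6238

# Published test seed from RFC 6238 Appendix B (HMAC-SHA1 vectors); not a real device seed.
RFC6238_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    return hotp(seed, unix_time // TIME_STEP, digits)


class AuthenticatorRegistry:
    """Hypothetical server-side table mapping authenticator serial -> seed."""

    def __init__(self) -> None:
        self._seeds = {}

    def enroll(self, serial: str, seed: bytes) -> None:
        self._seeds[serial] = seed

    def reseed(self, serial: str) -> bytes:
        """Incident response for a leaked seed table: replace the seed behind a serial."""
        new_seed = secrets.token_bytes(20)
        self._seeds[serial] = new_seed
        return new_seed

    def verify(self, serial: str, code: str, unix_time: int, drift: int = 1) -> bool:
        """Accept the code for the current window plus `drift` windows either side."""
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        counter = unix_time // TIME_STEP
        return any(
            hmac.compare_digest(hotp(seed, counter + d), code)
            for d in range(-drift, drift + 1)
        )


def leaked_seed_scenario(unix_time: int = 59) -> dict:
    """Knowing the seed is enough to produce a valid code; re-seeding is what ends that."""
    registry = AuthenticatorRegistry()
    registry.enroll("SERIAL-0001", RFC6238_SEED)           # constructed serial number
    code_from_leaked_seed = totp(RFC6238_SEED, unix_time)  # the public algorithm does the rest
    accepted_before = registry.verify("SERIAL-0001", code_from_leaked_seed, unix_time)
    new_seed = registry.reseed("SERIAL-0001")
    accepted_after = registry.verify("SERIAL-0001", code_from_leaked_seed, unix_time)
    return {
        "code": code_from_leaked_seed,
        "accepted_before_reseed": accepted_before,
        "accepted_after_reseed": accepted_after,  # False, barring a ~3-in-a-million collision
        "code_from_new_seed": totp(new_seed, unix_time),
    }


if __name__ == "__main__":
    print(leaked_seed_scenario())
```

At unix time 59 the RFC seed yields the code 287082 (the RFC's 8-digit vector 94287082 truncated to six digits), so the implementation matches the published specification. The scenario makes the defensive point concrete: publishing the algorithm costs nothing, a leaked seed costs the token, and the registry's `reseed` is the only step that makes the leaked copy useless.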
08/11/2012 03:10 PMPosted by Ewing
They told us when they discovered it, and I don't think anyone can say for sure when it actually happened, and if they do know, announcing it may interfere with the police investigation. In any case it most likely turned up during one of their frequent security sweeps, so it could not have gone too far back.


Look, no offense, but you clearly have no idea how security works; they will be able to track back and find out when it happened. Your other comment regarding your password clearly shows that: you could have the most unique password, unrelated to yourself, but if they have enough info they can work it out. The most simplistic example I can give you would be simple school-time math: you are given certain information and you work out the rest with a formula.

You may have had a physical authenticator on your account for 4 years, but one of the main points of hacking is not just to steal information and run away; it is to monitor the constant stream of data, call it the long con, and learn from it.
Reply Quote
The Mobile Authenticator algorithms have been public knowledge for years. It was the seeds, and the serial numbers they were tied to, that were taken.

Again no banking, financial information was affected or accessed, nor was personal information such as real names or billing addresses accessed.


No, they said at this time they do not think it was compromised; do you understand how many issues that would cause if they did admit that?
Reply Quote
I wish there was an option to change our security questions/answers without waiting for Blizzard to give us the ok... >.<
Reply Quote
wish there was an option to change our security questions/answers without waiting for Blizzard to give us the ok... >.<

I changed my password without that, and I did not even get an sms text or an email warning my password had been changed
Reply Quote
wish there was an option to change our security questions/answers without waiting for Blizzard to give us the ok... >.<

I changed my password without that, and I did not even get an sms text or an email warning my password had been changed


True, I don't remember getting notifications when I changed my pass. But my point is that since the security questions/answers are compromised, I want to change everything that is compromised so the hackers are left with useless info. I can't do that because there appears to be no option to change your security questions/answers like I can with my e-mail, PayPal and any other website in existence! I want to change this stuff ASAP and Blizzard is slowing me down. >.<
Reply Quote
I wonder how this will affect Blizzard's BBB rating.
Reply Quote
It's a good thing I still read this forum for the worst game of the decade.

Why not send an e-mail out? Not everyone reads the forums.
Reply Quote
08/11/2012 03:29 PMPosted by Pictish
Look, no offense, but you clearly have no idea how security works; they will be able to track back and find out when it happened. Your other comment regarding your password clearly shows that: you could have the most unique password, unrelated to yourself, but if they have enough info they can work it out. The most simplistic example I can give you would be simple school-time math: you are given certain information and you work out the rest with a formula.


I understand much better than you do how hackers of game accounts think and work. You are overthinking it. Hackers want to get in and get out as fast as they can, and with as little effort as possible. What you are talking about just takes too much time and effort on their part, when there are so many accounts that they can obtain through conventional means.

It was the same thing that happened with the "Man in the Middle" attacks of 2 1/2 years ago. Hackers came up with a really large and nasty piece of malware to intercept authenticator codes in real time. They had to set up a fake/spoof wowmatrix site to trick players into downloading a fake/spoof wowmatrix auto addon updater that contained the infected file.

A "Man in the Middle Attack" is a Trojan that works by blocking your access to the real login server and redirecting you to a spoof login screen/site. They then harvest all of your login information, in real time, including your one-time-use Authenticator code. The hackers then very quickly use this info to access your in-game account, before the Authenticator code expires.

However, this malware was dependent on the player having a very big hole in their security; besides going to a fake site and actively downloading it, they had to have a very out of date, or overridden, Windows firewall. Very quickly most if not all anti-malware programs offered protection from it.

All that time and effort only netted them a total of 4 to 5 accounts. That is not much of a return for their time and effort, when players give away their details so easily through conventional means. The hackers learned from that, and while it is possible for a hacker to develop a new Man-in-the-Middle attack, no new ones have yet happened.

It is the same with what you are saying can possibly be done. Hackers are unlikely to waste their time doing so.

The Mobile Authenticator algorithms have been public knowledge for years. It was the seeds, and the serial numbers they were tied to, that were taken.

Again no banking, financial information was affected or accessed, nor was personal information such as real names or billing addresses accessed.


No, they said at this time they do not think it was compromised; do you understand how many issues that would cause if they did admit that?


I understand full well what would happen if they are not honest about it; as such, they can't speak in absolutes. They could be 99.99999999% sure that it wasn't compromised, and as such would have to tell us the same thing. That .00000001% would require them to only say there is no evidence of it. Heck, even if they were 100% sure themselves, their lawyers would make them say the same thing, just in case.
Edited by Ewing#1365 on 8/11/2012 4:38 PM PDT
Reply Quote
On a lighter note - I don't usually use a bunch of words the DHS monitors, but when I do, it's on the D3 forums, especially after the hackers got to Blizzard.
Reply Quote

08/11/2012 03:29 PMPosted by Pictish
Look, no offense, but you clearly have no idea how security works; they will be able to track back and find out when it happened. Your other comment regarding your password clearly shows that: you could have the most unique password, unrelated to yourself, but if they have enough info they can work it out. The most simplistic example I can give you would be simple school-time math: you are given certain information and you work out the rest with a formula.

I understand much better than you do how hackers of game accounts think and work. You are overthinking it. Hackers want to get in and get out as fast as they can, and with as little effort as possible. What you are talking about just takes too much time and effort on their part, when there are so many accounts that they can obtain through conventional means.

It was the same thing that happened with the "Man in the Middle" attacks of 2 1/2 years ago. Hackers came up with a really large and nasty piece of malware to intercept authenticator codes in real time. They had to set up a fake/spoof wowmatrix site to trick players into downloading a fake/spoof wowmatrix auto addon updater that contained the infected file.

A "Man in the Middle Attack" is a Trojan that works by blocking your access to the real login server and redirecting you to a spoof login screen/site. They then harvest all of your login information, in real time, including your one-time-use Authenticator code. The hackers then very quickly use this info to access your in-game account, before the Authenticator code expires.

However, this malware was dependent on the player having a very big hole in their security; besides going to a fake site and actively downloading it, they had to have a very out of date, or overridden, Windows firewall. Very quickly most if not all anti-malware programs offered protection from it.

All that time and effort only netted them a total of 4 to 5 accounts. That is not much of a return for their time and effort, when players give away their details so easily through conventional means. The hackers learned from that, and while it is possible for a hacker to develop a new Man-in-the-Middle attack, no new ones have yet happened.

It is the same with what you are saying can possibly be done. Hackers are unlikely to waste their time doing so.

The Mobile Authenticator algorithms have been public knowledge for years. It was the seeds, and the serial numbers they were tied to, that were taken.

Again no banking, financial information was affected or accessed, nor was personal information such as real names or billing addresses accessed.

No, they said at this time they do not think it was compromised; do you understand how many issues that would cause if they did admit that?

I understand full well what would happen if they are not honest about it; as such, they can't speak in absolutes. They could be 99.99999999% sure that it wasn't compromised, and as such would have to tell us the same thing. That .00000001% would require them to only say there is no evidence of it. Heck, even if they were 100% sure themselves, their lawyers would make them say the same thing, just in case.


No, you do not. Hackers do not want to get in and out as quick as possible; that is for hackers that then go on to make public what they did. A true criminal hacker will try and keep it secret while working and intercepting the data passed; that is way more important than a smash and grab.
Do you really think there would be a market for Bnet logins if there was no way to use them?
Again you are clueless, and just about every security and botting/hacking site agrees with that. I am not overthinking it, because I have spent a decade working with criminals who are in jail for getting caught doing it. And that ranges from international banks to your local PayPal-based companies, so no, you are wrong on so many levels it is unreal. 10 million plus active emails is worth a fair bit of money; add in all the other data and that is a huge amount of cash.
Edited by Pictish#2163 on 8/11/2012 5:31 PM PDT
Reply Quote
08/11/2012 03:34 PMPosted by Pictish
changed my password without that, and I did not even get an sms text or an email warning my password had been changed


I didn't get a text either.
Edited by Chiefin#1672 on 8/11/2012 5:25 PM PDT
Reply Quote
At this time, there’s no evidence that financial information of any kind has been accessed. This includes credit cards, billing addresses, names, or other payment information.


At this time
At this ti
At thi
At t
At ...

People often eat famous last words. But we need to give it time to see how much the hackers really accessed. Because, "at this time" they are saying, they don't know if anything else was accessed or not, at this time. Give them time to find the evidence, I think it likely that "in time" they will find out that the hackers didn't do this for the beans but rather they were out to get the whole enchilada.
Edited by Runar#1385 on 8/11/2012 5:29 PM PDT
Reply Quote
Epic fail. Believe nothing of what you hear and half of what you see. Like they would tell us how bad it really is. Ejecting last money they ever get from me.
Reply Quote