Diablo® III

Important Security Update

08/11/2012 05:25 PM Posted by Chiefin
Changed my password without that, and I did not even get an SMS text or an email warning my password had been changed.


I didn't get a text either.


I changed mine too, and I DID get an email telling me the password had been changed, but no SMS message, and yes, I am signed up for SMS texts, and yes, I do have a physical authenticator.
08/11/2012 05:30 PM Posted by Runar
I changed mine too, and I DID get an email telling me the password had been changed, but no SMS message, and yes, I am signed up for SMS texts, and yes, I do have a physical authenticator.


Sorry, the email arrived 24 hours later, still no text, but hey, that's a problem only a month old and it's not like hackers have been messing with them, so that's ok.
Slightly amusing that after a week where there are lots of posts regarding people getting SMS texts from weeks and weeks ago, they admit their security is compromised.
Edited by Ewing#1365 on 8/11/12 4:38 PM (PDT)

08/11/2012 03:29 PM Posted by Pictish
Look, no offense, you clearly have no idea how security works; they will be able to track back and find out when it happened. Your other comment regarding your password clearly shows that. You could have the most unique password, non-related to yourself, but if they have enough info they can work it out. The most simplistic example I can give you would be simple school-time math: you are given certain information and you work out the rest with a formula.

I understand much better than you do how hackers of game accounts think and work. You are over-thinking it. Hackers want to get in and get out as fast as they can, and with as little effort as possible. What you are talking about just takes too much time and effort on their part, when there are so many accounts that they can obtain through conventional means.

It was the same thing that happened with the "Man in the Middle" attacks of 2 1/2 years ago. Hackers came up with a really large and nasty piece of malware to intercept authenticator codes in real time. They had to set up a fake/spoof WoWMatrix site to trick players into downloading a fake/spoof WoWMatrix auto addon updater that contained the infected file.

A "Man in the Middle Attack" is a Trojan that works by blocking your access to the real login server and redirecting you to a spoof login screen/site. They then harvest all of your login information, in real time, including your one-time-use authenticator code. The hackers then very quickly use this info to access your in-game account, before the authenticator code expires.

However, this malware was dependent on the player having a very big hole in their security; besides going to a fake site and actively downloading it, they had to have a very out of date, or overridden, Windows firewall. Very quickly most if not all anti-malware programs offered protection from it.

All that time and effort only netted them a total of 4 to 5 accounts. That is not much of a return for their time and effort, when players give away their details so easily through conventional means. The hackers learned from that, and while it is possible for a hacker to develop a new Man-in-the-Middle attack, no new ones have yet happened.

It is the same with what you are saying can possibly be done. Hackers are unlikely to waste their time doing so.

The Mobile Authenticator algorithms have been public knowledge for years. It was the seeds, and the serial numbers they were tied to, that were taken.

Again, no banking or financial information was affected or accessed, nor was personal information such as real names or billing addresses accessed.

No, they said at this time they do not think it was compromised. Do you understand how many issues that would cause if they did admit that?

I understand full well what would happen if they are not honest about it; as such they can't speak in absolutes. They could be 99.99999999% sure that it wasn't compromised, and as such would have to tell us the same thing. That .00000001% would require them to only say there is no evidence of it. Heck, even if they were 100% sure themselves, their lawyers would make them say the same thing, just in case.


No you do not. Hackers do not want to get in and out as quick as possible; that is for hackers that then go on to make public what they did. A true criminal hacker will try and keep it secret while working and intercepting the data passed; that is way more important than a grab and smash.
Do you really think there would be a market for Bnet logins if there was no way to use them?
Again you are clueless, and just about every security and botting/hacking site agrees with that. I am not over-thinking it, because I have spent a decade working with criminals who are in jail for getting caught doing it. And that ranges from international banks to your local PayPal-based companies, so no, you are wrong on so many levels it is unreal. 10 million plus active emails is worth a fair bit of money; add in all the other data and that is a huge amount of cash.


If you are really in law enforcement then you should be good at reading between the lines. Reread what Mike Morhaime said in his announcement http://us.blizzard.com/en-us/securityupdate.html, expressly this line here:

This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard


And here:

We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.


As a member of law enforcement, you would also know there is a limit to what can be said during an on going active investigation.

Also those 10 million plus active emails are now worthless to the hackers, because we know about it and can change and close those email accounts.
Edited by Ewing#1365 on 8/11/2012 5:45 PM PDT
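Two points in the post above can be made concrete with code: that a one-time-code algorithm being public is harmless as long as the seed stays secret, and how the "Man in the Middle" trojan it describes could log in with a harvested code before that code expired. The block below is an added example, not Blizzard's implementation and not code from this thread. It assumes a generic RFC 4226/6238 style scheme (HMAC-SHA1, 30-second step, 8 digits), uses the RFC test seed as constructed sample input, and the `OtpServer` class, the serial number and the timestamps are constructed stand-ins for the real login server.

```python
import hashlib
import hmac
import struct

# Assumed parameters for this example (generic TOTP-style scheme; not a
# statement about any vendor's real authenticator): HMAC-SHA1, 30 s step, 8 digits.
STEP_SECONDS = 30
DIGITS = 8

# RFC 4226 / RFC 6238 test seed, used here as constructed sample input.
SAMPLE_SEED = b"12345678901234567890"


def otp_code(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step."""
    return otp_code(seed, int(unix_time) // step)


class OtpServer:
    """Constructed stand-in for a login server holding enrolled seeds.

    Accepts codes for the current step and +/- `window` neighbouring steps
    (clock drift), and refuses the same (serial, step) twice so a code that
    has already been spent cannot be replayed.
    """

    def __init__(self, window: int = 1):
        self.seeds: dict[str, bytes] = {}
        self.consumed: set[tuple[str, int]] = set()
        self.window = window

    def enroll(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def verify(self, serial: str, code: str, now: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        current = int(now) // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(otp_code(seed, counter), code):
                if (serial, counter) in self.consumed:
                    return False  # already spent in this step: replay
                self.consumed.add((serial, counter))
                return True
        return False


def relay_scenario(now: int = 1_600_000_020) -> tuple[bool, bool]:
    """Real-time relay: the victim types a valid code into a spoofed login
    page, the attacker forwards it to the real server within the same step,
    and the victim's own (blocked, then retried) login arrives afterwards."""
    server = OtpServer()
    server.enroll("SERIAL-0001", SAMPLE_SEED)
    victim_code = totp_code(SAMPLE_SEED, now)                           # on the victim's device
    attacker_ok = server.verify("SERIAL-0001", victim_code, now + 3)    # relayed at once
    victim_ok = server.verify("SERIAL-0001", victim_code, now + 10)     # same code, later
    return attacker_ok, victim_ok


def stolen_seed_scenario(later: int = 1_700_000_000) -> bool:
    """Seed theft: with seed and serial the attacker needs no victim
    interaction at all and can mint a fresh valid code at any time."""
    server = OtpServer()
    server.enroll("SERIAL-0001", SAMPLE_SEED)
    return server.verify("SERIAL-0001", totp_code(SAMPLE_SEED, later), later)


if __name__ == "__main__":
    print("relay: attacker accepted, victim's replay accepted =", relay_scenario())
    print("stolen seed: attacker-minted code accepted =", stolen_seed_scenario())
```

The relay case returns `(True, False)`: the first use of the code wins, and here that is the attacker, since the trojan delays the victim. The stolen-seed case returns `True` with no victim involved, which is why a seed database, not the published algorithm, is the asset that matters.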
This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard


Yet despite blaming customers for months about security compromises, they failed to say when it happened.

08/11/2012 05:41 PM Posted by Ewing
As a member of law enforcement, you would also know there is a limit to what can be said during an on going active investigation.


Rofl, don't talk utter pish. By law, ongoing legal investigation or not, any company is required by law in most countries in the western world, due to the data protection acts, to inform directly any person who has had their data compromised; they are also liable for any issues that come from that data loss. Do you understand why they only stated Europe lost emails? That is because even a hint that they had lost more than emails would mean massive government intervention and fines, just like Sony is facing.
Francis seems upset about this.

http://www.youtube.com/watch?v=EgMSmIWwyiU&feature=g-games
Sony faces fines because it took them over 30 days to inform their players after their first compromise. In that case players' passwords were stored in plain text, and the hackers did get their personal and financial information as well. In fact they only went public after Anonymous went public about it first.

The fact that Blizzard has not sent out any email is a fairly clear indication that no real personal and financial information was taken. Because if it had, then they would have been required to contact us individually.

Besides, even if they had sent out an email, would you have believed it was for real, or another phishing attempt?
Edited by Ewing#1365 on 8/11/2012 6:09 PM PDT
Sony faces fines because it took them over 30 days to inform their players after their first compromise. In that case players' passwords were stored in plain text, and the hackers did get their personal and financial information as well. In fact they only went public after Anonymous went public about it first.

The fact that Blizzard has not sent out any email is a fairly clear indication that no real personal and financial information was taken. Because if it had, then they would have been required to contact us individually.

Besides, even if they had sent out an email, would you have believed it was for real, or another phishing attempt?

No, Sony faces fines because its loss of data breaches the data protection act in many countries, just like Blizz has done. It lost data, just like Blizz has done. The fact of the matter is we do not know from Blizz what data they lost; they have been cryptic regarding that. If they turn round in 18 days and say yes, we now have found out we lost personal data, will you be so happy?
The fact that Blizz has not sent out any emails indicates what? They have said themselves they do not know what data they have lost; they did not have the decency to inform players properly of what data they are 100% sure they have lost.
Again you are backtracking yourself into a corner. You have so far stated that everything is safe due to their security; not true according to multiple security blogs and sites.
You have tried to play the ongoing investigation card; again, that breaches multiple countries' data protection acts.
And then you fall back on the "oh my, if they sent out an email would anyone believe it"; well, as their own security works on texts and emails, I would bloody hope so.
I did not see any SMS alerts regarding a potential security breach, or any email alerts, which they use for informing you your account is now banned.
So let me see, all those people banned for spamming, banned for account compromise, should just ignore Blizz emails because there might be some false ones out there? But is that not what Blizz used to ban accounts, multiple warnings?
That would be the ones you want everyone to ignore.
Stop talking crap and accept the rather blatant fact that Blizz was compromised; they are liable and they need to keep people informed when they lose their details.
Posted by Pictish
No, Sony faces fines because its loss of data breaches the data protection act in many countries, just like Blizz has done. [...] Stop talking crap and accept the rather blatant fact that Blizz was compromised; they are liable and they need to keep people informed when they lose their details.


What security blogs and sites? List them, and if they are legitimate I will go and read them myself. By legitimate I mean those run by real Internet security professionals and not the hacker site you posted earlier, as you can not trust anything posted on those.

Edit: I accept that Blizzard was compromised, but not to the extent you seem to think it was. After Rift was hacked twice last year I made myself familiar with the different laws and regulations about it.

There are a combination of several state and federal laws and regulations that make it so Blizzard has to notify us and/or their stockholders of any security breach on Blizzard's end. Both California and Texas, where Blizzard operates out of, have some of the strongest of these laws and regulations in the world. While some of them may only apply to California/Texas residents, the rest of us will know very fast, thanks to the internet, if any notices ever go out to them.

Legally they're not actually obligated to tell us anything unless our personal data is compromised. However, they are required to notify their stockholders of any security breach, as it could negatively affect the price of their stock if it "leaked out". Since these filings/reports are public records, again thanks to the internet the rest of us would know very shortly as well.

In addition to having to notify their stockholders, they have to notify the general public as well of any security breach, to avoid any insider trading entanglements. That law is not ambiguous. You can not keep that kind of thing a secret and take part in any of the company's stock transactions without going to jail.
Edited by Ewing#1365 on 8/11/2012 6:58 PM PDT
So far so good on my end, knock on wood though. I hope that everyone else can say the same. I don't see why someone would do this. Why are people so lazy that they just don't work as hard as the rest of us to play the game and get the gear and the gold?
Edited by chantel123#1815 on 8/11/2012 6:42 PM PDT
LOL!! That is where I got the scope of the whole situation. Right when I put the DVD in the drive, that is the first thing that it said: please read the security update, or something of the matter. No player ever wants to see that.
08/11/2012 06:51 PM Posted by Pictish
What security blogs and sites? List them, and if they are legitimate I will go and read them myself. By legitimate I mean those run by real Internet Security professionals and not the hacker site you posted earlier. As you can not trust anything posted on those

That was a hacker site now? Wow, it pretty much says the same things as multiple other sites, and it is a blog which covers not just hacks but general tech anywhere.
You could try Google, but you know, other information might just melt your head.
Are you a troll or a moron?


Ahh, name calling, the sure sign that someone is losing an argument and/or has had their bluff called.

Anyway, never believe anything on a site that allows the selling of bot and hack programs and posts on how to exploit games.

Also see my edit to my last post.
Edited by Ewing#1365 on 8/11/2012 7:08 PM PDT
Ahh, name calling, the sure sign that someone is losing an argument and/or has had their bluff called.

See my edit to my last post.


I do not see your last edit. Nice try on listing American rules, but things are ever so slightly different in the EU, you know, the millions of people over there that have just lost data.
Did they hide this information from their stockholders at the last meeting, you know, the one after they found the breach?
You keep going, as everything you posted so far has been wrong.
Password security - wrong
Brute-forcing and cracking - wrong
Not telling people about the issue while still sending account compromised emails; wow, clearly they do believe in the power of emails.

Now tell me exactly when the guy on the "hacker site" listed his references to the university that created the security protocol, as well as the algorithms involved, as well as the open source software that evolved from that. Do you get it, hacker site?
So would it be safer at this point to just completely remove the mobile authenticator then?
Realise this is a company; they will sell their mother or lie forever if it makes them (or makes them think it makes them) more money. They don't care about customers. They handle them and deflect them. That's all.
This is great news!
I've totally forgotten my secret question answer, and since that is one of the most important things for a Blizz account, when they ask me to change it I'll now know it!
So physical authenticator people are OK?

Did they hide this information from their stockholders at the last meeting, you know the one after they found the breach.


You mean Vivendi?
08/11/2012 07:12 PM Posted by Pictish
Do not see your last edit, nice try on listing american rules but things are ever so slightly different in the EU. you know the millions of people over there that have just lost data.


The laws and regulations in each region differ widely. Because of this, the Blizzard incorporated in one region is a separate entity from that in other regions. In other words Blizzard EU and Blizzard NA are different "sister" companies under the same parent company, Blizzard Entertainment.

While they are still, overall, part of Blizzard Entertainment, Blizzard NA and Blizzard EU are legally two totally different companies, incorporated under widely different sets of laws and regulations. To be in compliance with the different laws, they have slightly different ToU and EULA. US and EU B-Net accounts are separate and hosted only within those regions. Because of this the notices of the compromise are a bit different as well.

While the servers at Blizzard's HQ might have had a listing of EU accounts' emails to make it easier to send out Blizzard promotions, they would not have had any more of their account information stored there.

You keep going as everything you posted so far has been wrong.
passwords security - wrong


Again, B-Net passwords are only worth something to 3rd party gold sellers/hackers, and they are not the type to go through the work needed to crack them, not when they can get them faster, easier, and cheaper through conventional means. Sure they might be willing to buy already cracked passwords from someone else, but not as cheaply as from conventional stolen data brokers.

Also it would be foolish to assume that Blizzard would have given full and complete details on how exactly, or how well, the passwords are cryptographically scrambled. Why give the hackers hints on how to crack them?

08/11/2012 07:12 PM Posted by Pictish
Brute-forcing and cracking- wrong


You were the one that equated cracking with brute forcing. While it may be possible to crack B-Net passwords, they can not be brute forced. At least not in the traditional sense, and you did not qualify it as being anything other than in the traditional sense.

08/11/2012 07:12 PM Posted by Pictish
Not telling people about the issue while still sending account compromised emails, wow clearly they do believe in the power of emails.


Huh? What emails were sent out about this by Blizzard? I haven't gotten one, but then I live in the US. Did they send one out to the EU? Here they are only required to contact us personally if our personal and financial information was compromised.

Now tell me exactly when the guy on the "hacker site" listed his references to the university that created the security protocol as well as the algorithms involved as well as the open source software that evolved from that, do you get hacker site?


On this I must admit I was wrong; the name of that site is a bit similar to that of a known WoW hacker/exploiter site, and I got it confused with that one.

I did read what was said on it; however, it did say that if Blizzard took some additional measures it would make the cracking of the passwords difficult to the point it would be impractical to do so. So I will repeat what I said earlier in this post: "it would be foolish to assume that Blizzard would have given full and complete details on how exactly, or how well, the passwords are cryptographically scrambled. Why give the hackers hints on how to crack them?"
Edited by Ewing#1365 on 8/11/2012 8:58 PM PDT
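The post above separates offline cracking from brute-forcing and mentions that "additional measures" would make cracking a leaked password table impractical. The two measures that actually drive that cost are a per-user salt and a deliberately slow key-derivation function. The block below is an added example, not code from this thread and not a description of Blizzard's real scheme (which the page does not give): it cracks a constructed leaked table with the same small dictionary under an unsalted fast hash and under salted PBKDF2, counting hash evaluations so the work-factor difference is visible. The usernames, passwords, wordlist and iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed sample leak: three accounts, two with passwords in the wordlist.
SAMPLE_ACCOUNTS = [
    ("alice", "diablo3"),
    ("bob", "Tyrael2012"),
    ("carol", "correct horse battery staple"),
]

# Constructed attacker wordlist (its order determines the evaluation counts below).
WORDLIST = ["password", "123456", "diablo3", "qwerty", "Tyrael2012", "letmein"]

# Assumed iteration count for the slow scheme; a real deployment tunes this so
# that one guess costs tens of milliseconds on the defender's own hardware.
DEFAULT_ITERATIONS = 200_000


def fast_hash(password: str) -> str:
    """Unsalted single SHA-1, the weak scheme: same password -> same hash for everyone."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the hardened scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_leak(iterations: int = DEFAULT_ITERATIONS):
    """Produce both versions of the leaked table for the constructed accounts."""
    fast_rows = [(user, fast_hash(pw)) for user, pw in SAMPLE_ACCOUNTS]
    slow_rows = []
    for user, pw in SAMPLE_ACCOUNTS:
        salt = os.urandom(16)  # unique per account
        slow_rows.append((user, salt, slow_hash(pw, salt, iterations)))
    return fast_rows, slow_rows


def crack_fast(rows, wordlist=WORDLIST):
    """Unsalted: hash each word once, then look every account up in that table.
    Cost is len(wordlist) no matter how many accounts leaked."""
    lookup = {fast_hash(w): w for w in wordlist}
    evaluations = len(wordlist)
    cracked = {user: lookup[h] for user, h in rows if h in lookup}
    return cracked, evaluations


def crack_slow(rows, iterations: int = DEFAULT_ITERATIONS, wordlist=WORDLIST):
    """Salted + slow KDF: each guess must be recomputed per account because the
    salt differs, and each recomputation costs `iterations` HMACs.
    Cost grows as accounts x words x iterations."""
    cracked = {}
    evaluations = 0
    for user, salt, digest in rows:
        for word in wordlist:
            evaluations += 1
            if hmac.compare_digest(slow_hash(word, salt, iterations), digest):
                cracked[user] = word
                break
    return cracked, evaluations


if __name__ == "__main__":
    fast_rows, slow_rows = build_leak()
    t0 = time.perf_counter()
    print("unsalted SHA-1:", crack_fast(fast_rows), f"{time.perf_counter() - t0:.4f}s")
    t0 = time.perf_counter()
    print("salted PBKDF2: ", crack_slow(slow_rows), f"{time.perf_counter() - t0:.2f}s")
```

Both runs recover the same two weak passwords; carol's passphrase is not in the dictionary and survives either way. The difference is the bill: six cheap hashes for the whole unsalted table, versus fourteen PBKDF2 runs of 200,000 iterations each for three accounts, a cost that scales with the number of accounts and is what makes wholesale cracking of a large leak impractical rather than merely slow.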
You got phished.

Don't blame Blizzard because you were stupid enough to click a dodgy link.

No, I was not. I know it's customary to assume that everyone else is "stupid" when bad things happen to them and not you, but I never even touch the email associated with my Battle.net account on a regular basis. The only reason I checked it and noticed the email in Chinese was because I couldn't log in to my account. Whoever was accessing my account obviously has my secret question answer because they kept attempting to change my password afterward. Blizzard already announced that answers to security questions were compromised. But no, it must be a huge coincidence and it's all my fault even though I've barely done anything involving this game for a month. Right.

Knowing the answer to the secret question isn't enough to hack an account.