Diablo® III

Important Security Update


No. Blizzard got hacked on August 4. It would be highly illegal for them to lie about or not disclose that they got hacked.

In fact, this proves that Blizzard was NOT at fault for the first wave of hacks, because no single person will have their accounts hacked as a direct result of this compromise. Nothing of value was taken, certainly nothing that would allow the hacker to get into any account.


Doesn't prove anything, sorry. They only noticed on August 4th.

It's highly unlikely that on August 3rd someone released something new that caused the accounts to become vulnerable to hacking.

Just because there is a law somewhere requiring a business to do something, doesn't mean that the business, in fact, follows it.

Why is it highly unlikely that on August 4th Blizzard got hacked? Why is it any more likely that the hack happened on May 15th?

The fact remains no accounts will be compromised as a direct result of this hack, therefore Blizzard cannot possibly be at fault for the original wave of account compromises.
Reply Quote
So, I do not play Diablo 3, I never bought the game because honestly, I saw all this coming a mile away with online only and the RMAH. My question is that the security notice relates to Battle.Net passwords, which I have due to Starcraft2. Imagine my surprise when I read about the Battle.Net breach via the Pulse app from a Kotaku feed. So for those of us who haven't logged into Starcraft2 or WoW for a long time and do NOT play Diablo 3, when was Blizzard going to tell us about this breach? I found out that my account information may be compromised through Kotaku, not Blizzard as I should have been. No email notification at all.

I do work in Information Security and I fully understand that it's not a question of if you get hacked, but when. I'm not frustrated about the hack at all; if anything could be made 100% secure I would be out of a job, but more so about the complete lack of Blizzard telling me about it. GG Blizzard, Kotaku had to tell me about YOUR problem.

Yes I am posting in the Diablo3 forums and I do not actually own Diablo3. The thread on the Starcraft2 forums is 3 pages long which is why I posted here. I'd like someone to SEE this and Diablo3 forums are the most active by far on this topic between the two. I have not checked the WoW forums because for personal reasons I will never associate myself with that game again.
Reply Quote
It's a good thing I check back here once a week, otherwise I might not know that Blizzard has found yet another way to ruin my day. No, it couldn't be something like the game just got worse, it had to be something that would make me doubly regret getting this game.
Reply Quote
Yes because their credibility is so much higher now. Who's to say this wasn't a problem since release as many claimed and was just now caught? Or that it hasn't happened multiple times and they only caught THIS attempt? Either way, people who even suggested this was a possibility in the past were treated like garbage at best, and it was disgusting to witness.

Seems the fanboys will be fanboys, even though they were in fact compromised.

And for the record, my computer was, and still remains, problem (and hack) free. Just can't believe how badly people were treated regarding the original string of hacks, now that this has come to light. I'd say apologies are in high order, but who am I kidding, this is the interwebz...


Again, even if Blizzard's compromise went back that far, which is doubtful, there is no way each and every cryptographically scrambled password of all of those accounts was deciphered. The individual deciphering of a cryptographically scrambled password is something that takes days of dedicated computer time.

So again your compromise was on your end, not Blizzards.


So it is impossible to decipher the encrypted passwords. Hm, just like it was impossible that blizzard's security was compromised. Sorry, in this instance that theory just does not hold water. It's too hard, it takes too long, it's just not possible.....same thing they said about blizzard's servers. Just continue to bury your head in the sand and deny, deny, deny, even as the proof presents itself to the contrary. I feel so sorry for the narrow minded.

And again, I was never, and still have never been compromised, so it has nothing to do with my end, and never will.
Reply Quote
For all you Chicken Littles:

1. Possessing encrypted data that doesn't belong to you doesn't mean much - it's one thing to get the data, it's a completely different exercise in effort & intent to try to decrypt it and use it.

2. You are not special. The world does not revolve around you, there are no Chinese sweat shops working 24/7 to decrypt YOUR account.
Reply Quote
For all you Chicken Littles:

1. Possessing encrypted data that doesn't belong to you doesn't mean much - it's one thing to get the data, it's a completely different exercise in effort & intent to try to decrypt it and use it.

2. You are not special. The world does not revolve around you, there are no Chinese sweat shops working 24/7 to decrypt YOUR account.


No, but when they have the secret questions and your emails, which hold information other than Battle.net and Blizzard, then that becomes a problem. And I may not be special, and I may not be the target of their attempt, but if they end up with my banking information due to Blizzard's incompetence and denial, are they not going to empty my account and spend my money simply because I'm not "important"? Get real.

More will come out, and blizzard will end up handling lawsuits. There were tons of people months ago saying blizzard has been compromised and they were belittled and called crazy at best. What a sad way for them to be vindicated.

And even though emails and questions were compromised, why no emails or texts or anything else from blizzard regarding the security breach? Why do I have to find out by accident through third party sites or friends? Blizzard owes me as a paying customer, to alert me instantly whenever my account may have been compromised. They still have not done so. Mark my words. This will not end well.
Reply Quote
Ewing View profile

Edited by Ewing#1365 on 8/11/12 8:58 PM (PDT)

08/11/2012 07:12 PM Posted by Pictish
Do not see your last edit, nice try on listing American rules, but things are ever so slightly different in the EU. You know, the millions of people over there that have just lost data.

The laws and regulations in each region differ widely. Because of this, the Blizzard incorporated in one region is a separate entity from that in other regions. In other words Blizzard EU and Blizzard NA are different "sister" companies under the same parent company, Blizzard Entertainment.

While they are still, overall, part of Blizzard Entertainment, Blizzard NA and Blizzard EU are legally two totally different companies, incorporated under widely different sets of laws and regulations. To be in compliance with the different laws, they have slightly different ToU and EULA. US and EU B-Net accounts are separate and hosted only within those regions. Because of this the notices of the compromise are a bit different as well.

While the servers at Blizzard's HQ might have had a listing of EU accounts' emails to make it easier to send out Blizzard promotions, they would not have had any more of their account information stored there.

You keep going as everything you posted so far has been wrong.
passwords security - wrong

Again B-Net passwords are only worth something to 3rd party gold seller/hackers, and they are not the type to go through the work needed to Crack them, not when they can get them faster, easier, and cheaper through conventional means. Sure they might be willing to buy already cracked passwords from someone else, but not as cheaply, as from conventional stolen data brokers.

Also, it would be foolish to assume that Blizzard would have given full and complete details on how exactly, or how well, the passwords are cryptographically scrambled. Why give the hackers hints on how to crack them?

08/11/2012 07:12 PM Posted by Pictish
Brute-forcing and cracking- wrong

You were the one that equated cracking with brute forcing. While it may be possible to crack B-Net passwords, they cannot be brute forced. At least not in the traditional sense, and you did not qualify it as being anything other than in the traditional sense.

08/11/2012 07:12 PM Posted by Pictish
Not telling people about the issue while still sending account compromised emails, wow clearly they do believe in the power of emails.

Huh? What emails were sent out about this by Blizzard? I haven't gotten one, but then I live in the US. Did they send out one to the EU? Here they are only required to contact us personally if our personal and financial information was compromised.

Now tell me exactly when the guy on the "hacker site" listed his references to the university that created the security protocol as well as the algorithms involved as well as the open source software that evolved from that, do you get hacker site?

On this I must admit I was wrong, the name of that site is a bit similar to that of a known WoW hacker/exploiter site, and I got it confused with that one.

I did read what was said on it; however, it did say that if Blizzard took some additional measures it would make the cracking of the passwords difficult to the point it would be impractical to do so. So I will repeat what I said earlier in this post: "it would be foolish to assume that Blizzard would have given full and complete details on how exactly, or how well, the passwords are cryptographically scrambled. Why give the hackers hints on how to crack them?"


Wow more backtracking and you even fail further

you state
The laws and regulations in each region differ widely. Because of this, the Blizzard incorporated in one region is a separate entity from that in other regions. In other words Blizzard EU and Blizzard NA are different "sister" companies under the same parent company, Blizzard Entertainment.

While they are still, overall, part of Blizzard Entertainment, Blizzard NA and Blizzard EU are legally two totally different companies, incorporated under widely different sets of laws and regulations. To be in compliance with the different laws, they have slightly different ToU and EULA. US and EU B-Net accounts are separate and hosted only within those regions. Because of this the notices of the compromise are a bit different as well.

While the servers at Blizzard's HQ might have had a listing of EU accounts' emails to make it easier to send out Blizzard promotions, they would not have had any more of their account information stored there.

1/ Blizzard promotions, for one, are region specific.
2/ Diablo 3 was global, meaning people had accounts in other regions, as well as playing on other servers, the same servers that were hacked. Those servers held their information.
3/ Any company which offers a service in any region is bound by its laws; you will find no difference in ToU/EULA within those regions, as has been pointed out by thousands of posts over the last few years regarding Blizzard's T&Cs not being binding within the EU.
4/ The US servers clearly did hold EU players' information; they would not have been able to use those servers otherwise.
5/ As a company they are bound by the laws and data protection acts of the regions they offer a service to; that is simply law.

08/11/2012 08:42 PM Posted by Ewing
Huh? What emails were sent out about this by Blizzard? I haven't gotten one, but then I live in the US. Did they send out one to the EU? Here they are only required to contact us personally if our personal and financial information was compromised.

Standard procedure for Blizz is to send an email with regards to spamming violations or others such as account bans. So why did they not send one out regarding their security issues? Again you state they did not do this because of people not believing those emails, yet that is their procedure. Also for account compromise they inform, yet chose not to this time regarding losing people's info. Again, more nonsense from you.

On this I must admit I was wrong, the name of that site is a bit similar to that of a known WoW hacker/exploiter site, and I got it confused with that one.

I did read what was said on it; however, it did say that if Blizzard took some additional measures it would make the cracking of the passwords difficult to the point it would be impractical to do so. So I will repeat what I said earlier in this post: "it would be foolish to assume that Blizzard would have given full and complete details on how exactly, or how well, the passwords are cryptographically scrambled. Why give the hackers hints on how to crack them?"

Clearly you did not read further on, then, as they stated it may be harder but still very possible, and they already know a large chunk of the process; certain things are already known.

Let's face it, your love for Blizz has made you wrong on every point so far. Why on earth you are defending a company which lost people's data, then decided not to tell them directly, I do not know. The simple fact of the matter is this was not a hack by some kids looking for glory, it was very clearly for criminal purposes. You may be happy for your info to be out there but a lot of people are not.
Reply Quote
For all you Chicken Littles:

1. Possessing encrypted data that doesn't belong to you doesn't mean much - it's one thing to get the data, it's a completely different exercise in effort & intent to try to decrypt it and use it.

2. You are not special. The world does not revolve around you, there are no Chinese sweat shops working 24/7 to decrypt YOUR account.


No, of course there is not, that's why there is no market for that data and people have not been selling active Battle.net emails. Oh wait, they have. There may not be Chinese sweatshops, but there may be some geek with a few PCs working away. Lists of active emails and phone numbers or personal data: there is no market for that at all, is there? So why are people stealing it?
Reply Quote
08/11/2012 10:41 PM Posted by Pictish
2/ Diablo 3 was global, meaning people had accounts in other regions, as well as playing on other servers, the same servers that were hacked. Those servers held their information.


While players may be able to access and log in to other regions' D3 servers, their home region is the only place that data is "stored."

08/11/2012 10:41 PM Posted by Pictish
Clearly you did not read further on, then, as they stated it may be harder but still very possible, and they already know a large chunk of the process; certain things are already known.


I read all of it. While everything is possible, there comes a point where it is not practical nor cost effective to do so, not when there are already a ton of people who give out their information by using the same emails and passwords for everything. You know, sites like Sony, that stored their passwords in plain text.

08/11/2012 10:41 PM Posted by Pictish
The simple fact of the matter is this was not a hack by some kids looking for glory,


So Anonymous' hacking of Steam, Sony, Square-Enix, Bioware(SWORP), Cryptic, Trion Worlds(Rift), was not by some kids looking for glory. Oh wait!

No, of course there is not, that's why there is no market for that data and people have not been selling active Battle.net emails. Oh wait, they have. There may not be Chinese sweatshops, but there may be some geek with a few PCs working away. Lists of active emails and phone numbers or personal data: there is no market for that at all, is there? So why are people stealing it?


Beyond phisher spammers, there isn't much of a market for lists of active B-Net emails and phone numbers. But then, other than hacking Blizzard, they have never been able to obtain them any other way. Oh wait, again!
Edited by Ewing#1365 on 8/11/2012 11:39 PM PDT
Reply Quote
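The posts above argue back and forth about whether a stolen table of "cryptographically scrambled" passwords is worth anything, how long cracking takes, and whether password reuse across sites is the real exposure. The following is an added example written for this page, not code from any poster and not Blizzard's implementation (the thread never states how Battle.net stored passwords, and this example does not claim to reproduce it). It assumes the two common ways a site hashes passwords (a fast unsalted hash versus a salted, iterated key derivation function), a constructed six-word wordlist, and constructed accounts and a constructed second "bank" table with a reused password. It counts the attacker's work in each case and shows how a password recovered from one leak is tried elsewhere.

```python
"""Added example (not from the thread): what an attacker does with a leaked
password table, and why the storage format, not the word "encrypted", sets
the cost.  All data below is constructed for the demo."""
import hashlib
import os

# Constructed sample wordlist; a real attack uses tens of millions of entries.
WORDLIST = ["password", "123456", "diablo3", "letmein", "qwerty", "Tr0ub4dor&3"]
# Constructed accounts (hypothetical users, not real data).
ACCOUNTS = {
    "alice@example.com": "diablo3",                # in the wordlist
    "bob@example.com":   "qwerty",                 # in the wordlist
    "carol@example.com": "c0rrect-horse-battery",  # not in any wordlist
}
DEMO_ITERATIONS = 1000  # kept low so the demo is quick; real deployments use far more


def store_unsalted_sha1(password):
    """Weak storage: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_pbkdf2(password, salt, iterations=DEMO_ITERATIONS):
    """Stronger storage: per-user random salt and a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_tables(accounts):
    """Return the same accounts stored both ways: {user: sha1} and {user: (salt, pbkdf2)}."""
    weak = {u: store_unsalted_sha1(p) for u, p in accounts.items()}
    strong = {}
    for u, p in accounts.items():
        salt = os.urandom(16)
        strong[u] = (salt, store_salted_pbkdf2(p, salt))
    return weak, strong


def crack_unsalted(table, wordlist):
    """Unsalted: hash each candidate once and match it against every user.
    Work is len(wordlist) fast hashes regardless of how many users leaked."""
    reverse = {}
    work = 0
    for word in wordlist:
        work += 1
        reverse[store_unsalted_sha1(word)] = word
    found = {u: reverse[h] for u, h in table.items() if h in reverse}
    return found, work


def crack_salted(table, wordlist, iterations=DEMO_ITERATIONS):
    """Salted + slow KDF: every candidate is re-derived per user, and each
    derivation costs `iterations` rounds.  `work` counts KDF calls."""
    found = {}
    work = 0
    for user, (salt, digest) in table.items():
        for word in wordlist:
            work += 1
            if store_salted_pbkdf2(word, salt, iterations) == digest:
                found[user] = word
                break
    return found, work


def credential_stuffing(cracked, other_site):
    """A password recovered from one leak is tried against the same e-mail at
    another site.  This is a few online login attempts per user, not an
    offline cracking job, so the other site's hashing does not protect it."""
    hits = {}
    for user, password in cracked.items():
        if user in other_site:
            salt, digest = other_site[user]
            if store_salted_pbkdf2(password, salt) == digest:
                hits[user] = password
    return hits


def run_demo():
    weak, strong = build_tables(ACCOUNTS)
    found_weak, work_weak = crack_unsalted(weak, WORDLIST)
    found_strong, work_strong = crack_salted(strong, WORDLIST)
    # Constructed "bank" table: alice reused her game password, bob did not.
    bank = {}
    for user, pw in [("alice@example.com", "diablo3"), ("bob@example.com", "unrelated!pw")]:
        salt = os.urandom(16)
        bank[user] = (salt, store_salted_pbkdf2(pw, salt))
    return {
        "weak_cracked": found_weak,
        "weak_work": work_weak,                          # 6 fast hashes total
        "strong_cracked": found_strong,
        "strong_work": work_strong * DEMO_ITERATIONS,    # 14 KDF calls x 1000 rounds
        "reused_elsewhere": credential_stuffing(found_strong, bank),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both storage formats give up the two wordlist passwords and neither gives up carol's; the difference is that the unsalted table costs six hash evaluations for every user at once, while the salted KDF costs a separate run per user and per candidate, multiplied by the iteration count. The reuse check is the part no hashing scheme at the breached site can prevent: alice's recovered password opens her account at the second site in one attempt.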
08/11/2012 10:41 PM Posted by Pictish
Let's face it, your love for Blizz has made you wrong on every point so far. Why on earth you are defending a company which lost people's data, then decided not to tell them directly, I do not know. The simple fact of the matter is this was not a hack by some kids looking for glory, it was very clearly for criminal purposes. You may be happy for your info to be out there but a lot of people are not.


I neither love nor, unlike you, hate Blizzard; I am totally neutral. There is a lot that they do that I like and agree with, and a lot I strongly disagree with and dislike. You will never see my posts in green text.

Example: I think the RMAH is a very big mistake on their part. But not for the same reason most players are against it. I am very concerned about future tax regulations that may come out of it.

However, I do not believe they are so stupid as not to be honest about the compromise. Especially after what happened with Steam, Sony, Square-Enix, Bioware(SWORP), Cryptic, and Trion Worlds(Rift).
Edited by Ewing#1365 on 8/12/2012 12:31 AM PDT
Reply Quote
3/ Any company which offers a service in any region is bound by its laws; you will find no difference in ToU/EULA within those regions, as has been pointed out by thousands of posts over the last few years regarding Blizzard's T&Cs not being binding within the EU.


Oh sorry, you had it so jammed together I missed this little tidbit. Posts by whom, and where were these postings? I know that there have been blog posts by Blizzard haters that have tried to stretch and distort EU court rulings against other companies' ToU/ToS/EULAs to make it appear that those rulings applied to Blizzard as well. Those were against business software companies, or cell phone companies.

Oh, there was one against EA games, but that was because their shrinkwrap licenses did not allow their players an out if they disagreed with their EULA/ToU.

Since Blizzard offers players a full refund for the cost of their games if they disagree with the EULA/ToU; Blizzard's EULA/ToU doesn't have that problem.
Edited by Ewing#1365 on 8/12/2012 12:54 AM PDT
Reply Quote
Fail Blizzard. Should've gotten an authenticator...
Reply Quote
too bad, nerd.
Reply Quote
Yay, just got first spam mail offering me a great deal on WoW and Diablo 3 Gold containing my real name sent to my valid (not guessed) mail address. Thanks a lot guys. Real name + Mail. That actually sucks... If I only would have known in advance - not playing that game for about 3 weeks and if I was told the price is about 50€ + Real Name + Mail Address given to spammers I would have chosen otherwise.

And you guys didn't even inform me personally. I have to click on a link in the launcher window of a game I'm not playing anymore to check the forum afterwards and find that quite important information.

That's what I consider unprofessional. I would have expected a personal mail explaining to me that critical information about my person, which I consider somewhat confidential, has been leaked to some guys who probably didn't take it to add it to their personal mail/real name collection for fun.

What about all the other players out there who don't play that game anymore, didn't check the news section and don't go to the forum? Is it their fault to not check your website on a daily basis to make sure that confidential information they gave to you is still kept confidential?

I perfectly understand that this is quite embarrassing but it simply might happen. Underpaid employees, plain ...holes and [insert generic reason to do that] sometimes can't be "detected" in advance. But it's up to you how to handle that situation and you actually did a very bad job. Probably you guys don't even read that thread carefully so my post will be unseen by any "authorities". But I still expect an apology which is sent to my leaked mail address, and I absolutely see no reason to create a support ticket to get that, as it is up to you to do that actively...

For those 70 pages before TL;DR but that's actually not my job. In case someone else mentioned that already I'm sorry for repeating...
Reply Quote
08/12/2012 12:10 AM Posted by PopeBenedXVI
The blue poster is lying. Everyone just needed to buy an authenticator. Blizzard is impregnable.


You, good sir, do not know what you are talking about. How in the world do you know if everyone has an authenticator or not? Also, it was the mobile authenticator that was affected, which concerned some people in this thread, if you bothered to read through it. Why would the blue poster lie about a security breach? It would not make any sense whatsoever.
Edited by Fender178#1290 on 8/12/2012 6:01 AM PDT
Reply Quote
As Blizzard was hacked last week and Blizzard has mentioned that they have access to our secret question.

So I decided to promptly change all my passwords for all my accounts. However, when I went to change the answer to my secret question for my battle net account, BNET said that I cannot change the answer to my secret question unless I change my email address.

I have submitted a ticket for this but this simply astonishes me that Blizzard has messed up a simple programming logic such as changing the answer to our secret question while keeping our personal email address.
Reply Quote
Please..........

Credit card companies haven't been hacked? Banks, financial institutions. Google was spying on your browsing history in direct violation of federal law. Have you all given up banking? Have you all stopped using Google?

This stuff happens everyday and unless you are personally affected you don't care. How many of you flaming Blizzard in this post have been financially ruined by this hacking of Blizzard?

And surprisingly enough those of you flaming Blizzard seem to still have your accounts here and are posting.... hmmmm. Apparently the hacking didn't scare you enough to close your accounts immediately and start playing Wizard101.


Well, considering that they logged into my e-mail account and sent out over 2000 spam mails, tried to hack into my Facebook account with the e-mail (but the password is different, thank God) AND two of my bank accounts which had the same password with only a few letters reversed, I think it is safe to say that the passwords were unencrypted and are actively being used.

I caught it quickly enough because I host my own domain on my own server and was alerted immediately about the break in so I was able to stop any serious damage. But in the 20 years that I have had this password and 10 years that I have had this particular e-mail address it has NEVER been hacked so I think I am pretty safe in assuming this was caused by the Blizzard issue. At the time it happened there were only two options that I could think of where this person got my password. My banking institute or Blizzard. And guess who it ended up being?

Ppl have been directly affected by this and I would even bet a lot of ppl do not know about what happened to Blizzard because they have not been directly contacted by Blizzard and they have stopped playing Diablo/Wow so it has not occurred to them to check so they are dealing with their issues on their own not knowing how or where the breach occurred.

I am glad that you have warm fuzzies about Blizzard and feel the need to defend them with your last dying breath but a lot of us are dealing with the aftermath of this problem. Our passwords and personal information WAS stolen and is being used but Blizzard does not want to admit it. In the meantime instead of getting an apology we are getting dumped on by ppl like you and Blizzard who are still maintaining that it is not their issue and treating this like it is no big deal.

This is a serious issue and you are a fool to keep down playing it. Yes this kind of thing happens but when you are part of the group on the internet that knows this, has worked in this field for as long as I have, you put every precaution in place you can and like I said previously, in 20 years this has NEVER happened to me before and I am pretty damn pissed about the way it is being handled. Not that it happened, that is expected from time to time but to brush it off and treat the victims of your mistake like it is their fault or they are completely ignorant of what they are doing is pretty asinine and insulting to say the least.
Edited by Eglyntine#1813 on 8/12/2012 7:34 AM PDT
Reply Quote
Hi Blizzard,

Please send out a mass email to all the players on battle net, informing them of this breach and to take the necessary measures to protect users from this breach. I, like most players, had to find out about this breach from the forums.

Please do something about this ASAP, or players and fans of Blizzard's games will lose faith in the company.
Reply Quote
Wow, nice... haven't played d3 in 2 months and now they finally quietly announce the breach, which clearly has been happening from the start. They probably thought as long as the authenticator wasn't breached then they could push this off as player ignorance and have the fanboy community scream "get an authenticator" and no one would notice. Now that it has been breached and half their player base already left, they're trying to get away with a small announcement. This should surprise nobody except the ignorant fanboys who kept calling this a conspiracy theory.
Reply Quote