Important Security Update

....
It is not Blizzard's fault that they were so sloppy with their own personal security as to have an email account with their real name in it in the first place, or that they use that same email for everything.


The real name in the email address is the usual suggestion made by the email providers. And since when do you have to be a security expert to play games now? Oh, right, since they introduced the !@#$ty "always online" crap. So yes, I think it IS Blizzard's fault, and no, the players were not sloppy.
08/09/2012 03:44 PM Posted by Davoc
Well, I know I for one tend to talk smack about Blizzard for shipping Diablo 3 in the state it was shipped in, but I do respect the fact that Mr. Morhaime was so direct and hasty in his address of this issue.


Hasty? It's been happening since release.

I do not know of any email providers that suggest you use your real name as your email address, at least not within the last 10 or 15 years. My ISP did give me a temporary email using my real last name as the master account, until I could set it the way I wanted. However, they advised me not to use it for anything other than communicating with them. In fact, they advised me to change its name ASAP.

Yes, Blizzard had a compromise and they are responsible for what little information was lost. However, they have a compartmentalized system, with only Billing and Accounting services having access to our personal and financial information. Apparently those precautions worked, as the hackers were not able to access that part of their system.

But they can't be held responsible for your own foolishness of giving away your real name by using an email address that contains it. Every time you use that email address on the internet you are giving it away. Sign up for another game, such as Steam, Sony, Square-Enix, Bioware, Cryptic, or Trion Worlds (Rift)? Guess what, you have given it away, because they all were hacked as well within the last year. Signed up for any fan or guild web sites? Guess what, you have really given it away, because their hosting sites are notorious for lax security. The former host for my guild's web site was hacked 5 times within the same year.

Excrement happens, and this time it happened to Blizzard, and unlike Sony they didn't try to cover it up. They took responsibility and let us know ASAP, so we could take steps to secure our accounts before too much damage was done. But you need to take responsibility for doing something as foolish as using an email address that contained your real name.
http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/

Have fun :D
http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/
Please read. Is Blizzard keeping us in the dark again?
QUOTED FROM Runar
Quote by Eglyntine: Well, considering that they logged into my e-mail account and sent out over 2000 spam mails, tried to hack into my Facebook account with the e-mail but the password is different (thank God), AND two of my bank accounts which had the same password with only a few letters reversed, I think it is safe to say that the passwords were unencrypted and are actively being used.

I caught it quickly enough because I host my own domain on my own server and was alerted immediately about the break-in, so I was able to stop any serious damage. But in the 20 years that I have had this password and the 10 years that I have had this particular e-mail address it has NEVER been hacked, so I think I am pretty safe in assuming this was caused by the Blizzard issue. At the time it happened there were only two options that I could think of where this person got my password: my banking institute or Blizzard. And guess who it ended up being?

Ppl have been directly affected by this and I would even bet a lot of ppl do not know about what happened to Blizzard because they have not been directly contacted by Blizzard and they have stopped playing Diablo/Wow so it has not occurred to them to check so they are dealing with their issues on their own not knowing how or where the breach occurred.

I am glad that you have warm fuzzies about Blizzard and feel the need to defend them with your last dying breath but a lot of us are dealing with the aftermath of this problem. Our passwords and personal information WAS stolen and is being used but Blizzard does not want to admit it. In the meantime instead of getting an apology we are getting dumped on by ppl like you and Blizzard who are still maintaining that it is not their issue and treating this like it is no big deal.

This is a serious issue and you are a fool to keep downplaying it. Yes, this kind of thing happens, but when you are part of the group on the internet that knows this, and has worked in this field for as long as I have, you put every precaution in place you can, and like I said previously, in 20 years this has NEVER happened to me before, and I am pretty damn pissed about the way it is being handled. Not that it happened, that is expected from time to time, but to brush it off and treat the victims of your mistake like it is their fault or they are completely ignorant of what they are doing is pretty asinine and insulting, to say the least.
--------------------------------------------------------

Quote by Derogos: I wish I could like this 1000 times, and that Blizzard would actively respond. I know if my banking information gets leaked someone will be answering legal questions in a hurry. Bad deal, Blizzard. If there is even a snowball's chance that people's information has been compromised this needs to be handled immediately. To wait only hurts your legal position, and strengthens that of anyone who happens to be hurt by this. Playtime is over. People need to start getting official emails or letters about this. Finding out by accident is NOT acceptable.
--------------------------------------------------------

QUOTE by Runar: Thing is, he's probably wrong. Blizzard is not stupid enough to store passwords unencrypted.

I've had a PayPal account hacked, and that was with a 24-character alphanumeric password with special characters; nobody knows my passwords but me, yet somebody managed to hack my PayPal account. It happens sometimes. I'm guessing somebody hacked his email account password and it just happened at the time that this whole thing came out, assuming he's not lying through his teeth to begin with.

Try looking on the forum, you'll see how passwords are handled. They are not stored on Blizzard's server unencrypted, else you'd see a ton, I'm talking hundreds or thousands, of new "I've been hacked" topics popping up since the 4th of Aug, which there hasn't been.


Response to Runar:

08/12/2012 02:43 PM Posted by Runar
Thing is he's probably wrong. Blizzard is not stupid enough to store password unencrypted.


First off, I am a "She", for posterity purposes in the future. Secondly, I did not say that Blizzard did not encrypt their passwords. I said that they are saying the passwords were encrypted and that they are assuming that the ppl that stole them cannot or did not unencrypt them.

What I am saying is that this is obviously false, as they used my password to log into my account. Which means they have unencrypted the password file. That password I used has never in 20 years been guessed or hacked into. That is the solid truth. I have had many of my hacker and IT friends/co-workers run various programs to hack that password to make sure that it is solid. Whether you choose to believe that or not is on you, because I know the precautions that I have taken. I am your paranoid internet user, since I have been on here for 20+ years and have worked in IT security and in pretty much every field within IT for the last 20 years.

This was NOT a coincidence that just happened to occur the same time Blizzard was stolen from. This password as I stated in an earlier post was my most secure password and since I knew that Blizzard was a target for hackers I used it here to add to the security of my account. My account was not hacked into because of a weak password. It was stolen from Blizzard's databases, unencrypted and then used. That is a lot different than someone using a hacking program to guess someone's password.

And yes it was the same password I use on my e-mail because again, it is my most secure password and god forbid I want to use the same password so that I do not have to add another freaking password to the 100's I already have to remember. Yes I made the mistake of not considering the scenario that an internal employee of Blizzard would steal the information and I can guarantee that I will not make this mistake again. Again though, the point is that this has happened and Blizzard is taking a passe attitude about the situation and they still have yet to notify all of their customers directly as to what has happened. And they are also not being forthright in explaining all of the details and seriousness of what has happened. They are continuing to blame the customers for this problem.

08/12/2012 02:43 PM Posted by Runar
I've had a paypal account hacked, and that was with a 24 alphanumeric password with special characters, nobody knows my passwords but me, yet somebody managed to hack my paypal account. it happens sometimes. I'm guessing somebody hacked his email account password and it just happened at the time that this whole thing came out, assuming he's not lying through his teeth to begin with.


I realize that nothing is unhackable. If someone is determined enough they can get into anything. But again, I take that into consideration when I am on the computer/internet. I am a low-profile type person so as to not draw attention from those that like to grief the hell out of someone bragging about how their stuff is unhackable. In this case I am drawing attention to it because ppl need to know the extent to which their stuff on BattleNet has been compromised. Blizzard is downplaying this situation and it is dangerous.

08/12/2012 02:43 PM Posted by Runar
Try looking on the forum, you'll see how passwords are handled, they are not stored on Blizzards server unencrypted else you'd see a ton I'm talking hundreds, or thousands of new "I've been hacked" topics popping up since the 4th of Aug, which there hasn't been.


Again, I never said they are holding a txt file somewhere that is not semi-secure. I am saying that the encrypted files that were stolen have been unencrypted and are being used.
As for your example of the forums being blasted with tons of posts of ppl saying they were hacked: I am betting that most that have been hacked do not realize it was because of Blizzard, because Blizzard has still not sent out a notification that their customers' information was stolen. I found out through a FB article that was posted on a completely different site than Blizzard's. It was a news article in the Washington Post. Although I suspected Blizzard when it first happened, I called them and, after being treated like complete crap by the CS Rep, I was reassured that nothing was compromised on their end. Then several days later I found the article in the Washington Post.

Most of the ppl that quit playing D3 months ago like I did have not been back to the forums and they stop reading most articles about it. But I bet you real money that there are a lot of ppl out there that have been hacked and they have no idea where or how their information was compromised. All they can do is what I did and do damage control the best way they can, trying to figure out how and what caused the issue through osmosis.

I am not the only one this has happened to, and to assume that everyone is a moron and does not know what they are doing with securing their accounts is asinine. Once again, the victims here are being treated like we are the ones at fault and that we have no clue as to what we are doing when it comes to securing our information. I am not blaming Blizzard for being stolen from, it happens. I am blaming them for how they are handling it and how they are treating the customers. It is like telling a #!*! victim it was their fault for being #!*!d because the party they attended got hijacked by a group of #*#%%*s and the hosts are trying to downplay the bad publicity by saying the victims should have known better than to draw attention to themselves by dressing up nice for the party.
*Slow Clap*

Well done Blizzard.

Well !@#$ing done.

I better get a ton of free %^-* from this.
08/13/2012 12:39 PM Posted by spiderisland
It is not Blizzard's fault that they were so sloppy with their own personal security as to have an email account with their real name in it in the first place, or that they use that same email for everything.


Hey. Listen up chump:

It's Blizzard's fault because they were compromised and lost people's personal data. Personal data that people gave Blizzard on the pretense that the information would be kept safe: just between the person and Blizzard. Blizzard failed to deliver on this corporate responsibility.

It doesn't matter if the person's password was "123" and his secret question answer was "Mypasswordis123". I repeat: IT DOESN'T MATTER, BECAUSE NONE OF THIS INFORMATION SHOULD EVER HAVE BEEN REVEALED TO ANYONE. Do you get it yet?


Personal data is your real name, date of birth, address, phone number, credit card number, etc. With the exception of the phone numbers of the Dial-up Authenticator users (which only works on WoW accounts), none of that was lost.

Again, while Blizzard has accepted responsibility for the loss of the cryptographically scrambled versions of our B-Net passwords, SQ&A, and our email account names, Blizzard has always suggested that we use totally different and unique passwords and email accounts from any of our others. So if you didn't follow that advice and used the same password and email everywhere, or worse, an email address with your real name, you do share partial responsibility for any problems that may come of it.

If you are driving down the street at 80 mph, and another car makes a left-hand turn in front of you, and you run into them, you both will be at fault: him for making an unsafe left turn, and you for going 80 mph. When the insurance companies start to hammer out who is responsible for what, they will most likely decide that the other driver is 90% responsible and you 10%. Note: I had this happen to me in real life (I was the driver making the turn).

"Blizzard is incorrect in claiming that SRP 'is designed to make it extremely difficult to extract the actual password' after the verifier database is stolen," Jeremy Spilman, the founder of a company called TapLink, wrote in a blog post titled "SRP Won’t Protect Blizzard’s Stolen Passwords," which was published on Friday. "That they would make this statement is at best misleading and inaccurate, and dangerous if users believe their passwords are still actually safe."

Game over fanboys. Blizzard officially sucks.

"Hackers with additional resources would have little trouble cracking a significant percentage of Blizzard passwords in a week or two."

Care to comment, CMs?

lol this article proves all my points.

"Algorithms such as SHA1, which is what the SRP whitepaper calls for, were designed to convert plaintext into hashes very quickly and with a minimal amount of computing power. That's precisely what someone out to crack millions of hashes wants most."

So, just as I predicted, Blizzard chose a weak encryption method because it has a low level of computing power, which translates to less cost. They sacrificed good security for more profit. Way to go, Blizzard.


While Blizzard suggests that we change our passwords as a precaution, the hackers were not able to get our passwords themselves. What they got was cryptographically scrambled versions of the passwords, protected by the Secure Remote Password (SRP) protocol. However, it would be foolish to assume that Blizzard would have given full and complete details on how exactly, or how well, the passwords are cryptographically scrambled. Why give the hackers hints on how to crack them?

Given enough time, effort and computing power, it is entirely possible for the hackers to obtain our actual passwords, but they would have to decipher them individually. The main thing is, Blizzard most likely made the cracking of the passwords difficult to the point that it would be impractical for them to do so.

Hackers want to get in and get out as fast as they can, and with as little effort as possible. It just will take too much time and effort on their part, when there are so many accounts that they can obtain through conventional means. So it is extremely unlikely that any individual accounts were compromised because of this. But you should still change your password as Blizzard suggested.

08/13/2012 03:07 PM Posted by Eglyntine
It is like telling a #!*! victim it was their fault for being #!*!d because the party they attended got hijacked by a group of #*#%%*s and the hosts are trying to down play the bad publicity by saying the victims should have know better than to draw attention to themselves by dressing up nice for the party.


If you get robbed on the way to another party of theirs 3 months before, they can't be blamed for that. Or if in their invitation they advised you to leave your fine jewels at home and wear paste copies instead, but you decide to wear the real ones, you share some of the blame if they are taken in the robbery.
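The posts above argue over what a stolen SRP verifier table is worth to an attacker: the "scrambled" records must be worked on individually, yet the hashing SRP specifies is fast. The following is an added example, not code from the thread, from Blizzard, or from the Ars Technica article; it implements the RFC 5054 verifier derivation (x = SHA1(salt || SHA1(user:password)), v = g^x mod N) using the 1024-bit group from RFC 5054 Appendix A, shows that per-user salts make two identical passwords produce unrelated verifiers, and contrasts the per-guess cost of the standard SHA1 derivation with a hypothetical PBKDF2-based derivation of x that is not part of SRP as specified. All usernames, passwords, salts and the round count are constructed values.

```python
"""Added example: SRP-6a verifier derivation (RFC 5054) and why a stolen
verifier table still needs protecting. Not Blizzard's code; the stretched
variant is a hypothetical hardening, not part of the SRP specification."""
import hashlib
import os
import time

# 1024-bit group from RFC 5054 Appendix A (g = 2). The demo does not depend
# on which group is used, only on the derivation of x and v.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
PBKDF2_ROUNDS = 100_000  # constructed work factor for the comparison below


def srp_x(username: str, password: str, salt: bytes) -> int:
    """RFC 5054 private value x: two SHA1 calls, no tunable work factor."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def stretched_x(username: str, password: str, salt: bytes) -> int:
    """Hypothetical variant (NOT RFC 5054): derive x with PBKDF2 so every
    guess costs PBKDF2_ROUNDS HMAC calls. In SRP the client computes x at
    login, so client and server would both have to adopt this."""
    inner = f"{username}:{password}".encode()
    digest = hashlib.pbkdf2_hmac("sha256", inner, salt, PBKDF2_ROUNDS)
    return int.from_bytes(digest, "big")


def make_verifier(username, password, salt=None, derive=srp_x):
    """What the server stores at enrollment: (salt, v). Never the password."""
    if salt is None:
        salt = os.urandom(16)
    return salt, pow(g, derive(username, password, salt), N)


def verifier_matches(username, password, salt, v, derive=srp_x) -> bool:
    """Re-derive v from a password. This is the step a server runs when a
    user re-enrolls a password, and it is also exactly the per-record cost
    of one offline guess for whoever holds the stolen table."""
    return pow(g, derive(username, password, salt), N) == v


def salting_separates_users(password="correct horse") -> bool:
    """Two users with the same password get unrelated verifiers, so no
    precomputed table of verifiers applies; each record must be attacked
    on its own (the 'individually' from the thread). Salts are constructed."""
    _, v1 = make_verifier("alice", password, salt=b"\x01" * 16)
    _, v2 = make_verifier("bob", password, salt=b"\x02" * 16)
    return v1 != v2


def seconds_per_guess(derive, trials=20) -> float:
    """Wall-clock cost of one derive + modexp, i.e. the per-guess cost for
    a given x derivation. Inputs are constructed."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(trials):
        pow(g, derive("alice", f"guess{i}", salt), N)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    salt, v = make_verifier("alice", "correct horse")
    print("verifier check:", verifier_matches("alice", "correct horse", salt, v))
    print("wrong password:", verifier_matches("alice", "wrong", salt, v))
    print("distinct verifiers for equal passwords:", salting_separates_users())
    fast = seconds_per_guess(srp_x)
    slow = seconds_per_guess(stretched_x)
    print(f"SHA1 x: {fast * 1e6:.1f} us/guess; PBKDF2 x: {slow * 1e3:.1f} ms/guess")
    print(f"slowdown factor: {slow / fast:.0f}x")
```

Running the block shows both halves of the argument in the thread: the salt defeats shared precomputation, so the records really do have to be handled one at a time, but with the specified SHA1 derivation one guess costs only two hashes and a modular exponentiation, so a stolen table should be treated as compromised and a password reset forced. The stretched variant is shown only to make the cost difference concrete; it changes the protocol on both ends and is not what RFC 5054 describes.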
I laugh at fanboys, at first they were

"you got hacked? it was a problem at your end blizz is perfect!"

-Blizzard says they lost personal information

"Wow every company gets hacked, its normal, not a big deal, you are the dumbs that gave your information"


Troll more?

They require our personal info so we can do digital downloads and such legally from the page since they allow us to digitally download older game clients ;)
Hell, if I had the ability to do this I would have just to spite Blizzard's smug "customer service". I have never dealt with a company whose public face seems to so thoroughly hate the customers that it supposedly serves.

Blizzard is the true fallen angel. They have gone from an incredible gaming company that was creative and "one of us" into an irresponsible company that has sacrificed the quality of their product in the name of the RMAH and can't protect its customers' critical information. I've gotten years of enjoyment out of their products, but I'm afraid that time is coming to an end.

"Well look, I already told you! I deal with the g*dd@mn customers so the (software) engineers don't have to! I have people skills! I am good at dealing with people! Can't you understand that? What the hell is wrong with you people?" -- Blizzard employee of the month...

You realize that a lot of people have e-mail addresses which are like firstname.lastname@isp.net or similar right?


It is not Blizzard's fault that they were so sloppy with their own personal security as to have an email account with their real name in it in the first place, or that they use that same email for everything.


Facepalm

You do realise many email addresses have some form of real name or initials so people can ID that emails being sent from the address are legit and not from some spam or trash email account. It also makes it easier to remember, as you would easily forget a username like "firstemail" but not "jsmith".

I can agree to using different emails for different purposes, but you do know that if your account gets hacked the only way to retrieve it is through your registered email.

Which should be your most secure one and something you use quite often.
08/13/2012 05:19 PM Posted by Ewing

You know, I am pretty much done with this conversation because it is pretty obvious that you all are going to defend Blizzard to the end, and unless this happened to you then you have no idea what you are talking about. I did not get hacked on any other forum or site besides this one. I had that password in three places: my e-mail, my bank account and Blizzard. My computer was hack free, my banking institute was hacker free that weekend, and my e-mail server (which I run myself) was not hacked into. They used that e-mail and that password. Choose to believe it was a complete coincidence all you want, blame the customers right along with Blizzard, I know it is fun for some of you and makes you feel all superior. It is the whole "Until it happens to you then you refuse to believe the story". But the truth of the matter is that it was a breach on their end and ppl were hit with the backlash. In the future I will be sure not to use their services, so I will definitely make sure this does not happen again. Blizzard has shown that they could really care less what happens to their customers' information as long as they have ppl like the fanboys defending them and feeding them with cash. Blizzard can do no wrong. Congratulations and Bravo!

I do however feel sorry for those that know what I am talking about and those that still have not been told what happened. Every major reporting agency out there feels the same way we do about how Blizzard has handled this situation so it does give me some consolation that not everyone has been implanted with the Blizzard Happy Chip.
I am not defending Blizzard about the compromise itself; yes, they let us all down. However, I had accounts with both Sony and Rift and they both got hacked twice last year (you would think they would have learned the 1st time). Neither one made any attempt to encrypt our passwords; they were kept in plain text. They both lost my personal and credit card info. Sony actually tried to hide the compromise from us for over 30 days.

At least Blizzard was able to keep our credit card info secure, and they did not store our passwords in plain text like those other companies did. Perhaps their encryption is not the best in the world, but then again it could be the best. We may never know, because they are certainly not going to help the hackers crack it by giving out too much info. However, as long as it holds up until we can change our passwords, that is all that matters.

After my experience with both Sony and Rift, heck yeah! I am impressed with Blizzard's handling of this.

However, no matter how badly Blizzard screwed up, it still does not excuse the bad security habits some of you seem so proud of. Really, using the same password on your B-Net account, email account, and on your bank account! Heck, forget that you used it on your B-Net account; using the same password on both your email and bank account by itself is beyond foolish.

You can be as mad at Blizzard as you want. But please, for your own sake, learn from it, and tighten up your online security practices.

08/13/2012 08:25 PM Posted by kickthecat
Which should be your most secure one and something you use quite often.


The less you use it, the more secure it is. Again, Blizzard has always suggested we use an email account that is totally dedicated to our B-Net accounts only. While you should check it frequently, you should not use it for anything else.
