Account Security Alert: Gawker Media

As some of you know, several Gawker Media websites, including Gawker, Gizmodo, Kotaku, Lifehacker, Jezebel, io9, Jalopnik, and Deadspin, were recently compromised. To help minimize the effects of this compromise -- namely for players who might be using the same login information for their Gawker Media accounts and their Battle.net accounts -- we issued password-reset emails for several accounts.

If you've received an email from Blizzard Entertainment requesting a password reset as a result of the Gawker Media compromise, clicking on the Account Management link included in the email's body will allow you to choose a new password. You can also log in to Battle.net Account Management directly by visiting https://us.battle.net/account/management to reset your password on your own. If you're unable to confirm that the email is legitimate* or prefer not to follow email hyperlinks, this may be the best option for you.


If you used your Battle.net email address to sign up with any of the Gawker Media sites listed above (for example, to post comments), we also recommend that you update your Battle.net email address as soon as possible via Account Management. If you are unable to complete this step or the password reset and believe your account might be compromised, please contact our customer support staff by using the Account Recovery Form ( https://us.battle.net/account/support/account-recovery.html ) and be sure to check out our Account Security Awareness guide ( http://us.battle.net/en/security/ ) for additional security tips and suggestions.


For more information about this situation, please visit Gawker Media's official announcement ( http://gawker.com/5713056/gawker-security-breach-were-here-to-help ) or Lifehacker’s comprehensive FAQ ( http://lifehacker.com/5712785/faq-compromised-commenting-accounts-on-gawker-media ).


* To verify that an email has been sent by Blizzard Entertainment, please check the email's header information and hyperlink destinations: http://us.blizzard.com/support/article/25133
Thanks for the info. I did change my account already because of this!
Never heard of any of this.
Isn't it possibly a bad idea to ask people to click links in emails like that?

Wouldn't it be better to ask them to type battle.net in the address bar, etc etc?

Most of the fake emails disguise the link so it looks like it goes somewhere proper until you mouseover it, and some of the urls are pretty creative.
---------
List of CC and Interrupts
http://us.battle.net/wow/en/forum/topic/1406726958
Posted by Whynot
Isn't it possibly a bad idea to ask people to click links in emails like that?

Wouldn't it be better to ask them to type battle.net in the address bar, etc etc?


If you're able to confirm that the email is sent by Blizzard Entertainment, clicking on the included link is perfectly fine. We understand that many players prefer to remain cautious of hyperlinks in general due to the prevalence of phishing scams, though, which is why we also noted that you can log in to Battle.net Account Management to reset your password on your own. :)
Got hacked this morning.. go on lockdown people
Posted by Whynot
Isn't it possibly a bad idea to ask people to click links in emails like that?


Security 101, actually. Never, ever, ever, ever click on a link in an e-mail. It doesn't matter if "you're sure it's from someone you know and trust". Just go to the website by typing it in.

Tsk tsk Lylirra.


Security 101, actually. Never, ever, ever, ever click on a link in an e-mail. It doesn't matter if "you're sure it's from someone you know and trust". Just go to the website by typing it in.


Tsk tsk Lylirra.




Perfectly acceptable to click on a link if the headers check out. :P
Posted by Whynot
Isn't it possibly a bad idea to ask people to click links in emails like that?


Security 101, actually. Never, ever, ever, ever click on a link in an e-mail. It doesn't matter if "you're sure it's from someone you know and trust". Just go to the website by typing it in.




Indeed. There's prolly some hackwad out there now sending out official looking emails from "Blizzard" with a nice tidy link that gets you royally screwed.
Can't believe blizzard is telling people to click links in emails ROFL the scammers make emails with addresses that are legit but once clicked take you to a dodgy site.

BTW FIX PRIESTS HEALZ!!!
12/14/2010 6:25 PM Posted by Lylirra
namely for players who might be using the same login information for their Gawker Media accounts and their Battle.net accounts -- we recently issued password-reset emails for several accounts.


How would you happen to know this info?
I received this email too, but beware that some of the warning emails are also fake, they requested you to change your password but the links to do so took you to copycat sites, so NEVER follow the links in any emails
Do we need to reset our passwords if we're not worried about this?


My password for WoW is a completely unique password, not used anywhere else on the internet for any THING else.


How would you happen to know this info?



Gawker probably gave them the list.
yeah you should edit that and just say go to battle.net . People are dumb... have to make things easier for them.
See, my concern--and I know how to check headers. Believe me, I fervently did each time I got a CATACYSM BETA KEY email--is that most players don't. The prevalence of warcraft phishing emails, paypal phishing emails, and facebook phishing emails proves this.

I never did get that key... =(.

And of course, there's some neat tricks you can do. If a wrod cotnains all the rihgt letters and ends and begins corrcetly, people have a difficult time seeing that.

Not to rnention the fail that is capital i and lowercase L being pretty identical.

(Betcha didn't notice 'mention' doesn't start with an m.)
12/14/2010 7:19 PM Posted by Nazgulrider
yeah you should edit that and just say go to battle.net . People are dumb... have to make things easier for them.


No joke. I think Blizzard puts a little too much faith in people sometimes.
Posted by Lylirra
If you've received an email from Blizzard Entertainment requesting a password reset as a result of the Gawker Media compromise, please click on the link included in the email's body to choose a new password. You can also log in to Battle.net Account Management to reset your password on your own ( https://us.battle.net/account/management ).


Naughty, naughty Blizzard. Very few of your users know how to read email headers (or would bother, since it's faster to type www.battle.net), and I would have no trouble at all simulating everything but. If I was the type, I bet I could have 10,000 accounts hacked by tomorrow morning because of this short-sighted post. Links in emails are ALWAYS a bad idea, and I am disappointed that Blizzard would post this up. Did Lylirra's account get hacked, perhaps?
12/14/2010 7:07 PM Posted by Mikolai
Perfectly acceptable to click on a link if the headers check out. :P


And you also read the source code for the link, sure. But it's faster to type http://www.battle.net than to dig down to the headers (the actual raw headers, not the "From" box which can be faked).

Think of email in terms of normal mail. I copy some letterhead, say your local government taxation office, and send an official looking letter that says if you don't pay $X into account no <blah> by <insert date here> you're going to jail. The letter looks completely legit. But let's say that you are FORCED to put your real return address on the envelope (because in email you effectively are). If you have the envelope, you know it's a fake. If you had the letter without the envelope, you can't tell. Email is the same. The headers are the envelope. If you read them, you can see the truth. If you only look at the letter it could be identical to the real thing in every way except the actual link, and HTML mail lets you obscure the link too. A simple man-in-the-middle attack (which means that the server you log in on really does authenticate to the Blizzard server and changes your real password, it just slurps up the new one along the way) and you're hacked. It's EXTREMELY easy to do. Hang on, I'll sit down and do one now, it'll take me about 20 seconds .... (joking about the doing, not about how long it takes).
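
Added example, not part of any post in this thread: a Python check for the link problem the posts above describe, flagging anchors whose visible text shows one host while the href goes to another, and destinations outside the expected domains. The `TRUSTED` list, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("battle.net", "blizzard.com")  # assumption: domains seen in the thread's URLs
# Constructed sample message (not a real email); link hosts use reserved test TLDs.
SAMPLE = """\
From: "Blizzard Entertainment" <noreply@example.invalid>
Content-Type: text/html; charset="us-ascii"

<p><a href="http://us.battle.net.example.invalid/login">https://us.battle.net/account/management</a></p>
<p><a href="https://us.battle.net/account/management">Account Management</a></p>
<p><a href="http://us.battIe.example/">us.battle.net</a></p>
"""

def host_of(url):
    # Lower-cased hostname; lowercasing also exposes a capital I posing as l.
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(raw_message):
    """Return (finding, visible text, real destination host) for each suspect link."""
    collector = LinkCollector()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload())
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        # Only compare when the visible text itself looks like a URL or hostname.
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append(("text-href-mismatch", text, target))
        if not any(target == d or target.endswith("." + d) for d in TRUSTED):
            findings.append(("untrusted-destination", text, target))
    return findings
```

Calling `audit_links(SAMPLE)` flags the first and third links twice each and leaves the genuine Account Management link alone; a trusted-looking prefix such as `us.battle.net.` in front of another domain does not pass the suffix check.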
Well, I'm glad to finally hear that the emails were sent from Blizzard. I was worrying about this all day.
