Blizzard pwned: Gamers' email, encrypted passwords slurped

Blizzard Entertainment, which makes World of Warcraft, Diablo III and other games, has coughed to a security breach of its internal network. Email addresses, answers to security questions and encrypted passwords linked to player accounts are believed to have been lifted by hackers. The gaming outfit said in a lengthy statement …

COMMENTS


Bronze badge
Holmes

step one

excluding those based in China,

Well, it's a starting point :)

Nothing like a little national honour.

1
5
FAIL

Still no official email here... nice...

What percentage of players never visit the main website/forums and don't read tech sites?

3
1
Linux

They didn't send email, because you know, people will think it's ok to click a link in email and then wonder why they ended up with a compromised account. However, if you open ANY Blizzard game launcher right now, you'll see a big warning about it.

4
0

So don't include a link, game companies (including Blizzard!) send official emails all the time, usually telling people to visit the home page and then browse to other parts of it...

0
1
Anonymous Coward

It's a snow job

Sorry

1
0
Silver badge

Blizzard and password security

I don't think that they should be mentioned in the same breath, ever since I spotted that the passwords were case independent - ABC123 was the same as abc123...

It may have changed now, I haven't played WoW or similar for about 3 years, but it shows a less than stringent attitude to account security.

3
0

Re: Blizzard and password security

Case insensitive - I'd call that real-world user friendly (remember, gamers!) I'd like to not have to remember whether I typed snowstorm1212 or Snowstorm1212 when setting my password (not a real example, unless it is), and, while I'm at it, I don't like to use any word that is bad enough to describe the system administrators who think that the network security is somehow improved by rejecting a password of "thankyoukindly" and accepting "IHateDoingThis". They'd better just hope that hackers can't read my writing after I graffitied my password onto the wall of the building across the road for convenience.

I assume, of course, that they are case-casting, super-salting, and heuristically hashing these passwords.

3
7
Silver badge

Re: Blizzard and password security

snowstorm1212 got it.

*goes and logs into Roberts battlenet account*

5
0

Re: snowstorm1212

Hey, that's the combination to my luggage!

4
0
Thumb Up

Password Length

A game I recently took part in the beta for made a big thing during sign-up about the fact their password system would accept anything from 8 to 512 characters, case sensitive and including spaces, and as we all know it's length rather than weird characters that make a password secure. That's why "8h&n3!LP" is nowhere near as secure as "Thisgamesucksdonkeyballs" when it comes to brute force attacks, as written about on El Reg not all that long ago.

I pondered for a while and came up with "I hate making up passwords for games 2012" (since they said it still had to have a capital and numbers in it) and it stuck in memory better than my usual crop of 8-character passwords, but as you said, not only is it more user friendly to be case-insensitive but it makes as much sense as the opposite.

2
0

Re: Blizzard and password security

I think the case-insensitivity was more to do with reducing support load for "oops, I had CAPSLOCk on" cases.

1
0
Silver badge

Re: Blizzard and password security

"I assume, of course, that they are case-casting, super-salting, and heuristically hashing these passwords."

No, they're using SRP, if the article and Blizzard's statement are accurate. SRP is a ZKP (zero-knowledge proof) authentication mechanism. The verifying party (the server, in this case) has a verifier which can be used to confirm the validity of the password, but which cannot be used to reconstruct the password. It also offers perfect forward secrecy, among other things.

The main advantage of a ZKP authentication protocol over password hashing is that the password is never sent to the verifying party. If an attacker takes over the server, they can authenticate clients, but they can't get the clients' passwords from logon requests.

An aside: for password storage, you wouldn't want a heuristic hash. You'd want one with well-understood, carefully-designed hashing behavior, in particular image and preimage collision resistance.

0
0
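To make the point above concrete, here is an added SRP-6a walkthrough (example code written for this thread, not Blizzard's implementation or any library's API): the server enrols a user by storing only a salt and a verifier v = g^x, and a login succeeds only when both sides derive the same session key without the password ever leaving the client. The group modulus and generator are a toy choice for readability (2^127-1 is prime but not a safe prime); a real deployment uses one of the RFC 5054 groups, and the username, password and salt are constructed sample values.

```python
import hashlib
import secrets

# Toy group for demonstration only: 2^127-1 is prime but NOT a safe prime.
# Real SRP deployments use the RFC 5054 groups (2048-bit or larger safe primes).
N = (1 << 127) - 1
g = 3

def H(*parts):
    """Hash ints/str/bytes into an integer; both sides must use the same encoding."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else str(p).encode())
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier parameter

def make_verifier(username, password, salt=None):
    """Enrolment: the server stores (salt, v) and never sees the password again."""
    salt = salt or secrets.token_bytes(16)
    x = H(salt, H(username + ":" + password))
    return salt, pow(g, x, N)

def server_challenge(v, b=None):
    """Server picks ephemeral b and sends B; B hides v because of the k*v term."""
    b = b or secrets.randbelow(N)
    return b, (k * v + pow(g, b, N)) % N

def client_login(username, password, salt, B, a=None):
    """Client sends only A; the password is used locally to compute x."""
    a = a or secrets.randbelow(N)
    A = pow(g, a, N)
    u = H(A, B)
    x = H(salt, H(username + ":" + password))
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return A, H(S)

def server_session(v, A, B, b):
    """Server derives the same S from v and A without knowing x."""
    u = H(A, B)
    return H(pow((A * pow(v, u, N)) % N, b, N))

def srp_auth(username, password_attempt, salt, v):
    """Full exchange; True iff client and server derive the same session key."""
    b, B = server_challenge(v)
    A, k_client = client_login(username, password_attempt, salt, B)
    return k_client == server_session(v, A, B, b)

if __name__ == "__main__":
    salt, v = make_verifier("robert", "snowstorm1212")  # constructed sample
    print(srp_auth("robert", "snowstorm1212", salt, v))  # True
    print(srp_auth("robert", "Snowstorm1212", salt, v))  # False
```

Note that SRP is case-sensitive by construction, so any case-folding would have to happen before x is computed, and a leaked (salt, v) pair, while it does not reveal the password directly, still lets an attacker test candidate passwords offline, which is why a breach of the verifier database warrants a password change.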
Unhappy

Wrong advice

You need to change your SECURITY QUESTION, if that's what the hackers have. Bad luck if you used the same one on multiple sites.

7
0

Re: Wrong advice

You can't... it's permanent for a reason. If you think about it, if you could change your security question, what do you think the first thing a hacker would do when he gained access to your account?

1
0
Anonymous Coward

Re: Wrong advice

As a precaution I never use the same security questions on really important accounts more than once. I do wonder if they hash the security question answers though, because they don't mention it. Whilst it looks like I've not been affected by this, it did spur me to alter my password structure and swap over to supergenpass. I wish more places had two factor authentication, but I'm happy enough that my really important sites do have that and my email is about as hardened as I can get it now.

0
0
Bronze badge

Re: Wrong advice

The thing with security questions is that anyone who can find out about you will have a high chance of being able to answer questions like mother's maiden name, place of birth etc. To get around this I've started answering security questions with completely unrelated answers. The questions may be set in stone but that doesn't mean you have to answer them truthfully :)

5
0
Paris Hilton

Re: Wrong advice

The "unrelated answer" method is very good from a security perspective, but does make it hard to remember which answer was used for a given question.

That leads to repetition of the same answer or to writing down the question/answer combinations, which reduce the security a bit again.

Personally I think these security questions generally bring about a lower level of security. Guessing or researching the answers to security questions is typically the main method used in hacking online mailboxes of celebrities and politicians.

The practice would be improved quite a bit if more institutions allowed the users to also state the questions, since that would at least prevent a hacker from researching a list of answers to all the usual questions before trying to persuade the helpdesk that he or she has been shut out of Paris Hilton's account by mistake.

This would also open the way for some more interesting support debates:

Supporter > So let's check your security questions... (long pause) ... "would you like to go out with me?"

Me > "Yes, but only if you pay for the beer"

Supporter > That is correct

etc...

3
0
Silver badge

Re: Wrong advice

For a while one of my (female) bosses had:

Q: "There's no way you're going out dressed like that young lady"

A: "I'll dress how I like and you're not even my real dad!"

2
0
Silver badge

@TonyHoyle

"If you think about it, if you could change your security question what do you think the first thing a hacker would do when he gained access to your account?"

Change the password.

2
0
Silver badge

@Claus

"The "unrelated answer" method is very good from a security perspective, but does make it hard to remember which answer was used for a given question."

Keep in mind that 'unrelated to the question' doesn't mean unrelated to the person who answers it.

For example; "the name of your mother". Someone could easily answer with a name who has always been a mother-like figure to him/her. Within the context of the question totally unrelated, same for outsiders. But I bet the user won't have any problem remembering the answer.

0
1
Silver badge

Given the amount of money that Blizzard make off their players

They had better do a damn sight more than just say "Sorry.".

2
1

Stop

Re: Given the amount of money that Blizzard make off their players

Armchair trolling is much more pathetic, and sadly, more ubiquitous.

3
3
Joke

what would actually happen to a person if their WoW account got took

massive increase in going outside?

1
1
Joke

Re: what would actually happen to a person if their WoW account got took

Negative, in case of emergencies such as the one you mentioned as well as power or internet outages my girlfriend and I have the World of Warcraft trading card game to tide us over.

Outside? Hah, we don't even have a lift we have to walk up THREE flights of stairs. That'll be the day.

6
0
Anonymous Coward

Re: what would actually happen to a person if their WoW account got took

And random school shootings I would assume, XP points must be gained somewhere right?

2
1
Trollface

Hahahha yes but then they would run right back inside, frightened by that bright yellow thing in the sky!

1
0
Gold badge

Curse the yellow face! It hurts our eyes-es Preciousss. Yes-ss it does-ss.

0
0

"Please click this link to change your password."

Password mishaps happen and at least these guys seem to have taken precautions. But then sending a message that looks exactly like a classic phishing mail? Didn't we all agree not to do that?

2
1
Big Brother

Except it's not an email. It's a big fat warning on the game launchers that lead to a website.

3
0

Aha! Thank you, that makes sense now.

1
0
FAIL

With the recent Amazon/Apple thing, and now this...

Every website needs to either drastically improve their security (or 2 form authentication) or make it less strict.

I'm not going to risk my hard-learned security question answers and passwords to websites, if they keep losing them. I'd rather have a unique really simple password so when it's hacked I've not lost much.

0
0

aye, except it's not a website login, it's a dedicated launcher program

2
0
Joke

So glad I stopped playing wow a long time ago

They obviously forgot to recast their firewall buffs!

2
0
Anonymous Coward

Let's be honest.

How many of us work for companies that don't implement a proper password policy in their software?

(at my last company passwords were in plain text, new company at least they're encrypted but still not hashed).

Why don't I do anything? What can be done, I only go to work so I can afford food and clothes, If I had any say it would have been done correctly first time.

1
0
Anonymous Coward

Re: Let's be honest.

You should ask how many companies DO implement a proper password policy. Not many, not many at all.

1
0
Anonymous Coward

Re: not many at all.

Sadly I fear you are correct. *sigh* This is not rocket science, and if companies would just hire one person to do this properly instead of outsourcing it to India, that would be one more person earning money, paying taxes and making the economy go around. Can't have that in England though.

1
1
Silver badge

Re: not many at all.

You are so right, they spend all their money sending teenage muggers on holidays and filling prisons with playstations and drugs. And those fucking teachers who are too lazy to spend their free time running after school sports clubs. And all the 13 year old mums that have all that fake tan and watch celebrity big brother and the jeremy kyle show. And no one's allowed to go to church anymore and all the women have to wear burkas. And you're not even allowed to do a comedy "sieg heil" at a black athlete without the police arresting you, humourless bastards.

Sorry, what were we talking about again?

3
1
FAIL

Re: not many at all.

You are shitting me, right? You seriously think just because you hire a local person, they would do it right? And a foreigner cannot do it right?

2
0
Go

Re: Let's be honest.

Depends whether your company ever needs to have its software pentested by a third party...

If you sell it into government, to companies that need things like PCI compliance, or even to a client who just happens to be security conscious chances are they will have the software tested, and such problems *should* be flagged up.

Better to fix what you know about now, otherwise it could get quite embarrassing later and might result in lost business.

0
0
Meh

And this after my authenticator stopped authenticating

"Blizzard also plans to automatically prompt its players on North American servers to change their secret questions and answers."

Which it can't do until it implements the ability to change the questions and answers. D'oh.

https://us.battle.net/support/en/blog/6940803

Usually, I'm very critical of Blizzard, but I have to admit they've done several things right here. On the plus side, I'm glad that the information taken doesn't look like it could actually be used to access an account as-is. They did a good job by working quickly to seal the breach & notify users. Unlike my usual experiences with their website, the notices make it easy to find what to do (change your password).

Ironically, I had to remove the authenticator from my account recently because it stopped working. In this case, it would not have protected me anyway. I had been using the Android authenticator app, and the security tokens just stopped being accepted one day. I tried re-syncing it but to no avail. The "support" process was broken in a few key ways.

- I couldn't contact support online. You have to log into your account to do that, and I couldn't log in without the authenticator token being accepted.

- I couldn't use their web form for resetting my authenticator. The Serial Number field did not accept all the digits from the SN in the authenticator app Blizzard had provided.

At least they will be getting up to date with other institutions that have managed to provide the ability to change your own Q&A. :p

0
0
Anonymous Coward

Hmmm

Are they using MS Winblows on their servers?

1
3
Silver badge
Happy

Re: Hmmm

Winblows?! Ha! That is well funny. Maybe they run Spewnix, or something from Crapple. Oh, my sides have just ruptured from all the wordplay hilarity.

No, really.

7
1
FAIL

Re: Hmmm

Blizzard and Warcraft are Windows based.

0
0
Flame

Oh not again...

So I've had e-mails telling me to change my password from...

Twitter

LastFM

Linkedin

But not from Sony after their grand hack, but I changed it anyway on my ancient PSN account.

I have a trial WoW account, so maybe I can expect an e-mail from them too, or I'll do it myself.

With these on-line services, many of which even keep your credit card details, (Google Play want to keep a copy of my passport too because I updated an expired credit card), leaking credentials like a sieve, this is becoming tiresome.

The future, a digital economy where the gates are left open every so often for a quick mass account grab by some thieves.

0
0

Idiots.

So their announcement that the users need to change passwords is almost identical to announcements sent out by scammers - INCLUDING the "click this link"? What a wonderful way to inspire confidence!

Did they hire a bunch of untrained monkeys at Blizzard? Or are they just really, really stupid?

0
0

Mobile Authenticators

As soon as I heard that mobile auth'er info was compromised, I changed the serial number on mine. A lot of battle.net users don't realize you can do that.

0
0

Authenticators

Hacking battlenet and WoW accounts in general has been an issue since our Chinese brethren started selling gold to those gullible enough to swap real money for the pretend kind (often obtained from hacked accounts). It is the reason I purchased a regular authenticator for the princely sum of $6 and steadfastly refused to switch that to the mobile version, especially as Blizzard have the gall to charge a second subscription if you go that route.

The way they work is if your IP changes you have to supply an authentication number sent to your authenticator (or mobile) by Blizzard, which prevents someone from China using your credentials a couple of minutes after you login. This authentication number changes every 15s or so, so it can't be guessed. It also requires you to authenticate your password if you don't log on for a few days and at least once a fortnight if you do happen to be so addicted to "The Game" that you login every day.

It doesn't require you to authenticate every time you logon because that is both annoying and pointless, given the ways an authentication is already triggered.

All in all, if you care about your account then a one time payment of $6 is a reasonable expense to secure it. If you don't care, then that's fine too, just don't be surprised if your friends get pissed off at you when some Chinese fucker empties the guild bank.

0
1
Meh

Re: Authenticators

They do NOT charge a second subscription to use a Mobile authenticator, we both use them and I assure you I feel stupid enough giving them $15 a month. There is NOTHING that could induce me to get a second subscription.

And the mobile based one is FREE. What more can you ask?

And BTW you can set your account to require authentication EVERY log in.

0
0
