Blizzard Says Battle.Net Has Been Hacked 340
An anonymous reader writes "Blizzard announced today that its Battle.net service was compromised. The company is urging users to change their login information immediately. Blizzard is stressing that payment information was not compromised. 'The unauthorized access included email addresses associated with Battle.net accounts in all regions, outside of China. Additional information from accounts associated with the North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) was also accessed, including cryptographically scrambled versions of passwords (not actual passwords), the answer to a personal security question, and information relating to Mobile and Dial-In Authenticators. It's important to note that at this time, Blizzard does not believe this information alone is enough to gain access to Battle.net accounts.'"
Anyone have real information? (Score:3, Informative)
Re:Anyone have real information? (Score:5, Informative)
Re:Cryptographically Scrambled Passwords (Score:5, Informative)
the server carries a verifier for each user, which allows it to authenticate the client but which, if compromised, would not allow the attacker to impersonate the client
Re:FYI, "secret" questions can not be changed. (Score:4, Informative)
That hasn't been true for over a year [epicnpc.com].
Also, they're going to en masse make everyone change their security question/answer real soon now.
Re:Well now. (Score:4, Informative)
Since I''m over 25 and work for a living
making you the target market for games, and modern MMO's. Especially so if you're male. Because you know, the people who actually work at blizzard want to play their own game, and they're mostly over 25 and have jobs. So if you're one of the 40 million or so people who ever created a battle.net account for starcraft or diablo or WoW then yes, this effects you. Because what was your security question, have you ever reused it, and was it publicly available information?
Re:FYI, "secret" questions can not be changed. (Score:5, Informative)
Re:Thanks! (Score:3, Informative)
Diablo 3 is a multiplayer game with a where you can choose to not directly interact with other players, but without the auction house the whole itemization would need to be completely different.
That was one of the things they realized with D2, the reason it stuck around was the multiplayer, they just got the idea that the whole thing should be multiplayer. starcraft has less of an excuse because there's no meta economy in starcraft.
Re:Thanks! (Score:5, Informative)
It's not an argument. It is. The game is a multiplayer game. Just because that's a stupid idea doesn't mean it isn't the one they went with.
I'm sorry that your point of view is just wrong. But it is. The whole game was balanced around you being able to buy and sell from the auction house. That was a deliberate choice on blizzards part, and without the AH the game becomes prohibitively hard because you just can't get the right itemized gear and you need an astronomical amount of farming to get through the content. Again, I'm not saying that's a *good* design, but that is the design. If anything the game suffers because you almost never loot anything you actually want, I think I looted one inferno difficulty item I actually used, all of the rest I had to buy.
They certainly could have designed the itemization differently or had a full on single player mode with different itemization. But they didn't.
The 'core activity' of diablo is 'click'. I'll grant you that activity is mostly unchanged form previous versions. But most games are more than just one core activity.
they wouldnt even work with me on a refund, when I had issues 3 weeks after launch because I pre ordered it, and therefore it was more than 30 days out of date, eventhough i only had the game for aweek less than 30 days.
yes well, that's a whole other topic. But once they have your money they don't want to give it back.
Re:Cryptographically Scrambled Passwords (Score:4, Informative)
Which is still very secure if they used a one time pad with the XOR.
The only thing stronger than XORing with a one time pad, is XORing the input with itself.
Using scrambling rather than cryptography (Score:4, Informative)
Using scrambling rather than cryptography gets around cryptographic export and import restrictions. This is why it was possible to decypt a lot of Windows and Microsoft Word scrambled content, and why Windows NT password recovery tools existed.
Unless you want to lock yourself out of most Asian countries where videogaming comes close to a religion, and is therefore worth gobs of money, you will not build something which violates their import restrictions. See also:
http://en.wikipedia.org/wiki/Restrictions_on_the_import_of_cryptography#Status_by_country [wikipedia.org]
This is for real (Score:5, Informative)
Real links here: http://us.blizzard.com/en-us/securityupdate.html [blizzard.com]
http://sea.battle.net/support/en/article/important-security-update-faq [battle.net]
The important thing to note is that the passwords were encrypted with Secure Remote Password protocol, meaning that Rainbow Tables are ineffective since each password is individually encrypted instead of using a common hash. Also, the process is CPU expensive so brute forcing is highly unfeasiable for reasonably length passwords.
Re:Cryptographically Scrambled Passwords (Score:5, Informative)
The letter from Blizzard itself says they use the Secure Remote Password protocol, so this is what they mean by "Cryptographically Scrambled":
http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol [wikipedia.org]