
Blizzard Says Battle.Net Has Been Hacked

Posted by samzenpus
from the all-your-password-are-belong-to-us dept.
An anonymous reader writes "Blizzard announced today that its Battle.net service was compromised. The company is urging users to change their login information immediately. Blizzard is stressing that payment information was not compromised. 'The unauthorized access included email addresses associated with Battle.net accounts in all regions, outside of China. Additional information from accounts associated with the North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) was also accessed, including cryptographically scrambled versions of passwords (not actual passwords), the answer to a personal security question, and information relating to Mobile and Dial-In Authenticators. It's important to note that at this time, Blizzard does not believe this information alone is enough to gain access to Battle.net accounts.'"
This discussion has been archived. No new comments can be posted.

  • Thanks! (Score:5, Funny)

    by Anonymous Coward on Thursday August 09, 2012 @06:53PM (#40939819)

    Thanks for your always-online requirement for Diablo 3! So very useful if I want to play alone.

    • Re: (Score:3, Informative)

      by Sir_Sri (199544)

      Diablo 3 is a multiplayer game where you can choose to not directly interact with other players, but without the auction house the whole itemization would need to be completely different.

      That was one of the things they realized with D2, the reason it stuck around was the multiplayer, they just got the idea that the whole thing should be multiplayer. StarCraft has less of an excuse because there's no meta economy in StarCraft.

      • Re:Thanks! (Score:5, Insightful)

        by ganjadude (952775) on Thursday August 09, 2012 @07:34PM (#40940303) Homepage
        Really??? That's your argument? From my point of view as a D player since D1, STILL play d2, and gave up on d3, I am sick of the people who claim that "d3 is a multiplayer game" maybe by marketing, but not by gameplay. It is NO DIFFERENT than d2, in gameplay that it should require me to check in with them if I want to play by myself. And on top of that, they wouldn't even work with me on a refund, when I had issues 3 weeks after launch because I pre ordered it, and therefore it was more than 30 days out of date, even though I only had the game for a week less than 30 days.
        • Re:Thanks! (Score:5, Informative)

          by Sir_Sri (199544) on Thursday August 09, 2012 @07:50PM (#40940467)

          It's not an argument. It is. The game is a multiplayer game. Just because that's a stupid idea doesn't mean it isn't the one they went with.

          I'm sorry that your point of view is just wrong. But it is. The whole game was balanced around you being able to buy and sell from the auction house. That was a deliberate choice on Blizzard's part, and without the AH the game becomes prohibitively hard because you just can't get the right itemized gear and you need an astronomical amount of farming to get through the content. Again, I'm not saying that's a *good* design, but that is the design. If anything the game suffers because you almost never loot anything you actually want, I think I looted one inferno difficulty item I actually used, all of the rest I had to buy.

          They certainly could have designed the itemization differently or had a full on single player mode with different itemization. But they didn't.

          The 'core activity' of Diablo is 'click'. I'll grant you that activity is mostly unchanged from previous versions. But most games are more than just one core activity.

          they wouldn't even work with me on a refund, when I had issues 3 weeks after launch because I pre ordered it, and therefore it was more than 30 days out of date, even though I only had the game for a week less than 30 days.

          Yes, well, that's a whole other topic. But once they have your money they don't want to give it back.

          • Re:Thanks! (Score:5, Interesting)

            by ganjadude (952775) on Thursday August 09, 2012 @08:04PM (#40940623) Homepage
            I understand your argument, I really do. However, I don't understand any good reason to disable the single player mode from d2 (which the char was not able to play on battlenet, and therefore not able to access the "real money" market Activision set up (I'm convinced this is an Activision move, and not something Blizzard would have done prior to being bought up)). I simply disagree with the way the game was handled. Hell, I pre ordered, pre downloaded, and still couldn't play for 2 days after it was "released" all because of server issues. If that is the route all games are going to go.. I guess I am not a gamer any longer. That's just me, but I will not deal with that, I'll keep playing super mario world and D2 and be happy.
            • by Rewind (138843)

              I understand your argument, I really do. However, I don't understand any good reason to disable the single player mode from d2 (which the char was not able to play on battlenet, and therefore not able to access the "real money" market Activision set up (I'm convinced this is an Activision move, and not something Blizzard would have done prior to being bought up)). I simply disagree with the way the game was handled. Hell, I pre ordered, pre downloaded, and still couldn't play for 2 days after it was "released" all because of server issues. If that is the route all games are going to go.. I guess I am not a gamer any longer. That's just me, but I will not deal with that, I'll keep playing super mario world and D2 and be happy.

              I am not the other guy, but maybe I can clarify: It is an online game. That is a fact. You may not like that, you may not have played previous Diablo games online ever, but Diablo III is server side. It is an online game. That is not an argument, it is a statement of fact.

              You are free to not like that and not buy the game and mention how much you dislike the fact, but it is still fact, not an argument. I agreed with their decision here, but I hope they (like me) look at it in retrospect and say "yeah

              • Re:Thanks! (Score:5, Insightful)

                by PopeRatzo (965947) on Thursday August 09, 2012 @09:04PM (#40941175) Homepage Journal

                I am not the other guy, but maybe I can clarify: It is an online game. That is a fact.

                Let me clarify further: Diablo 3 is an extremely shitty game that not only is overpriced by about 3x, but then seeks to monetize even further with its online crapola.

                As a free2play online game, Diablo 3 would be excusable. As the anchor in a very popular trilogy of AAA titles, it's inexcusable.

                Further, to heap FAIL on top of FAIL, the information that you had to give them to create an online account with Blizzard in order to play this mediocre free2play crap is now in the hands of some Bulgarian sleazebags who will do their best to monetize Diablo 3.

                Blizzard couldn't have mistreated Diablo fans much worse without infecting every one of them with Ebola virus and then smacking them in the face with a meat tenderizer.

                Naturally, Blizzard bears zero liability for any damage that might be caused by their inability to keep customer records secure because everyone who played the game had to sign away all of their rights in the endless EULAs that they had to agree to on installation and with every single update.

                Let me end this rant with a brief prayer: Jesus, Lord Baby Jesus, I beseech you. Please make the prostates of every one of the Blizzard upper management, board of directors and major shareholders swell up to the size of honeydew melons so that it takes them 15 minutes just to squeeze out a painful, burning drop of urine. And let them know, Father, that this pain is directly caused by their behavior with Diablo 3 (which, if it makes any difference to you, Baby Jesus, has satanic overtones). And I further pray, Lord, that you make an example of them so horrible as to cause sweaty, trembling nightmares for the upper management of every game developer and publisher, so that their nights may be beset with horrors so that they might look into their souls in order to change their ways and stop fucking over their customers. I pray this in the name of God (may Allah protect him), Amen. PS: please let the Bears win their home opener by 14 points or more..

                • Mmmmmm... ebola...
                • Re: (Score:3, Insightful)

                  by gutnor (872759)

                  Let me clarify further: Diablo 3 is an extremely shitty game that not only is overpriced by about 3x, but then seeks to monetize even further with its online crapola.

                  Diablo 3 is almost the same as Diablo 2 pre-LoD with better graphics and a gameplay rebalanced toward more casual players than hardcore ones:
                  - No need to spend 40+ hours to try a new build.
                  - A gold auction house (i.e. game money, not real $) to buy high level objects without excessive grinding or spending hours in forums to find prices, descriptions and reliable vendors.

                  Of course, to the guy still playing Diablo 2 today, Diablo 3 will feel dumbed down and "not elitist" enough. I played Diablo 2 as an obsessive

                • Re:Thanks! (Score:5, Insightful)

                  by Anonymous Coward on Friday August 10, 2012 @02:51AM (#40943029)

                  Jesus, Lord Baby Jesus, I beseech you. Please make the prostates of every one of the Blizzard upper management, board of directors and major shareholders swell up to the size of honeydew melons so that it takes them 15 minutes just to squeeze out a painful, burning drop of urine.

                  I'm afraid you're praying to the wrong God here. Jesus would tell you to forgive, and seek in you the strength to go to Blizzard and convince them to lose their bad ways, by being a loving example to them, as you'd like them to be to you.

                  Muhammad would tell you to behave, be a good moslem, and insist Blizzard upper management is bound for fiery inferno anyway so why care.

                  Buddha would tell you to care less for videogames, and maybe instead enjoy your next meal more (hmmm pork).

                  Nanak would just smack you over the head, and then pee in your general direction.

                  Eris would grant you your wish, turning Blizzard's management even more sour, then She would make you buy their next yet-shittier game nonetheless so you'd share some of the pain you sought to inflict, for the lulz.

                  Most other deities would require costly sacrifices and long imprecations upfront just to listen, mostly understanding your plea half wrong anyway. And their antagonist deities would curse you afterwards.

            • Re: (Score:2, Interesting)

              by Sir_Sri (199544)

              The real money auction house is an example of a free to play concept, and players were exchanging real money through unofficial channels. That poses huge security problems (like the ones people are talking about with WoW), which translate to customer support problems, and Blizzard figured they could get a cut.

              Even without the real money though, the regular auction house is your entire region, and a main source of gear for high level balance. The ability to dupe items in D2 caused no end of balance grief a

          • you need an astronomical amount of farming to get through the content

            ... or you could play as the wizard and use the teleport skill at the same time as archon skill to enter god mode (complete invulnerability). It took them more than a month to fix this fairly major bug.

            • by Sir_Sri (199544)

              Unfortunately being invulnerable doesn't make drop rates better. Earns you lots of money from the AH though.

      • While true, it points to the major problem. The entire reason single player must be played "online" is because it's a real money auction house. This single design decision drove all of the "features" that everyone detests. Their greed is the problem here.

        • by Sir_Sri (199544)

          No, not just the real money auction house. The regular one too. The RM AH is so Blizzard can get a cut of the real money changing hands.

      • by _KiTA_ (241027)

        No, Blizzard realized there were still people selling runes 10 years after D2's release and thought: Christ, why aren't we getting a piece of that action?

        Every decision after that became suspect. The drop rates, the difficulty levels, even the layouts of the maps. Everything can (and has been) designed to push people towards the RMT AH. They have a direct economic incentive to do so.

  • Yah (Score:5, Insightful)

    by the_Bionic_lemming (446569) on Thursday August 09, 2012 @06:54PM (#40939825)

    Can I please have my single player offline games back?

    • Re:Yah (Score:5, Funny)

      by DoofusOfDeath (636671) on Thursday August 09, 2012 @07:25PM (#40940175)

      "No." -Activision

    • Re:Yah (Score:5, Insightful)

      by Teckla (630646) on Thursday August 09, 2012 @07:32PM (#40940273)

      Can I please have my single player offline games back?

      Speaking just for myself, I'm skipping both StarCraft 2 and Diablo 3, because of the onerous DRM and always-online requirements Blizzard now uses.

      I wonder if the DRM and always-online requirements are preventing enough piracy that results in sales, to overcome the loss of buyers like me.

      • Re:Yah (Score:5, Insightful)

        by DoofusOfDeath (636671) on Thursday August 09, 2012 @07:34PM (#40940297)

        My guess is that what they're losing in sales to people like you (and me), they're more than recouping in the buy-things-for-real-world-money shenanigans they've instituted.

        Sucks, but I guess that's how the cookie crumbles.

        • by Teckla (630646)

          Ah well, I'm still glad people like us are doing what we can, and voting with our wallets.

          (Piracy is not an option in my house.)

          • Ah well, I'm still glad people like us are doing what we can, and voting with our wallets.

            (Piracy is not an option in my house.)

            Honestly, I don't expect voting with my wallet to have any real impact. However, Torchlight 2 should provide roughly the kind of fun I'd been hoping for from D3. So even if Activision doesn't care that I go for T2 vs. D3, at least I can still have my fun.

        • My guess is that what they're losing in sales to people like you (and me), they're more than recouping in the buy-things-for-real-world-money shenanigans they've instituted.

          -- Or --
          They blame the lost sales on piracy and use the figures to justify even more draconian nonsense.

      • by Rewind (138843)

        Can I please have my single player offline games back?

        Speaking just for myself, I'm skipping both StarCraft 2 and Diablo 3, because of the onerous DRM and always-online requirements Blizzard now uses.

        I wonder if the DRM and always-online requirements are preventing enough piracy that results in sales, to overcome the loss of buyers like me.

        You didn't miss anything with Diablo 3 really. It was ok, but nothing great. A step back for Blizzard if you ask me. With StarCraft 2 it was your own loss if you liked multiplayer. Also it had an offline mode that thanks to internet issues I got to make several uses of.

  • by PhrostyMcByte (589271) <phrosty@gmail.com> on Thursday August 09, 2012 @06:57PM (#40939861) Homepage

    I'm going to go out on a glass-half-empty limb here and say that means encrypted, not salted and hashed. "Cryptographically Scrambled" is too obviously ambiguous. I hope I'm wrong!

  • Well now. (Score:5, Funny)

    by Frosty Piss (770223) * on Thursday August 09, 2012 @07:00PM (#40939897)

    Since I'm over 25 and work for a living, this does not affect me.

    • Since I'm over 25 and work for a living,
      and since I got into Diablo and Starcraft when I was under 25,
      this does affect me.
    • Re:Well now. (Score:4, Informative)

      by Sir_Sri (199544) on Thursday August 09, 2012 @07:28PM (#40940213)

      Since I'm over 25 and work for a living

      making you the target market for games, and modern MMOs. Especially so if you're male. Because you know, the people who actually work at Blizzard want to play their own game, and they're mostly over 25 and have jobs. So if you're one of the 40 million or so people who ever created a battle.net account for StarCraft or Diablo or WoW then yes, this affects you. Because what was your security question, have you ever reused it, and was it publicly available information?

    • by Mashiki (184564)

      Since I'm over 25 and work for a living, this does not affect me.

      Well this will surprise you then. The prime market for MMOs and gaming in general is...

      Male, 25-41, working, with an average yearly income of $38,000

  • and removing my CC (oh, wait, I already did that).

    This is going to be bigger than the Sony breach

  • If they got my passwords now, I don't care. After the hassles I have had with D3 from day 1 I don't even care anymore,
    • I bought D3 about 1 week after launch. Was very disappointed. Asked for a refund - four times. Blizzard refunded me.

      • by ganjadude (952775)
        I pre ordered the game. I know I don't have 24/7 access so my results may be different than others however. I have been able to play no more than 35% of the times I have attempted to.. I have had to redownload the.... almost 8 gig file 8 different times because it does not seem to understand the "forced update" every other day they push. I simply want to play by myself, which I cannot do without "checking in with mommy" and that is when it lets me connect. I assume (hope) I am in the minority here, but eithe
        • by lgw (121541)

          I pre ordered the game.

          Why would anyone do that in this day and age? A game is something you download, so paying for it more than a day or so before it comes out seems pointless. Waiting until there are some reviews seems better still.

          Having D3 at the launch did you little good - the servers were so overloaded that playtime was quite limited the first week.

    • by exomondo (1725132)

      If they got my passwords now, I don't care. After the hassles I have had with D3 from day 1 I don't even care anymore,

      Yeah I gave up on it too, the having to wait to play because the servers were full, the lag, the crashes...there's no reason it couldn't have just been an offline game like its predecessors. Very disappointed with it.

  • by Kenja (541830) on Thursday August 09, 2012 @07:02PM (#40939915)
    Nothing on battle.net, blizzard.com or any other location but marketwatch. Link in the article goes to a nonexistent page on blizzard.com. Not saying shenanigans just yet, but some real information would be nice.
  • by TranquilVoid (2444228) on Thursday August 09, 2012 @07:11PM (#40940013)

    Technically I'm working from home today, but I guess good security dictates I log into WoW to change my password and check for any foul play.

  • by Kenja (541830) on Thursday August 09, 2012 @07:12PM (#40940023)
    Once a Battle.net account is created, the first name, last name and security question cannot be changed. Since these questions are now compromised, everyone is SOL.
  • Ironic. . . (Score:4, Insightful)

    by Limburgher (523006) on Thursday August 09, 2012 @07:36PM (#40940341) Homepage Journal
    I seem to recall reading in the Security Question comments how Battle.net's system was excellent. That portion of it may have been, and they seem to be responding well to this, but the timing is interesting.
    • If anyone gets an email for the hackers - I forgot my battlenet account info years ago, maybe they can send it to me?
  • by Coolhand2120 (1001761) on Thursday August 09, 2012 @07:57PM (#40940541)
    Oh the passwords are cryptographically scrambled? Do they mean hashed or encrypted? I imagine anyone with enough skill to steal all of those accounts knows how to operate a rainbow table [wikipedia.org]. Why not just come clean and tell everyone their passwords are compromised too? Why leave everyone with a nebulous message like "cryptographically scrambled"? Are they encrypted? Or did you just hash+salt them? I for one would really like to know!
    • scrambled? Do they mean hashed or ... Or did you just hash+salt them? I for one would really like to know!

      I think what's best is unsalted, over easy, and hash browns on the side.

  • Who cares.. (Score:3, Interesting)

    by SD-Arcadia (1146999) on Thursday August 09, 2012 @08:10PM (#40940699) Homepage
    Diablo 3 was DOA. It is a hamster-wheel farming game revolving around the auction house with no depth nor creativity.
    Summary: It's fun but too easy going through normal, nightmare and hell if you gather a party. Then you hit the inferno act 2 brick wall, and your only hope for punching through that is either the RMAH or something like 100+ hrs into cheese-farming spots like dank cellar (gold) or the ancient path goblin (rares).
    I found myself wishing someone else would "play" for a while because the game part peeled away and it was revealed to be a stupid repetitive virtual item farming-trading game. I bought the game mid-May, and haven't touched it past June and don't plan to either. Gonna keep it around for a couple more weeks and then give my login info to the first friend who shows interest when I go back to school for TA'ing in September.
  • Oh man, I think I created an account for Starcraft I. Do you suppose it's still active? I doubt I can remember what password I used all those years ago, or what email address I might have had at the time.

  • by fisted (2295862) on Thursday August 09, 2012 @08:35PM (#40940911)
    Store password hashes in the database, but the answer to a security question, which enables resetting the password, in plain text. Cool story Blizzard
  • This is for real (Score:5, Informative)

    by tangent3 (449222) on Thursday August 09, 2012 @08:44PM (#40940997)

    Real links here: http://us.blizzard.com/en-us/securityupdate.html [blizzard.com]
    http://sea.battle.net/support/en/article/important-security-update-faq [battle.net]

    The important thing to note is that the passwords were encrypted with Secure Remote Password protocol, meaning that Rainbow Tables are ineffective since each password is individually encrypted instead of using a common hash. Also, the process is CPU expensive so brute forcing is highly unfeasible for reasonable length passwords.
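
The rainbow-table and SRP points raised in the comments above, as an added example (not part of the thread and not Blizzard's code): a stored SRP verifier is derived from a per-account salt, so equal passwords give different stored values and no shared lookup table applies, while a denylisted password is still found by re-deriving per account. It assumes the SHA-1 construction and 1024-bit group from RFC 5054, since the page does not say which parameters Battle.net used; the accounts and passwords are constructed.

```python
import hashlib
import os

# 1024-bit group from RFC 5054 Appendix A (assumed; the page does not state
# which SRP parameters Battle.net used).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
G = 2


def srp_verifier(username, password, salt):
    """Return v = g^x mod N with x = SHA1(salt | SHA1(username ":" password))."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    x = int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")
    return pow(G, x, N)


def enroll(username, password):
    """What the server stores: username, random per-account salt, verifier."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "v": srp_verifier(username, password, salt)}


def unsalted_sha1(password):
    """Contrast case: a bare hash, the kind a rainbow table is built for."""
    return hashlib.sha1(password.encode()).hexdigest()


def accounts_on_denylist(records, denylist):
    """Flag accounts whose password is on a denylist.

    Each candidate must be re-derived with that account's own username and
    salt, so the work is len(records) * len(denylist) modular exponentiations
    and nothing can be precomputed or shared between accounts.
    """
    flagged = []
    for rec in records:
        for candidate in denylist:
            if srp_verifier(rec["user"], candidate, rec["salt"]) == rec["v"]:
                flagged.append(rec["user"])
                break
    return flagged


def demo():
    # Constructed sample accounts; two of them share the same weak password.
    records = [
        enroll("alice", "hunter2"),
        enroll("bob", "hunter2"),
        enroll("carol", "c0rrect-horse-battery-staple"),
    ]
    same_plain_hash = unsalted_sha1("hunter2") == unsalted_sha1("hunter2")
    same_verifier = records[0]["v"] == records[1]["v"]
    flagged = accounts_on_denylist(records, ["123456", "password", "hunter2"])
    return same_plain_hash, same_verifier, flagged


if __name__ == "__main__":
    print(demo())
```

The salt removes the shared-table shortcut, but a password that appears on a common wordlist is still matched at one modular exponentiation per guess per account, which is why a weak password should be changed after a verifier database is exposed.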

  • Before I got an auth'er, I once logged into the armory app on my iPhone over an insecure wireless. Yeah, stupid, I know. My account was compromised shortly after. A couple weeks later, I got it back, intact to the way it was before the hack.

    Now, I have a password I don't use anywhere else, a mobile auth'er (that I changed the serial number on after I read about this breach), and I have it set to *always* require the auth'er to log in. Now that whatever mobile auth'er info they got regarding my accoun
  • by darkain (749283) on Thursday August 09, 2012 @09:37PM (#40941367) Homepage

    There is a ton of stupid SHIT being posted here on the slashdot comments. I don't blame the commenters one bit, though. Why? Because the article was a regurgitated rehashed pile of shit in comparison to the actual Blizzard press release... which was really hard to find, ya'know, being the top post on Blizzard.com after all... A very key detail, the usage of SRP, is completely missed by the article, which is leading to the majority of the confusion here and elsewhere.

    http://us.blizzard.com/en-us/securityupdate.html [blizzard.com]

  • As a long-term Blizzard customer, I am outraged; to have this news delivered through third party.

    No notification came from Blizzard thru e-mail. Cool way to support your customers..
