back to article Blizzard pwned: Gamers' email, encrypted passwords slurped

Blizzard Entertainment, which makes World of Warcraft, Diablo III and other games, has coughed to a security breach of its internal network. Email addresses, answers to security questions and encrypted passwords linked to player accounts are believed to have been lifted by hackers. The gaming outfit said in a lengthy statement …


This topic is closed for new posts.
  1. Lionel Baden

    step one

    excluding those based in China,

    well its a starting point :)

    nothing like a litte national honour

  2. tkioz

    Still no official email here... nice...

    What percentage of players never visit the main website/forums and don't read tech sites?

    1. Mad Chaz

      They didn't send email, because you know, people will think it's ok to click a link in email and then wonder why they ended up with a comprisised account. However, if you open ANY blizzard game launcher right now, you'll see a big warning about it.

      1. tkioz

        So don't include a link, game companies (including Blizzard!) send official emails all the time, usually telling people to visit the home page and then browse to other parts of it...

    2. This post has been deleted by its author

  3. Anonymous Coward
    Anonymous Coward

    It's a snow job


  4. EddieD

    Blizzard and password security

    I don't think that they should be mentioned in the same breath, ever since I spotted that the passwords were case independent - ABC123 was the same as abc123...

    It may have changed now, I haven't played WoW or similar for about 3 years, but it shows a less than stringent attitude to account security

    1. Robert Carnegie Silver badge

      Re: Blizzard and password security

      Case insensitive - I'd call that real-world user friendly (remember, gamers!) I'd like to not have to remember whether I typed snowstorm1212 or Snowstorm1212 when setting my password (not a real example, unless it is), and, while I'm at it, I don't like to use any word that is bad enough to describe the system administrators who think that the network security is somehow improved by rejecting a password of "thankyoukindly" and accepting "IHateDoingThis". They'd better just hope that hackers can't read my writing after I graffitied my password onto the wall of the building across the road for convenience.

      I assume, of course, that they are case-casting, super-salting, and heuristically hashing these passwords.

      1. wowfood

        Re: Blizzard and password security

        snowstorm1212 got it.

        *goes and logs into Roberts battlenet account*

        1. Comments are attributed to your handle

          Re: snowstorm1212

          Hey, that's the combination to my luggage!

      2. Neonin
        Thumb Up

        Password Length

        A game I recently took part in the beta for made a big thing during sign-up about the fact their password system would accept anything from 8 to 512 characters, case sensitive and including spaces, and as we all know it's length rather than weird characters that make a password secure. That's why "8h&n3!LP" is nowhere near as secure as "Thisgamesucksdonkeyballs" when it comes to brute force attacks, as written about on El Reg not all that long ago.

        I pondered for a while and came up with "I hate making up passwords for games 2012" (since they said it still had to have a capital and numbers in it) and it stuck in memory better than my usual crop of 8-character passwords, but as you said, not only is it more user friendly to be case-insensitive but makes as much sense as the opposite

      3. Athan

        Re: Blizzard and password security

        I think the case-insensitivity was more to do with reducing support load for "oops, I had CAPSLOCk on" cases.

      4. Michael Wojcik Silver badge

        Re: Blizzard and password security

        I assume, of course, that they are case-casting, super-salting, and heuristically hashing these passwords.

        No, they're using SRP, if the article and Blizzard's statement are accurate. SRP is a ZKP (zero-knowledge proof) authentication mechanism. The verifying party (the server, in this case) has a verifier which can be used to confirm the validity of the password, but which cannot be used to reconstruct the password. It also offers perfect forward secrecy, among other things.

        The main advantage of a ZKP authentication protocol over password hashing is that the password is never sent to the verifying party. If an attacker takes over the server, they can authenticate clients, but they can't get the clients' passwords from logon requests.

        An aside: for password storage, you wouldn't want a heuristic hash. You'd want one with well-understood, carefully-designed hashing behavior, in particular image and preimage collision resistance.

  5. artbristol

    Wrong advice

    You need to change your SECURITY QUESTION, if that's what the hackers have. Bad luck if you used the same one on multiple sites.

    1. TonyHoyle

      Re: Wrong advice

      You can't.. it's permanent for a reason. If you think about it, if you could change your security question what do you think the first thing a hacker would do when he gained access to your account?

      1. Anonymous Coward
        Anonymous Coward


        "If you think about it, if you could change your security question what do you think the first thing a hacker would do when he gained access to your account?"

        Change the password.

    2. Anonymous Coward
      Anonymous Coward

      Re: Wrong advice

      As a precaution I never use the same security questions on really important accounts more than once. I do wonder if they hash the security question answers though, because they don't mention it. Whilst it looks like I've not been affected by this, it did spur me to alter my password structure and swap over to supergenpass. I wish more places had two factor authentication, but I'm happy enough that my really important sites do have that and my email is about as hardened as I can get it now.

    3. PaulR79

      Re: Wrong advice

      The thing with security questions is that anyone who can find out about you will have a high chance of being able to answer questions like mother's maiden name, place of birth etc. To get around this I've started answering security questions with completely unrelated answers. The questions may be set in stone but that doesn't mean you have to answer them truthfully :)

      1. Claus P. Nielsen
        Paris Hilton

        Re: Wrong advice

        The "unrelated answer" method is very good from a security perspective, but does make it hard to remember which answer was used for a given question.

        That leads to repetition of the same answer or to writing down the question/answer combinations, which reduce the security a bit again.

        Personally I think these security questions generally bring about a lower level of security. Guessing or researching the answers to security questions is typically the main method used in hacking online mailboxes of celebrities and politicians.

        The practice would be improved quite a bit, if more institutions allowed the users to also state the questions, since that would at least prevent a hacker from researching a list of answqers to all the usual questions before trying to persuade the helpdesk that he or she has been shut out of Paris Hilton's account by mistake.

        This would also open the way for some more interesting support debates:

        Supporter > So lets check your security questions... (long pause) ... "would you like to go out with me?"

        Me > "Yes, but only if you pay for the beer"

        Supporter > That is correct


        1. John H Woods Silver badge

          Re: Wrong advice

          For a while one of my (female) bosses had:

          Q: "There's no way you're going out dressed like that young lady"

          A: "I'll dress how I like and you're not even my real dad!"

        2. Anonymous Coward
          Anonymous Coward


          "The "unrelated answer" method is very good from a security perspective, but does make it hard to remember which answer was used for a given question."

          Keep in mind that 'unrelated to the question' doesn't mean unrelated to the person who answers it.

          For example; "the name of your mother". Someone could easily answer with a name who has always been a mother-like figure to him/her. Within the context of the question totally unrelated, same for outsiders. But I bet the user won't have any problem remembering the answer.

  6. Crisp

    Given the amount of money that Blizzard make off their players

    They had better do a damn site more than just say "Sorry.".

    1. This post has been deleted by its author

      1. Neil B

        Re: Given the amount of money that Blizzard make off their players

        Armchair trolling is much more pathetic, and sadly, more ubiquitous.

  7. The Alpha Klutz

    what would actually happen to a person if their WoW account got took

    massive increase in going outside?

    1. Anonymous Coward

      Re: what would actually happen to a person if their WoW account got took

      Negative, in case of emergencies such as the one you mentioned as well as power or internet outages my girlfriend and I have the World of Warcraft trading card game to tide us over.

      Outside? Hah, we don't even have a lift we have to walk up THREE flights of stairs. That'll be the day.

    2. Anonymous Coward
      Anonymous Coward

      Re: what would actually happen to a person if their WoW account got took

      And random school shootings I would assume, XP points must be gained somewhere right?

  8. Joe Drunk

    Hahahha yes but then they would run right back inside, frightened by that bright yellow thing in the sky!

    1. I ain't Spartacus Gold badge

      Curse the yellow face! It hurts our eyes-es Preciousss. Yes-ss it does-ss.

  9. Rob Carriere

    "Please click this link to change your password."

    Password mishaps happen and at least these guys seem to have taken precautions. But then sending a message that looks exactly like a classic phishing mail? Didn't we all agree not to do that?

    1. Mad Chaz
      Big Brother

      Except it's not an email. It's a big fat warning on the game launchers that lead to a website.

      1. Rob Carriere

        Aha! Thank you, that makes sense now.

  10. cs94njw

    With the recent Amazon/Apple thing, and now this...

    Every website needs to either drastically improve their security (or 2 form authentication) or make it less strict.

    I'm not going to risk my hard-learned security question answers and passwords to websites, if they keep losing them. I'd rather have a unique really simple password so when it's hacked I've not lost much.

    1. Kane Silver badge

      aye, except it's not a website login, it's a dedicated launcher program

  11. Jimboom

    So glad I stopped playing wow a long time ago

    They obviously forgot to recast their firewall buffs!

  12. Anonymous Coward
    Anonymous Coward

    Let's be honest.

    How many of us work for companies that don't implement a proper password policy in their software?

    (at my last company passwords were in plain text, new company at least they're encrypted but still not hashed).

    Why don't I do anything? What can be done, I only go to work so I can afford food and clothes, If I had any say it would have been done correctly first time.

    1. Anonymous Coward
      Anonymous Coward

      Re: Let's be honest.

      You should ask how many companies DO implement a proper password policy. Not many, not many at all.

      1. Anonymous Coward
        Anonymous Coward

        Re: not many at all.

        Sadly I fear you are correct. *sigh* this is not rocket science, and if companies would just hire one person to do this properly instead of outsourcing it to India, that would be one more person earning money paying taxes and making the economy go around. cant have that in Engand though.

        1. sabroni Silver badge

          Re: not many at all.

          You are so right, they spend all their money sending teenage muggers on holidays and filling prisons with playstations and drugs. And those fucking teachers who are too lazy to spend their free time running after school sports clubs. And all the 13 year old mums that have all that fake tan and watch celebrity big brother and the jeremy kyle show. And no one's allowed to go to church anymore and all the women have to wear burkas. And you're not even allowed to do a comedy "sieg heil" at a black athlete without the police arresting you, humourless bastards.

          Sorry, what were we talking about again?

        2. moronatwork

          Re: not many at all.

          You are shitting me, right? You seriously think just because you hire a local person, they would do it right? And a foreigner cannot do it right?

    2. Joe Montana

      Re: Let's be honest.

      Depends wether your company ever needs to have its software pentested by a third party...

      If you sell it into government, to companies that need things like PCI compliance, or even to a client who just happens to be security conscious chances are they will have the software tested, and such problems *should* be flagged up.

      Better to fix what you know about now, otherwise it could get quite embarrassing later and might result in lost business.

  13. TraceyC

    And this after my authenticator stopped authenticating

    "Blizzard also plans to automatically prompt its players on North American servers to change their secret questions and answers."

    Which it can't do until it implements the ability to change the questions and answers. D'oh.

    Usually, I'm very critical of Blizzard, but I have to admit they've done several things right here. On the plus side, I'm glad that the information taken doesn't look like it could actually be used to access an account as-is. They did a good job by working quickly to seal the breach & notify users. Unlike my usual experiences with their website, the notices make it easy to find what to do (change your password).

    Ironically, I had to remove the authenticator from my account recently because it stopped working. In this case, it would not have protected me anyway. I had been using the Android authenticator app, and the security tokens just stopped being accepted one day. I tried re-syncing it but to no avail. The "support" process was broken in a few key ways.

    - I couldn't contact support online. You have to log into your account to do that, and I couldn't log in without the authenticator token being accepted.

    - I couldn't use their web form for resetting my authenticator. The Serial Number field did not accept all the digits from the SN in the authenticator app Blizzard had provided.

    At least they will be getting up to date with other institutions that have managed to provide the ability to change your own Q&A. :p

  14. Anonymous Coward
    Anonymous Coward


    Are they using MS Winblows on their servers?

    1. sabroni Silver badge

      Re: Hmmm

      Winblows?! Ha! That is well funny. Maybe they run Spewnix, or something from Crapple. Oh, my sides have just ruptured from all the wordplay hilarity.

      No, really.

      1. Dana W

        Re: Hmmm

        Blizzard and Warcraft are Windows based.

  15. Furbian

    Oh not again...

    So I've had e-mails telling me to change my password from...




    But not from Sony after their grand hack, but I changed it anyway on my ancient PSN account.

    I have a trial WoW account, so maybe I can expect and e-mail from them too, or I'll do it myself.

    With these on-line services, many of which even keep your credit card details, (Google Play want to keep a copy of my passport too because I updated an expired credit card), leaking credentials like a sieve, this is becoming tiresome.

    The future, a digital economy where the gates are left open every so often for a quick mass account grab by some thieves.

  16. raving angry loony


    So their announcement that the users need to change passwords is almost identical to announcements sent out by scammers - INCLUDING the "click this link"? What a wonderful way to inspire confidence!

    Did they hire a bunch of untrained monkeys at Blizzard? Or are they just really, really stupid?

  17. DJ Particle

    Mobile Authenticators

    As soon as I heard that mobile auth'er info was compromised, I changed the serial number on mine. A lot of users don't realize you can do that.

  18. Dropper


    Hacking battlenet and WoW accounts in general has been an issue since our Chinese brethren started selling gold to those gullible enough to swap real money for the pretend kind (often obtained from hacked accounts). It is the reason I purchased a regular authenticator for the princely sum of $6 and steadfastly refused to switch that to the mobile version, especially as Blizzard have the gall to charge a second subscription if you go that route.

    The way they work is if your IP changes you have to supply an authentication number sent to your authenticator (or mobile) by Blizzard, which prevents someone from China using your credentials a couple minutes after you login. This authentication number changes every 15s or so, so it can't be guessed. It also requires you to authenticate your password if you don't loggon for a few days and at least once a fortnight if you do happen to be so addicted to "The Game" that you login every day.

    It doesn't require you to authenticate every time you logon because that is both annoying and pointless, given the ways an authentication is already triggered.

    All in all, if you care about your account then a one time payment of $6 is a reasonable expense to secure it. If you don't care, then that's fine too, just don't be surprised if your friends get pissed off at you when some Chinese fucker empties the guild bank.

    1. Dana W

      Re: Authenticators

      They do NOT charge a second subscription to use a Mobile authenticator, we both use them and I assure you I feel stupid enough giving them $15 a month. There is NOTHING that could induce me to get a second subscription.

      And the mobile based one is FREE. What more can you ask?

      And BTW you can set your account to require authentication EVERY log in.

    2. moronatwork

      Re: Authenticators

      The "lock your account if your IP address changes" is one of the most fscking goddamn stupid ideas. I play irregularly, and I don't play online games, only in single player mode. That I have to login to somewhere to play locally is already stupid enough, but to lock it everytime I start the game up is beyond stupid.

      And yes, Verizon FIOS changes your IP address regularly, and their range is huge.

      And you cannot just unlock your account - you have to perform a damned password reset as well. Apparently screwing the customer over every few days is a good business practice nowadays.

      And if you call them up, they want your damned first name and last name. I used a first and last name that is visibly not real (say, Captain America). The bastard on the phone kept asking for my "real name".

      And of course, now we see that checking for a first and last name on a phone call is such a security win *MWAHAHAHA*



  19. Nordrick Framelhammer

    Wow Players.


  20. Thorne

    Poetic Justice

    When a WOW player gets raided while on a raid......

  21. Aussie Brusader
    Thumb Up

    So the only way to win

    Is not to play the game?

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022