Blizzard Compromise-- what they missed in their user communication
James brought this to my attention shortly after I checked in for my shift: http://us.blizzard.com/en-us/securityupdate.html
There are a few more details here: http://us.battle.net/support/en/article/important-security-update-faq
I'm going to repeat a little of what they said about what was accessed:
Here's a summary of the data that we know was illegally accessed:

North American-based accounts, including players from Latin America, Australia, New Zealand, and Southeast Asia:
- Email addresses
- Answers to secret security questions
- Cryptographically scrambled versions of passwords (not actual passwords)
- Information associated with the Mobile Authenticator
- Information associated with the Dial-in Authenticator
- Information associated with Phone Lock, a security system associated with Taiwan accounts only

Accounts from all global regions outside of China (including Europe and Russia):
- Email addresses

China-based accounts:
- Unaffected

At this time, there's no evidence that financial information of any kind has been accessed. This includes credit cards, billing addresses, names, or other payment information.
Note the line "Answers to secret security questions" (bolded in Blizzard's notice). As Mat Honan's ordeal earlier this week showed (http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard), the secret question is a weak barrier even when the attacker has to guess or research the answer; when the attacker already holds the actual answer, a password-reset flow that relies on it is no barrier at all.
So, for North American customers, Blizzard's recommendation to "change your password" is of limited value on its own: a new password does nothing about a recovery path that asks only for an email address and a secret answer, both of which are now in the attacker's hands. If you're concerned about your account, change your security question and answer, and enable their two-factor authenticator as well.
UPDATE: After spending 15 minutes on the Battle.net website I couldn't find an easy way to change or update the security question. The best I could do was turn on SMS alerts, which must approve any password reset.
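To make the point above concrete, here is a toy account-recovery flow, written for this diary and not taken from Battle.net or any Blizzard code. It models an account with a salted password hash, a secret question, and an optional authenticator seed; the breach record, the account details, the authenticator seed and the fixed timestamp are all constructed for the example. The "weak" reset trusts the secret answer alone, which is the path a leaked answer walks straight through even after the victim has changed the password; the "hardened" reset also demands a TOTP code from the enrolled authenticator (RFC 6238, HMAC-SHA1), so the same breach record gets the attacker nothing.

```python
"""Why "change your password" is not enough once secret-question answers
have leaked: a constructed account-recovery flow, weak and hardened."""
import hashlib
import hmac
import os
import struct


def hash_secret(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, one reasonable meaning of
    'cryptographically scrambled'. Parameters are illustrative."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for a given Unix time."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Hypothetical account record; not Battle.net's data model."""

    def __init__(self, email, password, question, answer, totp_secret=None):
        self.email = email
        self.question = question
        # Normalised the way most sites match answers (case-insensitive),
        # which leaves the answer with even less entropy than it looks.
        self.answer = answer.strip().lower()
        self.totp_secret = totp_secret
        self.set_password(password)

    def set_password(self, password):
        self.salt = os.urandom(16)
        self.pw_hash = hash_secret(password, self.salt)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, hash_secret(password, self.salt))


def reset_weak(account, answer, new_password):
    """Recovery flow that trusts the secret question alone."""
    if account.answer != answer.strip().lower():
        return False
    account.set_password(new_password)
    return True


def reset_hardened(account, answer, new_password, totp_code, now):
    """Recovery flow that also demands a possession factor. An account with
    no authenticator enrolled cannot be reset through this path at all."""
    if account.totp_secret is None or totp_code is None:
        return False
    if account.answer != answer.strip().lower():
        return False
    if not hmac.compare_digest(totp(account.totp_secret, now), totp_code):
        return False
    account.set_password(new_password)
    return True


SEED = b"constructed-authenticator-seed"   # constructed, not a real seed
NOW = 1_344_600_000                        # fixed time so codes are reproducible


def breach_scenario(hardened: bool) -> bool:
    """Returns True if the attacker ends up controlling the account."""
    victim = Account("player@example.com", "correct horse", "First pet?", "Fluffy", SEED)
    # Constructed breach record holding the fields the advisory says leaked.
    dump = {"email": victim.email, "answer": victim.answer}
    # The victim follows the advice and changes the password.
    victim.set_password("battery staple 2012")
    if hardened:
        # Attacker has email and answer but no authenticator, so no code to type.
        ok = reset_hardened(victim, dump["answer"], "pwned", None, NOW)
    else:
        ok = reset_weak(victim, dump["answer"], "pwned")
    return ok and victim.check_password("pwned")


def owner_recovery() -> bool:
    """The legitimate owner, holding the authenticator, can still recover."""
    acct = Account("player@example.com", "correct horse", "First pet?", "Fluffy", SEED)
    ok = reset_hardened(acct, "fluffy", "new pass", totp(SEED, NOW), NOW)
    return ok and acct.check_password("new pass")


if __name__ == "__main__":
    print("weak reset, attacker wins:", breach_scenario(hardened=False))
    print("hardened reset, attacker wins:", breach_scenario(hardened=True))
    print("hardened reset, owner recovers:", owner_recovery())
```

Run it and the weak flow hands the account to the attacker despite the victim's fresh password, while the hardened flow refuses without a code and still lets the owner through. The same dump entry would also work against any other site that asks the same question of the same person, which is why changing the answer (or making it random and storing it in a password manager) matters as much as changing the password.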
Comments
I changed my password this morning as soon as I saw the notification in the Blizzard launcher. After that change, I also changed the email address for my account with Blizzard. I DID NOT RECEIVE ANY SMS notification about either the password change or the email change. I only received email notifications for both of them.
Maybe this is because my home connection uses dynamic IP addresses and a few months ago, after I enabled SMS notifications, Blizzard freaked out when my IP address changed and locked my account until I did a mandatory password reset + validation via SMS.
After I re-validated via SMS they never sent me SMS notifications anymore, even though I changed the password a couple of times since then. :(
A.
Aug 10th 2012
https://eu.battle.net/support/en/blog/5631705
[quote]
At this time we are unable to change the secret question or answer associated with a Battle.net account. However, in the very near future, a service will be made available on the Battle.net Account Management site for players to change the secret question or answer on the account on their own. For more information, please see the Battle.net Support site.
[/quote]
A.
Aug 10th 2012
EVVJSK
Aug 10th 2012
My concern is more about the information leaked.
At first glance most people won't worry about it.
However, having an email + security question answer opens the door to resetting the password on multiple websites, including most email providers, if the question is the same...
The Blizzard account hack then becomes the vector of "knowledge" leading to email account or other website account compromise.
Andre C.
Aug 10th 2012
JDinKC
Aug 11th 2012