Blizzard Compromise-- what they missed in their user communication

Published: 2012-08-10
Last Updated: 2012-08-10 01:51:02 UTC
by Kevin Liston (Version: 2)
5 comment(s)

James brought this to my attention shortly after I checked in for my shift: http://us.blizzard.com/en-us/securityupdate.html

There are a few more details here: http://us.battle.net/support/en/article/important-security-update-faq

I'm going to repeat a little of what they said about what was accessed:

Here's a summary of the data that we know was illegally accessed:
North American-based accounts, including players from Latin America, Australia, New Zealand, and Southeast Asia

Email addresses
Answers to secret security questions
Cryptographically scrambled versions of passwords (not actual passwords)
Information associated with the Mobile Authenticator
Information associated with the Dial-in Authenticator
Information associated with Phone Lock, a security system associated with Taiwan accounts only

Accounts from all global regions outside of China (including Europe and Russia)

Email addresses

China-based accounts

Unaffected

At this time, there’s no evidence that financial information of any kind has been accessed. 
This includes credit cards, billing addresses, names, or other payment information. 

Note the bit in bold: "Answers to secret security questions."  As we saw with Mat Honan's ordeal earlier this week (http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard) the secret question isn't much of a barrier in an attack, and when they have the actual answer, password resets aren't much of a challenge.

So, Blizzard's recommendation to "change your password" is largely ineffective for North American customers.  If you're concerned about your account, change your security questions, and go with their two-factor solution too.

UPDATE: After spending 15 minutes on the battlenet website I couldn't find an easy way to change/update the security question.  The best I could do was add SMS alerts to authorize any password resets.

Keywords:
5 comment(s)

Comments

I think SMS is useless for Blizzard these days or their SMS relay systems are malfunctioning.
I changed my password this morning as soon as i saw the notification in the blizzard launcher. After that change, i also changed the email address for my account with blizzard. I DID NOT RECEIVE ANY SMS notification about either the password change or the email change. I only received email notifications for both of them.

Maybe this is because my home connection uses dynamic IP addresses and a few months ago ago, after i enabled SMS notifications, Blizzard freaked out when my ip address changed and locked my account until i did a mandatory password reset+validation via SMS.

After i re-validated via SMS they never sent me SMS notifications anymore, even though i changed the password a couple of times since then. :(
P.S. about changing the secret answer they have this to say:
https://eu.battle.net/support/en/blog/5631705
[quote]
At this time we are unable to change the secret question or answer associated with a Battle.net account. However in the very near future, a service will be made available on the Battle.net Account Management site for players to change the secret question or answer on the account on their own. For more information, please see the Battle.net Support site
[/quote]
It would seem to me that these pay sites (sites which charge money and have $$ involved) would start providing a method to use a PIN and Secure Token (as well as password) to access the site (RSA or Symantec Verisign). I know that RSA algorithm was compromised, but it would seem the extra protect would be of some value. Thoughts ?
Alot of major gaming compagny (Blizzard, SOE, Square-Enix, Trion and other) already offre hardware and software(ios/android) secure token.

My concern is more about the information leaker.
At first glance most people won't worry about it.
However, having an email + security question answer open the door to reset password on multiple website, including most email provier if the question is the same...

The Blizzard account hack then become the vector of "knowledge" leading to email account or other website account compromise.
I have an account with another west coast gaming company that mostly re-published Chinese MMORPG's, and they also do not provide a method to change the secret questions. I think in their case they do that to prevent or limit people trading accounts (as the new account owner is less likely to know the initial questions, and the creator may forget what they set), but this goes against the company and the user if the answers to the questions were stolen from another source.

Diary Archives