James brought this to my attention shortly after I checked in for my shift: http://us.blizzard.com/en-us/securityupdate.html

There are a few more details here: http://us.battle.net/support/en/article/important-security-update-faq

I'm going to repeat a little of what they said about what was accessed:

    Here's a summary of the data that we know was illegally accessed:

    North American-based accounts, including players from Latin America, Australia, New Zealand, and Southeast Asia
    - Email addresses
    - **Answers to secret security questions**
    - Cryptographically scrambled versions of passwords (not actual passwords)
    - Information associated with the Mobile Authenticator
    - Information associated with the Dial-in Authenticator
    - Information associated with Phone Lock, a security system associated with Taiwan accounts only

    Accounts from all global regions outside of China (including Europe and Russia)
    - Email addresses

    China-based accounts
    - Unaffected

    At this time, there's no evidence that financial information of any kind has been accessed. This includes credit cards, billing addresses, names, or other payment information.

Note the bit in bold: "Answers to secret security questions." As we saw with Mat Honan's ordeal earlier this week (http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard), the secret question isn't much of a barrier in an attack, and when they have the actual answer, password resets aren't much of a challenge. So, Blizzard's recommendation to "change your password" is largely ineffective for North American customers. If you're concerned about your account, change your security questions, and go with their two-factor solution too.
Kevin Liston 292 Posts ISC Handler Aug 10th 2012
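The diary's point is that a security-question answer stored in recoverable form is worth as much to an attacker as the password it is meant to reset. The following is an added example, not code from the diary, from the ISC, or from Blizzard, showing the storage pattern a site can use instead: the answer is normalized (so "Fido" and " fido " still match) and then hashed with a salted, memory-hard KDF exactly as a password would be, and checked by recomputation in constant time. scrypt is used here with assumed cost parameters; the record format and function names are illustrative.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed cost settings (not from the diary): 128 * N * r = 16 MiB of memory
# per hash, sized for interactive use on a modern server.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES = 16
DKLEN = 32


def normalize_answer(answer: str) -> str:
    """Canonicalize a security answer before hashing.

    Unicode NFKC, collapsed whitespace and case folding keep the legitimate
    user from being locked out by trivial variation, while the stored value
    remains a one-way hash rather than the plaintext that leaked here.
    """
    text = unicodedata.normalize("NFKC", answer)
    text = " ".join(text.split())
    return text.casefold()


def _derive(answer: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(normalize_answer(answer).encode("utf-8"),
                          salt=salt, n=n, r=r, p=p,
                          maxmem=SCRYPT_MAXMEM, dklen=DKLEN)


def hash_answer(answer: str, salt: bytes = b"") -> str:
    """Return the record to store: 'scrypt$N$r$p$salt_hex$digest_hex'.

    A fresh random salt is drawn unless one is supplied (tests only), so the
    same answer on two accounts, or two sites, never yields the same record.
    """
    salt = salt or os.urandom(SALT_BYTES)
    digest = _derive(answer, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_answer(answer: str, stored: str) -> bool:
    """Recompute the hash from the parameters in the record and compare it
    in constant time. Malformed or unknown records are simply rejected."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    try:
        expected = bytes.fromhex(digest_hex)
        digest = _derive(answer, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    except ValueError:
        return False
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    record = hash_answer("Fido")          # what the database holds
    print(record)
    print(verify_answer(" fido ", record))  # True
    print(verify_answer("Rex", record))     # False
```

The caveat a practitioner should keep in mind: answers to questions like "first pet's name" have very little entropy, so hashing turns a leaked table from an immediate giveaway into an offline guessing job, not into a safe one. That is why the diary's advice is to change the questions and add the second factor rather than rely on the question at all.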
I think SMS is useless for Blizzard these days or their SMS relay systems are malfunctioning.
I changed my password this morning as soon as I saw the notification in the Blizzard launcher. After that change, I also changed the email address for my account with Blizzard. I DID NOT RECEIVE ANY SMS notification about either the password change or the email change. I only received email notifications for both of them. Maybe this is because my home connection uses dynamic IP addresses and a few months ago, after I enabled SMS notifications, Blizzard freaked out when my IP address changed and locked my account until I did a mandatory password reset + validation via SMS. After I re-validated via SMS they never sent me SMS notifications anymore, even though I changed the password a couple of times since then. :(
JustAMouse 12 Posts
Aug 10th 2012
P.S. About changing the secret answer, they have this to say: https://eu.battle.net/support/en/blog/5631705
Quote:
JustAMouse 12 Posts
Aug 10th 2012
It would seem to me that these pay sites (sites which charge money and have $$ involved) would start providing a method to use a PIN and secure token (as well as a password) to access the site (RSA or Symantec Verisign). I know that the RSA algorithm was compromised, but it would seem the extra protection would be of some value. Thoughts?
JustAMouse 20 Posts
Aug 10th 2012
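The "secure token" the comment asks about is, in its software (phone app) form, usually a time-based one-time password. As an added example that is not Blizzard's, RSA's or Verisign's own scheme (none of which is described on this page), here is the standard TOTP algorithm from RFC 6238 over HMAC-SHA1, together with the server-side check that matters for a defender: it tolerates one 30-second step of clock drift and refuses to accept a code for a time step that has already been consumed, so a code captured in transit cannot be replayed. The key is the RFC 4226/6238 test-vector key; the step length and drift window are assumed values.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# RFC 4226 / RFC 6238 reference key (ASCII "12345678901234567890"). A real
# deployment generates a random per-user secret and shares it once at enrolment.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # assumed: the usual 30-second time step
DRIFT_WINDOW = 1    # assumed: accept one step on either side for clock skew


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from Unix time // step.
    This is what the token on the phone computes and displays."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, last_counter: int,
                step: int = STEP_SECONDS, window: int = DRIFT_WINDOW) -> Tuple[bool, int]:
    """Server-side check. Returns (accepted, last_counter_to_store).

    last_counter is the highest time-step counter already accepted for this
    user (-1 if none). Any counter at or below it is refused, so a code that
    was already used, or intercepted, is not accepted again inside the drift
    window. The digit comparison is constant-time.
    """
    base = at_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    now = 59                                  # RFC 6238 test time
    shown = totp(DEMO_SECRET, now)            # "287082" on the token
    print(shown)
    print(verify_totp(DEMO_SECRET, shown, now, -1))   # (True, 1)
    print(verify_totp(DEMO_SECRET, shown, now, 1))    # (False, 1): replay refused
```

The token's seed is the whole secret here, which is exactly the weakness behind the "RSA compromise" the comment alludes to: whoever holds the per-user seeds can compute every code. The server must therefore protect its seed store at least as carefully as its password hashes, and persist `last_counter` per user so the replay check survives restarts.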
A lot of major gaming companies (Blizzard, SOE, Square-Enix, Trion and others) already offer hardware and software (iOS/Android) secure tokens.
My concern is more about the information leak. At first glance most people won't worry about it. However, having an email + security question answer opens the door to resetting passwords on multiple websites, including most email providers if the question is the same... The Blizzard account hack then becomes the vector of "knowledge" leading to email account or other website account compromise.
JustAMouse 4 Posts
Aug 10th 2012
I have an account with another west coast gaming company that mostly re-publishes Chinese MMORPGs, and they also do not provide a method to change the secret questions. I think in their case they do that to prevent or limit people trading accounts (as the new account owner is less likely to know the initial questions, and the creator may forget what they set), but this goes against the company and the user if the answers to the questions were stolen from another source.
JustAMouse 1 Posts
Aug 11th 2012