
Blizzard Servers Hacked, User Data Compromised

btarunr

Online gaming giant Blizzard Entertainment reported unauthorized access to its servers. The security breach was detected earlier this week, and the company claims that the hackers may have accessed user data such as e-mail addresses of Battle.net users, their personal security questions, and information related to mobile and dial-in authentications.

Blizzard claims that the information compromised is not enough for anyone to gain access to the Battle.net accounts, and that there was no evidence to suggest that more vital bits of user data, such as real names, credit card information, or billing addresses were accessed. Users' Battle.net passwords, which are cryptographically-scrambled, may have been accessed. Since SRP (secure remote protocol) is used to protect the passwords, it is extremely difficult to unscramble them. Blizzard strongly recommends users to change their passwords as investigations into the security breach are on.

 
Can someone please tell me why this information is being so readily hacked into? There seemingly has been a handful of companies now that have had this happen to them.
 
Can someone please tell me why this information is being so readily hacked into? There seemingly has been a handful of companies now that have had this happen to them.

Because their security employees don't know what they are doing. They don't keep it up to date like they should which makes it easy to exploit.
 
Because their security employees don't know what they are doing. They don't keep it up to date like they should which makes it easy to exploit.

Fools. Well here's to the inevitable "they might have taken some card details" line that is bound to come up.
 
Or generally bad programming behaviors (like not checking inputs).
 
Or generally bad programming behaviors (like not checking inputs).

Very true.

I would hope their programmers know this, but that's like saying "I would hope they know to keep their programs updated". Someone somewhere in the company needs some security training or know how to use Google to check for known exploits. Bad Blizzard, BAD!
 
Eh, no skin off my back. Changed password, security question and email; benefits of holding several different accounts that just get forwarded to one account that has no job but to get forwarded mail. Only thing that ticked me off was that I couldn't copy-paste my password when I changed password; apparently they hate KeePass users.
 
Generally it is not the IT staff that is in the wrong. Phishing is still, in this day and age, a great way to get user credentials. Corporations need to train employees to not give out their credentials to ANYONE.
 
Just want to know, did Blizzard use an authenticator? Cause if not,... :roll:
 
I changed my password last night just to be safe. I also have an authenticator so I'm really not worried.
 
I laughed so hard and said to myself:
In the whole forums I register, they get the one I don't! :)
 
Changed password to be safe; much harder now, should take over 60,000 years to get it at a rate of 100,000 passwords a sec.

But I also use an authenticator.
 
Oh no, someone might steal my Diablo 3 account that I never use and my long-canceled WOW subscription. What ever will I do?
 
exploits_of_a_mom.png
 
God damnit Blizzard, now I'm gonna feel worried every time I play SC2 :(
 
I think it is the web programmers' fault. They use the old mysql_escape_string instead of mysqli_real_escape_string($connect, $fetch($query))
 
This is the first I've heard of them ever being hacked; I've been playing WoW on and off since '05.

Having an authenticator and using pre-paid game cards, I'm personally not worried about anything. Out of roughly 10 million people who play WoW, plus other Blizzard games, also inactive accounts created over the years... Odds are pretty slim anything happened to you.
 
Just like Sony, they have more than enough money and more than enough riding on their online integrity to let something like this happen.

I would say it is either something unavoidable or they're really trying to skim the bottom line..
 
I think it is the web programmers' fault. They use the old mysql_escape_string instead of mysqli_real_escape_string($connect, $fetch($query))

More than likely they don't use MySQL.
 
Ok, let's imagine I work as the head of internet security at Blizzard and I see all those ****-ups at Sony, Nvidia, etc... So guess what I do? I pick up my huge salary and go home to take some rest what I truly deserve.... for months after months .......... obviously;)
 
Seems to me that a lot of people here have little knowledge concerning internet security.
There is no such thing as 100% secure, as the "guards at the gates" will always have some inherent weakness which sooner or later someone will find and exploit.

Training and updating is, of course, paramount but that will not stop a hacker who finds a way in that no one knew existed. As protection gets better so do the hackers, and it's a constant battle to keep networks secure.

And Easy Rhino is right ... one disgruntled employee with server access, and a bone to pick, will foil your best efforts at intrusion prevention.
 
And those suckers still force you to use your real name for accounts! There's no privacy anymore:shadedshu

Even if they didn't get the credit cards and other info, the emails and names are enough for spamming.

Name + Email + some other personal info = Spam (scam) that really looks like an actual email!
 
Seems to me that a lot of people here have little knowledge concerning internet security.
There is no such thing as 100% secure, as the "guards at the gates" will always have some inherent weakness which sooner or later someone will find and exploit.

Training and updating is, of course, paramount but that will not stop a hacker who finds a way in that no one knew existed. As protection gets better so do the hackers, and it's a constant battle to keep networks secure.

And Easy Rhino is right ... one disgruntled employee with server access, and a bone to pick, will foil your best efforts at intrusion prevention.

But if hackers are always a step ahead no matter what (and they were, they are, and they will be ofc), isn't it paramount to prevent the leeching of mass database chunks to anybody at any time?
I have to admit that it was more than 15 years ago when I had to touch security related stuffz, (so I pretty much have no clue how it's going nowadays), but these massive user data leaks are happening all over the globe, and somehow I feel that there must be a way to prevent it happening this large scale, even if it's impossible to avoid it entirely.
These kind of news telling stories that the hackers are getting the whole user databases, and the only question is that if they can "decode" it or not in that particular case.

(I hope all of this doesn't sound like I want to be a smart*** here, because (honestly) I'm not...:B)
 
But if hackers are always a step ahead no matter what (and they were, they are, and they will be ofc), isn't it paramount to prevent the leeching of mass database chunks to anybody at any time?

Yes, but the user base must have access to their personal information in order to change it if the need arises. Herein lies the problem for security people.
When you open a window to let the air in, it can be very difficult to keep the dust out despite your best attempts.

I have to admit that it was more than 15 years ago when I had to touch security related stuffz, (so I pretty much have no clue how it's going nowadays), but these massive user data leaks are happening all over the globe, and somehow I feel that there must be a way to prevent it happening this large scale, even if it's impossible to avoid it entirely.

As more and more information is kept online, more will be hacked. It's the nature of the beast.
Even the best minds in the security fields fight this kind of thing daily. It is no trivial task.
Add to that the fact that even the best admins are human and may make mistakes ...

These kind of news telling stories that the hackers are getting the whole user databases, and the only question is that if they can "decode" it or not in that particular case.

This is usually more the media capitalizing on sensationalistic news than the reality. If things are encrypted in a secure manner it is still VERY difficult to extract information.

(I hope all of this doesn't sound like I want to be a smart*** here, because (honestly) I'm not...:B)

Better to be a smartass than a dumbass. lol
Just kidding, your post was fine and brings up good discussion.
 