Blizzard’s BattleNet Hacked – Change Your Password Now!


This is a very important security notice. Change your passwords now.

Players and Friends,

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia), the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we’ll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we’ll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Sincerely,
Mike Morhaime


Thanks, Lorderan.


Comments

    • Blizzard obviously knew something was wrong when they pulled the mobile authenticators, they just chose to release the information now + Mike was on well deserved holiday.

    • The BEST phishing attempts will NOT ask you for your password either. They will fake a Blizzard style security email, and prompt you to log in to a fake Blizzard site…

      Blizzard should have kept mum on this and simply prompted a password change upon your next login to bnet.

      Scammers win again!

      • You’re saying you’d rather be ignorant of the fact that your personal information was stolen?

      • As a publicly-listed company, Activision Blizzard must report those security intrusions that have a potential impact on their bottom line, including in most cases where customer data has been compromised.

    • Well, the days of everyone using Blizzard as the standard-bearer of online gaming security have just come to a crashing halt.

      The days of defending Blizzard against being hacked and blaming everyone else for “clicking e-mail links” or “visiting naughty sites” or “using internet explorer” have been debunked.

      Blizzard was hacked, NOT the people who play their games.

      If their servers can be breached, considering all the money they make and the talented people they employ, then it’s quite clear that there is NO SUCH THING AS A SECURE SERVER.

      PERIOD.

      • If only, guess you haven’t seen the latest drone posts, they’re still saying that it’s people’s fault for clicking shady sites and 99.5% it’s the fault of the people not the company. I think your expectations of these people following logic are far too naive.

  1. I wasn’t going to post a comment but as I scrolled down the captcha was “moon cheese”

    how could I resist?

  2. Jay Wilson:

    “We took the meaning of “astral hell”…and doubled it!”

  3. Oh gee, you mean my account got hacked and it wasn’t my fault? Good job Blizzard. You’re a shit company. Enjoy Runic Games sodomizing you.

    • I’m tempted to say “it’s not their fault.”

      There are too many assholes behind a computer who get their kicks out of another’s misery, and no security measure is 100% guaranteed. But, how much of this would be true?

    • Same here, they really tried hard to make me believe it was my fault!

    • How exactly was this Blizzard’s fault?

      • Can you be any more of a fan boy?

        • Answer the question, oh wait sorry you can’t. You’re too busy blinded by ignorance to be objective here. I know well enough that D3 is a mess of a game but that doesn’t mean it’s Blizzard’s fault.

          Unless you’re the type of person that thinks a house burglary is the victim’s fault or something.

          • “I know well enough that D3 is a mess of a game but that doesn’t mean it’s Blizzard’s fault.”

            It actually is 🙂 The hack may not be their fault, we do not know. They probably don’t know themselves yet.

        • You do realize that regardless of how tight your security is there’s always someone or a group of people who have more time on their hands than you have to focus on beefing up your security. This is the same thing I said when the PSN got hacked. No it’s not okay to have minimal security and just be like “Well we got hacked again sorry!” but no amount of prep can ever keep you 100% safe. Even if the security was being built, monitored and improved by an AI or some form of automated system. Someone will then build a better AI just to spite you and break your security.

          Moral of the story, stop being a flaming troll and think about stuff before you say it.

          • Not if you pay experts to audit your system. On the other hand, you wouldn’t expect that from a company that didn’t even pay QA to do their job.

      • How? How about by canceling people’s authenticator orders, for no reason, one full month after the email telling us that they had been successfully shipped. That would be a great start. All subsequent fuck-ups are just icing on the cake.

      • How? They didn’t take the required steps to secure their services. One would expect that such services would be protected properly. Would you expect bank services to be protected? Then with RMAH why wouldn’t you expect BNet to be secured?

  4. The world is a safer place!

  5. Guess Blizzard needs to…
    *puts on glasses*
    get an authenticator.

    In all seriousness, the shit just keeps piling on.

  6. Hmm weird…

    I was playing some D2 single player today and no hacks or anything…

    WTF?

    • Ahhh yes back in the golden age. I really didn’t know how good I had it. Unlimited replay value. Stable servers. No problems logging in. No authenticator needed. Never got my account hacked or even trade scammed. Got to PVP and PK nooblings whenever I wanted. Didn’t have to give them my credit card info, real name, etc. How times have changed.

      • In all fairness, I have been playing D2 the last two weeks (ladder character) and the servers are extremely shitty. There are horrible lag spikes every time I handle my inventory, open windows with npcs, etc. Wish they would enable the ladder only runewords in single player as well.

  7. It’s as if Blizzard used up their quota of good fortune – at some point someone made a deal with the devil and now it’s time to cough up :/

  8. I like it how Mike actually used the word “sorry” and not some horse sh!t “apologies” line… Still, Blizzard is full of penguin marketeers sucking high salaries and influencing bad decisions… What next, white rings and ITH blades?

  9. yeah, good commenting.

    Really stick the boot in.

  10. And you want us to use our REAL NAMES when you can’t even secure your services?

    Fail!

  11. After this incident the most frequently used password on battle.net accounts will be: fuckblizzard

    It’s pretty hilarious seeing the forums in full damage control mode with locked threads left and right about the issue merely minutes after being posted. It’s probably the first time they have an actual sizeable number of people actually reading the forums.

  12. This is very serious, and goes way beyond the shortcomings of the game. Having my character cleaned out is one thing, but having my bank account cleaned out, or my personal details available…

    Neither the consumer nor the producer wins here. Very sad.

    • How so? Blizzard has done nothing illegal. Did they fail in security? Yes, but who hasn’t at one time or another?

      I like how everyone is flaming Blizzard when they are the victims (along with the customers) of an illegal act.

      Edit: I see you retracted some of your statement, disregard this.

  13. +1 to Blizzard for alerting us in a timely fashion.
    +1 to Blizzard for recognizing that servers get hacked and having better than average security on our passwords / CC info so that we don’t get burned too badly when it happens.
    -x to Blizzard for getting hacked; it could have been something ridiculously easy to prevent, or something ridiculously difficult, we’ll probably never know.
    -2 to Blizzard for failing to protect our secret question information. Hackers can now match secret question information to email addresses… email addresses are a rather prime target for hacking via secret question… hmmm….
    -5 to every idiot, consumer and company alike, that ever thought secret questions were a good way to deal with forgotten passwords. My first successful ‘hack’ was in 6th grade via secret questions. It would’ve been earlier if I’d tried earlier. Both my email and my b.net account have gibberish for answers, so I’m not too worried about that, but if you have real answers that’s probably the first thing you should change.

    • Well you can have real answers, just don’t make them something that someone can data mine from the internet or something. I.e. don’t pick Harry Potter as an answer to fav book and make it clear to everyone that it is your fav book etc. The thing to do is pick something that’s easy to remember and has nothing to do with the question, like “silly idiots put real answers here” as the answer to everything, then there’s no way you’re ever going to get hacked via secret question.

      Anyway in most cases they need email access and if they got that you’re screwed anyway as they can change your passwords, delete all warnings etc etc, even change the email address.

      • If you put that as the answer everywhere, and used a gmail / hotmail account as your b.net login, you’d lose it (and by association anything else), as both of those are hackable via secret question without needing email access to begin with.

  14. This news update has nothing to do with Blizzard selling 10.000.000 copies therefore I do not care.

    • Original Diablo team and Diablo I, II have something to do with it.

      I will tell it straight. You’re either a fool (I really mean it) or paid Blizzard employee.

      • Nope, very simple answer

        He is a guy posting with my forum name.

        Pathetic as are all these hate guys.

        It shows the mentality of this hating site.

        • You want to stop the confusion, Thrall? Register your name and start making red posts.

          • If I register then the trolls and haters win.

            I won’t give them the satisfaction of that.

            It really is getting quite annoying sifting through both old and new posts every day looking for this idiot.

        • Well Thrall, it would help if you weren’t a troll, maybe you should take advice from your superior in the Blizzard astroturfing team, alexanderbarin, and sign up and put everyone you dislike on ignore while baiting and insulting indirectly.

          • All of you think I’m a troll and that’s fine I get it.

            I have more money than anyone posting in this thread could ever hope to amass so if you think I lie awake at night worried about all the people who hate me here you would be naive.

            What does bother me is this idiot who is trying to impersonate me and the borderline moronic posts I read here on a daily basis bashing this game.

            I didn’t come here to make friends deal with it!

          • WTF, I am the real thrall, I swim in money and I do not care either but it bothers me how this second guy is saying that he’s the real thrall, your daily posts of defending this shitty game full of bullshit reasoning and outright lying.

            PS: I don’t have a registered account either 🙄

    • “This news update has nothing to do with Blizzard selling 10.000.000 copies therefore I do not care.”

      I moonfrost +1 your post, truly this news update shouldn’t even exist.

  15. How do I change my personal security question too (and check what it is since I want to know what other websites may have that same email and security question)?

    • Dunno, I’ve been wondering as well TBH, can’t find the info anywhere.

      Update: in the FAQ they say they are working on allowing people to change it and that they are no longer using just the SQ for validating.

  16. Sometime over the last weekend, my account got accessed. I got an automated mail from blizzard that my account was locked. At first I thought it was the usual phishing BS, but I checked headers and it really was from Blizzard. I hadn’t logged into my D3 account in over a month, so I did, and was surprised to discover that my alt characters had been deleted, my main in completely different gear, and somehow ~3 million more gold than before. I also had 3 new achievements that had recently been earned when I know perfectly well that I didn’t do them.

    I’m already done with D3, but glad to get more proof that stopping playing was a better idea than it just not being fun anymore.

  17. “Some data was illegally accessed, including a list of email addresses … and the answer to the personal security question” “Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.”

    If your email address is your name, email address and answer to the security question is ALL it takes to get access to your account. Lying, incompetent sacks of crap.

  18. Remember when the Pentagon got hacked? About a year ago? 24,000 files compromised?

    Stop nailing Blizzard to the cross when a nation that considers itself the super-power of the world can’t even prevent hackers from having their fun.

    I’ve got my gripes with Blizzard, but seriously children, grow up.

    • Seriously guys, it’s only your personal information and possibly your bank accounts that were compromised… only a child would give a shit about that.

      • Only they specifically stated personal and bank information was not stolen. But go ahead and keep spreading misinformation to make your position look stronger like several other morons in this post.

    • LOL how immature of you sir. Put your money in a piggy bank on your desk like all the other big boys and you won’t have this problem again.

  19. I tried to log in to change my password. Some problem kept me failing at the authenticator sequence. Last time that happened, it was related to unsynched clocks in my cell and computer, but not this time.

    I removed my authenticator to log in, in order to change the compromised password. Now I can’t set the authenticator back on. “An error occurred.”

    Way to go, Blizzard. My trying to fix it up left me MORE vulnerable to future leaks.

    • You sure you didn’t make a typo? I had problems logging in once and then I realized that I had a typo. Due to how it works, any error in email address, password or authenticator code gives the same error and it looks like it’s the authenticator that’s broken.

      As for not being able to reattach it, I guess that’s because the ID number of the authenticator has been deleted.

  20. The paid shills have really come out for this one!

    Amazing how the “blame the victim” approach just gets more and more manic.

  21. So uhm… Should european players change their pass?

  22. FYI blizzard passwords aren’t case sensitive. I just thought that was interesting…

  23. ::Sigh:: So, does anyone else miss the days of going to the store, buying your game cartridge, coming home, playing, and not having to deal with passwords or account info yet? The closest thing to a hack was someone walking by and yanking the cord for the controller from the system by mistake…

    • Didn’t you see the movie Hackers back then? It was going on… this hacker obviously got in through the old garbage file.

      • The garbage file is what the hacker downloaded. The hacker probably tried the backdoor, and also the PR chick’s (who has access to their entire network) password is ‘god’.

    • Or when you played console games as a kid and your mom said you had enough and turned the system off right when you’re at the end boss 🙂

  24. The only people not at risk of being hacked are Sarah Connor and um… Ok that’s it I guess. Bad news for Blizzard and us associated gamers. Password changed.

  25. Don’t worry, a security upgrade is coming…soon.

  26. Yes, yes, they hacked Blizzard, but can anyone confirm if they’ve hacked the Gibson yet?

  27. Fuck RMAH. Fuck authenticators. Fuck always online. Fuck barbarians. Fuck the D3. Fuck the Blizzard.

    D2 was so much better…why?!?!?!??!?!?

    • Because the internet was in its infancy back in 2000…

      D2 published in 2012 would mean: 5000 copies sold, 12.500.000 hacked and … unplayable due to massive dupes of ANY item 24 hours after launch.

      This is the internetz and people’s mentality.

      You see it here everyday how many jerks and crooks there are.

      It is the nature of our species.

      • Changed pass :”(

      • So you are suggesting that 9.995.000 out of the 10M people that bought D3 are potential hackers and would not have bought it if the game was not on-line.
        You discredit your position with such a blunt statement.

        Furthermore, considering customers as potential thieves is a major failure in any business. Nothing good ever comes out of that.

  28. Laughing my ass off.

    In your face fanboys who said that noooooo, there’s NO hacking around the D3 accounts, only stupid people.

    I wonder how many punches the community must take so the fanboys realize d3 is the greatest fuck-up in blizzard history.

    • Please note, that the hackers got only the encrypted passwords. Whether they can decrypt them or have information about which account they belong to remains to be seen. They may know your name (if it’s in your email address) and they will be able to spam you, but that’s it. People need to stop overreacting.

      In any case, this has nothing to do with D3 specifically.

      • If you are trying to tell me that this is no big deal .. I think you are being naive.

        Someone just got into their multi million $$$ infrastructure. Where people have their real money tied to their accounts.

        • What I’m saying is that based on what Mr. Morhaime said, at the moment we don’t have much to worry about. The issue may be more serious than what the guys at Blizzard know about or are telling us, but we don’t know that.

          I still don’t see why I would need to worry, when I can just change my password and reset my authenticator (just to be safe) to prevent someone from accessing my account. It only takes me a few minutes. This public announcement makes the leaked info completely useless, if people cooperate.

          • First, there are a lot of people who don’t listen, don’t play often, don’t keep up on the news etc. I had to tell all of my friends myself because I knew that they are not in the habit of checking on news and don’t play much anymore so they won’t get the information from Blizzard when they post it.

            Second, the real danger to me isn’t in battle.net but how applicable the information they have is to other websites. Honestly, we’re trained to be much more vigilant on passwords than on using multiple email accounts, varied password reset questions, etc.

            Third, the list of email addresses alone is worth quite a bit, regardless of if the hackers ever get onto battle.net accounts. The emails are mostly associated with gamers and much more likely to be primary email addresses than it would be from many other sites.

            Fourth, it’s the thought that it was very close to being much worse that probably gets people the most worked up.

      • Get off these boards with your logic and reasoning! There is no place for that here!

    • how exactly does that reflect solely on diablo 3? It’s BATTLE.NET accounts, affecting ALL games. So to be fair, go bash WoW and SC2 as well.

  29. Wow, what a debacle. I had a friend whose account also got compromised ~5 weeks ago. He told me that neither forum, email nor account password matched one another. He also ran a virus check and had no key-logger.

    Well now we know… what an embarrassing debacle.

    And yes, I blame Blizzard for it. Sure they got hacked so they are the “victims”; but it is not like hacking attempts were not to be expected, especially because Blizzard accounts offer so much valuable data.

    E.g. PayPal, bank account, credit card, real name / address / e-mail. And ofc WoW / D3 accounts can be used as farmbots.

    So yeah, claiming that this debacle wasn’t Blizzard’s fault is like leaving Fort Knox unguarded and then being surprised it got robbed…

    • Too soon to claim that your friend’s account was hacked due to this event. For all we know the information they stole is meant to be used for something other than getting onto battle.net. Did your friend tell you that he/she never used the battle.net password anywhere else?

  30. Don’t worry guyz, always-on DRM will fix it… Er…

  31. I’m glad EU passwords are untouched, so I can keep my “1234” and feel safe.

  32. This is obviously some totally noob hacker. I mean what kind of hacker would steal
    account info, passwords, and bank account numbers rather than the 1.0.4 patch and devel notes??

  33. Blizzard created a Master****piece in D3. All you read about D3 from the blue are negative stories about fixes, understanding issues, removing game play features, an update that an update is going to be coming out, and services being hacked. When will something good come out of them?

  34. Don’t worry, Han Solo told me everything is fine here and asked how I am.

  35. If you did not expect something like this, you are living a very sheltered life. Hackers would be trying anyway, but with real money possibly being attached to the accounts, it was just a matter of time. I never had my PayPal attached (since I don’t have one anyway),

  36. Like some others, some time ago my account was locked. Justification for it was that I’ve been involved in “suspicious activity”, whatever that was, and got locked. After I fixed it, it didn’t happen again. My characters hadn’t changed, so I was wondering wtf happened in there. But that was more than a month ago, so I suspect that this has been going on for longer than Blizzard tells us, and maybe it got out of their hands, so they are now telling us.

    Well, in light of Blizzard publicly admitting that the accounts got hacked, what does this mean? It means that all they said about online only being THE way to fight hackers simply doesn’t work. Can I get my offline mode now?

  37. Something I predicted in the past. Lames! That’s why I refuse to use RMAH and attach my PayPal/credit card info to their crap systems.
    Noobs Blizzard Noobs. Fail again! (what a surprise!)

  38. I never heard of a PayPal account being hacked? Why is that? Better security?

    • I predict, even want to bet, that someday in the future PayPal will also be hacked.

    • But it has actually happened, at least with WoW there were cases where people used money of others to pay for items and whatnot.
      I’m no expert but the people that I’ve seen talking about PayPal say that it isn’t very hard to do. The thing is lots of hackers won’t dare because that’s going for real money and will get you in real trouble IRL.

  39. Changing your password is a good first step, but the message also says:

    “…information relating to Mobile and Dial-In Authenticators were also accessed”

    So, it would be wise to remove your mobile authenticator (if you have one), get a new serial number (look in the “About” menu) and re-attach it, in case they have enough data to duplicate your authenticator as well.

    This is pretty much the worst-case scenario I imagined might happen after Blizzard announced their real money auction house. The dollar value of our accounts to outside hackers went way up in the last few months.

  40. Well…. all this is a bunch of bologna. Password changed.

  41. Absolutely brilliant. I laughed out loud when i read this. Thumbs up for their sorry excuse of a battle.net 2.0. “We’ve learned a lot”

  42. Uh oh.. so it finally happened.. actually I never even knew such Blizzard news existed, til today.. my account got stolen.. I think first they change your email, and change the rest of the info. That’s what happened to me… today while I was taking a walk outside, one of my friends irl called me, and told me I’m currently online.. then I was like you’re joking… hours later when I got home I tried to login to D3. Nothing worked. I checked email, oh a notice that Blizzard changed my email attached to blizzard.net to some [email protected]. Note I haven’t played Diablo for quite a long while.. like at least 2 months, maybe close to 3 months. And now it happened. I tried recovery, nothing works, everything changed.

    All in all, Blizzard, gg, have fun with your little “oh we’re so sorry”, meh whatever.
