Blizzard Being Sued Over Authenticator Requirement to Protect User Info

Blizzard are the attention of class action lawsuit which claims that Activision Blizzard are “deceptively and unfairly” charging customers by requiring players to purchase an authenticator to protect their personal information from hackers.

Plaintiff Benjamin Bell has taken out the action against Activision Blizzard and is seeking damages for “consumer fraud, unjust enrichment, negligence, breach of contract and bailment”.

Bell is claiming that Blizzard is placing the repsonsibility of securing customers personal information on the customer by making players purchase an authenticator instead of tightening security inhouse.

The complaint stems back to the problems around the launch of Diablo 3 when players were reporting account hacks on an almost daily basis. Then on the 10 August Battle.Net was hacked and a statement was released by Mike Morhaime to address concerns. Bell adds in the complaint that neither Activision or Blizzard took “the legally required steps to alert” gamers.

Bell is seeking damages from Activision/Blizzard for “tacking on” additional costs after customers have purchased the games and for requiring them to sign-up for

Source: Courthouse News via IncGamers.

Related to this article
  • Diablo 3 Holiday Giveaway #3
  • Diablo 3 Holiday Giveaways
  • Blizzard Respond to Class Action “False Information”

  • You're not logged in. Register or login to post a comment.

    55 thoughts on “Blizzard Being Sued Over Authenticator Requirement to Protect User Info

    1. Can see both sides here. From the player perspective, it is pathetic that Blizz cannot ensure that a password protected account (or their own servers) are secure.

      From the Blizz perspective, the mobile app is free and many (probably not all) of those hacked may have had spyware on their box that stole the password.

      • This is a load of crap. It’s not Blizzard’s responsibility to protect the privacy of your password, and that’s all this is. The problem is that people want to spend money on a game, thus the accounts have a lot more value when stolen. If people had their account hacked and lost all their items, it wouldn’t be a major issue unless they paid real money for those items. Blizzard doesn’t have to offer authenticator support, and you don’t have to take it. It’s still 100% your fault when your account is hacked, because either someone you know got your login info, or you have a keylogger, end of story. Blizzard might get hacked from time to time, and it’s possible (yet unlikely) that their password authentication is vulnerable, but this would be responsible for far less than 1% of hacking incidents.

        If you suck at the internet and get keylogged repeatedly, get an authenticator. If you can’t get the free one and don’t feel like buying one, then just don’t play or deal with being hacked.

        • Password not being case-sensitive is the only crazy part, for me.

          I bought a (cheap) smartphone to use the authenticator asap (without importing one and paying taxes).

          Personally, I’m glad I have access to an authenticator for free, while I reckon it isn’t the case of some people (a few months ago, iirc, we hadn’t multi-SIM devices that supported the authenticator and two companies, two diffent number etc.).

          The whole problem started and died when that green IK armor stopped being just lots of pixels and became a $250 thing. The rest is silence, progress, whatever you call it.

          Btw, boxed versions of the game should come with authenticators…

        • Far less than 1% of hacking incidents? Where the fuck are you getting this info? Oh that’s right, you just pulled it out of your ass. You don’t know shit about Blizzard’s internal network, and you know even less about hacking, so shut it. Bring factual values or shut it.

          • It’s not pulled out of my ass at all. Most uses of the phrase “my account got hacked” are completely inaccurate. People get malware, specifically keyloggers, and someone logs in normally with the correct authentication information and then takes your stuff. Incidents of hacking where someone gets through all of a company’s security and pulls a database of passwords or user information are rare with a company as large as Blizzard, and are they able to use the information they took? Possible, but we don’t know. If they weren’t hashed and salted sure, people would be hacked left and right, but they probably are. Not only that, but Blizzard let everyone know when it happened so they could change their password, thus the data stolen becomes useless.

            I don’t have any accurate statistics, but I don’t need them. The number of true hacking incidents that are not the result of either purposeful or unintentional password sharing to someone you associate with or keylogging are so incredibly small that I can safely say it’s under 1%. What happens when a game like diablo 3 comes out? Keyloggers target the players. All it takes is for someone to go to the wrong site or click on the wrong advertisement and their account is just waiting to be stolen.

            Blizzard is simply offering a physical object for adding security for those who desire or need it. Some people, like myself, don’t get hacked. I probably got hacked once in the many years I’ve played WoW since launch, never got hacked since D3 came out, and didn’t use an authenticator until a couple weeks ago. Friends of mine have been hacked on what seems like a yearly basis. These people should invest in an authenticator. If Blizzard didn’t offer it, they’d simply lose their stuff due to their unsafe behavior.

        • If ppl are getting hacked, let me guess, they are trying to hack themselves, and thus using 3rd party software, is whats givng them keyloggers or Trojans, makes them that less bright to even attempt trying 3rd party software. This is what makes me shake my head alot at ppl who do this. Oh wait, it wasn’t me who got into the kitchen and ate the plate full of stupid sandwiches. Stupid is, stupid does.

      • So you’re either an ATVI employee or contractor who has seen the numbers or an indiscreet lawyer in the discovery process on this?

        Because if you’re on this site, I can only assume that you’re smart enough not to take things from bliz at face value. OK, back to hot D3 PVP action while jumping over in-game obstacles!

        • Whether Blizzard profits a lot or a little by selling authenticators doesn’t seem real relevant to the lawsuit.

          That said, and aside from the fact that anyone can authenticator for free with their smart phone, we discussed the price of the devices times back around launch, and Bliz says they sell them for cost. Which seems realistic, given prices I could find online. Most places they’re $15-20 each in batches of 50 or 100. Obviously Bliz buys them in much larger quantities than that, but $8 is cost or right next to it, though they make a bit on the S&H.

          It’s certainly nothing compared to the profit they make selling a digital download of a game for $60, and bad publicity from hacked accounts and loss of repeat business is a much bigger concern for them than making a few bucks extra on authenticators.

      • That ‘at cost’ authenticator I *had* to buy ultimately cost me $27 or so. I had no other option.

        Other than that I don’t have any issues with this. I will be interested in seeing where it goes though.

    2. Get the free authenticator and stop whining. They should sue the people who hack instead.

      If someone rapes me, I’m gonna sue the company that makes rape whistles because they didn’t help me from getting raped.

      • It amazes me that people think sueing is the answer to everything. Sue the hacker for what? The $50 bucks he has to his name? Yeah thats worthwhile. You can sue anyone for a million bucks, but if they have no way of producing it, good luck ever seeing it.

    3. Good luck with this one.. burden of proof will be too much, I think. There is no way that this guy is gonna prove that Blizzard is at fault when Blizzard can wheel out countless examples of keyloggers and trojans and stuff that prove empirically that the people “hack” (not the right word but it’s the one they use) accounts are taking info directly from gamers’ PCs.

      So that’s consumer fraud, negligence, breach of contract and bailment out of the window.

      And Blizzard makes authenticator’s at a loss, so that rules out unjust enrichment.

      As for the “tacking on” thing, it was very well publicised that there would be internet-only DRM, and any consumer who can read knew this.

      I hope and expect that Blizzard will rip this guy to shreds for the bad publicity alone, make him publicly apologise, and then make him pay the cost of defense.

      • …Except that Blizz itself was hacked, where thousands of accounts were comprimised, including Authenticator information that can be bypassed once the accounts have been comprimised.

        Looks like I was right when I said Blizz was criminally liable for that breach. Now who was it that said I was wrong?

      • Myself included. I had an authenticator, it wouldn’t properly work on my account even after spending multiple hours calling blizzard and several re-downloads of the app, and as a result I was hacked, and without the authenticator I assume i will be hacked again.

      • Out of the 20-30 people I know personally that bought the game at launch, not a single one has been hacked.

        As for the lawsuit: this is a joke, and a total waste of time. I hope this guy knows what he’s getting into when this gets thrown out, and Blizzard comes after him.

        I only have one problem with Blizzard’s security for accounts, but it does irritate me quite a bit. Anywho, I’m referring to the fact that passwords are NOT case-sensitive. Who the f*** doesn’t use case-sensitive passwords these days? It’s just as bad as a credit card company that I used at one time that didn’t allow symbols in their passwords either. How easy do you want to make it for hackers?

      • I have never been hacked and none of the two dozen or so people I know fairly well through this site, via the podcast, news contributors, etc, have been either, AFAIK. (D3 hacked. Several have been WoW hacked over the years.) Most have authenticators, some do not.

    4. LMAO this week’s gettin better and better, way to go Benji!!! about time someone held those useless dickwads accountable for being failtastic

      • Agreed, Id also like for him to sue car companies for their cars being stolen cause they won’t provide free guarded parking spots for every person who has their car .

      • I don’t think I’ve read a single constructive post from you throughout my duration of time at d3inc.

        I think your vendetta has run its course. Blizzard will win this case, clean cut and dry. (If it isn’t simply thrown out)

        • Agree. If there’s anything I would rather have here than an edit button, it’s an ignore button.

        • Nizaris, constructiveness is lost on a fansite, and especially on a dev team like Actiblizzard’s. it’s more fun bashing the hell outta them since they genuinely deserve it.

          kissing their ass won’t get you on their payroll, sweetie 🙂

      • The good news out of this is that even if(and most likely) Ben loses the case, it will let Blizzard know how lame they are.

    5. If you buy a game and you’re are obliged to play on the Internet, the company must assure your account is not going to be hacked in any case. The authenticator is a rip-off.

      And the bloke who compares being raped to having one’s account hacked is not a very intelligent or sensitive person.

      End of.

      • Blizzard cannot control consumer idiocy. Should Blizzard, or any company, be accountable for rootkits, keyloggers, and third-party site hacks that steal account credentials?

        There is a free authenticator option. Case closed.

        • No, but it falls to Blizzard to fight against them in order to protect the consumer. Unfortunately Blizzard take advantage of you and you sheeple fall for it.

          So if I’m hacked I’m stupid?

          Why don’t you buy an authenticator for google, gmail, etc.?

          • “Why don’t you buy an authenticator for google, gmail, etc.?”

            I don’t know, why don’t you? There is one (for Android, iOS, and Blackberry). And certainly plenty of people’s gmail accounts are broken into, with the potential for serious consequences than breaking into someone’s account.

            I suspect the reason that things like are perceived as being less secure than other accounts is more because the game has a community associated with it, through which information about hackings are spread. People probably use keyloggers, etc. to break into online accounts at my bank all the time, but the bank doesn’t have an online community so you never really finds out about it unless it happens to you or a friend.

            I certainly wouldn’t know about any hackings if it weren’t for the forums, as I don’t know anyone IRL who’s had problems with it.

          • I do have an authenticator for Google. I have one for all of my important sites – bank, e-mail, and Blizzard game accounts.

            Your information is all monetized on the black market. I take all measures to secure it. 😉

      • Your understanding of the law is worse than Todd Akin’s understanding of the female reproductive system.

          • I think he’s pointing out the fact that you’re mistaking “hacking” for “compromising.” There is a huge difference. People are not hacking Blizzard’s servers. They are required by law to report any such breach. (Yes, required by law as it pertains to personal information)

            What you are referring to is compromised accounts, which are accounts being hijacked through means I outlined in a previous post of mine.

    6. I’m surprised this guy hasn’t been laughed out of the court yet.

      Consumer Fraud: I’m failing to see any deceptive practices that would fall under any kind of fraud case. The authenticator was around before Diablo 3 was released, and is only required to use for Diablo 3 in the event you wish to use the RMAH, you are not required to use it otherwise. There was no hiding the fact the game was online only, they never tried to, no false advertisement or anything. The year long plan that gave you free access to D3 is still going strong, they specified nobody would get the game early and that it would be released upon it’s actual release date, they did not try to insinuate that you would get the game early for it, no fraud there. I fail to see where any kind of fraud on any front comes into play here.

      Unjust Enrichment: The authenticators, according to Blizzard, are actually sold at or below the cost of making them, costing them money for each one made. While only Blizzard can put out the numbers to prove this, if it is accurate, there is no case for unjust enrichment either.

      Negligence: This will most likely hold no water in court either since the burden of proof is going to be on the accuser. While there is always room to improve your defenses so to speak, almost every case of “hacking” is going to come down to people being stupid and downloading loggers and spyware, which isn’t even hacking. From what we’ve been told there has been only a single successful hacking attempt against Diablo 3 and it was squashed very quickly. Even the authenticators are not 100% foolproof as proven by the worm that was released during WoW that allowed a middleman to grab your numbers, however, this was again not hacking, it was the user going somewhere stupid, clicking something stupid, and infecting themselves. I do not believe there has been a single proven hacked user account as of yet, but I could be wrong.

      Breach of Contract: What contract exactly are they breaching? The ToS? The EULA? This isn’t really specific enough to give any thoughts on, and I honestly don’t have the time to read through them right now.

      Bailment: What personal property has Blizzard taken away from people exactly? It is already a known thing that you do not technically own Diablo 3, you are paying for a license to play on their game. This is becoming more and more common with modern games, and although I do not agree with it, they are currently within their rights to run the game this way. People getting “hacked” does not constitute Blizzard taking anything away from a player, it is a player losing their account through their own actions by exposing their computer and their accounts to security risks. Again, until there is actual proof of a hacked account, there is nobody to point the blame at except the user here.

      Anyway, bored now, going to go play some D3 😛

    7. I’ll add my claim. Damage to me due to having to have an authenticator now amounts 1.5b$ and counting.

    8. the only one who would bennefit from winning the lawsuit is the lawyer. Everyone in the lawsuit would might get a dollar and the lawyer would get a slice of that dollar. So even if the shithead would win the case, players wouldent get any justice or money

      i say shoot him

      • Yep, I’m being 100% serious, unfortunately. If you created your password with both upper and lower-case letters like I did, go enter it as all upper or all lower. Works everytime. 🙁 Some people may not think that is a big deal, but in my opinion it is a VERY big deal. That removes 26 characters and however many billions or trillions of variations of passwords that people don’t have to “test” for.

        Well, I guess it’s nice that at least numbers and symbols work correctly… but as someone who likes the security of all four, that’s a small consolation.


    9. Blizzard’s servers have not been breached. Anything beyond that is not their responsibility. Period, the end. They offer additional solutions to help safeguard against client-side compromises, but they’re not obligated to do it for free. As it so happens, the app is free and the physical dongle is sold at cost.

      Time for people to have a little self accountability. I hope this case gets thrown out on its ass.

    10. Don’t forget to sign up to get your $25 for the $1.1 billion settlement on lcd screens. Less the $300 million the lawyers got. Take that money and buy an authenticator. And look both ways before crossing the street.

    11. I don’t have a problem with Blizzard selling authenticators.
      “Most recently, on or about May 19, 2012, reports proliferated that class members’ accounts had suffered a security breach (‘hack’) at the hands of unknown parties (‘hackers’), and on or about August 4, 2012, hackers massively breached’s security and acquired the private information of all of defendants’ customers in the United States, as well as the remainder of North America, Latin America, Australia, New Zealand, and Southeast Asia.”
      Though account details for millions of gamers were compromised or stolen, Bell says, neither Activision nor Blizzard took “the legally required steps to alert” gamers.[/quote]

      The irony is that even with this authentificator device several accounts details were compromised.

      Not only that, but also Blizzard CHOSE NOT to inform US at the time when our account information and PERSONAL INFORMATION SUCH AS NAMES AND ADDRESSES was compromised on THEIR servers.
      Instead, THEY CHOSE to wait until August before taking any action. Also, when there were players who reported getting hacked, even though they had secure PCs and authenticators attached to their accounts, Blizzard CHOSE to call those players LIARS instead to admit that THEIR servers with OUR PERSONAL INFORMATION SUCH AS NAMES AND ADDRESSES.
      It is for these reasons that Blizzard should face a class action law suit.

    12. lol this is a joke right ? anyone thinking that anyone except lawyer will benefit from it is just stupid.

      On the other hand ppl are stupid and its for their own good that they require auth before ppl start shooting themselves coz they lost x thousands worth of gear. Banks use those for a reason and you should think of your acc as bank one coz hackers sure do.

    13. The fact that they still have yet to send out an e-mail notifying that they were hacked is sickening.

      The comments here, too, are laughable. I guess the only people left here are Blizzard nut-suckers, which includes Flux since he realized he has to pretend to like this shitty game because his job depends on it.

      If it is found that encrypted credit card information was also compromised, not sending out an e-mail is not going to hold up in a court of law. I hope this guy is able to find out the truth, but I doubt it.

    14. What a douche… If some leet dude wants your password and he knows he has a live computer. Guess what? He’s gettin himself a password… Authenticator’s are brilliant…

    Comments are closed.