Blizzard Respond to Class Action “False Information”

Blizzard has now responded to the action raised by Benjamin Bell (which we reported last week), in which he intends to sue Blizzard for “consumer fraud, unjust enrichment, negligence, breach of contract and bailment”. In addition, he charges that they “negligently, deliberately, and/or recklessly fail to ensure that adequate, reasonable procedures safeguard the private information stored on this website. As a result of these acts, the private information of plaintiffs and class members has been compromised and/or stolen since at least 2007”.

According to Blizzard, the foundations of his claims are unsound inasmuch as they are based on “patently false information”.

We want to reiterate that we take the security of our players’ data very seriously, and we’re fully committed to defending our network infrastructure. We also recognize that the cyber-threat landscape is always evolving, and we’re constantly working to track the latest developments and make improvements to our defenses.

The suit’s claim that we didn’t properly notify players regarding the August 2012 security breach is not true. Not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed. You can read our letter to players and a comprehensive FAQ related to the situation on our website.

The suit also claims that the Authenticator is required in order to maintain a minimal level of security on the player’s account information that’s stored on Blizzard’s network systems. This claim is also completely untrue and apparently based on a misunderstanding of the Authenticator’s purpose. The Authenticator is an optional tool that players can use to further protect their accounts in the event that their login credentials are compromised outside of Blizzard’s network infrastructure. Available as a physical device or as a free app for iOS or Android devices, it offers players an added level of security against account-theft attempts that stem from sources such as phishing attacks, viruses packaged with seemingly harmless file downloads, and websites embedded with malicious code.

When a player attaches an Authenticator to his or her account, it means that logging in to will require the use of a random code generated by the Authenticator in addition to the player’s login credentials. This helps our systems identify when it’s actually the player who is logging in and not someone who might have stolen the player’s credentials by means of one of the external theft measures mentioned above, or as a result of the player using the same account name and password on another website or service that was compromised. Considering that players are ultimately responsible for securing their own computers, and that the extra step required by the Authenticator is an added inconvenience during the log in process, we ultimately leave it up to the players to decide whether they want to add an Authenticator to their account. However, we always strongly encourage it, and we try to make it as easy as possible to do.

Many players have voiced strong approval for our security-related efforts. Blizzard deeply appreciates the outpouring of support it has received from its players related to the frivolous claims in this particular suit.

Source: IGN

The impetus behind this claim is the security breach back on August the 10th, when data such as email addresses for users outside of China was taken; for North American servers, the answer to the personal security question and information relating to Mobile and Dial-In Authenticators were also accessed. Blizzard maintained that this information alone was not enough to gain access to accounts.

Bell claims that players have to buy authenticators (sales of which grossed $26m) to keep their accounts secure when this level of security should be provided by Blizzard as a matter of course. He further claims that this information was not made clear at the time of purchasing the game. Blizzard counter that the authenticators are a secondary level of security protecting accounts that have had their password stolen outside of Blizzard, i.e. through email phishing, viruses and malicious code.


    32 thoughts on “Blizzard Respond to Class Action “False Information””

    1. I hope their lawyers are less conciliatory than their PR people, because at least as described here the complaint was a load of hogwash.

      • Authenticators are required, if you wish to add to rmah. They claim it’s a secondary form of security. When in fact it is a primary form of security if you wish to use rmah.

        Considering it was an advertised feature, it appears the false advertising portion has some credibility. It also would appear that their response is not entirely credible for the same reasons.

        Of course Blizzard will deny the claims, but again dishonesty is one of the claims.

        If the matter is pursued, discovery will be a more reliable source of info.

        • It’s still secondary, it’s just not optional in the case of RMAH use. If you have a secure building with a gate at the parking lot and a lock on the door, the lock on the door is a secondary security measure (only those with a key should be able to open it), while the gate is the primary security measure (only authorized people can enter). The locked door prevents people who jump the fence from getting in. The gate still serves a purpose and usually works, but in the event that someone can get past it by stealing an identity, the lock provides a second measure of prevention.

          The authenticator isn’t perfect, but when it comes to security nothing is. When it comes to computer security, nothing is impossible. That said, people shouldn’t be able to jack your account even with your information because you still have the physical device. Someone can still hack into Blizzard’s database, and if they get enough information, they may be able to generate a working authenticator code for your account, but that’s 100% in line with Blizzard’s remarks. The authenticator does very little to prevent account theft from an internal Blizzard security breach, but it does tons of good vs outside account theft like keylogging.

        • RMAH is an optional service that they provide, and in order to maintain the legitimacy of it they require you to have the optional additional security. So it’s still an optional security measure because it isn’t required to play the game.

      • Which is almost entirely the fault of the player. People don’t get hacked, they go to stupid websites, click stupid links, or fall for stupid scams and end up having their information compromised with loggers. There’s also the brilliant crowd of people who use the same password for everything and end up getting compromised when somebody hacks or pays for the database of a forum to get all the passwords that way. Almost every single case of “hacking” is a player doing something stupid. Honestly, until anybody can actually prove they were hacked I would go so far as to say 100% of “hacking” cases with a player’s account security isn’t a case of hacking at all. The only case that could be made for hacking at all is in the case of a forum database being hacked, but even there, if you aren’t using the same password they don’t get into your account. People just have no concept about what online security is.

        • Blizzard was hacked in August. People seem to gloss that over. I see much venom in the direction of players who are “hacked”. But when Blizzard security fails, where is that same venom? Additionally they charge you money for a service (two factor authentication), where other companies work to protect their clients’ security without extra charge (coinlock, steamguard).

          Why the double standard?

          • Can you measure the number of accounts that were compromised because of this security breach? No. It’s likely that not a single account was compromised just because someone managed to get into the Blizzard servers. Blizzard is warning their customers because of the possibility that the perpetrators got important information (possibly Blizzard knows that they did), and there is a possibility that this will be used for further malpractice. Just because you have a collection of hashed and salted passwords doesn’t mean you can instantly log into any account and steal everything. I changed my password after the alert, and nobody ever got onto my account. It’s possible that some people were affected by this, but they probably didn’t change their password. The fact is, we have no way of knowing the reason for individual cases. All we can do is look at the number of reported incidents for 2 periods of time: before the incident and after. Unless someone has that data, there’s basically no claim against Blizzard having allowed for accounts to be compromised.

            Additionally, it’s impossible to be 100% secure, and Blizzard does their best. They’re also a freaking huge target, so stuff is going to happen now and then. You can’t fault Blizzard for security vulnerabilities: they are always going to be there one way or another.

            • Someone out there has my full name and email… Information about my secret questions and info regarding the authenticator I use.

              As far as I know I have not been compromised. I have generally good security practices. But the fact that all of that info (unencrypted according to Blizzard) is out there is unacceptable. Any one of those items being compromised is one thing… But Blizzard let all of them be compromised… All at once… Not acceptable… They need to practice what they teach.

              The fact is… You don’t know if accounts were compromised. You are just making that up. Also, if accounts were compromised… Blizzard would blame it on the person’s personal security habits… And droves of fans like yourself would flock to their defense.

            • Companies will get hacked, regardless of how good their security is. A big company like Blizzard is a key target, and they had one security breach. Sure your name and e-mail were compromised, but you can certainly have a separate e-mail you use for online accounts or even for games, and what’s the big deal about someone knowing your name? What really matters is if someone gets your credit card # + your name, or your password + your account. Even if they got your authenticator information, that’s no different than them getting your password if you didn’t have one. The point of the authenticator is not to protect you from this type of account compromise (which it possibly can). The point of the authenticator is when you get keylogged or someone you know wants to log into your account, they can’t without the physical device. The authenticator is 100% for people who lose their accounts due to their own actions, and it works 100% at preventing those “hacking” occurrences. Unless someone also manages to snatch your authenticator (which may be your phone), they can’t use your username and password.

              Blizzard has gone above the minimum for security, but break-ins will happen and one did. They are not at fault for anything, and thus not responsible at all. The authenticator works as they say and works well, so this lawsuit is completely unjustified. Sadly, most judges don’t know anything about technology, so it’ll be hard for Blizzard to argue their case.

          • It isn’t a double standard at all, at least not for me. I am well aware that Blizzard got hacked, however, the point I was commenting on was that people without authenticators will always be hacked. There has yet to be a single proven case of a player being genuinely hacked, it has so far always been the player doing something stupid and getting their information compromised.

            Blizzard getting hacked is an entirely different topic that has nothing to do with personal account security. Blizzard getting hacked has to do with the company’s own security and has nothing to do with the various steps a player should be taking to protect their own information; there is nothing a player can do about Blizzard themselves getting hacked.

    2. Blizzard is a victim of their own success really.

      Because there is such a huge demand for illegally obtained accounts, it means there are a lot of people making money at hacking into these accounts. If the demand or reward wasn’t there, then there wouldn’t be such a big issue with security.

      As such an Authenticator is an absolute must for people who aren’t big on security. It is unfortunate that Blizzard is making money off of it though. I have no smart phone or anything so I had to get the physical one and it ended up costing me $27 without there being any other postage option. I wasn’t impressed, but what can you do?

      • The authenticator is provided at cost. The authenticator app is free if you have a smart phone. You paid extra due to shipping, not due to Blizzard’s mark-up.

        Your statement that Blizzard is making money off authenticator sales is false (unless you have some proof otherwise).

    3. An email has still not been sent out to everyone informing them of the hacking incident in August. Funny, I’ve gotten plenty of advertisements since then.

    4. Given that Blizz can’t add more stash tabs because of server space, and the fact that they require authenticators and user-implemented security measures to remain secure, I’d say their servers are rusty buckets of sh!

      What if banks required authenticators, were hacked, then blamed customers?

      • Thanks to the RMAH, Blizzard effectively *is* a bank, or at least a broker.

        They perform trading services, take cash in and dispense it.

    5. I don’t suppose Blizzard would have gone to expense by simply stuffing an authenticator into the game box and letting the customer decide whether they want the extra login step or not. Considering the actual production cost of one such device, it wouldn’t even have had to have an impact on the game’s retail price.

      Selling an ‘absolutely essential’ chunk of plastic for 10 euros (with a whopping two – in numbers: 2 – months of guarantee) separately instead though, might indeed cast an unfavorable light on the company.

      • Aren’t they legally obliged to provide a 2-year warranty for developed countries?

        Europe, at least…

        (captcha: wild west)

      • And then Diablo 3 would’ve launched with a retail price of 65.99 instead of 59.99. Then you’d complain that you had to pay 6 extra dollars for something “you’d never use, because your personal internet security is top notch. You don’t visit any sites you’re not supposed to!”

      • Adding a $6.50 (USD) Authenticator in the retail box without changing the price (if that’s what you’re inferring) would hurt their profit juuuust a skosh. Let’s say that, if you buy a retail copy, the Authenticator is in the box, and if you buy it digitally, you enter your shipping information at the time of purchase, and Blizzard ships one to you. Since as of right now, there have been over 10 million copies of D3 sold, that would cost Blizzard around $65 million in profits. Prolly not happening.

        Even if we were to assume that just 25% of total Diablo 3 sales thus far have been retail boxed copies, and that those were the only ones that include the Authenticator, that would mean that:

        – 75% of sales, or over 7.5 million players would still need to order one
        – Blizzard would’ve lost $16,250,000 in profits
        – A LOT of players who don’t need the physical device would still receive one, causing an unnecessary loss in profits

        And as Daltin mentioned already, if they had adjusted the price to reflect the addition of the Authenticator, well… saying there would be a “public outcry” is probably the understatement of the year.


    6. I hope the guy wins the case. Don’t rly care for it, but I just want to see Blizzard burn for what they have done with Diablo.

    7. I hope Benjamin wins. He is brave for doing what everyone wants to do but might not have the courage for it.

      • ‘Everyone’ is quite a bit of a stretch. I for one, and all of my gaming friends, think this court case is rubbish. Perhaps there is some potential for a case in everything that’s happened since the game’s release, but this case does not realize it – I will be very surprised if Blizzard loses this one.

        The plaintiff would have to show, among other things, that (1) the security breach at Blizzard directly resulted in compromised accounts (2) the authenticator should be considered primary account security, despite no gaming industry precedent.

        Either one would be difficult, both together is going to be virtually impossible.

      • I just don’t have the courage to file a frivolous suit against a billion-dollar corporation and the accompanying million-dollar lawyers. It will be funny if they manage to slap him with their legal fees.

    8. The authenticator is good. I agree it should be primary account security just because it is so powerful.

    9. While I haven’t read the ToS, I would have thought that Blizzard would have jumped on the “do away with someone’s rights” and shit can these types of lawsuits in favor of binding arbitration? Hell, every other company has because I get all these emails stating so.

    10. This will go nowhere. The authenticator is clearly an extra level of security, it’s not in place of a robust system that should already be built in. He is wasting his money.
