Blizzard Security Breach

Forum Index > SC2 General
442 Comments
juicyjames *
Profile Joined August 2011
United States3815 Posts
Last Edited: 2012-08-09 22:45:34
August 09 2012 22:34 GMT
#1
http://us.blizzard.com/en-us/securityupdate.html

Players and Friends,

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Sincerely,
Mike Morhaime

FAQs
Is there anything that players need to do right now to protect themselves?
While there is currently no evidence that any of the password or player data has been misused, we encourage our North American players to change their passwords. Click here to login and change your password.

In the coming days we will implement an automated process for all users to change their secret questions and answers, as a precautionary measure. We'll also prompt mobile authenticator users to update their authenticator software.

Additionally, while Blizzard has no indication that any of your information was shared with any other unauthorized parties or that there has been any unauthorized use of your data, we urge all members of our community to closely monitor all of their online accounts.

Players should also be wary of fraudulent emails (phishing). Unfortunately, because email addresses were exposed, it is entirely possible that this could result in an increased, targeted phishing campaign being sent to our users. Check this page for tips on how to spot and avoid these types of fraudulent emails.

What data was affected?
Here's a summary of the data that we know was illegally accessed:

North American-based accounts, including players from Latin America, Australia, New Zealand, and Southeast Asia
  • Email addresses
  • Answers to secret security questions
  • Cryptographically scrambled versions of passwords (not actual passwords)
  • Information associated with the Mobile Authenticator
  • Information associated with the Dial-in Authenticator
  • Information associated with Phone Lock, a security system associated with Taiwan accounts only
Accounts from all global regions outside of China (including Europe and Russia)
  • Email addresses
China-based accounts
  • Unaffected
At this time, there’s no evidence that financial information of any kind has been accessed. This includes credit cards, billing addresses, names, or other payment information.

What information related to Mobile and Dial-In Authenticators was exposed? What about Phone Lock?
With regard to Dial-In Authenticators, hashed (not actual) phone numbers were accessed. This is phone data from the relatively small number of people who opted into the program.

With regard to Mobile Authenticators, information was taken that could potentially compromise the integrity of North American Mobile Authenticators. We have no evidence that other regions were affected. We are working quickly to provide software updates to users.

Additionally we believe the integrity of the physical authenticators remains intact.

The information relating to Phone Lock represents a small number of hashed (not actual) phone numbers from Taiwanese players who opted into this service and had a North American Battle.net account.

Was the physical authenticator compromised?
We believe the integrity of the physical authenticators remains intact.

How did this happen?
Like all companies doing business online, it is not an uncommon occurrence to experience outside parties trying to illegitimately gain access to the operation’s structure at some level. We are continually upgrading our security technologies, policies, protocols and procedures to protect our customers and our games against the threats that increasingly arise in today’s online world.

When did Blizzard learn of the unauthorized access?
The trespass into our internal network was detected by us on August 4, 2012.

Why did Blizzard announce this on August 9?
We worked around the clock since we discovered the unauthorized user to determine the nature of the trespass and understand what data was accessed. Our first priority was to re-secure our network, and from there we worked simultaneously on the investigation and on informing our global player base. We wanted to strike a balance between speed and accuracy in our reporting and worked diligently to serve both equally important needs.

What action has Blizzard taken?
Upon learning of the unauthorized access, we worked quickly to re-secure our network. Afterward, we immediately notified law enforcement as well as security experts and launched an ongoing investigation to determine what had occurred. We also took steps to notify players, which happened in a matter of days from the time we discovered the illegal access.

Was any personal or financial information accessed?
At this time, there is no evidence that financial information was affected or accessed. There's also no evidence that personal information such as real names or billing addresses were accessed.

What can you tell us about the scrambled passwords that were accessed?
Cryptographically scrambled versions of passwords for North American players were accessed, protected by Secure Remote Password (SRP) protocol. This information alone doesn't give unauthorized users the actual passwords -- each password would need to be deciphered individually. The added layer of protection from SRP makes that process computationally very difficult and expensive.

Why not immediately invalidate the secret questions and answers that were compromised?
This was a difficult decision to make but in the end we believe that keeping the secret questions and answers in place still provides a layer of security against unauthorized users who don't have access to the compromised data. In the meantime, we are working quickly to create a mechanism for players to change the secret question and answer on their account. Our customer service staff will also know to use additional measures to verify player identities and not rely solely on secret question and answer.

Why not immediately revoke the mobile authenticators?
Similar to the decision surrounding secret question and answer, we still believe that keeping mobile authenticators active provides a layer of security against unauthorized users who don't have access to the compromised data. In fact, the mobile authenticator information by itself won't grant access to a Battle.net account -- that still requires the actual password as well. We are working quickly to deploy new mobile authenticator software and will notify players to update as soon as it's available.

Are you taking additional security measures as a result of this occurrence?
We are continually upgrading our security technologies, policies, protocols and procedures to help protect our customers and our games, and will continue to monitor the situation closely.

Teams have also been working around the clock in an ongoing investigation with law enforcement and security experts, to gain a more detailed understanding of what happened. As we conclude the investigation there will be lessons learned that can help strengthen our security going forward.
This Week in SC2 - Find out what happened 'This Week in Starcraft 2': http://www.teamliquid.net/forum/viewmessage.php?topic_id=278126
Probe1
Profile Blog Joined August 2010
United States17920 Posts
August 09 2012 22:38 GMT
#2
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?)
우정호 KT_VIOLET 1988 - 2012 While we are postponing, life speeds by
Pinski
Profile Joined September 2010
United States126 Posts
August 09 2012 22:39 GMT
#3
I wondered why I was getting these random spam SMS from Blizzard about my account a week or so ago.
GabrielB
Profile Joined February 2003
Brazil594 Posts
August 09 2012 22:39 GMT
#4
Thanks for the heads up... Should be in the community spotlight.
Scurvy
Profile Joined March 2012
United States117 Posts
August 09 2012 22:40 GMT
#5
Not good
With it or on it.
Plexa
Profile Blog Joined October 2005
Aotearoa39261 Posts
August 09 2012 22:42 GMT
#6
Oh dear.
Administrator | ~ Spirit will set you free ~
mataxp
Profile Blog Joined October 2011
Chile538 Posts
Last Edited: 2012-08-09 22:43:21
August 09 2012 22:42 GMT
#7
As a PSN user, déjà vu
Liquid.Hero Startale.Bomber MVP.Dongraegu
Brett
Profile Blog Joined October 2002
Australia3820 Posts
August 09 2012 22:43 GMT
#8
Thanks for posting this!
Hokay
Profile Joined May 2007
United States738 Posts
August 09 2012 22:43 GMT
#9
Noooo not my secret questions! A lot of sites ask the same secret security questions :X
zakmaa
Profile Blog Joined November 2010
Canada525 Posts
August 09 2012 22:44 GMT
#10
Damn. Well, at least Blizzard has a lot of resources at hand to make the issue go away as fast as possible. Glad they're being transparent (or are they?) about it
nooboon
Profile Blog Joined July 2011
2602 Posts
August 09 2012 22:44 GMT
#11
On August 10 2012 07:39 GabrielB wrote:
Thanks for the heads up... Should be in the community spotlight.


This. Even if nothing happens it is much better to be safe than sorry.
Mrvoodoochild1
Profile Joined June 2011
United States1439 Posts
August 09 2012 22:45 GMT
#12
Hackers who steal and sell personal info are the biggest pieces of shit on the internet.
"let your freak flag fly"
-niL
Profile Joined January 2012
Canada1131 Posts
August 09 2012 22:45 GMT
#13
Luckily for me, my accounts are ones that I bought from my friends
Fluffboll
Profile Joined May 2011
Sweden516 Posts
August 09 2012 22:45 GMT
#14
Things like this will happen, there are extraordinarily good hacker groups out there and no security will ever protect completely against them.

Just make some safety changes to your accounts (like changing pw, Secret Q&A etc.) and all will most likely be fine.
No reason to panic or bitch/whine about it.
You need to construct additional pylons.
Spec
Profile Blog Joined July 2009
Taiwan931 Posts
August 09 2012 22:45 GMT
#15
Thank God I don't have my credit card number on my account. I'm just not gonna change my password again, I ran out of ideas.
Eye for an eye make the world go blind - Gandhi
PresenceSc2
Profile Joined February 2011
Australia4032 Posts
August 09 2012 22:45 GMT
#16
I guess the same guy that made BattleNet also does Blizzards security

BA DOM TSSSSS
Stephano//HerO//TaeJa//Squirtle//Bomber
Dodgin
Profile Blog Joined July 2011
Canada39254 Posts
August 09 2012 22:45 GMT
#17
Well I use a physical authenticator so I should be okay, might as well change my password just to be safe.
AzBozz
Profile Joined April 2011
Germany518 Posts
August 09 2012 22:46 GMT
#18
im glad i live in Europe
MMA | MVP|Teaja|Polt|MKP|Byun|Maru|Thorzain|Creator|HasuObs|Socke|Lucifron|Vortix|Mana|Heromarine / PRIME and Mousesports fighting!!
MstrJinbo
Profile Joined March 2011
United States1251 Posts
August 09 2012 22:46 GMT
#19
On August 10 2012 07:42 mataxp wrote:
As a PSN user, déjà vu


Doesn't sound as bad as the PSN breach. Just Emails and hashed passwords being compromised. That being said I'm still changing my password.
Xiphos
Profile Blog Joined July 2009
Canada7507 Posts
August 09 2012 22:47 GMT
#20
On August 10 2012 07:39 GabrielB wrote:
Thanks for the heads up... Should be in the community spotlight.


Thx for the heads up indeed. And I do concur with the second half of that quote.

2014 - ᕙ( •̀ل͜•́) ϡ Raise your bows brood warriors! ᕙ( •̀ل͜•́) ϡ
czylu
Profile Joined June 2012
477 Posts
August 09 2012 22:47 GMT
#21
On August 10 2012 07:42 mataxp wrote:
As a PSN user, déjà vu


At least the passwords were encrypted.
Euronyme
Profile Joined August 2010
Sweden3804 Posts
August 09 2012 22:47 GMT
#22
Oh gosh... Well at least they only got the email. I guess I'll have a lot more spam coming my way ^^
I bet i can maı̸̸̸̸̸̸̸̸̸̸̸̸̸̸̸̸̸̸̨̨̨̨̨̨ke you wipe your screen.
RampagePimp
Profile Joined October 2011
United States29 Posts
August 09 2012 22:47 GMT
#23
So you're saying HOTS will be delayed even more?!? Great lol
mrhobbers
Profile Joined August 2010
109 Posts
August 09 2012 22:49 GMT
#24
Maybe this is the reason I got a shit ton of spam this morning on my e-mail
Kurumi
Profile Blog Joined April 2010
Poland6130 Posts
August 09 2012 22:50 GMT
#25
So nothing "interesting" was accessed by the crackers? Weird.
I work alone. // Visit TL Mafia subforum!
An2quamaraN
Profile Joined March 2011
Poland379 Posts
August 09 2012 22:50 GMT
#26
On August 10 2012 07:34 juicyjames wrote:
We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password



I remember Sony saying the same about their new discs...which were broken by hackers the day after.

Really, there is no protection technology that hackers can't break. It's only a matter of
do they care enough to break it. So, basically, all hackers need to succeed is to breach the network, which is what they did in this case.

Therefore, changing passwords is the only protection.
SomeONEx
Profile Joined April 2011
Sweden641 Posts
August 09 2012 22:51 GMT
#27
I feel bad for you guys in North America, I really do
This might not be a time to talk about happiness, but I'm a tiny bit relieved that this didn't also include EU as I have the same password for almost everything

Still, if anyone can fix this fast (with the law, i.e not mafia) it's probably Blizzard. My hearts to you in America <3
BW hwaiting!
An2quamaraN
Profile Joined March 2011
Poland379 Posts
August 09 2012 22:54 GMT
#28
On August 10 2012 07:50 Kurumi wrote:
So nothing "interesting" was accessed by the crackers? Weird.


They say that because they want you to think that hackers can't use the information they actually stole. In reality, they could very well know your password already. All you need to decrypt an encrypted password is a good machine.
FataLe
Profile Joined November 2010
New Zealand4501 Posts
August 09 2012 22:54 GMT
#29
I wonder just how encrypted our passwords are..
hi. big fan.
Blazinghand *
Profile Blog Joined December 2010
United States25552 Posts
Last Edited: 2012-08-09 22:55:01
August 09 2012 22:54 GMT
#30
Better go change my password! >.>

E: Probably should start using more different passwords for different services too
When you stare into the iCCup, the iCCup stares back.
Rannasha
Profile Blog Joined August 2010
Netherlands2398 Posts
August 09 2012 22:55 GMT
#31
On August 10 2012 07:54 An2quamaraN wrote:
On August 10 2012 07:50 Kurumi wrote:
So nothing "interesting" was accessed by the crackers? Weird.


They say that because they want you to think that hackers can't use the information they actually stole. In reality, they could very well know your password already. All you need to decrypt an encrypted password is a good machine.


That's not really true. There are plenty of secure hashing/encryption routines that require a large cluster of computers to break through in a reasonable amount of time. Any somewhat sensible company will use encryption that is at least strong enough to not make it economically viable to bruteforce it.
Such flammable little insects!
ZerguufOu
Profile Joined December 2011
United States107 Posts
August 09 2012 22:56 GMT
#32
ok someone hacked into my high masters account, played a few games and got me demoted to platinum. I demand a promotion.
FataLe
Profile Joined November 2010
New Zealand4501 Posts
August 09 2012 22:56 GMT
#33
what a nightmare. not nearly as bad as the psn breach but even so. poor blizzart.
hi. big fan.
Nazeron
Profile Joined September 2010
Canada1046 Posts
August 09 2012 22:57 GMT
#34
Not good, hopefully it doesnt turn into PSN type of deal
(╯°□°)╯︵ ┻━┻ ¯\_(ツ)_/¯
Skullflower
Profile Joined July 2010
United States3779 Posts
August 09 2012 22:57 GMT
#35
Well it would appear that it is time to finally change my bnet password.
The ruminations are mine, let the world be yours.
Fluffboll
Profile Joined May 2011
Sweden516 Posts
August 09 2012 22:58 GMT
#36
On August 10 2012 07:56 ZerguufOu wrote:
ok someone hacked into my high masters account, played a few games and got me demoted to platinum. I demand a promotion.


I will aid you in your quest! This needs to be fixed ASAP!
You need to construct additional pylons.
kochanfe
Profile Joined July 2011
Micronesia1338 Posts
August 09 2012 22:58 GMT
#37
sheesh...
"The flame that burns twice as bright burns half as long." - Lao Tzu
mrjpark
Profile Joined March 2011
United States276 Posts
August 09 2012 23:00 GMT
#38
On August 10 2012 07:43 Hokay wrote:
Noooo not my secret questions! A lot of sites ask the same secret security questions :X


This is awkward. I never remember the answer to my secret questions. But some complete stranger might...maybe I can finally access my old XBox Live account if I can find a way to contact this guy...
FataLe
Profile Joined November 2010
New Zealand4501 Posts
August 09 2012 23:00 GMT
#39
On August 10 2012 07:55 Rannasha wrote:
On August 10 2012 07:54 An2quamaraN wrote:
On August 10 2012 07:50 Kurumi wrote:
So nothing "interesting" was accessed by the crackers? Weird.


They say that because they want you to think that hackers can't use the information they actually stole. In reality, they could very well know your password already. All you need to decrypt an encrypted password is a good machine.


That's not really true. There are plenty of secure hashing/encryption routines that require a large cluster of computers to break through in a reasonable amount of time. Any somewhat sensible company will use encryption that is at least strong enough to not make it economically viable to bruteforce it.

They have TRANSLTR. Check mate everyone.
hi. big fan.
Wedge
Profile Joined March 2008
Canada580 Posts
August 09 2012 23:01 GMT
#40
Good god
Raskit
Profile Joined July 2009
579 Posts
August 09 2012 23:01 GMT
#41
Man, why weren't secret answers more secure? Now I've got to go round and start changing them on important accounts.
larse
Profile Blog Joined March 2012
1611 Posts
August 09 2012 23:02 GMT
#42
"outside of China."

LOL. Blizzard so implicitly points out suspect's location.
zhurai
Profile Blog Joined September 2010
United States5660 Posts
August 09 2012 23:03 GMT
#43
On August 10 2012 08:02 larse wrote:
"outside of China."

LOL. Blizzard so implicitly points out suspect's location.

narrows down so many countries!
Twitter: @zhurai | Site: http://zhurai.com
Shellshock
Profile Blog Joined March 2011
United States97276 Posts
August 09 2012 23:05 GMT
#44
Thank you for posting this. time to change the password on my account
Moderator
Epoxide
Profile Blog Joined March 2011
Magic Woods9326 Posts
August 09 2012 23:05 GMT
#45
On August 10 2012 07:42 mataxp wrote:
As a PSN user, déjà vu

Or GomTv
Liquipedia | Souma: EU MM is just Russian Roulette. Literally.
Naphal
Profile Joined December 2010
Germany2099 Posts
August 09 2012 23:05 GMT
#46
a shit... more spam on my gaming email -.-
skyR
Profile Joined July 2009
Canada13817 Posts
August 09 2012 23:06 GMT
#47
Why the hell would you encrypt passwords but not secret answers? sigh Blizzard.
R1CH
Profile Blog Joined May 2007
Netherlands10340 Posts
August 09 2012 23:06 GMT
#48
If you used the same password anywhere else, you should change it (and stop re-using passwords!). They have your email and password hash which is more than enough to wreak havoc, especially if it was your email account password. Props to Blizzard though for the announcement.
Administrator | Twitter: @R1CH_TL
R1CH
Profile Blog Joined May 2007
Netherlands10340 Posts
Last Edited: 2012-08-09 23:07:12
August 09 2012 23:07 GMT
#49
On August 10 2012 08:06 skyR wrote:
Why the hell would you encrypt passwords but not secret answers? sigh Blizzard.

Because CSRs need to know what the correct answer is?
Administrator | Twitter: @R1CH_TL
teamamerica
Profile Blog Joined July 2010
United States958 Posts
August 09 2012 23:07 GMT
#50
On August 10 2012 07:54 An2quamaraN wrote:
On August 10 2012 07:50 Kurumi wrote:
So nothing "interesting" was accessed by the crackers? Weird.


They say that because they want you to think that hackers can't use the information they actually stole. In reality, they could very well know your password already. All you need to decrypt an encrypted password is a good machine.


What? No - it depends on how they hashed the password. Some hashes are vulnerable to being cracked just by a normal desktop computer with a decent GPU in a day, others aren't. Even ones that aren't designed to be resistant to brute force can have such a large input space it'll take too long to crack to matter really.

I'm not saying they aren't being stored using a weak hash function (something like md5 but that's old/outdated) but unless you know otherwise, why say that?
RIP GOMTV. RIP PROLEAGUE.
Shenghi
Profile Joined August 2010
167 Posts
Last Edited: 2012-08-09 23:11:00
August 09 2012 23:08 GMT
#51
Assuming Blizzard's implementation of the SRP protocol is correct and they use sufficiently large numbers, and there is no reason to assume otherwise, then the passwords of the NA accounts are still just as safe as they were before, with the minor difference that more attempts at breaking them could now be made per second. However, for strong passwords this doesn't matter, as strong passwords take billions of years to break anyway.

On August 10 2012 07:43 Hokay wrote:
Noooo not my secret questions! A lot of sites ask the same secret security questions :X

Which is one of many reasons why secret questions are not, like often claimed, an added layer of security, but instead a vulnerability.

[Edit]
As a sidenote to what I said above the quote, I do have to note that almost nobody uses a secure password.
People are not born stupid, they choose to be stupid. If you made that choice, please change your mind.
Na_Dann_Ma_GoGo
Profile Joined March 2010
Germany2959 Posts
August 09 2012 23:08 GMT
#52
Well I wanted to let go of my old gmx account anyways I guess :/ (the biggest spammer on that one is gmx itself -.-)

Man this sucks, I hope they won't be able to do too much damage with the encrypted passwords. But email addresses, oh lord. Even more spam and phishing mails.
WrathBringerReturns said: No no no. Sarcasm is detected in the voice. When this forum is riddled with stupidity, you think I can tell every post apart? Fair enough it was intended sarcastically, was it obvious? Of course not.
ODKStevez
Profile Joined February 2011
Ireland1225 Posts
August 09 2012 23:12 GMT
#53
Stuff happens, glad they are dealing with it.
Luppa <3
IMABUNNEH
Profile Joined March 2011
United Kingdom1062 Posts
August 09 2012 23:12 GMT
#54
An open and honest announcement at least.
"I think...now? No rival. Me world champion. Yeah. None rival." - oGsMC
Lowenhertz
Profile Joined March 2011
United Kingdom4 Posts
Last Edited: 2012-08-09 23:15:51
August 09 2012 23:15 GMT
#55
matter of time unfortunately

at least they brought it to light quickly
R1CH
Profile Blog Joined May 2007
Netherlands10340 Posts
Last Edited: 2012-08-09 23:16:44
August 09 2012 23:16 GMT
#56
On August 10 2012 08:08 Shenghi wrote:
Assuming Blizzard's implementation of the SRP protocol is correct and they use sufficiently large numbers, and there is no reason to assume otherwise, then the passwords of the NA accounts are still just as safe as they were before, with the minor difference that more attempts at breaking them could now be made per second. However, for strong passwords this doesn't matter, as strong passwords take billions of years to break anyway.

While SRP is very secure, there are many services (like the battle.net website) that can't use SRP, so it seems reasonable to conclude that some password-equivalent data is stored somewhere and that it could have been leaked.
Administrator | Twitter: @R1CH_TL
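Since the SRP claim in the Blizzard notice (post #1) and the replies in #51 and #56 turn on what a leaked "cryptographically scrambled" password actually is, here is a small SRP-6a implementation as an added example. It is not code from the thread, from Blizzard or from any library; Blizzard's real group, hash, salt format and identity string are unknown, so the RFC 5054 1024-bit group (g = 2) with SHA-256 is an assumption (the modulus is transcribed here and should be checked against the RFC before any real use; the arithmetic below holds for any modulus). It shows three things: the server stores a per-user salt and verifier v = g^x mod N rather than the password; the login exchange needs x, so a stolen verifier by itself does not log anyone in; and the "deciphered individually" wording is exactly the limit of the protection, because one offline guess against one leaked record costs one modular exponentiation and nothing carries over to the next user.

```python
import hashlib
import os

# Added illustration of SRP-6a; NOT Blizzard's implementation.
# Assumption: RFC 5054 1024-bit group (g = 2), transcribed here, with SHA-256.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n: int) -> bytes:
    return n.to_bytes(N_LEN, "big")


def private_key(identity: str, password: str, salt: bytes) -> int:
    """x = H(s | H(I ':' P)). Only the client ever computes this."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def register(identity: str, password: str, salt: bytes = None) -> dict:
    """What the server keeps: (I, s, v) with v = g^x mod N; never P or x."""
    salt = salt if salt is not None else os.urandom(16)
    v = pow(g, private_key(identity, password, salt), N)
    return {"I": identity, "s": salt, "v": v}


def authenticate(record: dict, password: str) -> tuple:
    """One SRP-6a exchange against a stored record. Returns (client_S, server_S);
    they agree only if the password reproduces the x behind the verifier."""
    k = H(pad(N), pad(g))
    a = int.from_bytes(os.urandom(32), "big")            # client ephemeral
    b = int.from_bytes(os.urandom(32), "big")            # server ephemeral
    A = pow(g, a, N)                                     # client -> server
    B = (k * record["v"] + pow(g, b, N)) % N             # server -> client
    u = H(pad(A), pad(B))
    x = private_key(record["I"], password, record["s"])  # client side only
    client_S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    server_S = pow(A * pow(record["v"], u, N), b, N)     # uses v, not x
    return client_S, server_S


def crack(record: dict, wordlist: list) -> str:
    """Offline dictionary attack on ONE leaked (I, s, v) record: one modular
    exponentiation per guess. The per-user salt means no table of guesses can
    be reused across users, which is the 'deciphered individually' property."""
    for guess in wordlist:
        if pow(g, private_key(record["I"], guess, record["s"]), N) == record["v"]:
            return guess
    return None


def demo() -> dict:
    """Constructed data: two users with the same weak password, one strong one,
    and a tiny stand-in for a cracker's wordlist."""
    users = [
        register("alice@example.com", "hunter2"),
        register("bob@example.com", "hunter2"),
        register("carol@example.com", "correct horse battery staple 42"),
    ]
    wordlist = ["123456", "password", "qwerty", "hunter2", "starcraft"]
    good_c, good_s = authenticate(users[0], "hunter2")
    bad_c, bad_s = authenticate(users[0], "Hunter2")
    return {
        "verifiers_differ": users[0]["v"] != users[1]["v"],  # same password, different v
        "cracked": [crack(u, wordlist) for u in users],
        "good_login": good_c == good_s,
        "bad_login": bad_c == bad_s,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the code makes visible. First, x is a plain hash of the password, not a slow key-derivation function, so the cost of a guess is one 1024-bit exponentiation and nothing more; a weak password in a leaked verifier is still a cracked password, as `crack` shows. Second, the exchange only protects the password where SRP is actually used; a web login form that receives the password in the clear and checks it server-side, as R1CH notes, may keep something password-equivalent that this example does not cover.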
CableSCES
Profile Blog Joined September 2011
United States367 Posts
August 09 2012 23:17 GMT
#57
ruh-roh...
gonna be changing pass...
Saving SoCal eSports one sponsor at a time: MSI, JINX, Tt eSPORTS, HyperX, Red Bull ¯\_(ツ)_/¯
shin_toss
Profile Joined May 2010
Philippines2589 Posts
August 09 2012 23:17 GMT
#58
Ahhh hard to memorize diff passwords. :| . Better be safe than sorry
AKMU / IU
Cele
Profile Blog Joined December 2008
Germany4016 Posts
August 09 2012 23:18 GMT
#59
hu bad times. i better change my password too 0o
Broodwar for life!
Xpace
Profile Joined March 2011
United States2209 Posts
August 09 2012 23:18 GMT
#60
Pretty sure this is different from the D3 issue that happened at launch and the following week. Even with authenticators that did nothing to solve the previous issue, the users were the ones getting compromised, not Battle.Net. This is different though.
Na_Dann_Ma_GoGo
Profile Joined March 2010
Germany2959 Posts
August 09 2012 23:19 GMT
#61
On August 10 2012 08:17 shin_toss wrote:
Ahhh hard to memorize diff passwords. :| . Better be safe than sorry


Write them down on some sheet of paper and put it away safely. I mean yeh, if that paper gets stolen / lost you're fucked but you gotta have it somewhere right? And while there are programs for all that stuff having it on a real-world piece of sheet is nice.
WrathBringerReturns said: No no no. Sarcasm is detected in the voice. When this forum is riddled with stupidity, you think I can tell every post apart? Fair enough it was intended sarcastically, was it obvious? Of course not.
MxGStreamA
Profile Joined March 2012
35 Posts
August 09 2012 23:19 GMT
#62
I was hit by this, someone hacked the account, changed the password, played some ladder games.
bgx
Profile Joined August 2010
Poland6595 Posts
August 09 2012 23:21 GMT
#63
On August 10 2012 08:19 MxGStreamA wrote:
I was hit by this, someone hacked the account, changed the password, played some ladder games.

How many points lost/gained?

+ Show Spoiler +
-_-
Stork[gm]
pallad
Profile Joined September 2010
Poland1958 Posts
August 09 2012 23:21 GMT
#64
On August 10 2012 08:15 Lowenhertz wrote:
matter of time unfortunately

atleast they brought it to light quickly


True.. now hackers attack all the time, big companies, the Sony attack was big also..

But imo it's just business.., Blizzard is now for sale, someone is clearly trying to lower the company price.. simple for me ;P
SC 2 -LingsLover- EU -- Jaedong , NesTea , Nerchio , DRG , Moon , Oz , Tarson , Scarlett -- Dota 2 Pallad EU- NaVi - LGD
BadgerBadger8264
Profile Joined March 2011
Netherlands409 Posts
Last Edited: 2012-08-09 23:24:31
August 09 2012 23:22 GMT
#65
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")


Not saying you shouldn't change your password just to be completely sure, but if you'd know anything about the hashes used to encrypt passwords and how long it takes to decipher even a single password you would know that it's practically impossible for the people that have stolen the hash to obtain even a single password from that information within a month (and even that is stretching it as they'd need a cluster of powerful machines brute forcing the hash constantly for the duration), let alone retrieving a decent amount of stolen passwords. It's honestly not even close to being worth the power/rental costs of doing so to obtain an account worth maybe 100$. This is obviously assuming Blizzard doesn't use horribly outdated encryption, though.
nucLeaRTV
Profile Joined May 2011
Romania822 Posts
August 09 2012 23:22 GMT
#66
That's pretty sad. I'm from Europe, so I guess I shouldn't worry. I'm one of those 'use 1 password for everything' guys. Well, different versions of the same password, to be more exact :D
"Having your own haters means you are famous"
arctia
Profile Joined December 2010
61 Posts
August 09 2012 23:23 GMT
#67
For those of you having trouble remembering passwords, use a keyboard pattern instead of a mixture of letters/numbers/symbols that you can memorize. A few of my passwords are literally just patterns that I draw on my keyboard, mix in some Shift-key presses and you're set. I literally cannot tell you what my passwords are unless you put a keyboard in front of me.
cmen15
Profile Blog Joined December 2010
United States1519 Posts
August 09 2012 23:23 GMT
#68
lol sucks for people that use one password for everything... o wait that me gg!!!!
Greed leads to just about all losses.
chris5180
Profile Joined July 2012
198 Posts
August 09 2012 23:24 GMT
#69
thank you for the heads up!
R1CH
Profile Blog Joined May 2007
Netherlands10340 Posts
August 09 2012 23:24 GMT
#70
On August 10 2012 08:19 MxGStreamA wrote:
I was hit by this, someone hacked the account, changed the password, played some ladder games.

Unrelated, you probably had a bad / shared password beforehand. A hacking group advanced enough to break into Blizzard's network isn't really after your SC2 ladder rank.
AdministratorTwitter: @R1CH_TL
jnkw
Profile Joined November 2010
Canada347 Posts
August 09 2012 23:24 GMT
#71
Bleh. This is unfortunate.
Wroshe
Profile Joined June 2011
Netherlands1051 Posts
August 09 2012 23:25 GMT
#72
On August 10 2012 08:06 R1CH wrote:
If you used the same password anywhere else, you should change it (and stop re-using passwords!). They have your email and password hash which is more than enough to wreak havoc, especially if it was your email account password. Props to Blizzard though for the announcement.

Have a good password manager thingy that you recommend? My battle net is on a unique password but I tend to be lazy with services (so no battle net/steam/e-mails) I don't really care about.
bgx
Profile Joined August 2010
Poland6595 Posts
August 09 2012 23:25 GMT
#73
Wait a second, so Europe was also affected (email addresses).

A few days ago Google warned me about someone from China trying to login... coincidence? :o Never had such a case.
Stork[gm]
thurst0n
Profile Blog Joined December 2010
United States611 Posts
August 09 2012 23:26 GMT
#74
On August 10 2012 08:00 mrjpark wrote:
On August 10 2012 07:43 Hokay wrote:
Noooo not my secret questions! A lot of sites ask the same secret security questions :X


This is awkward. I never remember the answer to my secret questions. But some complete stranger might...maybe I can finally access my old XBox Live account if I can find a way to contact this guy...

LOL SO TRUE!

I seriously cannot have a password for each site because I cannot remember that many passwords. I have to change my password at work every 10 weeks, and I'm running out of options, I cannot use ANY password I've previously used... security questions I have a little trick for, that this hacker ruined. I always answer the same 3 things for security questions, and they are complete bullshit, so it doesn't matter what questions are asked, just the random answers i have selected, it makes it hard when sites ask me in random order.

Bleh, I guess I'll have to write down my passwords at home, and start making them different for everything. Luckily I already use separate passwords for things I care about, like banking/personal email. Fuck you hackers
P.S. I'm nub. If you'd like you can follow me @xthurst but its not worth it ill be honest
R1CH
Profile Blog Joined May 2007
Netherlands10340 Posts
Last Edited: 2012-08-09 23:26:35
August 09 2012 23:26 GMT
#75
On August 10 2012 08:22 BadgerBadger8264 wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")


Not saying you shouldn't change your password just to be completely sure, but if you'd know anything about the hashes used to encrypt passwords and how long it takes to decipher even a single password you would know that it's practically impossible for the people that have stolen the hash to obtain even a single password from that information within a month (and even that is stretching it as they'd need a cluster of powerful machines brute forcing the hash constantly for the duration), let alone retrieving a decent amount of stolen passwords. It's honestly not even close to being worth the power/rental costs of doing so to obtain an account worth maybe 100$. This is obviously assuming Blizzard doesn't use horribly outdated encryption, though.

I don't think you're aware of how password hashing works. Do you not think there are millions of people with "password123" or equally terrible passwords in those stolen hashes? Why would you need a month to break that?
AdministratorTwitter: @R1CH_TL
Gladiator6
Profile Joined June 2010
Sweden7024 Posts
August 09 2012 23:26 GMT
#76
On August 10 2012 08:25 Wroshe wrote:
On August 10 2012 08:06 R1CH wrote:
If you used the same password anywhere else, you should change it (and stop re-using passwords!). They have your email and password hash which is more than enough to wreak havoc, especially if it was your email account password. Props to Blizzard though for the announcement.

Have a good password manager thingy that you recommend? My battle net is on a unique password but I tend to be lazy with services (so no battle net/steam/e-mails) I don't really care about.


Check out this:
http://keepass.info/
Flying, sOs, free, Light, Soulkey & ZerO
R1CH
Profile Blog Joined May 2007
Netherlands10340 Posts
August 09 2012 23:27 GMT
#77
On August 10 2012 08:25 Wroshe wrote:
On August 10 2012 08:06 R1CH wrote:
If you used the same password anywhere else, you should change it (and stop re-using passwords!). They have your email and password hash which is more than enough to wreak havoc, especially if it was your email account password. Props to Blizzard though for the announcement.

Have a good password manager thingy that you recommend? My battle net is on a unique password but I tend to be lazy with services (so no battle net/steam/e-mails) I don't really care about.

I use Keepass personally. It can be configured to login to games too.
AdministratorTwitter: @R1CH_TL
Slurpy
Profile Joined October 2010
41 Posts
August 09 2012 23:29 GMT
#78
NASL sound guy now working at Blizzard?
Blackrobe
Profile Joined August 2010
United States806 Posts
August 09 2012 23:29 GMT
#79
On August 10 2012 08:19 Na_Dann_Ma_GoGo wrote:
On August 10 2012 08:17 shin_toss wrote:
Ahhh hard to memorize diff passwords. :| . Better be safe than sorry


Write them down on some sheet of paper and put it away safely. I mean yeh, if that paper gets stolen / lost you're fucked but you gotta have it somewhere right? And while there are programs for all that stuff having it on a real-world piece of sheet is nice.


KeePass guys! :D

Give it a shot, there are portable versions as well (USB flash/iPhone etc)!
"To make no mistakes is not in the power of man; but from their errors and mistakes the wise and good learn wisdom for the future."
iAmJeffReY
Profile Joined August 2010
United States4262 Posts
August 09 2012 23:30 GMT
#80
Funny, since my SC2/D3 account got hacked and stolen after not playing on either for a week. Someone put on an authentication device... that I've never put on.

I had to get blizzard to roll back my account into my hands, and changed my PW back to normal. Odd.
Unbiased biased terran abuser Jeffrey. Sorry for the rage, friend!
netherh
Profile Blog Joined November 2011
United Kingdom333 Posts
August 09 2012 23:30 GMT
#81
It's lucky they don't do anything stupid like make all the passwords case insensitive... Oh wait.
-RusH
Profile Joined June 2012
United States240 Posts
August 09 2012 23:31 GMT
#82
I can't seem to find how to edit the secret question/answer. Anyone know where?
Life..
Eufouria
Profile Blog Joined March 2011
United Kingdom4425 Posts
Last Edited: 2012-08-09 23:32:10
August 09 2012 23:31 GMT
#83
On August 10 2012 08:26 R1CH wrote:
On August 10 2012 08:22 BadgerBadger8264 wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")


Not saying you shouldn't change your password just to be completely sure, but if you'd know anything about the hashes used to encrypt passwords and how long it takes to decipher even a single password you would know that it's practically impossible for the people that have stolen the hash to obtain even a single password from that information within a month (and even that is stretching it as they'd need a cluster of powerful machines brute forcing the hash constantly for the duration), let alone retrieving a decent amount of stolen passwords. It's honestly not even close to being worth the power/rental costs of doing so to obtain an account worth maybe 100$. This is obviously assuming Blizzard doesn't use horribly outdated encryption, though.

I don't think you're aware of how password hashing works. Do you not think there are millions of people with "password123" or equally terrible passwords in those stolen hashes? Why would you need a month to break that?

It's so bad nobody would ever use it, so hackers won't even try it. Metagame.

So can we all expect to be added to a bunch more spam email lists because of this?
BadgerBadger8264
Profile Joined March 2011
Netherlands409 Posts
Last Edited: 2012-08-09 23:35:57
August 09 2012 23:32 GMT
#84
On August 10 2012 08:26 R1CH wrote:
On August 10 2012 08:22 BadgerBadger8264 wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")


Not saying you shouldn't change your password just to be completely sure, but if you'd know anything about the hashes used to encrypt passwords and how long it takes to decipher even a single password you would know that it's practically impossible for the people that have stolen the hash to obtain even a single password from that information within a month (and even that is stretching it as they'd need a cluster of powerful machines brute forcing the hash constantly for the duration), let alone retrieving a decent amount of stolen passwords. It's honestly not even close to being worth the power/rental costs of doing so to obtain an account worth maybe 100$. This is obviously assuming Blizzard doesn't use horribly outdated encryption, though.

I don't think you're aware of how password hashing works. Do you not think there are millions of people with "password123" or equally terrible passwords in those stolen hashes? Why would you need a month to break that?


Typically passwords are hashed in combination with a username and other information. You can't simply hash "password123" and have thousands of results turn up. You'd have to know the hashing algorithm used by Blizzard, then for every individual user, hash "password123" and compare it to the stored hash. That still obviously wouldn't take a month to do with a single password, so you're right that it is probably feasible to do that for very common passwords and obtain a good amount of accounts. Still, if your password is even remotely unique, they will never realistically obtain it.
sour_eraser
Profile Joined March 2011
Canada932 Posts
Last Edited: 2012-08-09 23:34:21
August 09 2012 23:32 GMT
#85
Ehh. Doesn't really affect me much considering I have diff passwords for all my email and other games. lol
But I want to know if we need to know the previous answer to the secret question when they force us to change it into a new one. I forgot mine :/
"What's the f*cking point of censoring a letter if everyone and their mother knows what it stands for.... F*cking morons"
VPVanek
Profile Joined August 2010
Canada238 Posts
August 09 2012 23:33 GMT
#86
Well I guess I am changing my password now ahahah
FoXer
Crying
Profile Joined February 2011
Bulgaria778 Posts
August 09 2012 23:33 GMT
#87
On August 10 2012 08:31 -RusH wrote:
I can't seem to find how to edit the secret question/answer. Anyone know where?

I think the security question is not changeable.
Determination~ Hard Work Surpass NATURAL GENIUS!
thatsundowner
Profile Joined July 2011
Canada312 Posts
August 09 2012 23:33 GMT
#88
On August 10 2012 08:30 netherh wrote:
It's lucky they don't do anything stupid like make all the passwords case insensitive... Oh wait.


if somebody gets the password case sensitivity is irrelevant and brute forcing is not how the vast majority of stolen b.net accounts are taken. it's kind of an irrelevant thing, and not a big deal at all that they don't do it
"you're gonna fail" in latin
entropius
Profile Joined June 2010
United States1046 Posts
August 09 2012 23:37 GMT
#89
On August 10 2012 08:26 R1CH wrote:
On August 10 2012 08:22 BadgerBadger8264 wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")


Not saying you shouldn't change your password just to be completely sure, but if you'd know anything about the hashes used to encrypt passwords and how long it takes to decipher even a single password you would know that it's practically impossible for the people that have stolen the hash to obtain even a single password from that information within a month (and even that is stretching it as they'd need a cluster of powerful machines brute forcing the hash constantly for the duration), let alone retrieving a decent amount of stolen passwords. It's honestly not even close to being worth the power/rental costs of doing so to obtain an account worth maybe 100$. This is obviously assuming Blizzard doesn't use horribly outdated encryption, though.

I don't think you're aware of how password hashing works. Do you not think there are millions of people with "password123" or equally terrible passwords in those stolen hashes? Why would you need a month to break that?


Wouldn't salting the hashes make this sort of thing impossible? I have in mind the sort of attack where the attacker computes the hash of "password123" and compares it to all the hashes to see if it matches any of them (which is only O(log N)), which would be foiled by salts -- in that case they've got to do the hash algorithm N times instead of just once to check N hashes against each dictionary word. Of course, if the passwords are suitably weak then you can probably afford this -- just check the simplest ones against all of them.

It's been a while since I studied this stuff, of course, so I could be wrong.
IM_Junior
Profile Joined April 2012
Mexico29 Posts
August 09 2012 23:38 GMT
#90
Thx in advance, password changed just to be safe for the moment !!!!
Zerg for life !!! --- DRG / Stephano / Leenock / Life and Nesteaaaaaa
Silidons
Profile Blog Joined September 2010
United States2813 Posts
August 09 2012 23:39 GMT
#91
I noticed that in the past 2 days or so, I went from getting ~5 spam mail a day on my bnet email to 20. I have an Auth and use different PW's for different things, but now I gotta change it >_<
"God fights on the side with the best artillery." - Napoleon Bonaparte
Maluk
Profile Joined August 2011
France987 Posts
Last Edited: 2012-08-09 23:43:52
August 09 2012 23:39 GMT
#92
Does anyone know if my credit card number is somewhere in Blizzard's data if I used it only to buy StarCraft 2, and not for any monthly payment?
Edit : Yes, my question probably sounds pretty noob but I am clueless concerning hacks t.t
ROOTIllusion
Profile Blog Joined August 2010
United States1060 Posts
August 09 2012 23:40 GMT
#93
Didn't something like this happen a year or so ago? damn hackers
www.twitter.com/rootillusion & www.facebook.com/illusionsc2
jnkw
Profile Joined November 2010
Canada347 Posts
August 09 2012 23:42 GMT
#94
On August 10 2012 08:37 entropius wrote:
On August 10 2012 08:26 R1CH wrote:
On August 10 2012 08:22 BadgerBadger8264 wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")


Not saying you shouldn't change your password just to be completely sure, but if you'd know anything about the hashes used to encrypt passwords and how long it takes to decipher even a single password you would know that it's practically impossible for the people that have stolen the hash to obtain even a single password from that information within a month (and even that is stretching it as they'd need a cluster of powerful machines brute forcing the hash constantly for the duration), let alone retrieving a decent amount of stolen passwords. It's honestly not even close to being worth the power/rental costs of doing so to obtain an account worth maybe 100$. This is obviously assuming Blizzard doesn't use horribly outdated encryption, though.

I don't think you're aware of how password hashing works. Do you not think there are millions of people with "password123" or equally terrible passwords in those stolen hashes? Why would you need a month to break that?


Wouldn't salting the hashes make this sort of thing impossible? I have in mind the sort of attack where the attacker computes the hash of "password123" and compares it to all the hashes to see if it matches any of them (which is only O(log N)), which would be foiled by salts -- in that case they've got to do the hash algorithm N times instead of just once to check N hashes against each dictionary word. Of course, if the passwords are suitably weak then you can probably afford this -- just check the simplest ones against all of them.

It's been a while since I studied this stuff, of course, so I could be wrong.


Given that there exist many extremely common passwords like 'password', it is not unreasonable to assume that rainbow tables might exist for a large number of possible salts per common password.
EleanorRIgby
Profile Joined March 2008
Canada3923 Posts
August 09 2012 23:43 GMT
#95
damn this sucks but i think hackers usually go for wow/d3 accounts, sc2 accounts are probably the least profitable
savior did nothing wrong
Kambing
Profile Joined May 2010
United States1176 Posts
August 09 2012 23:43 GMT
#96
On August 10 2012 08:37 entropius wrote:
On August 10 2012 08:26 R1CH wrote:
On August 10 2012 08:22 BadgerBadger8264 wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")


Not saying you shouldn't change your password just to be completely sure, but if you'd know anything about the hashes used to encrypt passwords and how long it takes to decipher even a single password you would know that it's practically impossible for the people that have stolen the hash to obtain even a single password from that information within a month (and even that is stretching it as they'd need a cluster of powerful machines brute forcing the hash constantly for the duration), let alone retrieving a decent amount of stolen passwords. It's honestly not even close to being worth the power/rental costs of doing so to obtain an account worth maybe 100$. This is obviously assuming Blizzard doesn't use horribly outdated encryption, though.

I don't think you're aware of how password hashing works. Do you not think there are millions of people with "password123" or equally terrible passwords in those stolen hashes? Why would you need a month to break that?


Wouldn't salting the hashes make this sort of thing impossible? I have in mind the sort of attack where the attacker computes the hash of "password123" and compares it to all the hashes to see if it matches any of them (which is only O(log N)), which would be foiled by salts -- in that case they've got to do the hash algorithm N times instead of just once to check N hashes against each dictionary word. Of course, if the passwords are suitably weak then you can probably afford this -- just check the simplest ones against all of them.

It's been a while since I studied this stuff, of course, so I could be wrong.


Not necessarily, e.g., http://www.openwall.com/john/.

Passwords in practice are frequently suitably weak and amenable to cracking (e.g., via a dictionary attack). Knowing how the passwords were salted --- or at least narrowing it down to a small set of salting schemes --- makes things more tractable as well.

So theoretically intractable. Practically hard to do, but not impossible.
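The point entropius, jnkw and Kambing are arguing over (what a per-user salt does and does not buy when a hash table leaks) as an added example, not code from the thread or from Blizzard. All users, passwords and the common-password list are constructed for the demonstration; the work counters show that salting removes the one-hash-per-candidate shortcut, while a password that is on the list is recovered either way.

```python
"""Added example: effect of per-user salts on checking a leaked hash table
against a short list of common passwords. Everything below is constructed."""
import hashlib
import os

# Constructed sample credentials; the weak ones mirror the "password123" case
# from the thread, and carol's passphrase is deliberately not on the list.
USERS = {
    "alice": "password123",
    "bob": "letmein",
    "carol": "correct horse battery staple",
    "dave": "password123",
}

COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein"]

KDF_ITERATIONS = 100_000  # slow KDF setting for the salted store


def store_unsalted(users):
    """One fast hash over the bare password: equal passwords give equal hashes,
    so a single precomputed hash identifies every account sharing it."""
    return {name: hashlib.sha256(pw.encode()).hexdigest() for name, pw in users.items()}


def store_salted(users):
    """Per-user random salt fed into a slow KDF (PBKDF2-HMAC-SHA256).
    Equal passwords now give unrelated digests."""
    table = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, KDF_ITERATIONS)
        table[name] = (salt, digest)
    return table


def audit_unsalted(table, candidates):
    """Accounts recovered and hash operations spent when the common list is
    checked against an unsalted table: one hash per candidate, then lookups."""
    by_hash = {}
    for name, h in table.items():
        by_hash.setdefault(h, []).append(name)
    recovered, ops = {}, 0
    for pw in candidates:
        ops += 1
        h = hashlib.sha256(pw.encode()).hexdigest()
        for name in by_hash.get(h, []):
            recovered[name] = pw
    return recovered, ops


def audit_salted(table, candidates):
    """Same check against the salted table: the salt forces one KDF call per
    candidate per account, and the slow KDF makes each call expensive."""
    recovered, ops = {}, 0
    for name, (salt, digest) in table.items():
        for pw in candidates:
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, KDF_ITERATIONS) == digest:
                recovered[name] = pw
                break
    return recovered, ops


if __name__ == "__main__":
    u_rec, u_ops = audit_unsalted(store_unsalted(USERS), COMMON_PASSWORDS)
    s_rec, s_ops = audit_salted(store_salted(USERS), COMMON_PASSWORDS)
    # Same weak accounts fall either way; only the work per recovered account changes.
    print(f"unsalted: {len(u_rec)} accounts, {u_ops} fast hashes")
    print(f"salted:   {len(s_rec)} accounts, {s_ops} KDF calls of {KDF_ITERATIONS} iterations")
```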
Pufftrees
Profile Joined March 2009
2449 Posts
August 09 2012 23:43 GMT
#97

This is just... unacceptable. What the flux.

Blizzard is such a joke
Chance favors the prepared mind.
RoyGBiv_13
Profile Blog Joined August 2010
United States1275 Posts
August 09 2012 23:45 GMT
#98
I went to a talk at DEFCON about fuzzing d3, where they showed just how secure blizzard's password system is. I would not be worried about them breaking your password hash (a properly salted and hashed password is a difficult thing to unravel). The security questions are a real risk though.
Any sufficiently advanced technology is indistinguishable from magic
Dingobloo
Profile Blog Joined September 2010
Australia1903 Posts
Last Edited: 2012-08-09 23:46:54
August 09 2012 23:45 GMT
#99
On August 10 2012 08:37 entropius wrote:
On August 10 2012 08:26 R1CH wrote:
On August 10 2012 08:22 BadgerBadger8264 wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")


Not saying you shouldn't change your password just to be completely sure, but if you'd know anything about the hashes used to encrypt passwords and how long it takes to decipher even a single password you would know that it's practically impossible for the people that have stolen the hash to obtain even a single password from that information within a month (and even that is stretching it as they'd need a cluster of powerful machines brute forcing the hash constantly for the duration), let alone retrieving a decent amount of stolen passwords. It's honestly not even close to being worth the power/rental costs of doing so to obtain an account worth maybe 100$. This is obviously assuming Blizzard doesn't use horribly outdated encryption, though.

I don't think you're aware of how password hashing works. Do you not think there are millions of people with "password123" or equally terrible passwords in those stolen hashes? Why would you need a month to break that?


Wouldn't salting the hashes make this sort of thing impossible? I have in mind the sort of attack where the attacker computes the hash of "password123" and compares it to all the hashes to see if it matches any of them (which is only O(log N)), which would be foiled by salts -- in that case they've got to do the hash algorithm N times instead of just once to check N hashes against each dictionary word. Of course, if the passwords are suitably weak then you can probably afford this -- just check the simplest ones against all of them.

It's been a while since I studied this stuff, of course, so I could be wrong.


They actually tell us the method by which they encrypt the passwords in the FAQ:

http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

It includes the username, password, salt and an unspecified hash function, so dictionary attacks aren't likely to be a problem.

Again, no guarantees, but they seem to have done due diligence with regards to making getting the actual password very difficult given just the hash.
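A toy SRP-6a exchange, added here to show what the protocol Dingobloo links actually stores and exchanges; it is not Blizzard's code, and the 127-bit modulus is a constructed toy (real deployments use the 2048-bit or larger groups from RFC 5054). The server keeps only a salt and a verifier, the password is never sent, and both sides still derive the same session key; one caveat the comments note is that a leaked (salt, verifier) pair can still be checked against a guessed password one account at a time, so the salt prevents amortising across accounts but does not rescue a weak password.

```python
"""Added example: toy SRP-6a (verifier enrolment plus one login exchange)."""
import hashlib
import secrets

N = (1 << 127) - 1   # toy prime modulus, far too small for real use
g = 3                # toy generator


def H(*parts):
    """SHA-256 over integers (big-endian) and byte strings, returned as an int."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def private_key(salt, identity, password):
    """x = H(salt, H(identity ':' password)): the only place the password is used.
    Given a leaked (salt, verifier), a guess can be checked by recomputing
    g^x mod N, so weak passwords remain weak; the salt only stops sharing work."""
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def register(identity, password):
    """Enrolment on the client: the server receives and stores only (salt, verifier)."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_key(salt, identity, password), N)
    return salt, v


def server_challenge(v):
    """Server ephemeral: B = k*v + g^b mod N, which commits to the verifier."""
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    return b, B


def client_session(identity, password, salt, A, a, B):
    """Client key: S = (B - k*g^x)^(a + u*x) mod N, then K = H(S)."""
    x = private_key(salt, identity, password)
    u = H(A, B)
    base = (B - k * pow(g, x, N)) % N
    return H(pow(base, a + u * x, N))


def server_session(v, A, b, B):
    """Server key: S = (A * v^u)^b mod N, then K = H(S); no password needed."""
    u = H(A, B)
    return H(pow(A * pow(v, u, N) % N, b, N))


def login(identity, password, salt, v):
    """Run one exchange and return (client_key, server_key); equal iff the
    client's password matches the verifier the server holds."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    b, B = server_challenge(v)
    if A % N == 0 or B % N == 0:  # RFC 5054 abort condition
        raise ValueError("invalid public value")
    return (client_session(identity, password, salt, A, a, B),
            server_session(v, A, b, B))


if __name__ == "__main__":
    salt, v = register("alice", "correct horse battery staple")
    ck, sk = login("alice", "correct horse battery staple", salt, v)
    print("keys match:", ck == sk)
```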
Kambing
Profile Joined May 2010
United States1176 Posts
August 09 2012 23:45 GMT
#100
On August 10 2012 08:43 EleanorRIgby wrote:
damn this sucks but i think hackers usually go for wow/d3 accounts, sc2 accounts are probably the least profitable


Likely that they can't differentiate without cracking the account. And besides, your email address and secret answers can be enough to do damage. For example, some (badly designed) sites will let you reset a password immediately after you successfully answer a secret question without sending email to your account first.
DertoQq
Profile Joined October 2010
France906 Posts
August 09 2012 23:46 GMT
#101
To access our account, the hackers need to:

a) have the hash of our passwords
b) know the hashing algorithm that Blizzard uses
c) your password needs to be weak

I don't see that happening, but better safe than sorry.
"i've made some empty promises in my life, but hands down that was the most generous" - Michael Scott
Bagration
Profile Blog Joined October 2011
United States18282 Posts
August 09 2012 23:48 GMT
#102
Hmm, so everyone outside of China was hit? Interesting

So could we infer that the hackers are based in China, or is that just simply a red herring to scapegoat?
Team Slayers, Axiom-Acer and Vile forever
Kambing
Profile Joined May 2010
United States1176 Posts
August 09 2012 23:49 GMT
#103
Also this should serve as a reminder of how stupid the concept of secret questions is. Fill in garbage or otherwise meaningless words for those fields and safeguard your passwords via other means, e.g., with a program like keepass or service like 1password.
WiljushkA
Profile Joined March 2006
Serbia1416 Posts
August 09 2012 23:49 GMT
#104
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")


Yeah. They store only the hash values of passwords, that are attained through the use of a one-way function. It's actually pretty safe stuff. To break them hackers would need to be either better at math than the world's best mathematicians, or have access to currently non-existent amounts of computing power.
"As much as I love the image of me F5-ing paypal every 15 minutes while fist pumping and screaming "SHIP THE MONEY BITCHES"" - Day9
InDesconrowl
Profile Joined April 2012
Togo311 Posts
August 09 2012 23:50 GMT
#105
On August 10 2012 08:40 QuanticIllusion wrote:
Didn't something like this happen a year or so ago? damn hackers


It happened to steam about a year ago. The chinese hacker who hacked steam is now in jail .
:tg: Ginyu Force :tg:
Medrea
Profile Joined May 2011
10003 Posts
August 09 2012 23:50 GMT
#106
I have a physical authenticator so everything is rosy for me.

I'd imagine most people have one by now, it's so small. I wish my bank account had one.
twitch.tv/medrea
Virtue
Profile Joined July 2010
United States318 Posts
Last Edited: 2012-08-10 12:45:26
August 09 2012 23:51 GMT
#107
On August 10 2012 08:30 netherh wrote:
It's lucky they don't do anything stupid like make all the passwords case insensitive... Oh wait.


Usually at this point after a hack, case of the characters in your passwords doesn't matter. They are just going to brute force (Try every possible combination of characters for a certain length) and when a computer is just calculating hashes and comparing them it doesn't make it harder or easier. Thankfully, it seems like Blizzard's password storage protocol is a lot better than most encryption methods at standing up to brute forcing their hashes. (Might even be impossible.)

Still, when it comes to passwords length is all that matters. I work for a company that audits IT and when we get hashes of passwords like these guys did, we can usually crack all of an institution's passwords in a day. The only ones we can't crack no matter how long we try are the ones that are long (Something like 13-15 characters or longer). The best passwords are ones that are long and easy for you to remember/type but that are also hard for people who have information about you to guess and are not used for multiple accounts/sites. R1CH has pointed out that last bit before; If you have a different password for everything, one compromised site like this won't matter.

People only use short passwords because they are usually forced to used ridiculous cases and special characters that make the password hard to type quickly. If you just make a password that is long, has a few spaces, and only uses lower case letters, you'll be more secure than someone who has an 8 character long password that has a capital letter, special character, and a number and much more likely to be able to remember it and type it quickly.

*Edited part of my second paragraph. It now correctly says that "The only ones we can't crack no matter how long we try are the ones that are long(Something like 13-15 characters or longer)"
Grimmyman123
Profile Joined January 2011
Canada939 Posts
August 09 2012 23:52 GMT
#108
No worries, changed password, and will change security question later. Also changed password to related email address to my Bnet account, just in case.
Win. That's all that matters. Win. Nobody likes to lose.
Integra
Profile Blog Joined January 2008
Sweden5626 Posts
Last Edited: 2012-08-09 23:55:04
August 09 2012 23:53 GMT
#109
On a positive note, it's nice to see that Blizzard really has put their mind into the protection part (their security, judging by their post, is pretty damn hard to actually crack even if you got the information), they even went out and were totally transparent about the whole thing. Kudos to Blizzard about this.
"Dark Pleasure" | | I survived the Locust war of May 3, 2014
Dingobloo
Profile Blog Joined September 2010
Australia1903 Posts
August 09 2012 23:54 GMT
#110
On August 10 2012 08:48 Bagration wrote:
Hmm, so everyone outside of China was hit? Interesting

So could we infer that the hackers are based from China, or is that just simply a red herring to scapegoat?


The hacker could very well be from China, but I don't think you can infer that from the information, Blizzard gets a different company to run all of its mainland China business and they probably have separate authentication servers that weren't hit.
Na_Dann_Ma_GoGo
Profile Joined March 2010
Germany2959 Posts
Last Edited: 2012-08-09 23:56:01
August 09 2012 23:55 GMT
#111
@ Virtue

Reminds me of this:

[image loading]
WrathBringerReturns said: No no no. Sarcasm is detected in the voice. When this forum is riddled with stupidity, you think I can tell every post apart? Fair enough it was intended sarcastically, was it obvious? Of course not.
Windwaker
Profile Joined February 2012
Germany1597 Posts
August 09 2012 23:56 GMT
#112
fuck I hope they don't have a machine like the guys in Digital Fortress to get the passwords
The path of the righteous man is beset on all sides by the iniquities of the selfish and the tyranny of evil men. Blessed is he, who in the name of charity and good will, shepherds the weak through the valley of darkness, for he is truly his brother
HeeroFX
Profile Blog Joined November 2010
United States2704 Posts
August 09 2012 23:57 GMT
#113
Blizzard should give us all beta access to HOTS for this :D
thekoalaz
Profile Joined October 2011
United States109 Posts
August 09 2012 23:59 GMT
#114
On August 10 2012 08:55 Na_Dann_Ma_GoGo wrote:
@ Virtue

Reminds me of this:

[image loading]



Beat me to it
Integra
Profile Blog Joined January 2008
Sweden5626 Posts
August 09 2012 23:59 GMT
#115
On August 10 2012 08:55 Na_Dann_Ma_GoGo wrote:
@ Virtue

Reminds me of this:

[image loading]

Have you ever heard of the Green horse wanking off at the prairie?
GreenHorseWankingPrairie, you'll never forget that password, and it's hard as hell to break
"Dark Pleasure" | | I survived the Locust war of May 3, 2014
DertoQq
Profile Joined October 2010
France906 Posts
August 10 2012 00:01 GMT
#116
On August 10 2012 08:51 Virtue wrote:
On August 10 2012 08:30 netherh wrote:
It's lucky they don't do anything stupid like make all the passwords case insensitive... Oh wait.


Usually at this point after a hack, case of the characters in your passwords doesn't matter. They are just going to brute force (Try every possible combination of characters for a certain length) and when a computer is just calculating hashes and comparing them it doesn't make it harder or easier. Thankfully, it seems like Blizzard's password storage protocol is a lot better than most encryption methods at standing up to brute forcing their hashes. (Might even be impossible.)


Actually, case does help. They are going to brute force it and if they have to take into account the case, it will increase the number of possibilities by A LOT.
"i've made some empty promises in my life, but hands down that was the most generous" - Michael Scott
Raskit
Profile Joined July 2009
579 Posts
August 10 2012 00:01 GMT
#117
On August 10 2012 08:49 Kambing wrote:
Also this should serve as a reminder of how stupid the concept of secret questions is. Fill in garbage or otherwise meaningless words for those fields and safeguard your passwords via other means, e.g., with a program like keepass or service like 1password.

I think it's time to just start treating the secret answer as another unique password. You can't actually answer the question correctly, as anyone who knows you well enough will be able to guess the answer, and you can't use the same answer for all questions, as these attacks are becoming increasingly common.
NKexquisite
Profile Joined January 2009
United States911 Posts
August 10 2012 00:04 GMT
#118
Not a big deal. Carry on.
Whattttt Upppppppp Im Nesteaaaaaa!!
forsooth
Profile Joined February 2011
United States3648 Posts
August 10 2012 00:05 GMT
#119
Fortunately my b.net password is isolated. Still, I'll be changing it when I get home from work. I had an e-mail account stolen from me once. It was a huge headache to get secure again.
xSilverx
Profile Joined November 2011
Sweden76 Posts
August 10 2012 00:06 GMT
#120
Mike Morhaime, the person I respect most in the world! Hopefully this will be sorted out and fixed, but I won't lose any trust in Blizzard. This happens to everyone, even the greatest; just make sure to fix it.
MyLastSerenade
Profile Joined February 2010
Germany710 Posts
August 10 2012 00:06 GMT
#121
unbelievable......
Medrea
Profile Joined May 2011
10003 Posts
August 10 2012 00:08 GMT
#122
Well it's not like they kept the passwords in plaintext.
twitch.tv/medrea
Corrosive
Profile Joined August 2010
Canada3741 Posts
August 10 2012 00:11 GMT
#123
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/
Maruprime.
creamer
Profile Joined February 2011
Canada128 Posts
August 10 2012 00:11 GMT
#124
If they have a half decent encryption on the passwords (which I'm sure they do), I'm not worried at all about my account being accessed.
MKP - Best player of all time
andReslic
Profile Joined January 2012
216 Posts
August 10 2012 00:11 GMT
#125
I feel like people that bought accounts will feel safer after being able to change the secret question

Wuster
Profile Joined May 2011
1974 Posts
Last Edited: 2012-08-10 00:16:42
August 10 2012 00:14 GMT
#126
On August 10 2012 08:51 Virtue wrote:
On August 10 2012 08:30 netherh wrote:
It's lucky they don't do anything stupid like make all the passwords case insensitive... Oh wait.


Usually at this point after a hack, case of the characters in your passwords doesn't matter. They are just going to brute force (Try every possible combination of characters for a certain length) and when a computer is just calculating hashes and comparing them it doesn't make it harder or easier. Thankfully, it seems like Blizzard's password storage protocol is a lot better than most encryption methods at standing up to brute forcing their hashes. (Might even be impossible.)


I'm by no means an expert, so I'm wondering if you could explain how a storage protocol could be better or worse against brute force. Do you mean things like individual salts or increased entropy?

Because all I'm thinking is that once someone has the actual hash you can't slow their velocity when it comes to brute-force attacks (which Blizzard does when you enter passwords through the game client / web).

Edit: I do agree that case actually is a red herring here, because the allowable character set and password lengths already have plenty of permutations to prevent someone easily cracking one password let alone all of them.
v3chr0
Profile Blog Joined April 2010
United States856 Posts
August 10 2012 00:17 GMT
#127
My password is pretty crazy, I think I'll be alright. Will be changing my secret q/a when prompted though.
"He catches him with his pants down, backs him off into a corner, and then it's over." - Khaldor
Sikly
Profile Joined June 2011
United States413 Posts
August 10 2012 00:20 GMT
#128
On August 10 2012 09:17 v3chr0 wrote:
My password is pretty crazy, I think I'll be alright. Will be changing my secret q/a when prompted though.


Why risk it? Using a new password takes minutes, getting a stolen account and all the other bullshit that comes with it could take you quite a lot of stressful hours.
Chunhyang
Profile Joined December 2011
Bangladesh1389 Posts
August 10 2012 00:20 GMT
#129
So, someone hacked? Or someone went all Mission Impossible on Blizzard HQ? The latter, I hope.

I'm not worried.
If you could reason with haters, there would be no haters. YGTMYFT
achristes
Profile Blog Joined March 2011
Norway653 Posts
August 10 2012 00:25 GMT
#130
Did anyone know that if you type your bnet password on TL it automatically turns into stars?
Here's mine: *******
Pretty sick.

On a serious note, looks like blizz handled it nicely.
youtube.com/spooderm4n | twitch.tv/spooderm4n | Random videos and games I feel like uploading
nath
Profile Blog Joined May 2010
United States1788 Posts
August 10 2012 00:26 GMT
#131
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

as a programmer, yes.
Founder of Flow Enterprises, LLC http://flow-enterprises.com/
Vorenius
Profile Blog Joined December 2010
Denmark1979 Posts
August 10 2012 00:26 GMT
#132
On August 10 2012 09:11 Corrosive wrote:
If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

1 million years.

I'll take my chances.
Kaasstengel
Profile Joined July 2012
Netherlands15 Posts
August 10 2012 00:27 GMT
#133
Thanks for posting this! I'm playing on the European server but changed my password and question anyway; you never can be too certain these days!
leo23
Profile Blog Joined November 2010
United States3075 Posts
August 10 2012 00:30 GMT
#134
T_T oh my god ...
banelings
trifecta
Profile Joined April 2010
United States6795 Posts
August 10 2012 00:30 GMT
#135
On August 10 2012 09:06 MyLastSerenade wrote:
unbelievable......



Why is this unbelievable? Security is a really hard problem of asymmetric warfare. At least Blizzard, as far as we know, didn't make any obvious mistakes like keeping passwords in plaintext. As the Apple/Amazon story from a few days ago reinforced, users have to share the responsibility of security (don't reuse passwords, use strong passwords, keep backups, etc.); you can't expect even the largest corporations to keep out all attackers all the time.
Laneir
Profile Joined September 2010
United States1160 Posts
August 10 2012 00:31 GMT
#136
No bueno hope they fix this fast
Follow me on Instagram @Chef_Betto
xrapture
Profile Blog Joined December 2011
United States1644 Posts
Last Edited: 2012-08-10 04:33:35
August 10 2012 00:31 GMT
#137
Everyone is either delusional, a nihilist, or dead from suicide.
Eufouria
Profile Blog Joined March 2011
United Kingdom4425 Posts
August 10 2012 00:32 GMT
#138
On August 10 2012 09:26 Vorenius wrote:
On August 10 2012 09:11 Corrosive wrote:
If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

1 million years.

I'll take my chances.

128 decillion years
Possible Combinations: 16 sexdecillion

I'm quietly confident.
zergrushkekeke
Profile Joined November 2010
Australia241 Posts
August 10 2012 00:33 GMT
#139
On August 10 2012 09:17 v3chr0 wrote:
My password is pretty crazy, I think I'll be alright. Will be changing my secret q/a when prompted though.


That is not how passwords work, if you have a crazy long and difficult password and someone steals it, they don't care how long or complicated it is, they will more likely be copy/pasting it.

And to the other post about using a webpage to check how secure your password is, I seriously hope you didn't use your real one. How secure is a secret you told someone about to see if they have heard it?
KEKEKE
Shenghi
Profile Joined August 2010
167 Posts
August 10 2012 00:33 GMT
#140
On August 10 2012 08:16 R1CH wrote:
On August 10 2012 08:08 Shenghi wrote:
Assuming Blizzard's implementation of the SRP protocol is correct and they use sufficiently large numbers, and there is no reason to assume otherwise, then the passwords of the NA accounts are still just as safe as they were before, with the minor difference that more attempts at breaking them could now be made per second. However, for strong passwords this doesn't matter, as strong passwords take billions of years to break anyway.

While SRP is very secure, there are many services (like the battle.net website) that can't use SRP, so it seems reasonable to conclude that some password-equivalent data is stored somewhere and that it could have been leaked.

Even so, it can reasonably be assumed that Blizzard sufficiently salts and otherwise obscures the password before hashing it with a safe hash, so the point stands. Weak passwords remain weak, strong ones remain strong.

Nevertheless, everyone affected should of course still change their passwords, just to make sure.

On August 10 2012 08:26 thurst0n wrote:
LOL SO TRUE!

I seriously cannot have a password for each site because I cannot remember that many passwords. I have to change my password at work every 10 weeks, and I'm running out of options; I cannot use ANY password I've previously used... Security questions I have a little trick for, that this hacker ruined. I always answer the same 3 things for security questions, and they are complete bullshit, so it doesn't matter what questions are asked, just the random answers I have selected; it makes it hard when sites ask me in random order.

Bleh, I guess I'll have to write down my passwords at home, and start making them different for everything. Luckily I already use separate passwords for things I care about, like banking/personal email. Fuck you hackers

The sad part is that changing your password every 10 weeks doesn't even increase security. If your password is strong, then it's strong. If it's weak, then it's weak. In fact, having to change it often will probably lead to much weaker passwords, such as "thissux10" and then just increment it every time you are forced to change it.

As for security questions, don't get me started. They are pretty much the bane of my existence. If I can avoid having to answer them, I will. If that means I have to avoid a certain service, so be it.

Don't write your passwords down. Use KeePass, like some people have already suggested.

On August 10 2012 08:43 Pufftrees wrote:

This is just... unacceptable. What the flux.

Blizzard is such a joke

This happens to every major company and every government. Nothing you can do about it. Attackers are always ahead of defenders. Not Blizzard's fault, and in fact, as far as we can tell they're handling it better than most.

On August 10 2012 08:45 RoyGBiv_13 wrote:
I went to a talk at DEFCON about fuzzing D3, where they showed just how secure Blizzard's password system is. I would not be worried about them breaking your password hash (a properly salted and hashed password is a difficult thing to unravel). The security questions are a real risk though.

Always those dang security questions...

On August 10 2012 08:51 Virtue wrote:
On August 10 2012 08:30 netherh wrote:
It's lucky they don't do anything stupid like make all the passwords case insensitive... Oh wait.


<snip>

Still, when it comes to passwords, length is all that matters. I work for a company that audits IT and when we get hashes of passwords like these guys did, we can usually crack all of an institution's passwords in a day. The only ones we can't crack no matter how long they are are ones that are long (something like 13-15 characters or longer).

<snip>


Even if the hashing algorithm is known and only lower-case characters (no uppercase, no digits, no special characters, etc.) are used, then at 1 billion (1 000 000 000) attempts per second it takes ~50 000 years to break a 15-character password, assuming the hash is safe (no collisions are known, or are expected to be found within that time frame).

For a 20-character password, this would be ~631 billion years.

Note: The (possibly) fastest computer on earth can make about 75 billion attempts per second.

(Reinforcing your point here, not disputing it)

On August 10 2012 09:01 DertoQq wrote:
Actually, case does help. They are going to brute force it and if they have to take into account the case, it will increase the number of possibilities by A LOT.

It helps, but it won't change much for a password of desirable length. If it's impossible to get in a few billion years, then one way or the other, you'll be fine.

On August 10 2012 09:20 Sikly wrote:
Why risk it? Using a new password takes minutes, getting a stolen account and all the other bullshit that comes with it could take you quite a lot of stressful hours.

Memorizing a new, strong password takes more than minutes.

On August 10 2012 09:25 achristes wrote:
Did anyone know that if you type your bnet password on TL it automatically turns into stars?
Here's mine: *******
Pretty sick.

Oh, you read bash.org.
People are not born stupid, they choose to be stupid. If you made that choice, please change your mind.
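To check the figures in the post above (and the earlier claim that a long all-lowercase password beats a short complex one), here is an added brute-force cost model; it is not from the thread or from Blizzard, and the 1 billion and 75 billion guesses-per-second rates are the ones the post assumes.

```python
"""Brute-force cost model (added example, not from the thread).

Reproduces the arithmetic behind "~50 000 years for 15 lowercase characters
at 1 billion guesses/s" and "~631 billion years for 20", and compares
alphabets so the long-lowercase vs short-complex argument can be checked.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes for common password policies.
LOWER = 26          # a-z only
LOWER_UPPER = 52    # a-z plus A-Z (what case sensitivity adds)
ALNUM_MIXED = 62    # letters of both cases plus digits
PRINTABLE = 95      # every printable ASCII character


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every password of this shape at the given guess rate.

    This is the worst case for the attacker; on average a single password
    falls after half the keyspace, which changes the answer by a factor of 2
    and none of the conclusions.
    """
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def case_multiplier(length: int) -> int:
    """How much larger the search becomes when each letter may be upper or lower case.

    Going from 26 to 52 symbols multiplies the keyspace by 2 per character,
    so the factor is 2**length: large, but it is the exponent (the length)
    that dominates, which is the point made about 'desirable length'.
    """
    return keyspace(LOWER_UPPER, length) // keyspace(LOWER, length)


def min_length_for_budget(alphabet_size: int, guesses_per_second: float, years: float) -> int:
    """Smallest length whose full keyspace takes at least `years` to enumerate."""
    needed = years * SECONDS_PER_YEAR * guesses_per_second
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


def equivalent_length(from_alphabet: int, from_length: int, to_alphabet: int) -> int:
    """Length in `to_alphabet` that gives at least the keyspace of a
    `from_length`-character password drawn from `from_alphabet`.

    Exact integer comparison, so there is no floating-point rounding at the boundary.
    """
    target = keyspace(from_alphabet, from_length)
    length = 1
    while keyspace(to_alphabet, length) < target:
        length += 1
    return length


if __name__ == "__main__":
    # The two rates assumed in the thread: 1e9 guesses/s, and 75e9 for the
    # (then) fastest computer mentioned.
    for rate in (1e9, 75e9):
        print(f"{rate:.0e} guesses/s: 15 lowercase -> "
              f"{years_to_exhaust(LOWER, 15, rate):,.0f} years, "
              f"20 lowercase -> {years_to_exhaust(LOWER, 20, rate):.3e} years")
    print("case sensitivity at 15 chars multiplies the search by", case_multiplier(15))
    print("lowercase length matching 8 printable chars:", equivalent_length(PRINTABLE, 8, LOWER))
    print("lowercase length for a 1-billion-year budget at 1e9/s:",
          min_length_for_budget(LOWER, 1e9, 1e9))
```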
Serpico
Profile Joined May 2010
4285 Posts
August 10 2012 00:33 GMT
#141
On August 10 2012 09:31 xrapture wrote:
My email:

Decado@writing.com


Password:

teehee12



Do whatever the fuck you want.

So many pussies crying over nothing.

This guy is super tough. What a tough guy.
Sanguinarius
Profile Joined January 2010
United States3427 Posts
August 10 2012 00:34 GMT
#142
oh, not good :-(

Ty for heads up
Your strength is just an accident arising from the weakness of others -Heart of Darkness
Bagration
Profile Blog Joined October 2011
United States18282 Posts
August 10 2012 00:35 GMT
#143
On August 10 2012 08:54 Dingobloo wrote:
On August 10 2012 08:48 Bagration wrote:
Hmm, so everyone outside of China was hit? Interesting

So could we infer that the hackers are based from China, or is that just simply a red herring to scapegoat?


The hacker could very well be from China, but I don't think you can infer that from the information. Blizzard gets a different company to run all of its mainland China business, and they probably have separate authentication servers that weren't hit.


Yeah, true. I just hope the hacker does get due punishment. I just found it interesting that China was spared.
Team Slayers, Axiom-Acer and Vile forever
leo23
Profile Blog Joined November 2010
United States3075 Posts
August 10 2012 00:36 GMT
#144
On August 10 2012 09:31 xrapture wrote:
My email:

Decado@writing.com


Password:

teehee12



Do whatever the fuck you want.

So many pussies crying over nothing.


now this guy is a real man

justin

lol
banelings
jere
Profile Joined September 2010
United States121 Posts
August 10 2012 00:37 GMT
#145
Well I was due for a password change so this is a good time to do it.
Vorenius
Profile Blog Joined December 2010
Denmark1979 Posts
August 10 2012 00:38 GMT
#146
On August 10 2012 09:33 zergrushkekeke wrote:
On August 10 2012 09:17 v3chr0 wrote:
My password is pretty crazy, I think I'll be alright. Will be changing my secret q/a when prompted though.


That is not how passwords work, if you have a crazy long and difficult password and someone steals it, they don't care how long or complicated it is, they will more likely be copy/pasting it.

And to the other post about using a webpage to check how secure your password is, I seriously hope you didn't use your real one. How secure is a secret you told someone about to see if they have heard it?

I also gave them my email to make sure they wouldn't have to bother finding it otherwise. Then I sent them my SS number and a photocopy of my passport.

Also, no one has stolen anyone's password through blizzard since they aren't stupid enough to store them as plain text (take that sony!) They got a hashed version, so a more secure password will indeed help you against getting hacked.
Cabinet Sanchez
Profile Joined February 2011
Australia1097 Posts
August 10 2012 00:39 GMT
#147
I loved that password I used there (and like, everywhere else)

Damnit
MVega
Profile Joined November 2010
763 Posts
August 10 2012 00:42 GMT
#148
Eh no biggie as long as people change their passwords and aren't stupid.
bumkin: How can you play like 50 games per day... I 4gate 2 times then it's nap time
RiceAgainst
Profile Blog Joined November 2011
United States1849 Posts
August 10 2012 00:43 GMT
#149
Does this tie in with me getting an email from Blizzard saying that they think I'm trying to sell my WoW account (when I don't even have one) then linking me to a random page? Or is that something different?
Neurosis
Profile Joined October 2010
United States893 Posts
August 10 2012 00:44 GMT
#150
On August 10 2012 09:33 Serpico wrote:
On August 10 2012 09:31 xrapture wrote:
My email:

Decado@writing.com


Password:

teehee12



Do whatever the fuck you want.

So many pussies crying over nothing.

This guy is super tough. What a tough guy.


rofl
AngryFarmer
Profile Joined June 2011
United States560 Posts
August 10 2012 00:46 GMT
#151
On August 10 2012 08:03 zhurai wrote:
On August 10 2012 08:02 larse wrote:
"outside of China."

LOL. Blizzard so implicitly points out suspect's location.

narrows down so many countries!


It's because China has their own servers and own operation. This has something to do with the distributor of StarCraft in China.
AnachronisticAnarchy
Profile Blog Joined July 2011
United States2957 Posts
August 10 2012 00:47 GMT
#152
Let's hope it stops here, and we don't get a PSN redux.
God, it seems there's so many of these incidents these days. Has it always been like this, or is it just happening now because some jackasses showed it was possible, and, indeed, easy?
"How are you?" "I am fine, because it is not normal to scream in pain."
seaofsaturn
Profile Blog Joined September 2010
United States489 Posts
August 10 2012 00:48 GMT
#153
Does un-checking the little box that says "Remember payment information" help at all with this sort of thing? Or is it gonna be in their database anyway?
Photoshop is over-powered.
MVega
Profile Joined November 2010
763 Posts
August 10 2012 00:51 GMT
#154
On August 10 2012 09:43 RiceAgainst wrote:
Does this tie in with me getting an email from Blizzard saying that they think I'm trying to sell my WoW account (when I don't even have one) then linking me to a random page? Or is that something different?


That's an age old phishing scam. It's not really from Blizzard even though sometimes they look really convincing. When Blizzard thinks you've sold/are selling an account they just outright ban you, they don't bother telling you that they suspect you.
bumkin: How can you play like 50 games per day... I 4gate 2 times then it's nap time
CrazyF1r3f0x
Profile Blog Joined August 2010
United States2120 Posts
August 10 2012 00:52 GMT
#155
Times like this make me happy to have KeePass ^_^
"Actual happiness always looks pretty squalid in comparison with the overcompensations for misery."
Monochromatic
Profile Blog Joined March 2012
United States997 Posts
August 10 2012 00:52 GMT
#156
I wonder if this has anything to do with D3's RMAH?
MC: "Guys I need your support! iam poor make me nerd baller" __________________________________________RIP Violet
Caphe
Profile Blog Joined May 2007
Vietnam10817 Posts
August 10 2012 00:54 GMT
#157
As a PSN user, I had to change my passwords; then GomTV came along and now Blizzard. God damn hackers, LEAVE ME ALONE.
Thanks for the heads up though.
Terran
delHospital
Profile Blog Joined December 2010
Poland261 Posts
August 10 2012 00:55 GMT
#158
On August 10 2012 07:34 juicyjames wrote:
When did Blizzard learn of the unauthorized access?
The trespass into our internal network was detected by us on August 4, 2012.

Why did Blizzard announce this on August 9?
We were debating whether to sweep it under the rug or not.

But seriously, what is the reason for taking such a long time?
trifecta
Profile Joined April 2010
United States6795 Posts
August 10 2012 00:56 GMT
#159
On August 10 2012 09:52 Monochromatic wrote:
I wonder if this has anything to do with D3's RMAH?


Blizz has probably been under steady attack since WoW came out.
R1CH
Profile Blog Joined May 2007
Netherlands10340 Posts
August 10 2012 00:57 GMT
#160
On August 10 2012 08:37 entropius wrote:
On August 10 2012 08:26 R1CH wrote:
On August 10 2012 08:22 BadgerBadger8264 wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")


Not saying you shouldn't change your password just to be completely sure, but if you'd know anything about the hashes used to encrypt passwords and how long it takes to decipher even a single password you would know that it's practically impossible for the people that have stolen the hash to obtain even a single password from that information within a month (and even that is stretching it as they'd need a cluster of powerful machines brute forcing the hash constantly for the duration), let alone retrieving a decent amount of stolen passwords. It's honestly not even close to being worth the power/rental costs of doing so to obtain an account worth maybe 100$. This is obviously assuming Blizzard doesn't use horribly outdated encryption, though.

I don't think you're aware of how password hashing works. Do you not think there are millions of people with "password123" or equally terrible passwords in those stolen hashes? Why would you need a month to break that?


Wouldn't salting the hashes make this sort of thing impossible? I have in mind the sort of attack where the attacker computes the hash of "password123" and compares it to all the hashes to see if it matches any of them (which is only O(log N)), which would be foiled by salts -- in that case they've got to do the hash algorithm N times instead of just once to check N hashes against each dictionary word. Of course, if the passwords are suitably weak then you can probably afford this -- just check the simplest ones against all of them.

It's been a while since I studied this stuff, of course, so I could be wrong.

Even with salts, the general population pick terrible passwords. Look at analysis done of previous leaks such as this one: https://www.computerworld.com/s/article/9147138/Users_still_make_hacking_easy_with_weak_passwords?

According to Imperva, about 30% of the passwords in the hacked list were six characters or smaller, while 60% were passwords created from a limited set of alphanumeric characters. Nearly 50% of the users had used easily guessable names, common slang words, adjacent keyboard keys and consecutive digits as their passwords.
Administrator | Twitter: @R1CH_TL
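Added example (not from the thread or Blizzard's code) of the point R1CH and entropius are making: with a per-user salt the attacker must hash each dictionary word once per leaked record instead of once in total, yet weak passwords still fall; the users, salts and word list below are constructed for the demonstration.

```python
"""Cost model for a dictionary attack on a leaked hash table, salted vs unsalted.

Added example. The 'leak', the salts and the word list are constructed here;
nothing below is data from the thread. SHA-256 stands in for whatever hash a
site uses; the counts are what matter, not the algorithm.
"""
import hashlib
import os


class HashCounter:
    """Wraps SHA-256 so we can count how many hash evaluations an attack needs."""

    def __init__(self) -> None:
        self.calls = 0

    def digest(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.sha256(data).digest()


# Constructed sample: three users with passwords from the 'terrible' class the
# post describes, one with a long lowercase passphrase of the kind recommended upthread.
USERS = {
    "alice": "password123",
    "bob": "123456",
    "carol": "qwerty",
    "dave": "green horse on the prairie at dusk",
}
# Constructed word list; real ones are far longer, which only widens the gap below.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty", "abc123", "iloveyou"]


def build_unsalted_store(h: HashCounter) -> dict:
    """user -> H(password): the layout that makes one guess test every user at once."""
    return {name: h.digest(pw.encode()) for name, pw in USERS.items()}


def build_salted_store(h: HashCounter) -> dict:
    """user -> (salt, H(salt || password)) with a fresh random salt per user."""
    store = {}
    for name, pw in USERS.items():
        salt = os.urandom(16)
        store[name] = (salt, h.digest(salt + pw.encode()))
    return store


def attack_unsalted(store: dict, wordlist: list) -> tuple:
    """Hash every word once, then look each leaked hash up in that table.

    Cost is len(wordlist) hashes regardless of how many users leaked.
    """
    h = HashCounter()
    lookup = {h.digest(w.encode()): w for w in wordlist}
    found = {name: lookup[d] for name, d in store.items() if d in lookup}
    return found, h.calls


def attack_salted(store: dict, wordlist: list) -> tuple:
    """With salts the table trick is gone: every (user, word) pair costs a hash.

    Worst case is len(store) * len(wordlist) hashes. Weak passwords are still
    found; the salt only removes the amortisation across users. The other lever,
    a deliberately slow password hash, raises the cost of each individual call.
    """
    h = HashCounter()
    found = {}
    for name, (salt, d) in store.items():
        for w in wordlist:
            if h.digest(salt + w.encode()) == d:
                found[name] = w
                break
    return found, h.calls


if __name__ == "__main__":
    u_found, u_calls = attack_unsalted(build_unsalted_store(HashCounter()), WORDLIST)
    s_found, s_calls = attack_salted(build_salted_store(HashCounter()), WORDLIST)
    print("unsalted:", u_found, "hash calls:", u_calls)
    print("salted:  ", s_found, "hash calls:", s_calls,
          "(worst case", len(USERS) * len(WORDLIST), ")")
```

Dave's passphrase is in no word list, so neither run recovers it; the three weak passwords fall in both runs, and only the number of hash calls changes.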
Bippzy
Profile Blog Joined March 2011
United States1466 Posts
Last Edited: 2012-08-10 00:59:41
August 10 2012 00:57 GMT
#161
All I can think of really (after changing my password) is that I forgot my current security question, so my Bnet account has been stuck on an email I don't want it to be. Hopefully, I will be able to change the email with this serendipitous change!

Also sux that blizz was accessed. Can't put too much blame, not all companies can be permanently on the ball.

On August 10 2012 09:33 Serpico wrote:
On August 10 2012 09:31 xrapture wrote:
My email:

Decado@writing.com


Password:

teehee12



Do whatever the fuck you want.

So many pussies crying over nothing.

This guy is super tough. What a tough guy.

Well touche to this guy. I went on, but IDK what I'd want to change.
LEENOCK LEENOCK LEENOCK LEENOCK LEENOCK LEENOCK LEENOCK LEENOCK LEENOCK LEENOCK LEENOCK LEENOCK
crawlingchaos
Profile Joined March 2011
Canada2025 Posts
August 10 2012 01:04 GMT
#162
Damn, I like keeping all my passwords relatively similar. Oh well.

This just reminds me that I ALWAYS forget the answers to my security questions -_-
They say that life's a carousel, spinning fast you've gotta ride it well, the world is full of kings and queens who blind your eyes and steal your dreams, it's heaven and hell, oh well.
JJH777
Profile Joined January 2011
United States4408 Posts
August 10 2012 01:08 GMT
#163
Lol I'm glad this happened after all the blind fanboys were saying THERE WAS ABSOLUTELY NO WAY the huge amount of D3 accounts getting hacked was a problem on blizzard's end.
AnachronisticAnarchy
Profile Blog Joined July 2011
United States2957 Posts
August 10 2012 01:12 GMT
#164
On August 10 2012 09:33 Serpico wrote:
On August 10 2012 09:31 xrapture wrote:
My email:

Decado@writing.com


Password:

teehee12



Do whatever the fuck you want.

So many pussies crying over nothing.

This guy is super tough. What a tough guy.


Also stupid, unless he doesn't want to play SC2 anymore. He probably forgot that we can do more than just bomb his MMR, such as changing his password and information.
"How are you?" "I am fine, because it is not normal to scream in pain."
Integra
Profile Blog Joined January 2008
Sweden5626 Posts
August 10 2012 01:16 GMT
#165
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years, or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years, to crack my password... good luck with that.
"Dark Pleasure" | | I survived the Locust war of May 3, 2014
FryktSkyene
Profile Joined December 2010
United States1327 Posts
Last Edited: 2012-08-10 01:22:22
August 10 2012 01:21 GMT
#166
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years, or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years, to crack my password... good luck with that.


wow
Snitches get stitches
Psychonian
Profile Joined March 2012
United States2322 Posts
August 10 2012 01:27 GMT
#167
ffs

God damn it blizzard there is no end of problems with your sites.
Trans Rights
Wuster
Profile Joined May 2011
1974 Posts
August 10 2012 01:30 GMT
#168
On August 10 2012 09:55 delHospital wrote:
On August 10 2012 07:34 juicyjames wrote:
When did Blizzard learn of the unauthorized access?
The trespass into our internal network was detected by us on August 4, 2012.

Why did Blizzard announce this on August 9?
We were debating whether to sweep it under the rug or not.

But seriously, what is the reason for taking such a long time?


1 business week isn't all that long. What they said is pretty reasonable at face value.

After all, the PSN mess was exacerbated by them claiming that no personal data was lost, then no financial data was lost, then 'actually they got everything'. That's not just bad PR, it also prevents customers from actually doing anything about the security breach in a timely manner (unless they just didn't trust PSN's everything's fine message, which why not, doesn't hurt to be extra safe).

If Blizzard knew that sensitive data was compromised, then that's something you can just say. But if you're affirming that no sensitive data was compromised, you'd better be damned sure before you say anything.

Plus, it's entirely possible that they were busy closing security breaches and just didn't get around to checking what was stolen until after the fact, after all you have to stop the problem rather than make press releases. Not to mention it would probably take a company as large as blizzard a non-trivial amount of time to verify what was and was not accessed by the hackers.
Alakaslam
Profile Blog Joined September 2011
United States17336 Posts
Last Edited: 2012-08-10 01:39:53
August 10 2012 01:30 GMT
#169
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

Thanks! 63 million years. I'm good XD
Edit: bank acc is good against 38 septillion years worth of a desktop. Good to know. Thing is, how much time would 5 servers crunching in tandem save?
If you think Elon Musk is a Nazi, it is because YOU radicalized him!
MVega
Profile Joined November 2010
763 Posts
August 10 2012 01:32 GMT
#170
On August 10 2012 10:27 Psychonian wrote:
ffs

God damn it blizzard there is no end of problems with your sites.


I think in the last 10~ years of playing Blizzard games the only issues I had with their out of game stuff was this, which I understand happening as it's happened to several larger corporations in the last couple years, and battle.net emails would get lost routinely several years back. Their website is down for maintenance a lot, but that's not usually problematic. Sometimes they have what feels like excessive downtime on the games. What problems with their sites are you running into? O.o
bumkin: How can you play like 50 games per day... I 4gate 2 times then it's nap time
Bayyne
Profile Joined January 2011
United States1967 Posts
August 10 2012 01:34 GMT
#171
OT but shit that website boosted my password strength morale big time. 147 quadrillion years!

I did also change my password as soon as I heard about this incident as there really is no pressing reason not to.
Remember not only to say the right thing in the right place, but far more difficult still, to leave unsaid the wrong thing at the tempting moment.
oxxo
Profile Joined February 2010
988 Posts
August 10 2012 01:34 GMT
#172
On August 10 2012 10:08 JJH777 wrote:
Lol I'm glad this happened after all the blind fanboys were saying THERE WAS ABSOLUTELY NO WAY the huge amount of D3 accounts getting hacked was a problem on blizzard's end.


Did you even read the announcement? This has nothing to do with the D3 accounts. They got encrypted passwords. Not only that, there's no way for the hackers to know who had D3 or not. They couldn't pick and choose D3 accounts with this stolen information.

Only D3 accounts start getting stolen right after release? Far more likely that people are clicking stuff they shouldn't be.
ggrrg
Profile Blog Joined September 2009
Bulgaria2716 Posts
August 10 2012 01:34 GMT
#173
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... good luck with that.


I feel like you're somewhat overdoing it ^^ Do you really feel like typing 29 characters just to enter bnet?
According to that website my bnet password is crackable in 19 seconds... I use this password for most stuff I don't care about. But my "secure" password feels somewhat weak, too. 345k years for a regular desktop... I guess it's time to add a number and a special character.
Alakaslam
Profile Blog Joined September 2011
United States17336 Posts
Last Edited: 2012-08-10 01:48:19
August 10 2012 01:45 GMT
#174
On August 10 2012 10:34 ggrrg wrote:
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... good luck with that.


I feel like you're somewhat overdoing it ^^ Do you really feel like typing 29 characters just to enter bnet?
According to that website my bnet password is crackable in 19 seconds... I use this password for most stuff I don't care about. But my "secure" password feels somewhat weak, too. 345k years for a regular desktop... I guess it's time to add a number and a special character.

Pick a random year. There's four numbers. Then sum up what that year is to you in a few words. Example: 1972lotof$$GAS would take 2 billion.

Granted mine is 25+ characters but that's my bank acc! Sc2 is still over 16 though.
If you think Elon Musk is a Nazi, it is because YOU radicalized him!
ulan-bat
Profile Blog Joined August 2011
China403 Posts
Last Edited: 2012-08-10 01:48:59
August 10 2012 01:48 GMT
#175
On August 10 2012 10:34 ggrrg wrote:
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... good luck with that.


I feel like you're somewhat overdoing it ^^ Do you really feel like typing 29 characters just to enter bnet?
According to that website my bnet password is crackable in 19 seconds... I use this password for most stuff I don't care about. But my "secure" password feels somewhat weak, too. 345k years for a regular desktop... I guess it's time to add a number and a special character.

Please just don't use the same password on every site, that's it. Even if your password takes trillions of years to decipher, things like key-loggers or someone behind you at a cafe or any other means of getting your ULTIMATE PASSWORD would just wreck your world.
At least use "base password+last letters of the site's url", or something.
"Short games, shorts, summer weather, those things bring the heat!" - EG.iNcontroL
robjapan
Profile Joined April 2011
Japan104 Posts
August 10 2012 01:50 GMT
#176
I'd love to change my password.... only one problem!!

The whole of Japan cannot access battle.net
Cheese is only cheese when you lose, when you win it's a valid tactic
Ganondorf
Profile Joined April 2010
Italy600 Posts
August 10 2012 01:53 GMT
#177
Was about to type my password on that site that measures how safe it is, but if I type it on such a random site, doesn't it make it much less safe? :D

Unless there's a hack to send password hashes directly, they will crack the simplest and most common passwords. Instead of decrypting the hashes, they will encrypt a vocabulary of the most commonly used passwords and find the ones with the same hash. So, if your password wasn't secure, there's a good chance it's compromised.

I'm in Europe so according to Blizzard nothing from there was compromised except emails (still bad if i'll get phishing emails now).
entropius
Profile Joined June 2010
United States1046 Posts
August 10 2012 01:57 GMT
#178
On August 10 2012 10:53 Ganondorf wrote:
Was about to type my password on that site that measures how safe it is, but if I type it on such a random site, doesn't it make it much less safe? :D

Unless there's a hack to send password hashes directly, they will crack the simplest and most common passwords. Instead of decrypting the hashes, they will encrypt a vocabulary of the most commonly used passwords and find the ones with the same hash. So, if your password wasn't secure, there's a good chance it's compromised.

I'm in Europe so according to Blizzard nothing from there was compromised except emails (still bad if i'll get phishing emails now).


That site just downloads JavaScript code to your computer that does the math on your end; your password's never transmitted across the network.
Sir.Kimmel
Profile Blog Joined May 2006
United States785 Posts
August 10 2012 01:58 GMT
#179
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... good luck with that.



This takes into account a basic desktop server..... which can do roughly I think 25k passwords a second with standard bruteforcing it really depends... while our system at work using 4 gpus (mmm cuda) can do 1.7 billion a second... there are custom password cracking machines such as Reliks which does 25 billion a second http://www.hackingtheuniverse.com/infosec/tools/gpu-password-cracking


Now... yes brute forcing takes forever, and it's not the most effective, the most effective way is to use rainbow tables... so a standard 8-14 character password can be cracked relatively quickly usually between 5-10 minutes...

so while these websites are nice and give decent ideas.. the numbers are completely wrong...

but remember .. when creating passwords.. complexity is important but the most important aspect of creating a password is length...


the difference between 14 characters and 18 characters is exponential... (30 minutes to 3 months)...

I always recommend using a passphrase... something simple like H! my name is Johny Mc Johnson and I am 24 years old


simple to remember... hardddddd to crack unless you have a specifically tuned list

Lets throw in Canada into the mix and we can rename our country to Camerico. --Klogon
sapht
Profile Blog Joined August 2010
Sweden141 Posts
August 10 2012 01:59 GMT
#180
On August 10 2012 10:53 Ganondorf wrote:
Unless there's a hack to send password hashes directly, they will crack the simplest and most common passwords. Instead of decrypting the hashes, they will encrypt a vocabulary of the most commonly used passwords and find the ones with the same hash. So, if your password wasn't secure, there's a good chance it's compromised.


Not if there's a salt, which there should be, considering that they actually thought about password security and didn't store them in plaintext. Assuming the salt wasn't compromised.

I kinda expected this to happen so I used a unique password for bnet. 1 point for me.
You can use control groups to train units without even looking at your base.
Sir.Kimmel
Profile Blog Joined May 2006
United States785 Posts
August 10 2012 02:00 GMT
#181
On August 10 2012 10:45 Jrocker152 wrote:
On August 10 2012 10:34 ggrrg wrote:
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... good luck with that.


I feel like you're somewhat overdoing it ^^ Do you really feel like typing 29 characters just to enter bnet?
According to that website my bnet password is crackable in 19 seconds... I use this password for most stuff I don't care about. But my "secure" password feels somewhat weak, too. 345k years for a regular desktop... I guess it's time to add a number and a special character.

Pick a random year. There's four numbers. Then sum up what that year is to you in a few words. Example: 1972lotof$$GAS would take 2 billion.

Granted mine is 25+ characters but that's my bank acc! Sc2 is still over 16 though.



just for the record.. a recent client has something a lot like this their DoB then some standard text and "1337" speak.. it was 2 characters longer and we popped that sucker soooo fast


my truecrypt password for my work system is 34 characters, my keepass password is 44 and all my accounts are stored in there... random passwords generated with the max length I can use on the website...
Lets throw in Canada into the mix and we can rename our country to Camerico. --Klogon
MxGStreamA
Profile Joined March 2012
35 Posts
August 10 2012 02:02 GMT
#182
On August 10 2012 08:24 R1CH wrote:
On August 10 2012 08:19 MxGStreamA wrote:
I was hit by this, someone hacked the account, changed the password, played some ladder games.

Unrelated, you probably had a bad / shared password beforehand. A hacking group advanced enough to break into Blizzard's network isn't really after your SC2 ladder rank.


You are wrong, I do not share my account. He was giving my password to everyone.
Shenghi
Profile Joined August 2010
167 Posts
Last Edited: 2012-08-10 02:13:16
August 10 2012 02:12 GMT
#183
On August 10 2012 11:00 Sir.Kimmel wrote:
On August 10 2012 10:45 Jrocker152 wrote:
On August 10 2012 10:34 ggrrg wrote:
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... good luck with that.


I feel like you're somewhat overdoing it ^^ Do you really feel like typing 29 characters just to enter bnet?
According to that website my bnet password is crackable in 19 seconds... I use this password for most stuff I don't care about. But my "secure" password feels somewhat weak, too. 345k years for a regular desktop... I guess it's time to add a number and a special character.

Pick a random year. There's four numbers. Then sum up what that year is to you in a few words. Example: 1972lotof$$GAS would take 2 billion.

Granted mine is 25+ characters but that's my bank acc! Sc2 is still over 16 though.



just for the record.. a recent client has something a lot like this their DoB then some standard text and "1337" speak.. it was 2 characters longer and we popped that sucker soooo fast


my truecrypt password for my work system is NN characters, my keepass password is MM and all my accounts are stored in there... random passwords generated with the max length I can use on the website...

I do hope you made those numbers up, as the length of a password being unknown is a huge part of its strength.
People are not born stupid, they choose to be stupid. If you made that choice, please change your mind.
Nosferatos
Profile Joined April 2010
Norway783 Posts
August 10 2012 02:13 GMT
#184
I've been e-mailed by a "fake" blizzard e-mail account since the 25th of last month, with new mails every 3rd day since, asking me to give up personal/account info because I'm trying to "Sell my Diablo 3 Account". I venture to guess that the breach must have happened around the 25th of July; if so the detection time was pretty slow....
"Show me the Raven" ~ HMS turns into a mini-nuke, going twice as fast and doing 250 damage over a large area.
ulan-bat
Profile Blog Joined August 2011
China403 Posts
August 10 2012 02:14 GMT
#185
On August 10 2012 11:02 MxGStreamA wrote:
On August 10 2012 08:24 R1CH wrote:
On August 10 2012 08:19 MxGStreamA wrote:
I was hit by this, someone hacked the account, changed the password, played some ladder games.

Unrelated, you probably had a bad / shared password beforehand. A hacking group advanced enough to break into Blizzard's network isn't really after your SC2 ladder rank.


You are wrong, I do not share my account. He was giving my password to everyone.

R1CH is right (OBVIOUSLY). But those email addresses may have traveled around in those 5 days since the attack.
Let's see...
"Short games, shorts, summer weather, those things bring the heat!" - EG.iNcontroL
Porcelina
Profile Blog Joined May 2011
United Kingdom3249 Posts
August 10 2012 02:22 GMT
#186
On August 10 2012 11:13 Nosferatos wrote:
I've been e-mailed by a "fake" blizzard e-mail account since the 25th of last month, with new mails every 3rd day since, asking me to give up personal/account info because I'm trying to "Sell my Diablo 3 Account". I venture to guess that the breach must have happened around the 25th of July; if so the detection time was pretty slow....


Personally I have had those e-mails since forever on multiple e-mail accounts, two of them not linked to any battle.net account. I do not think that this is a good way of judging when the breach actually occurred.
Assirra
Profile Joined August 2010
Belgium4169 Posts
August 10 2012 02:28 GMT
#187
On August 10 2012 11:13 Nosferatos wrote:
I've been e-mailed by a "fake" blizzard e-mail account since the 25th of last month, with new mails every 3rd day since, asking me to give up personal/account info because I'm trying to "Sell my Diablo 3 Account". I venture to guess that the breach must have happened around the 25th of July; if so the detection time was pretty slow....

That is just an age-old phishing scam, nothing to do with the current problem.
SigmaoctanusIV
Profile Blog Joined April 2010
United States3313 Posts
August 10 2012 02:28 GMT
#188
Oh noes someone might change my portrait and lose me some ladder games!!

In all seriousness Blizzard is pretty good about getting these things fixed.

Also, what about authenticators? Don't they pretty much make this point moot? Well, if you have one I guess.
I am Godzilla You are Japan
Nosferatos
Profile Joined April 2010
Norway783 Posts
August 10 2012 02:28 GMT
#189
On August 10 2012 11:22 Porcelina wrote:
On August 10 2012 11:13 Nosferatos wrote:
I've been e-mailed by a "fake" blizzard e-mail account since the 25th of last month, with new mails every 3rd day since, asking me to give up personal/account info because I'm trying to "Sell my Diablo 3 Account". I venture to guess that the breach must have happened around the 25th of July; if so the detection time was pretty slow....


Personally I have had those e-mails since forever on multiple e-mail accounts, two of them not linked to any battle.net account. I do not think that this is a good way of judging when the breach actually occurred.


True, but this is the first time in the 8 years I've had such an e-mail from a fake Blizzard, and then I get one just a week before the breach. Might be a coincidence or maybe it's more.
"Show me the Raven" ~ HMS turns into a mini-nuke, going twice as fast and doing 250 damage over a large area.
Sinensis
Profile Blog Joined April 2009
United States2513 Posts
August 10 2012 02:30 GMT
#190
People should learn to use passphrases. Contrary to popular belief having numbers and symbols in your password does not make it more difficult to crack. Adding length to your password is the only way to make it more secure.

some examples:

"MyDearAuntSally"
"Youmustconstructadditionalpylons"
"Youhavenotenoughminerals"
Medrea
Profile Joined May 2011
10003 Posts
Last Edited: 2012-08-10 02:36:38
August 10 2012 02:31 GMT
#191
On August 10 2012 11:28 Nosferatos wrote:
On August 10 2012 11:22 Porcelina wrote:
On August 10 2012 11:13 Nosferatos wrote:
I've been e-mailed by a "fake" blizzard e-mail account since the 25th of last month, with new mails every 3rd day since, asking me to give up personal/account info because I'm trying to "Sell my Diablo 3 Account". I venture to guess that the breach must have happened around the 25th of July; if so the detection time was pretty slow....


Personally I have had those e-mails since forever on multiple e-mail accounts, two of them not linked to any battle.net account. I do not think that this is a good way of judging when the breach actually occurred.


True, but this is the first time in the 8 years I've had such an e-mail from a fake Blizzard, and then I get one just a week before the breach. Might be a coincidence or maybe it's more.


If they hacked Blizzard to send out emails they would NOT use a fake email they would use the real one -.-
twitch.tv/medrea
xevis
Profile Joined September 2010
United States218 Posts
August 10 2012 02:31 GMT
#192
Most of those phishing scams are coming from old or current guilds you applied for.
How can you have any pudding if you don't eat your meat?
NeMeSiS3
Profile Blog Joined February 2012
Canada2972 Posts
August 10 2012 02:32 GMT
#193
On August 10 2012 11:14 ulan-bat wrote:
On August 10 2012 11:02 MxGStreamA wrote:
On August 10 2012 08:24 R1CH wrote:
On August 10 2012 08:19 MxGStreamA wrote:
I was hit by this, someone hacked the account, changed the password, played some ladder games.

Unrelated, you probably had a bad / shared password beforehand. A hacking group advanced enough to break into Blizzard's network isn't really after your SC2 ladder rank.


You are wrong, I do not share my account. He was giving my password to everyone.

R1CH is right (OBVIOUSLY). But those email addresses may have traveled around in those 5 days since the attack.
Let's see...


Lol stop it R1CH, you're not saying the world revolves around him you silly silly man, of COURSE they're after his ladder rank/account ^^.
FoTG fighting!
Barbiero
Profile Blog Joined September 2010
Brazil5259 Posts
August 10 2012 02:34 GMT
#194
On August 10 2012 11:28 SigmaoctanusIV wrote:
Oh noes someone might change my portrait and lose me some ladder games!!

In all seriousness Blizzard is pretty good about getting these things fixed.

Also, what about authenticators? Don't they pretty much make this point moot? Well, if you have one I guess.


It's pretty huge if authenticators have been compromised(according to blizzard), especially for some players with highly valuable WoW accounts(with legendary items, achievements, titles, mounts, pets...).

I'm just waiting for the update on my cellphone
♥ The world needs more hearts! ♥
Nosferatos
Profile Joined April 2010
Norway783 Posts
Last Edited: 2012-08-10 02:35:51
August 10 2012 02:34 GMT
#195
On August 10 2012 11:31 Medrea wrote:
On August 10 2012 11:28 Nosferatos wrote:
On August 10 2012 11:22 Porcelina wrote:
On August 10 2012 11:13 Nosferatos wrote:
I've been e-mailed by a "fake" blizzard e-mail account since the 25th of last month, with new mails every 3rd day since, asking me to give up personal/account info because I'm trying to "Sell my Diablo 3 Account". I venture to guess that the breach must have happened around the 25th of July; if so the detection time was pretty slow....


Personally I have had those e-mails since forever on multiple e-mail accounts, two of them not linked to any battle.net account. I do not think that this is a good way of judging when the breach actually occurred.


True, but this is the first time in the 8 years I've had such an e-mail from a fake Blizzard, and then I get one just a week before the breach. Might be a coincidence or maybe it's more.


If they hacked Blizzard to send out emails they would use a fake email they would use the real one -.-


Oh, it looks real and all, but one of the links in the e-mail goes to a fake "blizzard" account site; the rest looks "real" enough to fool an "ignorant" person.
"Show me the Raven" ~ HMS turns into a mini-nuke, going twice as fast and doing 250 damage over a large area.
Medrea
Profile Joined May 2011
10003 Posts
August 10 2012 02:38 GMT
#196
On August 10 2012 11:34 Nosferatos wrote:
On August 10 2012 11:31 Medrea wrote:
On August 10 2012 11:28 Nosferatos wrote:
On August 10 2012 11:22 Porcelina wrote:
On August 10 2012 11:13 Nosferatos wrote:
I've been e-mailed by a "fake" blizzard e-mail account since the 25th of last month, with new mails every 3rd day since, asking me to give up personal/account info because I'm trying to "Sell my Diablo 3 Account". I venture to guess that the breach must have happened around the 25th of July; if so the detection time was pretty slow....


Personally I have had those e-mails since forever on multiple e-mail accounts, two of them not linked to any battle.net account. I do not think that this is a good way of judging when the breach actually occurred.


True, but this is the first time in the 8 years I've had such an e-mail from a fake Blizzard, and then I get one just a week before the breach. Might be a coincidence or maybe it's more.


If they hacked Blizzard to send out emails they would use a fake email they would use the real one -.-


Oh, it looks real and all, but one of the links in the e-mail goes to a fake "blizzard" account site; the rest looks "real" enough to fool an "ignorant" person.


I forgot a NOT in there.

If they compromised the site why would they use fake anything? They have the site lol.

Phishing has been going on forever, this is entirely unrelated. The only relation is that now you'll get more phishing emails trying to phish people changing their passwords because of what happened.
twitch.tv/medrea
xrapture
Profile Blog Joined December 2011
United States1644 Posts
August 10 2012 02:39 GMT
#197
On August 10 2012 10:12 AnachronisticAnarchy wrote:
On August 10 2012 09:33 Serpico wrote:
On August 10 2012 09:31 xrapture wrote:
My email:

Decado@writing.com


Password:

teehee12



Do whatever the fuck you want.

So many pussies crying over nothing.

This guy is super tough. What a tough guy.


Also stupid, unless he doesn't want to play SC2 anymore. He probably forgot that we can do more than just bomb his MMR, such as changing his password and information.


Someone did change the password and it took me less than a minute to recover it....
Everyone is either delusional, a nihilist, or dead from suicide.
DodgySmalls
Profile Joined June 2012
Canada158 Posts
August 10 2012 02:43 GMT
#198
fuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu

I used one of my best and probably my most commonly used password for relevant things like e-mail and maybe even paypal.
Extremely irritating that I will need to switch all these passwords, but can't really blame blizzard, these things happen to everyone eventually.

Good thing this was posted on TL or I probably wouldn't have noticed it.
Please remove nyx assassin
Burns
Profile Blog Joined December 2010
United States2300 Posts
August 10 2012 02:45 GMT
#199
wow someone must be fucking mad at blizzard
What do you mean you heard me during the night, these are quiet pants!
JJH777
Profile Joined January 2011
United States4408 Posts
August 10 2012 02:47 GMT
#200
On August 10 2012 10:34 oxxo wrote:
On August 10 2012 10:08 JJH777 wrote:
Lol I'm glad this happened after all the blind fanboys were saying THERE WAS ABSOLUTELY NO WAY the huge amount of D3 accounts getting hacked was a problem on blizzard's end.


Did you even read the announcement? This has nothing to do with the D3 accounts. They got encrypted passwords. Not only that, there's no way for the hackers to know who had D3 or not. They couldn't pick and choose D3 accounts with this stolen information.

Only D3 accounts start getting stolen right after release? Far more likely that people are clicking stuff they shouldn't be.


All blizzard accounts are linked. My point was that if it happened now it could have happened before.
YungLee
Profile Joined February 2011
29 Posts
August 10 2012 02:55 GMT
#201
the automated process
EvanED
Profile Joined October 2009
United States111 Posts
Last Edited: 2012-08-10 03:08:47
August 10 2012 03:03 GMT
#202
On August 10 2012 10:30 Wuster wrote:
1 business week isn't all that long. What they said is pretty reasonable at face value.

After all, the PSN mess was exacerbated by them claiming that no personal data was lost, then no financial data was lost, then 'actually they got everything'. That's not just bad PR, it also prevents customers from actually doing anything about the security breach in a timely manner

So does not saying anything for a week...

On August 10 2012 10:58 Sir.Kimmel wrote:
This takes into account a basic desktop server..... which can do roughly I think 25k passwords a second with standard bruteforcing it really depends... while our system at work using 4 gpus (mmm cuda) can do 1.7 billion a second... there are custom password cracking machines such as Reliks which does 25 billion a second http://www.hackingtheuniverse.com/infosec/tools/gpu-password-cracking

Their time numbers are based off of 4 billion passwords/sec.

On August 10 2012 11:30 Sinensis wrote:
People should learn to use passphrases. Contrary to popular belief having numbers and symbols in your password does not make it more difficult to crack. Adding length to your password is the only way to make it more secure.

That's not true! It's barely even partly true.

Common substitutions like "1" for "l" and "0" for "o" don't add nearly as much security as you might think, nor do non-alphanumeric characters stuck at the beginning or end of your passwords. However, "not adding as much as you think" is still adding some, and better application of symbols can add quite a bit of extra strength without adding length.

(Now, that said... I have pass "phrases" (somewhere between a phrase and an XKCD-style "correct horse battery staple" collection of unrelated words) that I use for a couple of my higher-value accounts. (That is, those that I don't use "hunter2" on. :-)) So I'm not dissing the idea -- in fact, I'd recommend it. Though I'd go for a much less common phrase than any of your examples.)
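To make the numbers in the posts above concrete, here is a small added model of how such estimates come about. This is my own example, not code from the thread, from Blizzard or from the strength-checker site. It computes the worst-case brute-force figure from character set and length at the 4 billion guesses/second rate EvanED cites (#202), the same figure for a passphrase drawn from a public word list, and a check for whether a password is really just a dictionary word or well-known phrase with leetspeak substitutions and digits or symbols bolted onto either end, which is what Sir.Kimmel's "specifically tuned list" (#179) and EvanED's point about substitutions amount to. The tiny wordlist, the 7776-word Diceware list size and the substitution entries other than "1"/"0" are assumptions made for the demo.

```python
import re
import string

# Guess rate the thread attributes to the strength checker (EvanED, #202):
# roughly 4 billion guesses per second.
GUESSES_PER_SECOND = 4_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed, deliberately tiny wordlist standing in for a cracker's tuned
# dictionary; real lists hold millions of words and phrases.
WORDLIST = {
    "password", "hunter", "dragon", "letmein",
    "youmustconstructadditionalpylons", "youhavenotenoughminerals",
}

# Assumed leetspeak mapping: '1'->'l' and '0'->'o' come from the thread, the
# other three are common rules in mangling engines (assumption).
LEET = str.maketrans({"1": "l", "0": "o", "3": "e", "@": "a", "$": "s"})


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password.
    Brute-force estimators assume the attacker knows which classes are used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in password:
        size += 1
    return size


def brute_force_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case exhaustive search: charset_size ** length guesses at rate/s."""
    return charset_size(password) ** len(password) / rate


def brute_force_years(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Same figure in years; this is the kind of number a strength meter shows."""
    return brute_force_seconds(password, rate) / SECONDS_PER_YEAR


def passphrase_years(n_words: int, dictionary_size: int = 7776,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Search time when the attacker knows the phrase is n_words drawn from a
    public list of dictionary_size words (7776 = a Diceware list, assumed)."""
    return dictionary_size ** n_words / rate / SECONDS_PER_YEAR


def mangled_dictionary_match(password: str, wordlist=WORDLIST):
    """Return the base word if the password is a list entry with leetspeak
    substitutions and/or digits and symbols added at either end, i.e. something
    a rule-based cracker reaches in a few mangling steps; else None."""
    base = password.translate(LEET).lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)  # strip leading/trailing non-letters
    base = base.replace(" ", "")
    return base if base in wordlist else None


def assess(password: str) -> dict:
    """Both views side by side: the optimistic brute-force figure and the
    dictionary base word a tuned list would find long before that."""
    return {
        "charset": charset_size(password),
        "brute_force_years": brute_force_years(password),
        "dictionary_base": mangled_dictionary_match(password),
    }


if __name__ == "__main__":
    for pw in ("hunter2", "P@ssw0rd!", "Youmustconstructadditionalpylons",
               "x" * 14, "x" * 18):
        print(pw, assess(pw))
    for n in (4, 5, 6):
        print(f"{n}-word passphrase from a 7776-word list: "
              f"{passphrase_years(n):.3g} years")
```

The brute-force figure is the optimistic one a meter reports; the dictionary match is the pessimistic one a cracker with a tuned list actually gets, which is why a 32-letter StarCraft quote can score astronomically and still fall in the first pass, while four or five random words from a public list hold up on their own merits. The 14-versus-18 lowercase comparison shows the "exponential" jump Sir.Kimmel describes: every extra lowercase character multiplies the search by 26.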
Deleted User 135096
Profile Blog Joined December 2010
3624 Posts
August 10 2012 03:19 GMT
#203
On August 10 2012 07:42 mataxp wrote:
As a PSN user, déjà vu

save for the whole unencrypted text file full of sensitive information...or am I not remembering that right?
Administrator
Azera
Profile Blog Joined December 2010
3800 Posts
August 10 2012 03:21 GMT
#204
Goddamit, I really don't want to change passwords just to stay safe...
Check out some great music made by TLers - http://bit.ly/QXYhdb , by intrigue. http://bit.ly/RTjpOR , by ohsea.toc.
TheEmulator
Profile Blog Joined July 2010
28090 Posts
August 10 2012 03:23 GMT
#205
This is so annoying. I have to spend 3 minutes changing my password.
Administrator
Ballistixz
Profile Joined January 2010
United States1269 Posts
August 10 2012 03:28 GMT
#206
this was bound to happen sooner or later. the sheer amount of ignorance and arrogance blizzard was posing with their security has finally backfired on them. the thousands of hacks D3 got during the first few weeks/months of D3's release was brushed aside by blizzard saying "lol get an authenticator." at times they act like they couldn't be breached just because of the fact that "we have never been breached before in all of blizzard's history".

maybe now blizz will finally step up their damn security instead of telling everyone and their mom to "get an authenticator and u will be 99.99% safe derp".
julianto
Profile Joined December 2010
2292 Posts
Last Edited: 2012-08-10 03:31:55
August 10 2012 03:28 GMT
#207
On August 10 2012 12:23 TheEmulator wrote:
This is so annoying. I have to spend 3 minutes changing my password.

I spent 30 minutes changing passwords and security questions connected in any way to my blizzard account. Now all I need to do is change my security questions for battlenet itself. Too bad there wasn't an option to change the security questions in the first place.

edit: I'd really like Blizzard's password character limit to be much, much higher.

On August 10 2012 11:13 Nosferatos wrote:
I've been e-mailed by a "fake" blizzard e-mail account since the 25th of last month, with new mails every 3rd day since, asking me to give up personal/account info because I'm trying to "Sell my Diablo 3 Account". I venture to guess that the breach must have happened around the 25th of July; if so the detection time was pretty slow....

If I was in your situation, I'd troll them back. Give them some derogatory message in the form of a password.
¯\_(ツ)_/¯
Zato-1
August 10 2012 03:32 GMT
#208
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

Salted hashes of passwords are still easy to crack if the password itself is common (read: if it can be found on a password dictionary that hackers use to brute force passwords), and Battle.net passwords are capped at 16 characters for some stupid reason, so I'd wager that a large percentage of these "cryptographically scrambled" versions of passwords can and will be cracked.

So as Probe said... change your passwords, yeah.
Go here http://vina.biobiochile.cl/ and input the Konami Code (up up down down left right left right B A)
Dodgin
August 10 2012 03:33 GMT
#209
On August 10 2012 12:28 Ballistixz wrote:
this was bound to happen sooner or later. the sheer amount of ignorance and arrogance blizzard was posing with their security has finally backfired on them. the thousands of hacks D3 got during the first few weeks/months of D3's release were brushed aside by blizzard saying "lol get an authenticator." at times they act like they couldn't be breached just because of the fact that "we have never been breached before in all of blizzard's history".

maybe now blizz will finally step up their damn security instead of telling everyone and their mom to "get an authenticator and u will be 99.99% safe derp".


Well, if you have an authenticator you would be safe even if they did get your password.
zhurai
August 10 2012 03:39 GMT
#210
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... good luck with that.

maybe if they try cracking it on one computer with a single core
Twitter: @zhurai | Site: http://zhurai.com
bakedace
August 10 2012 03:40 GMT
#211
On August 10 2012 12:28 Ballistixz wrote:
this was bound to happen sooner or later. the sheer amount of ignorance and arrogance blizzard was posing with their security has finally backfired on them. the thousands of hacks D3 got during the first few weeks/months of D3's release were brushed aside by blizzard saying "lol get an authenticator." at times they act like they couldn't be breached just because of the fact that "we have never been breached before in all of blizzard's history".

maybe now blizz will finally step up their damn security instead of telling everyone and their mom to "get an authenticator and u will be 99.99% safe derp".


Nothing is ever completely secure. Anything can be hacked. Using an authenticator is just common sense for anything you want to protect on the internet.
Aberu
Last Edited: 2012-08-10 03:49:25
August 10 2012 03:48 GMT
#212
On August 10 2012 07:42 mataxp wrote:
As a PSN user, dejá vu


Well not quite, Blizzard wasn't storing their passwords unencrypted.

I'm not panicking; my password would take over 63 million years to crack, apparently.
srsly
babysimba
August 10 2012 03:49 GMT
#213
It's not a big deal getting hacked if your bnet acct only has sc2, or you didn't invest too much into WoW/D3. There's nothing valuable in a sc2 acct. Just don't have your bnet password link to your more personal accounts, and you can easily recover it back.

All in all, I learn quite a few things about passwords in this thread though :D
Integra
Last Edited: 2012-08-10 03:56:20
August 10 2012 03:54 GMT
#214
On August 10 2012 10:34 ggrrg wrote:
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... good luck with that.


I feel like you're somewhat overdoing it ^^ Do you really feel like typing 29 characters just to enter bnet?
According to that website my bnet password is crackable in 19 seconds... I use this password for most stuff I don't care about. But my "secure" password feels somewhat weak, too. 345k years for a regular desktop... I guess it's time to add a number and a special character.

I'm an IT specialist, so it's a habit from work. My normal passwords (yes, I have a different password for each website and program I use) are usually around 50 letters. Not all websites can take those kinds of passwords though. And the time constraint is no problem for me since I'm a seasoned programmer; I type fairly fast. Hell, it happens that I even use programming code, like parts of functions, as my passwords. I think I used some newly developed PHP code I made for the simpleMachine forum as my password for my Twitter account, lol.
"Dark Pleasure" | | I survived the Locust war of May 3, 2014
Jedclark
August 10 2012 03:56 GMT
#215
It's a good day to live in Europe. Wonder who the hackers were, and what their purpose was once they got the information.
"They make it so scrubnubs can PM me. They make it so I can't ignore scrubnubs!" - "I'm gonna show you how great I am." MKP fan since GSL Open Season 2 #hipsternerd
Zato-1
August 10 2012 04:07 GMT
#216
On August 10 2012 12:39 zhurai wrote:
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... good luck with that.

maybe if they try cracking it on one computer with a single core

Actually, if you're serious about cracking a large number of passwords then you don't care so much about your processor, you'll get a high-end graphics card to do the brunt of the work because they have orders of magnitude more computing power for this purpose. Also, in its estimate, that site makes the rather huge (and probably incorrect) assumption that the programs hackers use will be sequentially trying completely random sequences of characters, when there are substantially more efficient ways to crack more than enough bad passwords to make it worth your while.
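To make the point in #208 and #216 concrete (a salt stops precomputed tables but not guessing, and real crackers generate candidates from a wordlist plus mangling rules rather than random strings), here is an added example that is not code from this thread or from Blizzard. The accounts, salts and wordlist are constructed for the demo; `fast_hash` stands in for a plain salted SHA-256 and `slow_hash` for a PBKDF2 scheme with a work factor, both assumptions of the demo rather than anything known about Battle.net.

```python
"""Dictionary attack against salted password hashes (standard library only).

Added example, not code from the forum thread or from Blizzard. The accounts,
salts, wordlist and mangling rules below are constructed for the demo.
"""
import hashlib
import os
import time


def fast_hash(salt: bytes, password: str) -> bytes:
    # One SHA-256 call per guess: as cheap for the attacker as for the defender.
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(salt: bytes, password: str, rounds: int = 2_000) -> bytes:
    # PBKDF2 with a work factor: every guess costs the attacker `rounds` HMAC calls.
    # The default is kept low so the demo finishes quickly; production uses far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def build_table(accounts: dict, hash_fn) -> dict:
    """Constructed 'leaked' table: user -> (salt, hash), one random salt per user."""
    table = {}
    for user, password in accounts.items():
        salt = os.urandom(16)
        table[user] = (salt, hash_fn(salt, password))
    return table


# A tiny base wordlist plus mangling rules (case variants, digit and symbol
# suffixes) stands in for the rule-based candidate generation real crackers use.
BASE_WORDS = ["password", "starcraft", "diablo", "zerg", "dragon", "letmein"]


def candidates(words=BASE_WORDS):
    for w in words:
        for form in (w, w.capitalize(), w.upper()):
            yield form
            for suffix in range(100):
                yield f"{form}{suffix}"
            for suffix in ("!", "1!", "123", "2012"):
                yield f"{form}{suffix}"


def crack(table: dict, hash_fn, wordlist=BASE_WORDS):
    """Return ({user: recovered_password}, number_of_hashes_computed).

    Because every salt differs, each candidate is hashed once per account: the
    salt defeats precomputed tables, but not guessing a password that is on the list.
    """
    recovered, guesses = {}, 0
    cands = list(candidates(wordlist))
    for user, (salt, target) in table.items():
        for pw in cands:
            guesses += 1
            if hash_fn(salt, pw) == target:
                recovered[user] = pw
                break
    return recovered, guesses


ACCOUNTS = {                      # constructed test accounts
    "alice": "starcraft2",        # wordlist word + digit
    "bob": "Diablo3",             # capitalised word + digit
    "carol": "letmein!",          # word + symbol
    "dave": "Xq7#vL9pRt2$wZ",     # random 14 characters: on no wordlist
}


def demo(hash_fn=fast_hash):
    """Build a table under `hash_fn` and attack it; returns crack()'s result."""
    return crack(build_table(ACCOUNTS, hash_fn), hash_fn)


if __name__ == "__main__":
    for name, fn in (("salted sha256", fast_hash), ("pbkdf2", slow_hash)):
        t0 = time.perf_counter()
        found, n = demo(fn)
        print(f"{name}: recovered {found} after {n} guesses "
              f"in {time.perf_counter() - t0:.2f}s")
```

Running it shows the three dictionary-derived passwords falling within a couple of thousand cheap hashes each while the random 14-character one survives the whole list. Switching to `slow_hash` recovers the same three, only slower: a work factor multiplies the attacker's cost per guess, it does not rescue a guessable password, and a GPU rig shrinks that cost by orders of magnitude for any scheme that is cheap to evaluate.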
EvanED
August 10 2012 04:07 GMT
#217
The good part of this is it finally kicked me to go fix my password situation a bit. I was using the same password on Battle.Net as a few other, moderate-importance sites, including my Google account. So I went through and fixed those and now they have different and stronger passwords.

And that password strength site says that my new Google password will take 97,807,199,722,288,020,000,000,000,000,000,000,000,000,000 (97 tredecillion) years to crack :-).

On the downside, I also figured I'd bump up the length on the password for my bank, and... it has a max length of 10 characters. That just boggles my mind, especially because otherwise they're really quite good and have a pretty sophisticated and nice web banking setup.
Pucca
August 10 2012 04:10 GMT
#218
I really hope they did not get access to my cards on my account I hate when I read these things it always make me anxious!
Master Chief
MVega
August 10 2012 04:11 GMT
#219
To the people speculating whether the phishing emails are related to the breach, or wondering if when you first received such an email was the start of the "breach": No. If that were the case the breach occurred back in 2005. That's when WoW players started getting spammed with those emails. So no. That's just pretty standard phishing stuff that's not related. They seem to send those out at random. I know people that get those and don't even have WoW or Diablo accounts or even Battle.net accounts.
bumkin: How can you play like 50 games per day... I 4gate 2 times then it's nap time
sudosu
Last Edited: 2012-08-10 14:23:46
August 10 2012 04:12 GMT
#220
"cryptographically scrambled versions"
"each password would have to be deciphered individually"

And why the hell are the passwords ciphered and not hashed? There is absolutely no reason to store ciphered passwords because there is even less reason to decipher a password.

Anyway Blizzard seems to have reacted in a good and quick way, that's nice.
zhurai
August 10 2012 04:13 GMT
#221
On August 10 2012 13:07 Zato-1 wrote:
On August 10 2012 12:39 zhurai wrote:
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... good luck with that.

maybe if they try cracking it on one computer with a single core

Actually, if you're serious about cracking a large number of passwords then you don't care so much about your processor, you'll get a high-end graphics card to do the brunt of the work because they have orders of magnitude more computing power for this purpose. Also, in its estimate, that site makes the rather huge (and probably incorrect) assumption that the programs hackers use will be sequentially trying completely random sequences of characters, when there are substantially more efficient ways to crack more than enough bad passwords to make it worth your while.

I know. I'm just saying that site is unrealistic; it's probably simulating a computer that can only work on one thing at a time rather than, e.g., multithreaded cracking, using dictionary tables, etc.

(read: sarcasm)
sudosu
August 10 2012 04:32 GMT
#222
On August 10 2012 13:13 zhurai wrote:
On August 10 2012 13:07 Zato-1 wrote:
On August 10 2012 12:39 zhurai wrote:
On August 10 2012 10:16 Integra wrote:
On August 10 2012 09:11 Corrosive wrote:
Stuff like this happens often to companies like this. As long as blizzard didn't store everything in plaintext like Sony did, everything should be fine.

If you want to see how long it would take your password to be cracked check this out
http://howsecureismypassword.net/

according to this website it will take them 40 undecillion years or in numbers: 40,464,702,078,891,060,000,000,000,000,000,000,000 years to crack my password... good luck with that.

maybe if they try cracking it on one computer with a single core

Actually, if you're serious about cracking a large number of passwords then you don't care so much about your processor, you'll get a high-end graphics card to do the brunt of the work because they have orders of magnitude more computing power for this purpose. Also, in its estimate, that site makes the rather huge (and probably incorrect) assumption that the programs hackers use will be sequentially trying completely random sequences of characters, when there are substantially more efficient ways to crack more than enough bad passwords to make it worth your while.

I know. I'm just saying that site is unrealistic which probably is a simulating a computer that can only work on one thing at a time rather than e.g. multithreading cracking, using dictionary tables, etc.

(read: sarcasm)



Actually the Chinese with their supercomputer may be able to break his password in a few months xD (can't remember how many 16-core units they have).
Droom
Last Edited: 2012-08-10 04:38:25
August 10 2012 04:37 GMT
#223
So now I know why " FedExe delivery failure" and "Penis Enlargment" got through my spam.

Edit: Changing password now
Clazziquai10
August 10 2012 04:41 GMT
#224
And blizzard screws up again. How surprising.
Chargelot
Last Edited: 2012-08-10 04:52:50
August 10 2012 04:52 GMT
#225
On August 10 2012 13:41 Clazziquai10 wrote:
And blizzard screws up again. How surprising.

No. You're wrong. When you're a multibillion dollar corporation which operates with user information online, there are people constantly targeting you.

Bank vaults can be opened.
Safes can be cracked.
Door knobs can be picked.
Email passwords can be stolen.

So long as locks continue to have the singular flaw of allowing authorized users to bypass their security nothing which is kept behind locked doors will ever be completely safe. Imagine the number of attempts they have halted. Imagine how many times people have tried to access this data. Considering the frequency of their success, I would say Blizzard is doing a damned good job.
if (post == "stupid") { document.getElementById('post').style.display = 'none'; }
Parcelleus
August 10 2012 04:55 GMT
#226
Thanks for the speedy heads-up BliZZ.

Password changed.
*burp*
zhurai
August 10 2012 04:58 GMT
#227
On August 10 2012 13:52 Chargelot wrote:
On August 10 2012 13:41 Clazziquai10 wrote:
And blizzard screws up again. How surprising.

No. You're wrong. When you're a multibillion dollar corporation which operates with user information online, there are people constantly targeting you.

Bank vaults can be opened.
Safes can be cracked.
Door knobs can be picked.
Email passwords can be stolen.

So long as locks continue to have the singular flaw of allowing authorized users to bypass their security nothing which is kept behind locked doors will ever be completely safe. Imagine the number of attempts they have halted. Imagine how many times people have tried to access this data. Considering the frequency of their success, I would say Blizzard is doing a damned good job.

regarding security. never assume you're 100% safe.
bokchoi
August 10 2012 05:02 GMT
#228
Good thing I never had any credit card information associated with my US battle.net account.
Greggle
August 10 2012 05:03 GMT
#229
On August 10 2012 13:41 Clazziquai10 wrote:
And blizzard screws up again. How surprising.

In the past few years this has happened to far bigger names and with far worse outcomes. Nobody is safe from this.
Life is too short to take it seriously.
SwiftSpear
August 10 2012 05:09 GMT
#230
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

Cryptographically scrambled passwords aren't unbreakable, it just takes too much computational effort to unscramble the entire database. Cherry picked accounts can still easily be unscrambled.

It effectively means they have your password if they're willing to devote effort to acquiring it. If there are other places of significance where you use the same password and your identity is traceable through your account data, change those passwords as well.

So if you use your blizzard password as your bank password, and your email is basically your real name, change that shit.
fer
August 10 2012 05:11 GMT
#231
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")


Yes, trust math
WellPlayed.org <3
Shield
August 10 2012 05:11 GMT
#232
Oh god... I know Blizzard are lazy, but now not secure enough...? -.-
Prophanity
August 10 2012 05:27 GMT
#233
On August 10 2012 14:11 darkness wrote:
Oh god... I know Blizzard are lazy, but now not secure enough...? -.-


People can break into government agencies and you think it surprising that a videogame manufacturer isn't foolproof?

Welcome to the internet - nothing is ever truly safe.
Firenza
August 10 2012 05:29 GMT
#234
This thread has been really insightful. Thanks to all the folks dropping some real security knowledge.

Good advice for sex and passwords: Don't fool around with ridiculous characters. Hash makes it better. Size matters.
Xapti
August 10 2012 05:32 GMT
#235
I felt like Battle.net e-mails were leaked long before this. I kinda doubt it's a coincidence when I start getting blizzard-game-related spam mail a while after using the e-mail for a battle.net account.
"Then he told me to tell you that he wouldn't piss on you if you were on fire" — "Well, you tell him that I said that I wouldn't piss on him if he was on Jeopardy!"
EvanED
Last Edited: 2012-08-10 05:39:03
August 10 2012 05:37 GMT
#236
On August 10 2012 13:12 sudosu wrote:
"cryptographically scrambled versions"
"each password would have to be deciphered individually"

And why the hell are the passwords ciphered and not hashed?

I'd guess that's what Blizzard actually does, and their webpage has simplified the description so that people who haven't gone through a CS undergrad know what it means. :-) (OK, that's a bit of an exaggeration, but I still think it's mostly true.)

Besides, the first quote is perfectly applicable to the hashing scenario anyway (and in fact the weird wording of the first quote just makes me more sure of my guess).

There is absolutely no reason to store ciphered passwords because there is even less reason to decipher a password.

(The following isn't really meant to say you're wrong per se -- and definitely not in this scenario -- just to add some additional information that the above isn't some inviolable rule.)

So it's pretty inapplicable to the WWW scenario, but by my understanding there is actually one reason that storing passwords in encrypted (and not hashed) form is a fairly legitimate tactic: it allows mutual authentication without a trusted third-party.

Alice wants to talk to Bob, so Alice picks a random secret key to use in future messages (the "session key") and encrypts that key with her password, and forwards it off to Bob, along with "I'm Alice!" in plaintext. Bob looks up Alice's password (decrypting it if necessary), uses that to decrypt the session key. Now both Alice and Bob know the session key, and no one else can subject to the strength of Alice's password. They can then handshake to make sure they have the same session key -- if they do, then mutual authentication is successful. Mallory can't mimic Alice because he can't encrypt the session key without Alice's password, nor can he mimic Bob because he can't decrypt it for the same reason.

My understanding (though this is weak and stuff I learned quite a long time ago, so I could be wrong) is that this idea is behind Kerberos. Kerberos adds a bunch of additional layers (and protections against other attacks like replays), and calls the "password" the "password hash" -- but it's basically how it works. (What I mean by that password vs. password hash comment is that everything you need to do to authenticate yourself in Kerberos -- if I'm right -- you can do with the password hash. The extra hash step basically provides no protection except that an attacker would have a hard time reversing it to the actual input from the user to try to apply to other sites.)

(SSL gets around this by having "trusted" third parties -- e.g. Verisign -- attest to the identity of one of the parties via its public key.)

(I'd appreciate any comments about how much of what I say here is correct. :-))
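The Alice/Bob exchange described above, as an added example that is not the poster's code and not Kerberos itself. Bob stores a PBKDF2-derived key per user in place of the "encrypted password"; because the standard library has no AES, the cipher that wraps the session key is a stand-in built from HMAC-SHA256 (a keystream plus an encrypt-then-MAC tag), which is an assumption of this demo and not something the thread describes. The user names, message labels and Bob's user database are constructed.

```python
"""Password-keyed mutual authentication with no third party (standard library only).

Added example: not the forum poster's code and not Kerberos. Bob keeps a
PBKDF2-derived key per user; the session key is wrapped with an HMAC-based
stand-in cipher (keystream + encrypt-then-MAC tag) since stdlib has no AES.
"""
import hashlib
import hmac
import os
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def derive_password_key(password: str, salt: bytes) -> bytes:
    """What Bob stores per user. Anyone holding this value can run the protocol as the user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for a real cipher, assumption of this demo.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def _proof(session_key: bytes, label: bytes, transcript: bytes) -> bytes:
    return hmac.new(session_key, label + transcript, hashlib.sha256).digest()


# --- the exchange ---------------------------------------------------------

def alice_hello(user: str, password_key: bytes):
    """Message 1: "I'm Alice" plus a fresh session key wrapped under her password key."""
    session_key = secrets.token_bytes(32)
    return session_key, {"id": user, "blob": encrypt(password_key, session_key)}


def bob_respond(store: dict, msg1: dict):
    """Message 2: Bob unwraps the session key with the stored key and proves he has it."""
    _salt, password_key = store[msg1["id"]]
    session_key = decrypt(password_key, msg1["blob"])   # raises on the wrong key
    return session_key, _proof(session_key, b"bob->alice", msg1["blob"])


def alice_finish(session_key: bytes, msg1: dict, msg2: bytes) -> bytes:
    """Message 3: Alice checks Bob's proof (only the real Bob could decrypt) and answers."""
    if not hmac.compare_digest(msg2, _proof(session_key, b"bob->alice", msg1["blob"])):
        raise ValueError("peer does not know the session key: not Bob")
    return _proof(session_key, b"alice->bob", msg2)


def bob_finish(session_key: bytes, msg2: bytes, msg3: bytes) -> bool:
    return hmac.compare_digest(msg3, _proof(session_key, b"alice->bob", msg2))


def enrol(store: dict, user: str, password: str) -> bytes:
    salt = os.urandom(16)
    store[user] = (salt, derive_password_key(password, salt))
    return salt


def run(store: dict, user: str, password_key: bytes) -> bool:
    """Drive one full exchange; True on mutual authentication, False otherwise."""
    try:
        sk_a, msg1 = alice_hello(user, password_key)
        sk_b, msg2 = bob_respond(store, msg1)
        msg3 = alice_finish(sk_a, msg1, msg2)
        return bob_finish(sk_b, msg2, msg3) and sk_a == sk_b
    except ValueError:
        return False


if __name__ == "__main__":
    store = {}                                   # constructed: Bob's user database
    salt = enrol(store, "Alice", "correct horse")
    print("Alice, right password   :", run(store, "Alice", derive_password_key("correct horse", salt)))
    print("Mallory, wrong password :", run(store, "Alice", derive_password_key("guess", salt)))
    print("Mallory, stolen stored key:", run(store, "Alice", store["Alice"][1]))
```

The third `run` call is the caveat in the post made visible: whatever Bob stores is enough to run the protocol as Alice, so a leaked table of these keys is password-equivalent even though it contains no plaintext password. That is exactly the property a one-way hash (for an ordinary web login) or an SRP-style verifier (for this kind of mutual authentication) is chosen to avoid.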
Droom
August 10 2012 05:37 GMT
#237
Seeing as this is my expertise, I can comment on this:

Bank vaults can be opened.
Safes can be cracked.
Door knobs can be picked.
Email passwords can be stolen.

It's what you do with the info that matters!

I said that I received 3 emails that got through my filters, and that the FedEx one asks for info (2009) (my wife almost clicked).

I'm just trying to say that a lot of this stuff can be harmless, but this one needs to be addressed.


GoonFFS
August 10 2012 05:38 GMT
#238
no probs
http://konvictgaming.com/ -> @KrugerFFS
Danglars
August 10 2012 05:41 GMT
#239
I would never have expected Blizzard to be exploited in this way! Man, the site is such a rich hacking field, so many accounts reside on it. I'm like ... surely they've seen everything, are prepared against everything ... but wow, how meddlesome are the bugs that remain.

At least the passwords had cryptographic protection unlike controversies like Sony.
Great armies come from happy zealots, and happy zealots come from California!
figq
August 10 2012 05:56 GMT
#240
I just received recently a warning on my Battle.net email that someone unauthorized was trying to access it from North America. So these hackers are actively trying to break the emails, beware.

I was wondering how a hacker could even find this particular email, because I don't use it in any public forms, only for Battle.net.
If you stand next to my head, you can hear the ocean. - Day[9]
Shinta)
August 10 2012 05:57 GMT
#241
yeah... I got several (I think 6?) emails from Blizzard last week saying my bnet account was being hacked.... Idk if this and that are the same, but wtf man...
Suteki Da Ne 素敵だね Isn't it Wonderful
ZeroClick
August 10 2012 06:09 GMT
#242
Ghosts...
kasik047
August 10 2012 06:11 GMT
#243
At least blizz is owning up to the problem and being open about it.
pseudocalm
August 10 2012 06:12 GMT
#244
all accounts except Chinese accounts..... I see
I'd put my sensor tower in her minimap
cYaN
August 10 2012 06:27 GMT
#245
Sounds fine. At least they didn't get hacked and basically have a txt file with people's cc info. haha.
SoniC_eu
August 10 2012 06:57 GMT
#246
Changing passwords...NOW!
In order to succeed, your desire for success should be greater than your fear of failure. http://da.twitch.tv/sonic_eu
NrG.Bamboo
August 10 2012 07:02 GMT
#247
On August 10 2012 13:37 Droom wrote:
So now I know why " FedExe delivery failure" and "Penis Enlargment" got through my spam.

Edit: Changing password now

I think that has more to do with your porn than your bnet account.
I need to protect all your life you can enjoy the vibrant life of your battery
imJealous
August 10 2012 07:14 GMT
#248
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

I do, but I'm still going to change my password and security questions because it's incredibly easy.
... In life very little goes right. "Right" meaning the way one expected and the way one wanted it. One has no right to want or expect anything.
valaki
August 10 2012 07:20 GMT
#249
Blizzard should have gotten authenticators, and this wouldn't have happened.
ggaemo fan
ravemir
August 10 2012 07:21 GMT
#250
No EU action needed? Phew, last time GOM TV needed this it was a hassle to memorize the new pass.

Also, "kudos" on the "scrambled" passwords. Even if anyone who knows computer security has it as no-brainer step to protecting data, it seems that people neglect it IRL more often than not.
"more gg, more skill"
_fool
August 10 2012 07:21 GMT
#251
To state the obvious: if both your email account and (a hashed version of) your password has leaked, AND you use that combination of mail address and password elsewhere (e.g. your webmail, or facebook) then make sure to change your login details on those sites too!

(GOM leaking all their passwords *plaintext* made me aware of how dangerous password reuse is)
"News is to the mind what sugar is to the body"
xcitenl
August 10 2012 07:25 GMT
#252
Oo Big props to Blizzard for coming clean so early! Most companies try to keep it silent until it's leaked.
RaiKageRyu
August 10 2012 07:26 GMT
#253
Holy shit. I knew of someone who bragged to me about getting account information of the #1 US Warrior in WoW and then used it to strip him of all his gear and stuff to allow himself to achieve the #1 rank. This was just a couple of days ago. Holy shit.
Someone call down the Thunder?
Reasonable
August 10 2012 07:32 GMT
#254
Ahh wtf! Blizzard has dropped the ball big time. I'm more worried about them getting my email than the password; I have a lot of stuff going on with that email.
Nausea_
August 10 2012 07:32 GMT
#255
Authenticator every time I log in ftw.
najreteip
August 10 2012 07:33 GMT
#256
So uh, I have a secondary account on the US server, but it came after my EU account and uses the exact same login as my eu account, would I need to reset my password as well?
I have no quote!
stfouri
August 10 2012 07:34 GMT
#257
Well, at least they informed us 6x faster than Sony did.
I still hold a grudge against Sony for keeping their customers in the dark for so long.
yeint
August 10 2012 07:35 GMT
#258
On August 10 2012 07:51 SomeONEx wrote:
I feel bad for you guys in North America, I really do
This might not be a time to talk about happiness, but I'm a tiny bit relieved that this didn't also include EU as I have the same password for almost everything

Still, if anyone can fix this fast (with the law, i.e not mafia) it's probably Blizzard. My hearts to you in America <3


Don't be so sure you're safe.

If you've ever accessed a Blizzard beta, you've logged on via the US authentication server.
Not supporting teams who take robber baron money.
imJealous
August 10 2012 07:41 GMT
#259
On August 10 2012 16:21 ravemir wrote:
No EU action needed? Phew, last time GOM TV needed this it was a hassle to memorize the new pass.

Also, "kudos" on the "scrambled" passwords. Even if anyone who knows computer security has it as no-brainer step to protecting data, it seems that people neglect it IRL more often than not.

Make sure you don't use your GOMTV password anywhere else; they literally have zero encryption on their passwords when you log in. They made no changes to their security the first time they sent out the big notice that passwords had been compromised; I haven't bothered paying attention since then. No point in changing the password if the new one is sent in plain text again every time I log in.
RoberP
August 10 2012 07:43 GMT
#260
If the passwords they stole are encrypted, the chances of breaking the cipher on an 8 letter password are about zero. They'd be better off just trying to guess your password ^^. Still worth changing the secret question though.
Trasko
August 10 2012 07:48 GMT
#261
On August 10 2012 07:42 mataxp wrote:
As a PSN user, dejá vu



loooool. Same here.... /fml
Jaedong <3
Deleted User 101379
August 10 2012 07:48 GMT
#262
Every month another company loses customer data, when will this trend stop?

I use unique email addresses for everything I register for, and it's funny to see new spam popping up all the time. The worst offenders are my sc2replayed@, buffed@ and startrekonline@ addresses; it got so annoying that I started blocking those completely, since I stopped using those months before I started getting spam. I guess my blizzard[1-3]@ addresses will be next for the spam flood. I hope I'll never see the day where I have to block teamliquid@... but well, this site is protected by a wizard so it's unlikely to happen.

Well, at least on the other hand it shows me that some other companies are as bad as the one I work for.
Aterons_toss
August 10 2012 07:56 GMT
#263
Well, at least I live in the EU and I have a unique pass for Blizzard.
But yeah, they are too incompetent to build an anti-hack for their game and now they can't even protect customer info...
Are there no good gaming companies left out there? When you start failing at game design that's one thing; when you fail at protecting customer info and not fixing bugs that's another thing.
Oh well, CD Projekt Red for new Blizzard?
A good strategy means leaving your opponent room to make mistakes
imJealous
August 10 2012 08:01 GMT
#264
On August 10 2012 16:48 Morfildur wrote:
Every month another company loses customer data, when will this trend stop?

I use unique email addresses for everything I register for, and it's funny to see new spam popping up all the time. The worst offenders are my sc2replayed@, buffed@ and startrekonline@ addresses; it got so annoying that I started blocking those completely, since I stopped using those months before I started getting spam. I guess my blizzard[1-3]@ addresses will be next for the spam flood. I hope I'll never see the day where I have to block teamliquid@... but well, this site is protected by a wizard so it's unlikely to happen.

Well, at least on the other hand it shows me that some other companies are as bad as the one I work for.

+ trick for the win

I don't think you can call it a trend though, hackers finding a way in is like a fact of life.
... In life very little goes right. "Right" meaning the way one expected and the way one wanted it. One has no right to want or expect anything.
windzor
Profile Joined October 2010
Denmark1013 Posts
August 10 2012 08:02 GMT
#265
On August 10 2012 16:43 RoberP wrote:
If the passwords they stole are encrypted, the chances of breaking the cypher on an 8 letter password are about zero. They'd be better off just trying to guess your password ^^. Still worth changing the secret question though.


Actually wrong. It depends on what kind of hashed passwords they got. Seeing as they mention SRP i guess the hacker was eavesdropping the login information in that protocol, or else it makes no sense for blizzard to mention the protocol.

If it was the actual database of the passwords, which might be because they got hold of other account information, the standard way of hashing passwords was considered broken by the author 2 months ago. Then blizzard should have been scared.

But my money is still on the eavesdropping of the SRP which means Blizzard's security office isn't fired this time around.
Yeah
malaan
Profile Joined September 2010
365 Posts
August 10 2012 08:02 GMT
#266
wonderful... this comes 1 week after I just got all my money back from a card cloning...
Rannasha
Profile Blog Joined August 2010
Netherlands2398 Posts
August 10 2012 08:04 GMT
#267
On August 10 2012 17:02 windzor wrote:
On August 10 2012 16:43 RoberP wrote:
If the passwords they stole are encrypted, the chances of breaking the cypher on an 8 letter password are about zero. They'd be better off just trying to guess your password ^^. Still worth changing the secret question though.


If it was the actual database of the passwords, which might be because they got hold of other account information, the standard way of hashing passwords was considered broken by the author 2 months ago. Then blizzard should have been scared.


MD5 hasn't been the "standard way of hashing passwords" for years now. Some websites with terrible security may still use it, but anyone who knows anything about securing a system will have moved away from MD5 a long time ago.
Such flammable little insects!
multiversed
Profile Joined December 2010
United States233 Posts
August 10 2012 08:04 GMT
#268
this entirely defeats the intent and purpose of an authenticator. the only reason to ever use one of these was the fact that it was completely secure and sold as an absolute level security. i am beyond annoyed by this and blizzard should kill themselves. teehee.
Team Liquid is the used the tampon of the starcraft community.
Eisregen
Profile Joined September 2011
Germany967 Posts
August 10 2012 08:07 GMT
#269
glad I never ever enter real information about me or any financial info =)
They can spam my email if they want to, will bore me ^^
Photo-Noob@ http://www.flickr.com/photos/eisregen1983/
MaV_gGSC
Profile Blog Joined November 2010
Canada1345 Posts
August 10 2012 08:10 GMT
#270
better change my password asap. This reminds me of the PSN incident
Life's good :D
Ragnarork
Profile Blog Joined June 2011
France9034 Posts
Last Edited: 2012-08-10 08:14:45
August 10 2012 08:12 GMT
#271
On August 10 2012 16:48 Morfildur wrote:
Every month another company loses customer data, when will this trend stop?

I use unique email addresses for everything i register to and it's funny to see new spam popping up all the time. The worst offenders are my sc2replayed@, buffed@ and startrekonline@ addresses, it got so annoying that i started blocking those completely since i stopped using those months before i started getting spam. I guess my blizzard[1-3]@ addresses will be next for the spam flood. I hope i'll never see the day where i have to block teamliquid@... but well, this site is protected by a wizard so it's unlikely to happen.

Well, at least on the other hand it shows me that some other companies are as bad as the one i work for.


It won't...

I see one main reason for that (though I'm sure that there are more than one, I'm not sure which...)

The fact that companies sometimes overlook security to gain efficiency is playing a role. I think you know what happened with LinkedIn and the leaked hashed password, they were hashed with SHA1 without what we call a "salt" (a random sequence of numbers/letters attached to the hash of the password in order to make this hash unique, even for 2 identical passwords).

SHA1 is a hashing algorithm that has been known since 2005 to have security flaws (for those interested in the details: http://en.wikipedia.org/wiki/SHA-1).
Not adding a salt to the hashes also makes the security very weak.
This weak security can be seen (personal opinion there) as either LinkedIn wanting a fast encryption method, or plain stupidity.
Moreover, those passwords were stolen thanks to an SQL injection, a common security flaw that has been known for a long time.

Since we still have in 2012 companies that overlook security to gain efficiency, or just by plain stupidity, it won't help stop this trend. I don't know if you remember Lulzsec, but they weren't "that" good as hackers. They just found very simple security breaches in companies that were quite carefree BEFORE being targeted by hackers. Today, any website that isn't secured against SQL injection is vulnerable to very simple (and easy to find) intrusive methods...

Then, I don't think Blizzard was quite lazy, but a thing they say in the FAQ is that being a huge company on the internet makes you a target tested and tested again on security, either by Black hats or (unofficial) white hats (that first crack, and then contact the company to reveal the flaw).
LiquipediaWanderer
Jinsho
Profile Joined March 2011
United Kingdom3101 Posts
August 10 2012 08:19 GMT
#272
Considering that the only personal data actually lost were email addresses, this is way harmless. Could have potentially been much worse.
klo8
Profile Joined August 2010
Austria1960 Posts
Last Edited: 2012-08-10 08:22:56
August 10 2012 08:22 GMT
#273
On August 10 2012 17:02 windzor wrote:
On August 10 2012 16:43 RoberP wrote:
If the passwords they stole are encrypted, the chances of breaking the cypher on an 8 letter password are about zero. They'd be better off just trying to guess your password ^^. Still worth changing the secret question though.


Actually wrong. It depends on what kind of hashed passwords they got. Seeing as they mention SRP i guess the hacker was eavesdropping the login information in that protocol, or else it makes no sense for blizzard to mention the protocol.

If it was the actual database of the passwords, which might be because they got hold of other account information, the standard way of hashing passwords was considered broken by the author 2 months ago. Then blizzard should have been scared.

But my money is still on the eavesdropping of the SRP which means Blizzard's security office isn't fired this time around.

MD5 has been considered unsafe for a long while now. Already in 1996, a researcher wrote:
"The presented attack does not yet threaten practical applications of MD5, but it comes rather close ... in the future MD5 should no longer be implemented...where a collision-resistant hash function is required."

And in 2005:
Later that year, MD5's designer Ron Rivest wrote, "md5 and sha1 are both clearly broken (in terms of collision-resistance)."


I guess, the point is: Don't use MD5 (or SHA1, or any hash function that you can evaluate very quickly) for hashing passwords, not even a salt value will help you out because MD5 is broken. Use Bcrypt or something similar instead.
This post is clearly not a hurr, as you can see from the graph, the durr never intersects with the derp.
teamamerica
Profile Blog Joined July 2010
United States958 Posts
Last Edited: 2012-08-10 09:00:00
August 10 2012 08:25 GMT
#274
Edit: Whoops I'm dumb. md5 != md5crypt.
RIP GOMTV. RIP PROLEAGUE.
XiWi
Profile Joined August 2012
11 Posts
August 10 2012 08:27 GMT
#275
I'm worried about what information exactly was stolen, and some hacker now social engineering to dig more information.
ChemBroTron
Profile Joined January 2011
Germany194 Posts
Last Edited: 2012-08-10 08:35:56
August 10 2012 08:34 GMT
#276
On August 10 2012 16:48 Morfildur wrote:
Every month another company loses customer data, when will this trend stop?


This will never end and it is not a trend, it is a criminal act. The question is: how safely were, for example, the passwords stored. Safe (like Blizzard says for itself, but better change the password for more safety) or unsafe (like Sony/PSN).
seiferoth10
Profile Joined May 2010
3362 Posts
August 10 2012 08:40 GMT
#277
I'm honestly surprised it took this long. With 8 years of paying customers' info from WoW, I would imagine they have been a prime target for a long time.
Ragnarork
Profile Blog Joined June 2011
France9034 Posts
August 10 2012 08:41 GMT
#278
By the way I'm a bit confused. How can they say that, with the hackers possessing E-Mails AND security questions' answers, the accounts are safe... ? (Well, even before changing the answer...)
LiquipediaWanderer
GabrielB
Profile Joined February 2003
Brazil594 Posts
August 10 2012 08:48 GMT
#279
On August 10 2012 17:41 Ragnarork wrote:
By the way I'm a bit confused. How can they say that, with the hackers possessing E-Mails AND security questions' answers, the accounts are safe... ? (Well, even before changing the answer...)

I'm not sure how it works on Blizzard, but some sites ask for your email and the answer for your security question. If you provide them correctly, they send you an email with a link to reset your password. So the hacker would still need access to your email.
multiversed
Profile Joined December 2010
United States233 Posts
August 10 2012 08:54 GMT
#280
so i am looking for a way to change my security question and am not finding it online. does this require a phone call for all of my accounts? that is further disappointing if the case... i don't even remember the questions atm, let alone the answers.
Team Liquid is the used the tampon of the starcraft community.
Tyree
Profile Joined November 2010
1508 Posts
August 10 2012 08:58 GMT
#281
I was baffled when people slammed Sony when the PSN thing happened, claiming that Sony didn't know what they were doing and how every other company knew better.

Yet it's only a matter of time before someone breaches even Steam, people are trying on a daily basis and one day it will succeed, that's just the nature of the beast.

★ Top Gun ★
HansK
Profile Blog Joined March 2011
249 Posts
August 10 2012 09:03 GMT
#282
On August 10 2012 17:58 Tyree wrote:
I was baffled when people slammed Sony when the PSN thing happened, claiming that Sony didn't know what they were doing and how every other company knew better.

Yet it's only a matter of time before someone breaches even Steam, people are trying on a daily basis and one day it will succeed, that's just the nature of the beast.


http://www.pcworld.idg.com.au/article/415207/hackers_probably_stole_steam_transaction_data_valve_says/

It happened already, afaik.
MrHoon *
Profile Blog Joined April 2008
10183 Posts
August 10 2012 09:11 GMT
#283
ya the steam thing already happened

Chances are the blizzard security breach wont be a too big of a deal

Hopefully
dats racist
ChemBroTron
Profile Joined January 2011
Germany194 Posts
August 10 2012 09:13 GMT
#284
On August 10 2012 17:58 Tyree wrote:
I was baffled when people slammed Sony when the PSN thing happened, claiming that Sony didn't know what they were doing and how every other company knew better.


They actually didn't know what they were doing. Sony's security flaws were very, very bad. Not updating their servers for over 6 months? Not good, not good.
Hypemeup
Profile Joined February 2011
Sweden2783 Posts
August 10 2012 09:16 GMT
#285
On August 10 2012 17:58 Tyree wrote:
I was baffled when people slammed Sony when the PSN thing happened, claiming that Sony didn't know what they were doing and how every other company knew better.

Yet it's only a matter of time before someone breaches even Steam, people are trying on a daily basis and one day it will succeed, that's just the nature of the beast.



I thought Sony stored some of their information in plain text? ~~
SlaverR
Profile Joined November 2010
Germany87 Posts
August 10 2012 09:20 GMT
#286


Additionally, we'll prompt mobile authenticator users to update their authenticator software.


And since we got a situation of "fear" and "panic" ... LET'S EARN SOME MONEY! Well played Blizzard ....
sleeping is the cousin of death
nimbim
Profile Blog Joined June 2009
Germany984 Posts
August 10 2012 09:22 GMT
#287
On August 10 2012 18:20 SlaverR wrote:


Additionally, we'll prompt mobile authenticator users to update their authenticator software.


And since we got a situation of "fear" and "panic" ... LET'S EARN SOME MONEY! Well played Blizzard ....


You can download and update the mobile authenticator software for free.
GabrielB
Profile Joined February 2003
Brazil594 Posts
August 10 2012 09:22 GMT
#288
On August 10 2012 17:54 multiversed wrote:
so i am looking for a way to change my security question and am not finding it online. does this require a phone call for all of my accounts? that is further disappointing if the case... i don't even remember the questions atm, let alone the answers.

http://us.battle.net/support/en/blog/6940803/Battlenet_Secret_Question_Answer_Reset_Service_Forthcoming-8_9_2012#blog

There's no way yet, but they are implementing it. I suppose it should be ready in a couple of days.
Ph4ZeD
Profile Joined September 2011
United Kingdom753 Posts
August 10 2012 09:24 GMT
#289
On August 10 2012 18:20 SlaverR wrote:


Additionally, we'll prompt mobile authenticator users to update their authenticator software.


And since we got a situation of "fear" and "panic" ... LET'S EARN SOME MONEY! Well played Blizzard ....


The mobile authenticator apps are free, or have you not heard of smartphones?
DOUDOU
Profile Joined October 2011
Wales2940 Posts
Last Edited: 2012-08-10 09:25:52
August 10 2012 09:25 GMT
#290
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

not quite

change your damn security question instead

also, the SANS released a statement about the news
https://isc.sans.edu/diary.html?storyid=13870&rss


someone update the OP please
Feast | Grubby | Mvp | Polt | Fantasy | Last | MMA | forGG | Leenock | Soberphano | Scarlett cutiepie
skeldark
Profile Joined April 2010
Germany2223 Posts
August 10 2012 09:31 GMT
#291
On August 10 2012 18:25 DOUDOU wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

not quite

change your damn security question instead

also, the SANS released a statement about the news
https://isc.sans.edu/diary.html?storyid=13870&rss


someone update the OP please

You cannot change that ^^
LOL, he suggests to enter SMS alert.
Problem: your data on blizzard got compromised
Solution: give blizzard more personal data
Oo
Save gaming: kill esport
DOUDOU
Profile Joined October 2011
Wales2940 Posts
August 10 2012 09:34 GMT
#292
On August 10 2012 18:31 skeldark wrote:
On August 10 2012 18:25 DOUDOU wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

not quite

change your damn security question instead

also, the SANS released a statement about the news
https://isc.sans.edu/diary.html?storyid=13870&rss


someone update the OP please

You cannot change that ^^

well good job blizzard
Feast | Grubby | Mvp | Polt | Fantasy | Last | MMA | forGG | Leenock | Soberphano | Scarlett cutiepie
multiversed
Profile Joined December 2010
United States233 Posts
Last Edited: 2012-08-10 09:36:09
August 10 2012 09:34 GMT
#293
as someone qualified to give advice on such matters, the faster you change the e-mail password associated to your battle.net account as well as your actual account password, the less chance you have to be compromised. if your account password and e-mail account password are/were unique, you were at very little risk to begin with.

if they were the same password, there was a small window of risk. if you have changed your passwords, that window is now closed. if someone does not have access to your e-mail account, your battle.net account cannot be stolen (in relation to this matter only.)
Team Liquid is the used the tampon of the starcraft community.
mostevil
Profile Joined February 2011
United Kingdom611 Posts
August 10 2012 09:46 GMT
#294
On August 10 2012 09:26 nath wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

as a programmer, yes.

As a programmer who's done cryptography work, it depends on the algorithm used. If it's a properly salted non-reversible algorithm then yes, but we don't know that... Plus it sounds like they may have used reversible encryption, so no. Change your passwords.
我的媽和她的瘋狂的外甥都
halfies
Profile Joined November 2011
United Kingdom327 Posts
August 10 2012 09:46 GMT
#295
On August 10 2012 18:31 skeldark wrote:
On August 10 2012 18:25 DOUDOU wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

not quite

change your damn security question instead

also, the SANS released a statement about the news
https://isc.sans.edu/diary.html?storyid=13870&rss


someone update the OP please

You cannot change that ^^
LOL, he suggests to enter SMS alert.
Problem: your data on blizzard got compromised
Solution: give blizzard more personal data
Oo

well, tbf, that does seem to be a good short term solution to the problem. unless the hackers are good enough to hack your phone network and divert your texts, or actually steal your phone, it would work.
and since the data breach has been fixed, it's not gonna get stolen again before blizzard fixes this shit, at which point you can probably remove it
DOUDOU
Profile Joined October 2011
Wales2940 Posts
August 10 2012 09:48 GMT
#296
On August 10 2012 18:46 mostevil wrote:
On August 10 2012 09:26 nath wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

as a programmer, yes.

As a programmer who's done cryptography work, it depends on the algorithm used. If it's a properly salted non-reversible algorithm then yes, but we don't know that... Plus it sounds like they may have used reversible encryption, so no. Change your passwords.

even non reversible algorithms can have dictionaries
Feast | Grubby | Mvp | Polt | Fantasy | Last | MMA | forGG | Leenock | Soberphano | Scarlett cutiepie
Tom Cruise
Profile Joined July 2012
Denmark482 Posts
Last Edited: 2012-08-10 09:50:15
August 10 2012 09:50 GMT
#297
On August 10 2012 18:31 skeldark wrote:
On August 10 2012 18:25 DOUDOU wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

not quite

change your damn security question instead

also, the SANS released a statement about the news
https://isc.sans.edu/diary.html?storyid=13870&rss


someone update the OP please

You cannot change that ^^
LOL, he suggests to enter SMS alert.
Problem: your data on blizzard got compromised
Solution: give blizzard more personal data
Oo


eh. of course that's a good idea, the more personal information you give them, the better chances of recovering a lost account (in case that happens)
multiversed
Profile Joined December 2010
United States233 Posts
August 10 2012 09:50 GMT
#298
confidence only and always leads to failure in this industry. we don't gamble. ever. please change your passwords.
Team Liquid is the used the tampon of the starcraft community.
Maluk
Profile Joined August 2011
France987 Posts
August 10 2012 09:54 GMT
#299
I'm just wondering what exactly could the "hackers" do even if they catch my password? I mean, if someone steals my account to ladder with it I won't be too mad, and aside from that what are the risks?
ulan-bat
Profile Blog Joined August 2011
China403 Posts
August 10 2012 09:55 GMT
#300
On August 10 2012 15:12 pseudocalm wrote:
all accounts except chinese accounts.....i see

there is a specific battle.net for china

now you know
"Short games, shorts, summer weather, those things bring the heat!" - EG.iNcontroL
Rannasha
Profile Blog Joined August 2010
Netherlands2398 Posts
August 10 2012 10:03 GMT
#301
On August 10 2012 18:54 Maluk wrote:
I'm just wondering what exactly could the "hackers" do even if they catch my password? I mean, if someone steals my account to ladder with it I won't be too mad, and aside from that what are the risks?


For accounts with just SC2, there's not much to be gained. WoW and D3 accounts are rather interesting though, since they contain tradeable items and currency, making it easy to strip the account of valuable commodities to be sold for actual money at some later time.
Such flammable little insects!
multiversed
Profile Joined December 2010
United States233 Posts
August 10 2012 10:05 GMT
#302
On August 10 2012 18:54 Maluk wrote:
I'm just wondering what exactly could the "hackers" do even if they catch my password? I mean, if someone steals my account to ladder with it I won't be too mad, and aside from that what are the risks?

it isn't really with battle.net, you only really risk the standard wow/diablo account steal if your e-mail had a unique password. the real risk would be if your battle.net password happened to be your paypal password and you hadn't changed it when it came time to farm this data.

we don't like to collect risk potential. we tend to try to stomp it out even if only a minor potential threat caused by user stupidity.
Team Liquid is the used the tampon of the starcraft community.
Na_Dann_Ma_GoGo
Profile Joined March 2010
Germany2959 Posts
August 10 2012 10:06 GMT
#303
I have a question to the "experts" here.

I'm always wondering about using Brute Force stuff for this. How do you know if a password is correct unless you have it checked on the servers? I mean wouldn't someone using that method have to register millions of BNet enquiries, which would make it easy to prevent that? Some explanation on how that stuff works would be appreciated
WrathBringerReturns said: No no no. Sarcasm is detected in the voice. When this forum is riddled with stupidity, you think I can tell every post apart? Fair enough it was intended sarcastically, was it obvious? Of course not.
Maluk
Profile Joined August 2011
France987 Posts
August 10 2012 10:10 GMT
#304
Thank you for the answers, Rannasha and multiversed, I guess I don't have to be concerned then. SC2 only ftw
greendestiny
Profile Blog Joined May 2010
Bosnia-Herzegovina114 Posts
August 10 2012 10:12 GMT
#305
I started receiving regular fake MoP invites to my mail about 2 months ago. I believe that Blizzard was hacked around the time of D3's release, and they found out just now about it
"The trespass into our internal network was detected by us on August 4, 2012."

I remember reading official D3 forums when there was a mass of users going: "Blizz, I take every possible precaution and I lost all my gear and gold, your servers have been hacked!" and the massive amount of verbal abuse they received. They should feel vindicated now.
How I appear to you is a reflection of you, not me.
multiversed
Profile Joined December 2010
United States233 Posts
Last Edited: 2012-08-10 10:32:33
August 10 2012 10:14 GMT
#306
i will explain in broad general terms...
brute forcing is most often done with a botnet (a large network of hacked computers.) if a single user attempted to enter 5 million passwords into a server, it would get noticed. if 200,000 computers try 1-2 times each in a controlled method, the associated IP doesn't get flagged, logged, and banned. *this is more the general theory than the actual practice...*

i'd rather not go into more detail, as this is all stupidly easy to begin with. all it really requires is teenaged angst, or the equivalent.

edit: update for clarity. account was a poor choice of words.
Team Liquid is the used the tampon of the starcraft community.
Deleted User 101379
Profile Blog Joined August 2010
4849 Posts
August 10 2012 10:16 GMT
#307
On August 10 2012 19:06 Na_Dann_Ma_GoGo wrote:
I have a question to the "experts" here.

I'm always wondering about using Brute Force stuff for this. How do you know if a password is correct unless you have it checked on the servers? I mean wouldn't someone using that method have to register millions of BNet enquiries, which would make it easy to prevent that? Some explanation on how that stuff works would be appreciated


If you have the hash and know the algorithm, you can hash millions of possible passwords and as soon as your hash and the password hash matches, you have the correct password. No need to check with the server, it will just do the same algorithm and will consider both equal.

There are databases of password/hash combinations - called rainbow tables - where the cleartext password is already matched to the hash in the database, so you can just search for the hash and get the cleartext as result. To counteract those, it is common practice to add a "salt", i.e. some additional data, to the password which makes it harder to get the correct result in the rainbow table.

Depending on the algorithm, salt, password length, etc., there is an infinitely small chance of two different passwords generating the same hash (0.000....01%) but that actually won't matter because as long as the end result is the same, the server will still accept it as valid because it doesn't know the difference either.
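The offline hash matching, precomputed-table lookup and salt mechanics Morfildur describes above, and the keyspace arithmetic that comes up later in the thread, as an added example that is not from any post here. The password list, the salts and the choice of algorithms (MD5 for the weak case, SHA-256 and PBKDF2 from the standard library for the stronger ones) are assumptions of this demo, not anything known about Blizzard's storage.

```python
"""Added example (not from any post in this thread): why a leaked table of
unsalted fast hashes is dangerous, why a per-user salt defeats precomputed
("rainbow") lookups, and how the keyspace sizes quoted in the thread are
computed. Every password and table entry below is constructed for the demo."""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def keyspace(alphabet_size: int, length: int) -> int:
    """Worst-case number of candidates an attacker must hash to exhaust the
    space: alphabet_size ** length (the "complexity" figure used in the thread)."""
    return alphabet_size ** length


def worst_case_seconds(candidates: int, hashes_per_second: float) -> float:
    """Exhaustive-search time for a given offline hashing rate."""
    return candidates / hashes_per_second


def md5_hex(text: str) -> str:
    """Unsalted, fast hash: what a weakly protected database would store."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed stand-in for a precomputed table (hash -> cleartext). A real
# rainbow table holds billions of entries; the lookup works the same way.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "starcraft"]
PRECOMPUTED = {md5_hex(p): p for p in COMMON_PASSWORDS}


def lookup_precomputed(stored_hash: str) -> Optional[str]:
    """With no salt, recovering a common password is a dictionary lookup;
    no contact with the login server is needed, as the post above says."""
    return PRECOMPUTED.get(stored_hash)


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """What the server should store: a random per-user salt plus
    SHA-256(salt || password). The salt is not secret; it only has to be
    unique so that two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant
    time (hmac.compare_digest) so timing does not leak how many bytes matched."""
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """A deliberately slow construction (PBKDF2-HMAC-SHA256) in the spirit of
    bcrypt: every guess costs `iterations` hash evaluations, so an attacker's
    offline guessing rate drops by that factor compared with plain MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def demo() -> dict:
    """Run the comparison end to end and return the facts worth checking."""
    leaked = md5_hex("starcraft")            # unsalted hash from a "leak"
    salt_a, digest_a = store_salted("starcraft")
    salt_b, digest_b = store_salted("starcraft")
    return {
        "unsalted_recovered": lookup_precomputed(leaked),    # 'starcraft'
        "salted_in_table": lookup_precomputed(digest_a),     # None
        "same_password_same_digest": digest_a == digest_b,   # False
        "verify_ok": verify_salted("starcraft", salt_a, digest_a),
        "verify_wrong": verify_salted("starcraft1", salt_a, digest_a),
        "lower10": keyspace(26, 10),
        "full10": keyspace(112, 10),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```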
Rannasha
Profile Blog Joined August 2010
Netherlands2398 Posts
August 10 2012 10:18 GMT
#308
On August 10 2012 19:12 greendestiny wrote:
I started receiving regular fake MoP invites to my mail about 2 months ago. I believe that Blizzard was hacked around the time of D3's release, and they found out just now about it
"The trespass into our internal network was detected by us on August 4, 2012."


I've been receiving these phishing mails for years, so they're not really new. They tend to pop up whenever a new expansion/game is in beta. I use different email addresses for different websites and I've only ever received these fake mails on 2 addresses I used for some community websites that are known to have been compromised (since they announced it to their users). I have never received any such mail on the address I use for my Battle.net account.

I remember reading official D3 forums when there was a mass of users going: "Blizz, I take every possible precaution and I lost all my gear and gold, your servers have been hacked!" and the massive amount of verbal abuse they received. They should feel vindicated now.


Except that they're not vindicated. The people that lost their D3 account back then simply didn't have the appropriate security measures. It didn't help that Blizzard gave their SMS service that didn't work with D3 the name "SMS Authenticator", which was the main source of people saying that they did have an authenticator and still lost their account. Blizzard has since then renamed the thing to something like SMS Protect or so.
Such flammable little insects!
Dakkas
Profile Joined October 2010
2550 Posts
August 10 2012 10:26 GMT
#309
I must say it's quite contrasting when comparing SC2 gamer's response with D3 gamer's response on this Blizzard security breach. From what I see in this thread, most people are being quite objective and understanding of it however on the D3 forum, the general opinion is "LOL BLIZZARD SUX DIX SO BAD FAIL".

Fuchsteufelswild
Profile Joined October 2009
Australia2028 Posts
August 10 2012 10:28 GMT
#310
I only just changed my password a couple of months ago and I'm not playing SC2 often nowadays, so stuff it until I get reason to get them to lock it. I have no money on the account.
ZerO - FantaSy - Calm - Nal_rA - Jaedong - NaDa - EffOrt - Bisu - by.hero - StarDust - Welmu - Nerchio - Supernova - Solar - Squirtle - LosirA - Grubby - IntoTheRainbow - Golden... ~~~ Incredible Miracle and Woongjin Stars 화이팅!
Na_Dann_Ma_GoGo
Profile Joined March 2010
Germany2959 Posts
August 10 2012 10:39 GMT
#311
@ Morfildur
Aye thanks.

But then there shouldn't be much to worry about at the moment since acquiring the algorithm should be nigh impossible right?
I mean it shouldn't be straight away available to the hackers and reverse engineering is one hell of a task I'd imagine.

WrathBringerReturns said: No no no. Sarcasm is detected in the voice. When this forum is riddled with stupidity, you think I can tell every post apart? Fair enough it was intended sarcastically, was it obvious? Of course not.
multiversed
Profile Joined December 2010
United States233 Posts
August 10 2012 10:42 GMT
#312
that is the hope/assumption. it would take lifetimes without the key to the door. so to speak.
Team Liquid is the used the tampon of the starcraft community.
Xanthopsia
Profile Joined November 2010
Australia41 Posts
August 10 2012 10:57 GMT
#313
Very unfortunate that this happened however I'm really happy with how honest Blizzard are being telling customers exactly what information was compromised and steps to protect your account rather than avoiding what information was compromised or keeping it to themselves.

Horrible that it has happened, however kudos to Blizzard for handling it the best way possible.
paralleluniverse
Profile Joined July 2010
4065 Posts
August 10 2012 11:01 GMT
#314
This has got to be the most weaksauce hack ever.

Literally nothing of value was taken. No accounts will directly be compromised by this.

I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data.
fishjie
Profile Blog Joined September 2010
United States1519 Posts
August 10 2012 11:05 GMT
#315
unfortunately since i use the same pw for a lot of websites including financial now i have to change /sigh
Deleted User 101379
Profile Blog Joined August 2010
4849 Posts
Last Edited: 2012-08-10 11:08:59
August 10 2012 11:07 GMT
#316
On August 10 2012 19:39 Na_Dann_Ma_GoGo wrote:
@ Morfildur
Aye thanks.

But then there shouldn't be much to worry about at the moment since acquiring the algorithm should be nigh impossible right?
I mean it shouldn't be straight away available to the hackers and reverse engineering is one hell of a task I'd imagine.



Companies all use standard algorithms and with some practice you can limit the amount of possible algorithms by just looking at the hash, the only factor that can make it hard is the salt and the password complexity.

The more complex the password is, the less likely it's in a rainbow table and the harder it is to brute force.

A more in-depth explanation:
A password of length 1 that consists of only lowercase characters (a-z) has a complexity of 26^1, i.e. 26.
A password of length 1 that consists of lower- & uppercase has a complexity of 52.
A password of length 1 that consists of lower- & uppercase & numbers and a selection of 50 special characters has a complexity of 112.
A password with those properties but of length 2 has a complexity of 112^2, i.e. 12 544.
A password of length 10 with only lowercase characters just has a complexity of 26^10, i.e. 141 167 095 653 376.
A password of length 10 with the 112 characters has a complexity of 112^10, i.e. 310 584 820 834 420 916 224.

Complexity means the range of possible passwords that have to be hashed to find the correct password.

If you add a salt of 10 characters from a selection of 112 characters, it suddenly becomes 112^20 which is a 40 digit number.

Now as for the actual time it takes to hash the password and brute force it, the stronger algorithms take longer than simple algorithms like MD5. You can calculate several million up to several billion ( http://www.codinghorror.com/blog/2012/04/speed-hashing.html ) MD5 hashes per second depending on your PC, so to definitively crack the lowercase-only password, it takes a few hours or at most a few days. To crack the complex password it still takes a few weeks.
Other algorithms like SHA256, etc. are slower, so it takes 10-100 times longer to brute force passwords. Add the salt and it suddenly becomes an eternity.

That is why the rainbow tables exist. Basically each lower- & uppercase only combination for passwords of up to 10-15 characters in length is included in rainbow tables which makes a search for it a matter of seconds.

Most of those that steal a huge amount of password hashes don't bother brute forcing; if it's not in the rainbow tables, they ignore those but still might sell or release those users and hashes. That means that someone who targets a specific user/group can still try to brute force the passwords.

So in summary the best way to protect your password is:
1. Have a long password using special characters, numbers and a mix of upper- and lowercase characters to maximize its complexity.
2. Hope that the one storing your password uses a strong salt.
3. Hope that the one storing your password uses a strong and slow algorithm.
paralleluniverse
Profile Joined July 2010
4065 Posts
Last Edited: 2012-08-10 11:09:29
August 10 2012 11:07 GMT
#317
On August 10 2012 19:26 Dakkas wrote:
I must say it's quite contrasting when comparing SC2 gamers' response with D3 gamers' response to this Blizzard security breach. From what I see in this thread, most people are being quite objective and understanding of it; however, on the D3 forum, the general opinion is "LOL BLIZZARD SUX DIX SO BAD FAIL".


That's because a lot of people were hacked when D3 launched, because they were too stupid to protect their accounts from keyloggers and phishing scams. They blamed Blizzard. They accused Blizzard of being hacked, even though Blizzard had never been hacked at that time.

They said it was greedy and unfair they had to buy an authenticator to secure their accounts, without realizing that you don't need an authenticator if you're not stupid.

And now that Blizzard has been "hacked", they've actually been proven completely wrong. Blizzard got hacked and nothing that would have allowed unauthorized access to any account has been compromised. No account will be hacked as a direct result of Blizzard getting hacked.

The D3 community -- what were you expecting from a bunch of people with no internet skills who were dumb enough to get phished and hacked?
Ganondorf
Profile Joined April 2010
Italy, 600 Posts
Last Edited: 2012-08-10 11:11:04
August 10 2012 11:10 GMT
#318
On August 10 2012 20:01 paralleluniverse wrote:
This has got to be the most weaksauce hack ever.

Literally nothing of value was taken. No accounts will directly be compromised by this.

I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data.


If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to brute force it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime.

The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even PayPal/bank accounts etc.
Wroshe
Profile Joined June 2011
Netherlands, 1051 Posts
August 10 2012 11:10 GMT
#319
On August 10 2012 19:26 Dakkas wrote:
I must say it's quite contrasting when comparing SC2 gamers' response with D3 gamers' response to this Blizzard security breach. From what I see in this thread, most people are being quite objective and understanding of it; however, on the D3 forum, the general opinion is "LOL BLIZZARD SUX DIX SO BAD FAIL".


I honestly feel that the response here is influenced a lot by how Blizzard has handled this. They came clean and divulged quite a lot of info on what was taken and how it was stored.

I feel that the response would have been a lot less friendly if for example they stored their passwords in plain text (like GOMTV) or if credit card information had been taken.
BlitzerSC
Profile Joined May 2011
Italy, 8800 Posts
August 10 2012 11:13 GMT
#320
So these hackers now only have my email since I only have an EU account, right?
paralleluniverse
Profile Joined July 2010
4065 Posts
Last Edited: 2012-08-10 11:19:59
August 10 2012 11:19 GMT
#321
On August 10 2012 20:10 Ganondorf wrote:
On August 10 2012 20:01 paralleluniverse wrote:
This has got to be the most weaksauce hack ever.

Literally nothing of value was taken. No accounts will directly be compromised by this.

I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data.


If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to brute force it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime.

The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even PayPal/bank accounts etc.

Given Blizzard's (previously) flawless history with security, I would expect that the passwords would take thousands of years to crack.

And assuming that the passwords are not cracked, which is a very good assumption, as I've never heard of hackers cracking stolen encrypted data, then there is nothing to worry about.

Also, using the same password for email and anything else is highly stupid, as email is nearly always used to verify the account. Security tip: never use your email password for anything else, ever.
multiversed
Profile Joined December 2010
United States, 233 Posts
Last Edited: 2012-08-10 11:23:50
August 10 2012 11:21 GMT
#322
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.
paralleluniverse
Profile Joined July 2010
4065 Posts
Last Edited: 2012-08-10 11:26:39
August 10 2012 11:26 GMT
#323
On August 10 2012 20:21 multiversed wrote:
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.

Who cares if their passwords are not case-sensitive? Who uses upper-case letters in their passwords anyway?

In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper-case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well known that longer passwords with just letters are better than shorter passwords with mixed characters.
multiversed
Profile Joined December 2010
United States, 233 Posts
August 10 2012 11:28 GMT
#324
On August 10 2012 20:26 paralleluniverse wrote:
On August 10 2012 20:21 multiversed wrote:
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.

Who cares if their passwords are not case-sensitive? Who uses upper-case letters in their passwords anyway?

In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper-case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well known that longer passwords with just letters are better than shorter passwords with mixed characters.


please don't waste the effort put into this post.

On August 10 2012 20:07 Morfildur wrote:
On August 10 2012 19:39 Na_Dann_Ma_GoGo wrote:
@ Morfildur
Aye thanks.

But then there shouldn't be much to worry about at the moment, since acquiring the algorithm should be nigh impossible, right?
I mean it shouldn't be straight away available to the hackers and reverse engineering is one hell of a task I'd imagine.



Companies all use standard algorithms, and with some practice you can narrow down the possible algorithms just by looking at the hash; the only factors that can make it hard are the salt and the password complexity.

The more complex the password is, the less likely it's in a rainbow table and the harder it is to brute force.

A more in-depth Explanation:
A password of length 1 that consists of only lowercase characters (a-z) has a complexity of 26^1, i.e. 26.
A password of length 1 that consists of lower- & uppercase has a complexity of 52.
A password of length 1 that consists of lower- & uppercase & numbers and a selection of 50 special characters has a complexity of 112.
A password with those properties but of length 2 has a complexity of 112^2, i.e. 12 544.
A password of length 10 with only lowercase characters just has a complexity of 26^10, i.e. 141 167 095 653 376.
A password of length 10 with the 112 characters has a complexity of 112^10, i.e. 310 584 820 834 420 916 224.

Complexity means the range of possible passwords that have to be hashed to find the correct password.

If you add a salt of 10 characters from a selection of 112 characters, it suddenly becomes 112^20 which is a 40 digit number.

Now as for the actual time it takes to hash the password and brute force it, the stronger algorithms take longer than simple algorithms like MD5. You can calculate several million up to several billion ( http://www.codinghorror.com/blog/2012/04/speed-hashing.html ) MD5 hashes per second depending on your PC, so to definitively crack the lowercase-only password, it takes a few hours or at most a few days. To crack the complex password it still takes a few weeks.
Other algorithms like SHA256, etc. are slower, so it takes 10-100 times longer to brute force passwords. Add the salt and it suddenly becomes an eternity.

That is why the rainbow tables exist. Basically each lower- & uppercase only combination for passwords of up to 10-15 characters in length is included in rainbow tables which makes a search for it a matter of seconds.

Most of those that steal a huge amount of password hashes don't bother brute forcing; if it's not in the rainbow tables, they ignore those but still might sell or release those users and hashes. That means that someone who targets a specific user/group can still try to brute force the passwords.

So in summary the best way to protect your password is:
1. Have a long password using special characters, numbers and a mix of upper- and lowercase characters to maximize its complexity.
2. Hope that the one storing your password uses a strong salt.
3. Hope that the one storing your password uses a strong and slow algorithm.

Ragnarork
Profile Blog Joined June 2011
France, 9034 Posts
Last Edited: 2012-08-10 11:34:06
August 10 2012 11:33 GMT
#325
On August 10 2012 20:26 paralleluniverse wrote:
On August 10 2012 20:21 multiversed wrote:
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.

Who cares if their passwords are not case-sensitive? Who uses upper-case letters in their passwords anyway?

In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper-case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well known that longer passwords with just letters are better than shorter passwords with mixed characters.


It pisses you off when they force you to use 1 upper-case letter, and still, it makes your password gain a few magnitudes of security. They don't do that just to piss you off actually...

An uppercase letter doesn't have the same ASCII code as a lowercase letter.

And actually, if you use a 12-character-long password with only lowercase letters, it will be less secure than, say, a 10-character-long password with mixed characters. It's just maths.

EDIT : the previous repost explains way better with numbers, if you don't trust this...
LiquipediaWanderer
HaruRH
Profile Blog Joined August 2011
Singapore, 2780 Posts
August 10 2012 11:40 GMT
#326
Ugh. I was hit by this. My account had been locked and all my game accounts were locked as well. I needed to unlock ALL my game accounts, one by one. I had to bind my account with an authenticator because those blizzard folks won't let me unlock my accounts without one. There you go.
It is fucking D4 and you are still alive as a CONFIRMED FUCKING TOWN. This is how fucking terrible scum thinks you are - Koshi
Broodwurst
Profile Joined June 2011
Germany, 1586 Posts
August 10 2012 11:46 GMT
#327
On August 10 2012 20:19 paralleluniverse wrote:
On August 10 2012 20:10 Ganondorf wrote:
On August 10 2012 20:01 paralleluniverse wrote:
This has got to be the most weaksauce hack ever.

Literally nothing of value was taken. No accounts will directly be compromised by this.

I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data.


If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to brute force it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime.

The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even PayPal/bank accounts etc.

Given Blizzard's (previously) flawless history with security, I would expect that the passwords would take thousands of years to crack.

And assuming that the passwords are not cracked, which is a very good assumption, as I've never heard of hackers cracking stolen encrypted data, then there is nothing to worry about.

Also, using the same password for email and anything else is highly stupid, as email is nearly always used to verify the account. Security tip: never use your email password for anything else, ever.


Previous flawless history?
http://www.qj.net/mmorpg/titles/warcraftnet-and-battlenet-get-hacked-by-polite-hacker.html
http://suite101.com/article/wow-gets-hacked-in-korea-a48293


Fanboys = (ウ╹◡╹)ウ /// I like smiley faces
paralleluniverse
Profile Joined July 2010
4065 Posts
Last Edited: 2012-08-10 12:05:23
August 10 2012 11:50 GMT
#328
On August 10 2012 20:33 Ragnarork wrote:
On August 10 2012 20:26 paralleluniverse wrote:
On August 10 2012 20:21 multiversed wrote:
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.

Who cares if their passwords are not case-sensitive? Who uses upper-case letters in their passwords anyway?

In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper-case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well known that longer passwords with just letters are better than shorter passwords with mixed characters.


It pisses you off when they force you to use 1 upper-case letter, and still, it makes your password gain a few magnitudes of security. They don't do that just to piss you off actually...

An uppercase letter doesn't have the same ASCII code as a lowercase letter.

And actually, if you use a 12-character-long password with only lowercase letters, it will be less secure than, say, a 10-character-long password with mixed characters. It's just maths.

EDIT : the previous repost explains way better with numbers, if you don't trust this...

Yes, it is just math, and it's well known that an exponential function, x^a, increases more rapidly as a function of the exponent, a, than it does as a function of the base, x.

On my keyboard I count 32 symbols, 26 letters, and 10 numbers, which is a total of 68. So there are 68^x passwords of length x if we don't allow for upper case. If we do allow for upper case, there are 94 characters, so 94^x passwords of length x.

Now, how many more characters does a password excluding upper-case characters need to have before it becomes stronger than one with upper-case characters? Well, just solve 68^(x+e) > 94^x for e. The solution is e > x*log(94/68)/log(68) = 0.0767x.

So a 10-letter password allowing for upper-case characters has equal strength to a 10.767-letter password disallowing upper-case characters, which means an 11-letter password not allowing upper-case characters is better.
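Putting Morfildur's keyspace numbers (post #316) and paralleluniverse's length-versus-alphabet comparison (this post) into one runnable form, as an added example that is not code from either poster: the alphabet sizes 26, 52, 112, 68 and 94 come from the thread, the 10^9 hashes/second rate is an assumption in the range the linked Coding Horror article discusses, and the precomputation function models the salt's effect on rainbow-table work rather than on a targeted brute force.

```python
import math

# Alphabet sizes quoted in the thread.
LOWER = 26            # a-z
MIXED_CASE = 52       # a-z plus A-Z
FULL_112 = 112        # Morfildur: lower + upper + digits + 50 specials
NO_UPPER_68 = 68      # paralleluniverse: 32 symbols + 26 letters + 10 digits
WITH_UPPER_94 = 94    # the same keyboard with upper case allowed


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must hash: charset_size ** length."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same quantity expressed as a bit count, log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case wall-clock time to hash every candidate at the given rate."""
    return keyspace(charset_size, length) / hashes_per_second


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit (constructed helper)."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def precomputation_keyspace(charset_size: int, length: int,
                            salt_charset_size: int, salt_length: int) -> int:
    """Table size a precomputed (rainbow-table) attack needs once a salt is in play:
    every password candidate for every possible salt, i.e. the thread's 112**20.
    A salt stored next to the hash does not slow a targeted brute force of that one
    hash; what it removes is the reuse of precomputed work across users and sites."""
    return keyspace(charset_size, length) * keyspace(salt_charset_size, salt_length)


def extra_length_needed(small_base: int, large_base: int, length: int) -> float:
    """Solve small_base ** (length + e) = large_base ** length for e:
    e = length * log(large_base / small_base) / log(small_base)."""
    return length * math.log(large_base / small_base) / math.log(small_base)


def equivalent_length(small_base: int, large_base: int, length: int) -> int:
    """Smallest whole length over the smaller alphabet that is at least as strong
    as `length` characters over the larger alphabet."""
    return math.ceil(length + extra_length_needed(small_base, large_base, length))


if __name__ == "__main__":
    rate = 1e9  # assumed hash rate, hashes per second
    for base, n in [(LOWER, 10), (FULL_112, 10), (NO_UPPER_68, 11), (WITH_UPPER_94, 10)]:
        print(f"{base:>3}^{n:<2} = {keyspace(base, n):>24,}  "
              f"{entropy_bits(base, n):5.1f} bits  "
              f"{humanize(seconds_to_exhaust(base, n, rate))} at {rate:.0e}/s")
    e = extra_length_needed(NO_UPPER_68, WITH_UPPER_94, 10)
    print(f"10 chars over 94 ~ {10 + e:.3f} chars over 68, so use "
          f"{equivalent_length(NO_UPPER_68, WITH_UPPER_94, 10)} without upper case")
    print(f"112^10 candidates x 112^10 salts = "
          f"{precomputation_keyspace(FULL_112, 10, FULL_112, 10):,}")
```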
multiversed
Profile Joined December 2010
United States, 233 Posts
Last Edited: 2012-08-10 11:55:03
August 10 2012 11:54 GMT
#329
On August 10 2012 20:50 paralleluniverse wrote:
On August 10 2012 20:33 Ragnarork wrote:
On August 10 2012 20:26 paralleluniverse wrote:
On August 10 2012 20:21 multiversed wrote:
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.

Who cares if their passwords are not case-sensitive? Who uses upper-case letters in their passwords anyway?

In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper-case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well known that longer passwords with just letters are better than shorter passwords with mixed characters.


It pisses you off when they force you to use 1 upper-case letter, and still, it makes your password gain a few magnitudes of security. They don't do that just to piss you off actually...

An uppercase letter doesn't have the same ASCII code as a lowercase letter.

And actually, if you use a 12-character-long password with only lowercase letters, it will be less secure than, say, a 10-character-long password with mixed characters. It's just maths.

EDIT : the previous repost explains way better with numbers, if you don't trust this...

Yes, it is just math, and it's well known that an exponential function, x^a, increases more rapidly as a function of the exponent, a, than it does as a function of the base, x.

On my keyboard I count 32 symbols, 26 letters, and 10 numbers, which is a total of 68. So there are 68^x passwords of length x if we don't allow for upper case. If we do allow for upper case, there are 94 characters, so 94^x passwords of length x.

Now, how many more characters does a password excluding upper-case characters need to have before it becomes stronger than one with upper-case characters? Well, just solve 68^(x+e) > 94^x for e. The solution is e > x*log(94/68)/log(68) = 0.0767x.

So a 10-letter password allowing for upper-case characters has equal strength to a 10.767-letter password disallowing upper-case characters, which means an 11-letter password without upper case is better.

thus not making you an idiot. the math checks out.
paralleluniverse
Profile Joined July 2010
4065 Posts
August 10 2012 11:56 GMT
#330
On August 10 2012 20:46 Broodwurst wrote:
On August 10 2012 20:19 paralleluniverse wrote:
On August 10 2012 20:10 Ganondorf wrote:
On August 10 2012 20:01 paralleluniverse wrote:
This has got to be the most weaksauce hack ever.

Literally nothing of value was taken. No accounts will directly be compromised by this.

I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data.


If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to brute force it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime.

The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even PayPal/bank accounts etc.

Given Blizzard's (previously) flawless history with security, I would expect that the passwords would take thousands of years to crack.

And assuming that the passwords are not cracked, which is a very good assumption, as I've never heard of hackers cracking stolen encrypted data, then there is nothing to worry about.

Also, using the same password for email and anything else is highly stupid, as email is nearly always used to verify the account. Security tip: never use your email password for anything else, ever.


Previous flawless history?
http://www.qj.net/mmorpg/titles/warcraftnet-and-battlenet-get-hacked-by-polite-hacker.html
http://suite101.com/article/wow-gets-hacked-in-korea-a48293



First link is essentially as impressive as a DDoS:

Second link: A bunch of idiots got keylogged.
Arcanefrost
Profile Blog Joined August 2010
Belgium, 1257 Posts
August 10 2012 11:57 GMT
#331
what if the hackers need the password resets for their true masterplan, and this is exactly what they want
Valor is a poor substitute for numbers.
Broodwurst
Profile Joined June 2011
Germany, 1586 Posts
Last Edited: 2012-08-10 12:08:42
August 10 2012 12:08 GMT
#332
On August 10 2012 20:56 paralleluniverse wrote:
On August 10 2012 20:46 Broodwurst wrote:
On August 10 2012 20:19 paralleluniverse wrote:
On August 10 2012 20:10 Ganondorf wrote:
On August 10 2012 20:01 paralleluniverse wrote:
This has got to be the most weaksauce hack ever.

Literally nothing of value was taken. No accounts will directly be compromised by this.

I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data.


If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to brute force it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime.

The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even PayPal/bank accounts etc.

Given Blizzard's (previously) flawless history with security, I would expect that the passwords would take thousands of years to crack.

And assuming that the passwords are not cracked, which is a very good assumption, as I've never heard of hackers cracking stolen encrypted data, then there is nothing to worry about.

Also, using the same password for email and anything else is highly stupid, as email is nearly always used to verify the account. Security tip: never use your email password for anything else, ever.


Previous flawless history?
http://www.qj.net/mmorpg/titles/warcraftnet-and-battlenet-get-hacked-by-polite-hacker.html
http://suite101.com/article/wow-gets-hacked-in-korea-a48293



First link is essentially as impressive as a DDoS:

Second link: A bunch of idiots got keylogged.


Still not flawless.
Also
http://www.teamliquid.net/forum/viewmessage.php?topic_id=79222
(:
Blacktion
Profile Joined November 2010
United Kingdom, 1148 Posts
August 10 2012 12:15 GMT
#333
Meh, even if they got everything from the Europe users it wouldn't affect me much; my account has no payment info linked to it because I bought a physical copy of SC2, the only Blizzard game I own.
Also pretty sure I registered it with an email account I almost never use.
Where's Boxer, there's victory! - figq
Kreb
Profile Joined September 2010
4834 Posts
Last Edited: 2012-08-10 12:28:10
August 10 2012 12:27 GMT
#334
On August 10 2012 21:08 Broodwurst wrote:
On August 10 2012 20:56 paralleluniverse wrote:
On August 10 2012 20:46 Broodwurst wrote:
On August 10 2012 20:19 paralleluniverse wrote:
On August 10 2012 20:10 Ganondorf wrote:
On August 10 2012 20:01 paralleluniverse wrote:
This has got to be the most weaksauce hack ever.

Literally nothing of value was taken. No accounts will directly be compromised by this.

I will do nothing, I'm not even going to change my password. It would take supercomputers to crack encrypted data.


If you read the thread, that's not certain. Depending on how strong the encryption is, the time it takes to brute force it can go from a few hours to a few days, or if they really updated the encryption to modern standards, then not even a supercomputer could crack it in our lifetime.

The danger lies of course in emails, since a lot of people will use the same password and secret question for their email, and maybe even PayPal/bank accounts etc.

Given Blizzard's (previously) flawless history with security, I would expect that the passwords would take thousands of years to crack.

And assuming that the passwords are not cracked, which is a very good assumption, as I've never heard of hackers cracking stolen encrypted data, then there is nothing to worry about.

Also, using the same password for email and anything else is highly stupid, as email is nearly always used to verify the account. Security tip: never use your email password for anything else, ever.


Previous flawless history?
http://www.qj.net/mmorpg/titles/warcraftnet-and-battlenet-get-hacked-by-polite-hacker.html
http://suite101.com/article/wow-gets-hacked-in-korea-a48293



First link is essentially as impressive as a DDoS:

Second link: A bunch of idiots got keylogged.


Still not flawless.
Also
http://www.teamliquid.net/forum/viewmessage.php?topic_id=79222
(:

Flawless or not (define 'flawless' in the context first...), your attempts at taking cheap points by posting links about any possible Blizzard mistakes are quite petty. The last one isn't even about Blizzard but about Blizzard's employees. Do yourself a favor and stop.

Of course Blizz aren't perfect, no one is. But flawless or not, Blizz has very good security in place.
Na_Dann_Ma_GoGo
Profile Joined March 2010
Germany, 2959 Posts
Last Edited: 2012-08-10 12:47:37
August 10 2012 12:31 GMT
#335
edit: sry, was writing in wrong thread and thus even double posted >.<
WrathBringerReturns said: No no no. Sarcasm is detected in the voice. When this forum is riddled with stupidity, you think I can tell every post apart? Fair enough it was intended sarcastically, was it obvious? Of course not.
Na_Dann_Ma_GoGo
Profile Joined March 2010
Germany, 2959 Posts
Last Edited: 2012-08-10 12:47:50
August 10 2012 12:33 GMT
#336
edit:
SwiftSpear
Profile Joined February 2010
Canada, 355 Posts
August 10 2012 12:35 GMT
#337
On August 10 2012 19:28 Fuchsteufelswild wrote:
I only just changed my password a couple of months ago and I'm not playing SC2 often nowadays, so stuff it until I get reason to get them to lock it. I have no money on the account.

The people who need to be most concerned are those who use 1 password for everything. At this point, you should consider your username/email and password the property of criminals, which means you now should change that password everywhere you've used it where you don't want to lose personal data.

I don't care too much, for example, if someone hacks my team liquid account, but if I believed someone had the capability of accessing my banking data I would be remiss to not change that password.
DOUDOU
Profile Joined October 2011
Wales, 2940 Posts
August 10 2012 12:39 GMT
#338
On August 10 2012 21:31 Na_Dann_Ma_GoGo wrote:
Hmm he adds more Queens instead of using spores, interesting.

yet, slightly irrelevant to the topic
Feast | Grubby | Mvp | Polt | Fantasy | Last | MMA | forGG | Leenock | Soberphano | Scarlett cutiepie
CamoPillbox
Profile Joined April 2012
Czech Republic, 229 Posts
August 10 2012 12:48 GMT
#339
With patch 1.5 no one cares about stolen data, because no one plays SC2 after this highly game-ruining patch... case locked...
Czech Terran(Hots) player
Ryder.
Profile Joined January 2011
1117 Posts
August 10 2012 13:27 GMT
#340
Are we supposed to change our secret question/answer? It is not immediately obvious to me on how to do it myself, does Blizzard expect we contact them and do it or will that not be necessary?
ymir233
Profile Blog Joined June 2010
United States, 8275 Posts
August 10 2012 13:40 GMT
#341
Good thing Blizzard learned from the Sony incident.
Come motivate me to be cynical about animus at http://infinityandone.blogspot.com/ // Stork proxy gates are beautiful.
Sekken
Profile Joined August 2012
Afghanistan, 248 Posts
August 10 2012 13:40 GMT
#342
If I hacked Blizzard, I would just change their password so they couldn't get back on to fix anything. Hackers are so dumb these days

Also... I am too lazy to change my PW :c

If I get hacked, so be it ^^
High dia terran, and slayer of Zergs -.-
Rannasha
Profile Blog Joined August 2010
Netherlands2398 Posts
August 10 2012 13:43 GMT
#343
On August 10 2012 22:27 Ryder. wrote:
Are we supposed to change our secret question/answer? It is not immediately obvious to me on how to do it myself, does Blizzard expect we contact them and do it or will that not be necessary?


Players with accounts in the NA region will have their secret question reset by Blizzard in a few days or so. There is no regular option to change your SQ/SA.
Such flammable little insects!
EnE
Profile Blog Joined June 2012
417 Posts
Last Edited: 2012-08-10 13:46:36
August 10 2012 13:44 GMT
#344
If I was a hacker or hacking group, I'd probably target the company who released a patch with EPM and APM backwards and it remained like that for months, and had the successor to their massive RPG crash all day, every day for like the first week of its release too.

Can't blame them.
I'm embarrassed by my past actions and even more ashamed of my present thoughts and future endeavors to clear my name.
andrewlt
Profile Joined August 2009
United States7702 Posts
August 10 2012 13:45 GMT
#345
Looks like nothing of value was taken. Hackers already know my e-mail address because I stupidly used it to register an account with mmo-champion. And since Blizzard doesn't use case sensitive passwords, I've been using the least secure of the passwords I have memorized for their service.
ThirdDegree
Profile Joined February 2011
United States329 Posts
August 10 2012 13:46 GMT
#346
I got the following email last Sunday:

We've received a request to reset the password for this Battle.net account. Please click this link to reset your password:
https://us.battle.net/account/support/password-reset-confirm.......

If you no longer wish to make the above change, or if you did not initiate this request, please disregard and/or delete this e-mail.

If you have any questions regarding your Battle.net account, click here for answers to frequently asked questions and contact information for the Blizzard Billing & Account Services team.

Sincerely,
The Battle.net Account Team
Online Privacy Policy


I suppose this might be connected.
I am terrible
dudeman001
Profile Blog Joined February 2010
United States2412 Posts
August 10 2012 13:55 GMT
#347
Hackers are going to be hacking every site we know. I'm very glad that Blizzard protected its information well enough so that none of my critical info is out there. Thank you, Blizzard.
Sup.
MasterMonkey
Profile Joined September 2010
United States96 Posts
August 10 2012 14:09 GMT
#348
No wonder my email said it had been accessed from China the other day... what the F! I have important info in there
Keep your oars in the brothel where they belong.
Nizaris
Profile Joined May 2010
Belgium2230 Posts
Last Edited: 2012-08-10 14:13:19
August 10 2012 14:10 GMT
#349
On August 10 2012 20:26 paralleluniverse wrote:
On August 10 2012 20:21 multiversed wrote:
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.

Who cares if their passwords are not case-sensitive. Who uses upper-case letters in their passwords anyway?

In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters.

hahaha. goes to show how clueless you are. case sensitive passwords are a lot harder to crack than case insensitive since 'a' and 'A' are 2 different letters, therefore you have exponentially more possibilities.

It pisses you off that websites force you not to use a retarded password? some ppl...

who uses upper case letters in their passwords? smart ppl do.
Gorsameth
Profile Joined April 2010
Netherlands21685 Posts
August 10 2012 14:18 GMT
#350
On August 10 2012 23:10 Nizaris wrote:
On August 10 2012 20:26 paralleluniverse wrote:
On August 10 2012 20:21 multiversed wrote:
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.

Who cares if their passwords are not case-sensitive. Who uses upper-case letters in their passwords anyway?

In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters.

hahaha. goes to show how clueless you are. case sensitive passwords are a lot harder to crack than case insensitive since 'a' and 'A' are 2 different letters, therefore you have exponentially more possibilities.

It pisses you off that websites force you not to use a retarded password? some ppl...

who uses upper case letters in their passwords? smart ppl do.


Actually it barely matters at all. Brute forcing passwords (the only situation in which A/a matters) is just not viable. Keyloggers / man in the middle / other security breaches are how passwords get stolen. Not some computer trying out a trillion possible combinations.
It ignores such insignificant forces as time, entropy, and death
rast
Profile Joined July 2012
Poland44 Posts
August 10 2012 14:20 GMT
#351
Most people here don't realise that their stolen hashes have probably already been deciphered into their passwords by said hackers. Nowadays hackers don't need to crack your hash to get the passwords. There's a thing called "rainbow tables", which is basically a huge dictionary containing the password and its possible hash. Those tables are traded between hacking organisations. If somebody acquires your hash and has access to this rainbow table all he needs to do is look up the possible password which generates the mentioned hash. Also as someone stated before, the algorithm used to hash the password can be determined just by looking at sample hashes, to some extent.

Also there's confusion in this topic between the protocol and actual authentication. SRP is just a protocol which "carries" your password between different services, similar to SSH. It has no use in the authentication process, which essentially checks if your password is correct or not. Whether Blizz implemented any kind of protocol is irrelevant to the actual authentication mechanism, which tends to be just converting your password into a hash.

The true question is how good Blizz's mechanism of storing passwords is: were the hashes generated using a "salt", are salts stored in the same DB, etc. No info given by them on this matter and unfortunately IT tends to treat such matters really poorly.

Long story short - it would be best for everyone affected to change the password everywhere they are using it.
sudosu
Profile Joined October 2011
France120 Posts
August 10 2012 14:27 GMT
#352
On August 10 2012 17:22 klo8 wrote:
On August 10 2012 17:02 windzor wrote:
On August 10 2012 16:43 RoberP wrote:
If the passwords they stole are encrypted, the chances of breaking the cipher on an 8 letter password are about zero. They'd be better off just trying to guess your password ^^. Still worth changing the secret question though.


Actually wrong. It depends on what kind of hashed passwords they got. Seeing as they mention SRP I guess the hacker was eavesdropping the login information in that protocol, or else it makes no sense for Blizzard to mention the protocol.

If it was the actual database of the passwords, which might be because they got hold of other account information, the standard way of hashing passwords was considered broken by the author 2 months ago. Then Blizzard should have been scared.

But my money is still on the eavesdropping of the SRP, which means Blizzard's security office isn't fired this time around.

MD5 has been considered unsafe for a long while now. Already in 1996, a researcher wrote:
"The presented attack does not yet threaten practical applications of MD5, but it comes rather close ... in the future MD5 should no longer be implemented...where a collision-resistant hash function is required."

And in 2005:
Later that year, MD5's designer Ron Rivest wrote, "md5 and sha1 are both clearly broken (in terms of collision-resistance)."


I guess, the point is: Don't use MD5 (or SHA1, or any hash function that you can evaluate very quickly) for hashing passwords, not even a salt value will help you out because MD5 is broken. Use Bcrypt or something similar instead.


SHA512 is perfectly fine too (for the moment).
Rannasha
Profile Blog Joined August 2010
Netherlands2398 Posts
August 10 2012 14:56 GMT
#353
On August 10 2012 23:20 rast wrote:
Most people here don't realise that their stolen hashes have probably already been deciphered into their passwords by said hackers. Nowadays hackers don't need to crack your hash to get the passwords. There's a thing called "rainbow tables", which is basically a huge dictionary containing the password and its possible hash. Those tables are traded between hacking organisations. If somebody acquires your hash and has access to this rainbow table all he needs to do is look up the possible password which generates the mentioned hash. Also as someone stated before, the algorithm used to hash the password can be determined just by looking at sample hashes, to some extent.


This is only true when the password is hashed without any added salt. Once you add salts to the hashing function, the use of rainbow tables becomes far less effective. Sophisticated salting techniques can negate pretty much any efficient attack with rainbow tables. Consequently, any well-designed authentication system uses salts in their hashing function.
Such flammable little insects!
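Rannasha's point above, as an added example (not code from the thread): a precomputed table of unsalted MD5 digests reverses any password it contains with one lookup, while a per-user salt makes the stored digest differ even for identical passwords, so the same table has nothing to match and would have to be rebuilt for each salt. The wordlist and user records are constructed for the demo; MD5 is used because it is the function the thread discusses.

```python
import hashlib
import hmac
import os

# Constructed wordlist: stands in for the leaked cleartext collections that
# precomputed (rainbow) tables are built from. Values are made up for this demo.
COMMON_PASSWORDS = ["password", "starcraft", "zergrush", "letmein", "qwerty123"]


def unsalted_hash(password: str, algo: str = "md5") -> str:
    """Hash the password on its own: the same input always yields the same digest,
    so one precomputed table serves against every user and every site."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes, algo: str = "md5") -> str:
    """Same hash function, but a per-user random salt is mixed in first."""
    return hashlib.new(algo, salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist, algo: str = "md5") -> dict:
    """Precompute digest -> password once. A real rainbow table compresses this
    map with hash chains, but either way it only covers unsalted digests."""
    return {unsalted_hash(p, algo): p for p in wordlist}


def recover(stolen_digest: str, table: dict):
    """Reverse a digest by lookup; None if it was never precomputed."""
    return table.get(stolen_digest)


def new_user_record(password: str, algo: str = "md5") -> dict:
    """What a salted store keeps per user. The salt is not secret, only unique:
    whoever has the digests must redo the whole table for each salt."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": salted_hash(password, salt, algo)}


def verify(password: str, record: dict, algo: str = "md5") -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, record["salt"], algo), record["digest"])


def compare_storage_schemes(password: str = "zergrush") -> dict:
    """Two users sharing the same weak password, stored unsalted and then salted."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_a = unsalted_hash(password)
    unsalted_b = unsalted_hash(password)
    rec_a = new_user_record(password)
    rec_b = new_user_record(password)
    return {
        # Unsalted: identical digests, and a single lookup reverses both.
        "unsalted_identical": unsalted_a == unsalted_b,
        "unsalted_recovered": recover(unsalted_a, table),
        # Salted: distinct digests, and the precomputed table has no entry.
        "salted_identical": rec_a["digest"] == rec_b["digest"],
        "salted_recovered": recover(rec_a["digest"], table),
        # The server can still verify the login, because it stores the salt.
        "salted_verifies": verify(password, rec_a),
        "wrong_password_rejected": not verify("password", rec_a),
    }


if __name__ == "__main__":
    for key, value in compare_storage_schemes().items():
        print(f"{key}: {value}")
```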
multiversed
Profile Joined December 2010
United States233 Posts
August 10 2012 14:58 GMT
#354
On August 10 2012 23:20 rast wrote:
Most people here don't realise that their stolen hashes have probably already been deciphered into their passwords by said hackers. Nowadays hackers don't need to crack your hash to get the passwords. There's a thing called "rainbow tables", which is basically a huge dictionary containing the password and its possible hash. Those tables are traded between hacking organisations. If somebody acquires your hash and has access to this rainbow table all he needs to do is look up the possible password which generates the mentioned hash. Also as someone stated before, the algorithm used to hash the password can be determined just by looking at sample hashes, to some extent.

Also there's confusion in this topic between the protocol and actual authentication. SRP is just a protocol which "carries" your password between different services, similar to SSH. It has no use in the authentication process, which essentially checks if your password is correct or not. Whether Blizz implemented any kind of protocol is irrelevant to the actual authentication mechanism, which tends to be just converting your password into a hash.

The true question is how good Blizz's mechanism of storing passwords is: were the hashes generated using a "salt", are salts stored in the same DB, etc. No info given by them on this matter and unfortunately IT tends to treat such matters really poorly.

Long story short - it would be best for everyone affected to change the password everywhere they are using it.

i was just explaining the other half of the process. i got lazy. thank you.
Team Liquid is the used the tampon of the starcraft community.
GohgamX
Profile Joined April 2011
Canada1096 Posts
August 10 2012 15:06 GMT
#355
This sucks. Going to change now.
Time is a great teacher, unfortunate that it kills all its pupils ...
windzor
Profile Joined October 2010
Denmark1013 Posts
August 10 2012 15:09 GMT
#356
On August 10 2012 17:22 klo8 wrote:
On August 10 2012 17:02 windzor wrote:
On August 10 2012 16:43 RoberP wrote:
If the passwords they stole are encrypted, the chances of breaking the cipher on an 8 letter password are about zero. They'd be better off just trying to guess your password ^^. Still worth changing the secret question though.


Actually wrong. It depends on what kind of hashed passwords they got. Seeing as they mention SRP I guess the hacker was eavesdropping the login information in that protocol, or else it makes no sense for Blizzard to mention the protocol.

If it was the actual database of the passwords, which might be because they got hold of other account information, the standard way of hashing passwords was considered broken by the author 2 months ago. Then Blizzard should have been scared.

But my money is still on the eavesdropping of the SRP, which means Blizzard's security office isn't fired this time around.

MD5 has been considered unsafe for a long while now. Already in 1996, a researcher wrote:
"The presented attack does not yet threaten practical applications of MD5, but it comes rather close ... in the future MD5 should no longer be implemented...where a collision-resistant hash function is required."

And in 2005:
Later that year, MD5's designer Ron Rivest wrote, "md5 and sha1 are both clearly broken (in terms of collision-resistance)."


I guess, the point is: Don't use MD5 (or SHA1, or any hash function that you can evaluate very quickly) for hashing passwords, not even a salt value will help you out because MD5 is broken. Use Bcrypt or something similar instead.


MD5crypt and the MD5 hash function are 2 different algorithms for 2 different problems. So what you are linking to is like comparing apples and oranges. MD5crypt was the de facto standard for password hashing until 2 months ago, and most older systems still use it. The MD5crypt weakness was first discovered by the author after LinkedIn was hacked and their hashed passwords got hacked...
Yeah
kubiks
Profile Blog Joined March 2011
France1328 Posts
August 10 2012 15:48 GMT
#357
On August 10 2012 23:20 rast wrote:
Most people here don't realise that their stolen hashes have probably already been deciphered into their passwords by said hackers. Nowadays hackers don't need to crack your hash to get the passwords. There's a thing called "rainbow tables", which is basically a huge dictionary containing the password and its possible hash. Those tables are traded between hacking organisations. If somebody acquires your hash and has access to this rainbow table all he needs to do is look up the possible password which generates the mentioned hash. Also as someone stated before, the algorithm used to hash the password can be determined just by looking at sample hashes, to some extent.

Also there's confusion in this topic between the protocol and actual authentication. SRP is just a protocol which "carries" your password between different services, similar to SSH. It has no use in the authentication process, which essentially checks if your password is correct or not. Whether Blizz implemented any kind of protocol is irrelevant to the actual authentication mechanism, which tends to be just converting your password into a hash.

The true question is how good Blizz's mechanism of storing passwords is: were the hashes generated using a "salt", are salts stored in the same DB, etc. No info given by them on this matter and unfortunately IT tends to treat such matters really poorly.

Long story short - it would be best for everyone affected to change the password everywhere they are using it.


Not sure if I understand what a "rainbow table" is, but if your password isn't a word of the dictionary, how can those tables store all the passwords and their hashes? I understand if the pass is less than 6 characters long, but beyond that it just looks like this kind of table would be way too big... (as in, too big to be stored on anything)
Juanald you're my hero I miss you -> best troll ever on TL <3
DertoQq
Profile Joined October 2010
France906 Posts
August 10 2012 15:55 GMT
#358
On August 10 2012 23:18 Gorsameth wrote:
On August 10 2012 23:10 Nizaris wrote:
On August 10 2012 20:26 paralleluniverse wrote:
On August 10 2012 20:21 multiversed wrote:
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.

Who cares if their passwords are not case-sensitive. Who uses upper-case letters in their passwords anyway?

In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters.

hahaha. goes to show how clueless you are. case sensitive passwords are a lot harder to crack than case insensitive since 'a' and 'A' are 2 different letters, therefore you have exponentially more possibilities.

It pisses you off that websites force you not to use a retarded password? some ppl...

who uses upper case letters in their passwords? smart ppl do.


Actually it barely matters at all. Brute forcing passwords (the only situation in which A/a matters) is just not viable. Keyloggers / man in the middle / other security breaches are how passwords get stolen. Not some computer trying out a trillion possible combinations.


This thread is clearly talking about some hackers managing to get the hashed pw of users. Brute force / dictionary attacks / rainbow tables are not only "viable", they are the only way to use those hashes. Having a complicated password is the only thing you can do to prevent having issues with that.
"i've made some empty promises in my life, but hands down that was the most generous" - Michael Scott
DertoQq
Profile Joined October 2010
France906 Posts
Last Edited: 2012-08-10 16:06:19
August 10 2012 16:01 GMT
#359
On August 11 2012 00:48 kubiks wrote:
On August 10 2012 23:20 rast wrote:
Most people here don't realise that their stolen hashes have probably already been deciphered into their passwords by said hackers. Nowadays hackers don't need to crack your hash to get the passwords. There's a thing called "rainbow tables", which is basically a huge dictionary containing the password and its possible hash. Those tables are traded between hacking organisations. If somebody acquires your hash and has access to this rainbow table all he needs to do is look up the possible password which generates the mentioned hash. Also as someone stated before, the algorithm used to hash the password can be determined just by looking at sample hashes, to some extent.

Also there's confusion in this topic between the protocol and actual authentication. SRP is just a protocol which "carries" your password between different services, similar to SSH. It has no use in the authentication process, which essentially checks if your password is correct or not. Whether Blizz implemented any kind of protocol is irrelevant to the actual authentication mechanism, which tends to be just converting your password into a hash.

The true question is how good Blizz's mechanism of storing passwords is: were the hashes generated using a "salt", are salts stored in the same DB, etc. No info given by them on this matter and unfortunately IT tends to treat such matters really poorly.

Long story short - it would be best for everyone affected to change the password everywhere they are using it.


Not sure if I understand what a "rainbow table" is, but if your password isn't a word of the dictionary, how can those tables store all the passwords and their hashes? I understand if the pass is less than 6 characters long, but beyond that it just looks like this kind of table would be way too big... (as in, too big to be stored on anything)


it is pretty big.

for example, a Rainbow table for password of length 9 (or less) containing numbers and upper case would be a file of ~800GB.

"i've made some empty promises in my life, but hands down that was the most generous" - Michael Scott
windzor
Profile Joined October 2010
Denmark1013 Posts
August 10 2012 16:11 GMT
#360
On August 11 2012 00:48 kubiks wrote:
On August 10 2012 23:20 rast wrote:
Most people here don't realise that their stolen hashes have probably already been deciphered into their passwords by said hackers. Nowadays hackers don't need to crack your hash to get the passwords. There's a thing called "rainbow tables", which is basically a huge dictionary containing the password and its possible hash. Those tables are traded between hacking organisations. If somebody acquires your hash and has access to this rainbow table all he needs to do is look up the possible password which generates the mentioned hash. Also as someone stated before, the algorithm used to hash the password can be determined just by looking at sample hashes, to some extent.

Also there's confusion in this topic between the protocol and actual authentication. SRP is just a protocol which "carries" your password between different services, similar to SSH. It has no use in the authentication process, which essentially checks if your password is correct or not. Whether Blizz implemented any kind of protocol is irrelevant to the actual authentication mechanism, which tends to be just converting your password into a hash.

The true question is how good Blizz's mechanism of storing passwords is: were the hashes generated using a "salt", are salts stored in the same DB, etc. No info given by them on this matter and unfortunately IT tends to treat such matters really poorly.

Long story short - it would be best for everyone affected to change the password everywhere they are using it.


Not sure if I understand what a "rainbow table" is, but if your password isn't a word of the dictionary, how can those tables store all the passwords and their hashes? I understand if the pass is less than 6 characters long, but beyond that it just looks like this kind of table would be way too big... (as in, too big to be stored on anything)


Rainbow tables are really, really big. But they don't have all possible combinations. But the more storage you have, the more combinations you will have in the table.

But people are stupid, so you don't need all possible combinations. People are really, really bad at remembering passwords, so a very large portion of the passwords are made up of a string of numbers (birthdays/phone numbers), words in dictionaries, or combinations of those two. Heck, even "secure" passwords which in theory are "impossible" to bruteforce often have a system for people, for which you can then generate all possible combinations.

But the beauty of rainbow tables is they are structured in a way which gives really good storage and search times. So you would be surprised how many passwords you can store in a table of only 20 GB.
Yeah
Daehlie
Profile Joined September 2010
United States43 Posts
August 10 2012 16:38 GMT
#361
My passwords, they feel so dirty and used. I'll be in the shower until I feel clean again.
SK.MC ftw
Panthae
Profile Joined May 2011
Canada205 Posts
August 10 2012 16:48 GMT
#362
I'm pretty sure people who have D3 are in more trouble than people that have SC2.
For Aïur?
HolydaKing
Profile Joined February 2010
21254 Posts
August 10 2012 16:58 GMT
#363
On August 11 2012 01:48 Panthae wrote:
I'm pretty sure people who have D3 are in more trouble than people that have SC2.

I'm pretty sure many if not most have both of them. Still you are of course right in terms of value of the account.
Deleted User 101379
Profile Blog Joined August 2010
4849 Posts
August 10 2012 16:58 GMT
#364
On August 11 2012 00:48 kubiks wrote:
On August 10 2012 23:20 rast wrote:
Most people here don't realise that their stolen hashes have probably already been deciphered into their passwords by said hackers. Nowadays hackers don't need to crack your hash to get the passwords. There's a thing called "rainbow tables", which is basically a huge dictionary containing the password and its possible hash. Those tables are traded between hacking organisations. If somebody acquires your hash and has access to this rainbow table all he needs to do is look up the possible password which generates the mentioned hash. Also as someone stated before, the algorithm used to hash the password can be determined just by looking at sample hashes, to some extent.

Also there's confusion in this topic between the protocol and actual authentication. SRP is just a protocol which "carries" your password between different services, similar to SSH. It has no use in the authentication process, which essentially checks if your password is correct or not. Whether Blizz implemented any kind of protocol is irrelevant to the actual authentication mechanism, which tends to be just converting your password into a hash.

The true question is how good Blizz's mechanism of storing passwords is: were the hashes generated using a "salt", are salts stored in the same DB, etc. No info given by them on this matter and unfortunately IT tends to treat such matters really poorly.

Long story short - it would be best for everyone affected to change the password everywhere they are using it.


Not sure if I understand what a "rainbow table" is, but if your password isn't a word of the dictionary, how can those tables store all the passwords and their hashes? I understand if the pass is less than 6 characters long, but beyond that it just looks like this kind of table would be way too big... (as in, too big to be stored on anything)


What a lot of rainbow tables did when they started a long time ago is not to randomly generate stuff but instead gather cleartext passwords from a lot of sources and then started from there. Since a lot of people use similar passwords it already covered 75% of all passwords that way.

Now that storage has become cheap those databases are so huge that basically any <8 character password is covered for most of the common hashing algorithms and the only thing you can hope for if your password is that short is that the password has a good salt.
snively
Profile Blog Joined August 2011
United States1159 Posts
Last Edited: 2012-08-10 17:04:39
August 10 2012 17:03 GMT
#365
changed password. i hope it's enough o_O
My religion is Starcraft
Deleted User 101379
Profile Blog Joined August 2010
4849 Posts
August 10 2012 17:05 GMT
#366
On August 11 2012 02:03 snively wrote:
On August 10 2012 22:46 ThirdDegree wrote:
I got the following email last Sunday:

We've received a request to reset the password for this Battle.net account. Please click this link to reset your password:
https://us.battle.net/account/support/password-reset-confirm.......

If you no longer wish to make the above change, or if you did not initiate this request, please disregard and/or delete this e-mail.

If you have any questions regarding your Battle.net account, click here for answers to frequently asked questions and contact information for the Blizzard Billing & Account Services team.

Sincerely,
The Battle.net Account Team
Online Privacy Policy


I suppose this might be connected.


i got this too. can anyone confirm if its legit?


Did you click on the "reset password" button? If not, delete that mail.
paralleluniverse
Profile Joined July 2010
4065 Posts
August 10 2012 17:31 GMT
#367
On August 10 2012 23:10 Nizaris wrote:
On August 10 2012 20:26 paralleluniverse wrote:
On August 10 2012 20:21 multiversed wrote:
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.

Who cares if their passwords are not case-sensitive. Who uses upper-case letters in their passwords anyway?

In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter? It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters.

hahaha. goes to show how clueless you are. case sensitive passwords are a lot harder to crack than case insensitive since 'a' and 'A' are 2 different letters, therefore you have exponentially more possibilities.

It pisses you off that websites force you not to use a retarded password? some ppl...

who uses upper case letters in their passwords? smart ppl do.

http://www.teamliquid.net/forum/viewmessage.php?topic_id=359393&currentpage=17#328
http://www.teamliquid.net/forum/viewmessage.php?topic_id=359393&currentpage=18#350
paralleluniverse
Profile Joined July 2010
4065 Posts
August 10 2012 17:34 GMT
#368
Can someone with more knowledge on cryptography offer their thoughts on this article: http://www.opine.me/blizzards-battle-net-hack/

It basically says that the SRP protocol, which is what Blizzard uses to encrypt passwords, is very easy to crack.
rast
Profile Joined July 2012
Poland44 Posts
Last Edited: 2012-08-10 18:01:36
August 10 2012 18:00 GMT
#369
On August 11 2012 02:34 paralleluniverse wrote:
Can someone with more knowledge on cryptography offer their thoughts on this article: http://www.opine.me/blizzards-battle-net-hack/

It basically says that the SRP protocol, which is what Blizzard uses to encrypt passwords, is very easy to crack.


This article is true; as I said before, SRP is just a protocol which "carries" your password to Blizzard.

Imagine you want to send a message to your friend a few blocks away. You tell this message to your fellow postman. The postman is very reliable, and even if someone kidnaps him, beats him, and tortures him for several days, he won't tell anyone your message. When the postman arrives at your friend's home, he writes down this message and leaves it on his table.

The SRP is that reliable postman. What hackers stole is the message that the postman left on your friend's table. They don't need to crack the "postman" to read out your message.

Of course the passwords are probably salted, and it might be that the salt is kept separately from the passwords. But all they need to do now is perform a dictionary attack, or maybe use a rainbow table if there is no salt or the salt is really weak.

Also, let's not forget that hackers have access to some big botnets, whose computing power might challenge the best supercomputers, but this is just an assumption.
MrTortoise
Profile Joined January 2011
1388 Posts
Last Edited: 2012-08-10 18:15:23
August 10 2012 18:04 GMT
#370
tbh given the extent they were compromised they seem to have actually got their security right

good job blizz.


The point is the security bought TIME. That is all it can buy.
Your account could be hacked directly through permutations of passwords directly into the client... that would take hundreds of years.
This gives them a short cut but it still gives users a decent amount of time until a significant proportion of passwords get cracked


Personally i use bcrypt on one of its hardest settings to hash things ... but that is because i can afford to.

As a developer who comes down on any security breach like a ton of bricks (we haven't found out how and if it turns out to be a SQL injection attack I will reverse this statement VERY quickly) - it seems like Blizzard has done a lot of what is reasonable to secure things.

SHA1 is recognised as a good strong hash. Its only weakness is that it is quite a quick hash and so not the best choice for password hashing (it is great for hashing LARGE file streams) - where you want to choose a slow algorithm as that massively reduces the number of guesses per second.

The problem with slow algorithms is that they EAT CPU ... and go back to D3 release when authentication servers kept falling over. You see the really hard spot they were in ... ie they seemingly couldn't afford to use blowfish due to the scale of their operations as their servers can't cope with a fast sha1 algorithm.
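The fast-hash versus slow-hash tradeoff in the post above, as an added measurement script (not Blizzard's code and not from the thread): it counts how many candidate passwords one process can hash per second with plain SHA-1 and with a deliberately slow KDF. bcrypt is not in the Python standard library, so PBKDF2-HMAC from hashlib stands in for it; the inputs are constructed throwaways.

```python
"""Added example: guess rate of a fast hash versus a slow password KDF.

The same per-hash cost that throttles an attacker's guesses also caps the
login server's authentications per core, which is the capacity problem the
post describes. PBKDF2-HMAC stands in for bcrypt here (assumption: the shape
of the tradeoff, not the exact numbers, is what matters).
"""
import hashlib
import os
import time


def fast_digest(salt: bytes, password: str) -> bytes:
    """One SHA-1 pass over salt||password: fine for large files, poor for passwords."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_digest(salt: bytes, password: str, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA1 with a tunable work factor (the knob bcrypt calls 'cost')."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


def guesses_per_second(fn, salt: bytes, seconds: float = 0.5) -> float:
    """Measure how many candidate passwords this process can hash per second
    with scheme `fn`. For an attacker this is the guess rate; for the login
    service it is the ceiling on authentications per core."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        fn(salt, f"candidate{n}")   # constructed throwaway input
        n += 1
    return n / seconds


def slowdown_factor(iterations: int = 100_000) -> float:
    """Ratio of fast-hash guess rate to slow-KDF guess rate on this machine."""
    salt = os.urandom(16)
    fast = guesses_per_second(fast_digest, salt)
    slow = guesses_per_second(lambda s, p: slow_digest(s, p, iterations), salt)
    return fast / slow


if __name__ == "__main__":
    salt = os.urandom(16)
    fast = guesses_per_second(fast_digest, salt)
    slow = guesses_per_second(slow_digest, salt)
    print(f"SHA-1: {fast:,.0f} guesses/s   PBKDF2(100k): {slow:,.0f} guesses/s")
    print(f"slowdown factor: {fast / slow:,.0f}x")
```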
cLAN.Anax
Profile Blog Joined July 2012
United States2847 Posts
August 10 2012 18:16 GMT
#371
Gaaah. I have to get on Battle.net again, lol. Thanks for the warning, and I'm glad they're working to take care of it. :-)
┬─┬___(ツ)_/¯ 彡┻━┻ I am the 4%. "I cant believe i saw ANAL backwards before i saw the word LAN." - Capped
Viliphied
Profile Joined July 2012
United States2 Posts
August 10 2012 18:16 GMT
#372
On August 11 2012 00:55 DertoQq wrote:
On August 10 2012 23:18 Gorsameth wrote:
On August 10 2012 23:10 Nizaris wrote:
On August 10 2012 20:26 paralleluniverse wrote:
On August 10 2012 20:21 multiversed wrote:
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.

Who cares if their passwords are not case-sensitive. Who uses upper-case letters in their passwords anyway?

In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter. It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters.

hahaha. goes to show how clueless you are. case sensitive passwords are a lot harder to crack than case insensitive since 'a' and 'A' are 2 different letters therefore u have exponentially more possibilities.

It pisses you off that websites force you not to use a retarded password ? some ppl...

who uses upper case letters in their passwords ? smart ppl do.


Actually it barely matters at all. Brute forcing passwords (the only situation in which A/a matters) is just not viable. Keyloggers / man in the middle / other security breaches are how passwords get stolen. Not some computer trying out a trillion possible combinations.


This thread is clearly talking about some hackers managing to get the hashed pw of users. Brute Force / Dictionary attacks / Rainbow tables are not only "viable", but they are the only way to use those hashes. Having a complicated password is the only thing you can do to prevent having issues with that.


The thing is, if your password is 8+ characters of only lower case and numbers, adding another character adds more complexity than adding case sensitivity.
DertoQq
Profile Joined October 2010
France906 Posts
August 10 2012 18:32 GMT
#373
On August 11 2012 03:16 Viliphied wrote:
On August 11 2012 00:55 DertoQq wrote:
On August 10 2012 23:18 Gorsameth wrote:
On August 10 2012 23:10 Nizaris wrote:
On August 10 2012 20:26 paralleluniverse wrote:
On August 10 2012 20:21 multiversed wrote:
it should also be noted that blizzard passwords are not case-sensitive. based on this alone i would be skeptical to leave my well-being in their hands.

i won't bother even addressing those with too much pride to simply change their passwords in these situations, as they will learn the hard way eventually. if not here, elsewhere. everyone does. i've said before and i'll say it again. it's that attitude that is by far the biggest risk to network security and the bane of every network administrator everywhere.

Who cares if their passwords are not case-sensitive. Who uses upper-case letters in their passwords anyway?

In fact, it pisses me off when websites force me to use at least 1 upper-case letter. Why is an upper case letter any more secure than a punctuation mark, a number or even just an extra normal letter. It's well-known that longer passwords with just letters are better than shorter passwords with mixed characters.

hahaha. goes to show how clueless you are. case sensitive passwords are a lot harder to crack than case insensitive since 'a' and 'A' are 2 different letters therefore u have exponentially more possibilities.

It pisses you off that websites force you not to use a retarded password ? some ppl...

who uses upper case letters in their passwords ? smart ppl do.


Actually it barely matters at all. Brute forcing passwords (the only situation in which A/a matters) is just not viable. Keyloggers / man in the middle / other security breaches are how passwords get stolen. Not some computer trying out a trillion possible combinations.


This thread is clearly talking about some hackers managing to get the hashed pw of users. Brute Force / Dictionary attacks / Rainbow tables are not only "viable", but they are the only way to use those hashes. Having a complicated password is the only thing you can do to prevent having issues with that.


The thing is, if your password is 8+ characters of only lower case and numbers, adding another character adds more complexity than adding case sensitivity.


True, but I was responding to a post saying that password complexity doesn't matter because hackers won't brute force it, which is completely false.

Password complexity is really important. Upper case DO increase it, even though it is not needed because you can achieve better results by increasing the length.
"i've made some empty promises in my life, but hands down that was the most generous" - Michael Scott
NIIINO
Profile Blog Joined July 2010
Slovakia1320 Posts
August 10 2012 19:11 GMT
#374
What if they hacked Mike's mail too, so they can ask us to change our passwords on the site they are monitoring ?
Shenghi
Profile Joined August 2010
167 Posts
August 10 2012 19:17 GMT
#375
On August 11 2012 04:11 NIIINO wrote:
What if they hacked Mike's mail too, so they can ask us to change our passwords on the site they are monitoring ?

Then just follow the golden rule: Blizzard will never ask you for your password.
People are not born stupid, they choose to be stupid. If you made that choice, please change your mind.
Integra
Profile Blog Joined January 2008
Sweden5626 Posts
Last Edited: 2012-08-10 19:38:21
August 10 2012 19:37 GMT
#376
On August 11 2012 01:58 Morfildur wrote:
On August 11 2012 00:48 kubiks wrote:
On August 10 2012 23:20 rast wrote:
Most people here don't realise the fact that their stolen hashes are probably deciphered into their passwords already by said hackers. Nowadays hackers don't need to crack your hash to get the passwords. There's a thing called "rainbow tables", which is basically a huge dictionary containing the password and its possible hash. Those tables are traded between hacking organisations. If somebody acquires your hash and has access to this rainbow table all he needs to do is look up the possible password which generates the mentioned hash. Also as someone stated before, the algorithm used to hash the password can be determined just by looking at sample hashes, to some extent.

Also there's a confusion in this topic between the protocol and actual authentication. SRP is just a protocol which "carries" your password between different services, similar to SSH. It has no use in the authentication process, which essentially checks if your password is correct or not. Whether Blizz implemented any kind of protocol is irrelevant to the actual authentication mechanism, which tends to be just converting your password into a hash.

The true question is how good Blizz's mechanism of storing passwords is, were the hashes generated using a "salt", is the salt stored in the same DB etc. No info given by them on this matter and unfortunately IT tends to treat such matters really poorly.

Long story short - it would be best for everyone affected to change the password everywhere they are using it.


Not sure if I understand what a "rainbow table" is, but if your password isn't a word of the dictionary, how can those tables store all the passwords and their hashes ? I understand if the pass is less than 6 characters long, but beyond that it just looks like this kind of table would just be way too big...(as in, too big to be stored on anything)


What a lot of rainbow tables did when they started a long time ago is not to randomly generate stuff but instead gather cleartext passwords from a lot of sources and then started from there. Since a lot of people use similar passwords it already covered 75% of all passwords that way.

Now that storage has become cheap those databases are so huge that basically any <8 character password is covered for most of the common hashing algorithms and the only thing you can hope for if your password is that short is that the password has a good salt.

To simplify the difference between bruteforce and rainbow tables: bruteforce uses processing power to calculate various test passwords and then compare them with the real password to be cracked, while what rainbow tables do is that each test password is already saved in a database table. Then instead of using raw processing power you simply have huge tables of already pre-calculated test passwords that you simply fetch from the table instead of generating new ones. Simply fetching already created passwords goes a lot faster compared to computing new ones each time.
Bruteforce requires a lot of processing power while rainbow tables require a lot of HD space.

And that is the difference between brute force and rainbow tables.

"Dark Pleasure" | | I survived the Locust war of May 3, 2014
Finalmastery
Profile Blog Joined October 2011
United States58 Posts
August 10 2012 19:42 GMT
#377
Thanks for this post I had no idea that this happened I'll be changing my password right away.
" The will to win is nothing without the will to prepare" - Juma Ikaanga
windzor
Profile Joined October 2010
Denmark1013 Posts
August 10 2012 19:48 GMT
#378
On August 11 2012 03:00 rast wrote:
On August 11 2012 02:34 paralleluniverse wrote:
Can someone with more knowledge on cryptography offer their thoughts on this article: http://www.opine.me/blizzards-battle-net-hack/

It basically says that the SRP protocol, which is what Blizzard uses to encrypt passwords, is very easy to crack.


This article is true, as I said before, SRP is just a protocol which "carries" your password to Blizzard.

Imagine you want to send a message to your friend a few blocks away. You tell this message to your fellow postman. The postman is very reliable, and even if someone kidnaps him, beats him, and tortures him for several days, he won't tell anyone your message. When the postman arrives at your friend's home, he writes down this message and leaves it on his table.

The SRP is that reliable postman. What the hackers stole is the message that the postman left on your friend's table. They don't need to crack the "postman" to read out your message.

Of course the passwords are probably salted, and it might be that the salt is kept separately from the passwords. But all they need now is to perform a dictionary attack or maybe use a rainbow table if there is no salt or the salt is really weak.

Also, let's not forget that hackers have access to some big botnets, whose computing power might challenge the best supercomputers, but this is just an assumption.


But then again this article assumes that the hacker got the verifier database, and it isn't totally clear from the Blizzard statement whether this is true. The statement could just be describing an eavesdrop of the data between the machine that has the verifier database and the login service. But anyway people should still not believe their password to be secure.
Yeah
discomatt
Profile Joined March 2012
113 Posts
Last Edited: 2012-08-10 20:08:50
August 10 2012 20:01 GMT
#379
On August 11 2012 02:34 paralleluniverse wrote:
Can someone with more knowledge on cryptography offer their thoughts on this article: http://www.opine.me/blizzards-battle-net-hack/

It basically says that the SRP protocol, which is what Blizzard uses to encrypt passwords, is very easy to crack.


It's still difficult. Unless you're using a common password found in that list of 1,000,000 the attacker wants to test, you have nothing to worry about.

Each digest must be brute-forced individually. Even 1billion computations/day doesn't come close to the number of possible alphanumeric, lowercase, 8-character passwords for a single user.

36^8 = Nearly 3-trillion possible combinations. Even if the attacker finds a match 50% through the attack, it would still cost him just under $1,500 to recover a single user's password via Amazon EC2.

As for rainbow tables, this method uses individual salts. Rainbow tables are useless.


On August 11 2012 03:00 rast wrote:
This article is true, as I said before, SRP is just a protocol which "carries" your password to Blizzard.

Imagine you want to send a message to your friend a few blocks away. You tell this message to your fellow postman. The postman is very reliable, and even if someone kidnaps him, beats him, and tortures him for several days, he won't tell anyone your message. When the postman arrives at your friend's home, he writes down this message and leaves it on his table.

The SRP is that reliable postman. What the hackers stole is the message that the postman left on your friend's table. They don't need to crack the "postman" to read out your message.

Of course the passwords are probably salted, and it might be that the salt is kept separately from the passwords. But all they need now is to perform a dictionary attack or maybe use a rainbow table if there is no salt or the salt is really weak.

Also, let's not forget that hackers have access to some big botnets, whose computing power might challenge the best supercomputers, but this is just an assumption.


Pretty over-simplified here. Salts are considered public data. They aren't meant to be private, they're meant to make 2 identical passwords produce different digests. Unique salts are part of SRP, so it's pretty safe to assume they were used.

The analogy is a terrible one, and flat out wrong. The same message given to the postman is written on the paper. The postman doesn't know what the original message even was, and that's the point of SRP.

Finally, botnets aren't usually used to harness CPU power... the idea is for the zombie computer to never realize they're infected. Stealing CPU cycles isn't a good way to do this. You're much better off simply renting a cluster of high-powered floating point processors and using that.
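The points made in #376 (brute force versus precomputed tables) and #379 (salts are public, unique per user, and part of SRP; each digest must be worked individually; 36^8 guesses at 1e9/day), as one added demonstration that is not from the thread and not Blizzard's code. The SRP group is a constructed toy (real deployments use the RFC 5054 groups; the arithmetic is the same), and the users and wordlist are made up.

```python
"""Added example: why a leaked SRP verifier database still has to be worked
one user at a time, and why per-user salts make a shared precomputed
(rainbow) table useless. Everything here is constructed."""
import hashlib
import secrets

# Constructed toy SRP group (assumption: a Mersenne prime is enough for a
# demonstration). Real deployments use 1024-bit and larger RFC 5054 groups.
N = 2**89 - 1
g = 2


def srp_x(salt: bytes, username: str, password: str) -> int:
    """SRP-6a private key x = H(salt | H(username ':' password)).

    SHA-1 is used because the thread discusses it; the point holds for any hash."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def srp_verifier(salt: bytes, username: str, password: str) -> int:
    """v = g^x mod N: the 'message on the table' the server actually stores.

    The password itself never reaches the server, only v and the public salt."""
    return pow(g, srp_x(salt, username, password), N)


def enroll(username: str, password: str, salt: bytes = b"") -> dict:
    """Server-side enrollment record: (username, public salt, verifier)."""
    salt = salt or secrets.token_bytes(16)
    return {"user": username, "salt": salt, "v": srp_verifier(salt, username, password)}


def unsalted_digest(password: str) -> str:
    """The naive scheme a precomputed table is built against: H(password)."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """One-time precomputation (a minimal 'rainbow table'): digest -> password.

    Computed once, it answers any unsalted digest from any site instantly."""
    return {unsalted_digest(p): p for p in wordlist}


def recover_unsalted(table: dict, digest: str):
    """Lookup costs one dictionary access and no hashing at all."""
    return table.get(digest)


def verifier_work(record: dict, wordlist) -> tuple:
    """Count verifier computations needed to test a wordlist against ONE
    salted record. The salt is public, but because it is folded into the
    hash input the precomputed table cannot be reused: every candidate is
    recomputed for this user's salt, and the next user starts from zero.
    Returns (computations spent, whether the wordlist contained the password)."""
    work = 0
    for candidate in wordlist:
        work += 1
        if srp_verifier(record["salt"], record["user"], candidate) == record["v"]:
            return work, True
    return work, False


def days_to_exhaust(charset_size: int, length: int, rate_per_day: float) -> float:
    """Time to try every password of a given shape at a given rate, e.g.
    36^8 lowercase-alphanumeric passwords at 1e9 guesses per day."""
    return charset_size**length / rate_per_day


if __name__ == "__main__":
    wordlist = ["password", "starcraft", "zergrush", "hunter2"]  # constructed
    table = build_lookup_table(wordlist)
    print("unsalted lookup:", recover_unsalted(table, unsalted_digest("zergrush")))
    alice = enroll("alice", "zergrush")
    bob = enroll("bob", "zergrush")
    print("same password, different verifiers:", alice["v"] != bob["v"])
    print("work per user:", verifier_work(alice, wordlist), verifier_work(bob, wordlist))
    print("days to exhaust 36^8 at 1e9/day:", round(days_to_exhaust(36, 8, 1e9)))
```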
Kvz
Profile Joined March 2010
United States463 Posts
August 10 2012 22:53 GMT
#380
in the last day my cell phone has been spammed with telemarketers (hasn't happened ever) and im getting spam emails. is this coincidence or due to this security breach?
NrG.Kvz
MisterD
Profile Blog Joined June 2010
Germany1338 Posts
August 10 2012 23:24 GMT
#381
On August 11 2012 07:53 Kvz wrote:
in the last day my cell phone has been spammed with telemarketers (hasn't happened ever) and im getting spam emails. is this coincidence or due to this security breach?

No, if you had your phone registered in the battle.net database, it's likely that this isn't a coincidence. Contrary to destroying someone's ladder rank for fun, which isn't profitable, selling stolen addresses and phone numbers to advertisers actually does generate profits for the hackers, so those are some of the things to be expected.
Gold isn't everything in life... you need wood, too!
Wuster
Profile Joined May 2011
1974 Posts
August 10 2012 23:42 GMT
#382
On August 11 2012 08:24 MisterD wrote:
On August 11 2012 07:53 Kvz wrote:
in the last day my cell phone has been spammed with telemarketers (hasn't happened ever) and im getting spam emails. is this coincidence or due to this security breach?

No, if you had your phone registered in the battle.net database, it's likely that this isn't a coincidence. Contrary to destroying someone's ladder rank for fun, which isn't profitable, selling stolen addresses and phone numbers to advertisers actually does generate profits for the hackers, so those are some of the things to be expected.


Probably worth plugging this to all the Americans affected.
https://www.donotcall.gov/

Hopefully there's something equivalent in other countries.
Nymphaceae
Profile Blog Joined November 2010
United States350 Posts
August 11 2012 01:48 GMT
#383
I've had my account hacked twice. The first time, I was supposedly selling gold to friends on WoW, and the 2nd time, some one was trying to sell a D3 account under my user name.
Onlinejaguar
Profile Joined April 2010
Australia2823 Posts
August 11 2012 03:00 GMT
#384
While this sucks to hear im glad blizzard told us right away.
Elegance
Profile Blog Joined February 2009
Canada917 Posts
August 11 2012 03:07 GMT
#385
"At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised"

But they probably don't have evidence that they weren't compromised right?
Power of Ze
nAgeDitto
Profile Joined April 2011
United States428 Posts
August 11 2012 03:27 GMT
#386
On August 11 2012 12:07 Elegance wrote:
"At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised"

But they probably don't have evidence that they weren't compromised right?


In this case, the lack of evidence (yet) could be evidence that they weren't compromised


Oaky
Profile Joined August 2012
United States95 Posts
August 11 2012 06:29 GMT
#387
Sounds pretty bad, but i have faith in blizzard. Just gonna change my password and no worries ya kno? people shudnt freak out.
SOOOOOOO MANY BANELINGS!
rast
Profile Joined July 2012
Poland44 Posts
Last Edited: 2012-08-11 10:08:41
August 11 2012 10:08 GMT
#388
On August 11 2012 05:01 discomatt wrote:
Finally, botnets aren't usually used to harness CPU power... the idea is for the zombie computer to never realize they're infected. Stealing CPU cycles isn't a good way to do this. You're much better off simply renting a cluster of high-powered floating point processors and using that.


Botnets are mainly used to send tons of spam or perform DDoS attacks, which essentially steals CPU cycles, so I assume they won't be concerned to add some additional CPU overhead to their zombie net. Essentially they can do what they want with botnets, and this includes hash cracking. And for them it's free, so it's quite cheaper than renting a cluster of servers.
ysnake
Profile Joined June 2012
Bosnia-Herzegovina261 Posts
Last Edited: 2012-08-11 12:03:21
August 11 2012 10:14 GMT
#389
Wasn't this done so they could screw players in that WoW tournament? Someone was getting DDoSed constantly there and a couple of accounts were hacked.
You are no longer automatically breathing and blinking.
Abacus1
Profile Joined August 2011
Australia45 Posts
August 11 2012 11:57 GMT
#390
Personally pretty happy they came out and addressed worries of the community before rumors started first. Not too worried based on what was said.
'We all got our choices to make...'
KoiKetv
Profile Joined December 2011
Canada7 Posts
August 11 2012 13:04 GMT
#391
My account got hacked that day. Only good thing about it the guy reactivated my WoW account and paid 55$ for a server/race transfer. I'm enjoying some free time -_-
Live free or die
DreamChaser
Profile Blog Joined February 2011
1649 Posts
August 12 2012 00:22 GMT
#392
On August 11 2012 22:04 KoiKetv wrote:
My account got hacked that day. Only good thing about it the guy reactivated my WoW account and paid 55$ for a server/race transfer. I'm enjoying some free time -_-


That's the good guy hacker, he just gives you free stuff while you try to figure out what happened
Plays against every MU with nexus first.
ChiknAdobo
Profile Joined November 2010
United States208 Posts
August 12 2012 02:36 GMT
#393
So I changed my password, but the next day I forgot it so I had to change it again lol.
ZERg
ImNightmare
Profile Joined May 2012
1575 Posts
August 12 2012 02:37 GMT
#394
On August 11 2012 22:04 KoiKetv wrote:
My account got hacked that day. Only good thing about it the guy reactivated my WoW account and paid 55$ for a server/race transfer. I'm enjoying some free time -_-

why does that never happen to me.
Zzoram
Profile Joined February 2008
Canada7115 Posts
August 12 2012 06:29 GMT
#395
The email I used for my Battle.net account got hacked either today or not much longer ago, I can't access that email anymore. That can't be a coincidence, it must be due to this Battle.net server hack.
TsGBruzze
Profile Blog Joined April 2012
Sweden1190 Posts
August 12 2012 06:57 GMT
#396
blizzard handled this very well!
''you got to yolo things up to win''
paralleluniverse
Profile Joined July 2010
4065 Posts
August 12 2012 06:57 GMT
#397
On August 12 2012 15:29 Zzoram wrote:
The email I used for my Battle.net account got hacked either today or not much longer ago, I can't access that email anymore. That can't be a coincidence, it must be due to this Battle.net server hack.

Did you use the same secret question and answer on the B.net account and email account?
whetherby
Profile Joined May 2010
United States53 Posts
August 13 2012 00:33 GMT
#398
How do I change my answers to the secret questions?
KaluGOSU
Profile Blog Joined May 2010
United States171 Posts
August 13 2012 07:41 GMT
#399
I lost all my items on WoW and D3 thanks blizzard
Halt! Thou shalt not pass. Thou hast much anger, young one
Shenghi
Profile Joined August 2010
167 Posts
August 13 2012 08:57 GMT
#400
On August 13 2012 16:41 KaluGOSU wrote:
I lost all my items on WoW and D3 thanks blizzard

This is most likely unrelated. Those who are capable of breaching Blizzard security are not interested in your game accounts. They have better things to gain.

This besides the fact that, if you had a decent password to begin with, there is no way that it could have been breached already.
People are not born stupid, they choose to be stupid. If you made that choice, please change your mind.
Kotreb
Profile Joined June 2011
Croatia1392 Posts
August 13 2012 12:32 GMT
#401
China ftw!
If you don't sin Jesus died for nothing.
rezzan
Profile Joined November 2010
Sweden329 Posts
August 13 2012 13:26 GMT
#402
move along people there's nothing to see here, this happens all the time and I've yet to hear from anyone that has actually been affected by this, but it's still a nuisance for Blizzard that there are people that constantly try to do this.
Sponsored by Play3r.net and eurodomination.net www.twitch.tv/tacowtf
kevinmon
Profile Joined January 2011
United States540 Posts
August 13 2012 14:01 GMT
#403
Wow Blizzard suckzorz.
BreAKerTV
Profile Blog Joined November 2011
Taiwan1658 Posts
Last Edited: 2012-08-13 15:08:02
August 13 2012 15:06 GMT
#404
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

Me too. I had a WoW account linked to my mainstream email and I got an email informing me that blizzard was aware that I was trying to sell my account.

Funny thing is I never actually paid cash to play WoW, and only spent enough time to produce a single level 23 Night Elf Hunter.

EDIT: And I haven't played wow in like 2 years.
Retired caster / streamer "BingeHD". Digital Nomad.
-Archangel-
Profile Joined May 2010
Croatia7457 Posts
August 13 2012 15:12 GMT
#405
Hmm global emails were taken. I need to make sure each Blizzard mail I get is really from Blizzard :D
SilSol
Profile Joined April 2012
Sweden2744 Posts
August 13 2012 15:14 GMT
#406
oh jesus christ! not good at all ;(
http://fragbite.se/user/117868/silsol since 2006 http://www.reddit.com/u/silsol77
Antimatterz
Profile Blog Joined October 2010
United States1010 Posts
August 13 2012 15:23 GMT
#407
On August 10 2012 07:46 MstrJinbo wrote:
On August 10 2012 07:42 mataxp wrote:
As a PSN user, dejá vu


Doesn't sound as bad as the PSN breach. Just Emails and hashed passwords being compromised. That being said I'm still changing my password.


The PSN breach was awful, I don't even know how you get that complacent in the first place as a group that just mass produces high end technology. I can't even remember how long PSN was down, wasn't it around 2 or 3 months?
"HotBid [11:45 AM]: i dunno i kinda like the big muta shooting smaller mutas out"
hobbidude
Profile Joined December 2010
Canada171 Posts
August 13 2012 16:46 GMT
#408
Careful. I just received a spam fraud email attempting to get you to change passwords that conveniently times up with this hacking.
TheRealzz
Profile Joined November 2010
150 Posts
Last Edited: 2012-08-14 00:39:42
August 14 2012 00:38 GMT
#409
What's real funny is ... Did Blizz just name the protocol they use on these password protections ? Secure Remote Password protocol (SRP) - wouldn't that provide the intruders a would-be starting point on cracking ? ... Or is that actually misinformation ?

EVEN MORE LOL - is if I look it up and see ITS A WINDOWS TECHnology!!!! xD ROFL
One-base play is aggression ?
jinglesassy
Profile Joined December 2011
United States15 Posts
August 14 2012 01:09 GMT
#410
No, SRP is just a generic term for a few hundred different encryption protocols. It wouldn't help the hackers at all.
julianto
Profile Joined December 2010
2292 Posts
August 14 2012 01:12 GMT
#411
I can't believe we still aren't allowed to change our secret questions yet.
http://us.battle.net/support/en/blog/6940803
¯\_(ツ)_/¯
ZenithM
Profile Joined February 2011
France15952 Posts
August 14 2012 01:15 GMT
#412
Mike Morhaime... is a badass.
TheRealzz
Profile Joined November 2010
150 Posts
August 14 2012 01:39 GMT
#413
On August 14 2012 10:09 jinglesassy wrote:
No, SRP is just a generic term for a few hundred different encryption protocols. It wouldn't help the hackers at all.



I guess I will be searching for the Microsoft one then ? And then Microsoft's excuse is it's to be patched shortly ?
One-base play is aggression ?
TheRealzz
Profile Joined November 2010
150 Posts
August 14 2012 01:40 GMT
#414
On August 14 2012 10:15 ZenithM wrote:
Mike Morhaime... is a badass.


Mike Tyson is a BEAST we all know who the fck that is .... NOW ... who is Morhaime ?
One-base play is aggression ?
TheRealzz
Profile Joined November 2010
150 Posts
August 14 2012 04:25 GMT
#415
Arrrrrrgh catching old posts; this one was SOOooOOoo pipped for MS trolling ....
One-base play is aggression ?
Holytornados
Profile Joined November 2011
United States1022 Posts
August 14 2012 04:35 GMT
#416
On August 14 2012 00:06 Enders116 wrote:
On August 10 2012 07:38 Probe1 wrote:
So change your passwords. Got it.

(Before anyone says "Oh no Probe u sux at reading", cryptographically scrambled versions.. do you trust your account and information on that? Do you?")

Me too. I had a WoW account linked to my mainstream email and I got an email informing me that blizzard was aware that I was trying to sell my account.

Funny thing is I never actually paid cash to play WoW, and only spent enough time to produce a single level 23 Night Elf Hunter.

EDIT: And I haven't played wow in like 2 years.


That's probably not from Blizzard.

That's a common scam actually.
CLG/Liquid ~~ youtube.com/reddedgaming
nayc
Profile Joined August 2010
Germany42 Posts
August 14 2012 09:53 GMT
#417
i guess there are some people here who might find this interesting (and are able to understand it:-)
http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/
There is no "i" in "fuck you!"
nayc
Profile Joined August 2010
Germany42 Posts
August 14 2012 09:53 GMT
#418
On August 14 2012 00:12 -Archangel- wrote:
Hmm global emails were taken. I need to make sure each Blizzard mail I get is really from Blizzard :D


how is that different from before?
There is no "i" in "fuck you!"
Tobberoth
Profile Joined August 2010
Sweden6375 Posts
August 14 2012 10:09 GMT
#419
Even if they had my password info from Blizz, I wouldn't care. They will in all probability not break the encryption, and if they do, my authenticator already makes sure they can't do crap.
Lorch
Profile Joined June 2011
Germany3683 Posts
August 14 2012 10:17 GMT
#420
On August 14 2012 19:09 Tobberoth wrote:
Even if they had my password info from Blizz, I wouldn't care. They will in all probability not break the encryption, and if they do, my authenticator already makes sure they can't do crap.


That's exactly how I feel about this as well. Yeah sure let them steal all the shit, that's what I got an authenticator for in the first place anyways...
-Archangel-
Profile Joined May 2010
Croatia7457 Posts
August 14 2012 11:22 GMT
#421
Damn it, I would sell my D3 account if it wasn't also part of my WC3 and SC2 accounts :D
Serek
Profile Joined May 2011
United Kingdom459 Posts
August 14 2012 23:27 GMT
#422
On August 14 2012 18:53 nayc wrote:
i guess there are some people here who might find this interesting (and are able to understand it:-)
http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-hard-to-crack/


I was about to post this same link until I saw your post. The article says that Blizzard's claim that the passwords are safe is not verifiable because we don't have enough public information about their security setup. It goes on to speculate how much processing power it would require to crack the passwords in a couple of scenarios. According to their exercise, with the information we have available it would not be overly difficult to crack the weakest passwords in a relatively short period of time.

If I were to venture a guess, I'd say most weak passwords were cracked even before we were informed of the breach (remember there was a gap between the time Blizzard found out and the public announcement). There are bound to be some compromised accounts where Bnet password is the same as the Bnet email and those would be first to fall.

So who benefits? Easiest way to cash up on this is by quickly transferring gold/items to farmer accounts, since there's already an "infrastructure" to handle this (WoW hackers have a lot of experience in this regard). Rainbow tables and dictionaries will improve by adding thousands of new passwords to their databases, facilitating future hacks. People may have further non-Bnet accounts compromised if hackers gain access to their emails. And remember we don't know yet whether billing information was also accessed.

So no, I don't feel this is a non-issue as others in this thread do.
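The post above argues that weak passwords fall quickly even from a salted, hashed dump, and that "password equals email" accounts fall first. The following added example (not from the original thread or from Blizzard; the thread itself says Blizzard's real scheme is not public) shows why, using an assumed salted single-round SHA-256 store and a constructed three-user dump. The attacker orders guesses cheapest first: the email's local part, the email itself, then a small wordlist with common mangling. Salts only stop precomputed tables; they do not stop per-record guessing, so each record costs at most `budget` hashes.

```python
import hashlib
import os
from typing import Dict, Iterator, List, Tuple

Record = Tuple[str, str, str]  # (email, hex salt, hex digest)


def hash_password(salt: str, password: str) -> str:
    """Assumed store format for the demo: salted SHA-256, one iteration.
    A fast hash like this is exactly what makes weak passwords cheap to recover."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def build_sample_dump() -> List[Record]:
    """Constructed sample data standing in for a leaked credential table."""
    users = [
        ("alice@example.com", "alice"),           # password == email local part
        ("bob@example.com", "Diablo123"),         # dictionary word + digits
        ("carol@example.com", "Jq7!xR2#pL9@wz"),  # not reachable from any wordlist
    ]
    dump: List[Record] = []
    for email, pw in users:
        salt = os.urandom(8).hex()                # per-record salt, as a real store would have
        dump.append((email, salt, hash_password(salt, pw)))
    return dump


# Tiny constructed wordlist; a real one has millions of entries from earlier leaks.
COMMON = ["password", "123456", "qwerty", "letmein", "diablo", "starcraft"]


def candidates(email: str, wordlist: List[str]) -> Iterator[str]:
    """Yield guesses in the order an attacker would try them: cheapest first."""
    local = email.split("@", 1)[0]
    yield local                                   # the "password == email" case from the thread
    yield email
    for w in wordlist:
        yield w
        yield w.capitalize()
        for n in ("1", "12", "123", "2012"):      # common mangling rules
            yield w + n
            yield w.capitalize() + n


def crack(dump: List[Record], wordlist: List[str], budget: int = 500) -> Dict[str, str]:
    """Try up to `budget` guesses per record; return {email: recovered_password}."""
    cracked: Dict[str, str] = {}
    for email, salt, digest in dump:
        for i, guess in enumerate(candidates(email, wordlist)):
            if i >= budget:
                break
            if hash_password(salt, guess) == digest:
                cracked[email] = guess
                break
    return cracked


if __name__ == "__main__":
    for email, pw in crack(build_sample_dump(), COMMON).items():
        print(f"{email}: {pw}")
```

With a real dump the per-guess cost is the only lever the defender had: a slow, memory-hard hash raises `budget` hashes from microseconds to seconds per record, which is the "how much processing power" question the Ars article works through.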
skyR
Profile Joined July 2009
Canada13817 Posts
August 16 2012 01:19 GMT
#423
You can update your secret question & answer and reset your authenticator now through account management.

http://us.battle.net/d3/en/blog/6983564/North_American_Battlenet_Account_Update_-8_15_2012
SilSol
Profile Joined April 2012
Sweden2744 Posts
August 16 2012 01:24 GMT
#424
On August 16 2012 10:19 skyR wrote:
You can update your secret question & answer and reset your authenticator now through account management.

http://us.battle.net/d3/en/blog/6983564/North_American_Battlenet_Account_Update_-8_15_2012


ah thx!
http://fragbite.se/user/117868/silsol since 2006 http://www.reddit.com/u/silsol77
rebuffering
Profile Joined December 2010
Canada2436 Posts
August 17 2012 01:39 GMT
#425
Hey guys, Battle.net sent me an email saying someone changed the account email address, and I can no longer log into Battle.net or SC2. Is my only option to call up Blizzard support? I tried making a ticket, but it's asking me to log in to make the support ticket, so I can't do it, obviously. Any help is appreciated.
http://www.twitch.tv/rebufferingg
Nick_54
Profile Blog Joined November 2007
United States2230 Posts
August 17 2012 13:56 GMT
#426
Blizzard told me there was suspicious activity with my account, so I changed my password again. I think this means that they might have been trying to access my account but couldn't get the password. Any thoughts?
jakethesnake
Profile Blog Joined May 2011
Canada4948 Posts
August 17 2012 14:03 GMT
#427
On August 17 2012 22:56 Nick_54 wrote:
Blizzard told me there was suspicious activity with my account, so I changed my password again. I think this means that they might have been trying to access my account but couldn't get the password. Any thoughts?


Same here. At least they have a way to change the secret question now, although it is terrible (I couldn't even read the whole question). It was a hassle, but makes me glad I changed my password when I did.
guN-viCe
Profile Joined March 2010
United States687 Posts
August 19 2012 15:52 GMT
#428
My account has been hacked. I called their support number and they gave me instructions on what to do. Now I'm just waiting.
Never give up, never surrender!!! ~~ Extraordinary claims require extraordinary evidence -Sagan
Darth Irule
Profile Joined August 2012
United States1 Post
August 20 2012 04:28 GMT
#429
I too have gotten an email saying my email was being changed. Tried to log in; password/email wasn't working. Tried to answer my security question, but that one was changed.


Time to call blizzard as soon as their support line opens tomorrow morning....
EvilTeletubby
Profile Blog Joined January 2004
Baltimore, USA22254 Posts
August 20 2012 06:58 GMT
#430
Fucking Christ.

I feel like murdering somebody now.
Moderator http://carbonleaf.yuku.com/topic/408/t/So-I-proposed-at-a-Carbon-Leaf-concert.html ***** RIP Geoff
rebuffering
Profile Joined December 2010
Canada2436 Posts
August 22 2012 15:51 GMT
#431
omg, calling Blizzard support to try and get my account back, they tell me "sorry, our queues are full", then it hangs up on me. Call back 5 mins later, it says estimated 25 min wait. Jesus Christ, I hope call support costs you a lot of money, Blizz; tired of your bullshit.
http://www.twitch.tv/rebufferingg
Silidons
Profile Blog Joined September 2010
United States2813 Posts
August 24 2012 23:11 GMT
#432
Yeah, one of my accounts just got hacked, but I got it back. I had forgotten about it; all it had was Diablo 2 & D2 LoD on it anyhow.

So they did indeed get the passwords
"God fights on the side with the best artillery." - Napoleon Bonaparte
Phanekim
Profile Joined April 2003
United States777 Posts
August 27 2012 04:59 GMT
#433
Luckily for me no one has hacked me yet.....

Will changing password be enough?
i like cheese
nBk
Profile Blog Joined July 2010
174 Posts
Last Edited: 2012-08-27 05:14:36
August 27 2012 05:08 GMT
#434
Just tried to login and this is what I am greeted with...

Due to suspicious activity, this account has been locked. A message has been sent to this account’s email address containing details on how to resolve this issue. Visit http://us.battle.net/account/locked.html for more information.


Lovely... I was just on it a little over an hour ago too.. x.x

edit: resolved. Scared me for a minute.
We all die. The goal isn't to live forever, the goal is to create something that will.
StarStruck
Profile Blog Joined April 2010
25339 Posts
August 27 2012 05:10 GMT
#435
I thought this would happen eventually.

Okay then.
Mechanism4
Profile Joined March 2011
United States20 Posts
Last Edited: 2012-08-27 05:44:00
August 27 2012 05:28 GMT
#436
My account was one of the ones that got hacked. I had changed my password shortly after seeing the news, but it wasn't enough for me.

I was playing SC2 one of the nights a little while ago. Then the next day I got home from work and found that they had changed the email used to log in. I was able to get my account back by using the "I think I got hacked" option.


I am pleased to have gotten a response and a fix, pretty much, after about 8 hours. My SC2 was still locked for about a day after, but I was able to play SC2 again after a short while.
Belial88
Profile Blog Joined November 2010
United States5217 Posts
August 27 2012 05:35 GMT
#437
Should I change my pass still?

So is it just a single guy/group hacking into accounts and stripping them? Why would anyone bother stealing an SC2 account, especially when it's so easy to get it returned to you?
How to build a $500 i7-3770K Ultimate Computer:http://www.teamliquid.net/blogs/viewblog.php?topic_id=392709 ******** 100% Safe Razorless Delid Method! http://www.overclock.net/t/1376206/how-to-delid-your-ivy-bridge-cpu-with-out-a-razor-blade/0_100
nBk
Profile Blog Joined July 2010
174 Posts
August 27 2012 06:32 GMT
#438
On August 27 2012 14:35 Belial88 wrote:
Should I change my pass still?

So is it just a single guy/group hacking into accounts and stripping them? Why would anyone bother stealing an SC2 account, especially when it's so easy to get it returned to you?


I would, to be safe. I saw this announcement the very day it came out and never changed mine, and almost lost my account today, all because I thought "Oh, it could never happen to me, my account isn't worth anything, just an SC2 account."
We all die. The goal isn't to live forever, the goal is to create something that will.
6NR
Profile Joined March 2012
United States1472 Posts
August 27 2012 06:38 GMT
#439
This is bad
SolHeiM
Profile Blog Joined April 2010
Sweden1264 Posts
August 27 2012 06:41 GMT
#440
On August 27 2012 15:32 nBk wrote:
On August 27 2012 14:35 Belial88 wrote:
Should I change my pass still?

So is it just a single guy/group hacking into accounts and stripping them? Why would anyone bother stealing an SC2 account, especially when it's so easy to get it returned to you?


I would, to be safe. I saw this announcement the very day it came out and never changed mine, and almost lost my account today, all because I thought "Oh, it could never happen to me, my account isn't worth anything, just an SC2 account."


You can't think that you "just have an SC2 account," because the hackers have no idea what's on your account. All they know is an account name and a password. If there is nothing to steal, they will use your account as a botting account, where they'll buy a game and start using it.

My brother got his level 47 Witch Doctor account hacked, and the hackers leveled his character to 60, decked him out in full GF% gear and farmed for a couple of days before my brother figured out that he had been hacked.
Csong
Profile Joined March 2012
Canada396 Posts
August 27 2012 06:51 GMT
#441
Wow, I didn't really expect anyone to get hacked.
I already changed my password; what else can I do
to make sure I don't get hacked? (I only have an SC2 account, btw.)
And what do I need to get my account back if I do get hacked?
maartendq
Profile Blog Joined December 2010
Belgium3115 Posts
August 27 2012 07:35 GMT
#442
On August 27 2012 15:51 Csong wrote:
Wow, I didn't really expect anyone to get hacked.
I already changed my password; what else can I do
to make sure I don't get hacked? (I only have an SC2 account, btw.)
And what do I need to get my account back if I do get hacked?

Get an authenticator. If you do get hacked, contact Blizzard with proof that the account is yours (a picture of your game box with the key, receipts, ...).
IcedBacon
Profile Joined May 2011
Canada906 Posts
August 27 2012 08:32 GMT
#443
Why's this keep getting necro'd :/
"I went Zerg because Artosis is a douchebag." -IdrA