Attention: Battle.net security breach
#1
See http://us.blizzard.com/en-us/securityupdate.html
and http://battle.net/support/en/article/6327
#2
(08-10-2012, 01:01 AM)Ruvanal Wrote: See http://us.blizzard.com/en-us/securityupdate.html
and http://battle.net/support/en/article/6327

Wow/W, thanks, Ruvanal! Off to change my password.
"I may be old, but I'm not dead."
#3
It's times like this that I wish that I could remove my battle.net account. I don't play WoW, I don't have any plans to come back to wow, and I don't play either of the other b.net tied titles.
nobody ever slaughtered an entire school with a smart phone and a twitter account – they have, however, toppled governments. - Jim Wright
#4
(08-10-2012, 04:12 AM)shoju Wrote: It's times like this that I wish that I could remove my battle.net account. I don't play WoW, I don't have any plans to come back to wow, and I don't play either of the other b.net tied titles.
Go into your account -- associate it with some e-mail you hardly use (Hotmail, or Gmail perhaps). Edit your account information to remove anything you can -- like active credit cards, addresses, name, etc. Change your password to something impossible to guess, then write it on a note card, tape your authenticator to it. Put them in a safe place and forget about them.

If you ever change your mind some day (bequeath your characters to your kids, or grandkids), you can resurrect your battle.net account. If it does somehow get compromised while you are away, there is nothing they can do with it unless they go so far as to tie it to another credit card.

Or, you can e-mail privacy@blizzard.com from the address associated with your account to make the request.

Note that this will still not "delete" your account, but it will permanently remove your identifying information from it. It will still exist (as will your characters, etc.), but they will not be accessible to you or anyone else either.
"There are more things in heaven and earth, Horatio, Than are dreamt of in your philosophy." - Hamlet (1.5.167-8), Hamlet to Horatio.
#5
I've never had a credit card associated with my account.

It's more that I would probably feel physically ill to know that someone else played on my account. I don't know. I can't explain it. It's just.... not something I've been cool with since I let someone use a "second" account of mine, and they screwed it all up.
nobody ever slaughtered an entire school with a smart phone and a twitter account – they have, however, toppled governments. - Jim Wright
#6
(08-13-2012, 08:24 PM)shoju Wrote: It's more that I would probably feel physically ill to know that someone else played on my account. I don't know. I can't explain it. It's just.... not something I've been cool with since I let someone use a "second" account of mine, and they screwed it all up.

Magicbag once let me play with his Wasteland characters and I got them all killed.
"I may be old, but I'm not dead."
#7
I had a friend who wanted to do a RAF, so I started a second account, and did all the stuff, and let him RAF some characters. Once he got stuff up to 55, we went ahead and made DKs. Well, then he went and did something stupid, and got us both hacked. When I finally got that account back, my DK was sitting in Ironforge, naked, no money, no bags, nothing, and the RAF accounts were similarly naked and broke.

Blizz did not help us get the gear and gold back. They considered the matter closed.

So.... I got the account back, changed my password, and info on the account as much as possible, and moved off server.
nobody ever slaughtered an entire school with a smart phone and a twitter account – they have, however, toppled governments. - Jim Wright
#8
I don't have anything worth looting.

I have changed my email pword, even though there is NO evidence of anything untoward.

Authenticator: worth it, or just one more false sense of security?
Cry 'Havoc' and let slip the Men 'O War!
In War, the outcome is never final. --Carl von Clausewitz--
Igitur qui desiderat pacem, praeparet bellum
John 11:35 - consider why.
In Memory of Pete
#9
(08-14-2012, 04:17 AM)Occhidiangela Wrote: Authenticator: worth it, or just one more false sense of security?

If you're sure you're absolutely careful and don't reuse your bnet password, you don't have to have it. Having said that, if your secret answers were exposed in the breach, and someone uses them to reset your password, which *could* happen, having an authenticator would mean they still couldn't get into your account. Without one, they'd own it as quick as they could log in with the new password.

I've had one since about a month after they came out, because my teenagers use my computer and have a B.net account, too, and I've watched people around me get hacked left and right w/o authenticators, while I've soldiered on w/o any kind of issue for years. I do work in IT security, so, I can't point to the authenticator and say that it actually did anything for me, but, it makes you a harder target. The main thing is that if your password *does* get compromised somehow, you aren't automatically screwed.

As far as the latest issue, I've changed my password, and my daughters changed their password. Things are moving forward as normal.
--Mav
#10
Authenticator for iPhone: Free peace of mind. I like the idea of an authenticator. I like that it is that added level of security. That being said, I would never have bought one. I use the app, and I was perfectly happy with it. Even now that I don't play, I haven't unhooked my authenticator from my account. It's still tucked away in a folder.
nobody ever slaughtered an entire school with a smart phone and a twitter account – they have, however, toppled governments. - Jim Wright
#11
There is no reason NOT to have an authenticator IMO. Even if you don't have a smartphone apparently you can easily find Android emulators and use the mobile Android version. It can be set to only ask for token authentication once per week or when logging in from a new location so the annoyance factor is minimal.

Mav is right though - having a unique B.net password will go a long way towards ensuring that you're protected. I think a large majority of Blizzard hacking victims use the same password on other websites, and when THOSE websites get hacked, their B.net account is a casualty. So you can have a unique B.net password, or use the same password as other places and have an authenticator. Do both to be more fully protected. Smile

Somewhat off topic but it may be helpful: my email got hacked a while ago through the method above (an unrelated site had their password DB stolen) and I stupidly used the same password on multiple other sites, most notably Facebook and Gmail. Commence the whole "help I'm stuck in London plz send money" scam, jeering from my friends & relatives, etc etc etc. Lesson learned, don't use the same password everywhere. I sat down and made a list of sites that I have accounts at, and holy cow there are a lot. So I came up with a password scheme that let me have different passwords at every site but was still easy to remember: a passphrase + name of the site. So my passphrase, for example, might be the first characters of each word in the sentence "This is my super-secure password for Battle.net!" (Timsspfb!). Swap out Battle.net for whatever site you need a password for (Timsspfg! for Gmail, etc), and voila! A fairly easy to remember password scheme that can be relatively unique amongst all websites. Obviously you'll have to modify the scheme slightly for some sites that start with the same letter, but it's a good base to start with.

/derail
#12
(08-14-2012, 02:50 PM)RTM Wrote: I think a large majority of Blizzard hacking victims use the same password on other websites, and when THOSE websites get hacked, their B.net account is a casualty.

Just for the uninitiated: I work in IT security for a 15K-student regional community college, and I see lists by the thousands a couple times a week of email/password pairs from various websites. We just grep through them for any of our local domain emails to keep an eye on compromises here, but, we might find one or two of ours out of four thousand or ten thousand on the list. This is why you don't want to share email/bnet passwords with other passwords around the internet.

I know people have heard that this happens, but you have to see the scale and frequency of these lists to truly understand the problem.
--Mav
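The screening Mav describes (grepping a leaked email/password list for your own domain) is easy to get slightly wrong: dumps arrive with mixed separators and mixed-case addresses, and the last thing you want is a report that stores the leaked passwords again. The script below is an added example, not something from this thread or from any tool the posters use; the sample dump, the domain `example.edu` and the function names are all constructed for illustration. It parses the common `email:password` / `email;password` / tab-separated layouts, matches the domain and its subdomains case-insensitively, and keeps only a truncated SHA-256 of each matched password so support staff can confirm a hit without ever seeing the credential.

```python
import hashlib
import re

# Constructed sample of a leaked "email/password" list in the mixed formats
# such dumps typically use. These are made-up values, not real credentials.
SAMPLE_DUMP = (
    "alice@example.edu:hunter2\n"
    "bob@gmail.com;Passw0rd!\n"
    "carol@EXAMPLE.EDU\tletmein\n"
    "not a credential line\n"
    "dave@example.org,qwerty\n"
    "eve@students.example.edu:summer2012\n"
)

# Separators seen between email and password; split on the first one only,
# since passwords themselves may contain ':' or ','.
SEPARATORS = re.compile(r"[:;,\t]")


def parse_pairs(text):
    """Yield (email, password) tuples from a dump; skip lines that don't parse."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = SEPARATORS.split(line, maxsplit=1)
        if len(parts) != 2 or "@" not in parts[0]:
            continue
        yield parts[0].strip().lower(), parts[1]


def find_domain_hits(text, domain, include_subdomains=True):
    """Return {email: truncated sha256(password)} for accounts in our domain.

    Only a 12-hex-character prefix of the hash is kept, so the report can tell
    support "this account's password was in the dump" without storing it.
    """
    domain = domain.lower()
    hits = {}
    for email, password in parse_pairs(text):
        host = email.rsplit("@", 1)[1]
        if host == domain or (include_subdomains and host.endswith("." + domain)):
            hits[email] = hashlib.sha256(password.encode()).hexdigest()[:12]
    return hits


def summarize(text, domain):
    """Counts for the daily report: how big the list was, how many were ours."""
    pairs = list(parse_pairs(text))
    hits = find_domain_hits(text, domain)
    return {
        "total_pairs": len(pairs),
        "local_hits": len(hits),
        "accounts": sorted(hits),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP, "example.edu"))
```

Run against the constructed sample it reports five parseable pairs and three local accounts (the two `example.edu` addresses plus the `students.example.edu` one); the two-in-ten-thousand ratio Mav mentions is exactly why the parser has to tolerate junk lines rather than abort on them.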
#13
(08-14-2012, 02:50 PM)RTM Wrote: Somewhat off topic but it may be helpful:

I can't recommend Password Safe or KeePass enough. I trust Password Safe enough that I store the DB on my Google Drive and do the access to it from there. I know there is a risk if my gmail password is ever compromised, but it's on an account with the 2-step verification. I've got an Android version of the app that I can use from my tablet as well.

I actually don't know what some of my passwords are anymore. Sure that has potential issues too but I've just got so used to PW Safe usage.
---
It's all just zeroes and ones and duct tape in the end.
#14
(08-14-2012, 02:06 PM)shoju Wrote: Authenticator for iPhone: Free peace of mind. I like the idea of an authenticator. I like that it is that added level of security. That being said, I would never have bought one. I use the app, and I was perfectly happy with it. Even now that I don't play, I haven't unhooked my authenticator from my account. It's still tucked away in a folder.

Note to you and others that Blizzard stated that the mobile authenticator data for North America was also compromised and that they will be prompting you to update that for your accounts.
#15
(08-14-2012, 08:49 PM)Gnollguy Wrote: I can't recommend Password Safe or KeePass enough. I trust Password Safe enough that I store the DB on my Google Drive and do the access to it from there. I know there is a risk if my gmail password is ever compromised, but it's on an account with the 2-step verification. I've got an Android version of the app that I can use from my tablet as well.

I actually don't know what some of my passwords are anymore. Sure that has potential issues too but I've just got so used to PW Safe usage.

I've had quite a few people recommend those types of services & programs, but call me paranoid, I'm kind of leery giving the keys to my kingdom to a third party no matter how encrypted or obfuscated it is. Plus I access websites from all manner of devices and computers (home & work PCs, tablet, phone, etc). I know it's supposed to work cross-platform, but still... Plus, what if the company goes out of business?

Yeah, just call me paranoid. I can deal with it. Smile
#16
(08-15-2012, 01:17 PM)RTM Wrote:
(08-14-2012, 08:49 PM)Gnollguy Wrote: I can't recommend Password Safe or KeePass enough. I trust Password Safe enough that I store the DB on my Google Drive and do the access to it from there. I know there is a risk if my gmail password is ever compromised, but it's on an account with the 2-step verification. I've got an Android version of the app that I can use from my tablet as well.

I actually don't know what some of my passwords are anymore. Sure that has potential issues too but I've just got so used to PW Safe usage.

I've had quite a few people recommend those types of services & programs, but call me paranoid, I'm kind of leery giving the keys to my kingdom to a third party no matter how encrypted or obfuscated it is. Plus I access websites from all manner of devices and computers (home & work PCs, tablet, phone, etc). I know it's supposed to work cross-platform, but still... Plus, what if the company goes out of business?

Yeah, just call me paranoid. I can deal with it. Smile

Keepass is local on your machine, so no one else has the keys.

We use it at work, with over 100 VMs/servers to access.
--Mav
#17
(08-14-2012, 11:58 PM)Ruvanal Wrote:
(08-14-2012, 02:06 PM)shoju Wrote: Authenticator for iPhone: Free peace of mind. I like the idea of an authenticator. I like that it is that added level of security. That being said, I would never have bought one. I use the app, and I was perfectly happy with it. Even now that I don't play, I haven't unhooked my authenticator from my account. It's still tucked away in a folder.

Note to you and others that Blizzard stated that the mobile authenticator data for North America was also compromised and that they will be prompting you to update that for your accounts.

Yeah, this is the part that really surprised me. HOW THE !#*()% do you get that hacked? It does make the whole idea of the authenticator less enticing to be sure.
nobody ever slaughtered an entire school with a smart phone and a twitter account – they have, however, toppled governments. - Jim Wright
#18
(08-15-2012, 01:17 PM)RTM Wrote: I've had quite a few people recommend those types of services & programs, but call me paranoid, I'm kind of leery giving the keys to my kingdom to a third party no matter how encrypted or obfuscated it is. Plus I access websites from all manner of devices and computers (home & work PCs, tablet, phone, etc). I know it's supposed to work cross-platform, but still... Plus, what if the company goes out of business?

Yeah, just call me paranoid. I can deal with it. Smile

Mav covered KeePass. Password Safe is the same, it lives on the local machine (or network drive or thumb drive). I'm not sure which came out first; they have very similar interfaces. We use PW Safe at work which is why I adopted it. Storing the safe on my Google Drive is what allows me to access the same safe from anywhere, though many just keep the safe on the thumb drive. That's the only real danger of giving the keys to someone else in my set-up. If someone hacks my Google account, and gets the safe and then spends the HUGE amount of effort to crack that, then yep I've compromised a ton of stuff. Same if someone gets the safe off my local machine, etc.

It's a different set of dangers, but I've had too many IT security professionals sign off on the products to really worry too much about it.
---
It's all just zeroes and ones and duct tape in the end.
#19
(08-15-2012, 04:45 PM)shoju Wrote: Yeah, this is the part that really surprised me. HOW THE !#*()% do you get that hacked? It does make the whole idea of the authenticator less enticing to be sure.

Probably got some of the Blizzard-end keys/serials exposed on some of the mobile authenticators. So, not 'hacked' as in hacked the authentication itself, but they may have the 'shared secret' for it. Whether that means they know the algorithm used from there is anyone's guess.

I'm sure they'll have people with the mobile authenticators affected reset their keys somehow, and that will fix any issue. I'm guessing that just having that key doesn't give the hackers access to the accounts w/o knowing *how* to use the key to generate the code on demand, or we'd have a bunch of new hacks from that. Also, they don't have passwords, just SRP hashes. Basically, they didn't get enough to hack any one account with the information stolen from Blizzard.
--Mav
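Mav's point in the post above is that an authenticator is a shared secret plus an algorithm that turns it into short-lived codes, so the fix for a leaked secret is to re-key the device, not to abandon the concept. The code below is an added illustration, not Blizzard's implementation and not anything from this thread: it uses the standard HMAC-based one-time password construction from RFC 4226/6238 as a stand-in for whatever the mobile authenticator actually does (an assumption; the 30-second step and 8-digit codes are the RFC test-vector parameters, and the `Account` class is a hypothetical server-side record). The server-side `verify` tolerates one step of clock skew and compares in constant time, and `rotate_secret` shows that codes produced from the old secret stop validating the moment the account is re-keyed.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30    # seconds per code (RFC 6238 default; assumed, not Blizzard's value)
DIGITS = 8   # code length (RFC 6238 test-vector length; assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """Time-based variant: the counter is the number of `step`-second windows elapsed."""
    return hotp(secret, at // step)


def verify(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours
    to absorb clock skew. compare_digest avoids leaking the match via timing."""
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


class Account:
    """Hypothetical server-side record holding the authenticator's shared secret."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(20)

    def rotate_secret(self) -> bytes:
        """Re-key the authenticator; returns the retired secret for demonstration.
        A copy of the old secret is now useless against this account."""
        old = self.secret
        self.secret = secrets.token_bytes(20)
        return old


def rotation_demo(at: int = 1_000_000) -> dict:
    """Show that codes from the retired secret no longer verify after re-keying."""
    acct = Account()
    code_before = totp(acct.secret, at)
    old = acct.rotate_secret()
    return {
        "old_code_still_valid": verify(acct.secret, code_before, at),
        "old_secret_code_valid": verify(acct.secret, totp(old, at), at),
        "new_code_valid": verify(acct.secret, totp(acct.secret, at), at),
    }


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"     # RFC 6238 Appendix B test key
    print(totp(rfc_secret, 59))              # RFC vector: 94287082
    print(rotation_demo())
```

The RFC 6238 test key reproduces the published vector (`94287082` at t=59), which is a quick way to confirm the construction is right before trusting it. Note what the demo does and does not show: anyone holding the secret and knowing the algorithm can compute the same codes, which is exactly why a vendor would force a re-key after a breach of authenticator data, and why, as Mav says, the password (here only an SRP verifier was taken) and the authenticator together still have to be defeated.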
#20
I guess the part that surprised me was that this information, which is supposed to help keep accounts safe, was in some way shape or form exposed to a hack/loophole/open door.

I won't pretend to understand how they have it set up, but it seems.... less than optimal.
nobody ever slaughtered an entire school with a smart phone and a twitter account – they have, however, toppled governments. - Jim Wright