Originally posted by expresso OK now Blizzard have been hacked, you see when Blizzard is really hacked they do tell people like all responsible companies do.
I'm happy that Blizzard is this quick with reporting the hack. But like all responsible companies do..? Most companies still won't report a hack to their customers, just look at $O€ last year. They waited over a month and only came out because Anonymous told the press...
The passwords taken were encrypted, no big deal but you should change it either way, plus if you have an authenticator, even if the passwords were plain text they could still not get into the account.
Originally posted by expresso The passwords taken were encrypted, no big deal but you should change it either way, plus if you have an authenticator, even if the passwords were plain text they could still not get into the account.
This, if you use the physical authenticator, they still cannot get into your account, even if they somehow manage to decrypt your password.
What more bad can happen than this? Someone took my six toons in my absence and this is the message that they gave me: Hello,
Not a single World of Warcraft account compromise in the entire history of the game has been due to a result of a breach of security on our servers. In the event such a breach happened there is far more valuable, sensitive or disruptive data that could, and given the nature of breaches at other high profile companies recently; would be targeted. Account security is something of paramount concern to us.
Likewise actual malicious third parties steal accounts to strip them of gold which can easily be traded onward. They do not steal accounts to continue playing them normally and wherever possible they make stringent efforts to avoid paying for anything - as this would incur rather serious legal ramifications for them otherwise.
So all in all considering all of these transfers were paid for using the same card that paid for *all* of the subscriptions on the account and furthermore said transfers were requested from the same geo-location that is regularly used on the account and said individual even contacted us and verified all the security information. Unfortunately this leaves us two possible conclusions:
- You were sharing your account with someone else
- Someone you knew did this
Or
- Both of the above
As previously advised sharing your account is against our policies and really clouds the support we are able to offer. As previously stated there is no evidence that your account was hacked - all of these services were performed legitimately and paid for legitimately and the contexts do not equate to being a malicious third party.
I realise it's disappointing and upsetting to have lost your characters in such a way but due to the significant period of time that has elapsed since the incident occurred, and the lack of clear-cut evidence, I will have to reiterate that these transfers will not be reverted.
Originally posted by lotaparty What more bad can happen than this? Someone took my six toons in my absence and this is the message that they gave me:
/snip
So all in all considering all of these transfers were paid for using the same card that paid for *all* of the subscriptions on the account and furthermore said transfers were requested from the same geo-location that is regularly used on the account and said individual even contacted us and verified all the security information. Unfortunately this leaves us two possible conclusions: /snip
Highlighted for emphasis.
I think you have bigger issues than your 'toon' and I find it entirely reasonable on Blizzard's side due to that highlighted text.
Gdemami - Informing people about your thoughts and impressions is not a review, it's a blog.
We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.
Nice spin on things. SRP secures the exchange of passwords between a client and server. It's even used as a protocol to ensure that cryptographically weak passwords are incredibly difficult to sniff. As a protocol however, it has nothing to do with how securely passwords are stored. I'm not saying Blizzard DON'T store their passwords securely, but inferring that SRP makes their passwords secure is at best...misdirection.
Think of it this way - "we use envelopes to secure your letters". Great, that takes care of securing the exchange of the letter (password) between the sender (game client) and recipient (server). It doesn't mean a thing if someone breaks into your house and reads the letter because you just left it lying around, opened on the kitchen table.
Gotta be honest real fast - Not a fan of Blizzard, only briefly played WoW...but, you gotta give them some credit for getting the information out to their customers quickly, this is one of the fastest I've seen from any company.
Ah...with SRP the server does not store straight password data since version 6.
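What the SRP posts above are arguing about, shown as an added example that is not part of any post in the thread and is not Blizzard's code: an SRP server stores a salt and a verifier v = g^x mod N instead of the password, so the same password under two salts gives two different verifiers, yet a holder of one record can still test guesses against it offline, one account at a time. The modulus, generator, hash choice, user names and passwords below are constructed stand-ins.

```python
# Added illustration. Verifier derivation follows the SRP-6a form in RFC 5054:
#   x = H(salt | H(user ":" password)),  v = g^x mod N
import hashlib

# ASSUMPTION: stand-in group so the example runs offline. 2**521 - 1 is prime,
# but it is NOT one of the standardized SRP groups that real deployments use.
N = 2**521 - 1
G = 3


def _h(*parts: bytes) -> bytes:
    # ASSUMPTION: SHA-256 for the sketch; RFC 5054 itself specifies SHA-1.
    return hashlib.sha256(b"".join(parts)).digest()


def private_key(user: str, password: str, salt: bytes) -> int:
    inner = _h(user.encode(), b":", password.encode())
    return int.from_bytes(_h(salt, inner), "big")


def make_record(user: str, password: str, salt: bytes) -> dict:
    """What the server keeps at registration: user, salt, verifier. No password."""
    verifier = pow(G, private_key(user, password, salt), N)
    return {"user": user, "salt": salt, "verifier": verifier}


def guess_matches(record: dict, guess: str) -> bool:
    """The offline test available to anyone holding one stored record."""
    candidate = pow(G, private_key(record["user"], guess, record["salt"]), N)
    return candidate == record["verifier"]


def accounts_needing_reset(records: list, common_passwords: list) -> list:
    """Defender-side audit: accounts whose verifier matches a common password.

    Each guess costs one hash chain plus one modular exponentiation PER
    ACCOUNT, because the salt and user name are mixed into x.
    """
    return sorted(
        r["user"]
        for r in records
        if any(guess_matches(r, p) for p in common_passwords)
    )


# Constructed sample database: alice and bob share a weak password.
RECORDS = [
    make_record("alice", "dragon123", bytes.fromhex("a1" * 16)),
    make_record("bob", "dragon123", bytes.fromhex("b2" * 16)),
    make_record("carol", "correct horse battery staple", bytes.fromhex("c3" * 16)),
]

if __name__ == "__main__":
    print(accounts_needing_reset(RECORDS, ["123456", "dragon123"]))
```

The audit flags the two accounts with the weak shared password even though their stored verifiers differ, which is why changing the password after such a breach still matters.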
How could a phishing scammer get your email if you only used it to register for WoW and never anything else? My email which I only checked when I forgot my password after a long break from WoW was filled with ONLY WoW phishing emails, so I know there had to be a leak or hack. How else would I only get WoW phishing emails and not the other junk normal spammers send? This was back when the Burning Crusade expansion was released.
I did just that. When Blizzard made the move to requiring you to use an email account as your login (I still consider this a retarded move), I made an email account just for that. The name@ on the email is not used for any other of my many email addresses. I never link emails or add aliases to them. The email provider has none of my real info. I have never used it for anything else even though I quit WoW well before Cata. I've gotten phishing emails for multiple games that I have never played let alone subbed to. I still get WoW phishing mails as well.
There are many ways for people to get the names of email addresses and they just hope you are playing popular games, won't check the header info, and will fall for their lame attempts. On one webmail account I have, I even get emails not addressed to that account routinely.
I don't play WoW, have not played in years. However I do play Diablo III and that is tied to my WoW account.
So I got to ask why I had to find out about this here and not directly from Blizzard. It has been weeks since I logged into Diablo III. Those who are not playing on a regular basis probably have no idea they might be hacked.
Oh well blizzard just shows that they don't care about their customers. All it would take is one email to let folks know they might be compromised.
Originally posted by Acornia with emails having my email address in both the from and to slots.
That's because they use the incorrect format/put wrong info in the wrong order when they forge information from their local mta or mta proxy to make it appear to come from the gaming company. They just rely on people not checking headers and the links in the email. Which, sadly, works for them pretty often.
I would have to write that until Blizzard can secure their online Battle.net better then it is very risky to trust them with your personal or credit card information.
I can see it now. A flood of "my WoW account was hacked" on youtube. Meanwhile, 3 Chinese guys are sitting somewhere saying, "I watch on youtube. We hack their WoW account and cause Americans to commit suicide."
The only secure computer is the one that is powered off with no connection to the internet and is locked in a nuke proof safe. Given enough time, a hacker will get into your system, otherwise.
I would have to write that until Blizzard can secure their online Battle.net better then it is very risky to trust them with your personal or credit card information.
They were hacked very easily it seems.
Where are you getting your information? If they could be hacked "very easily" it would have happened a long time ago. You have no idea how the system was hacked. It could be a very easy fix. Stop trying to act like it's some catastrophic security issue.
Well, Battle net 2.0 is only a couple of years old. And, yes, if a company can be hacked and its customers' personal info including password security info is stolen then the underlying cause is most likely poor security. Sorry, but you have to point the finger at Activision Blizzard here.
No, I point the finger at you. It makes almost as much sense.
I want a mmorpg where people have gone through misery, have gone through school stuff and actually have had sex even. -sagil
This reminds me of when the Cataclysm download went live. I downloaded it and my account was somehow hacked during the download process, all my items gone from most characters. Took about a week to get it all back.
Only the most bewildered of fanbois would excuse a company for not protecting its customers' secure data well enough. Just as Sony was found to have really sloppy security of their customer information I will bet you it's the same old story with Activision Blizzard.
I asked them how safe their security was and our account info several months back and had my posts deleted/locked. Asked this back when SoE and Rift and other companies had been hacked. Looks like that didn't scare Blizzard at all, looks like they are a little naive themselves.
Online nothing is safe at all. OK, NA had most info taken, EU only had e-mails taken (as they know of) and China has nothing taken (must be from this region then that the hacker/s are from).
Comments
Not a single World of Warcraft account compromise in the entire history of the game has been due to a result of a breach of security on our servers. In the event such a breach happened there is far more valuable, sensitive or disruptive data that could, and given the nature of breaches at other high profile companies recently; would be targeted. Account security is something of paramount concern to us.
Likewise actual malicious third parties steal accounts to strip them of gold which can easily be traded onward. They do not steal accounts to continue playing them normally and wherever possible they make stringent efforts to avoid paying for anything - as this would incur rather serious legal ramifications for them otherwise.
So all in all considering all of these transfers were paid for using the same card that paid for *all* of the subscriptions on the account and furthermore said transfers were requested from the same geo-location that is regularly used on the account and said individual even contacted us and verified all the security information. Unfortunately this leaves us two possible conclusions:
- You were sharing your account with someone else
- Someone you knew did this
Or
- Both of the above
As previously advised sharing your account is against our policies and really clouds the support we are able to offer. As previously stated there is no evidence that your account was hacked - all of these services were performed legitimately and paid for legitimately and the contexts do not equate to being a malicious third party.
I realise it's disappointing and upsetting to have lost your characters in such a way but due to the significant period of time that has elapsed since the incident occurred, and the lack of clear-cut evidence, I will have to reiterate that these transfers will not be reverted.
Regards,
Game Master Alliynnah
Customer Services
Blizzard Entertainment
http://eu.blizzard.com/support
If the report in the tech section of BBC web page this morning is correct. They got away with millions of unencrypted email addresses.
This may be why I am seeing a huge increase in spam mail the last few days with emails having my email address in both the from and to slots.
Good chance this was a possible target. Lots of money selling Email lists. If you have a big enough list.
@Horusra
In which case I stand corrected, thanks for that!
~ Hobyah Press ~ Wyldlands Celtic & Iron Age RPG ~
NP