Recent security breaches spur new Battle.net phishing emails
This story has been redacted after new facts have been brought forth. Please see the latest news concerning Blizzard's password reset in response to the Gawker hack.
Reader Comments (Page 1 of 3)
Perenoldian Dec 14th 2010 7:04PM
Thankfully I already had an iPhone, so my authenticator was free, but I'd pay the what, $6? $7? Dollars to get one, except that I just know I'd lose it and have to make a very embarrassing call to Blizzard...
Safety first kids! (was that too creepy? Wait it's the internet. So? Still creepy! Why am I talking to myself..? *fades*)
Robert Powell Dec 14th 2010 9:25PM
Until something happens to you like it did me... iPhone went haywire and... oh, no authenticator, embarrassing call to Blizz... and 3 days later, finally able to play
Snuzzle Dec 14th 2010 10:33PM
I keep mine on my keychain. That way, I always know where it is (since my keys are something that's too important to lose) and it's always with me. I know some people who live alone who've duct-taped it to their monitor or just keep it on their desk.
I bought my Authenticator the moment they were announced, and it was the best money I've ever spent on the game. Well, aside from the race-change on my shaman to a goblin, that is ;)
bluespacecow Dec 14th 2010 11:03PM
Perenoldian I'mma let you finish but ...
Official confirmation.
http://us.battle.net/wow/en/forum/topic/1536333940
[quote]As some of you know, several Gawker Media websites, including Gawker, Gizmodo, Kotaku, Lifehacker, Jezebel, io9, Jalopnik, and Deadspin, were recently compromised. To help minimize the effects of this compromise -- namely for players who might be using the same login information for their Gawker Media accounts and their Battle.net accounts -- we recently issued password-reset emails for several accounts[/quote]
So the battle.net reset emails were real folks.
bluespacecow Dec 14th 2010 11:06PM
Sorry Perenoldian I replied to your comment so that link would be on the front page.
The Gawker media compromise is real. So rather silly people were using the same email on the Gawker sites as their battle.net email.
So Blizzard sent out password reset emails to affected customers.
jfofla Dec 14th 2010 7:06PM
I could give a rat's ass if they know my email.
I use an Authenticator.
wow Dec 14th 2010 7:10PM
It's probably a larger concern to most WoW players that EJ got owned than Gawker...
Rendus Dec 14th 2010 7:11PM
Here's a fun fact:
These are legit. They'll probably be mimicked by phishers, but Blizzard has actually sent out these messages.
tafuub Dec 14th 2010 7:22PM
I think you missed the point my man. On a side note though, I always thought the authenticators were easy to bypass. I don't know much about the general security of it but I do know about "breaking-in" through these kinds of securities and I always thought they were bogus. It's like a lock on the front door of your house that switches keys all the time, all you have to do is snatch the key away from the person (digital sense not physical sense). So I'm pretty iffy on the authenticator and actually I purchased it for the pet not the security if that shows my opinion of them.
Res Dec 14th 2010 7:30PM
I believe if you log in to a spoof site using your authenticator and they are able to then log into your account nearly immediately before the number changes, that's the only way they can get around it. I could be totally off, but even in that case it's still very time sensitive so it seems to be a fairly strong security measure considering.
Basil Berntsen Dec 14th 2010 7:33PM
That one wasn't- when I logged in with my real password on the real site, there was no "change your password please" message.
sean.aikins Dec 14th 2010 7:44PM
Rendus is actually correct. I have one sitting in my inbox that is verifiably from Blizzard. That looks JUST like the one shown in the image above. His point was that WoW Insider should probably note that there are legit and illegit e-mails floating about.
Amaxe Dec 14th 2010 8:31PM
Why the hell are you providing a link to a phishing site? That strikes me as kind of reckless.
Task Dec 14th 2010 8:47PM
@Amaxe
I can see your point about what I did yes, but I was providing an example of what I've been getting nearly everyday.
icepyro Dec 14th 2010 8:58PM
Whether it's legit, illegit, or too legit to quit, it's way better to manually go to us.battle.net and login and verify what's going on than it is to click on a link in email. In fact everything in this article is my protocol, even if the email is verified valid and contains no phishing links or anything. Better safe than not.
Prophetik Dec 14th 2010 7:24PM
I've started using the LastPass website/extension now after this Gawker thing. What a mess.
Malkil Dec 14th 2010 7:25PM
For gmail users:
Gmail will ignore periods in email addresses. For example, if your email account is youraddress@gmail.com all of the following will be routed to your address:
your.address@gmail.com
yo.uradd.ress@gmail.com
your.a.ddress@gmail.com
etc
Alternately, gmail will also ignore anything after a plus sign. For example, the following will be routed to your address as well:
youraddress+wowinsider@gmail.com
Use either, or both, of these methods when registering email addresses with various sites. This will allow you to tell if a "Blizzard" email is legitimate or not at a glance.
MikeLive Dec 14th 2010 7:38PM
This is a flawed sense of security. Any well-programmed scanner will know this and be able to pull out your original email.
wow Dec 14th 2010 7:53PM
A well programmed email scammer is like finding a quality pug.
99.999% of the time it runs regex over a database/website, and starts shooting off emails. End of story.
Tom Dec 14th 2010 8:14PM
I too highly recommend this in general, as I have a similar setup on my own domain. It's helped me over the years to know that the following sites have all been hacked at some point. Once that happens, I just toss the e-mail unique to them into my block list.
1. Curse.com
2. MMORPG.com
3. Microsoft (more specifically, the Office 11 beta site)
4. Shockwave (back when it was still under Macromedia)
5. Kotaku (in the recent hack)
6. Walgreens
(Probably a few more, just thinking of major ones off the top of my head)
And if an e-mail scanner somehow detects my trick and strips the domain unique part off, it turns into an invalid e-mail address.
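Added example (not part of the reader comments or the original article): a Python version of the address-variant check Malkil and Tom describe above, comparing the Gmail variant a message was sent to with the site it claims to come from. The registry contents, function names and result labels are constructed for illustration, and it assumes the bare address was never given to any site.

```python
from email.utils import parseaddr

# Constructed sample data: the address variant handed to each site at signup.
MY_MAILBOX = "youraddress@gmail.com"
REGISTRY = {
    "your.address@gmail.com": "battle.net",
    "yo.uradd.ress@gmail.com": "gawker",
    "youraddress+wowinsider@gmail.com": "wowinsider",
}

def split_gmail(address):
    """Return (canonical mailbox, plus-tag or None) for an address."""
    addr = parseaddr(address)[1].lower()
    local, _, domain = addr.rpartition("@")
    if domain != "gmail.com":
        return addr, None
    base, plus, tag = local.partition("+")
    # Gmail ignores dots and everything after '+', so drop both.
    return base.replace(".", "") + "@gmail.com", (tag if plus else None)

def classify(recipient, claimed_site, registry=REGISTRY, mailbox=MY_MAILBOX):
    """Compare the variant a message was sent to with the site it claims to be."""
    if split_gmail(recipient)[0] != mailbox:
        return "not-mine"
    site = registry.get(parseaddr(recipient)[1].lower())
    if site is None:
        # Bare or normalized address: under the assumption above it was never
        # given to any site, so it did not come from one of the signups.
        return "unregistered-variant"
    if site == claimed_site:
        # Matches the signup, but that alone does not prove the sender.
        return "consistent"
    # Variant registered with one site, message claims to be another.
    return "leaked-by:" + site

if __name__ == "__main__":
    inbox = [  # constructed (To address, brand the message claims)
        ("your.address@gmail.com", "battle.net"),
        ("yo.uradd.ress@gmail.com", "battle.net"),
        ("youraddress@gmail.com", "battle.net"),
    ]
    for to_addr, brand in inbox:
        print(to_addr, brand, "->", classify(to_addr, brand))
```

A "consistent" result only means the variant matches the signup; going to the site directly rather than following the email's link, as icepyro suggests, still applies.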