Gawker hack prompts Blizzard to issue password reset

Earlier we reported these emails as phishing attempts. This turned out to be incorrect. At the time members of our staff received these emails, Blizzard had said nothing about them, and attempts to phish WoW account passwords are common after well-known hacking attempts.
Nonetheless, it is imperative that everyone use an authenticator and practice good password security. Always check where a link actually leads before you follow it, and don't use the same password for multiple sites -- especially for your WoW account. If you do have an account with a Gawker website, it's recommended that you reset your Battle.net / World of Warcraft password.
Blizzard's full statement after the break.
Blizzard Entertainment
As some of you know, several Gawker Media websites, including Gawker, Gizmodo, Kotaku, Lifehacker, Jezebel, io9, Jalopnik, and Deadspin, were recently compromised. To help minimize the effects of this compromise -- namely for players who might be using the same login information for their Gawker Media accounts and their Battle.net accounts -- we recently issued password-reset emails for several accounts. If you've received an email from Blizzard Entertainment requesting a password reset as a result of the Gawker Media compromise, please click on the link included in the email's body to choose a new password. You can also log in to Battle.net Account Management to reset your password on your own ( https://us.battle.net/account/management ).
If you used your Battle.net email address to sign up with any of the Gawker Media sites listed above (for example, to post comments), we also recommend that you update your Battle.net email address as soon as possible via Account Management. If you are unable to complete this step or the password reset and believe your account might be compromised, please contact our customer support staff by using the Account Recovery Form ( https://us.battle.net/account/support/account-recovery.html ) and be sure to check out our Account Security Awareness guide ( http://us.battle.net/en/security/ ) for additional security tips and suggestions.
For more information about this situation, please visit Gawker Media's official announcement ( http://gawker.com/5713056/gawker-security-breach-were-here-to-help ) or Lifehacker's comprehensive FAQ ( http://lifehacker.com/5712785/faq-compromised-commenting-accounts-on-gawker-media ).
Reader Comments (Page 5 of 6)
Agony Dec 15th 2010 3:06PM
"...the authenticator is just a cash grab..."
Except for the fact that it's free to download on an increasing number of cellular phone platforms...
rosencratz Dec 16th 2010 8:33AM
"Don't equate luck to skill, anyone can get hacked."
Don't equate someone's bad luck as being everyone else's destiny.
The authenticator is a tool, a useful tool too but not a tool that I personally need and I get a bit bored with people telling me it is necessary or "imperative".
I shall reiterate that all I'd have to gain from it would be the pet.
VIV Dec 15th 2010 6:03AM
I feel hacked - IceT Plays a cop on TV after the Cop Killa album.
WTF I must be old and pay waaay too much for cable.
WoW has never represented that bad.
jrb Dec 15th 2010 6:44AM
It's about time Blizzard introduced password expiry on to battle.net accounts, to help minimise the hacks that are being carried by gold farmers hacking other community websites. It's common knowledge people (as in the general collective) use the same passwords everywhere, so helping minimise this by enforcing password expiry on battle.net will only help reduce account hackings, lower support costs, and restore faith in Blizzard's security.
It's also a lot easier to introduce than enforcing a policy of requiring authenticators. In fact, WoW players in Taiwan already have password expiries in place, and suffer much much lower counts of account hacks.
Tokkar Dec 15th 2010 3:11PM
This actually wasn't gold farmers hacking in to steal account information, this was a complete server compromise where considerably sensitive information was made public - to include user names and passwords. What this is concerning is for those who use those same user names (in the way of email addresses) and passwords on those forums and on WoW.
The lesson here is to use different passwords for everything, but not many do as it's inconvenient or difficult to remember. Blizzard is being cautious and ensuring that people don't get screwed over.
Password expiry? Not a bad idea really, but people will complain about it - guaranteed.
jrb Dec 16th 2010 5:22AM
The point was Blizzard sent out a warning because they realise that people use the same passwords from site to site, from service to service. Enforcing password expiry would get around this obvious security flaw. Not only that, but they already do it in one of their territories and it has proven a successful way to combat gold farmers / account hackers.
Tokkar Dec 17th 2010 6:17AM
Oh, I can definitely relate and I agree with your suggestion. I've worked in the IT field enough to know that passwords should be changed every...well I wouldn't go 30 days, but every 60 days, which is what we used, is a great way to ensure that sensitive information stays where it belongs, and not posted on the Internet for everyone to see.
Still, we're talking about WoW players, and if regular [2. Trade] contributors (and some of the comments on this thread) are any indication, people will be complaining to their senators and congresspersons if Blizzard instituted a password expiry.
/sigh
Sir Broose Dec 15th 2010 7:37AM
The really unfortunate thing here is that I DID receive a phishing email regarding this. There were several improper uses of the English language in the email, which made it an obvious scam (to me), but other than that, it appeared to be official. I knew better than to click the link, but with this new advice from Blizz, some people may not.
Sir Broose Dec 15th 2010 7:48AM
Tried to reply to this and it failed. See the email in new thread post below.
Sir Broose Dec 15th 2010 7:45AM
Dug through my trash folder and found it. You will see I wasn't kidding about the slaughtered English. You would think no one would believe this, but when Blizz gives that kind of advice, there will be those who don't think and just click - especially with the warning (threat) at the end of the email:
From: noreply@battle.net
Subject: Battle.net Account Management
Date: December 14, 2010 5:42:05 AM EST
Greetings!
Recently, the Gawker problem of account invasion is getting worse and worse which cause enormous player’s equipments and virtual currency stolen. This severely damages the benefits of mass players, also causes our company lose a lot of customers.
Our company has to adopt some measures to safeguard our common benefits in order to strengthen the safety of mass players'accounts, and firmly resist the account to be stolen again.Through our company's research and investigation to xxx customers,we will make the following decisions: we launch a package of updated Battle.net Mobile Authenticator and dynamic code protection card which can effectively prevent the accounts invaded. We will send this package of code protection system to players free of charge.
Please open this connection:
https://us.battle.net/login/en/?ref=https%3A%2F%2Fus.battle.net%2Faccount%2Fmanagement%2Fadd-game.html&app=bam&cr=true
If your account passes the check successfully, we will send this package of dynamic Battle.net Mobile Authenticator to you in the form of e-mail.
In 3 days after you receiving the e-mail, if you don't submit your information, we have right to freeze your account, every player is obligated to protect the safety of the account. You must work together with us to be determined to crack down all the behaviors of destroying games.
If you had already authenticator your account, please disregard this automatic notification.
Regards,
The World of Warcraft Support Team
Blizzard Entertainment
langiszero Dec 15th 2010 8:13AM
Wow, Gawker sites are branching from reporting biased news to reporting biased news and causing security complications for their users.
Fortunately I swore off Gawker's nonsense websites long ago.
Authenticator still not required and still the biggest BS scare tactic employed by a game developer since... ever? Yeah, ever.
Vote it down, fanboys.
Peepers Dec 15th 2010 8:43AM
[Oprah]
A tinfoil haaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaat!
You get a tinfoil hat! You get a tinfoil hat! And you get a tinfoil hat!
[/Oprah]
What exactly does Blizzard gain from this "scare tactic"?
Tokkar Dec 15th 2010 3:16PM
"Vote it down, fanboys"
"Suck it, fanboys"
"Make it gray, fanboys"
Do you actually contribute anything of interest, or are you just here to be a nuisance?
Just curious.
Zaniac Dec 15th 2010 8:30AM
Soooo... Just to clarify here:
This is all about the US realms, even though no one even mentions that...
Am I right?
Just sitting over here in the rest of the world and wondering what the heck you're all talking about. There's absolutely nothing going on here, no emails from Blizzard anywhere, and no mention of nothing. I don't even know what Gawker is.
Some people might be panicking over something they shouldn't even be concerned about, and a simple mention of which areas this was relevant to, or a little more background information might help put them at ease...
Samuel Reese Dec 15th 2010 12:43PM
While Blizzard is only taking action on the US Realms (I suppose, haven't confirmed this myself?), the breach of Gawker's servers is on a worldwide scale since the site is not limited to American users.
Gawker, aka Kotaku, aka Gizmodo, aka Lifehacker, aka Consumerist, aka Jalopnik. If you used any of their sites, it'd be best to reset your passwords now. Blizzard is doing the smart move here doing the reset (though I question their e-mails really...).
Radiophonic Dec 15th 2010 8:46AM
If they would just utilize the verified sender system for their emails they wouldn't be discarded as phishing scams all the time. I receive 20+ fake blizzard emails a day and quite frankly, I get tired of digging through them to weed out the real one.
Stormsurge Dec 15th 2010 9:19AM
I posted something on the official forums after I received this email pondering whether or not it was real. I was called a moron and a retard by the other posters for thinking that this lame attempt at a phishing email could have really come from Blizzard. I said it would at least be nice for Blizzard to address the Gawker situation on their official boards. Now it turns out that the email was real? WTF?!?! Can't Blizzard at least post something official on the boards before sending out the email so we can at least have something to reference on their site?
ducss750 Dec 15th 2010 10:04AM
Actually I've found Blizzard's service to be excellent. The ingame GMs are invariably polite and thorough, only 1 incident has required a second review.
The account support has also been exemplary. My afore-mentioned nephew (soon to be a proud parent of a core-hound pup) has been compromised twice. First time he had talked his parents into a powerleveling service for one of his alts, second time was his foray into the world of RealID. Each time Blizzard restored or reimbursed his account with equivalent items, the first compromised his guild bank and from what I understand the majority of the items there were also restored.
The glaring problem with Blizzard support is not ability or attitude; it is the overwhelming shortage of warm bodies. Every call goes on hold, every email sits unanswered for an extended length of time, every GM request ingame sits on screen real-estate as an irritating reminder. When the help finally does arrive it is prompt, professional and usually refreshingly witty.
The most easily controlled business expense is personnel. Period. Payroll is a quantifiable metric in a corporate balance sheet. What is NOT measurable easily is the perception your customers have when you do not have adequate support personnel.
tldr
The peeps are great, just not enough of them. Blizz, hire some more warm bodies.
salaccia Dec 15th 2010 10:10AM
I guess I'm the only commenter here who actually was a registered Gawker user and got the Blizz email? In any case, thanks for correcting the previous story. The email from Blizz went out at about the same time the official Gawker email did (which is to say about a day after Google figured out some Gmail users, like myself, were involved).
I too found it quite odd that Blizz asked us to click a link in their email, as other commenters had noted. Especially since I'm sure people are going to try to mine our compromised accounts for all they can get. In any case, I'm definitely buying an authenticator - I've made my password 20 chars+ long, complex, non-dictionary, the works, but frankly I'm not sure how much that's going to help. Anybody can get hacked, especially if their email address has been served up to the interwebs on a silver platter.
threesixteen Dec 15th 2010 11:05AM
never had an authenticator. will never get one. don't need it. if it was a mandatory part of the game, it should come included with subscription fee or with the game package purchase. it's just a money grab. i won't buy it. been playing since 2006. never had a problem.