Not the first, and not the last account security alert for a game company came yesterday from Blizzard. In short – their systems were significantly compromised sometime around Aug 4 2012, and while no credit card information, billing addresses, or real names were exposed, the basic message is that everyone needs to change their passwords and account information. Details here.
Honestly I think that this is a mess, and a mess that demonstrates a few points worth noting for organisations which have either a vocal population or sensitive information (yes, everyone):
- Anyone is vulnerable to a hack, even the monolithic software developers. Consider that the larger the company, the larger the revenue, and the larger the trove of information that could be obtained. That makes Blizzard an exceedingly juicy target.
- Good tools and development principles help protect customers. The authenticator makes a big difference. How passwords are stored in the system's database makes a huge difference: a per-user salted, deliberately slow hash survives a database leak far better than a plain, fast, unsalted one.
- Telling customers the open truth will garner the best reaction. Following up with extra news and responses to questions will save the share price.
- Telling customers quickly is critical. If a customer finds out late then the vendor is on the hook for every poor experience in the customer's mind from that point forward, however illogical that is.
- Always provide a plan of what to do next, and what is happening next.
It is not just that companies need good security (they do); they also need excellent protocols for security events. A gaffe in dealing with a breach will hurt long after the actual systems are restored. The public has a long memory.
This means that while trying to patch the issue Blizzard are also considering the PR damage control. It appears from my first review that Blizzard took the honest path: they spoke clearly about what happened. I think I read elsewhere that they have also involved external consultants to help. Even bloody better. Nothing makes a systems or a dev person stand up like having another techie review how you do things. In spite of the hack, it's good to see.
So go update your passwords. I'm not sharing a "password reset" link, as I distrust any link like this that I don't type out myself.
Cryptic told me via email today that my password and some user credentials might have been compromised.
“The unauthorized access included user account names, handles, and encrypted passwords for those accounts. Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database.
All accounts that we believe were present in the database have had the passwords reset, and customers registered to these accounts have been notified via e-mail of this incident.”
I want details, more detail than they supplied. It is a huge concern when the gaming market is going for micro-transactions, and those accounts can store credit cards, especially for inactive games. This event apparently only directly relates to Star Trek Online and Champions Online, but any breach is serious.
Cryptic are doing the right thing by owning up to it, and making channels available to the community affected. They're doing the minimum right thing. But sheesh Cryptic, how many times has this happened to game companies in the past, and why is it so ungodly difficult to establish a secure database system?
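Cryptic's notice says the passwords were "encrypted" yet some were cracked, and does not say how they were stored. The following is an added example, not Cryptic's or Blizzard's code, showing the difference storage makes: the same small dictionary attack run against unsalted SHA-1 and against salted PBKDF2-HMAC-SHA256. The user list and wordlist are constructed for the demo; `PBKDF2_ITERATIONS` is an assumed value that should be tuned upward as hardware gets faster.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample accounts and a tiny "wordlist"; not real users or a real leak.
USERS = {"alice": "password1", "bob": "trustno1", "carol": "correct horse battery staple"}
WORDLIST = ["123456", "password", "password1", "qwerty", "trustno1", "letmein"]

PBKDF2_ITERATIONS = 100_000  # assumed; raise it as attacker hardware improves


def store_weak(password: str) -> str:
    """Unsalted SHA-1: fast, and identical passwords produce identical hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_strong(password: str, salt: bytes = b"") -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_strong(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_weak(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes: one hash per candidate tests every user at once.
    Returns (user -> recovered password, number of hash computations)."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    found: Dict[str, str] = {}
    work = 0
    for candidate in wordlist:
        work += 1
        for user in by_hash.get(store_weak(candidate), []):
            found[user] = candidate
    return found, work


def crack_strong(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Same attack on salted PBKDF2: the salt forces a separate KDF run per user per candidate,
    and every run costs PBKDF2_ITERATIONS HMAC evaluations instead of one."""
    found: Dict[str, str] = {}
    work = 0
    for user, record in stored.items():
        for candidate in wordlist:
            work += 1
            if verify_strong(candidate, record):
                found[user] = candidate
                break
    return found, work


if __name__ == "__main__":
    weak_db = {u: store_weak(p) for u, p in USERS.items()}
    strong_db = {u: store_strong(p) for u, p in USERS.items()}
    f1, w1 = crack_weak(weak_db, WORDLIST)
    f2, w2 = crack_strong(strong_db, WORDLIST)
    print("unsalted SHA-1 :", f1, "after", w1, "hashes")
    print("salted PBKDF2  :", f2, "after", w2, "KDF runs x", PBKDF2_ITERATIONS, "iterations")
```

Both attacks recover the same weak passwords, because a slow hash cannot rescue "password1"; what changes is the cost. Against the unsalted table every candidate is hashed once for the whole database, while the salted table costs one full KDF run per user per candidate, which is what turns "cracked some portion of the passwords" from hours into years for anything outside a small wordlist.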
What the hackers want your account for
After two more guildmates got hacked last week, I decided to check and change my account security. I’ve used an authenticator since shortly after they were released, which I think is 90% of the protection that can be applied.
The other 10% comes down to the remaining weak points: a guessable login email address, spyware on your own machine, and reusing the same password for different purposes.
If for whatever reason you don't have an authenticator then please get one. I really believe that if the hackers find an account with an authenticator then they'll move on to an easier target. Even if only 5% of players don't have them (only Blizzard knows, I guess), that is still 550,000 of 11 million accounts. Would you rather be in the group that are easy targets, or the group that are significantly harder to hack?
Like most folks, Real ID and the Battle.net integration were not around when I picked which email address to use, and my Warcraft account name was not too crazy, but still within the bounds of something I could remember. When we all changed to using our email addresses to log in, I kept the default one I'd used for sign-up.
This was a bad idea, and needed to be changed.