Class Action Lawsuit Against Blizzard

Forum adverts like this one are shown to any user who is not logged in. Join us by filling out a tiny 3 field form and you will get your own, free, dakka user account which gives a good range of benefits to you:

No adverts like this in the forums anymore.
Times and dates in your local timezone.
Full tracking of what you have read so you can skip to your first unread post, easily see what has changed since you last logged in, and easily see what is new at a glance.
Email notifications for threads you want to watch closely.
Being a part of the oldest wargaming community on the net.

If you are already a member then feel free to login now.

**LordofHats**

A law firm specializing in consumer protection cases slapped Blizzard, the makers of World of Warcraft, StarCraft and Diablo III, with a class action lawsuit over its sale of two-factor account authenticators, a claim the company says is without merit.

Yes, you can get a completely free Battle.Net account authenticator through the use of a smartphone app, which Blizzard makes available for iOS, Android and Windows Phone. If you don't have a smartphone, you can purchase a keychain authenticator for $6.50. If you don't have a smartphone and don't want to pay money, you better use a unique password. Battle.Net was hacked back in August, exposing the email addresses of those on Blizzard's North American servers.

All of this equates to "negligent and deceptive practices related to [Blizzard's] customers' account security," according to Carney Williams Bates Pulliam & Bowman, PLLC, the firm litigating Benjamin Bell et al v. Blizzard Entertainment Inc. Kotaku was sent a copy of a news release about the lawsuit yesterday.

The claim draws on the Aug. 9 breach of Blizzard's servers to argue that, in order to truly secure their information, Blizzard customers must take extra steps, and the sale of authenticators—even if a free alternative is available—constitutes "deceptive upselling." The suit also is none too happy with "Blizzard's negligence in maintaining proper security protocols."

Pardon me, but this sounds like a bit of an overreach. For starters, there is a free option for two-factor authentication. And yes, ownership of a smartphone is not some mandatory citizenship requirement, but a lot of people have one. A lot of people also use Google Mail and Facebook, which also offer two-factor authenticator apps, as an optional security enhancement, which is exactly what Blizzard calls this extra step. That said, Blizzard has required that anyone selling items in Diablo III's real-money auction house must use an account authenticator. Again, there's a free option available.

Whatever, smarter legal minds than mine brought this suit and will fight it out. Blizzard, in a statement to Forbes, vowed to fight the suit. "This claim is also completely untrue, and apparently based on a misunderstanding of the Authenticator's purpose," it said. "The Battle.net Authenticator is an optional tool that players can use to further protect their Battle.net accounts in the event that their login credentials are compromised outside of Blizzard's network infrastructure."

Its about damn time. The authenticator thing is crap but negligent security defines Blizzard fairly well.

**Shredsmore**

LordofHats wrote:
Its about damn time. The authenticator thing is crap but negligent security defines Blizzard fairly well.

No. Just no. Blizz has done a phenomenal job of being secure. Their chief game, WoW, at one time peaked at 13 million players worldwide, and do you have any idea how to even try to be as secure as Blizz has been for the past 8 years?
Not very many player's accounts have been compromised when being compared with that big number, and if a player is hacked, Blizzard GM support restores everything.....
Also, I do not think that Blizz is in any way trying to force people to buys authenticators, they just encourage it as an extra means of security. Not many people would complain about being more secure, it's like complaining over having to pay for anti-virus software.

**LordofHats**

That's why I agree the 'conspiracy'' to sell authenticators is overreaching. If that were true, then they would offer free apps at all.

What I'm hoping for is that the lawsuit will force Blizzard to stop being so ignorant of several gapping security flaws apparently present in their system that hackers have been abusing for years.

**Shredsmore**

LordofHats wrote:
That's why I agree the 'conspiracy'' to sell authenticators is overreaching. If that were true, then they would offer free apps at all.

What I'm hoping for is that the lawsuit will force Blizzard to stop being so ignorant of several gapping security flaws apparently present in their system that hackers have been abusing for years.

Ok, I get it. I agree with how there are hackers that have been abusing the same systems for years, but I don't think that it is Blizzard being ignorant, I think Blizz knows that these hackers will just find a new way to proceed with their no-good shenanigans. I have heard that the WoW authenticators have already been cracked. This man is excellent on these issues, especially in WoW:

http://www.youtube.com/user/markeedragon

**Conrad Turner**

And has noone else had e-mails from 'blizzard' saying that their account has been hacked and to follow the link to change their password and log-in details? Or that your account was due to be suspended as they had information you were selling it?

I know I have. Didn't follow the link, but forwarded the mail to Blizzard security to find out if it was a phishing scam as I suspected it was. Had no reply, was left in the dark as to whether my account had been compromised or whether it was a mistake. As I was no longer able to play due to losing my connection, I wasn't particularly bothered. When I started getting mails on a daily basis, I added them to my blocked sender list, and it was then that I realised my initial thoughts were correct. The address was a very close copy, but was out in a single small detail.

So I wonder how many of the people who recon that their account has been compromised have actually given away their details in phishing scams like this! (Even if Blizzard have to shoulder some of the blame if they got hacked and people's e-mail addresses were stolen.)

**Kanluwen**

I get tons of those emails in my Spam filter.

All of them from China, Russia, or Romania.

**Lynata**

lol @ lawsuit

Let's just sue Google, Sony and Bioware as well while we're at it. And the banks! Some of them use authenticators for online banking, too, after all.

Seriously, this is why we can't have nice things. Kinda reminds me of Saul Goodman's airplane lawsuit in Breaking Bad.

Also, "negligient security"? We are all aware that there can be no such thing as a 100% safety from attacks, yes? Look at the host of other gaming companies, or ... hell, look at the friggin' Pentagon.
Authenticators work as they are supposed to, by adding another layer of security to your account. Unfortunately, many of the players are negligient and/or naive enough to need that.

PS: The "hackers" you see in the game have nothing to do with account security whatsoever.

**Palindrome**

Lynata wrote:
lol @ lawsuit
Let's just sue Google, Sony and Bioware as well while we're at it. And the banks! Some of them use authenticators for online banking, too, after all.

None of them sell authenticators though.

**Kanluwen**

Lynata wrote:
lol @ lawsuit

Let's just sue Google, Sony and Bioware as well while we're at it. And the banks! Some of them use authenticators for online banking, too, after all.

Seriously, this is why we can't have nice things. Kinda reminds me of Saul Goodman's airplane lawsuit in Breaking Bad.

Also, "negligent security"? We are all aware that there can be no such thing as a 100% safety from attacks, yes? Look at the host of other gaming companies, or ... hell, look at the friggin' Pentagon.
Authenticators work as they are supposed to, by adding another layer of security to your account. Unfortunately, many of the players are negligent and/or naive enough to need that.

PS: The "hackers" you see in the game have nothing to do with account security whatsoever.

Have fun.

The "main focus" of this is that Blizzard has repeatedly suffered intrusions to their network, where the personal information (in this case, personal email addresses) of its customers is stored. The other part of this is that Blizzard/Activision has--seemingly-- not done anything to secure their network and the personal information of their customers. Instead, they have chosen to sell authenticators--which as you noted, simply "adds another layer of security to your account".

The fact of the matter is that authenticators do nothing to secure your information in Blizzard's hands. Which is what the crux of the matter is here.

**LordofHats**

I think Kan has the heart of it. Blizzard has been very negligent with their security. Lets just remember the Diablo 3 hacking spree, where Blizzard remained adamant that no one could session spoof the game, even after video evidence was produced of hackers session spoofing. Blizzard-Activision has been extremely lax in their security standard and have been for a long time and when told they are lax refuse to admit there is a problem and their fans refuse to believe that Blizzard could do any wrong. Instead of tightening poorly protected servers they just throw out authenticators which have now been cracked by hackers (and actually have probably been cracked for a very long time).

**Lynata**

Palindrome wrote:None of them sell authenticators though.

http://www.soe.com/soeauthenticator/
http://www.swtor.com/info/security-key

These thingies are becoming fairly standard for popular online games these days - simply because so many people fall victim to phishing scam (or are even sharing their accounts, or are giving out their login information to power leveling services), thereby creating either an increase in customer support cost and/or a decrease in customer satisfaction when gamers find out their account has been accessed and stripped by a 3rd party.

Kanluwen wrote:The "main focus" of this is that Blizzard has repeatedly suffered intrusions to their network, where the personal information (in this case, personal email addresses) of its customers is stored. The other part of this is that Blizzard/Activision has--seemingly-- not done anything to secure their network and the personal information of their customers. Instead, they have chosen to sell authenticators--which as you noted, simply "adds another layer of security to your account".
The fact of the matter is that authenticators do nothing to secure your information in Blizzard's hands. Which is what the crux of the matter is here.

I know of a *single* successful intrusion, which is a fairly low score considering how often this is happening throughout the gaming industry these days. So why is this company being singled out?

Furthermore, you do not know what they did or did not do in regards to their internal security. Authenticators have been sold before, they have nothing to do whatsoever with that attack - although they would still help to alleviate the risks.
In the end, no corporation, not even Blizzard Entertainment, can take your computer's security into their hands. As has been stated, the information that was stolen was not enough to access an account. A player would still need to fall for the phishing scam e-mail that was potentially sent to the e-mail address that was stolen as part of the hack.

Actually ... let me correct that, we *do* know that they ramped up some of their security in regards to user access. Apart from the continuously updated security checklist (which is more than I know from the vast majority of online game providers), have you heard of SMS Protect? It is a new service that was just launched about a month or so ago. Again just another layer of additional security, but I suppose it could help someone.

I have no idea what people do with their login information; I haven't been compromised anywhere since I went onto the internets. And I do not even use an authenticator!

**Kanluwen**

Lynata wrote:

Kanluwen wrote:The "main focus" of this is that Blizzard has repeatedly suffered intrusions to their network, where the personal information (in this case, personal email addresses) of its customers is stored. The other part of this is that Blizzard/Activision has--seemingly-- not done anything to secure their network and the personal information of their customers. Instead, they have chosen to sell authenticators--which as you noted, simply "adds another layer of security to your account".
The fact of the matter is that authenticators do nothing to secure your information in Blizzard's hands. Which is what the crux of the matter is here.
I know of a *single* successful intrusion, which is a fairly low score considering how often this is happening throughout the gaming industry these days. So why is this company being singled out?

Because there have been far more intrusions than that?

Before it became ActiBlizzard, there were some 3-4 intrusions over the lifetime of WoW.

As of why Blizzard got singled out?
They are now the only one which have a "real money" system which can result in people getting scammed for real cash values.

Furthermore, you do not know what they did or did not do in regards to their internal security. Authenticators have been sold before, they have nothing to do whatsoever with that attack - although they would still help to alleviate the risks.
In the end, no corporation, not even Blizzard Entertainment, can take your computer's security into their hands. As has been stated, the information that was stolen was not enough to access an account. A player would still need to fall for the phishing scam e-mail that was potentially sent to the e-mail address that was stolen as part of the hack.

And that's what you're not grasping.

The crux of the lawsuit is that Blizzard has not done enough to protect the email addresses of their customers. Those phishing emails that people are getting?

That is what is at the heart of the matter. The additional part of the case is that due to Blizzard's lax security measures, an authenticator is considered "required".

I have no idea what people do with their login information; I haven't been compromised anywhere since I went onto the internets. And I do not even use an authenticator!

I had my WoW account compromised a whopping five times...with the kicker being all five times were while the account was not active and I had no payment method set. That was with an authenticator, never sharing account info, etc.

The only reason I know about it is that the individual would consistently get messaged by friends of mine, who would talk to me outside of WoW as well and knew that my account was inactive.

**LunaHound**

LordofHats wrote:
That's why I agree the 'conspiracy'' to sell authenticators is overreaching. If that were true, then they would offer free apps at all.

What I'm hoping for is that the lawsuit will force Blizzard to stop being so ignorant of several gapping security flaws apparently present in their system that hackers have been abusing for years.

A company will let hackers slide for a few simple reason.
Because Blizzard can catch and contain known hacks, it takes less resource than say,
if the hacker's current hack was stopped. And then they came up with a new version next week, rinse repeat.

Not every hack users are programmers, alot of just DL the program and ran it.
This means Blizzard can easily catch the hack users.

The only type of hacks Blizzard is truly worried about are the one that gives out credit card info, customer info,
because it leads to real lawsuits.

I have been playing WoW for as long as Im on Dakka, no authenticator, simple password.

Never had any issues.

Blizzard you rock. keep up with making cool mmo, keep the bar high, I know WoW is old and ancient by now.
But you know, so far no other MMO comes close as "the game that killed WoW"

But of course, haters gonna hate, especially warhammer online's bitter fans.

**LordofHats**

especially warhammer online's bitter fans.

Well if we can agree on anything, its that Warhammer Online fans are bitter

**LunaHound**

LordofHats wrote:
especially warhammer online's bitter fans.

Well if we can agree on anything, its that Warhammer Online fans are bitter

Because I can relate.... for I was one lol....

**dogma**

Kanluwen wrote:

They are now the only one which have a "real money" system which can result in people getting scammed for real cash values.

Which creates some very interesting property law issues, especially given the international scope of Blizzard's games.

For example, how does Blizzard deal with the implied warranty of merchantability in a case where illegitimately obtained items were exchanged for real money?

**Lynata**

Kanluwen wrote:And that's what you're not grasping.
The crux of the lawsuit is that Blizzard has not done enough to protect the email addresses of their customers. Those phishing emails that people are getting? That is what is at the heart of the matter. The additional part of the case is that due to Blizzard's lax security measures, an authenticator is considered "required".

I am getting these phishing e-mails, which have been sent out ever since WoW existed, as well. I am even getting phishing e-mails for games that I have never, ever played in my life - and guess what, all of them land on an e-mail address not associated with my Battle.net account. In fact, that one never got any phishing scams, as I only use that for Battle.net and nothing else. How's that for a wedge in this silly theory?

What you are apparently "not grasping" is that 100% security is an illusion. It is, however, in these cases much easier for the customer to take appropriate measures than the company on the other end. Of course that would require getting rid of this sense of entitlement and actually studying the issue rather than just pointing fingers at someone else, so I suppose humanity will be stuck with this problem for the coming decades at least. Cyber criminality is an emerging business sector, after all, even moreso as a large number of people (ironically including those who complain about phishing and botting) are perfectly willing to buy gold as if they wouldn't know where it's from.

Kanluwen wrote:I had my WoW account compromised a whopping five times...

Ahhh ... now I get it.

Well, all I can say is fix yer leaks - and be glad that so far it has only been your WoW account and not something more important.

**Kanluwen**

You really need to read things more carefully, Lynata.

I get that 100% security is an illusion. I really do.

What I also understand though is that a company like Blizzard, which is responsible for the personal information of its customers, has a responsibility to up its game and should not be surprised when people bring lawsuits against them for having to failed to take the necessary actions beforehand.

**dogma**

Lynata wrote:
Of course that would require getting rid of this sense of entitlement and actually studying the issue rather than just pointing fingers at someone else, so I suppose humanity will be stuck with this problem for the coming decades at least.

Which, funnily enough, is the single most important reason that Blizzard should revisit its security.

Right or wrong they have, by far, the most to lose in this situation.

**Manchu**

Lynata wrote:
What you are apparently "not grasping" is that 100% security is an illusion.

TBF, I doubt plaintiffs allege Blizzard failed to provide the tightest security imaginable; rather, I'd bet the allegation is that Blizzard failed to provide reasonable security or whatever security it is obliged to provide under existing consumer protection laws.

**KalashnikovMarine**

I was ready to get in on this thread, but all my arguments have already been made, and they were way more articulate then I would have made them. So... good job everyone?

**VermGho5t**

I doubt Blizzard is wholly negligent in their duties to protect cardholder data. The fines are so steep and severe, depending on the scale of the violation and frequency of a breach of cardholder data, it scares any business into making sure their networks are secure.

**Aldarionn**

I would be willing to wager that the vast majority of all MMO players who have their account hacked are participating in one or more risky behaviors online with their gaming computers, such as playing flash games or looking at porn on less than reputable websites. They also may have unsecured e-mail clients and use those accounts for less than reputable transactions. These sorts of things invite keylogger trojans which are responsible for logging passwords to numerous websites, accounts or other sensitive information which hackers can sell/use as they see fit.

I played WOW for a number of years, and EverQuest II before that, and the original EverQuest before that, and I have never had an issue with my account security being compromised. I run security software on my computer, and I started using a system for entering my password which has protected my account. I typed half of my password into a document on a different computer and e-mailed it to myself, and I copy-paste that half into the password field. I then type the other half. That means a person must be using MULTIPLE forms of malware in order to get my account information.

As for the other kind of hacking which stems from phishing e-mails, they are so easy to spot it's not even funny. People who get hacked that way are literally asking for it, and inviting scammers to take their money. Blizzard's security aside, you are your own last line of defense. If something looks "phishy", DON'T #*$(%ING OPEN IT! Blizzard is NOT the only company to have their servers hacked. My bank had that happen and they are a top end respectable financial institution with a long track record of excellent service. I don't blame the bank for that, because it's GOING to happen SOMETIME.

Blizzard has had an excellent record of security, and simply having their e-mail servers hacked, which is not an uncommon occurrence for any company these days, is not enough to warrant a class action lawsuit. If you pay real money online for anything, expect to have to take extra security measures to protect that money, and if you fall for a scam, that's your own damn fault. It's not like Blizzard is handing those e-mails out to anyone that wants them, or selling them to the highest bidder.

**Lynata**

Kanluwen wrote:You really need to read things more carefully, Lynata.

But I do. I read that your account was compromised multiple times, which for you is proof that Blizzard has a horrible security since of course it cannot be something on your end.

As far as the lawsuit is concerned, it is always easy to play Captain Hindsight, but I would be very surprised if it actually leads anywhere. Aldarionn's opinion mirrors my own.

dogma wrote:Which, funnily enough, is the single most important reason that Blizzard should revisit its security.
Right or wrong they have, by far, the most to lose in this situation.

Aye, that's true. Right now they seem to be a bit stuck in a "damned if they do, damned if they don't" situation, for even now there are countless people complaining about their accounts getting auto-locked every day due to "suspicious behaviour". Apparently, their Warden software (assuming that it's this that does it) has been very aggressive the past few weeks.

But what's more, people need to understand that phishing e-mails and trojans are entirely different issue compared to the network intrusion on their servers. One needs to be tackled on the customer side, where Blizzard can help with publishing security checklist and advice articles / guidelines or selling / handing out authenticators and similar services, but ultimately it is the user who has to fall for something to have their account "hacked". I'm not sure what more they could possibly do - especially as most people only read their advice after the hack already happened.

I suppose one solution would be to make authenticators mandatory and include one in every box. Personally, if I were still playing, I'd dislike this as I still feel safe without using one (this arrogance may bite me in the arse some day, but for all those years so far it has not) - but it would increase security across the populace a lot. Then again, if someone has a trojan on their machine, there still would be the risk of a "man in the middle" attack where the data gets transmitted the moment it is entered by the user. So not even authenticators offer full protection.

Thinking about it, if I were a bigwig in Blizz, what I would probably do would be a crackdown on both the goldsellers as well as the people that buy it, and let everyone know what happens to an account that violates this policy. Disrupt this business, and you take away the incentive for people to invest in account theft operations. It'd probably still happen, but it would not be as rampant as it is right now.

**Kanluwen**

My credit card details, Amazon account details, etc have never been compromised from the same email address that was associated with Battle.Net

And as you so pointedly ignored:
The account was only compromised when it was inactive. What a severe coincidence!

**dogma**

Lynata wrote:

I suppose one solution would be to make authenticators mandatory and include one in every box.

That was my initial thought as well, though I suspect Blizzard would prefer that people used smart phone apps so that they could increase their exposure to a proven customer base; hence the app is free and the authenticator is not.

Its a form of the "Like us on Facebook!" syndrome.

Lynata wrote:

So not even authenticators offer full protection.

True, but the suit appears to be about Blizzard selling security in a way that is deliberately misleading.

Lynata wrote:

Thinking about it, if I were a bigwig in Blizz, what I would probably do would be a crackdown on both the goldsellers as well as the people that buy it, and let everyone know what happens to an account that violates this policy. Disrupt this business, and you take away the incentive for people to invest in account theft operations. It'd probably still happen, but it would not be as rampant as it is right now.

Nah, just go the D3 route and get your cut. The house always needs its rake.

**Lynata**

dogma wrote:True, but the suit appears to be about Blizzard selling security in a way that is deliberately misleading.

Apparently the intended result - aside from making loads of cash in damages in damages (my Saul Goodman reference was spot on, it seems) - is to make the sale of authenticators illegal. It boggles the mind.

dogma wrote:Nah, just go the D3 route and get your cut. The house always needs its rake.

Mhm, that would be another way, though personally I do not like it that a player's real world income would affect his standing in the virtual world.
On the other hand, WoW isn't exactly a game where "P2W" would even be remotely a concern (unless a player is one of those "achievement-whores" - I could see much drama arise from the supposed gap), so ... meh, why not. Both options would put a dent in the goldsellers' business, so that's cool. Guess I'm just driven by a sort of righteous zeal when I see how certain types of players are sabotaging a game with their actions, harming everyone's enjoyment (and possibly even funding human exploitation and abuse, depending on how the resources were obtained).