Blizzard sued over security and authenticators

Written by: Olivia Grace (@oliviadgrace) | November 12, 2012 2:32 pm

48 Comments

“Consumer protection attorneys with the law firm Carney Williams Bates Pulliam & Bowman, PLLC filed a class action lawsuit against video game developer Blizzard Entertainment, Inc. and its parent company, Activision Blizzard, Inc., on behalf of millions of American customers who have been harmed by Blizzard’s negligent and deceptive practices related to its customers’ account security.”

The suit alleges that Blizzard fails to disclose to consumers that additional products must be acquired after buying the games in order to ensure the security of information stored in online accounts that are requisites for playing. Essentially, what it boils down to, is that Blizzard are being sued for not telling people at the time of purchasing one of their games that they’ll need a battle.net account to play them, and that, in order to keep that battle.net account secure, they ought to have an authenticator.This is referred to as “deceptive upselling” despite the fact that anyone with a smartphone has access to authenticators for free. The suit goes on to add that “Blizzard’s negligence in maintaining proper security protocols compromised millions of customers’ email addresses, passwords, answers to personal security questions, and other items of sensitive information.”

But that’s not the key grounds of the suit, from the press release sent to GAMEBREAKER by Carney Williams. To quote:

“The bottom line,” says Carney Williams’ representative, “is that Blizzard should not be passing the costs of basic account security on to consumers after selling them these games. They need to be honest if they’re going to saddle people with additional costs. They need to be up front about the level of protection they will provide to their customers, and they cannot be negligent in maintaining proper security protocols.”

NielsenWire, technology analyst group, assert that 50.4% of US residents use smartphones. The percentage is as high as 80% in people aged between 18 and 34, arguably the majority of Blizzard’s customer base for its games, and to whom it provides the completely free-of-charge battle.net authenticator, downloadable onto any smartphone. The suit further claims that these Smartphone authenticators were rendered useless by the security breach in August, but this doesn’t seem to be supported by any evidence.

The suit itself is filed principally by two plaintiffs, one of which is a Diablo III player whose complaint was that his account, which didn’t have an authenticator, was compromised, but Blizzard didn’t contact him directly in order to inform him of this compromise. The plaintiff asserts that, despite having a Diablo III subscription, he “does not use [Blizzard's] MMORPG products.” The second plainitiff plays Warcraft, Starcraft and Diablo, and has several authenticators. His account was among those breached in August, and also asserts that he was not personally informed of the breach.

GAMEBREAKER doesn’t pretend to be lawyers, but we certainly received notice via our battle.net registered email addresses as well as on the Blizzard website. Whether this is sufficient, we’re not sure!

What’s your take on this, though? Reasonable? The only thing I can get out of it that might be worth debating is whether authenticators should come free with games for those without smartphones. Because they’re already free for those with smartphones.

UPDATE

The latest news on this is that Blizzard has released a statement in response. To cut a long story short, the suit is without merit, and based on false allegations, and untrue or incorrect information. Blizzard’s team intend to fight this, and it seems like a lot of loyal fans will be on their side. See Blizzard’s full statement below:

This suit is without merit and filled with patently false information, and we will vigorously defend ourselves through the appropriate legal channels.

We want to reiterate that we take the security of our players’ data very seriously, and we’re fully committed to defending our network infrastructure. We also recognize that the cyber-threat landscape is always evolving, and we’re constantly working to track the latest developments and make improvements to our defenses.

The suit’s claim that we didn’t properly notify players regarding the August 2012 security breach is not true. Not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed. You can read our letter to players and a comprehensive FAQ related to the situation on our website.

The suit also claims that the Battle.net Authenticator is required in order to maintain a minimal level of security on the player’s Battle.net account information that’s stored on Blizzard’s network systems. This claim is also completely untrue and apparently based on a misunderstanding of the Authenticator’s purpose. The Battle.net Authenticator is an optional tool that players can use to further protect their Battle.net accounts in the event that their login credentials are compromised outside of Blizzard’s network infrastructure. Available as a physical device or as a free app for iOS or Android devices, it offers players an added level of security against account-theft attempts that stem from sources such as phishing attacks, viruses packaged with seemingly harmless file downloads, and websites embedded with malicious code.

When a player attaches an Authenticator to his or her account, it means that logging in to Battle.net will require the use of a random code generated by the Authenticator in addition to the player’s login credentials. This helps our systems identify when it’s actually the player who is logging in and not someone who might have stolen the player’s credentials by means of one of the external theft measures mentioned above, or as a result of the player using the same account name and password on another website or service that was compromised. Considering that players are ultimately responsible for securing their own computers, and that the extra step required by the Authenticator is an added inconvenience during the log in process, we ultimately leave it up to the players to decide whether they want to add an Authenticator to their account. However, we always strongly encourage it, and we try to make it as easy as possible to do.

Many players have voiced strong approval for our security-related efforts. Blizzard deeply appreciates the outpouring of support it has received from its players related to the frivolous claims in this particular suit.

Blizzard sued over security and authenticators

World of Warcraft

Patch 5.3 Release Date Confirmed

Patch 5.3 Release Date Is Confirmed By Blizzard on TwitterRead more »

68 comments
4:06

World of Warcraft

Patch 5.3: Purely Pandaria Profession Leveling!

The latest Patch 5.3 PTR build is up, and has brought some fairly major changes to the leveling process of Mining and Herbalism. Read more »

25 comments
9:55

World of Warcraft

Preparing for Patch 5.3

Patch 5.3 is coming and Blizzard have created a guide to the changes!Read more »

8 comments

http://www.facebook.com/rammur65 Roger Means

thats bullcrap my account got hacked and when i got my account back they gave me a authenticator for free lol.
http://twitter.com/Luke_Malcolm Luke Malcolm

Ya I found this lawsuit very funny. When I seen this on MMO- Champ I thought oh shit what did they do now. but turns out its just a useless case.
http://twitter.com/AnesthesiaOlogy Josh E

When I first started watching and reading GBTV, it was all about the players. Now, everytime I see a post from Blizzard, it’s all on the company’s side. This one may be that way, but it seems as though every post I read has almost a “Blizzard can do wrong stop whining” feel to it. Kinda wish it was still all about the players, not afraid to say that the companies have only their bottom line as their goal, not their players, and that sometimes there’s a conflict of interest.
- http://twitter.com/dularr Dularr
  
  I just think Olivia is a really nice person that really enjoys playing WoW. We seem to be uses to a little more sarcasm from our Gamebreaker writers.
- Kagitaar
  
  Because it’s entirely impossible for Blizzard to be right ever, right?
http://twitter.com/AnesthesiaOlogy Josh E

I got an authenticator for free when I got mine, but only because I’d had the dial-up authenticator previously (because it was the only free option) and I’d still been hacked.
http://twitter.com/AnesthesiaOlogy Josh E

Accidental double post, was displaying weird on my screen (that is, not as a reply to the comment it was in reply to).
http://www.facebook.com/people/Kris-Yeisley/554290488 Kris Yeisley

Blizzard may have notified their players in August when they realized they had been hacked but the hack happened all the way back in 2011 as evidenced by the hackers looking for ways to quickly decrypted hashed password keys.
Laurence Hill

They have to be careful technically Blizzard is in its rights to counter-sue for defamation from patently untrue information.
- Kagitaar
  
  Indeed. I’ve always hoped that in cases like this, the offending lawyers would, at very least, get disbarred as well. The less ambulance chasing idiots like these guys, the better.
Suicideking666

I kind of hope that Blizzard bans all people who get in on this.
- http://profiles.google.com/gunslinger1985 Roland Deschain
  
  That’s fine my blizzard acct got hacked and all i want to do is delete the acct because i no longer play. they should send an email to you when ever acct info gets changed, or when you log in from someplace new. Or for example when the region of ypur account changes
  - Suicideking666
    
    They do, I was hacked, but I was out to sea and didn’t get the messages that told me my contact email had been changed for a few months. When I got back I did have a pleasant surprise, my account was locked, but the hacker had been farming on my character and hadn’t sold everything yet and my game time expired, so when I got in touch with Blizzard and got my account back I had full bags and most of my stuff still. This whole lawsuit is bogus though, online games have been getting hacked forever, the only difference here is that Blizzard is one of the biggest names in online gaming, this is really just someone trying to give Blizzard a black eye.
http://www.facebook.com/profile.php?id=21003660 Keith William Gretton

There are too many lawyers and law firms in the US; there are different types of lawsuits but one’s like this deserve a new title: D.E.R.P (defamatory, erroneous, retarded, pieces-of-sh@#)
- http://twitter.com/Luke_Malcolm Luke Malcolm
  
  lmao
- Kagitaar
  
  We really need to adopt that designation.
http://twitter.com/Vermikz Verm

It’s a bunch of complete bulls***! They stretched hard, but these people/lawfirm filing this lawsuit are clearly just looking for a way to legally exploit money out of a very successful company. I am sure blizz will win this, none of their claims sound cedible enough.
http://www.facebook.com/chad.pittman.184 Chad Pittman

I hope blizzard counter Sues these people on the grounds of them being so stupid. Anyone that has half a brain knows that its not Blizzard responciblity to make sure you pick a good password and protect your account. I’m sure Its problably part of the EULA somewhere. They may offer ways to help protect your account better but its ultimately up to you to use those as Blizzard pointed out ” Tools” .These People really need to watch what they are saying before they stick their foot in their mouth and piss blizzard off.
http://www.facebook.com/people/Jason-Quinn/504633100 Jason Quinn

Never had an issue with password or login, used the same password for 6 years. Get at me.
http://www.facebook.com/people/Magus-Hrist/100003601604634 Magus Hrist

This lawsuit seems pretty weak, but I don’t trust Blizzard security at all. A year after I quit playing WoW, my account was compromised. I went through the process of getting it back and I changed the password to a random string of 20 characters. About a year later it was compromised again. Since I never logged into the account during that period, I highly suspect a failure on Blizzard’s part.
- http://openid.aol.com/jpuffer87 Justin Pfeifer
  
  Yes because its not possible at all that your computer had spyware on it at all.
  - http://www.facebook.com/people/Magus-Hrist/100003601604634 Magus Hrist
    
    Yeah that’s correct. I know my security. Daily malware scans, script & ad blockers, never download any plugins or executables unless proven 100% clean, avoid shady websites. If in doubt I use a sandboxed browser in a VM. In 10+ years I’ve never had malware make it onto my PC. Never been hacked in any online game.
    
    And the secure password for my WoW account was only used once when setting it and hasn’t been used since. I’d bet my life that it wasn’t swiped from my PC.
    - http://twitter.com/dularr Dularr
      
      Sounds like you PC got hacked.
      - http://www.facebook.com/people/Magus-Hrist/100003601604634 Magus Hrist
        
        LOL are you a Blizzard fanboi? Or do you have a legitimate reason for thinking my PC was hacked despite there being no evidence whatsoever? If you can suggest something reasonable then I’ll give Blizzard the benefit of the doubt.
        
        After my account was compromised the first time I did a full sweep for malware with 3 separate scanners. I even checked every single Windows background process to insure they were all 100% legit. And then wiped my HDD and re-installed Windows to be sure. My PC was clean when I changed to the 20-digit password.
        
        So no more ‘herp derp you were hacked.’
      - http://www.youtube.com/user/cpjontek cpjontek
        
        Stop lying and just admit you d/l animal porn.
      - http://twitter.com/dularr Dularr
        
        It sounds like your email account was hacked. The hacker found you have a battlenet account, email address and email password. Hacked your email account and now periodically resets your password.
        
        It is very unlikely the hackers are repeatly stealing your battlenet password from blizzard. They probably stole your email password (Blizzard does not have your email password. Unless you use the same password for both.) and some personal information and using that to change your gaming passwords.
        
        Sadly, I create a brand new email address for each large game I play (i.e. large target) and never, ever use that email address with any other game or website.
        
        With battletnet (I really enjoy WoW, but not a fan of battlenet, that group is borderline dumb. See D3 launch day) I took it a step further, I have one email address for the launcher log in screen and a second email address for billing and account info.
        
        So let me update. HERP DERP YOUR EMAIL WAS HACKED.
      - http://www.facebook.com/people/Magus-Hrist/100003601604634 Magus Hrist
        
        Valid point but doesn’t apply in my case. I use Gmail two-factor authentication and regularly check the IP access logs.
      - http://profile.yahoo.com/APHJB3QZIDC34QYRLE2RAUSLMU TJ
        
        If u think your pc is impossible to hack you are a fool and u prolly already have been
      - http://www.facebook.com/people/Magus-Hrist/100003601604634 Magus Hrist
        
        I know very well how easy it is for a PC to get hacked which is why I take extra precautions to ensure mine isn’t and regularly review logs for suspicious activity.
        
        Regardless, you are ignoring the fact that I used a totally fresh Windows install (i.e. no time for it to have been hacked) to set the secure password. I never entered that password again so there never was another change to steal it.
- http://twitter.com/cipero Matt Cipriano
  
  I love how the blizz fanboys all tell you it’s your pc and not blizzard, as if your the only account that has ever been hacked! hahaha
http://www.facebook.com/profile.php?id=1653322492 Kevin J. Redmond

I have always felt that Blizzard is lax on their own security, and that they use the authenticators as a crux for having to secure their own servers. The biggest account hackers in the game also make up a large chunk of subs, so I don’t think they have a vested interest in really removing them. Having said all of that, though, this is hardly lawsuit worthy. I hate to agree with Blizzard, but the suit just has no merit.
- Kagitaar
  
  So you are saying that every Chinese player is out to steal your account?
ReAlIzEr

A free layer of security is always nice for absent minded people who are continuely giving out their passwords and email address like it was candy to every tom, dick and hair hacker there is.

As for the individuals backing this the most – maybe they did find the loop hole that makes them right and blizzard wrong. Or maybe this is a large scale gimik to sell more authenticator’s to scared little sheep to help them sleep at night while hackers work all the back doors reguardless what security you have.

Now don’t mind me, I am just going to go watch some live stream WoW porn, toss about a dozen hacker freely cookies and cream into my system and let them record all my keystrokes over the 12mins it will take me to finish. LOL.
http://www.facebook.com/people/Travis-John-Professør-Christensen/1665136666 Travis John-Professør Christen

This is stupid. People need to leave Blizzard alone. If you don’t buy an authenticator (which is like $7 chump change) then you deserve to be hacked. There is only soo much that security on their side can do.
- Nick Cattane
  
  If you own an iphone it’s free!
http://twitter.com/dularr Dularr

Wonder what are the damages. Hmm, $6.50 for an authenticator.
http://twitter.com/scoutzknight Jones

Nice! Fuck Blizzard all the way!!!
Logun 24×7

For the love of god I’ve never heard of anything more ridicules
…. What happened? .. was it a slow week for the ambulance chasing lawyers.

You know, between the entitlement mentality of MMO players,
payment models in flux and entertainment developers being sued for trying to
bring us hours of joy and a few memories I fear for this genre’s future…….. all
these players on board with this should be ashamed of themselves.
- http://twitter.com/scoutzknight Jones
  
  One day when u got your account hacked even using an authentication, maybe u will see what is ridicule! u dumb ass noob!
http://www.facebook.com/Vaayne Donald Whitman

its true this is a lawsuit will win i called before i bought my key when i was hacked and the guy on the phone said buy a key to protect your account and i changed my password a billion times
- http://www.youtube.com/user/cpjontek cpjontek
  
  This lawsuit will win when you learn grammar.
- http://profile.yahoo.com/APHJB3QZIDC34QYRLE2RAUSLMU TJ
  
  This will be thrown out of court… its like sueing a bank, which allows the use of an authenticator for their accounts. Yes it is an extra layer of security… no it is not required
squzy

Never hacked in 5 years, no authenticator used. Why did i not use authenticator? I didn’t want to bare the costs to provide secure access. So in comments you can see mixed reactions, from blizzard saying go buy authenticator if u dont want get hacked again, towards people getting an authenticator for free after being hacked.

I think this is a moving transition from Blizzard over time they realize indirectly costs of dealing with hacks will come back at them. Hence since a year or so there is now free authenticator app on your smartphone. Not everybody has a smartphone … yet. So 10 mill account x $6.5 = 65 million savings on their security infrastructure. (hell no not all 10 mill have secured account now)Ever seen a bank with internet saving account charge for authenticator, or other ways to leverage costs of their security infrastructure to the customers? Atleast mine are included with the costs for having a banking account mentioned in contract before signing it.Lawsuit seems 2 years late, back when their stance was; go buy an authenticator after being hacked, when they didnt provide the free authenticator app, or free authenticators after a hack.
http://twitter.com/cipero Matt Cipriano

I like Olivia but we are discussing player security and the whole time she’s laughing like it’s a joke topic. Kind of discrediting if this is supposed to be unbiased reporting.
- http://twitter.com/lifensoul Steven Whiting
  
  Laughing because it’s a joke of a lawsuit. You’re not forced to purchased authenticators and more, so they essentially have no case.
Ravenstorm

Gary! Make Olivia appear in the second video box like you do with Monty when giving dem topics! We wanna see that smilez! Gary!

edit: and QuintLyn and Jason too! And anyone I forgot! Gary!
edit: that last Gary was too much. Apologies.
http://twitter.com/lifensoul Steven Whiting

Will be thrown out of court. Authenticators are a choice, two factor authentication but aren’t needed. Fools.
Jeff Weller

Does Blizzard have a username and password protection? Yes
Does Google have a username and password protection? Yes

Does Blizzard have an authenticator security option? Yes
Does Google have an authenticator security option? Yes

Does Blizzard promote the OPTIONAL added authenticator security? Yes
Does Google promote the OPTIONAL added authenticator security? Yes

Does Blizzard require authenticator security? No
Does Goodle require authenticator security? No

—————————————————————————–

Based on the information above… I’m assuming that Google should be expecting a similar lawsuit very soon. (From these same idiots!)

Blizzard sued over security and authenticators

Patch 5.3 Release Date Confirmed

Patch 5.3: Purely Pandaria Profession Leveling!

Preparing for Patch 5.3

Monday

Tuesday

Wednesday

Thursday

Friday

Sign in to your account