Blizzard Sued Over Data Breach, Authenticator Sales

UPDATED–A group of customers is suing gaming giant Blizzard Entertainment in connection with a data breach in August that resulted in user email addresses, hashed passwords and other information being stolen by attackers. The suit claims that the company did not do enough to secure users’ accounts before the compromise and that the company now is forcing users to pay for a two-factor authentication system to increase the security on their accounts.

The data breach was discovered in early August and Blizzard, which makes a number of popular online games, notified customers within a few days. The company was not specific about the timing of the breach discovery, saying only that its security team had discovered the breach that week.

“At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed,” the company’s CEO, Mike Morhaime, said in a statement at the time.

“Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.”

The Blizzard data breach was the latest in a long line of security incidents affecting gaming companies, a list that most notably includes the PlayStation Network hack from last year, which turned into a massive PR nightmare for Sony and caused the company to shut the network down for weeks.

Now, a class-action suit has been filed against Blizzard, claiming that the company is forcing users to pay $6.40 for a two-factor authentication solution called the Authenticator, to help secure their accounts. Blizzard has said that the Authenticator is an optional measure that users can employ to lock down their accounts. The lead plaintiff in the lawsuit against Blizzard is Benjamin Bell, according to a report by Courthouse News.

Blizzard officials say that the lawsuit has no merit and that its security measures are effective and the purchase of the Authenticator is optional, not mandatory, for players.

“This suit is without merit and filled with patently false information, and we will vigorously defend ourselves through the appropriate legal channels. We want to reiterate that we take the security of our players’ data very seriously, and we’re fully committed to defending our network infrastructure. We also recognize that the cyber-threat landscape is always evolving, and we’re constantly working to track the latest developments and make improvements to our defenses,” the company said in a statement. 

“The suit’s claim that we didn’t properly notify players regarding the August 2012 security breach is not true. Not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed. The suit also claims that the Battle.net Authenticator is required in order to maintain a minimal level of security on the player’s Battle.net account information that’s stored on Blizzard’s network systems. This claim is also completely untrue and apparently based on a misunderstanding of the Authenticator’s purpose. The Battle.net Authenticator is an optional tool that players can use to further protect their Battle.net accounts in the event that their login credentials are compromised outside of Blizzard’s network infrastructure. Available as a physical device or as a free app for iOS or Android devices, it offers players an added level of security against account-theft attempts that stem from sources such as phishing attacks, viruses packaged with seemingly harmless file downloads, and websites embedded with malicious code.”

Blizzard is the publisher of several popular online games, including World of Warcraft and Diablo III.

This article was updated on Nov. 12 to add Blizzard’s statement.
