Activision-Blizzard talks circles around Battle.net account hacking

There have been numerous reports of account hacking (and certainly there are a lot of bad hats out there phishing and poking at Battle.net accounts and servers) since Diablo 3 swept onto the scene days ago.

Lylirra, a community manager for Activision-Blizzard, posted a circuitous non-acknowledgement of the account thefts:

We’d like to take a moment to address the recent reports that suggested that Battle.net® and Diablo® III may have been compromised. Historically, the release of a new game — such as a World of Warcraft® expansion — will result in an increase in reports of individual account compromises, and that’s exactly what we’re seeing now with Diablo III. We know how frustrating it can be to become the victim of account theft, and as always, we’re dedicated to doing everything we can to help our players keep their Battle.net accounts safe — and we appreciate everyone who’s doing their part to help protect their accounts as well. You can read about ways to help keep your account secure, along with some of the internal and external measures we have in place to help us achieve our security goals, at our account security website here: www.battle.net/security.

We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them. In addition, we also recently introduced a new service called Battle.net SMS Protect, which allows you to use your text-enabled cell phone to unlock a locked Battle.net account, recover your account name, approve a password reset, or remove a lost Authenticator. Optionally, you can set up the Battle.net SMS Protect system to send you a text message whenever unusual activity is detected on your account, keeping you aware of important (and possibly unwanted) changes.

For more information on the Authenticator, visit http://us.battle.net/support/en/article/battle-net-authenticator-faq

For more on the Battle.net Mobile Authenticator, visit http://us.battle.net/support/en/article/battle-net-mobile-authenticator-faq

For more on Battle.net SMS Protect, visit http://us.battle.net/support/en/article/battlenet-sms-protect

We also have other measures built into Battle.net to help protect players. Occasionally, when Battle.net detects unusual login activity that differs from your normal behavior — such as logging in from an unfamiliar location — we may prompt you for additional information (such as the answer to one of your security questions) and/or require you to perform a password reset through the Battle.net website. World of Warcraft players might be familiar with this security method already, and Diablo III players may begin to encounter it as well.

As always, if you think you’ve been the victim of an account compromise, head to the “Help! I’ve Been Hacked!” tool at http://us.battle.net/en/security/help for assistance.

This statement, independent of whoever delivered it, was written by a real pro.

At no point does it actually say “Yes, Battle.net accounts are being hacked” or “No, Battle.net accounts aren’t being hacked.” Read it again. If you thought it said either of those things, you imagined it.

“if you think you’ve been the victim of an account compromise” (emphasis mine) – well, they’re not saying you really have been. You just might think you have been.

Other bits are also not what they appear to be if you give it only a cursory skim. Take this part:

“We also wanted to reassure you that the Battle.net Authenticator and Battle.net Mobile Authenticator (a free app for iPhone and Android devices) continue to be some of the most effective measures we offer to help players protect themselves against account compromises, and we encourage everyone to take advantage of them.”

Every single word of that is evidently true. That doesn’t mean your account can’t get hacked or stolen if you’re using them (there’s anecdotal evidence to suggest that it is possible despite using an authenticator). It carefully avoids saying that you can’t. In fact, it’s working so hard not to say it, that I must infer that they’re not actually 100% effective.

Does that mean that you shouldn’t have one? No. If you don’t have a Battle.net authenticator, and you care about your account, you should get one. It’s not a guarantee, but it improves your odds.

The whole piece is classy work. It says absolutely nothing that isn’t true, but can leave you coming away with the impression that it said something other than what it actually did.

Outstanding.

2 thoughts on “Activision-Blizzard talks circles around Battle.net account hacking”

  1. While I agree that that post is expertly crafted and carefully worded, I don’t feel that there is malice aforethought. And there have been more posts by Blizzard employees in the same thread:

    http://us.battle.net/d3/en/forum/topic/5149619846?page=29#571

    “We’ve been taking the situation extremely seriously from the start, and have done everything possible to verify how and in what circumstances these compromises are occurring. Despite the claims and theories being made, we have yet to find any situations in which a person’s account was not compromised through traditional means of someone else logging into their account through the use of their password. While the authenticator isn’t a 100% guarantee of account security, we have yet to investigate a compromise report in which an authenticator was attached beforehand.”

    (Which, I suppose technically doesn’t come right out and state that ‘yes, accounts have been hacked’, but… that seems a bit nitpicky to me.)

    1. Indeed, I don’t believe any actual malice is involved. Such communications have become de rigueur in the tech industry over the years, where things seem to have gone from “never admit liability” to “never admit anything at all”. So I found it a little strange reading so many pieces that said “Activision-Blizzard acknowledges/admits-to account hacks” that I had to go read exactly what was said – and found something quite different.
