Blizzard Faces Class Action Over Battle.net Security

November 9, 2012

Two gamers filed a class action against Blizzard Entertainment last week on behalf of Battle.net account holders, accusing the company of failing to properly secure players' personal information and requiring them to purchase a Battle.net Authenticator "in order to have even minimal protection for their sensitive personal, private, and financial data."

The suit claims that the World of Warcraft and Diablo III maker "negligently, deliberately, and/or recklessly" failed to safeguard player information, which has been the target of repeated security breaches.

It goes on to allege that Blizzard engaged in fraud and "unjust enrichment" by requiring players to set up a Battle.net account (in the process giving their personal and financial data) to play Blizzard's games, and then promoting its Battle.net Authenticator as the best way to ensure adequate security. The Authenticator costs $6.50 on Blizzard's website, and generates codes that players must enter to log in to an account from a new computer. The suit claims the Mobile Authenticators were compromised in an August security breach, making the physical Authenticator the only real option players have to protect their information.

The plaintiffs are asking for damages, and that Blizzard be prevented from forcing players to create Battle.net accounts to play its non-MMORPG games like Diablo III. They also ask that Blizzard be prevented "from tacking on additional, undisclosed costs to ensure security in the form of a post-point-of-sale Authenticator."

Source: GII


Comments

Re: Blizzard Faces Class Action Over Battle.net Security

This suit may be a bad idea, coming on the heels of the PSN suit, that threw out every claim of someone who didn't pay for the service (nobody pays for their battle.net account), and every claim of people who didn't lose CC info. Not only that, but they pointed out that perfect security cannot be guaranteed, which was yet another reason the PSN suit went badly for the plaintiffs.

--- With the first link, the chain is forged.

Re: Blizzard Faces Class Action Over Battle.net Security

When will people learn that their login credentials are their own responsibility?

People never take any responsibility for their actions, but instead sue others saying it's someone else's responsibility for the security of their login credentials.

It's 100% possible to keep an account secure without an authenticator.

Re: Blizzard Faces Class Action Over Battle.net Security

Not true. Blizzard indeed does promote the Battle.net authenticator heavily, but not in the way described above. The $6.50 one is not the only recourse a user has in obtaining an authenticator. Blizzard also offers an authenticator app for Android platforms, and I believe for iOS as well (but don't quote me on that).

In addition, Blizzard's Battle.net password authentication schemes have been historically poor. For example, there is NO case-sensitivity check, and never has been (for as long as battle.net has been around in all of its iterations going back to the original Diablo). If you wish to test this theory for yourself, go create an account for battle.net (it's free) and give it the most ridiculously case-sensitive password you can possibly come up with. Feel free to use a generator if it floats your boat (after all, this is a toss-away account). Now enter that same password in all lower-case, or all upper-case. It doesn't matter. Feel free to use mixed-case if you so see fit. Just don't use the exact same case that you entered it in. The password will still be accepted.

The entire point of case-sensitivity is it increases the amount of time needed to brute-force, rainbow, or dictionary attack exponentially. The password "PaSSworD11!!" hashes very much differently from the password "Password11!!" or "password11!!", yet Battle.net would accept all of them as the same password (which truthfully leads me to believe that Blizzard stores passwords in Plaintext - a belief which is substantiated by previous reports (http://arstechnica.com/security/2012/08/hacked-blizzard-passwords-not-ha...)).

Hate to tell you this, but you are most definitely incorrect in your statement herein.

----
Papa Midnight
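
An added sketch, not part of the comment above and not Battle.net's code: a salted-hash password check with and without case folding, plus a count of how many spellings a folding check collapses into one and how much search space that costs. The PBKDF2 parameters, the 94-symbol printable-ASCII alphabet and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def enroll(password: str, fold_case: bool) -> dict:
    """Build a stored record (salt + PBKDF2 hash); the password is not kept."""
    salt = os.urandom(16)
    material = password.casefold() if fold_case else password
    digest = hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "fold_case": fold_case}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    material = candidate.casefold() if record["fold_case"] else candidate
    digest = hashlib.pbkdf2_hmac(
        "sha256", material.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["hash"])


def collapsed_variants(password: str) -> int:
    """Number of distinct case spellings a folding check treats as one."""
    letters = sum(1 for ch in password if ch.lower() != ch.upper())
    return 2 ** letters


def keyspace_bits(length: int, alphabet: int) -> float:
    """log2 of the number of possible passwords of the given length."""
    return length * math.log2(alphabet)


def bits_lost_to_folding(length: int) -> float:
    """94 printable ASCII symbols shrink to 68 once A-Z and a-z are merged."""
    return keyspace_bits(length, 94) - keyspace_bits(length, 68)


if __name__ == "__main__":
    strict = enroll("PaSSworD11!!", fold_case=False)
    folded = enroll("PaSSworD11!!", fold_case=True)
    for guess in ("PaSSworD11!!", "Password11!!", "password11!!"):
        print(guess, "strict:", verify(strict, guess), "folded:", verify(folded, guess))
    print("spellings collapsed:", collapsed_variants("PaSSworD11!!"))
    print("bits lost at length 12: %.1f" % bits_lost_to_folding(12))
```
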

Re: Blizzard Faces Class Action Over Battle.net Security

The "Class Action Lawsuit Waiver" in any EULA would be tossed out in court anyway. None of the bogus junk in EULAs has been tested in court.

Re: Blizzard Faces Class Action Over Battle.net Security

The online portions of WoW do not operate under a EULA. They are not considered a software product. They are considered a private subscription network service. As such the WoW and Battle.Net Terms of Service are the core documents. And these do hold up in court. Case in point: the Sony PSN case.

And there are TONS of cases supporting Network Service TOS's. TONS! Dating back to the early 70's or late 60's. Blizzard falls under the same rules and precedents as does your phone company, cable company, or bank or financial service. These twits might be able to sue if their personal information was compromised server side, and they suffered direct and quantifiable damages as a result. Anything else and the court is going to laugh itself silly.

Re: Blizzard Faces Class Action Over Battle.net Security

It sadly has, and passed the test of the Supreme Court. One of GP's articles a while back was about that and the consequences we could expect.

Re: Blizzard Faces Class Action Over Battle.net Security

I'm pretty sure they've got little case here. I've heard of people attempting to hack Battle.net, but not ever heard of an actual successful attack where they got away with CC #s and the like. These two were likely hacked due to something they themselves did (goldfarmer use?) and decided they wanted money from it. Everyone who has a large database of people's information will at some point or another have a hacking attempt upon them. It's the way things work nowadays unfortunately.

Also, Blizzard doesn't force you to buy an authenticator either, they still have the very much free one for smartphones.

Re: Blizzard Faces Class Action Over Battle.net Security

I can't believe Blizzard wouldn't already have the "No Class Action" clause in its EULA

Re: Blizzard Faces Class Action Over Battle.net Security

I'm not entirely convinced that such a clause in any EULA would ever be discounted in a court of law, however, and it's hard to tell what'd happen when it's not exactly common that people try to fight some of a EULA's more bogus clauses.

The worst part about these clauses is that most people can't be bothered fighting them (and it's no wonder why - a legal battle isn't a relaxing procedure) and so most of them go unnoticed, which could potentially make them even worse.

Re: Blizzard Faces Class Action Over Battle.net Security

It's already been tested in SCotUS and passed. That's why companies are adding this to their EULA now en masse.

 

Re: Blizzard Faces Class Action Over Battle.net Security

Not completely accurate.

The Supreme Court case you refer to is a case against AT&T over the use of mandatory binding arbitration in an explicit contract. Not an EULA. The contract was signed by the customer. An EULA is not explicitly signed. 

So no, this has not yet been fully tested in court.

Re: Blizzard Faces Class Action Over Battle.net Security

When it's a recurring charge, I'm sure they can argue that a contract exists.

 