Blizzard Faces Class Action Over Security

Two gamers filed a class action against Blizzard Entertainment last week on behalf of account holders, accusing the company of failing to properly secure players' personal information and of requiring them to purchase an Authenticator "in order to have even minimal protection for their sensitive personal, private, and financial data."

The suit claims that the World of Warcraft and Diablo III maker "negligently, deliberately, and/or recklessly" failed to safeguard player information, which has been the target of repeated security breaches.

It goes on to allege that Blizzard engaged in fraud and "unjust enrichment" by requiring players to set up an account (in the process giving their personal and financial data) to play Blizzard's games, and then promoting its Authenticator as the best way to ensure adequate security. The Authenticator costs $6.50 on Blizzard's website, and generates codes that players must enter to log in to an account from a new computer. The suit claims the Mobile Authenticators were compromised in an August security breach, making the physical Authenticator the only real option players have to protect their information.

The plaintiffs are asking for damages, and that Blizzard be prevented from forcing players to create accounts to play its non-MMORPG games like Diablo III. They also ask that Blizzard be prevented "from tacking on additional, undisclosed costs to ensure security in the form of a post-point-of-sale Authenticator."

Source: GII



  1. 0
    faefrost says:

    The online portions of WoW do not operate under a EULA. They are not considered a software product. They are considered a private subscription network service. As such the WoW and Battle.Net Terms of Service are the core documents. And these do hold up in court. Case in point: the Sony PSN case.

    And there are TONS of cases supporting Network Service TOS's. TONS! Dating back to the early 70's or late 60's. Blizzard falls under the same rules and precedents as does your phone company, cable company, or bank or financial service. These twits might be able to sue if their personal information was compromised server side, and they suffered direct and quantifiable damages as a result. Anything else and the court is going to laugh itself silly.

  2. 0
    jedidethfreak says:

    This suit may be a bad idea, coming on the heels of the PSN suit, that threw out every claim of someone who didn't pay for the service (nobody pays for their account), and every claim of people who didn't lose CC info. Not only that, but they pointed out that perfect security cannot be guaranteed, which was yet another reason the PSN suit went badly for the plaintiffs.

  3. 0
    Papa Midnight says:

    Not true. Blizzard indeed does promote the authenticator heavily, but not in the way described above. The $6.50 one is not the only recourse a user has in obtaining an authenticator. Blizzard also offers an authenticator app for Android platforms, and I believe for iOS as well (but don't quote me on that).

    In addition, Blizzard's password authentication schemes have been historically poor. In example, there is NO case-sensitivity check, and never has been (for as long as has been around in all of its iterations going back to the original Diablo). If you wish to test this theory for yourself, go create an account for (It's free) and give it the most ridiculously case-sensitive password you can possibly come up with. Feel free to use a generator if it floats your boat (after all, this is a toss-away account). Now enter that same password in all lower-case, or all upper-case. It doesn't matter. Feel free to use mixed-case if you so see fit. Just don't use the exact same case that you entered it in. The password will still be accepted.

    The entire point of case-sensitivity is it increases the amount of time needed to brute-force, rainbow, or dictionary attack exponentially. The password "PaSSworD11!!" hashes very much differently from the password "Password11!!" or "password11!!", yet would accept all of them as the same password (which truthfully leads me to believe that Blizzard stores passwords in Plaintext – a belief which is substantiated by previous reports (

    Hate to tell you this, but you are most definitely incorrect in your statement here-in.
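
An added illustration of the case-sensitivity point in the comment above (not part of the original comment, and not Blizzard's code): it measures how much search space case folding removes and shows that a salted hash over a case-folded password accepts every casing of the comment's sample passwords. The function names, the PBKDF2-HMAC-SHA256 scheme, the iteration count and the 94-character printable-ASCII alphabet are assumptions made for the sketch.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def keyspace_bits(length, alphabet_size):
    """Bits of search space for a random password of the given length."""
    return length * math.log2(alphabet_size)


def case_variants(password):
    """How many distinct casings collapse onto one case-folded password."""
    return 2 ** sum(1 for ch in password if ch.lower() != ch.upper())


def enroll(password, fold_case):
    """Store salt + PBKDF2 digest; optionally fold case before hashing."""
    salt = os.urandom(16)
    material = password.casefold() if fold_case else password
    digest = hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS)
    return salt, digest, fold_case


def verify(record, attempt):
    """Re-derive the digest from the attempt and compare in constant time."""
    salt, digest, fold_case = record
    material = attempt.casefold() if fold_case else attempt
    candidate = hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    chosen = "PaSSworD11!!"  # sample password quoted in the comment
    attempts = ["PaSSworD11!!", "Password11!!", "password11!!"]

    strict = enroll(chosen, fold_case=False)
    folded = enroll(chosen, fold_case=True)
    for attempt in attempts:
        print(attempt, "strict:", verify(strict, attempt),
              "folded:", verify(folded, attempt))

    # 94 printable ASCII symbols vs. 68 once upper and lower case are merged.
    lost = keyspace_bits(12, 94) - keyspace_bits(12, 68)
    print("casings merged into one:", case_variants(chosen))
    print("bits lost on a random 12-character password: %.1f" % lost)
```

A login that accepts any casing is therefore also what a hashed, case-folded store looks like from the outside; the measurable cost is the smaller search space.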

  4. 0
    Thomas P. says:

    When will people learn that their login credentials are their own responsibility?

    People never take any responsibility for their actions, but instead sue others saying it's someone else's responsibility for the security of their login credentials.

    It's 100% possible to keep an account secure without an authenticator.

  5. 0
    Mr.Tastix says:

    I'm not entirely convinced that such a clause in any EULA would ever be discounted in a court of law, however, and it's hard to tell what'd happen when it's not exactly common that people try to fight some of a EULA's more bogus clauses.

    The worst part about these clauses is that most people can't be bothered fighting them (and it's no wonder why – a legal battle isn't a relaxing procedure) and so most of them go unnoticed, which could potentially make them even worse.

  6. 0
    Wymorence says:

    I'm pretty sure they've got little case here. I've heard of people attempting to hack, but not ever heard of an actual successful attack where they got away with CC #s and the like. These two were likely hacked due to something they themselves did (goldfarmer use?) and decided they wanted money from it. Everyone who has a large database of people's information will at some point or another have a hacking attempt upon them. It's the way things work nowadays unfortunately.

    Also, Blizzard doesn't force you to buy an authenticator either, they still have the very much free one for smartphones.
