Security of Battle.net Email Accounts

Posted by Daeity On Wednesday, July 21, 2010

Something very interesting just happened to me. And coincidentally enough, this also fits in with the ongoing Blizzard Series.

Back in 2006, I created a highly unusual and unique Gmail account that was used strictly for one of my WoW accounts (I own many). I didn't want any spam sent to the account, hence the reason for it's length and unique name.

Think something like: kaba23.blaaey.sphlnxtoo.blzzmain@gmail.com (This isn't the actual email address.)

The only place the email account name was ever "shared" was on my WoW Account. That was the entire purpose for the email address actually, for WoW only. The email address is not public, never used, and highly unique.

I should note that it's been 4 years now and I have never received even a single spam message on the Gmail account.

So here's what happened:

  • I requested an automated password change from Battle.net (couldn't remember the WoW Login password).
  • I logged into the Gmail account to reset the BNet password.
  • I reactivated the old WoW account (which hasn't been active in 2.5 years mind you).
  • Although I haven't received any spam messages in 4 years, I suddenly received one from a WoW Spammer approximately 3 hours after activating my WoW Account. I was shocked.
  • This was all done from a very secure (and virtualized) PC and this is actually the very first WoW Spam message I've ever received on any of my Gmail accounts.

How on earth did they find me?

Is it possible that my email address was leaked by Blizzard (well, someone from Blizzard)? And why did I receive a spam message so quickly? Did I happen to request a password change at just the right time when transactions were being monitored?

One of the primary defenses that Blizzard supporters use (when questioned about internal account theft) is that GM/CS Forum Reps/etc do not ask for passwords, and that they do not have access to passwords and can only reset them.

I always get a chuckle whenever they use this defense.. mostly because their only exposure is to GMs/Support and they have no idea what goes on behind the curtain. GMs may not have access to passwords through their ugly-homegrown-support-interface, but they sure can see your email addresses or ask for them. Targeted WoW Account Phishing sure is a lot easier when you have a database of actual WoW users!

Sure, there are "security measures in place" for GMs/Support Users, but that same policy does not apply to the IT team, administrators, the policy creators, the CEO, and database admins who have raw access to account and billing information.

Are passwords actually encrypted at the database end? Consider this: the more complicated the encryption and security measures, the more time it takes to approve your password/account and login. How quickly can you login on a slow day? Also, email traffic isn't encrypted.. so it would be quite easy for an internal employee to sniff SMTP traffic for email addresses or intercept password reset URLs. Packet sniffing is monitored internally by the way, but there are always ways to avoid detection or atleast capture.

Something to think about.

It's also interesting to note (while I'm on the subject of passwords) is that the reason GMs and Customer Support make a point that they'll "never ask for your account password" is because they already have FULL access to your account without your knowledge or permission. (As if your permission really matters though.)

It's actually quite common for a GM to login to your account to test issues, see if mods are interfering with your gameplay, or to fix problems while you're offline.