Security of Battle.net Email Accounts

Posted by Daeity On Wednesday, July 21, 2010

Something very interesting just happened to me. And coincidentally enough, this also fits in with the ongoing Blizzard Series.

Back in 2006, I created a highly unusual and unique Gmail account that was used strictly for one of my WoW accounts (I own many). I didn't want any spam sent to the account, hence the reason for it's length and unique name.

Think something like: kaba23.blaaey.sphlnxtoo.blzzmain@gmail.com (This isn't the actual email address.)

The only place the email account name was ever "shared" was on my WoW Account. That was the entire purpose for the email address actually, for WoW only. The email address is not public, never used, and highly unique.

I should note that it's been 4 years now and I have never received even a single spam message on the Gmail account.

So here's what happened:

  • I requested an automated password change from Battle.net (couldn't remember the WoW Login password).
  • I logged into the Gmail account to reset the BNet password.
  • I reactivated the old WoW account (which hasn't been active in 2.5 years mind you).
  • Although I haven't received any spam messages in 4 years, I suddenly received one from a WoW Spammer approximately 3 hours after activating my WoW Account. I was shocked.
  • This was all done from a very secure (and virtualized) PC and this is actually the very first WoW Spam message I've ever received on any of my Gmail accounts.

How on earth did they find me?

Is it possible that my email address was leaked by Blizzard (well, someone from Blizzard)? And why did I receive a spam message so quickly? Did I happen to request a password change at just the right time when transactions were being monitored?

One of the primary defenses that Blizzard supporters use (when questioned about internal account theft) is that GM/CS Forum Reps/etc do not ask for passwords, and that they do not have access to passwords and can only reset them.

I always get a chuckle whenever they use this defense.. mostly because their only exposure is to GMs/Support and they have no idea what goes on behind the curtain. GMs may not have access to passwords through their ugly-homegrown-support-interface, but they sure can see your email addresses or ask for them. Targeted WoW Account Phishing sure is a lot easier when you have a database of actual WoW users!

Sure, there are "security measures in place" for GMs/Support Users, but that same policy does not apply to the IT team, administrators, the policy creators, the CEO, and database admins who have raw access to account and billing information.

Are passwords actually encrypted at the database end? Consider this: the more complicated the encryption and security measures, the more time it takes to approve your password/account and login. How quickly can you login on a slow day? Also, certain email traffic isn't encrypted.. so it would be quite easy for an internal employee to sniff SMTP traffic for email addresses or intercept password reset URLs. Packet sniffing is monitored internally by the way, but there are always ways to avoid detection or at least capture. Some interesting things to think about.

On a related note, while digging through old Blizzard communications I came across some old work related to encryption that may interest you. A work colleague and I used to frequently discuss this topic and strategize new security methodologies. Right now he's doing some neat stuff that you should check out. Back around 2004-2005, I was on the hunt for a talented PHP coder to construct a web app built around a reputation system, where users could earn points much like Reddit. But, I wanted the points system to act as currency so that the users could trade or exchange the digital currency for merchandise. Security of the data was really important, and the site would need to reach a critical mass of users before ever being feasible however. Long story short, because it had to be decentralized, there was no way we would be able to do it through a website. We would need to potentially encrypt data amongst thousands of users so that records would be set in stone and ensure security of the points. Trust was paramount. I never ended up building the site, but a few months ago, he starting making some progress on the app thanks to some new stuff in peer-to-peer tech. He hacked some code together and has been working on an idea that we always wanted to do. It's like a P2P cash application and he explained in more detail here (it's only a few pages, and not a long read). If this interests you, you can download the latest 0.20 version here. Please note that this is still very early in development and buggy. But it's very cool to see this old idea some to fruition.

It's also interesting to note (while I'm on the subject of encryption and passwords) is that the reason GMs and Customer Support make a point that they'll "never ask for your account password" is because they already have FULL access to your account without your knowledge or permission. (As if your permission really matters though.)

It's actually quite common for a GM to login to your account to test issues, see if mods are interfering with your gameplay, or to fix problems while you're offline. So, if someone from Blizzard ever tells you that their employees don't have access to your account, that's completely untrue. They can login to and access it whenever they want.