

World of Warcraft maker hit with lawsuit over data breach, authentication

12 November 2012

World of Warcraft creator Blizzard has been hit with a class-action lawsuit initiated by two gamers who feel that the company's security policies are geared toward profit and are “deceptive” about just how secure – or insecure, as the case may be – users' information is.

Benjamin Bell and Christopher Spellman have filed suit in California district court, alleging that Blizzard has "failed to take the necessary measures to secure the private information of their customers, as stored on a website owned and administered by [Blizzard]." 

The allegations revolve around Blizzard's Authenticator service, which is a token authenticator device that comes either as a keychain or mobile app: it generates dynamic passwords for Blizzard games like Diablo, Starcraft, and World of Warcraft.

"The authenticator greatly reduces the chance of someone else gaining access to your account, and we strongly recommend you add this measure to your account today," Blizzard says on its website.

The problem, the lawsuit argues, is that Blizzard charges $6.50 extra for the protection. Citing a data breach over the summer, which came just before an online massacre in which hackers wiped out whole cities in the game, the suit said that Blizzard’s track record of failing to identify hacks and protect users from them is evidence that the company does not have adequate base-level security – essentially forcing gamers into paying extra for peace of mind.

The lawsuit alleges that the company “fails to disclose to consumers that additional products must be acquired after buying the games in order to ensure the security of information stored in online accounts that are requisites for playing,” according to a statement from law firm Carney Williams Bates Pulliam & Bowman PLLC. “This deceptive upselling, coupled with Blizzard’s negligence in maintaining proper security protocols, compromised millions of customers’ email addresses, passwords, answers to personal security questions, and other items of sensitive information.”

Blizzard wasted no time fighting back. In its own statement provided by email to media outlets, it said that "this suit is without merit and filled with patently false information, and we will vigorously defend ourselves through the appropriate legal channels."

As for the data breach, "not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed," the company said.

In terms of the Authenticator, Blizzard said the lawsuit does not accurately frame the role of the device/app. "The Authenticator is an optional tool that players can use to further protect their accounts in the event that their login credentials are compromised outside of Blizzard's network infrastructure," the company noted.

"Considering that players are ultimately responsible for securing their own computers, and that the extra step required by the Authenticator is an added inconvenience during the log in process, we ultimately leave it up to the players to decide whether they want to add an Authenticator to their account," Blizzard added. "However, we always strongly encourage it, and we try to make it as easy as possible to do."
