Benjamin Bell and Christopher Spellman have filed suit in California district court, alleging that Blizzard has "failed to take the necessary measures to secure the private information of their customers, as stored on a website owned and administered by [Blizzard]."
The allegations revolve around Blizzard's Authenticator service, which is a token authenticator device that comes either as a keychain or mobile app: it generates dynamic passwords for Blizzard games like Diablo, Starcraft, and World of Warcraft.
"The authenticator greatly reduces the chance of someone else gaining access to your account, and we strongly recommend you add this measure to your account today," Blizzard says on its website.
The problem, the lawsuit argues, is that Blizzard charges $6.50 extra for the protection. Citing a data breach at Battle.net over the summer, which came just before an online massacre, in which hackers wiped out whole cities in the game, the suit said that Blizzard’s track record of failing to identify hacks and protect users from them is evidence that the company does not have adequate base-level security – essentially forcing gamers into paying extra for peace of mind.
The lawsuit alleges that the company “fails to disclose to consumers that additional products must be acquired after buying the games in order to ensure the security of information stored in online accounts that are requisites for playing,” according to a statement from law firm Carney Williams Bates Pulliam & Bowman PLLC. “This deceptive upselling, coupled with Blizzard’s negligence in maintaining proper security protocols, compromised millions of customers’ email addresses, passwords, answers to personal security questions, and other items of sensitive information.”
Blizzard wasted no time fighting back. In its own statement provided by email to media outlets, it said that "this suit is without merit and filled with patently false information, and we will vigorously defend ourselves through the appropriate legal channels."
As far as the data breach, "not only did Blizzard act quickly to provide information to the public about the situation, we explained the actions we were taking and let players know how the incident affected them, including the fact that no names, credit card numbers, or other sensitive financial information was disclosed," the company said.
In terms of the Authenticator, Blizzard said the lawsuit does not accurately frame the role of the device/app. "The Battle.net Authenticator is an optional tool that players can use to further protect their Battle.net accounts in the event that their login credentials are compromised outside of Blizzard's network infrastructure," the company noted.
"Considering that players are ultimately responsible for securing their own computers, and that the extra step required by the Authenticator is an added inconvenience during the log in process, we ultimately leave it up to the players to decide whether they want to add an Authenticator to their account," Blizzard added. "However, we always strongly encourage it, and we try to make it as easy as possible to do."