Blizzard accused of disabling authentication; Medium app behaves like malware; and infosec help sought to settle ‘WAGatha Christie’ scandal

Caught in a storm

Blizzard Entertainment came under fire from all angles this week, as it emerged that the US gaming giant had suspended an esports competitor from its platform after he voiced support for pro-democracy protests in Hong Kong.

In a statement this week, Blizzard said pro gamer Chung Ng Wai violated the Hearthstone competition rules by voicing his political opinions in his post-match statement. As such, he will receive no prize money and has been banned from playing Hearthstone esports for a year.

The move sparked backlash from those in the gaming community and beyond, with the #BoycottBlizzard hashtag trending on social media and reports surfacing that some company employees staged a walk-out in protest of the decision to ban Chung.

RELATED China deploying troll army to save face over Hong Kong

If that wasn’t enough, the saga piqued the attention of security types, as unconfirmed reports started to swirl on social media that Blizzard had, according to one Twitter user, “disabled all four authentication methods to actively stop people from deleting their accounts”.

The Daily Swig has reached out to Blizzard for a statement regarding the allegations. We’ve received no word as of yet, although in a response to one user on Twitter, the company said it was aware of an “issue affecting the site”.

Outstandingly mediocre

In other news, security researchers cried foul this week after discovering that links shared through Medium’s official iOS app travel via a redirect that intermittently demands people’s phone numbers.

This malware-like behavior was not an intended feature, developers of the blogging platform confirmed, adding that they are working to fix the bug.

Hackers are the good guys!

The best and the brightest in anti-malware research were saluted at the Virus Bulletin conference last week.

The Péter Szőr award – named after an accomplished security researcher who sadly passed away in 2013 – honors the best technical security research from the previous year.

Szőr’s book, ‘The Art of Virus Research and Defense’, is still considered a foundational text in the field. Perhaps even more importantly, he is remembered for his generosity in sharing his technical expertise with young researchers and good humor.

Shortlisted candidates this year included Luca Nagy for her Matrix ransomware research and Cisco Talos.

Cisco Talos won this year’s Péter Szőr award for their SeaTurtle research into DNS attacks against core internet services.

Talos researchers Paul Rascagneres and Warren Mercer were there to receive the award, later blogging about the honor.

The Daily Swig was at Virus Bulletin last week. If you missed it, catch up with our coverage on how cyperspies are taking advantage of flaws in region-specific software, OpSec errors by botnet operators, and news of security vendor Kaspersky teaming up with charities to tackle the growing stalkerware threat.

Australia conference fallout

There was controversy down under this week, after CyberCon disinvited confirmed speakers to its events based on the content of their talks.

NSA whistleblower Thomas Drake and academic Dr Suelette Dreyfus were told just a week before the event that their proposed presentations were “incongruent” with the conference program, as reported by The Daily Swig.

Dr Dreyfus, who was planning to discuss her project on anonymous digital whistleblowing, presented her findings via online radio. 

Talks from Drake and Dreyfus are available online.

BA faces turbulence

An estimated 500,000 British Airways customers learned that they can sue the airline over a recent data breach that exposed payment card and banking information.

The miscreants behind the breach used the Magecart technique to plant malicious JavaScript code on payment pages.


UK infosec Twitter was agog this week about a conflict between the wives of two England football players over accusations that material from private social media accounts had been fed to the press.

Coleen Rooney, wife of former England striker Wayne, laid a trap by feeding a series of false titbits through her private Instagram account.

Rooney claimed to have narrowed down access to this fake information to the point where it was only accessed and viewed by an account maintained by Rebekah Vardy, wife of England forward Jamie. 

Stories about these false rumors appeared in The Sun newspaper, prompting Rooney to go public with her accusations.

Vardy, who strenuously denies any wrongdoing, has suggested that someone else with access to her Instagram account may have leaked the leads.

She is reportedly looking to hire forensic IT experts to confirm her innocence.

No word on who that might be, much less the result of the probe, but in the meantime infosec Twitter is making merry with the funnies.

In other Instagram news, the social media platform added a phishing detection feature this week.

Security firm Tripwire, which broadly welcomed the feature, said that users should consider enabling two-factor authentication as another defense against account hijack.