Usernames and encrypted passwords stolen but sensible security should limit damage
Games studio Blizzard has confirmed a security breach that has exposed user passwords and other private information. Blizzard is the company behind World of Warcraft and Diablo III.
In a post on the company’s blog, Blizzard confirmed that its Battle.net system had been accessed illegally. Battle.net is the company’s online multiplayer service.
Email addresses for Battle.net users outside China were taken and users connected to its North American servers had the answer to their personal security question stolen.
The North American infrastructure serves players in that region as well as Latin America, Australia, New Zealand, and Southeast Asia.
Encrypted passwords for players on the North American servers were also taken. Finally, information relating to Mobile and Dial-In Authenticators was also accessed, Blizzard said.
Mike Morhaime, the company’s co-founder, said no financial information such as credit card details was taken, and that the company believes the information that was accessed is not enough to enable a hacker to gain access to someone’s account.
Morhaime added that Blizzard uses the Secure Remote Password protocol (SRP), which makes it difficult to extract the actual password from the encrypted password data that was taken.
However, Blizzard is still recommending that users of its North American servers change their passwords, as well as their details on any other services where they may use the same information.
Morhaime also warned users to be on the lookout for phishing emails. "In the coming days, we’ll be prompting players on North American servers to change their secret questions and answers through an automated process."
"Additionally, we’ll prompt mobile authenticator users to update their authenticator software," he said. "As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you."
"We take the security of your personal information very seriously, and we are truly sorry that this has happened," the statement added.
The company has produced an in-depth Q&A providing more information to affected customers.
There have been a number of high-profile hacks of successful online services recently.
Business social network LinkedIn was attacked in June this year, and 6.5 million passwords were posted online. The company is currently facing a lawsuit over the incident, with users claiming that it should have done more to protect its members. Not long after that, online dating site eHarmony and music site Last.fm admitted breaches.
More recently, online storage company Dropbox admitted that user email addresses had been compromised after a hacker broke in and stole an internal document. What’s interesting about this incident is that the hacker gained access to a Dropbox employee’s account because the employee had reused the same password on another online service, which had itself been compromised.