Feeds

Blizzard pwned: Gamers' email, encrypted passwords slurped

Millions of World of Warcraft players raided

Choosing a cloud hosting partner with confidence

Blizzard Entertainment, which makes World of Warcraft, Diablo III and other games, has coughed to a security breach of its internal network. Email addresses, answers to security questions and encrypted passwords linked to player accounts are believed to have been lifted by hackers.

The gaming outfit said in a lengthy statement on its website that its security team had spotted "unauthorised and illegal access" into its system.

It said: "We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened."

Blizzard said it was yet to uncover evidence that sensitive financial data, including gamers' credit cards and billing addresses, had been compromised. "Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed," the company added.

However, a list of email addresses for Battle.net users across the globe, excluding those based in China, had been lifted in the hacking. And it gets worse:

For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

Blizzard, whose Battle.net service requires gamers to be online while they cast spells and argue over items, eased the pain a little bit:

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.

Stamford University's Thomas Wu explained in a paper about SRP that an "attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the host".

Despite Blizzard's reassurance to its users, the gaming firm went on to warn:

As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

Blizzard also plans to automatically prompt its players on North American servers to change their secret questions and answers. It will also nudge its mobile authenticator users, who use a phone-based two-factor authentication system to log into Battle.net.

The company signed off with a snivelling apology: "We take the security of your personal information very seriously, and we are truly sorry that this has happened."

Blizzard has a detailed FAQ about how its network was compromised here. ®

Intelligent flash storage arrays

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.