Blizzard pwned: Gamers' email, encrypted passwords slurped
Millions of World of Warcraft players raided
Blizzard Entertainment, which makes World of Warcraft, Diablo III and other games, has coughed to a security breach of its internal network. Email addresses, answers to security questions and encrypted passwords linked to player accounts are believed to have been lifted by hackers.
The gaming outfit said in a lengthy statement on its website that its security team had spotted "unauthorised and illegal access" into its system.
It said: "We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened."
Blizzard said it was yet to uncover evidence that sensitive financial data, including gamers' credit cards and billing addresses, had been compromised. "Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed," the company added.
However, a list of email addresses for Battle.net users across the globe, excluding those based in China, had been lifted in the hacking. And it gets worse:
For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.
Blizzard, whose Battle.net service requires gamers to be online while they cast spells and argue over items, eased the pain a little bit:
We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.
Stamford University's Thomas Wu explained in a paper about SRP that an "attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the host".
Despite Blizzard's reassurance to its users, the gaming firm went on to warn:
As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.
Blizzard also plans to automatically prompt its players on North American servers to change their secret questions and answers. It will also nudge its mobile authenticator users, who use a phone-based two-factor authentication system to log into Battle.net.
The company signed off with a snivelling apology: "We take the security of your personal information very seriously, and we are truly sorry that this has happened."
Blizzard has a detailed FAQ about how its network was compromised here. ®