Feeds

Blizzard pwned: Gamers' email, encrypted passwords slurped

Millions of World of Warcraft players raided

Protecting against web application threats using SSL

Blizzard Entertainment, which makes World of Warcraft, Diablo III and other games, has coughed to a security breach of its internal network. Email addresses, answers to security questions and encrypted passwords linked to player accounts are believed to have been lifted by hackers.

The gaming outfit said in a lengthy statement on its website that its security team had spotted "unauthorised and illegal access" into its system.

It said: "We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened."

Blizzard said it was yet to uncover evidence that sensitive financial data, including gamers' credit cards and billing addresses, had been compromised. "Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed," the company added.

However, a list of email addresses for Battle.net users across the globe, excluding those based in China, had been lifted in the hacking. And it gets worse:

For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

Blizzard, whose Battle.net service requires gamers to be online while they cast spells and argue over items, eased the pain a little bit:

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.

Stamford University's Thomas Wu explained in a paper about SRP that an "attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the host".

Despite Blizzard's reassurance to its users, the gaming firm went on to warn:

As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

Blizzard also plans to automatically prompt its players on North American servers to change their secret questions and answers. It will also nudge its mobile authenticator users, who use a phone-based two-factor authentication system to log into Battle.net.

The company signed off with a snivelling apology: "We take the security of your personal information very seriously, and we are truly sorry that this has happened."

Blizzard has a detailed FAQ about how its network was compromised here. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.