Feeds

Blizzard pwned: Gamers' email, encrypted passwords slurped

Millions of World of Warcraft players raided

Seven Steps to Software Security

Blizzard Entertainment, which makes World of Warcraft, Diablo III and other games, has coughed to a security breach of its internal network. Email addresses, answers to security questions and encrypted passwords linked to player accounts are believed to have been lifted by hackers.

The gaming outfit said in a lengthy statement on its website that its security team had spotted "unauthorised and illegal access" into its system.

It said: "We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened."

Blizzard said it was yet to uncover evidence that sensitive financial data, including gamers' credit cards and billing addresses, had been compromised. "Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed," the company added.

However, a list of email addresses for Battle.net users across the globe, excluding those based in China, had been lifted in the hacking. And it gets worse:

For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.

Blizzard, whose Battle.net service requires gamers to be online while they cast spells and argue over items, eased the pain a little bit:

We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.

Stamford University's Thomas Wu explained in a paper about SRP that an "attacker who captures the password database cannot use it directly to compromise security and gain immediate access to the host".

Despite Blizzard's reassurance to its users, the gaming firm went on to warn:

As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

Blizzard also plans to automatically prompt its players on North American servers to change their secret questions and answers. It will also nudge its mobile authenticator users, who use a phone-based two-factor authentication system to log into Battle.net.

The company signed off with a snivelling apology: "We take the security of your personal information very seriously, and we are truly sorry that this has happened."

Blizzard has a detailed FAQ about how its network was compromised here. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.