Blizzard Entertainment Hack Hits Battle.net Users - Security - News & Reviews - eWeek.com

Written By
Brian Prince
Aug 12, 2012

Video game maker Blizzard Entertainment revealed Aug. 9 that its security team had discovered “unauthorized and illegal access” to its internal network on Aug. 4.

So far, there is no indication that financial information such as credit card numbers or customers’ real names were compromised. According to the company, the intruder was able to get access to email addresses for global Battle.net users outside of China as well as answers to personal security questions for users in North America, Latin America, Australia, New Zealand and Southeast Asia. The attack also yielded information related to mobile and dial-in authenticators.

“Based on what we currently know, this information alone is not enough for anyone to gain access to Battle.net accounts,” Mike Morhaime, CEO of the company, said in a statement.

“We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken,” he said. “We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password.”

The company said in a FAQ that it waited five days to notify the public because it wanted to determine what data was stolen and the nature of the attack. The company has contacted law enforcement to investigate the matter.

“In the coming days, we’ll be prompting players on North American servers to change their secret questions and answers through an automated process,” Morhaime said.

“Additionally, we’ll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password.”

Tim Keanini, nCircle Chief Research Officer, said users should create secret questions with security in mind.

“For example, your mother’s maiden name is a ridiculously weak question because the answer is so readily available. Anyone can get this on almost any genealogy Website,” he said. “I can pick a half dozen other metadata points about the average Internet user that are just as easy to access, including where you were born and your favorite movie. Instead, users should make these question and answer pairs somewhat nonsensical. For example, don’t use the answer ‘blue’ for your favorite color. Instead, use a non-color related response.”

Blizzard did not offer any information about how exactly the attack occurred.
