August 10, 2012

Blizzard Servers Hacked for Account Information

Enid Burns for - Your Universe Online

Blizzard, the publisher of popular computer games such as World of Warcraft, StarCraft and Diablo, discovered that its servers were hacked and certain account information was stolen. The company detailed the break-in on its website.

The "Important Security Update" was addressed to players and friends. "This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened," said Mike Morhaime of Blizzard, in the letter posted to Blizzard users.

Data that was illegally accessed includes a list of the email addresses of all global users outside of China. The company uses third-party-run servers for users within China, Forbes reports.

Servers in North America typically support players in North America, Latin America, Australia, New Zealand and Southeast Asia. For accounts on those servers, Blizzard also reported that the answer to the personal security question and information relating to mobile and dial-in authenticators were accessed. Cryptographically scrambled versions of passwords, though not the actual passwords, were taken as well. Blizzard says this is not enough information on its own to gain access to accounts, but the computer game publisher still recommends that users change their passwords. Blizzard will also prompt players to change their secret questions and answers through an automated process when they log into the servers.

Blizzard uses the Secure Remote Password protocol (SRP) to protect passwords. SRP is a password-authenticated key exchange: the server never stores the password itself, only a per-user salt and a "verifier" derived from the salt, username and password by hashing and modular exponentiation. The protocol is designed to make recovering an actual password from a stolen verifier "extremely difficult." Because every verifier is computed with its own salt, there is no shortcut such as a precomputed table: an attacker must guess candidate passwords and test them against each user's verifier separately. The caveat is that a stolen verifier is still an offline guessing target, so weak or reused passwords remain at risk, which is why the password-change recommendation matters.
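To make the "each password must be attacked individually" point concrete, here is an added example (written for this article, not Blizzard's code) that computes SRP verifiers the way RFC 5054 defines them and then runs a dictionary attack against the stored records. The usernames, salts and wordlist are constructed for the demonstration; SHA-256 is used where the RFC's TLS profile uses SHA-1, which is an assumption made here; the login exchange itself (the A, B and proof messages) is not shown, only the stored material an attacker would obtain from a database breach.

```python
import hashlib
import os

# Group parameters: the 1024-bit safe prime and generator from RFC 5054, Appendix A
# (copied here for the example; check against the RFC before any real use).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2


def private_key_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username ":" password)), RFC 5054 section 2.5.3.
    SHA-256 is an assumption here; the RFC's TLS profile specifies SHA-1."""
    inner = hashlib.sha256(f"{username}:{password}".encode("utf-8")).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def verifier(salt: bytes, username: str, password: str) -> int:
    """v = g^x mod N: the value the server stores instead of the password."""
    return pow(g, private_key_x(salt, username, password), N)


def enroll(username: str, password: str, salt: bytes = None) -> dict:
    """What the server keeps per account: username, random salt, verifier.
    A fixed salt may be passed for reproducible tests."""
    if salt is None:
        salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "verifier": verifier(salt, username, password)}


def crack(record: dict, wordlist: list) -> tuple:
    """Offline guessing against ONE stolen record.
    Returns (recovered password or None, number of guesses evaluated).
    Every guess needs a fresh hash + modular exponentiation with this
    user's salt, so nothing computed here helps against another record."""
    for count, guess in enumerate(wordlist, 1):
        if verifier(record["salt"], record["username"], guess) == record["verifier"]:
            return guess, count
    return None, len(wordlist)


def crack_all(records: list, wordlist: list) -> dict:
    """The salt forces a full, independent pass over the wordlist per account."""
    return {r["username"]: crack(r, wordlist) for r in records}


if __name__ == "__main__":
    # Constructed accounts: two users with the same weak password, one strong.
    users = [enroll("alice", "hunter2"), enroll("bob", "hunter2"),
             enroll("carol", "KerAZg3nes!")]
    # Same password, different salts, different verifiers: no shared table.
    print("alice == bob verifier?", users[0]["verifier"] == users[1]["verifier"])
    # Constructed wordlist standing in for a real dictionary attack.
    wordlist = ["password", "123456", "qwerty", "hunter2", "letmein"]
    for name, (found, tried) in crack_all(users, wordlist).items():
        print(f"{name}: {'recovered ' + found if found else 'not found'} after {tried} guesses")
```

Running it shows that alice and bob end up with different verifiers despite sharing a password, that each account costs its own pass over the wordlist, and that the weak entries fall while the long mixed-character one does not; the stolen verifier only slows the attacker down by the cost of a guess per user, it does not make weak passwords safe.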

Blizzard had a close call in May. Security researcher Cameron Camp writes on the ESET Threat Blog that individual user accounts were hacked and passwords were stolen in that incident. The August attack, by contrast, was on Blizzard's own servers and much more serious. Camp maintains that Blizzard's swift response was good. "It seems they got the jump on things and responded quickly, a smart move," he says.

Camp credits Blizzard for its transparency in the attack. "Next they were specific with what classes of data were, and weren't compromised, another smart move."

In addition to the security post on the Blizzard website, Camp notes that Blizzard set up an FAQ, in a proactive move. "A lot of consumer-facing websites could learn from the things Blizzard is doing right," he says.

Advice for Blizzard users worried about the data leak? "If you are a Blizzard user, we have blogged advice on bad passwords to avoid. Go for a new password that is long (over 8 characters) and hard to guess (not based on things other people might know about you) and use a mixture of upper- and lower-case letters with numbers and punctuation characters if allowed." Camp provides a sample password of "KerAZg3nes!".

Blizzard brought in law enforcement, and the game publisher continues to look into the matter. "We take security of your personal information very seriously, and we are truly sorry that this happened," the security notice closes.