If you use Battle.net, change your password: a security breach has led to the leaking of personal data to unknown individuals.
Blizzard is advising its Battle.net users to change their passwords following a security breach which saw numerous pieces of personal data leaked to attackers unknown.
According to a statement from the company, responsible for the recently-launched Diablo III action-RPG as well as MMORPG giant World of Warcraft and popular RTS StarCraft II, attackers unknown perpetrated an 'unauthorised and illegal access into our internal network here at Blizzard.' The goal? Players' personal data.
'Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China,' company founder and president Michael Morhaime goes on to admit in his statement to press and customers. 'For players on North American servers - which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia - the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken.
'At this time, we've found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.'
The loss of the passwords is serious, but mitigated by Blizzard's claimed use of the Secure Remote Password protocol, an augmented password-authenticated key agreement protocol designed to make it near-impossible to brute force a password.
While that provides protection, some in the industry are suggesting it won't be enough. 'Sniffing SRP traffic tells you nothing about the user's password, and stealing the server's authentication database doesn't directly reveal any password secrets either,' explains Sophos's Paul Ducklin on the matter. 'Nevertheless, since Blizzard's servers hold enough data to verify that you know your password and can type it in correctly at your end, anyone who has a clone of Blizzard's authentication system has what he needs to run a password-guessing attack.'
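To make Ducklin's distinction concrete, here is an added example in Python of an SRP-6a style registration and login round; it is not Blizzard's code and not part of the original article. It uses the 1024-bit group from RFC 5054, SHA-256 in place of the RFC's SHA-1, and a constructed username and passwords. It shows that the server stores only a salt and a verifier v = g^x mod N, that nothing on the wire (A, B, M1) contains the password, and that a stolen (salt, v) record is nevertheless enough to test a candidate password offline, which is why a breach of that database still calls for a password change.

```python
import hashlib
import secrets

# 1024-bit safe prime and generator g = 2 from RFC 5054, Appendix A.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8


def to_bytes(n: int) -> bytes:
    """Fixed-width big-endian encoding so hashed values are unambiguous."""
    return n.to_bytes(N_LEN, "big")


def H(*parts: bytes) -> int:
    """SHA-256 of the concatenated parts, interpreted as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


# SRP-6a multiplier k = H(N | g).
k = H(to_bytes(N), to_bytes(g))


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(username ':' password)); computed on the client only."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def register(username: str, password: str) -> tuple:
    """Server-side record is (salt, v) with v = g^x mod N; no password, no x."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


def login(username: str, typed_password: str, salt: bytes, v: int) -> tuple:
    """One SRP round with both roles simulated in-process.

    Returns (authenticated, wire) where wire holds every value that would be
    observable by someone sniffing the exchange."""
    # Client: ephemeral private a, public A.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server: ephemeral private b, public B = k*v + g^b (v is blinded, never sent).
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    # Both sides derive the scrambling parameter u from the public values.
    u = H(to_bytes(A), to_bytes(B))
    # Client: reaching the shared secret S requires x, i.e. the password.
    x = private_x(salt, username, typed_password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server: reaches the same S from the stored verifier v and its private b.
    S_server = pow((A * pow(v, u, N)) % N, b, N)
    K_client = hashlib.sha256(to_bytes(S_client)).digest()
    K_server = hashlib.sha256(to_bytes(S_server)).digest()
    # Client proves knowledge of K; server compares in constant time.
    M1 = hashlib.sha256(to_bytes(A) + to_bytes(B) + K_client).digest()
    expected = hashlib.sha256(to_bytes(A) + to_bytes(B) + K_server).digest()
    wire = {"salt": salt.hex(), "A": A, "B": B, "M1": M1.hex()}
    return secrets.compare_digest(M1, expected), wire


def verifier_matches(salt: bytes, v: int, username: str, candidate: str) -> bool:
    """What a stolen (salt, v) record permits: one candidate checked per modular
    exponentiation, with no server in the loop to rate-limit. This is the
    residual risk Ducklin describes, and the reason for the password reset."""
    return pow(g, private_x(salt, username, candidate), N) == v


if __name__ == "__main__":
    # Constructed demo credentials, not real account data.
    salt, v = register("demo_user", "correct horse battery staple")
    ok, wire = login("demo_user", "correct horse battery staple", salt, v)
    print("authenticated:", ok)
    print("values on the wire:", sorted(wire))
    print("wrong password accepted:", login("demo_user", "Tr0ub4dor&3", salt, v)[0])
```

Production SRP libraries additionally zero-pad A, B and g before hashing and reject A or B equal to zero mod N; those checks are omitted here to keep the algebra visible, and should not be dropped in real code.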
Others are warning that the loss of personal security question answers is more significant. 'The secret question isn't much of a barrier in an attack, and when they have the actual answer, password resets aren't much of a challenge,' warns security researcher Kevin Liston, suggesting that attackers can simply change users' passwords in order to gain access to the compromised accounts. Sadly, changing the personal security question is not actually possible at present, an oversight on Blizzard's part, with the company stating that a solution will be developed as quickly as possible.
Blizzard's recommendation is for all users to change their passwords immediately, with Liston further suggesting that the personal security question be changed as well once that facility becomes available. Those who aren't using Blizzard's two-factor authentication system for Battle.net are advised to consider changing their minds on the matter, too.
With Blizzard presiding over a real-world-cash economy in its latest Diablo series entry, this latest security breach raises some serious questions.
24 Comments
Seems like they acted quickly with information though, guess they learnt from the Sony et al debacle..
So I should change my password :/
Many thanks Bit Tech :)
http://us.blizzard.com/en-us/securityupdate.html
dated 9th August....
Yeah so I see, but something as important as this, an email letting us know should have been sent.....
do you play on US servers then?
Yep, much better that they don't mention anything that might increase the security of people's accounts. Especially when their suggestion is an authenticator which I'm sure is a massive cash-cow for them....
For how often they're suggested by Blizzard as the best way to secure one's account it's a joke to have to buy one separately.
And I suppose it costs Blizzard nothing to ship them either to themselves or to customers? And if authenticators are a scam to make money why would they provide a mobile authenticator for free?
HUH?
the authenticator is FREE
The free mobile authenticator is a nice feature, there's some customer courtesy, but not everyone will have that option. The basic authenticator feature, the physical device, is still a hauntingly Activision-y separate cost to their games which are already top-dollar priced.
EDIT: Harlequin, check Blizzard's store. It's $6.50.
If you have a smartphone there is a FREE authenticator app for that.
At the end of the day, it turns out very little is unhackable and there are always going to be ways to circumvent security precautions if you are clever enough, which a lot of people are! Blizzard could not have the authenticator system if you prefer...
The best way to secure your bike is with a lock but very few come with one. The best way to secure your laptop is with one of those things that attaches it to stuff, but very few come with one. etcetera.
edit: and also, why shouldn't they make money on something? The initial reason that they started with authenticators is because people were too lax with their own system security and were getting passwords stolen, and then accounts hacked. Blizzard then had to spend ridiculous amounts of money on staffing getting it sorted, which is when authenticators were introduced. Why should Blizzard give something out for free when the person mostly responsible for an unsecured account is the user themselves?
But it isn't in a Steam sale!
However, you do not pay a monthly fee for your BIKE, or your laptop for that matter.
What's that got to do with anything?
You don't pay a monthly fee for Diablo 3 or StarCraft 2 either......given it was bnet not just WoW accounts....
But if you did, say, rent your bike so you paid a monthly fee for it - would you expect that if you left it unsecured in your garage, and your house got broken into and it got stolen, that the guy at the bike shop would forgive you because you thought it was secure in your garage? Or you left it locked at the train station with the key in the lock?
If users get their own passwords stolen and their accounts hacked I cannot see how you would ever think it's Blizzard's fault. More so, I can't understand why you think they should shell out their own money to make up for your own mistakes. Sure authenticators are cheap to them, but they are a business and are thus out to make money.