Blizzard warns of Battle.net security breach, data theft

August 10, 2012 // 10:39 a.m.

Tags: #battlenet #battlenet-authenticator #blizzard #diablo-iii #michael-morhaime #password #security #two-factor-authentication #vulnerability #world-of-warcraft

Blizzard is advising its Battle.net users to change their passwords following a security breach in which email addresses, security-question answers and hashed password data were taken by unknown attackers.

According to a statement from the company, responsible for the recently-launched Diablo III action-RPG as well as MMORPG giant World of Warcraft and the popular RTS StarCraft II, unknown attackers gained 'unauthorised and illegal access into our internal network here at Blizzard.' The goal? Players' personal data.

'Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China,' company founder and president Michael Morhaime goes on to admit in his statement to press and customers. 'For players on North American servers - which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia - the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken.

'At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.'

The loss of the password data is serious, but partly mitigated by Blizzard's stated use of the Secure Remote Password (SRP) protocol. SRP is an augmented password-authenticated key exchange: the server never stores the password itself, only a salted, one-way 'verifier' derived from it, and an eavesdropper on the login exchange learns nothing that helps in guessing the password. What it does not do is make a stolen verifier useless to an attacker who can guess passwords offline.

While that provides protection, some in the industry are suggesting it won't be enough. 'Sniffing SRP traffic tells you nothing about the user's password, and stealing the server's authentication database doesn't directly reveal any password secrets either,' explains Sophos's Paul Ducklin on the matter. 'Nevertheless, since Blizzard's servers hold enough data to verify that you know your password and can type it in correctly at your end, anyone who has a clone of Blizzard's authentication system has what he needs to run a password-guessing attack.'
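The following script illustrates the point made in the two paragraphs above: the server's SRP record is a one-way verifier, so it reveals no password directly, yet anyone holding a copy of it can test password guesses offline at will. It is an added example written for this article, not Blizzard's code. It follows the SRP-6a verifier layout of RFC 5054 (x = H(salt | H(username ":" password)), v = g^x mod N) with SHA-256 substituted for the RFC's SHA-1; the group, hash, salt length and username format Battle.net actually uses are not given in the article and are assumptions here, as are the sample accounts and wordlist.

```python
"""Why a stolen SRP authentication database still permits password guessing.

Added example for this article, not Blizzard's code. Models the SRP-6a
verifier from RFC 5054 (x = H(salt | H(I ":" P)), v = g^x mod N) with
SHA-256 in place of the RFC's SHA-1. Group, hash, salt size and username
format are assumptions; the article does not state Battle.net's.
"""
import hashlib
import secrets

# 1024-bit safe-prime group from RFC 5054, Appendix A, with g = 2. Used here
# purely for illustration; verify the hex against the RFC before reusing it.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
G = 2


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def private_key(salt: bytes, username: str, password: str) -> int:
    """x = H(salt | H(I ":" P)). Derived from the password at login; never stored."""
    inner = _h(f"{username}:{password}".encode())
    return int.from_bytes(_h(salt, inner), "big")


def make_verifier(username: str, password: str, salt: bytes = b""):
    """Enrolment: the server keeps only (salt, v = g^x mod N), not the password
    and not x. Holding v alone does not let you log in as the user."""
    if not salt:
        salt = secrets.token_bytes(16)
    x = private_key(salt, username, password)
    return salt, pow(G, x, N)


def password_matches(username: str, password: str, salt: bytes, v: int) -> bool:
    """The offline oracle a stolen record hands an attacker: recompute the
    verifier from a guess and compare. No network, no lockout, no rate limit."""
    return pow(G, private_key(salt, username, password), N) == v


def crack(records, wordlist):
    """Per-account dictionary attack over a leaked (username, salt, v) table.

    Returns the recovered passwords and the number of verifier computations
    spent. That count is the attacker's real cost: one modular exponentiation
    per guess per account, and because every record carries its own salt
    nothing can be precomputed and shared across accounts."""
    recovered = {}
    work = 0
    for username, salt, v in records:
        for guess in wordlist:
            work += 1
            if password_matches(username, guess, salt, v):
                recovered[username] = guess
                break
    return recovered, work


# Constructed sample data: three accounts and a six-entry wordlist.
SAMPLE_ACCOUNTS = [
    ("arthas@example.com", "frostmourne"),
    ("jaina@example.com", "hunter2"),
    ("thrall@example.com", "Correct Horse Battery 7!"),  # not in the wordlist
]
WORDLIST = ["password", "123456", "hunter2", "diablo", "frostmourne", "qwerty"]


def leaked_table():
    """What an attacker who clones the authentication database walks off with."""
    return [(u, *make_verifier(u, p)) for u, p in SAMPLE_ACCOUNTS]


if __name__ == "__main__":
    recovered, work = crack(leaked_table(), WORDLIST)
    print(f"recovered {recovered} after {work} verifier computations")
```

Run as a script it recovers the two weak passwords and leaves the strong one alone: the per-user salt forces the attacker to pay for every guess on every account, but that cost is a single modular exponentiation, so common passwords fall in moments. This is why a verifier-based scheme is a real improvement over a plaintext or unsalted store, and also why changing the password after a database theft is still necessary.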

Others are warning that the loss of the personal security question answers is more significant. 'The secret question isn't much of a barrier in an attack, and when they have the actual answer, password resets aren't much of a challenge,' warns security researcher Kevin Liston, suggesting that attackers can simply reset users' passwords in order to gain access to the compromised accounts. At the time of writing, Battle.net offers no way for users to change their personal security question, an oversight on Blizzard's part; the company says a solution will be developed as quickly as possible.

Blizzard's recommendation is for all users to change their passwords immediately, with Liston further suggesting that the personal security question be changed as well once that facility becomes available. Those not yet using Blizzard's two-factor authentication for Battle.net are advised to enable it, even though some authenticator-related data was among the material accessed.

With Blizzard running a real-money economy inside Diablo III, the latest entry in the series, this breach raises some serious questions.
