Diablo 3, Starcraft II, and World of Warcraft players: Changed your password lately?
Battle.net’s internal systems were illegally accessed on Aug. 4 and player account information was stolen, Blizzard co-founder Mike Morhaime said in a statement posted on the company website earlier today. Encrypted passwords and answers to the security questions were among the data stolen, along with email addresses for players outside of China, according to the statement.
Blizzard uses Battle.net for authenticating users, matching players with other like-minded players, and processing payments. Battle.net’s North American servers, which actually host accounts from North America, Latin America, Australia, New Zealand, and Southeast Asia, were the most significantly affected in this breach, Blizzard said.
“Even when you are in the business of fun, not every week ends up being fun,” said Morhaime.
There is no evidence so far to suggest financial data such as credit card numbers, real names, or billing addresses were among the information stolen, Blizzard said.
Are User Accounts Safe?
Players who use Battle.net’s dial-in authentication service had their hashed phone numbers stolen. Information relating to Mobile Authenticators, an iPhone app that adds two-factor authentication to accounts, was taken “that could potentially compromise the integrity” of the authenticators, Blizzard said on its website.
Blizzard is working on a software update to address the situation. “We believe the integrity of the physical authenticators remains intact,” Blizzard said.
Even so, it doesn’t appear the thieves grabbed enough account data to be able to access player accounts and profiles, Morhaime said. The company will prompt players on the North American servers to change their passwords and answers to their security questions over the next few days.
Customer service staff will also be instructed to use additional measures to verify player identity.
Blizzard considered automatically revoking mobile authenticators and all security questions and answers, but chose not to. Keeping these measures would provide “a layer of security against unauthorized users who don’t have access to the compromised data,” Blizzard said.
This is the second attack against Blizzard this year. The gaming company was breached in May when criminals stole game items and currency. It is believed the attackers broke in via a SQL injection attack.
The company waited five days before reporting the latest breach because it was investigating the incident and securing its network, Blizzard said. Law enforcement agencies have also been notified. It’s not known how the attackers broke in this time around.
“Our first priority was to re-secure our network, and from there we worked simultaneously on the investigation and on informing our global player base,” the company said.
Players should also be wary of fraudulent emails purporting to be from Blizzard or other trusted sites. Because email addresses were exposed, it is entirely possible that this could result in an increased, targeted phishing campaign sent to Blizzard users, the company said.
When it comes to security answers, security experts recommend not answering them honestly. Attackers have various social engineering tricks up their sleeves to ferret out the real answers, whether by sending you an email or by reading your social networking profiles. Coming up with fake answers makes it that much harder to break in.
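The advice above treats a security answer as a second password rather than a fact about you. The following added example (not code from the article or from Blizzard) shows both halves of that idea: a player generates an unguessable answer from a random word list instead of a real pet name, and a site stores the answer the way it should store a password, salted and hashed with a slow key-derivation function, so a stolen copy is not directly usable. The word list, iteration count and function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed word list for illustration only; a real deployment would use a
# large, published diceware-style list so answers have enough entropy.
WORDS = [
    "granite", "lantern", "orbit", "velvet", "meadow", "copper", "harbor",
    "thistle", "ember", "quartz", "saddle", "willow", "anchor", "fjord",
    "mosaic", "tundra", "pepper", "canyon", "beacon", "glacier",
]

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def random_answer(word_count: int = 4) -> str:
    """Player side: produce a security answer nobody can learn from a profile.

    The answer is random, so it must be saved in a password manager rather
    than remembered; that is the trade-off the article's advice implies.
    """
    return " ".join(secrets.choice(WORDS) for _ in range(word_count))


def _normalize(answer: str) -> str:
    # Tolerate case and spacing differences when the player types the answer
    # back in, without weakening the stored secret.
    return " ".join(answer.lower().split())


def hash_secret(answer: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Site side: store a security answer exactly as a password would be stored.

    Returns (salt, digest). A fresh 16-byte salt per record means two players
    with the same answer get different digests, and precomputed tables are
    useless against a stolen database.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_secret(answer: str, salt: bytes, digest: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the digest and compare in constant time."""
    _, candidate = hash_secret(answer, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Enrolment: player generates an answer, site stores only salt + digest.
    answer = random_answer()
    salt, digest = hash_secret(answer)
    print("answer to keep in a password manager:", answer)
    print("stored record:", salt.hex(), digest.hex())
    # Recovery flow: correct answer verifies, a guess does not.
    print(verify_secret(answer, salt, digest))          # True
    print(verify_secret("fluffy", salt, digest))        # False
```

The server stores only the salt and digest; if that record is stolen, an attacker still has to run the slow derivation for every guess, and a random four-word answer gives them no realistic shortcut, unlike a mother's maiden name.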