If you play World of Warcraft, Diablo III or StarCraft II, now would be a great time to change your Battle.net password, as Blizzard announces a security breach hit the company’s servers this week. No financial data has been compromised.
We deeply regret the inconvenience to all of you and understand you may have questions.
We take the security of your personal information very seriously, and we are truly sorry that this has happened.
Blizzard president Mike Morhaime explains in an open letter that the company’s security team discovered an “unauthorised and illegal access” into the developer’s internal network. Working closely with law enforcement and security experts, the access has now been closed, and people are investigating just what happened – and how it was possible.
At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.
What Blizzard admits has been accessed includes a list of email addresses for Battle.net users (outside of China). In addition to that, North American servers were also targeted, with information regarding mobile and dial-in authenticators accessed, as well as answers to personal security questions. (The North American Battle.net servers typically include gamers from North America, Latin America, Australia, New Zealand and Southeast Asia.)
Your actual password has likely not been accessed or affected, with Blizzard keeping those things carefully cryptographically scrambled. However, the scrambled versions were accessed, so you’re advised to change your password. Morhaime explains:
We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password.
Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.
Changing your password is the only action you should take at the moment, everything else is safe. “In the coming days,” says Morhaime, the company will contact players on the North American Battle.net servers, prompting an automated change to secret security questions and answers.
If you use a mobile authenticator, there will be a software update rolled out in the near future also, with Blizzard advising caution.
As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password.