breach prompts Blizzard Security Update

If you play World of Warcraft, Diablo III or StarCraft II, now would be a great time to change your password, as Blizzard announces a security breach hit the company’s servers this week. No financial data has been compromised.

We deeply regret the inconvenience to all of you and understand you may have questions.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Blizzard president Mike Morhaime explains in an open letter that the company’s security team discovered an “unauthorised and illegal access” into the developer’s internal network. Working closely with law enforcement and security experts, Blizzard has now closed the access, and an investigation is under way into just what happened and how it was possible.

At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

What Blizzard admits has been accessed includes a list of email addresses for users (outside of China). In addition to that, North American servers were also targeted, with information regarding mobile and dial-in authenticators accessed, as well as answers to personal security questions. (The North American servers typically include gamers from North America, Latin America, Australia, New Zealand and Southeast Asia.)

Blizzard reassures gamers that this information alone is not enough for the culprits to gain access to any accounts.

Your actual password has likely not been accessed or affected, as Blizzard keeps passwords cryptographically scrambled. However, the scrambled versions were accessed, so you’re advised to change your password. Morhaime explains:

We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password.

Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

Changing your password is the only action you should take at the moment; everything else is safe. “In the coming days,” says Morhaime, the company will contact players on the North American servers, prompting an automated change to secret security questions and answers.

If you use a mobile authenticator, a software update will also be rolled out in the near future, and Blizzard advises caution.

As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password.
