Blizzard Entertainment hacked – this time for real (lessons learned)

In May we read that game maker Blizzard, developer of a series of popular games including World of Warcraft, Diablo III and Starcraft, was hacked, but that turned out to be just individual compromised accounts belonging to some of its users. Now we read, from Blizzard itself rather than from a third party, that their internal network has been breached and information compromised. So how are they doing with the breach?

From their account on their website we read “This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard.” So did they respond well? It seems they got the jump on things and responded quickly, a smart move: “We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.”

Next they were specific about which classes of data were, and weren’t, compromised, another smart move: “Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China.” Interesting data point: users in China appear to have been exempt. They also note: “We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken.”

But what steps were in place to slow down or stymie would-be hackers? They continue: “We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.”
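The point behind that quote is that an SRP server never stores the password, only a per-user salted verifier, so a stolen database contains nothing that a precomputed table can be matched against and every record has to be worked on separately. The following is an added illustration written for this post, not Blizzard's code and not a full SRP implementation (it covers only registration, not the login exchange). The modulus is a constructed demonstration prime rather than one of the standardized RFC 5054 groups, and SHA-256 stands in for the hash the standard specifies.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed demonstration parameters (NOT an RFC 5054 group). 2**255 - 19 is
# prime, which is enough to show how the verifier is built; real deployments use
# the standardized safe-prime groups (1024-bit and larger) with generator g = 2.
N = 2**255 - 19
g = 2

# A "database" of what an SRP server actually stores: username -> (salt, verifier)
UserDB = Dict[str, Tuple[bytes, int]]


def srp_private_key(username: str, password: str, salt: bytes) -> int:
    """x = H(salt || H(username ":" password)), the SRP-6a derivation.

    Both the per-user salt and the username are folded in, so two users with the
    same password end up with different x values. (RFC 5054 uses SHA-1 here;
    SHA-256 is an assumption made for this example.)
    """
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")


def srp_verifier(username: str, password: str, salt: bytes) -> int:
    """v = g^x mod N, the value the server keeps instead of the password.

    Recovering x (and hence the password) from v is a discrete-logarithm problem;
    the only practical route is guessing candidate passwords and recomputing v,
    which must be repeated per record because salt and username differ.
    """
    return pow(g, srp_private_key(username, password, salt), N)


def register(db: UserDB, username: str, password: str,
             salt: Optional[bytes] = None) -> None:
    """Enrol a user. Only (salt, verifier) is written; the password is discarded."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user
    db[username] = (salt, srp_verifier(username, password, salt))


def shared_password_is_visible(db: UserDB, user_a: str, user_b: str) -> bool:
    """Audit helper: would a leaked table reveal that two users share a password?

    With unsalted hashes the answer is yes (identical stored values). With SRP
    verifiers the stored values differ even for identical passwords, so the
    function returns False and no cross-record shortcut exists.
    """
    return db[user_a][1] == db[user_b][1]


if __name__ == "__main__":
    db: UserDB = {}
    # Constructed sample users; both deliberately pick the same password.
    register(db, "alice", "KerAZg3nes!")
    register(db, "bob", "KerAZg3nes!")
    for name, (salt, v) in db.items():
        print(f"{name}: salt={salt.hex()} verifier={v:064x}")
    print("shared password detectable from stored values:",
          shared_password_is_visible(db, "alice", "bob"))
```

Running it prints two unrelated-looking verifiers for the same password, which is exactly why the leaked records have to be “deciphered individually”: a guess that is checked against alice's row tells the attacker nothing about bob's row, and nothing precomputed ahead of the breach applies to either.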

And Blizzard took precautions notifying their userbase: “As a precaution, however, we recommend that players on North American servers change their password.” Blizzard included a link to do so, which is helpful. They also suggest changing other passwords you may have used which are similar on other websites, which is a good idea.

While the exact details of how their systems were breached remain to be investigated, it seems they are keeping their users well-informed and providing helpful recommendations, a step in the right direction. No one wants to be on the receiving end of a breach, but importantly, Blizzard is pushing information out to users from the source through a FAQ here, which is proactive. A lot of consumer-facing websites could learn from the things Blizzard is doing right.

If you are a Blizzard user, we have blogged advice on bad passwords to avoid. Go for a new password that is long (over 8 characters) and hard to guess (not based on things other people might know about you), and use a mixture of upper- and lower-case letters with numbers and punctuation characters if allowed (KerAZg3nes!).

Cameron Camp
Security Researcher
P.S. Read also https://blog.eset.ie/2012/08/10/battle-net-breached-by-hackers/
