Yesterday Mike Morhaime, president of Blizzard Entertainment, announced a security breach via a ‘Blue Post’ on Blizzard’s official web site citing “an unauthorized and illegal access into our internal network here at Blizzard.” In the wake of the shaky Diablo III launch, and with the release of Mists of Pandaria looming so close upon the horizon, Blizzard really doesn’t need any more on their plate but they can’t seem to catch a break.
Morhaime goes on to state that “for players on North American servers, the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.” It should be noted that, at this time, Blizzard doesn’t believe any credit card information was accessed; what was taken was simply e-mail addresses and SRP-encoded (Secure Remote Password protocol) versions of user passwords.
We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.
So in reality there are a few things to think about. First and foremost, change your password. While it seems unlikely, there’s a chance that these data thieves would really go through all the work it would take to extract SRP-protected passwords. I mean, they already went to the trouble of breaching Blizzard’s internal security. Next, if you don’t already use a Blizzard Battle.net Authenticator, you may want to pick one up. Alternatively, if you have a smartphone, I suggest that you go ahead and download their Mobile Authentication App. It’s free.
Over the course of the next month, Blizzard intends to set up something that will automatically ask you to change your security question. So at least they’re being proactive about account protection.
Reality: Expect to see phishing attempts continue, and a flood of cheap currency to hit the diminished gold farming market of Warcraft.
The full Blue Post on this security issue can be seen here.
Change your password, boys & girls.
Comment by Dave3 — August 10, 2012 @ 7:23 pm