Blizzard Hacked And Scrambled Passwords Leaked
Passwords have been compromised but World of Warcraft creator took precautions to protect user accounts
Blizzard, the games developer behind major titles like World of Warcraft and Diablo III, has admitted its network was hacked and user login information was stolen.
It said there was no evidence credit card details or real names of customers were compromised, however the culprits managed to take “cryptographically scrambled” Battle.net passwords of North American users. Battle.net is Blizzard’s online multiplayer service, where players can compete with each other in some of the developer’s most popular titles.
US gamers’ answers to personal security questions were also stolen, as were mobile and dial-in authenticators. For global users, it seems that just some email addresses were illegally accessed.
“Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts,” said Blizzard co-founder and president Mike Morhaime.
“We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password.
“As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you.”
Another day, another password breach
There have been a number of significant password thefts this year. The biggest hit social network LinkedIn, which saw 6.5 million passwords leaked online. In that case, the passwords were hashed, but not salted, making it easier for hackers to figure out what the plain text was and potentially access user accounts.
Brian Spector, CEO of cloud security vendor CertiVox, believes the old model of username and password login does not work, largely because companies hold the details in one place online, sometimes without the right protection. That makes them a prime target for hackers.
“Hacking is a business, so hackers go for targets where they are likely to get a decent return on their efforts. For example, a website that has usernames and passwords stored on it in a vulnerable file, because that data can be used, in turn, to compromise many other user accounts,” Spector told TechWeekEurope.
“As long as the inherently weak username/password login method continues to be the norm for accessing websites, it will always be more productive for hackers to target user data, because it is very easy to translate into cold, hard cash.”
Games companies are a particularly attractive target. In November last year, Valve admitted attackers compromised some forum accounts on the Steam gaming service. That attack came seven months after Sony was hit, leaking data relating to over 100 million users.
The Information Commissioner’s Office (ICO) told TechWeekEurope a decision on Sony was expected soon. However, there appears to be something of a delay. The deputy commissioner David Smith said in late March that the decision was coming in six weeks, but nothing has yet emerged.
Think you know security? Test yourself with our quiz.