Categories: SecurityWorkspace

Blizzard Hacked And Scrambled Passwords Leaked

Blizzard, the games developer behind major titles like World of Warcraft and Diablo III, has admitted its network was hacked and user login information was stolen.

It said there was no evidence credit card details or real names of customers were compromised, however the culprits managed to take “cryptographically scrambled” Battle.net passwords of North American users. Battle.net is Blizzard’s online multiplayer service, where players can compete with each other in some of the developer’s most popular titles.

US gamers’ answers to personal security questions were also stolen, as were mobile and dial-in authenticators. For global users, it seems that just some email addresses were illegally accessed.

“Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts,” said Blizzard co-founder and president Mike Morhaime.

“We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password.

“As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you.”

Another day, another password breach

There have been a number of significant password thefts this year. The biggest hit social network LinkedIn, which saw 6.5 million passwords leaked online. In that case, the passwords were hashed, but not salted, making it easier for hackers to figure out what the plain text was and potentially access user accounts.

Brian Spector, CEO of cloud security vendor CertiVox, believes the old model of username and password login does not work, largely because companies hold the details in one place online, sometimes without the right protection. That makes them a prime target for hackers.

“Hacking is a business, so hackers go for targets where they are likely to get a decent return on their efforts. For example, a website that has usernames and passwords stored on it in a vulnerable file, because that data can be used, in turn, to compromise many other user accounts,” Spector told TechWeekEurope.

“As long as the inherently weak username/password login method continues to be the norm for accessing websites, it will always be more productive for hackers to target user data, because it is very easy to translate into cold, hard cash.”

Games companies are a particularly attractive target. In November last year, Valve admitted attackers compromised some forum accounts on the Steam gaming service. That attack came seven months after Sony was hit, leaking data relating to over 100 million users.

The Information Commissioner’s Office (ICO) told TechWeekEurope a decision on Sony was expected soon. However, there appears to be something of a delay. The deputy commissioner David Smith said in late March that the decision was coming in six weeks, but nothing has yet emerged.

Think you know security? Test yourself with our quiz.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

13 hours ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

13 hours ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

13 hours ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

1 day ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

1 day ago