Security Experts:

Blizzard Entertainment Hacked, Issues Breach Notifications to Users

Blizzard Entertainment’s BattleNet (battle.net) portal, which allows gamers access to games such as Diablo III, World of Warcraft, and StarCraft II, has suffered a data breach, the company says. As a result, users are being encouraged to change their passwords.

A statement from Blizzard was thin on details, but the company stresses that at this point, “credit card and other customer payment data does NOT appear to have been accessed or affected.”

However, all other account information, including password hashes (SRP), email addresses, security question answers, and information relating to Mobile and Dial-In Authenticators was impacted by the breach.

Geographically, accounts associated with the North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) were targeted, as well as “all regions outside of China,” Blizzard added.

For those unfamiliar, SRP (Secure Remote Password) is a zero knowledge authentication scheme. In short, only the user knows the password, and password files do not contain enough data to generate a crackable hash.

Blizzard likely chose this method of password storage for its ability to enable long passwords (up to 127 characters), and the boost to password protection in the event of a breach. However, while SRP can some many common password problems, it is still vulnerable to client-side attacks (keylogging, sniffing). The loss of the two-factor authentication data, until gamers update their software, in addition to the compromised SRP data may be problematic.

In the meantime, Blizzard is encouraging everyone to update their passwords to be on the safe side and watch for Phishing attacks targeting the compromised email addresses. Updates to the two-factor authentication software and security questions will be rolled out in the coming days.

“In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software,” Blizzard CEO, Mike Morhaime, said in a letter to players.

“As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions.”

We’ve reached out to Blizzard for more information, and will update this article as we learn more. The company boasts millions of players, but has not said how many of them were impacted by the breach.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.