Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Blizzard Entertainment Hacked, Issues Breach Notifications to Users

Blizzard Entertainment’s BattleNet (battle.net) portal, which allows gamers access to games such as Diablo III, World of Warcraft, and StarCraft II, has suffered a data breach, the company says. As a result, users are being encouraged to change their passwords.

A statement from Blizzard was thin on details, but the company stresses that at this point, “credit card and other customer payment data does NOT appear to have been accessed or affected.”

Blizzard Entertainment’s BattleNet (battle.net) portal, which allows gamers access to games such as Diablo III, World of Warcraft, and StarCraft II, has suffered a data breach, the company says. As a result, users are being encouraged to change their passwords.

A statement from Blizzard was thin on details, but the company stresses that at this point, “credit card and other customer payment data does NOT appear to have been accessed or affected.”

However, all other account information, including password hashes (SRP), email addresses, security question answers, and information relating to Mobile and Dial-In Authenticators was impacted by the breach.

Geographically, accounts associated with the North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) were targeted, as well as “all regions outside of China,” Blizzard added.

For those unfamiliar, SRP (Secure Remote Password) is a zero knowledge authentication scheme. In short, only the user knows the password, and password files do not contain enough data to generate a crackable hash.

Blizzard likely chose this method of password storage for its ability to enable long passwords (up to 127 characters), and the boost to password protection in the event of a breach. However, while SRP can some many common password problems, it is still vulnerable to client-side attacks (keylogging, sniffing). The loss of the two-factor authentication data, until gamers update their software, in addition to the compromised SRP data may be problematic.

In the meantime, Blizzard is encouraging everyone to update their passwords to be on the safe side and watch for Phishing attacks targeting the compromised email addresses. Updates to the two-factor authentication software and security questions will be rolled out in the coming days.

Advertisement. Scroll to continue reading.

“In the coming days, we’ll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we’ll prompt mobile authenticator users to update their authenticator software,” Blizzard CEO, Mike Morhaime, said in a letter to players.

“As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions.”

We’ve reached out to Blizzard for more information, and will update this article as we learn more. The company boasts millions of players, but has not said how many of them were impacted by the breach.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...