Blizzard's Hacked; Company Recommends All Users Change Their Passwords

Thursday August 9, 2012 4:54 PM PDT by Jordan Golson
Blizzard Entertainment, the company behind Warcraft, Starcraft and Diablo, today informed customers that their internal security network had been breached.

The company doesn't believe that financial information has been compromised but other data including email addresses for all non-China players and scrambled passwords were taken. The company believes it will be extraordinarily difficult for hackers to break into actual accounts, but is recommending that all users change their passwords.

Blizzard does offer the Mobile Authenticator [App Store], an iPhone app that dynamically generates a new six-digit code every minute. Users can't log into any account -- either through a game or on a website -- without the code. It virtually eliminates unauthorized access to the account and it is recommended for all account holders.

Here is the letter from Blizzard CEO Mike Morhaime:
Players and Friends,

Even when you are in the business of fun, not every week ends up being fun. This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

At this time, we've found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to accounts.

We also know that cryptographically scrambled versions of passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. Please click this link to change your password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well.

In the coming days, we'll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we'll prompt mobile authenticator users to update their authenticator software. As a reminder, phishing emails will ask you for password or login information. Blizzard Entertainment emails will never ask for your password. We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here.

We take the security of your personal information very seriously, and we are truly sorry that this has happened.

Mike Morhaime
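To illustrate the letter's point that SRP stores a scrambled value and that each password would have to be worked on individually, here is an added example (not Blizzard's code and not part of the original article) of how an SRP verifier is derived from a per-user salt. It assumes the RFC 2945 / RFC 5054 construction with SHA-1 and the 1024-bit RFC 5054 group; the letter does not say which parameters Blizzard used, and the account names and passwords are constructed.

```python
import hashlib
import secrets

# 1024-bit group from RFC 5054 (assumed for illustration only; the letter
# does not state which group or hash function Blizzard used).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
G = 2


def private_key(user: str, password: str, salt: bytes) -> int:
    """x = H(salt | H(user ":" password)), the RFC 2945 definition."""
    inner = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")


def make_record(user: str, password: str, salt: bytes = None) -> dict:
    """What the server stores: user, random salt, verifier v = g^x mod N."""
    if salt is None:
        salt = secrets.token_bytes(16)
    x = private_key(user, password, salt)
    return {"user": user, "salt": salt, "verifier": pow(G, x, N)}


def guess_matches(record: dict, candidate: str) -> bool:
    """Testing one candidate costs a hash plus a modular exponentiation,
    and must be redone for every record because x depends on user and salt."""
    x = private_key(record["user"], candidate, record["salt"])
    return pow(G, x, N) == record["verifier"]


def demo() -> dict:
    # Constructed sample accounts sharing one password.
    alice = make_record("alice@example.com", "correct horse battery")
    bob = make_record("bob@example.com", "correct horse battery")
    return {
        "same_password_same_verifier": alice["verifier"] == bob["verifier"],
        "right_guess": guess_matches(alice, "correct horse battery"),
        "wrong_guess": guess_matches(alice, "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

The stored verifier never reveals the password directly and identical passwords produce unrelated records, but a guessed password can still be checked against a copied record, which is why changing a weak or reused password is the sensible precaution.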

Top Rated Comments

30 months ago
I haven't anything worth stealing. My loot is crap.
Rating: 16 Votes
30 months ago
Like I never thought about this.

But it's actually scary to leave electronic footprints with all the hacking going on these days.

Sony, Blizzard, and many many others.

I want a delete all button on the internet for my info
Rating: 10 Votes
30 months ago
One word: LOL
Rating: 9 Votes
30 months ago
And why do we always have to be "online" even when not doing anything multiplayer-related? Why doesn't Blizzard (or others such as Steam) explain that to us?

Ah, the good ol' days of true offline independence...
Rating: 9 Votes
30 months ago
Ouch, that's pretty bad news for a lot of people. I'm really happy I chose Computer Security and Forensics as my degree, hopefully I'll be able to contribute ways to prevent this sort of thing in the future, really can't wait =D
Rating: 8 Votes
30 months ago
Eat that, Blizzard, for not letting us play single Diablo III offline. What the heck with privacy these days?

If people want to cheat and exploit single player session, so be it. They shelled out $60 just for the purpose, remember? So, aren't they supposed to like ... own the game? :rolleyes:
Rating: 6 Votes
30 months ago

Password Changed...just in case.

Thanks for letting us know.
Rating: 5 Votes
30 months ago

You don't understand what a MMORPG is.

Sure, remove the Massively Multiplayer Online part and you're back with RPG ;)

You don't understand that Blizzard actually has 8 games on, not just World of Warcraft, and that the other 7 do have single player story lines.

(Diablo, Diablo 2, Diablo 3, Warcraft 2*, Warcraft 3, StarCraft, and StarCraft 2 are their 7 games that have both for online multiplayer as well as some form of single player mode. Only Diablo 3 and StarCraft 2 require an internet connection while playing in single player mode.)

*A re-release of the game, entitled " Edition" had the original did not.

As far as why Diablo 3 requires a constant internet connection, even when playing single player: it's to prevent cheating. Because you use the same characters/items both in single player and on, it's possible to indirectly cheat online by giving your character some crazy boosts in single player, and then taking him online in multiplayer. What's worse is they have the auction house, where real money is used in transactions. If you were permitted to cheat in single player, you could cause insanely good items to drop on your character, and then go online to the auction house and sell them for sad (stupidly high) amounts of money.

If someone could explain to me why StarCraft 2 requires a constant internet connection though, I'd appreciate that... other than achievements, nothing transfers with you from single player to multiplayer, does it? I don't know about custom games, I only ever play ladder.
Rating: 5 Votes
30 months ago
I have not received an email from them on this.
Rating: 3 Votes
30 months ago

For a couple of years I have been receiving e-mail from Blizzard telling me to update my account - although I do not have an account.

The IP address shows it came from Melbourne, Australia. Blizzard Entertainment is located in California.

It's a phishing email. I get them all the time. They are trying to steal your account.
Rating: 3 Votes