Blizzard, the well-known publisher of hugely popular games such as World of Warcraft and Diablo 3, has suffered a breach. Before jumping back into the game (or, if you are a hardcore gamer, before doing anything else) you should log into the web page and change your Battle.net password. This week, Blizzard published a security update and warning outlining the effects of the breach and what information they believe was accessed.
Another interesting twist is that information relating to Blizzard's much-vaunted "Authenticators" was also taken by the attackers. These Authenticators are cryptographic one-time code generators, built into a keychain fob (or a mobile app) for players who want extra security, similar to RSA SecurID tokens, and they provide a form of two-factor authentication.
The gist of the hack is that no financial information was accessed, but usernames, e-mail addresses, security question answers, and cryptographically protected passwords for some users were compromised:
At this time, we've found no evidence that financial information such as credit cards, billing addresses, or real names was compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.
Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.
We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken.
The takeaway from this breach is that everyone who logs into a Blizzard game via a North American server should log in right now and change their password.
Sometime this week the game will probably prompt users to change their passwords, and potentially their security questions as well. Security questions are simple (often your first pet or your mother's maiden name), but I would urge users to follow Bruce Schneier's advice about them and not answer honestly: security questions serve a legitimate purpose, but the answers are too easily socially engineered. Your first pet, your mother's maiden name, or your first school can easily be sussed out by an attacker with access to your social media if you have ever mentioned the subject.
If you’d like to know more about the hack and what Blizzard says you can do to protect yourself, read up on the “Important Security Update FAQ” on Blizzard’s battle.net support site.
High-value targets: MMO players with poor passwords are low-hanging fruit
This comes after rumors circulating in May that Diablo 3 accounts were being hacked, but it appears to bear no relation to that episode in Blizzard's history.
Video games and their players are high-value targets for hackers because in many established MMO game worlds the in-game currency (called gold) is highly valuable on the resale market. This is amplified by the fact that Diablo 3 has a real-money auction house where virtual goods earned in the game can be bought and sold for real money. Hacking World of Warcraft accounts and liquidating them for their gold has been a problem ever since the game launched in 2004.
As a result, once those cryptographically protected passwords are cracked by the hackers, the accounts behind them will become a very lucrative commodity on the gold black market.