
Blizzard Email Relating To Security Breach Last Year.

Silverrune

Just got an email from Blizzard and they are telling me information regarding my Email, an encrypted version of my password, and information related to my mobile authenticator might have been hacked.

 

 

Hello,

 

As you might be aware, last year on August 4, 2012, Blizzard’s internal security team discovered an unauthorized and illegal access into Blizzard’s internal network. Blizzard promptly launched an investigation to determine the scope of the unauthorized access and notified players of this incident on August 9, 2012 by placing a notification on its website located at www.blizzard.com and related posts linking to the full notification on each of Blizzard’s community websites—www.worldofwarcaft.com, www.starcraft2.com, and www.diablo3.com.

 

The following information was involved in the incident:

 

  1. Email addresses (user ID);
  2. Answers to secret security questions (no personally identifiable information involved);
  3. Cryptographically scrambled versions of Battle.net passwords (not actual passwords) which are protected by Secure Remote Password protocol; and
  4. Information associated with the Mobile Authenticator.

 

Our investigation has revealed that you had an active account with Blizzard at the relevant time and, in accordance with local regulations, we are providing you with this direct notice of this incident in addition to the notice we previously provided.

 

Based on an extensive investigation into this incident, Blizzard has no evidence that the information that was accessed has been misused. Further, we have found no evidence that actual passwords or financial information, such as credit cards, billing addresses, or real names, were compromised.

 

To help protect Battle.net passwords, we use Secure Remote Password protocol (SRP), which is designed to make it extremely difficult to extract the actual password. This also means that each password would have to be deciphered individually. As a precaution, however, we recommended at the time that you change your password. Please note that we advise players to change their Battle.net passwords regularly as a standard security measure. You can do so anytime by logging in to your account at www.battle.net and visiting the Account section. We also strongly advise players to use different passwords for different services. You can find further information on measures you can take to secure your computer and Battle.net account at www.battle.net/security.

 

As a further precaution at the time of the incident, specifically starting on August 15, 2012, players were prompted upon logging in to Battle.net to select a new secret question to be associated with their account and supply an answer. In addition, we reset players’ Mobile Authenticators (for those players who had one attached to their Battle.net accounts), requiring players to reattach their Mobile Authenticators in order to use them. Please note that we encourage all players to attach an Authenticator to their account for the added layer of protection that it provides. Details on how to add a digital Mobile Authenticator or physical keychain Authenticator to your account are also available at www.battle.net/security.

 

 

We take the security of your information very seriously. If you have any questions regarding this incident, please email us at privacy@.com. We want to again say that we regret any inconvenience this incident may have caused you, and we’re fully committed to ensuring you have the best experiences with our games and services.

 

Sincerely,

 

Blizzard Entertainment

This really sucks... Also is probably old news, but why now?


The most dangerous there is the answers to secret questions IMO, very likely to be re-used elsewhere by a lot of people, I know it says no personal info involved but if the email address was captured that is again likely to be re-used elsewhere.


The most dangerous there is the answers to secret questions IMO, very likely to be re-used elsewhere by a lot of people, I know it says no personal info involved but if the email address was captured that is again likely to be re-used elsewhere.

It is quite scary to know that this information is (or most likely is) out there and the users have no clue what the information is being used for. Users would never really have any idea of how bad their situation is until they get locked out of their email addresses etc.
