Blizzard hacked, warns users to change passwords

Blizzard Entertainment has revealed that it was hacked earlier this week, losing information that could undermine its mobile-based two-factor authentication system.

Blizzard Entertainment has fallen victim to a security breach and is warning customers to change their passwords.

In a statement issued by Blizzard's president and co-founder Michael Morhaime, the company said that it had discovered an "unauthorised and illegal access" into its internal network earlier this week, on 4 August, affecting accounts. So far, the company has found no evidence that financial or billing information was stolen, although it has confirmed that some data from its servers that was illegally accessed has some security implications.

For North American-based accounts, which will include players from Latin America, Australia, New Zealand and Southeast Asia, the attackers were able to access email addresses, answers to security questions, "cryptographically scrambled versions of passwords", information related to Blizzard's mobile and dial-in authenticators, and the Taiwanese phone lock security system.

Accounts located outside of China, including Europe and Russia, only had email addresses exposed. Chinese-based accounts were unaffected.

The company has stated that the mobile authenticator information has the potential to undermine the company's two-factor authentication scheme. Mobile authenticator works as a software-based two-factor authentication token, displaying a time-based code that players must enter during log-in, if they have opted into the additional security.

Despite the possibility that the authenticator's security may have been undermined, the company is not immediately revoking mobile authenticators as, even if they are flawed, they are an additional security measure and, by themselves, cannot be used to compromise customer accounts.

Blizzard is currently working to deploy new authenticator software, however, it has no timeframe for when this will be made available.

The scrambled passwords themselves are a result of Blizzard's use of the Secure Remote Password protocol, which involves both adding a salt and hashing the user's password. Implemented correctly, passwords are not even known to Blizzard, cannot be stolen and are extremely difficult to look up using rainbow tables.

Blizzard took five days until it announced that it had been breached; it said this was due to its need to, first, re-secure its network and simultaneously conduct an investigation, so that it had enough information to accurately inform its customers. Blizzard has since been able to close the method of entry that attackers had used, but it has not elaborated on how they gained access.

Blizzard is recommending that customers using North American servers change their passwords immediately. The company also said that it would be prompting users to change their secret questions and answers in the next few days.

So far, Blizzard has not seen any evidence that the stolen information has been shared or abused in the wild, however, it recommends all users continue to monitor their accounts and be wary of phishing attempts due to email addresses being exposed.

Morhaime apologised for the breach, stating "we take the security of your personal information very seriously, and we are truly sorry that this has happened".

Users are able to change their password online, and Blizzard has also put together a frequently asked questions page on its website regarding the incident.