Blizzard's Network Breached, Australian Emails Accessed

We've just received word from Blizzard locally that Battle.net has been compromised, with some account details from all regions -- including Australia -- being accessed. At this stage it seems that no financial information was accessed, and that only email addresses associated with Battle.net accounts, and some cryptographically scrambled versions of passwords, were accessed.

"Even when you are in the business of fun, not every week ends up being fun," began a statement posted on Blizzard's official website. "This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.

"At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

"Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts."

The access to emails occurred throughout the whole network, but Blizzard believes that the additional information (which includes the cryptographically scrambled passwords -- not actual passwords) was limited to players using the North American servers. If you're an Australian player who uses these servers, Blizzard is recommending that you change your password, which you can do from this link here.

Blizzard said the system it uses to protect passwords is secure, and that the password change should be thought of as a precaution.

"We use Secure Remote Password protocol (SRP) to protect these passwords," said the statement, "which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually."
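The "deciphered individually" property Blizzard refers to comes from the per-user salt (and identity) folded into each SRP verifier: the server never stores the password, only a salt and v = g^x mod N, and testing a candidate against one record cannot be reused against another. The following is an added example of the RFC 5054 verifier derivation and not Blizzard's implementation (whose group, hash and parameters the page does not state); it uses the RFC's 1024-bit group, SHA-256 in place of the RFC's SHA-1, and constructed usernames, passwords and salts:

```python
# Added illustration of how an SRP server stores a password (RFC 5054 style);
# not Blizzard's code. Names, passwords and salts here are constructed.
import hashlib, os, random

# 1024-bit safe-prime group from RFC 5054 Appendix A, generator 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def is_probable_prime(n, rounds=8):  # Miller-Rabin; sanity-checks the group
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (random.randrange(2, n - 1) for _ in range(rounds)):
        x = pow(a, d, n)
        if x not in (1, n - 1) and not any(pow(a, d << i, n) == n - 1 for i in range(1, r)):
            return False
    return True

def group_is_safe_prime():  # SRP requires N = 2q + 1 with q prime
    return is_probable_prime(N) and is_probable_prime((N - 1) // 2)

def srp_x(salt, username, password):
    """RFC 5054 derives x = H(s | H(I ":" P)); SHA-1 there, SHA-256 here."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(hashlib.sha256(salt + inner).digest(), "big")

def enroll(username, password):
    """Server-side record: a random salt and the verifier v = g^x mod N."""
    salt = os.urandom(16)
    return salt, pow(g, srp_x(salt, username, password), N)

def check_guess(record, username, guess):
    """One candidate against ONE record: needs that salt and a fresh exponentiation."""
    salt, v = record
    return pow(g, srp_x(salt, username, guess), N) == v

def demo(password="correct horse battery staple"):
    alice, alice_again, bob = (enroll("alice", password), enroll("alice", password),
                               enroll("bob", password))
    return {"resalt_changes_verifier": alice[1] != alice_again[1],
            "same_password_differs_per_user": alice[1] != bob[1],
            "right_guess": check_guess(alice, "alice", password),
            "wrong_guess": check_guess(alice, "alice", "Tr0ub4dor&3")}
```

Because every record carries its own salt, a precomputed table of verifiers for common passwords is useless, which is why a leak of this material still warrants a password change but is far less damaging than leaked plaintext or unsalted hashes.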

Still, in these situations it pays to play it safe. If you play on any of Blizzard's North American servers, it's probably best to change your password immediately.


Comments

    Scary huh - all of the big players have been hacked now isn't it? or am I missing a few?

    Go straight to battle.net and change your password. Don't click the link - never click the link, even if Kotaku is probably safe, it's a bad habit to get into.

    Obligatory XKCD on secure passwords:
    http://xkcd.com/936/

    Long password is better than a complex password. If a hacker gets hold of the hashed password, anything 8 characters or less can be easily broken with a rainbow table. The more characters, the harder it will be to break, assuming a quality hash and not something like MD5.

      Additionally, everyone should enable 2-step authentication on b.net and email accounts.

      Infuriatingly, so many places still have a max limit on passwords. eg the Commonwealth Bank's Netbank password is max 12 characters. I discovered this when my old 13-character password didn't work until I counted the number of *s that were being shown. raaaaage

    Done. People who do this kind of crap should get a life.

    Wow. To me, this really puts Sony's response into perspective. Horrible, ugly perspective.
    Blizzard have handled this incredibly well - they have informed what information has been accessed, who is likely affected, and make a show of being confident that the hole has been plugged and authorities have been consulted.

      Although it can be said that it's most likely due to the response that Sony got that other companies have started being a little more transparent. It is entirely possible that had Sony not been hacked, Blizzard would have provided an entirely different and more vague response.

        Indeed. A wake up call.

      It still took 4 days for them to inform people, and can't guarantee that no personal or billing data was accessed.

      Not being able to find any evidence is not the same as knowing something hasn't happened.

    A long time ago, people would do this sort of thing to make companies improve their security. How that was a beautiful time, they didn't steal just proved you aren't safe so increase your security

    Times like these I'm extremely glad of the extra effort I take to never use the same password at multiple places.

    This shit is starting to get old...Linkedin, Bigpond, Valve/Steam, Sony, Battlefield Heroes, I've lost count of how many times I've had to go through a massive list of accounts and amend things due to shit like this, including changing entire email addresses zzz

      It's best to keep a variety of passwords. Having a single password across multiple accounts is a bad idea, for reasons you've just specified.

      Even if you stick to a blanket protocol for passwords (eg: banking password = bankeffektd, blizzard password = battleeffektd) it ensures different passwords, while remaining memorable.

        Yeah. I find figuring out a formula for password generation and then adding a random element to it works well (provided it's not simple enough to see a pattern). The only problem is I encounter a different set of password rules for everything I do. The stronger the password the less likely it'll work on any given system.

    Wtf, my most secure, favourite, etc password, that I have had to change in years and now i have to change it, FUARRKK >_

    I haven't logged into my b.net account for a long time, my authenticator battery is dead and I've been getting spam emails from people because my D3 account has been compromised since it came out.
    I haven't played D3 on my account, ever. For some reason this doesn't faze me as much as it should.

    maybe that explains how I got 70 e-mails from blizzard saying my account was compromised?

    Well even though I have an authenticator & SMS notification on my bnet account, I think I'll just change the password anyway, maybe my email too..

    Erm mer gerd. ther clerd

    So Blizzard had to call in security experts to investigate what happened. This implies the Blizzard security team are not experts. I'm willing to assume that the 'unauthorised and illegal' access has been going on for a while on account of the Blizzard security team being a bunch of banana eating monkeys.

      Calling in specialists isn't abnormal. There's a big gap between day-to-day security and 'holy crap we just had someone ram the door in and potentially take everything' security, especially when day-to-day security still has their normal job to do.

    oh crud just got blue set on my night elf female warrior, hit silver league in starcraft and up to nightmare in d3. Hope my life is safe

    Great now I gotta try and remember my Battlenet password so I can change it. Bloody FWP's

    Real money auction house seemed to attract the wrong kind of attention huh Blizzard?
    Didn't see that one coming at all....noooo.....

    Arenanet wins

    Don't care, my financial details that are under battle.net are all expired details, and I sort of gave up on Blizzard now, will still properly change the password but meh

    they got my real name, been getting spam addressed to me bout free mounts and such
