Blizzard hacked for real this time -- change your passwords NOW!
In May we read that game maker Blizzard, developer of a series of popular games including World of Warcraft, Diablo III and Starcraft, was hacked, but that turned out to just be individual compromised accounts from some of its users. Now we read, from Blizzard itself rather than a third party, that they have been hacked and information compromised on their networks. So how are they doing with the breach?
"This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard", the company says. So did they respond well? It seems they got the jump on things and responded quickly, a smart move: "We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened."
Next they were specific with what classes of data were, and weren’t compromised, another smart move: "Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China". Interesting data point: China users seemed to be exempt. Also they note: "We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken".
But what steps were in place to slow down or stymie would-be hackers? Blizzard continues: "We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually".
And Blizzard took precautions notifying their userbase: "As a precaution, however, we recommend that players on North American servers change their password". Blizzard includes a link to do so, which is helpful. They also suggest changing other passwords you may have used which are similar on other websites, which is a good idea.
While the exact details of the method of breaching their systems still remain to be investigated, it seems they are keeping their users well-informed and provide helpful recommendations, a step in the right direction. While no one wants to be on the receiving side of a breach, importantly, Blizzard pushes information out to the users from the source though a FAQ here, which is proactive. A lot of consumer-facing websites could learn from the things Blizzard is doing right.
If you are a Blizzard user, my colleague David Harley identifies passwords to avoid. Go for a new password that is long (over 8 characters) and hard to guess (not based on things other people might know about you) and use a mixture of upper- and lower-case letters with numbers and punctuation characters if allowed (KerAZg3nes!).
Reprinted with permission
Cameron Camp is a researcher for global security provider ESET and has played a critical role in building the ESET North America Research Lab. Cameron has been building critical technology infrastructures for more than 20 years, beginning as an assembly language programmer in 1987 and eventually becoming an evangelist for Linux and open-source technologies with an emphasis on the security sector. Prior to joining ESET, he founded Logical Web Host in 1998, a data-driven web services company.