Virus.Org

It seems that Blizzard have had a data breach, during which customer information for Battle.net users in North America has been stolen. The information lost includes email addresses and the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators.

Blizzard

Blizzard president, CEO and co-founder Michael Morhaime penned a statement here to explain the issue. According to the statement no customer financial information has at this time been accessed (however, we all know as investigations continue this may change).

“At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.

Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.”

Blizzard also state they know that the stored password information was taken, however Blizzard use Secure Remote Password protocol (SRP) to store password information. SRP offers in-transit security (like SSL/TLS or Diffie-Hellman-Merkle) and at-rest security (like hashing-and-salting), so it should help reduce any risk of the raw password information falling into the wrong hands. That said Blizzard have recommended users change their password and if there has been any reuse of the passwords elsewhere that users change the passwordselsewhere too, as is good practice when dealing with this type of information loss.

As with everything, the information held by Blizzard is enough for them to verify a password and nothing is really a match for the brute force approach to guessing a password. So armed with the information stolen and time to burn anyone could set themselves up to brute force the account information. So anyone with a weak password would be at risk of their password being guessed.