Diablo developer Blizzard has warned gamers that their personal information may have been leaked, after the company was the target of a network hack. No financial information is believed to have been stolen, Blizzard said in a statement on the data breach, but some email addresses, personal security question answers, and authentication details for some types of connections were all extracted before the unauthorized access was blocked.
The investigation is still ongoing, Blizzard concedes, but so far has found "no evidence that financial information such as credit cards, billing addresses, or real names were compromised." What did get poached were cryptographically scrambled versions of Battle.net passwords for those on North American servers, which includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia.
"We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password ... Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well," Blizzard said.
According to an FAQ on the breach, the most likely result is that users could see an uptick in phishing emails as the list of addresses is worked through. Only China-based accounts are unaffected; all accounts outside of the country saw email addresses leaked, and those on the North American servers had the most data leaked:
- Email addresses
- Answers to secret security questions
- Cryptographically scrambled versions of passwords (not actual passwords)
- Information associated with the Mobile Authenticator
- Information associated with the Dial-in Authenticator
- Information associated with Phone Lock, a security system associated with Taiwan accounts only
Blizzard will be automatically prompting those on North American servers to change secret questions and matched answers in the coming days, while those using the mobile authenticator will get an update. Although actual passwords have not been leaked, it's perhaps advisable to change those too.
The attack was first identified on August 4, Blizzard said, with the company then working "to re-secure our network" before proceeding "simultaneously on the investigation and on informing our global player base." Blizzard is working with law-enforcement agencies and security experts to investigate the potential hackers and look at further securing systems to avoid repeats of the breach in future.