Blizzard password breach not as bad as originally feared

News by Dan Raywood

Gaming company Blizzard has said that it uses the Secure Remote Password protocol (SRP) to protect passwords that were stolen last week.

Gaming company Blizzard has said that its uses the Secure Remote Password protocol (SRP) to protect passwords that were stolen last week.

The company behind World of Warcraft, StarCraft and Diablo admitted that its security team found an unauthorised and illegal access into its internal network and while there was no evidence that financial information such as credit cards, billing addresses or real names were compromised, a list of email addresses, the answer to the personal security question and information relating to Mobile and Dial-In Authenticators were also accessed.

Mike Morhaime, president and a co-founder of Blizzard, said in a blog post that the details were for, the account management and login service gamers use to play Blizzard games. The security questions and account authenticators were used by players on North American servers that also included players from the US and Canada and in Latin America, Australia, New Zealand and Southeast Asia.

However Morhaime also said that ‘cryptographically scrambled versions of passwords (not actual passwords)' for players on North American servers were also taken. He also said that as it uses SRP, it would make it extremely difficult to extract the actual password as each password would have to be deciphered individually.

Morhaime said that Blizzard will prompt users to change their passwords and secret questions, while mobile authenticator users will be encouraged to update their authenticator software.

“We deeply regret the inconvenience to all of you and understand you may have questions. Please find additional information here. We take the security of your personal information very seriously, and we are truly sorry that this has happened,” he said.

Writing on the blog for Mac security firm Intego, Lysa Myers said: “Blizzard did one thing very right in terms of protecting their users' passwords. The passwords were not simply ‘hashed', but also ‘salted'.

“Each of these alone does not represent a sufficiently significant hurdle to someone being able to bulk process the list and get the passwords out again, but by combining them, it makes it so someone would have to individually process each password, and at a good cost of time for each password.

“So while this doesn't mean the password list is useless, it does mean it's unlikely the breach of this list will cause much harm. It's still a good idea to change your security questions and password for Blizzard and any other site where you used the same question or password (and don't forget to choose a strong password).”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews