Thursday, August 9, 2012

The Great Battle.net Compromise

Blizzard has recently announced that their battle.net database, the database that holds all of their usernames and passwords for games such as World of Warcraft and Diablo, has been compromised:
Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts. We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password. 

What are the implications of this?


  1. Your battle.net ID/email address is now out there - not only does this put your account at more direct risk from a targeted attack, but if the email lists fall into the hands of the bad guys you are also much more likely to receive phishing emails.
  2. Your personal security questions/answers are out there - making a social engineering attack on your account, like the recently published attack on Apple, somewhat easier.  Blizzard have vowed to get us all to enter new security questions and answers shortly - let's hope they also advise their tech support teams to be especially vigilant in the meantime.
  3. It appears that the Mobile Authenticator serial numbers/seeds and account link information have been stolen - if this is the case then it is quite feasible that mobile authenticator codes could be generated and used for users with mobile authenticator accounts.  Authenticators rely on the account link info and serial numbers being kept secret in order to be effective - the algorithm for such schemes is often available in the public domain.  While this type of attack would require some level of sophistication, it is not out of the realm of possibility for modern-day hackers.

What should you do?


First and foremost, go and change your battle.net password.  Yes, the stolen passwords were hashed, but there are techniques for comparing how often identical hashes appear in a dump to work out which of them are more likely to be one of the commonly used passwords.  A "salted" password helps protect against this, but we don't know exactly what form Blizzard stores their passwords in (other than that they are "cryptographically scrambled").

Second, go buy a hardware authenticator.  The hardware authenticator serial numbers were reportedly not stolen and the technology is developed by a security vendor (Vasco) as opposed to the mobile authenticator app which was developed by Blizzard.  This is not to say the mobile authenticator is bad - it is certainly better than not having an authenticator at all, but the hardware authenticator is the best.  I certainly have one on my account!

Third, be particularly wary of phishing emails.  If your email is now in the hands of the bad guys then you will certainly get hammered with more of these. 

Lastly - don't stress too much.  Our good friends at Blizzard will restore accounts that have been compromised and given that raiding is currently in a quiet time, I am sure that your guild will forgive you.