Blizzard Entertainment, the online gaming company behind "World of Warcraft," "Starcraft" and "Diablo," is the latest big firm to fall victim to a data breach.
"This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard," wrote Blizzard president and co-founder Mike Morhaime in a posting on the company website last night (Aug. 9). "We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened."
The breach took place on the Battle.net servers, the overall authentication portal for online Blizzard games, on Aug. 4.
"At this time, we’ve found no evidence that financial information such as credit cards, billing addresses or real names were compromised," Morhaime said. "Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China."
Morhaime's note did not mention how many individuals were affected, but the number is likely to be in the millions. "World of Warcraft" alone has 9.1 million paying subscribers, and "Starcraft" is extremely popular in parts of East Asia.
"For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed," Morhaime added. "Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts."
Encrypted passwords for users on North American servers were also taken, but unlike some other companies that were recently breached, Blizzard used a very strong password-encryption algorithm called the Secure Remote Password protocol.
"[SRP] is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually," wrote Morhaime.
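To show what "deciphered individually" means in practice, here is an added example (not Blizzard's code) of how SRP-6a stores and uses a password: the server keeps only a per-account random salt and a verifier v = g^x mod N, never the password, so a stolen verifier table offers no shortcut across accounts. Assumptions: SHA-256 as the hash, the 1024-bit group from RFC 5054 with generator 2 (constant reproduced from memory), and the usernames "alice"/"bob" as constructed sample accounts.

```python
import hashlib
import secrets

# SRP-6a group: RFC 5054 1024-bit prime, generator 2 (constant reproduced
# from memory; the algebra below holds for any safe prime).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def pad(x: int) -> bytes:
    return x.to_bytes(N_LEN, "big")

def private_key(salt: bytes, username: str, password: str) -> int:
    """x = H(s | H(I ':' P)): the only place the password itself is used."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)

def make_verifier(username: str, password: str) -> tuple[bytes, int]:
    """What the server stores: a random salt and v = g^x mod N, not the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(salt, username, password), N)

def srp_session(username: str, password: str, salt: bytes, v: int) -> tuple[int, int]:
    """One SRP-6a exchange; returns (client_secret, server_secret), equal only if
    the client's password matches the verifier the server holds."""
    k = H(pad(N), pad(g))
    a, b = secrets.randbelow(N), secrets.randbelow(N)
    A = pow(g, a, N)                        # client -> server
    B = (k * v + pow(g, b, N)) % N          # server -> client
    u = H(pad(A), pad(B))
    x = private_key(salt, username, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    return S_client, S_server

def verifier_is_per_user(password: str) -> bool:
    """Two accounts with the same password get different verifiers because the
    salts differ, so a leaked table must be guessed one account at a time."""
    _, v1 = make_verifier("alice", password)   # constructed sample account
    _, v2 = make_verifier("bob", password)     # constructed sample account
    return v1 != v2
```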
Nevertheless, Morhaime recommends that all Blizzard players who used the North American servers change their passwords — he provided a link — and their personal security questions. (Anyone who used the same email address, password and security question on any other sites ought to change them on those sites as well.)
Morhaime provided a link to the password-reset page and to a list of frequently asked questions about the breach, and closed with a reminder to watch for criminals who would seek to exploit the news of the data breach.
"As a reminder, phishing emails will ask you for password or login information," Morhaime wrote. "Blizzard Entertainment emails will never ask for your password."