BreachExchange mailing list archives

Blizzard Compromise


From: security curmudgeon <jericho () attrition org>
Date: Thu, 9 Aug 2012 19:34:02 -0500 (CDT)


http://us.blizzard.com/en-us/securityupdate.html


Important Security Update

Players and Friends,

Even when you are in the business of fun, not every week ends up being 
fun. This week, our security team found an unauthorized and illegal access 
into our internal network here at Blizzard. We quickly took steps to close 
off this access and began working with law enforcement and security 
experts to investigate what happened.

At this time, we've found no evidence that financial information such as 
credit cards, billing addresses, or real names were compromised. Our 
investigation is ongoing, but so far nothing suggests that these pieces of 
information have been accessed.

Some data was illegally accessed, including a list of email addresses for 
global Battle.net users, outside of China. For players on North American 
servers (which generally includes players from North America, Latin 
America, Australia, New Zealand, and Southeast Asia) the answer to the 
personal security question, and information relating to Mobile and Dial-In 
Authenticators were also accessed. Based on what we currently know, this 
information alone is NOT enough for anyone to gain access to Battle.net 
accounts.

We also know that cryptographically scrambled versions of Battle.net 
passwords (not actual passwords) for players on North American servers 
were taken. We use Secure Remote Password protocol (SRP) to protect these 
passwords, which is designed to make it extremely difficult to extract the 
actual password, and also means that each password would have to be 
deciphered individually. As a precaution, however, we recommend that 
players on North American servers change their password. Please click this 
link to change your password. Moreover, if you have used the same or 
similar passwords for other purposes, you may want to consider changing 
those passwords as well.

In the coming days, we'll be prompting players on North American servers 
to change their secret questions and answers through an automated process. 
Additionally, we'll prompt mobile authenticator users to update their 
authenticator software. As a reminder, phishing emails will ask you for 
password or login information. Blizzard Entertainment emails will never 
ask for your password. We deeply regret the inconvenience to all of you 
and understand you may have questions. Please find additional information 
here.

We take the security of your personal information very seriously, and we 
are truly sorry that this has happened.

Sincerely,
Mike Morhaime

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
