Battle.net suffered a massive security breach last Saturday, August 4, in which encrypted player passwords, a list of global email addresses, answers to personal security questions and Authenticator information were all swiped. Blizzard maintain that only North American passwords were accessed, that they're still cryptographically scrambled and that they're confident it would be "extremely difficult" to extract the actual passwords. Either way, if you're a Battle.net user you should change your password immediately, along with the passwords of any other accounts that might've shared that password. Mike Morhaime's issued a statement on the Blizzard website, and Blizzard have posted a security FAQ that Battle.net users should probably take a look at.
Here's exactly what was accessed:
- A list of email addresses for global Battle.net users outside of China
- The answer to the personal security question of players on North American servers
- Encrypted passwords of players on North American servers
- Information relating to Mobile and Dial-in Authenticators
Blizzard say that this information alone would not be enough for anyone to gain access to Battle.net accounts. The company learned of the unauthorised access to player details on August 4 and waited until August 9 to reveal the extent of the hacking. "Our first priority was to re-secure our network," they write, "and from there we worked simultaneously on the investigation and on informing our global player base. We wanted to strike a balance between speed and accuracy in our reporting and worked diligently to serve both equally important needs."
The statement from Blizzard also warns of follow-up phishing attempts from faked sources. WoW, Diablo and Starcraft players should all read the full post here, and maybe start thinking of some especially funky new passwords with strange letters and symbols in them.