Gaming company Blizzard has confirmed that hackers have stolen some account details of its users.
Blizzard – the makers of 'StarCraft', 'Diablo' and 'World of Warcraft' – announced on its website that its security team had found “unauthorized and illegal access” into its internal network.
“We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened,” the post by Blizzard’s co-founder Mike Morhaime said.
Morhaime, who apologised for the breach, said the company had found no evidence that financial details, billing addresses or real names were compromised. However, data including a list of email addresses for global Battle.net users outside of China was accessed.
For players on North American servers, the answer to the personal security question and information relating to mobile and dial-in authenticators were also accessed. However, based on what the company knew so far, this information was not enough for someone to gain access to Battle.net accounts, Morhaime said.
“We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken.”
Blizzard used the Secure Remote Password protocol, which was designed to make it “extremely difficult” to get the actual password, he said.
Blizzard recommended that players on North American servers, which generally included those from North America, Latin America, Australia, New Zealand, and Southeast Asia, change their passwords. The company would also be prompting players on North American services to change their secret questions and answers through an automated process.
Paul Ducklin, from security firm Sophos, said in a blog post that the breach was “painful but probably not too bad”. One of the silver linings was that Blizzard had stored and managed its authentication data sensibly, he said.