Hackers Raid Blizzard, Make Off With Answers to Secret Questions
Aug 11, 2012 5:00 AM PT
Hackers have hit Blizzard's Battle.net online gaming network, stealing users' email addresses, the answers to their personal security questions, and information relating to mobile and dial-in authenticators.
The intruders hit the company's North American servers, which support players in North America, Latin America, Australia, New Zealand and Southeast Asia.
Subscribers' credit card data, billing addresses and real names have apparently not been compromised, the "World of Warcraft" maker said. The combined data is not enough for anyone to gain access to Battle.net accounts, Blizzard contended.
However, the security breach could still be troublesome due to the exposure of email addresses, Philip Lieberman, president of Lieberman Software, told TechNewsWorld.
"Combined with disclosure of their personal security answers, you have a pretty bad situation for many users, especially if these same questions are used for activities such as banking," Lieberman elaborated.
The company has published warnings on its sites about the hack and apologized to users. It also said it is working with law enforcement.
Evil Is Upon Us
The hackers "could use the email addresses for spearphishing campaigns," Frank Artes, a research director at NSS Labs, told TechNewsWorld.
"Any time you can gather critical personal information, you gain the upper hand in performing a social engineering exercise to gain control of an account," Artes continued.
Fear My Moo of Fury
Blizzard has recommended that subscribers change their passwords for Battle.net. It also suggests users who employ the same or similar passwords as on their Battle.net accounts for other purposes change them as well.
Over the next few days, the company will prompt players on North American servers to change their secret questions and answers through an automated process.
"Blizzard users should change the answers to their personal security questions at all sites where they used the same question-and-answer pair," Randy Abrams, a research director at NSS Labs, told TechNewsWorld. Using the same answer to the same password reset questions at multiple sites is "almost exactly the same thing as using the same password again."
Blizzard will also prompt users of its mobile authenticator services to update their authenticator software.
The company reminded users that phishing emails will ask for their password or login information, and it pointed out that emails it sends will not ask for their passwords.
Why You Poking Me Again?
Blizzard's site was previously been hacked in May, and the company tightened up security in response.
However, "there is little that gamers or users of any other online service can do to prevent these attacks other than voting with their wallets to encourage online services to secure their data," Richard Wang, manager of SophosLabs U.S., told TechNewsWorld.
On the other hand, Blizzard's "is a massive network with very many portals and third-party interconnects, and its main purpose is to be used by the consumer market," NSS's Artes pointed out. "There is a balance between usability and lockdown that has to be maintained to keep it viable."
I Am Vigilant
Some questions were raised about why Blizzard announced the hack nearly a week after the attack was discovered.
However, "from [Blizzard's] announcement on the breach you see a lot of security maturity," NSS' Artes remarked.
Blizzard has a contingency and event plan "and have executed it," Artes continued. It "appears to have used encryption, not just a hash as others have, on the passwords."
The hackers obtained cryptographically scrambled versions of passwords rather than the actual passwords themselves.
Blizzard encrypted users' passwords using Secure Remote Pass Protocol. This protocol is resistant to dictionary by eavesdroppers and enables strong security using weak passwords.
Further, Blizzard "appears to have separated billing information from authentication and account data," which mitigates the damage from the breach, Artes stated. Finally, "they have notified customers and did it very clearly and quickly."
Blizzard did not respond to our request for further details.