
Hackers Raid Blizzard, Make Off With Answers to Secret Questions

By Richard Adhikari
Aug 11, 2012 5:00 AM PT

Hackers have hit Blizzard's online gaming network, stealing users' email addresses, the answers to their personal security questions, and information relating to mobile and dial-in authenticators.


The intruders hit the company's North American servers, which support players in North America, Latin America, Australia, New Zealand and Southeast Asia.

Subscribers' credit card data, billing addresses and real names have apparently not been compromised, the "World of Warcraft" maker said. The combined data is not enough for anyone to gain access to accounts, Blizzard contended.

However, the security breach could still be troublesome due to the exposure of email addresses, Philip Lieberman, president of Lieberman Software, told TechNewsWorld.

"Combined with disclosure of their personal security answers, you have a pretty bad situation for many users, especially if these same questions are used for activities such as banking," Lieberman elaborated.

The company has published warnings on its sites about the hack and apologized to users. It also said it is working with law enforcement.

Evil Is Upon Us

The hackers "could use the email addresses for spearphishing campaigns," Frank Artes, a research director at NSS Labs, told TechNewsWorld.

"Any time you can gather critical personal information, you gain the upper hand in performing a social engineering exercise to gain control of an account," Artes continued.

Fear My Moo of Fury

Blizzard has recommended that subscribers change their passwords for its online gaming network. It also suggests that users who use the same or similar passwords for other accounts change those as well.

Over the next few days, the company will prompt players on North American servers to change their secret questions and answers through an automated process.

"Blizzard users should change the answers to their personal security questions at all sites where they used the same question-and-answer pair," Randy Abrams, a research director at NSS Labs, told TechNewsWorld. Using the same answer to the same password reset questions at multiple sites is "almost exactly the same thing as using the same password again."

Blizzard will also prompt users of its mobile authenticator services to update their authenticator software.

The company reminded users that phishing emails will ask for their password or login information, and it pointed out that emails it sends will not ask for their passwords.

Why You Poking Me Again?

Blizzard's site was previously hacked in May, and the company tightened up security in response.

However, "there is little that gamers or users of any other online service can do to prevent these attacks other than voting with their wallets to encourage online services to secure their data," Richard Wang, manager of SophosLabs U.S., told TechNewsWorld.

On the other hand, Blizzard's "is a massive network with very many portals and third-party interconnects, and its main purpose is to be used by the consumer market," NSS's Artes pointed out. "There is a balance between usability and lockdown that has to be maintained to keep it viable."

I Am Vigilant

Some questions were raised about why Blizzard announced the hack nearly a week after the attack was discovered.

However, "from [Blizzard's] announcement on the breach you see a lot of security maturity," NSS' Artes remarked.

Blizzard has a contingency and event plan "and have executed it," Artes continued. It "appears to have used encryption, not just a hash as others have, on the passwords."

The hackers obtained cryptographically scrambled versions of passwords rather than the actual passwords themselves.

Blizzard encrypted users' passwords using the Secure Remote Password (SRP) protocol. This protocol is resistant to dictionary attacks by eavesdroppers and is designed to provide strong security even when the passwords themselves are weak.
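To make the SRP claim concrete, the following is an added Python sketch of one SRP-6a run, not Blizzard's code or the article's; the toy-sized group, the user name and the password are constructed for illustration. It shows that the server stores only a salt and a verifier, that the values crossing the wire (A and B) let both sides agree on a key without the password or its hash ever being sent, and, in the comments, what a stolen verifier does and does not give an attacker.

```python
import hashlib
import secrets

# Toy safe-prime group (N = 2*1013 + 1 with generator g = 2), chosen so the
# numbers fit on screen; a real deployment uses the 2048-bit or larger
# groups from RFC 5054 and compares the final proofs in constant time.
N = 2027
G = 2

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

K_MULT = H(to_bytes(N), to_bytes(G)) % N  # SRP-6a multiplier k = H(N || g)

def private_x(salt: bytes, username: str, password: str) -> int:
    # x = H(salt || H(username ":" password)); exists only in client memory
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)

def register(username: str, password: str, salt: bytes = b"") -> tuple:
    """Enrolment: the server keeps (salt, verifier = g^x mod N), never the password.
    Note: a stolen verifier still permits offline guessing of a weak password, just
    like a salted hash; SRP's dictionary-attack resistance is against eavesdroppers."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(G, private_x(salt, username, password), N)

def authenticate(username: str, password: str, salt: bytes, verifier: int) -> tuple:
    """One SRP-6a run; returns (client_key, server_key) so a caller can compare them."""
    a = secrets.randbelow(N - 2) + 1            # client ephemeral secret
    A = pow(G, a, N)                            # client -> server (visible on the wire)
    if A % N == 0:
        raise ValueError("invalid client value")  # mandatory SRP-6a abort check
    while True:                                 # server ephemeral; retry if B mod N == 0
        b = secrets.randbelow(N - 2) + 1
        B = (K_MULT * verifier + pow(G, b, N)) % N  # server -> client (visible on the wire)
        if B:
            break
    u = H(to_bytes(A), to_bytes(B))             # scrambling parameter from the transcript
    if u == 0:
        raise ValueError("u must not be zero")
    # Client side: recomputes x from the password it knows; x is never transmitted.
    x = private_x(salt, username, password)
    S_client = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)
    # Server side: uses only the stored verifier, so it never learns x or the password.
    S_server = pow(A * pow(verifier, u, N), b, N)
    return H(to_bytes(S_client)), H(to_bytes(S_server))
```

With the correct password both keys match; with a wrong password the client's key differs, and an eavesdropper who recorded A and B has nothing to test candidate passwords against.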

Further, Blizzard "appears to have separated billing information from authentication and account data," which mitigates the damage from the breach, Artes stated. Finally, "they have notified customers and did it very clearly and quickly."

Blizzard did not respond to our request for further details.
