Blizzard has confirmed a security breach compromised a large amount of user account data for Battle.net gamers. Blizzard is warning players on North American servers (including players from North America, Latin America, Australia, New Zealand, and Southeast Asia) that hackers have nabbed user e-mail addresses, answers to security questions, a database of “cryptographically scrambled” passwords, and as sensitive data related to dial-in and smartphone app-based two-factor authentication.
Blizzard says the purloined information alone isn’t enough to crack into accounts. The scrambled passwords, for example, were protected by the Secure Remote Password (SRP) protocol, a key-based authentication system. The company says anyone trying to crack the passwords would have to decipher the passcodes one by one.
Nevertheless, Battle.net gamers are being advised to change their passwords, as well as take a number of other security measures. If you’re a Battle.net gamer, here’s what you need to know about securing your account and what to expect from Blizzard in the coming days.
Change Your Password
Blizzard is recommending that all Battle.net users change their account passwords.
You can do that by clicking here. Or, log into Battle.net and click on the “Account” link at the top of the page. On the next page click “Settings” and select “Change Password” from the drop-down menu.
Expect a Security Question Change
Blizzard does not yet have a mechanism in place to let you change your security question, a measure for account recovery and identity verification, which is a real bummer considering hackers have your answers. But the company says it is working to create a feature that will let you change your question through the account management site. Once the new measure is active, you will be automatically prompted to change your security question.
Blizzard said it didn’t immediately revoke users’ security questions because it believes “keeping the secret questions and answers in place still provides a layer of security against unauthorized users who don't have access to the compromised data.” The problem, however, is that some bad guys do have access to your security question answers. Color me unimpressed.
Two-Factor Authentication App Update Due
It’s not clear what kind of information was stolen, but sensitive data relating to Blizzard’s free two-factor authentication smartphone app, Battle.net Mobile Authenticator, was also compromised. Blizzard says the data “could potentially compromise the integrity of North American Mobile Authenticators.” Blizzard also says hashed phone numbers were compromised for users of Dial-in Authenticator, a service that is no longer available to new users.
Mobile Authenticator users should be on the lookout for an update to the mobile app. It’s not clear whether Blizzard has any plans to deal with compromised data for dial-in authentication users.
Enable Two-Factor Authentication (Eventually)
Yes, potentially damaging information was stolen for Blizzard’s two-factor authentication system, but in the long run it’s still more secure to use a two-factor log-in system. By using two-factor authentication you are creating one more hurdle for hackers to get past, and most of the time this will make it much harder to compromise your account. But users might be wise to wait to enable this feature until Blizzard releases its software update.
Blizzard offers Battle.net users two-factor authentication through a $6.50 keychain attachment that supplies a log-in code or the Mobile Authenticator app. You can buy the physical authenticator directly from Blizzard. Battle.net Mobile Authenticator is available for iOS, Android, Windows Phone 7, and BlackBerry.
Consider SMS Protect
Blizzard offers another security option called SMS Protect that will send a text to your mobile phone if suspicious account activity is detected or any significant changes are made such as password changes. You can also use SMS Protect to unlock your Battle.net account, remove an authenticator, recover your account name, and reset your password.
Review Your E-Mail Security
The recent hack that tore apart the digital life of Wired reporter Mat Honan reminds us that compromised accounts can often snowball across connected services. So you should review the security surrounding the e-mail address for your Battle.net account.
First, you should make sure the password for your e-mail address isn’t the same as your Battle.net password. If it is, you should change it immediately. For password creation tips check out “Password Management: Idiot-Proof Tips” and “Google Offers Advice on Secure Passwords.” A password manager such as KeePass, LastPass, or 1Password can also save you if you forget your new e-mail password.
Second, you should check to see that your e-mail account’s recovery options are up to date, including any security questions and alternate e-mail addresses. Honan lost control of his digital life after hackers were able to access the back-up e-mail address for his Gmail account. Hackers already know the e-mail address connected to your Battle.net account, so be wary of attempts to break into your e-mail via account recovery options.
Finally, if your e-mail provider offers it, you should also enable two-factor authentication for added protection.
Watch Out For Phishing E-mail
Blizzard is advising its users to watch out for e-mail purporting to come from Blizzard in an attempt to steal your account credentials. Blizzard says it will never ask for your password or log-in information via e-mail.