Not the first, and certainly not the last, account security alert from a game company came yesterday from Blizzard. In short, their systems were significantly compromised sometime around Aug 4 2012, and while no credit card information, billing addresses, or real names were exposed, the basic message is that everyone needs to change their passwords and account information. Details here.
Honestly I think that this is a mess, and one that demonstrates a few points worth noting for organisations which have either a vocal population or sensitive information (yes, everyone):
- Anyone is vulnerable to a hack, even the monolithic software devs. Consider that the larger the company, the larger the revenue, and the larger the honeypot of information is that could be obtained. That makes Blizzard an exceedingly juicy target.
- Good tools and development principles can assist in protecting customers. The authenticator makes a big difference. The password storage mechanism inside the system/DB makes a huge difference.
- Telling customers the open truth will garner the best reaction. Following up with extra news and responses to questions will save the share price.
- Telling customers quickly is critical. If a customer finds out late, then the vendor is on the hook for every poor experience in the customer's mind from that point forward, however illogical they are.
- Always provide a plan of what to do next, and what is happening next.
It is not just that companies need good security (they do); they also need excellent protocols for security events. A gaffe in dealing with a security breach will hurt long after the actual systems are restored. The public has a long memory.
This means that while trying to patch the issue Blizzard are also considering the PR damage control. From my first review it appears that Blizzard took the honest path: they spoke clearly about what happened. I think I read elsewhere that they have also involved external consultants to help. Even bloody better. Nothing makes a systems or dev person stand up like having another techie review how you do things. In spite of the hack, it's good to see.
So go update your passwords, I’m not sharing a “password reset” link as I distrust any links like this that I don’t type out myself.
From the release: Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.
We also know that cryptographically scrambled versions of Battle.net passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.