Change Your Passwords (Again): Battle.net Breached
I, like many of the highly evolved, vaguely human terminal cyborgs that we otherwise refer to as "Internet users," perhaps somewhat unwisely use the same few passwords for, well, a lot of things. But damn it, I crafted those passwords. I didn't use wars or stars, but they're mine - forged through years of slight tweaks and realizations that my birthday and number sequences I'd learned in pre-school, in fact, presented sort of crackable codes. So I really wish videogame companies would stop losing track of them. But alas, it keeps happening. The most recent victim? Blizzard. Fortunately, it sounds like our most important info (credit card, address, real name, etc) is still safe and sound, but you'll probably want to toss your password masterworks and start anew all the same. Same with mobile Authenticators - which Blizzard notes "could potentially" be compromised. Ruh-roh.
Blizzard put up a statement on its website admitting to a breach of Battle.net this week. Here are the key bits:
"This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened. At this time, we’ve found no evidence that financial information such as credit cards, billing addresses, or real names were compromised. Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed."
"Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts."
Scrambled passwords, meanwhile, were also snatched from North American servers, but Blizzard notes that "We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually."
Regardless, CHANGE YOUR PASSWORD AND SECRET QUESTION ASAP. Blizzard, at least, will be taking care of the latter via an "automated process" in the coming days. There will also be an update for mobile Authenticator software very soon. If you're not clear about anything, there's also a detailed FAQ.
So then, it's a pain, but odds are, most of you will remain unaffected. I'd be remiss, however, if I didn't point out that this is yet another crack in the paper-and-ash armor of Blizzard's online requirement - at least, when it comes to series that used to be playable entirely offline like Diablo. Yes, I'm beating a dead horse and then spending hundreds of hours farming it for more loot while complaining about a lack of endgame, but it needs to be said all the same. Believe me: no one (except maybe the hackers) is happy about this, but I imagine people who just wanted a single-player experience with no muss or fuss are the angriest of all.
That said, kudos to Blizzard for leaping on this one quickly and putting together a plan of action to help affected customers. For now, this is just a minor inconvenience, and here's hoping it stays that way.