Millions of gamer account details stolen in huge Blizzard attack

Millions of gamers have had their account details stolen in a hack on Battle.net, the online service used to store and manage the personal information of players of Blizzard games like World of Warcraft and Diablo 3.

Blizzard president Mike Morhaime confirmed the attack in a blog post, writing that “our security team found an unauthorized and illegal access into our internal network.”

“We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened,” he continued.

Morhaime advised users in North America to change the login information they use to access their Battle.net accounts, though he insisted that, so far, there has been no evidence that credit card information, addresses, or real names have been stolen.

The breach compromised a list of email addresses of players outside of China, as well as answers to personal security questions and information related to mobile and dial-in access to Battlet.net.

The hackers managed to gain access to a cryptographically scrambled list of passwords used by players in North America. Though the encryption technique makes it difficult to unscramble the passwords, those users are nonetheless recommended to change their details.

The company will begin prompting users in North America to update their account information, including security questions and answers, through an automated process. Those using mobile authentication will be asked to update their authenticator software, Morhaime said.

Sophos researcher Paul Ducklin has described the hack as “painful but probably not too bad.” In a post penned for the security firm’s blog, Ducklin praised Blizzard for its “sensible” storage and management of authentication data.

Meanwhile, Blizzard has created an FAQ page to answer any leftover questions users may have while the Battle.net investigation continues.