
SANS ISC InfoSec Handlers Diary Blog



Blizzard Compromise-- what they missed in their user communication

Published: 2012-08-10
Last Updated: 2012-08-10 01:51:02 UTC
by Kevin Liston (Version: 2)
5 comment(s)

James brought this to my attention shortly after I checked in for my shift: http://us.blizzard.com/en-us/securityupdate.html

There are a few more details here: http://us.battle.net/support/en/article/important-security-update-faq

I'm going to repeat a little of what they said about what was accessed:

Here's a summary of the data that we know was illegally accessed:

North American-based accounts, including players from Latin America, Australia, New Zealand, and Southeast Asia:
  - Email addresses
  - Answers to secret security questions
  - Cryptographically scrambled versions of passwords (not actual passwords)
  - Information associated with the Mobile Authenticator
  - Information associated with the Dial-in Authenticator
  - Information associated with Phone Lock, a security system associated with Taiwan accounts only

Accounts from all global regions outside of China (including Europe and Russia):
  - Email addresses

China-based accounts:
  - Unaffected

At this time, there’s no evidence that financial information of any kind has been accessed. This includes credit cards, billing addresses, names, or other payment information.

Note the bit in bold: "Answers to secret security questions."  As we saw with Mat Honan's ordeal earlier this week (http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard) the secret question isn't much of a barrier in an attack, and when they have the actual answer, password resets aren't much of a challenge.

So, Blizzard's recommendation to "change your password" is largely ineffective for North American customers.  If you're concerned about your account, change your security questions, and go with their two-factor solution too.

UPDATE: After spending 15 minutes on the battlenet website I couldn't find an easy way to change/update the security question.  The best I could do was add SMS alerts to authorize any password resets.
