Blizzard Hack: A Security Guide For Users

Diablo III and World of Warcraft players should change their passwords and protect their e-mail accounts now

If you play PC games from Blizzard Entertainment such as Diablo III and World of Warcraft you need to review your account security as soon as you can.

Blizzard has confirmed a security breach compromised a large amount of user account data for gamers. Blizzard is warning players on North American servers (including players from North America, Latin America, Australia, New Zealand, and Southeast Asia) that hackers have nabbed user e-mail addresses, answers to security questions, a database of cryptographically scrambled passwords, and sensitive data related to dial-in and smartphone app-based two-factor authentication.

Blizzard says the purloined information alone isn't enough to crack into accounts. The scrambled passwords, for example, were protected by the Secure Remote Password (SRP) protocol, a key-based authentication system that stores a per-user salted verifier rather than the password itself. The company says anyone trying to crack the passwords would have to decipher the passcodes one by one.

Nevertheless, gamers are being advised to change their passwords, as well as take a number of other security measures. If you're a gamer, here's what you need to know about securing your account and what to expect from Blizzard in the coming days.

Change Your Password

Blizzard is recommending that all users change their account passwords.

You can do that from the account management site: log in and click on the Account link at the top of the page. On the next page click Settings and select Change Password from the drop-down menu.

Expect a Security Question Change

Blizzard does not yet have a mechanism in place to let you change your security question, a measure for account recovery and identity verification, which is a real bummer considering hackers have your answers. But the company says it is working to create a feature that will let you change your question through the account management site. Once the new measure is active, you will be automatically prompted to change your security question.

Blizzard said it didn't immediately revoke users' security questions because it believes keeping the secret questions and answers in place still provides a layer of security against unauthorized users who don't have access to the compromised data. The problem, however, is that some bad guys do have access to your security question answers. Color me unimpressed.

Two-Factor Authentication App Update Due

It's not clear what kind of information was stolen, but sensitive data relating to Blizzard's free two-factor authentication smartphone app, Mobile Authenticator, was also compromised. Blizzard says the data could potentially compromise the integrity of North American Mobile Authenticators. Blizzard also says hashed phone numbers were compromised for users of Dial-in Authenticator, a service that is no longer available to new users.

Mobile Authenticator users should be on the lookout for an update to the mobile app. It's not clear whether Blizzard has any plans to deal with compromised data for dial-in authentication users.

Enable Two-Factor Authentication (Eventually)

Yes, potentially damaging information was stolen for Blizzard's two-factor authentication system, but in the long run it's still more secure to use a two-factor log-in system. By using two-factor authentication you are creating one more hurdle for hackers to get past, and most of the time this will make it much harder to compromise your account. But users might be wise to wait to enable this feature until Blizzard releases its software update.

Blizzard offers users two-factor authentication through a $6.50 keychain attachment that supplies a log-in code or the Mobile Authenticator app. You can buy the physical authenticator directly from Blizzard. Mobile Authenticator is available for iOS, Android, Windows Phone 7, and BlackBerry.

Consider SMS Protect

Blizzard offers another security option called SMS Protect that will send a text to your mobile phone if suspicious account activity is detected or any significant changes are made such as password changes. You can also use SMS Protect to unlock your account, remove an authenticator, recover your account name, and reset your password.

Review Your E-Mail Security

The recent hack that tore apart the digital life of Wired reporter Mat Honan reminds us that compromised accounts can often snowball across connected services. So you should review the security surrounding the e-mail address for your account.

First, you should make sure the password for your e-mail address isn't the same as your account password. If it is, you should change it immediately. For password creation tips check out Password Management: Idiot-Proof Tips and Google Offers Advice on Secure Passwords. A password manager such as KeePass, LastPass, or 1Password can also save you if you forget your new e-mail password.

Second, you should check that your e-mail account's recovery options are up to date, including any security questions and alternate e-mail addresses. Honan lost control of his digital life after hackers were able to access the back-up e-mail address for his Gmail account. Hackers already know the e-mail address connected to your account, so be wary of attempts to break into your e-mail via account recovery options.

Finally, if your e-mail provider offers it, you should also enable two-factor authentication for added protection.

Watch Out For Phishing E-mail

Blizzard is advising its users to watch out for e-mail purporting to come from Blizzard in an attempt to steal your account credentials. Blizzard says it will never ask for your password or log-in information via e-mail.

Connect with Ian Paul (@ianpaul) on Twitter and Google+, and with Today@PCWorld on Twitter for the latest tech news and analysis.
