Blizzard Confirms Battle.Net Hacked: Here's What We Know So Far

Blizzard announced yesterday that its popular service has been compromised. The company's investigation is ongoing, but Blizzard has released some early details on what's been taken and what the theft means for its users.

First off, the company doesn't believe any credit card information, Paypal addresses, or similar data was seized. No billing addresses or real names have been accessed, either. What was taken includes:
  • Email addresses for non-Chinese users
  • Personal security questions and answers
  • Information related to Mobile and dial-in Authenticators
  • Cryptographically hashed passwords
Those last two items are worrisome, and Blizzard's Mike Morhaime addresses it directly, stating that "Based on what we currently know, this information alone is NOT enough for anyone to gain access to accounts... We also know that cryptographically scrambled versions of passwords (not actual passwords) for players on North American servers were taken. We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually."

No "I told you so"

As tempting as it is to claim we saw this coming back in May, we're going to refrain. Here's why: hacking has become an even hotter topic in the Blizzard community since the launch of Diablo III. There are people who will read this news and immediately assume that the company launched some enormous cover-up, that the hacks go all the way back to launch, and that Blizzard was blowing smoke up our posteriors about the whole thing.

Sure. That could be true. But there's no proof of it. Security break-ins don't necessarily map to external issues. It's possible that Blizzard caught this almost as soon as it occurred. It could turn out that the hack occurred months ago, but data was only transferred recently. It's absolutely possible that the hack occurred months ago, but that Blizzard was being 100% honest when it said that no one with a Diablo III authenticator had ever been hacked.

If this blows up as big as the Sony hack did, or involves the same sort of blatant stupidity, we'll be there. For now, we recommend resetting your passwords, keeping an eye out for the company's updated Authenticator software (if you use one) and checking the FAQ if you have additional questions.