Blizzard has declared that their Battle.net service was recently attacked. Some information has been compromised, and as a result Blizzard will force users to change their security questions and answers in the next few days. Mobile authenticator users will also need to update the software on their second-factor authenticator.
I think we all know the story by now: cloud services will be attacked, a lot, and some will succeed.
Blizzard has declared that their Battle.net service was broken into. The intrusion compromised the email addresses associated with accounts as well as the answers to the security questions. The second-factor authenticators were also affected and will receive an update shortly. Attackers also obtained passwords protected by the Secure Remote Password (SRP) protocol.
Blizzard clouds bring flurries.
Image credit: Blizzard Entertainment
Once again, this sort of thing happens all of the time. The key to security in an age where information is transmitted and stored freely is to always keep in mind what you entrust each service with. If you give a service your email address, you need to consider what an attacker could accomplish with that information. Combined with the email addresses of your friends, an attacker could send you an email pretending to be one of those friends. They could also link you to your accounts on many other services, either to build a more convincing impersonation of you or to learn whom they are attacking somewhere else.
You must be responsible with your information and you must realize you are trusting the service to do the same.
In this case, Blizzard protected passwords using the SRP protocol. When properly implemented, this protocol never stores the password itself: it stores a salted, hashed value derived from the password (the verifier), which makes recovering the password from the stored value incredibly difficult. What an attacker can still do is build a table of the scrambled values that common passwords produce and look for users whose stored value matches. The more obscure your password, the less likely it is to appear in such a table.
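To make the paragraph above concrete, here is an added example (not Blizzard's code and not taken from the original post) of the SRP-6a verifier computation and of what a leaked (username, salt, verifier) record does and does not give away. The group parameters are the 1024-bit group from RFC 5054 as transcribed here; SHA-256 as the hash, the function names, and the sample passwords are all assumptions made for this illustration.

```python
import hashlib
import os

# 1024-bit SRP group from RFC 5054, Appendix A (transcribed here; confirm
# against the RFC before relying on it). g = 2 is the generator.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2


def _h(*parts: bytes) -> bytes:
    """Hash helper; SHA-256 is an assumption, RFC 5054 test vectors use SHA-1."""
    return hashlib.sha256(b"".join(parts)).digest()


def srp_verifier(username: str, password: str, salt: bytes) -> int:
    """SRP-6a verifier: x = H(salt | H(username ':' password)), v = g^x mod N.

    Only v (with the salt) is stored by the service; the password is not.
    """
    inner = _h(f"{username}:{password}".encode("utf-8"))
    x = int.from_bytes(_h(salt, inner), "big")
    return pow(g, x, N)


def register(username: str, password: str) -> dict:
    """What the service keeps at sign-up: a fresh per-user salt and the verifier."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "verifier": srp_verifier(username, password, salt),
    }


def first_match(record: dict, candidates: list) -> tuple:
    """Model of the risk the post describes: someone holding a leaked record
    cannot invert the verifier, but can recompute it for each guessed
    password and compare. Returns (matching guess or None, guesses tried).
    Because the salt is per user, the work has to be redone for every account.
    """
    for tried, guess in enumerate(candidates, start=1):
        if srp_verifier(record["username"], guess, record["salt"]) == record["verifier"]:
            return guess, tried
    return None, len(candidates)


if __name__ == "__main__":
    # Constructed sample data: a weak password and an obscure one.
    weak = register("alice", "password123")
    strong = register("bob", "Yx7!moth-carafe-9120-quartz")
    common_list = ["123456", "letmein", "password123", "qwerty"]
    print("alice:", first_match(weak, common_list))    # matched on guess 3
    print("bob:  ", first_match(strong, common_list))  # no match in the list
```

The lesson the code makes visible: the stored verifier is useless for logging in directly and cannot be reversed, yet a password that appears in a common-password list is found on the first few recomputations, while a per-user salt forces that work to be repeated per account rather than shared across the whole user table.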
If Blizzard implemented the protocol correctly, then they did their part. Ultimately it is up to the user to match the trust they place in a service to the likelihood and the damage of one or more attacks. This is true whenever you handle your information – never become complacent, or you will have something to forgive yourself for at some point.
While attackers having to get innovative means the easy attacks are losing economic viability – it also means users will need to consider all the possible ways they can be compromised.