In a press release, Blizzard said the unauthorized access included email addresses associated with Battle.net accounts in all regions outside of China. Additional information was accessed from accounts associated with the North American servers.
The company stressed that credit card and other customer payment data has not been accessed or affected at this time.
Blizzard first detected the intrusion into its network on August 4, but chose not to disclose the information until today.
“This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard,” Blizzard president Mike Morhaime wrote in a blog post. “We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.”
Mr. Morhaime claims that Blizzard uses the Secure Remote Password protocol (SRP) to secure users’ passwords. SRP uses a password-authenticated key agreement method, which makes it possible for a man-in-the-middle attack to intercept enough information to decrypt the passwords. This also means that passwords should be hashed and salted, but until a hash dump appears online this cannot be verified.
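To show what the protocol named above actually stores and exchanges, the following is an added SRP-6a example in Python; it is not Blizzard's code and does not come from the article. It assumes SHA-256 as the hash function and the 1024-bit group from RFC 5054 (check the digits against the RFC before reuse), and the usernames and passwords are constructed for the demonstration. The server keeps only a salt and a verifier g^x mod N, where x is derived from the salted password, so the stored record behaves like a salted password hash. The handshake transcript an eavesdropper sees consists of the salt, the two public values A and B, and the two proofs; checking a password guess against that transcript requires one of the private exponents, whereas anyone holding the server's verifier record can check guesses offline, which is why a compromised account database still warrants a password change.

```python
import hashlib
import hmac
import secrets

# SRP-6a group: the 1024-bit group from RFC 5054 (N is a safe prime, g = 2).
# Transcribed for this illustration; verify against the RFC before relying on it.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3",
    16,
)
g = 2
NLEN = (N.bit_length() + 7) // 8


def _h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the parts (assumed hash for this example)."""
    return hashlib.sha256(b"".join(parts)).digest()


def _pad(n: int) -> bytes:
    """Big-endian encoding padded to the length of N, as SRP-6a requires."""
    return n.to_bytes(NLEN, "big")


# SRP-6a multiplier k = H(N, PAD(g)); it binds B to the group parameters.
k = int.from_bytes(_h(_pad(N), _pad(g)), "big")


def _x(salt: bytes, username: str, password: str) -> int:
    """Private key x = H(salt, H(username:password)); the password enters only here."""
    inner = _h(f"{username}:{password}".encode())
    return int.from_bytes(_h(salt, inner), "big")


def register(username: str, password: str):
    """Enrolment: the server stores (salt, verifier), never the password itself."""
    salt = secrets.token_bytes(16)
    v = pow(g, _x(salt, username, password), N)
    return salt, v


def srp_handshake(username: str, registered_password: str, attempted_password: str):
    """Run one SRP-6a exchange; returns (server_accepted, client_accepted, transcript)."""
    salt, v = register(username, registered_password)  # server-side record

    # Client -> server: username and A = g^a mod N.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Server -> client: salt and B = k*v + g^b mod N.
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    # Both sides must reject public values that are 0 mod N.
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value")
    u = int.from_bytes(_h(_pad(A), _pad(B)), "big")
    if u == 0:
        raise ValueError("u must be non-zero")

    # Client side: recomputes x from the attempted password, never sends it.
    x = _x(salt, username, attempted_password)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    k_client = _h(_pad(s_client))
    m1 = _h(_pad(A), _pad(B), k_client)  # client proof

    # Server side: uses only the stored verifier v and its own exponent b.
    s_server = pow((A * pow(v, u, N)) % N, b, N)
    k_server = _h(_pad(s_server))
    server_accepted = hmac.compare_digest(m1, _h(_pad(A), _pad(B), k_server))
    m2 = _h(_pad(A), m1, k_server) if server_accepted else b""  # server proof
    client_accepted = hmac.compare_digest(m2, _h(_pad(A), m1, k_client))

    # Everything an eavesdropper on the wire observes.
    transcript = {"salt": salt, "A": A, "B": B, "M1": m1, "M2": m2}
    return server_accepted, client_accepted, transcript


def guess_matches_verifier(salt: bytes, v: int, username: str, guess: str) -> bool:
    """Offline check possible only for a holder of the server's (salt, verifier) record."""
    return pow(g, _x(salt, username, guess), N) == v


if __name__ == "__main__":
    ok_server, ok_client, t = srp_handshake("alice", "correct horse", "correct horse")
    print("mutual authentication:", ok_server and ok_client)
    bad_server, bad_client, _ = srp_handshake("alice", "correct horse", "wrong horse")
    print("wrong password rejected:", not bad_server and not bad_client)
```

The transcript dictionary is the defender's checklist of what a network-level compromise exposes: none of its entries can be tested against a password guess without a private exponent, while `guess_matches_verifier` shows why the stored verifier must be protected like any salted hash store.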
“As a precaution, however, we recommend that players on North American servers change their password. Moreover, if you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well”, Mr. Morhaime wrote. “In the coming days, we’ll be prompting players on North American servers to change their secret questions and answers through an automated process. Additionally, we’ll prompt mobile authenticator users to update their authenticator software.”
“We take the security of your personal information very seriously, and we are truly sorry that this has happened.”