updated 09:25 pm EDT, Thu August 9, 2012
Lost data reportedly insufficient to allow illicit battle.net access
World of Warcraft and Diablo III developer Blizzard has announced an intrusion into its internal network. Some data was illegally accessed, including the global Battle.net user email list outside of China, the answers to personal security questions on North American servers, encrypted Battle.net passwords, and information relating to Mobile app and Dial-in authenticators. According to Blizzard, the information alone isn't sufficient for unauthorized parties to gain access to Battle.net accounts.
Blizzard's use of the Secure Remote Password protocol (SRP) makes the passwords difficult to extract, and would require attackers to decrypt each password individually before use. As a precaution, Blizzard is recommending that users change their passwords immediately, as well as on any other servers where the same password is used as on Blizzard's service.
North American users will be prompted over the next several days to change authentication secret questions. Mobile users will be prompted to update the authenticator software. Blizzard believes that the integrity of the keychain physical authenticators remains intact.
The intrusion began on August 4, and was announced today. Blizzard reports that their first priority "was to re-secure our network, and from there we worked simultaneously on the investigation and on informing our global player base." In waiting five days to inform the public of the breach, Blizzard wanted to "strike a balance between speed and accuracy in our reporting and worked diligently to serve both equally important needs."