Blizzard Entertainment, developers of hit online games Diablo III and World of Warcraft, have alerted players this morning to a breach of account security that has resulted in the unauthorized release of some player information to outside sources.
The unauthorized access included email addresses associated with Battle.net accounts in all regions, outside of China. Additional information from accounts associated with the North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) was also accessed, including cryptographically scrambled versions of passwords (not actual passwords), the answer to a personal security question, and information relating to Mobile and Dial-In Authenticators. It’s important to note that at this time, Blizzard does not believe this information alone is enough to gain access to Battle.net accounts.
Blizzard don't currently believe that credit card or other payment-related information was lost in the breach; however, they recommend that players change their Battle.net password and any similar passwords used for other purposes.
Update: Blizzard have put up a FAQ for the breach, which includes (amongst many other things) the following information:
Data accessed includes:
With regard to the mobile authenticator platform (a downloadable app that is meant to secure Battle.net accounts), Blizzard believe that - in the US at least - the data taken could potentially compromise the integrity of the system. They mention that there is no evidence that other regions are affected; however, it's not clear if the term "region" in this context includes New Zealand (Kiwis generally play on US-region servers).
The physical authenticator (keychain based) system is not believed to have been compromised as a result of this security breach, despite related data being stolen.
While there is no current way to change the (compromised) secret question and answer pair for Battle.net accounts, Blizzard are working on building a system to allow that as a priority. In the meantime, they've left the old question & answer in place, in order to continue to provide a layer of protection from hackers that don't have access to the compromised data.
The security breach itself, the nature of which has not been disclosed, was discovered on August 4th.
We'll continue to bring you more information on this breaking story as it develops.