Blizzard Entertainment, creators of World of Warcraft and Diablo III, was hacked this week. As the creators of such incredibly popular games, you might think this would be the time where we would all be inundated with frothing articles about why this should cause you to run out and change the passwords on everything in sight. But thankfully, you're unlikely to see that this time. Blizzard did one thing very right in terms of protecting their users' passwords.
At this point, it looks like all that was taken was this:
- A list of email addresses for global Battle.net users, excluding China
- Answers to personal security questions for players from North America, Latin America, Australia, New Zealand, and Southeast Asia
- Information relating to Mobile and Dial-In Authenticators
- Cryptographically scrambled versions of Battle.net passwords for players from North America, Latin America, Australia, New Zealand, and Southeast Asia
It does not appear that this information that was taken is enough to gain access to Battle.net accounts. And the best news is that last item. The passwords were not simply "hashed," but also "salted." For those of us who only know those two terms in the context of potato-y breakfast treats, here's a very simplified explanation:
- Salting involves adding random bits to your password
- Hashing involves creating a digital fingerprint that represents your password
Each of these alone does not represent a sufficiently significant hurdle to someone being able to bulk process the list and get the passwords out again. But by combining them, it makes it so someone would have to individually process each password, and at a good cost of time for each password. So while this doesn't mean the password list is useless, it does mean it's unlikely the breach of this list will cause much harm. It's still a good idea to change your security questions and password for Blizzard and any other site where you used the same question or password (and don't forget to choose a strong password).