Security & Privacy

Blizzard’s Been Breached, But You Shouldn’t Panic

Posted on by

Blizzard Entertainment, creators of World of Warcraft and Diablo III, was hacked this week. As the creators of such incredibly popular games, you might think this would be the time where we would all be inundated with frothing articles about why this should cause you to run out and change the passwords on everything in sight. But thankfully, you’re unlikely to see that this time. Blizzard did one thing very right in terms of protecting their users’ passwords.

At this point, it looks like all that was taken was this:

  • A list of email addresses for global users, excluding China
  • Answers to personal security questions for players from North America, Latin America, Australia, New Zealand, and Southeast Asia
  • Information relating to Mobile and Dial-In Authenticators
  • Cryptographically scrambled versions of passwords for players from North America, Latin America, Australia, New Zealand, and Southeast Asia

It does not appear that this information that was taken is enough to gain access to accounts. And the best news is that last item. The passwords were not simply “hashed,” but also “salted.” For those of us who only know those two terms in the context of potato-y breakfast treats, here’s a very simplified explanation:

  • Salting involves adding random bits to your password
  • Hashing involves creating a digital fingerprint that represents your password

Each of these alone does not represent a sufficiently significant hurdle to someone being able to bulk process the list and get the passwords out again. But by combining them, it makes it so someone would have to individually process each password, and at a good cost of time for each password. So while this doesn’t mean the password list is useless, it does mean it’s unlikely the breach of this list will cause much harm. It’s still a good idea to change your security questions and password for Blizzard and any other site where you used the same question or password (and don’t forget to choose a strong password).