“This week, our security team found an unauthorized and illegal access into our internal network here at Blizzard,” says a security bulletin posted last night on Blizzard’s website.
“Some data was illegally accessed,” it adds, before listing what Blizzard thinks was compromised. The list includes email addresses, answers to personal security questions and – worryingly – “information relating to Mobile and Dial-In Authenticators”, which translates to hashed phone numbers.
Passwords were also accessed, although Blizzard stores “cryptographically scrambled” passwords protected with SRP (the Secure Remote Password protocol), so they should hopefully remain encrypted. That said, Blizzard does recommend that passwords are changed.
If you have used the same or similar passwords for other purposes, you may want to consider changing those passwords as well, says the bulletin. This is common sense – don’t reuse passwords.
There is no evidence that financial information was affected or accessed, says Blizzard. Thankfully, there’s also no evidence that personal information such as real names or billing addresses was accessed, which is hopefully some comfort.
China-based accounts appear to be unaffected by the hack.
Anyone with a Blizzard account on Battle.net who is still concerned should definitely read Blizzard’s FAQ, which has additional information.