Battle.net Hack May Be More Serious Than Blizzard Lets On

At risk of sounding like a doomsday herald, software engineer Jeremy Spilman has written an in-depth analysis discussing why he thinks the data of Blizzard customers may not be as safe as the games company claims following a recent security breach of their servers. Though the article gets a little technical, it effectively boils down to the fact that the Secure Remote Password (SRP) system Blizzard uses for their security is vulnerable to dictionary attacks, and Spilman posits that at this time, potentially “millions” of passwords could have already been discovered.

Unless Blizzard has previously strengthened their verifier database by selecting their own, more expensive hashing algorithm such as bcrypt set at an onerous difficulty then each users’ password can be individually dictionary attacked at well over 100k guesses per second. Combined with Blizzard’s reduced entropy password policy (all lower-case, no symbols), this means that it is highly likely that the vast majority of passwords stored in their database have already been cracked by the attacker.

The prospect of an attacker holding your email address, password, and security question/answer is troublesome, to put it mildly. Blizzard is incorrect in claiming that SRP (is designed to make it extremely difficult to extract the actual password.) That they would make this statement is at best misleading and inaccurate, and dangerous if users believe their passwords are still actually safe.

I implore anyone who is a member of Battle.net: immediately ensure your old Battle.net password is not being used on any other sites, and you should never use that same password again. You should also verify your secret question/answer that you used on Battle.net is not reused elsewhere as well.

Spilman goes on to ask that Blizzard be more open about the details of the attack, and suggests they outright admit that passwords have been compromised. While it might sound a bit like Spilman is looking to bring more traffic to his own site, it’s also believable Blizzard would understate the severity of the hack.

Meanwhile, Blizzard have released an FAQ on the security breach, though it doesn’t appear to deny any of the claims made by Spilman outright.

Share this article:
Eric Schwarz
Eric Schwarz
Articles: 199

Leave a Reply

Your email address will not be published. Required fields are marked *