Blizzard was hacked – now what?

So, another day, other new (publicly known) ”big” hack. This time, it was Blizzard who got swung at by the hacker axe. Someone had access to their internal network, and that they detected this about a week ago.

Blizzard says in response to the hack:

While there is currently no evidence that any of the password or player data has been misused, we encourage our North American players to change their passwords.

And as always, remember that there’s an increased risk of a targeted phishing attack on players since they had access to account data.

They also say:

We’ll also prompt mobile authenticator users to update their authenticator software.

This is probably to cause a ”re-seed” of the authenticator. Ususally, a secret ID or number is used as a ”seed value” for such authenticators. If someone has access to the algorithm generating the numbers, and which ID/seed an account has, they should be able to calculate the new authentication numbers. Blizzard says they believe the people with physical authenticators are still safe, but that the mobile authenticators are at risk.

However, one of the more important things is this:

In the coming days we will implement an automated process for all users to change their secret questions and answers, as a precautionary measure.

As we all got reminded from the Mat incident, a chain is only as strong as it’s weakest link. I fail to understand why some people highly praise their ”encrypted session blah, blah, hashed passwords” security measures, when all it takes to gain access is knowing ones favorite teacher, mother’s maiden name or a phone call to support?

Security questions are generally stupid. Everyone says ”Oh, you must have a password which is so-and-so, shame on you if you don’t!!” but, then they add ”By the way, as a second way to access your account, what is your pet’s name?”. Sometimes you get to choose your own questions, which is often not better since people don’t realize the inherent dangers of them. A friend of mine had the security question ”Write poo three times” (in Swedish) as a security question, thinking that ”an evil hacker won’t understand Swedish”, and perhaps not realizing when the question is used. Granted, he was much younger when he created the account, but, still…

Generic account recommendations:

  • Use secure passwords
    Passwords are currently the most common way of authenticating to online services, and it’s easy to understand why. Everyone can do it, and it’s easy to understand the concept. I strongly encourage using a password manager (e.g. KeePass or 1Password) both on your computer, and on your mobile phone.
  • Use better security questions/answers
    Realize that people WILL spend time trying to figure out the answer to your ”secret/security questions” to gain access to your account. Personally, I prefer to treat it as a secondary password field when required, and use my password manager to generate a new unique password for it. Please note that the answers are usually always stored in plain-text, so never ever re-use a regular password here.
  • Use two-factor authentication if possible
    Some services offer two-factor authentication via physical devices, mobile authentication, SMS, etc. Use those features! With Gmail, you can use either SMS, or a mobile app. Blizzard has both a physical device, and a mobile app, however, due to that statement, I’m uncertain how ”secure” it currently is..
  • Secure your e-mail account
    Most often, if people gain access to your e-mail, they can get access to all your accounts. Either via social engineering, or just simply using a ”I forgot my password, please send a reset link to me” function. It’s critical that you secure your e-mail account. If you HAVE to use passwords you can memorize, instead of using a password manager, always ALWAYS use a unique password for your e-mail. It should never ever be used anywhere else. Also, does your current e-mail account have an old out-dated ”secondary e-mail account”? (also used for password-reset) Perhaps it’s set to an old Yahoo e-mail address you no longer use/have access to? Change it, or delete it!


Missa inget!

Prenumerera på Säkerhetsbloggen via e-post!

No comments

Your email address will not be published.