Blizzard owns up to data haemorrhage – painful but probably not too bad

Big-time online entertainment outfit Blizzard has just owned up to a data haemorrhage.

One silver lining here (and you know how much I like to find those in any security calamity) is that there doesn’t seem to be any weasel-wording going on.

Blizzard president, CEO and co-founder Michael Morhaime himself has taken up his virtual pen to explain that:

Some data was illegally accessed, including a list of email addresses for global users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to accounts.

Blizzard strongly suggests – but manfully doesn’t pretend to guarantee – that financial data such as credit cards, billing addresses, and real names weren’t got at.

(As you can imagine, the conundrum at the heart of any breach is working out what didn’t happen. Breaches invariably lead to a lot of “what ifs”, including, “What if the crooks covered their tracks or left a false audit trail?”)

A second silver lining is that Blizzard stored and managed its authentication data sensibly.

There are numerous ways to do this; Blizzard chose to use the Secure Remote Password (SRP) protocol, which offers the double whammy of in-transit security (like SSL/TLS or Diffie-Hellman-Merkle) and at-rest security (like hashing-and-salting).

Greatly, if not excessively, simplified, SRP uses public-key-crypto-style calculations so that:

* The client and the server are able to exchange authentication data securely.

* Data packets from an authentication session cannot be reused.

* No hashes or dictionary-attackable data are visible in the client-server exchange.

* The server never needs to write the user’s password to disk.

* The server needs a copy of the user’s password in memory only once, at password setup time.

In short: sniffing SRP traffic tells you nothing about the user’s password, and stealing the server’s authentication database doesn’t directly reveal any password secrets either.

Nevertheless, since Blizzard’s servers hold enough data to verify that you know your password and can type it in correctly at your end, anyone who has a clone of Blizzard’s authentication system has what he needs to run a password-guessing attack.

So the usual advice applies:

1. If you chose unwisely, your password could be guessed quickly. Stop choosing unwisely!

2. It’s worth changing your Blizzard password right away, even if you did choose wisely.

3. If you’ve used the same password elsewhere, change that one too, and don’t reuse passwords again.

4. If you store authentication data for your users, using solid cryptography to protect it in case it’s stolen is good, but not losing it in the first place is even better.

And, even though it doesn’t get the data back:

5. If you do suffer a security breach, a sincere apology like Mike Morhaime’s goes a long way.

Thanks to Naked Security readers Krazymouse and Matt B for the heads-up on this story.