Blizzard Entertainment concludes its data breach investigation – fifteen months later!

Just over fifteen months ago, we reported on a data breach at online entertainment company Blizzard.

We were complimentary to Blizzard back then, even though it had just let its customers down.

That’s because the company tried to make the best out of a bad situation.

In particular, Blizzard:

  • Owned up within three days of finding there was a problem.
  • Got the CEO himself, not a PR person or a lawyer, to announce, explain and apologise.
  • Gave some technical details about how it had stored its customers’ passwords.
  • Argued that the risk was low without claiming there was no risk at all.
  • Didn’t trot out excuses such as the sophistication of the attackers.
  • Left the bit about how seriously it takes security until the very end.
  • Said sorry in a way that we were inclined to believe and accept.

Blizzard’s follow-up, however, hasn’t been quite as swift or impressive.

There is, of course, the possibility that Russell from Vancouver (the Naked Security reader who reported this to us) has an email server that is stuck in some kind of Whovian time-warp.

But if not, Blizzard has taken a whopping fifteen months, two weeks and two days to provide its follow-up.

In fact, even if Russell’s email server takes ages to deliver messages, Blizzard took at least five-and-a-half months to get back to him, because the message explicitly refers to the breach from “last year”:

As you might be aware, last year on August 4, 2012, Blizzard’s internal security team discovered an unauthorized and illegal access into Blizzard’s internal network. Blizzard promptly launched an investigation to determine the scope of the unauthorized access and notified players of this incident on August 9, 2012. [...]

The following information was involved in the incident:

1. Email addresses (user ID);
2. Answers to secret security questions (no personally identifiable information involved);
3. Cryptographically scrambled versions of passwords (not actual passwords) which are protected by Secure Remote Password protocol; and
4. Information associated with the Mobile Authenticator.

Our investigation has revealed that you had an active account with Blizzard at the relevant time and, in accordance with local regulations, we are providing you with this direct notice of this incident in addition to the notice we previously provided.

Based on an extensive investigation into this incident, Blizzard has no evidence that the information that was accessed has been misused. Further, we have found no evidence that actual passwords or financial information, such as credit cards, billing addresses, or real names, were compromised.

Never was the word “extensive” used so appropriately in respect of a password breach notification!

What can we learn from this investigation?

Blizzard uses the Secure Remote Password (SRP) protocol, which lets you keep your salted-and-hashed passwords on a server of their own, so that login verification is not handled directly on your edge servers.

One of the features of SRP is to keep the password database at arm’s length, so that a network request (something that can be rate limited and controlled) is needed to perform each password check, thus greatly inhibiting dictionary or brute force attacks.

But because the actual scrambled passwords were stolen, it sounds as though the SRP server itself was breached.

That makes a password cracker’s job easier by allowing him to cut out any network latency or rate limiting that a customer-facing system would implement.
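To make the two points above concrete, here is an added example (not code from the article or from Blizzard) of the SRP-6a enrolment and login exchange in Python, using the RFC 5054 1024-bit group and a constructed identity and password. The server holds only a salt and a verifier and never sees the password, which is the arm's-length property; the last function shows why a stolen (salt, verifier) pair lets someone test candidate passwords with no network round trip left for the SRP server to rate-limit.

```python
import hashlib
import secrets

# RFC 5054 1024-bit SRP group: N is a safe prime, g = 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(n: int) -> bytes:
    return n.to_bytes(NLEN, "big")

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def private_x(identity: str, password: str, salt: bytes) -> int:
    # x = H(s | H(I ":" p)); only the client ever computes this value.
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)

def make_verifier(identity: str, password: str):
    # Enrolment: the SRP server stores (s, v = g^x mod N), never p or x.
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(identity, password, salt), N)

def srp_login(identity: str, password: str, salt: bytes, v: int) -> bool:
    # One SRP-6a exchange; True when client and server derive the same key.
    k = H(pad(N), pad(g))
    a = secrets.randbelow(N - 1) + 1
    b = secrets.randbelow(N - 1) + 1
    A = pow(g, a, N)                          # client -> server
    B = (k * v + pow(g, b, N)) % N            # server -> client
    u = H(pad(A), pad(B))
    x = private_x(identity, password, salt)   # client side only
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    return H(pad(S_client)) == H(pad(S_server))

def verifier_matches(identity: str, salt: bytes, v: int, candidate: str) -> bool:
    # What a stolen (s, v) record permits: checking a candidate password
    # offline, with no SRP server in the loop to rate-limit the attempt.
    # The verifier store therefore needs the same protection as a hash database.
    return pow(g, private_x(identity, candidate, salt), N) == v
```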

The fact that Blizzard lost unencrypted answers to its customers’ “secret security” questions is also a matter of concern.

Although Blizzard describes those secret security answers as not involving personally identifiable information, some users may well have used answers with a personal angle simply to make those answers more memorable.

After all, secret security questions are infrequently asked, but the answers are vitally important.

Even though Blizzard required its users to reset their passwords and their secret questions-and-answers back when the breach happened, that couldn’t retrospectively change the secret answers that users had already uploaded.

(If you’d factored your birthday into the answer, for example – no matter how ill-considered that might have been – then the reset would have changed your answer, but obviously not your birthday. Crooks recognising a birthday in your stolen answer would therefore acquire some usable information about you.)

Nevertheless, Blizzard’s follow-up is better late than never.

And perhaps there’s a silver lining: given the circumstances, Blizzard’s appeal to its customers to adopt its Mobile Authenticator solution may carry more weight.

Blizzard’s Mobile Authenticator is what you and I call 2FA, or Two Factor Authentication.

You can remind yourself why 2FA is a good idea (or revise the argument you’ll put to your CTO and CFO to convince them why it’s a good idea) with this Techknow podcast:
