This is the world we live in now. A world where some service you've signed up with seems to get penetrated every couple of weeks, sending everyone into a password-changing frenzy. I bet the guys selling password-securing apps are stoked. This month's victim of unauthorized access is Blizzard, which disclosed yesterday that someone got into its network on or around August 4 of this year.
So what'd they take? According to Blizzard's FAQ on the matter, players in the North American region--which includes Australia for reasons that I'm sure would make sense if someone bothered to describe it--have the following items to worry about:
- Email addresses
- Answers to secret security questions
- Cryptographically scrambled versions of passwords (not actual passwords)
- Information associated with the Mobile Authenticator
- Information associated with the Dial-in Authenticator
- Information associated with Phone Lock, a security system associated with Taiwan accounts only
- In addition to this list of North American information, all users except those with China-based accounts had their email address taken.
So that means, at the minimum, your email address is out there. If you're part of what Blizzard considers its North American region, the answer to your secret security question is out there, too. Considering the number of sites that don't let you choose what your secret question is (if mine is any indication, Blizzard is among them), this may be an actual concern for you. Anyone that doesn't let you create your own custom secret question is a Bad Person. Blizzard says that an automated process to update secret questions and answers will be available in the near future. In the meantime, if you use the same secret question/answer combo on multiple sites, this might be a good time to tear your hair out and yell at the sky for a bit.
The FAQ goes on to say that the company believes that physical Blizzard Authenticators are secure, but app-based authentication will eventually require an update. For more details on how your password was stored and why it's unlikely that this will lead to your actual password getting out in the open, read the rest of Blizzard's FAQ... after you're finished changing your password, that is.