It’s getting so companies that haven’t been hacked are probably starting to feel left out: Blizzard just announced that it recently discovered an “unauthorized and illegal access” to its internal network — a breach that included access to sensitive personal data.
While the company says it currently has no evidence enough information was taken to allow someone to access a Battle.net account (the company’s catchall network for its games, including World of Warcraft, Starcraft II and Diablo III), Blizzard president Mike Morhaine is recommending that users change their Battle.net passwords immediately as a precautionary measure.
In a security update posted to Blizzard’s website, Morhaine wrote that — so far at least — the company doesn’t believe sensitive financial information was snatched, while admitting:
Some data was illegally accessed, including a list of email addresses for global Battle.net users, outside of China. For players on North American servers (which generally includes players from North America, Latin America, Australia, New Zealand, and Southeast Asia) the answer to the personal security question, and information relating to Mobile and Dial-In Authenticators were also accessed. Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts.
In a FAQ that offers further information about the security breach, Blizzard says it discovered the intrusion on Aug. 4 (last Saturday). It describes the reason for waiting to go public until Aug. 9 as follows:
We worked around the clock since we discovered the unauthorized user to determine the nature of the trespass and understand what data was accessed. Our first priority was to re-secure our network, and from there we worked simultaneously on the investigation and on informing our global player base. We wanted to strike a balance between speed and accuracy in our reporting and worked diligently to serve both equally important needs.
That’s a little vague, of course, and the five-day delay seems a little much. All Blizzard needed to do, 24 hours in (say by Monday morning) was issue a few terse lines admitting the company was investigating a security breach while advising what Morhaine wound up saying anyway: Change your password as a purely precautionary measure.
Any reactionary “panicking” is going to happen whether a company waits a day or a year to inform its customer base of a potentially impactful security breach. Wouldn’t you rather know sooner, so you can take self-protective action, whether the breach proves serious or not?
Speaking of common sense: Take Morhaine’s advice and change your Battle.net password pronto, just to be safe, since — like Sony, Valve and so many others before it — Blizzard’s still assessing the scope of the breach. You don’t want to be on the receiving end of a future “whoops, we didn’t know about that” security update.