Blizzard has confirmed that their security team recently discovered their internal network had been compromised. The team says they quickly took steps to seal off access and opened an investigation with security experts and law enforcement to uncover exactly what happened.
As of writing, Blizzard says there’s no evidence that financial data such as credit cards, billing addresses or real names were compromised. Other data was accessed, however, including a list of email addresses for global Battle.net users, answers to the personal security question and information related to mobile and dial-in Authenticators. The developer and publisher points out that this information alone isn’t enough for anyone to gain access to a Battle.net account.
Furthermore, cryptographically scrambled versions of Battle.net passwords (but not actual passwords) for players on North American servers were taken. Because Blizzard uses the Secure Remote Password (SRP) protocol to protect these passwords, it would be incredibly difficult for someone to extract a password from a scrambled version, and each password would have to be recovered individually.
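
The following Python example, added here and not taken from Blizzard, shows what an SRP server stores for each account and why verifiers have to be worked on one account at a time. It assumes the RFC 5054 verifier formula with SHA-1 and that RFC's 1024-bit group, since the page does not say which parameters Battle.net used; the account names and password are constructed.

```python
import hashlib
import secrets

# Assumption: 1024-bit group (N, g) from RFC 5054 Appendix A; the page does not
# state which SRP parameters or hash function Battle.net used.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2


def make_verifier(username: str, password: str, salt: bytes) -> int:
    """v = g^x mod N with x = SHA1(salt | SHA1(username ":" password))."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    x = int.from_bytes(hashlib.sha1(salt + inner).digest(), "big")
    return pow(G, x, N)


def enroll(username: str, password: str) -> dict:
    """What the server keeps: username, random salt, verifier. No password."""
    salt = secrets.token_bytes(16)
    return {"user": username, "salt": salt,
            "v": make_verifier(username, password, salt)}


def candidate_matches(record: dict, candidate: str) -> bool:
    """Recompute the verifier for one candidate under one record's salt."""
    v = make_verifier(record["user"], candidate, record["salt"])
    return secrets.compare_digest(v.to_bytes(128, "big"),
                                  record["v"].to_bytes(128, "big"))


def demo() -> dict:
    # Constructed sample accounts; both use the same password on purpose.
    a = enroll("alice@example.com", "correct horse battery")
    b = enroll("bob@example.com", "correct horse battery")
    return {
        # Per-account salt and username: identical passwords, unrelated verifiers
        "same_password_same_verifier": a["v"] == b["v"],
        "right_candidate": candidate_matches(a, "correct horse battery"),
        "wrong_candidate": candidate_matches(a, "correct horse batterx"),
    }


if __name__ == "__main__":
    print(demo())
```

Each check costs a modular exponentiation under that one account's salt, so nothing computed for one record carries over to another; a weak password can still be confirmed by this kind of recomputation, which is why the password change matters.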
Blizzard is urging all players on North American servers to change their passwords immediately. They will also be prompting these same gamers to change their secret questions and answers through an automated process in the near future. Software updates are also in the works for mobile Authenticators.
Following up on Blizzard’s suggestion, it’s probably a good idea for anyone who has a Blizzard account to go ahead and change their password, regardless of which regional server they play on.