Blizzard announced Thursday that it had discovered and closed a Battle.net security breach, and is now working with law enforcement and security experts to determine what happened. Among the illegally accessed data was a list of email addresses for global Battle.net users outside of China, and the cryptographically scrambled versions of Battle.net passwords for players on North American servers.
Blizzard uses Secure Remote Password Protocol (SRP) to protect user account passwords, which means that each password needs to be deciphered individually, making it very difficult to derive the actual passwords from the breach. While these cryptographically scrambled Battle.net passwords are not easily usable by malicious parties, Blizzard is still encouraging players that use the North American servers to change their password. Additionally, if you use your Battle.net password on other services, you should first change those passwords as well. Second, shame on you.
Other user account information that was taken in the breach was the answer to the account"s personal security question, and information relating to Mobile and Dial-In Authenticators.
However, Blizzard claims that all the stolen information is NOT enough to illicitly gain access to Battle.net accounts, based on what the company currently knows, so you should be able to breathe a sigh of relief. For now.
Credit cards, billing addresses, and real names have apparently not been compromised, according to the evidence Blizzard has dug up on the breach so far.
Blizzard will launch an initiative to prompt players on the North American servers to change their secret questions and answers in the near future. They will also release an update for Battle.net authenticator apps on mobile devices. As a final reminder, Blizzard Entertainment will never ask for your password through email, so definitely disregard any such requests if you receive them.
Source: Blizzard