Battle.net's internal systems were illegally accessed on August 4, and account information including encrypted passwords and security question answers appears to have been taken. Blizzard said in a security update today that, while no evidence so far suggests financial information such as credit card numbers or home addresses was taken, affected users are encouraged to change their security credentials.
The intrusion is under investigation by law enforcement as well as Blizzard.
Account information stored on Battle.net's North American servers (which generally host accounts from North America, Latin America, Australia, New Zealand, and Southeast Asia) was the most significantly affected. From all other regions, only email addresses were taken, with the exception of China, where no user information appears to have been illegally accessed.
Blizzard said encrypted phone numbers belonging to players who use Battle.net's dial-in authentication service may have been taken, and that the information accessed in the attack could be used to compromise Battle.net's mobile authentication service. Blizzard plans to update its mobile authenticator software soon, and it believes physical authenticators should remain secure.
The information taken in the attack should not by itself be enough to access accounts, Blizzard said, because each encrypted password would have to be cracked individually, at considerable effort. Blizzard plans to prompt players on North American servers to change their security questions and answers in the coming days, and encourages anyone who used the same password for multiple accounts to change it. It will also ask its customer service staff to use additional measures to verify player identity.
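Why stolen password data has to be cracked "individually" is worth making concrete. The example below is an added illustration, not code from Blizzard or from the article; Blizzard's statement does not describe its actual password-storage scheme, so the example assumes a per-account random salt combined with an iterated hash (PBKDF2-HMAC-SHA256), and it uses constructed sample accounts and guesses. It counts how many hash computations a dictionary attack needs against an unsalted table versus a salted one.

```python
import hashlib
import os

# Constructed sample data for illustration only; not from any real breach.
SAMPLE_ACCOUNTS = {"alice": "dragon42", "bob": "dragon42", "carol": "hunter2"}
GUESSES = ["password", "dragon42", "letmein", "hunter2"]
ITERATIONS = 1000  # deliberately low so the example runs fast; production uses far more


def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast hash, no per-account salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Assumed stronger scheme (not Blizzard's documented one): per-account salt + iterated hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_unsalted_table(accounts):
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def build_salted_table(accounts):
    table = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)  # fresh random salt per account
        table[user] = (salt, salted_hash(pw, salt))
    return table


def crack_unsalted(table, guesses):
    """Each guess is hashed once and compared against every account at the same time."""
    by_hash = {}
    for user, digest in table.items():
        by_hash.setdefault(digest, []).append(user)
    cracked, work = {}, 0
    for guess in guesses:
        work += 1
        for user in by_hash.get(unsalted_hash(guess), []):
            cracked[user] = guess
    return cracked, work


def crack_salted(table, guesses):
    """The salt differs per account, so every guess must be re-hashed for every account."""
    cracked, work = {}, 0
    for user, (salt, digest) in table.items():
        for guess in guesses:
            work += 1
            if salted_hash(guess, salt) == digest:
                cracked[user] = guess
                break
    return cracked, work


def compare(accounts=SAMPLE_ACCOUNTS, guesses=GUESSES):
    """Return (cracked accounts, hash computations) for both schemes."""
    unsalted_cracked, unsalted_work = crack_unsalted(build_unsalted_table(accounts), guesses)
    salted_cracked, salted_work = crack_salted(build_salted_table(accounts), guesses)
    return {
        "unsalted": (unsalted_cracked, unsalted_work),
        "salted": (salted_cracked, salted_work),
    }


if __name__ == "__main__":
    for scheme, (cracked, work) in compare().items():
        print(f"{scheme}: cracked {cracked} with {work} hash computations")
```

Against the unsalted table, four guesses cost four hash computations and recover all three accounts at once, because alice and bob share a digest. Against the salted table the same dictionary costs one computation per account per guess, and each of those computations is slow by design. That is the sense in which the passwords must be "cracked individually with great effort"; it does not protect a weak or reused password from a targeted attempt, which is why the advice to change reused passwords still applies.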
Blizzard said it refrained from reporting the attacks for five days while it attempted to strike a balance between rapid response and external communication. "Our first priority was to re-secure our network, and from there we worked simultaneously on the investigation and on informing our global player base."