Blizzard Compromise: what they missed in their user communication
James brought this to my attention shortly after I checked in for my shift: http://us.blizzard.com/en-us/securityupdate.html
There are a few more details here: http://us.battle.net/support/en/article/important-security-update-faq
I'm going to repeat a little of what they said about what was accessed:
Here's a summary of the data that we know was illegally accessed:

- North American-based accounts, including players from Latin America, Australia, New Zealand, and Southeast Asia:
  - Email addresses
  - Answers to secret security questions
  - Cryptographically scrambled versions of passwords (not actual passwords)
  - Information associated with the Mobile Authenticator
  - Information associated with the Dial-in Authenticator
  - Information associated with Phone Lock, a security system associated with Taiwan accounts only
- Accounts from all global regions outside of China (including Europe and Russia):
  - Email addresses
- China-based accounts: Unaffected

At this time, there's no evidence that financial information of any kind has been accessed. This includes credit cards, billing addresses, names, or other payment information.
Note the item "Answers to secret security questions." As we saw with Mat Honan's ordeal earlier this week (http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard), the secret question isn't much of a barrier in an attack, and when the attacker already holds the actual answer, password resets aren't much of a challenge.
So, Blizzard's recommendation to "change your password" is largely ineffective for North American customers. If you're concerned about your account, change your security questions, and go with their two-factor solution too.
UPDATE: After spending 15 minutes on the battlenet website I couldn't find an easy way to change/update the security question. The best I could do was add SMS alerts to authorize any password resets.