Overwatch, World of Warcraft, Diablo, Hearthstone and StarCraft players should do a thorough security reset right now.

Blizzard has detailed a security breach which took place sometime this week.

The good news is that as yet no evidence has been found that your credit card number, billing address and real name were compromised. The bad news is almost everything else may have been.

Hackers obtained a list of email addresses for Battle.net members outside of China. On North American servers (which includes most players from Latin America, Australia, New Zealand, and Southeast Asia), the answer to the personal security question and information relating to Mobile and Dial-In Authenticators were also accessed.

Worse still, North American players’ passwords were stolen. Now, Blizzard stores these securely in “cryptographically scrambled” form, so it’s not like someone has a text file with your password in it – but there is a remote possibility that each individual password could be unscrambled. Here’s Blizzard on the risks:

“Based on what we currently know, this information alone is NOT enough for anyone to gain access to Battle.net accounts,” the developer said.

“We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually. As a precaution, however, we recommend that players on North American servers change their password.”

You absolutely should; here’s the Battle.net password change link. You should also change your log-in on any site or service where you use the same email address and password combination, and then stop doing that.
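Why SRP data has to be worked on one account at a time, and why a weak password is still worth changing, shown as an added example (not Blizzard's code). It uses the RFC 5054 verifier formula with SHA-256 and an assumed demo modulus; the accounts and passwords are constructed.

```python
import hashlib
import os

# Assumption: demo group only. 2**521 - 1 is prime, but it is not a
# standardized SRP group and not Blizzard's parameters (the page gives none).
N = 2**521 - 1
G = 3


def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def make_verifier(username, password, salt=None):
    """Return (salt, v) as an SRP server stores them: v = g^x mod N,
    x = H(salt | H(username ":" password)). SHA-256 is an assumption here."""
    salt = os.urandom(16) if salt is None else salt
    x = int.from_bytes(_h(salt, _h(f"{username}:{password}".encode())), "big")
    return salt, pow(G, x, N)


def guess_matches(username, guess, salt, verifier):
    """One candidate costs one modular exponentiation for one account."""
    return make_verifier(username, guess, salt)[1] == verifier


def audit(records, candidates):
    """Return (accounts whose password is in candidates, guesses computed)."""
    weak, work = [], 0
    for user, (salt, verifier) in records.items():
        for cand in candidates:
            work += 1
            if guess_matches(user, cand, salt, verifier):
                weak.append(user)
                break
    return weak, work


def demo():
    # Constructed accounts and passwords, for illustration only.
    records = {
        "alice@example.com": make_verifier("alice@example.com", "dragon123"),
        "bob@example.com": make_verifier("bob@example.com", "dragon123"),
        "carol@example.com": make_verifier("carol@example.com", "V9#rt!qLm2$zPx8w"),
    }
    return records, audit(records, ["password", "123456", "dragon123"])
```

Alice and Bob share a password yet store different verifiers, so work done on one account does not carry over to the other; only the long random password survives the common-password list.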

You could also change your security questions and update your two-factor authentication, but Blizzard will be automatically prompting you to do that over the next few days if you forget. It’s important to be extra wary of phishing scams in the next few months, as this sort of information leak makes it much easier for scammers to present a genuine-looking landing page. Remember that Blizzard emails will never ask you to reply with your personal information, and to double check the top level domain name on Blizzard and Battle.net pages.

“We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened,” Blizzard CEO Mike Morhaime wrote in a letter to all players on Blizzard’s website.

“We take the security of your personal information very seriously, and we are truly sorry that this has happened.”

Read more here: VG247