Protecting your Battle.net account means protecting your entire Blizzard gaming library: World of Warcraft characters and progress, Overwatch 2 skins and rank, Diablo IV gear, Hearthstone collections, StarCraft II ladder standing, and any payment methods linked to your account.
Battle.net is one of the oldest gaming platforms in existence, and it remains one of the most targeted by account thieves. The reason is straightforward: accounts linked to World of Warcraft in particular can hold thousands of hours of progress, rare in-game items, gold, and real-money game time that attackers can drain or sell. Diablo IV accounts with end-game gear, Overwatch 2 cosmetic collections, and accounts with active game subscriptions all carry measurable value to attackers.
This guide covers every step to properly secure your Battle.net account, how to make it significantly harder for anyone to access without your permission, what to do if your account has been locked, and an honest look at Battle.net’s own security history.
How to Protect Your Battle.net Account: Security Setup
Step 1: Enable the Battle.net Authenticator (Most Important)
The Battle.net Authenticator is Blizzard’s official two-factor authentication tool and the single most effective security measure available for your account. Blizzard describes it as the best security feature to keep your Battle.net account safe from hackers, and their own customer support teams consistently ask players who have been compromised to attach an Authenticator as the first step after account recovery.
The Authenticator now lives inside the Battle.net Mobile App, available for free on iOS and Android. It generates a unique, time-limited code tied specifically to your account.
How the Authenticator protects you:
- Every login from a new or unrecognized device requires the Authenticator code before access is granted
- By default, the system does not ask for a code on trusted devices after several successful logins from the same location. You can change this in Security Options to require the code on every single login for maximum protection
- Even if an attacker knows your email address and password, they cannot log in without the Authenticator code, which exists only in your mobile app
- The Authenticator also protects sensitive in-game actions in games like World of Warcraft
How to set up the Battle.net Authenticator:
- Download the Battle.net Mobile App from the App Store (iOS) or Google Play (Android)
- Sign in to your Battle.net account in the app
- The app will guide you through linking the Authenticator to your account
- Write down the Serial Number and Recovery Code shown during setup. Store these in a safe place. If you lose your phone, these codes are the only way to remove the Authenticator from your account
- Once linked, your next login will prompt for the Authenticator code
Security Options configuration: After attaching the Authenticator, go to your Battle.net Account Security settings to toggle whether you want the code requested on every login or only on unrecognized devices. For maximum security, enabling it on every login is recommended.
Step 2: Enable Battle.net SMS Protect
SMS Protect is a separate security feature that links your phone number to your Battle.net account. It is distinct from the Authenticator and provides a secondary verification path. SMS Protect allows you to:
- Unlock a locked Battle.net account using your phone
- Recover your account username via text message
- Approve password resets from your phone
- Remove a lost or inaccessible Authenticator from your account
- Receive text message alerts when certain account changes occur, including password changes and security feature additions or removals
SMS Protect is particularly important as a fallback. If you lose access to your Authenticator app (lost phone, factory reset, etc.), SMS Protect gives you a self-service path to regain account access without needing to contact Blizzard Customer Support. Without either SMS Protect or the Authenticator recovery codes, losing access to your authenticator app forces you through a slower manual support process.
How to set up SMS Protect:
- Sign in to your account at account.battle.net/security
- Find the Phone Notifications or Battle.net SMS Protect section
- Enter your mobile phone number and complete the verification
Step 3: Use a Strong, Unique Password and Update Your Security Question
Your password is the first line of defense. Battle.net accounts have historically been targeted through credential stuffing: attackers take email and password combinations from breaches of other services and test them against Battle.net automatically.
Guidelines for a strong Battle.net password:
- Minimum 12 to 16 characters
- Combines uppercase letters, lowercase letters, numbers, and special characters
- Never used on any other account or service
- Generated and stored by a password manager (Bitwarden is free; 1Password and Dashlane are paid options)
To change your password:
- Go to account.battle.net/security
- Click Update in the Password section
- Follow the prompts to set a new strong password
Security question: Battle.net also allows you to set a security question. If the answer to your security question can be guessed from information you share publicly on social media (birthplace, pet name, school, etc.), change it to something that cannot be guessed from your public profile. Store the answer in an encrypted note in your password manager so you do not forget it.
Step 4: Verify and Secure Your Email Address
Your email account is the recovery gateway for your Battle.net account. If an attacker accesses your email, they can request a Battle.net password reset and take over your account even without knowing your current password.
Securing your email as part of your Battle.net security:
- Use a strong, unique password on your email account that you do not use on Battle.net or anywhere else
- Enable two-factor authentication on your email account
- Review which apps have access to your email inbox and revoke any you do not recognize
- Keep your email address current in your Battle.net account settings. An outdated email address makes account recovery impossible
Step 5: Review Your Login History and Active Sessions
Battle.net logs every login with device information, making it possible to spot unauthorized access before you even realize something is wrong.
How to review your login history:
- Sign in at account.battle.net/security
- Scroll to find the Login History section
- Review the list of devices and locations that have accessed your account
- If you see any unfamiliar device, operating system, or geographic location, click Log out from all devices immediately
- After signing out all sessions, change your password and ensure the Authenticator is active
Step 6: Configure Your Privacy Settings
Battle.net includes privacy settings that control what other players can see about you.
Real ID: The Real ID feature shows your real name to mutual Real ID friends instead of just your BattleTag. If you prefer that other players only see your BattleTag and not your real name, disable Real ID:
- Go to your Battle.net Account settings
- Find the Privacy and Communication section
- Uncheck Enable Real ID
After disabling it, other users will only see your BattleTag, the nickname you use in games and on Blizzard forums.
Third-party data sharing: By default, Blizzard may share data about your gaming activity with third-party developers. To review and adjust what is shared:
- Go to your Battle.net Account settings
- Navigate to Privacy & Communication
- Review each option and disable data sharing for any category you do not want shared externally
Is Battle.net Safe? An Honest Assessment
Battle.net is a legitimate, established gaming platform operated by Blizzard Entertainment, one of the most recognized companies in the gaming industry. However, no large platform is completely immune to security incidents, and Battle.net has its own documented history.
The 2012 Data Breach: What Happened
The only confirmed major breach of Battle.net’s own infrastructure occurred in August 2012. Blizzard Entertainment’s then-president Mike Morhaime publicly disclosed that unauthorized and illegal access to their internal network had occurred.
What was exposed in the 2012 breach:
- Email addresses of global Battle.net users
- For North American server users specifically: answers to personal security questions, cryptographically scrambled (hashed) passwords, and information relating to Mobile and Dial-In Authenticators
- No financial information, credit card data, or real names were confirmed as accessed
- The breach affected data related to approximately 14 million user accounts
What Blizzard did in response: Blizzard notified affected users, prompted all players to update their security questions, and urged North American users to change their passwords. They stated that the hashed password format made the data difficult but not impossible to exploit.
The security question data exposed in 2012 is one reason why Blizzard changed the security question system in the years following. If your Battle.net account predates 2013, updating your security question is a sensible precaution.
Current Security: What Battle.net Does to Protect You
Since the 2012 breach, Blizzard has maintained a significantly stronger security posture. Current measures that Battle.net applies to protect accounts include:
- Technical and organizational measures to protect stored data
- Automatic account locking when unusual login activity is detected
- SMS alerts when sensitive account changes occur
- The Authenticator system as a robust second-factor option
- Monitoring for suspicious activity patterns including logins from unusual locations or rapid credential stuffing attempts
What Remains Your Responsibility
Blizzard’s security measures protect the infrastructure. Individual account security depends on the actions players take:
- Using a strong, unique password not shared with other services
- Attaching the Authenticator and setting up SMS Protect
- Securing the email address linked to the account
- Recognizing and avoiding phishing attempts
- Keeping your computer free of keylogger malware
The vast majority of Battle.net account compromises in recent years have not involved Blizzard’s own systems being breached. They come from credential stuffing using passwords stolen elsewhere, phishing pages that capture credentials, and keylogger malware installed on players’ PCs. All three are preventable through the steps in this guide.
Battle.net Account Locked: What It Means and How to Unlock It
If you see a message saying Your Battle.net account has been locked, do not panic. This is frequently an automatic protective measure rather than evidence of wrongdoing.
Why Battle.net Accounts Get Locked
There are several distinct reasons a Battle.net account can be locked, each with a different resolution path:
| Lock Type | Cause | Resolution |
| --- | --- | --- |
| Suspicious activity lock | Login from an unfamiliar location or device | Reset password via email link or SMS verification |
| Too many failed login attempts | Multiple incorrect password attempts | Wait for automatic unlock, then reset password |
| Unusual access pattern | Login pattern significantly differs from your history | Account recovery page, then password reset |
| Policy violation or ban | Violation of Blizzard’s Terms of Use or Code of Conduct | Appeal through Blizzard Customer Support |
| Compromised account lock | Blizzard detected someone else accessing your account | Secure your email first, then use account recovery |
In the majority of cases involving the error code BLZBNTTAS00000006, the lock is Blizzard’s automatic security system reacting to a login that looks suspicious, not a penalty for violating rules. Your games, purchases, and progress remain intact. The lock is a temporary security measure, not an account closure.
How to Unlock a Locked Battle.net Account
Method 1: Password Reset (resolves most locks)
- Go to the Battle.net login screen and click Can’t Log In
- Select I forgot my password
- Enter the email address associated with your account
- Check your email for a password reset link from Blizzard and follow it
- Resetting your password removes most account locks automatically
Method 2: SMS Verification (if email is inaccessible)
If the attacker changed your email address, or if you cannot access your registered email:
- Go to account.battle.net/recovery
- Select the option to receive a text message to your linked phone number
- Follow the SMS verification steps to confirm your identity
- This allows you to recover access even when the email has been changed
This only works if SMS Protect was set up on the account before the lock occurred. This is one of the most important reasons to configure SMS Protect proactively.
Method 3: Contact Blizzard Customer Support
If neither password reset nor SMS verification resolves the issue:
- Go to support.blizzard.com
- Navigate to the Account Recovery section
- Submit a support ticket with as much account ownership information as possible: email address, Battle.net username (BattleTag), games purchased, approximate account creation date, and any billing receipts
- Blizzard’s support team can verify your identity and restore access manually
Important: Do not pay any third-party service claiming to unlock or recover Battle.net accounts. Blizzard has a free, official recovery process. Third-party recovery services are almost universally scams. The only legitimate recovery route is Blizzard’s own recovery page and official Customer Support.
If Your Account Was Locked Due to a Compromise
If Blizzard locked your account because they detected someone else accessing it, do the following before attempting to regain access:
1. Secure your email account first. If your email is compromised, regaining Battle.net access is useless because the attacker can immediately use your email to take control again.
2. Scan your PC for keylogger malware using Malwarebytes Free or your existing antivirus. A keylogger will capture your new password the moment you type it, making the reset meaningless.
3. Complete the password reset and Authenticator setup only after steps 1 and 2 are done.
4. Review your login history after regaining access and log out all other sessions.
Pro Tips: Keeping Your Battle.net Account Secure
- Store your Authenticator Serial Number and Recovery Code the day you set it up: The most common situation where players lose Battle.net access without a breach is losing their phone without having saved these codes. The Serial Number and Recovery Code are shown once during Authenticator setup. Save them in a password manager or printed in a physically secure location before you put your phone down.
- Set the Authenticator to require a code on every login: The default setting only requires the code for unrecognized devices. For accounts containing high-value World of Warcraft characters, Diablo IV gear, or significant cosmetic investments, changing this to require the code every time provides meaningful additional protection.
- Enable SMS Protect even if you already have the Authenticator: SMS Protect is a backup, not a replacement. Having both means you have a self-service recovery path if you ever lose your phone or reinstall the Battle.net app.
- Check your security question and update it if the answer is guessable from your public profiles: If you set your security question years ago using information like your hometown, mother’s maiden name, or first pet that you have ever mentioned publicly, change it to something unique that cannot be found through basic social media research.
Common Mistakes That Lead to Battle.net Account Compromise
- Using the same password across Battle.net and other gaming platforms: If your World of Warcraft account uses the same password as your Steam or Epic Games account, a single breach of any of those services puts your entire Blizzard library at risk. Fix: Generate a unique password for Battle.net using a password manager and never reuse it.
- Not setting up SMS Protect alongside the Authenticator: Players who only set up the Authenticator and then lose their phone face a slower, manual support process to remove the Authenticator and restore access. Fix: Set up both the Authenticator and SMS Protect on the same day. The two minutes it takes is worth it.
- Clicking links in emails claiming to be from Blizzard without verifying: Phishing emails that mimic Blizzard’s communications are common and well-designed. They typically warn of suspicious activity and ask you to click a link to verify your account. Fix: Never click links in emails claiming to be from Blizzard. Navigate to account.battle.net directly through your own bookmark instead.
- Ignoring SMS alerts about account changes: Battle.net sends text message alerts when significant security changes occur. A notification about a password change or Authenticator removal that you did not initiate is your earliest warning of an active account takeover. Fix: Treat every security notification as urgent. If you receive one for an action you did not take, treat it as active unauthorized access and go to Blizzard support immediately.
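Why a link cannot be judged by spotting "battle.net" somewhere in it: the check a mail filter would apply to the host, as an added Python example that is not part of the original guide. The two domains are the ones this guide names; the function names and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains this guide names for Blizzard account and support pages.
OFFICIAL_DOMAINS = ("battle.net", "blizzard.com")


def official_host(url):
    """Return the hostname if the URL points at an official domain over
    HTTPS, otherwise None."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    host = host.rstrip(".")
    # Non-ASCII and punycode labels can imitate Latin letters, so they are
    # treated as not official rather than judged by appearance.
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return None
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain; a bare suffix match is not enough.
        if host == domain or host.endswith("." + domain):
            return host
    return None


def suspicious_links(links):
    """Return the links that do not resolve to an official host."""
    return [u for u in links if official_host(u) is None]


# Constructed sample links, as they might appear in a message body.
SAMPLE_LINKS = [
    "https://account.battle.net/security",
    "https://support.blizzard.com/",
    "http://account.battle.net/security",            # not HTTPS
    "https://account.battle.net.example.com/login",  # official name is only a prefix
    "https://account.battle.net@example.com/",       # real host follows the '@'
    "https://notbattle.net/",                        # shares letters, different domain
]

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_LINKS):
        print("do not trust:", link)
```
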
Play Blizzard Games with a Stable Connection Using ExitLag
A secured Battle.net account protects your library. A stable, low-latency connection protects your gameplay. High ping in World of Warcraft raids, packet loss in Overwatch 2 ranked matches, and unstable routing in Diablo IV online sessions all trace back to the same network issues that ExitLag addresses.
ExitLag is a connection optimizer used by over 30 million players across 4,000+ game titles including World of Warcraft, Overwatch 2, Diablo IV, Hearthstone, and all other Battle.net titles. It analyzes multiple network routes in real time and selects the fastest, most stable path between your device and Blizzard’s game servers.
Features that directly benefit Battle.net players:
- Real-Time Optimization: Continuously selects the lowest-latency route to Blizzard’s servers, reducing the reaction delay that costs you kills in Overwatch 2 and input responsiveness in Diablo IV.
- Multipath Technology: Routes game data through multiple simultaneous paths so a single connection failure never drops you from a World of Warcraft raid or a competitive Overwatch 2 match.
- Traffic Shaper: Prioritizes Blizzard game traffic over background applications so Battle.net launcher updates and patch downloads cannot spike your ping during an active session.
- Multi-Internet: Supports up to four simultaneous internet connections. If your primary connection drops during a Mythic+ key push, a backup takes over instantly without disconnecting you from the group.
All product names and trademarks mentioned in this article belong to their respective owners. Battle.net, Blizzard Entertainment, World of Warcraft, Overwatch, Diablo, Hearthstone, and all related marks are trademarks of Blizzard Entertainment, Inc. They are used for informational and educational purposes only and do not imply endorsement or affiliation with the rights holders.