
There are only, say, 12-15 million active accounts. Even if you had all of them, you're going to run out of attempts before you reliably brute force anything. Far more likely is that Blizzard looks out for large-scale distributed brute force attacks and locks users to their last handful of confirmed IPs.

That's in the realm of speculation, admittedly. Look, I'm largely defending Blizzard here, but they aren't paragons of security. For one thing, they could stop a lot of actual real-world keyloggers by putting in a randomized on-screen PIN entry. They never did that, but they have been pretty aggressive on many other fronts. The fact that their passwords are case insensitive is something that might surprise many people (and I was mildly shocked when it was pointed out to me years back, because I had been dutifully capitalizing 2 characters in my p/w....), but it ends up not being of much consequence imho. Almost all hacks have been keylogger or social. There's one rumored (confirmed?) MITM attack against the authenticator. There's probably some people that used 123456, etc., but the option for a more secure password probably wasn't going to help those people, ymmv.
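The two claims in this comment (an online attacker runs out of attempts long before exhausting the keyspace, and case folding matters less than it sounds) can be checked with a small model. This is an added example, not code from the thread or from Blizzard; the lockout budget of 5 failed attempts per account, the PBKDF2 parameters, and every user, password and guess below are constructed for illustration.

```python
"""Added example: online password guessing against a case-insensitive
password store with a per-account lockout. All values are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 1_000   # lowered for the demo; production uses far more
LOCKOUT_ATTEMPTS = 5        # assumed failed-attempt budget before lockout


def normalize(password: str, case_sensitive: bool) -> str:
    """A case-insensitive scheme folds case before hashing, as Blizzard's
    password handling is described as doing; case-sensitive keeps it."""
    return password if case_sensitive else password.lower()


def make_record(password: str, case_sensitive: bool) -> tuple[bytes, bytes]:
    """Salted PBKDF2 record as a stand-in for a real credential store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password, case_sensitive).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(guess: str, record: tuple[bytes, bytes], case_sensitive: bool) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(guess, case_sensitive).encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def keyspace(length: int, case_sensitive: bool) -> int:
    """Alphanumeric keyspace: 62 symbols with case, 36 without."""
    alphabet = 26 + 10 + (26 if case_sensitive else 0)
    return alphabet ** length


def attempt_budget_coverage(n_accounts: int, lockout: int,
                            length: int, case_sensitive: bool) -> float:
    """Fraction of one account's keyspace an attacker could cover if every
    account's entire lockout budget were spent on a single target."""
    return n_accounts * lockout / keyspace(length, case_sensitive)


# Constructed user base: one obviously weak password, one dictionary word
# with a capital, one weak-but-late-in-list password, two strong ones.
CONSTRUCTED_USERS = {
    "alice": "123456",
    "bob": "Dragon",
    "carol": "Tr0ub4dor&3",
    "dave": "WELCOME1",
    "erin": "correct horse battery staple",
}

# Constructed guess list in the order an attacker would spray it.
GUESS_LIST = ["123456", "password", "qwerty", "dragon", "letmein", "welcome1", "abc123"]


def build_accounts(case_sensitive: bool) -> dict[str, tuple[bytes, bytes]]:
    return {name: make_record(pw, case_sensitive) for name, pw in CONSTRUCTED_USERS.items()}


def spray(accounts, guess_list, lockout, case_sensitive) -> dict[str, str]:
    """Try guesses against every account, stopping at lockout; returns the
    accounts that fell and the guess that opened them."""
    compromised = {}
    for name, record in accounts.items():
        failures = 0
        for guess in guess_list:
            if verify(guess, record, case_sensitive):
                compromised[name] = guess
                break
            failures += 1
            if failures >= lockout:   # account locked; attacker must move on
                break
    return compromised


def compromised_users(case_sensitive: bool) -> set[str]:
    accounts = build_accounts(case_sensitive)
    return set(spray(accounts, GUESS_LIST, LOCKOUT_ATTEMPTS, case_sensitive))


if __name__ == "__main__":
    for mode in (False, True):
        print("case-sensitive" if mode else "case-insensitive",
              "compromised:", sorted(compromised_users(mode)))
    # Budget of 12M accounts x 5 attempts against an 8-char password:
    for mode in (False, True):
        print(f"coverage of 8-char keyspace (case_sensitive={mode}):",
              f"{attempt_budget_coverage(12_000_000, LOCKOUT_ATTEMPTS, 8, mode):.2e}")
```

Under the lockout, the attacker never gets to an exhaustive search; the spray only opens accounts whose password sits in the first few guesses. Case folding does widen that set slightly ("Dragon" falls to the guess "dragon"), but a password that is past the lockout threshold in the guess list ("WELCOME1") survives either way, which is the sense in which case insensitivity is a real but small loss compared with a keylogger.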



Once you limit it to accounts actually worth hacking that don't have an authenticator, you're probably looking at more like a million accounts.



