>How can someone does this to such a big company?

You normally would use something called botnet. Botnet is a collection of compromised devices connected to the network – these devices could be video cameras, home routers, laptops – basically anything that runs OS that can have new packages installed. And there are A LOT of devices that can be compromised, since security is at best an afterthought.

So these devices in Botnet sit dormant and do nothing malicious (and thus undetected), until somebody tells them to do something. And that something could be as simple as “try logging in to Blizzard account”. And if at any given time there are lets say 1000 people logging in every second, Blizzard will not be able to handle one million devices trying to log in at once. And keep in mind that Blizzard has to process each request to figure out whether it was legitimate one or not.

>And how hard is it to track the person who does this?

The companies that offer botnets for hire usually operate in dark net, where it’s somewhat harder to track people’s connections. And they take payments in all kinds of different formats, some of which is also very hard to track even if somebody could get a hold of that company;s records (which I bet they don’t even keep). Can it be done? Yes, definitely. But it won’t be easy. I would not be surprised if some special services can do it, but they wouldn’t do it for some trivial DDOS attack that didn’t cause any massive disruptions.