My personal experience:
Over Christmas, I got an e-mail saying that an account (which simply has about a month left on it, no gold... it was a former RAF account where the RAF time had run out but I had used a gametime card to get an early Zhevra) of mine had been password reset (successfully, by the way... which means they had access to my e-mail). This was the ONLY account to receive this e-mail, and when I password reset it back and got my access back, I didn't find anything changed. To be honest, they were probably disappointed to find some <lvl10 lowbies and no gold or gear to speak of.
None of my other accounts were hit.
Why?
The RAF account was the ONLY account that wasn't associated with my authenticator. I had just been too lazy to attach the authenticator to that account, and didn't feel there were any valuables on that account that I'd cry over losing. All of my high level characters had already been xfered onto my main accounts (which use authenticators).
What's disturbing?
In order to make a successful password reset, they need access to my e-mail. If they have access to my e-mail, they COULD have just deleted the e-mail notifications from Blizzard and I would've never known anyone had gotten into my account. Furthermore, if they got access to my e-mail/password via a keylogger, they potentially have any information I've ever typed into that computer (think: credit cards? online banking?). Thus far, all I've seen is that one password reset. But I'm keeping a hawk eye on everything else, just in case, and I'm wiping that machine.
The particular machine in question was running Vista's UAC, antivirus, and behind a firewall. However, it doesn't really surprise me that people can still get in. Given enough determination, people can find their way into anything.
It does make me smirk that they wasted their efforts on my relatively worthless former-RAF account, though. Hooray authenticator.