The thing people forget is that you aren't asked for an auth code when you try to log into the wow forums, passwords are case-insensetive and there is no limit to the number of login attempts you can make.

All the hackers need to do is get a list of email addresses, feed them into a bruteforce password generator and throw each attempt at the wow forums until they find accounts that log in. They take that list and try to log into the account management and if there is no auth attatched then your account is now theirs.

To an extent Blizzard is at fault for their design decisions on passwords and forum log-in (eg limit it to 5 login attempts before blocking the account until user action, making passwords case-sensetive would increase time to crack etc) but there is almost no excuse for anyone to not have an auth attached to their accounts by now given they can be gotten either as phsyical or phone/ipod apps

[edit]
TBH, if I were in charge there I'd make having an auth mandatory along the lines of the change to battle.net logins