Unless Blizzard did something very stupid, either having someone in the CS able to look at your info or having the database compromised is infeasible.

If you are storing passwords in a database you encrypt them with an MD5 hash, Kerberos, etc., which means that the password is obfuscated to hell and back as a string of random characters that aren't what the user types in (unless you have no idea what you are doing, and as much as some of their decisions such as case-insensitive passwords make no sense, I don't see Blizz not understanding this part).

If someone had access to the database they'd also have to know what hash method was used to encrypt the user password and then spend time doing brute-force attacks on each password in the database by passing the attempted password through the hash and comparing it to the data in the database. Given that a password could be 20 characters long, with each one of those characters being a-z, 0-9 and all the punctuation characters, I'm sure you can see how time-intensive this would be for even one password, let alone bunches and bunches.

Occam's razor in this circumstance falls on the side of people being flawed and not wanting to admit or accept they fucked up in all cases of getting hacked. I have only been hacked once, and that was when I used an HTTP tunneling service so I could log on from work now and then, so I could run around claiming that I run a secure PC and thus could never be hacked, but that doesn't make it not my fault, now does it?
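
The cost estimate from the third paragraph of the post, worked through as an added example (not part of the original post): it counts the candidates for the alphabet named there (a-z, 0-9 and punctuation, case-insensitive) and converts that to exhaustive-search time at a given guess rate. The function names and the 1e9 guesses-per-second figure are assumptions chosen for illustration; the locally measured rate is single-core `hashlib` only.

```python
import hashlib
import string
import time

# Alphabet named in the post: a-z, 0-9 and punctuation. Case-insensitive
# passwords mean upper-case letters add nothing, so 26 + 10 + 32 = 68 symbols.
ALPHABET = string.ascii_lowercase + string.digits + string.punctuation
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def measure_md5_rate(samples=200_000):
    """MD5 digests per second on this machine (one core, plain hashlib)."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.md5(str(i).encode()).digest()
    return samples / (time.perf_counter() - start)


def years_to_exhaust(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Years needed to try every candidate of `length` at the given rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / SECONDS_PER_YEAR


def report(rate, lengths=(6, 8, 10, 12, 20)):
    """Rows of (length, candidates, years to exhaust) for each length."""
    return [(n, keyspace(n), years_to_exhaust(n, rate)) for n in lengths]


if __name__ == "__main__":
    local = measure_md5_rate()
    assumed = 1e9  # assumed guess rate, for illustration only
    print(f"measured here: {local:,.0f} MD5/s; assumed rate: {assumed:,.0f}/s")
    for n, total, years in report(assumed):
        print(f"length {n:2d}: {total:.3e} candidates, {years:.3e} years")
```

The 20-character row matches the post's point; the shorter rows show how strongly the estimate depends on the length users actually choose.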